From 0bc8e5117bfc87d45dd02d79e8d4fc6bee599c63 Mon Sep 17 00:00:00 2001
From: JonMagon <jonmagon@gmail.com>
Date: Sun, 1 Sep 2024 12:48:48 +0300
Subject: [PATCH] CI: arm64 builds, PGP package signing, fix RPM deps

---
 .github/workflows/release.yml | 99 +++++++++++++++++++++++++++++------
 CMakeLists.txt                |  1 +
 2 files changed, 85 insertions(+), 15 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 8c3708d..280432f 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -2,6 +2,9 @@ name: Release
 on:
   release:
     types: created
+env:
+  GPG_KEY_ID: 'F903BFACDCEF9A432055CC6F651E1A80B494B6F7'
+
 jobs:
   pack:
     name: Pack source tarball
@@ -14,7 +17,7 @@ jobs:
 
       - name: Create source tarball
         run: |
-          SOURCE_NAME=$(awk -F/ '{print $NF}' <<<"${{ github.repository }}")-$(awk -F/ '{print $NF}' <<<"${{ github.ref }}")
+          SOURCE_NAME=$(awk -F/ '{print tolower($NF)}' <<<"${{ github.repository }}")-$(awk -F/ '{print $NF}' <<<"${{ github.ref }}")
           git ls-files --recurse-submodules | \
           tar --exclude-vcs --transform "s|^|$SOURCE_NAME/|S" -ca -T - -f ../$SOURCE_NAME-source.tar.gz
       - name: Upload source tarball
@@ -28,11 +31,11 @@ jobs:
     strategy:
       matrix:
         os: [ubuntu-20.04]
-        arch: [amd64]
+        arch: [amd64, aarch64]
         include:
           - os: ubuntu-20.04
-            cmake-defines: '-D CPACK_GENERATOR="DEB;RPM;7Z" -D CMAKE_BUILD_TYPE=Release'
-            upload-files: 'build/*.deb;build/*.rpm;build/*.7z'
+            cmake-defines: '-D CPACK_GENERATOR="DEB;RPM" -D CMAKE_BUILD_TYPE=Release'
+            upload-files: 'build/*.deb;build/*.rpm;package-signing-key.pub'
     steps:
     - name: Clone repo
       uses: actions/checkout@v2.2.0
@@ -40,22 +43,77 @@ jobs:
         submodules: recursive
 
     - name: Install dependent apt packages
-      if: runner.os == 'Linux'
+      if: runner.os == 'Linux' && matrix.arch == 'amd64'
       run: |
         sudo apt-get update
-        sudo apt-get install qttools5-dev libpolkit-qt5-1-dev rpm
+        sudo apt-get install qttools5-dev libpolkit-qt5-1-dev
         wget http://launchpadlibrarian.net/590905036/extra-cmake-modules_5.92.0-0ubuntu1_amd64.deb
         sudo dpkg -i extra-cmake-modules_5.92.0-0ubuntu1_amd64.deb
 
-    - name: Build
+    - name: Import GPG key
+      uses: crazy-max/ghaction-import-gpg@v6
+      with:
+        gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
+        passphrase: ${{ secrets.GPG_PASSPHRASE }}
+        fingerprint: ${{ env.GPG_KEY_ID }}
+
+    - name: Configure RPM for signing
       run: |
-        mkdir build
-        cd build
-        cmake ${{ matrix.cmake-defines }} ..
-        sed -i 's|etc/dbus-1|share/dbus-1|g' cmake_install.cmake
-        cmake --build . --target package --parallel 2 --config Release
+        echo "%_gpg_name ${{ env.GPG_KEY_ID }}" >> ~/.rpmmacros
+        echo "%_signature gpg" >> ~/.rpmmacros
+        echo "%_gpgpath $HOME/.gnupg" >> ~/.rpmmacros
+        echo "%__gpg /usr/bin/gpg" >> ~/.rpmmacros
 
-    - name: Upload
+    - name: Build AMD64
+      if: matrix.arch == 'amd64'
+      run: |
+        cmake -S . -B build ${{ matrix.cmake-defines }}
+        sed -i 's|etc/dbus-1|share/dbus-1|g' build/cmake_install.cmake
+        cmake --build build --target package --parallel 2 --config Release
+
+    - name: Build ARM64
+      uses: uraimo/run-on-arch-action@v2.7.2
+      if: matrix.os == 'ubuntu-20.04' && matrix.arch != 'amd64'
+      with:
+        arch: ${{ matrix.arch }}
+        distro: ubuntu20.04
+        githubToken: ${{ github.token }}
+        dockerRunArgs: --volume "${PWD}:/repo"
+        install: |
+          apt update -y
+          # dpkg-dev for dpkg-shlibdeps
+          apt install -y qttools5-dev libpolkit-qt5-1-dev g++ rpm dpkg-dev apt-transport-https ca-certificates gnupg software-properties-common wget
+          wget http://launchpadlibrarian.net/590905696/extra-cmake-modules_5.92.0-0ubuntu1_arm64.deb
+          dpkg -i extra-cmake-modules_5.92.0-0ubuntu1_arm64.deb
+          wget -O - https://apt.kitware.com/keys/kitware-archive-latest.asc 2>/dev/null | gpg --dearmor - | tee /etc/apt/trusted.gpg.d/kitware.gpg >/dev/null
+          apt-add-repository 'deb https://apt.kitware.com/ubuntu/ focal main'
+          apt install -y cmake
+
+        run: |
+          cmake -S . -B build ${{ matrix.cmake-defines }}
+          sed -i 's|etc/dbus-1|share/dbus-1|g' build/cmake_install.cmake
+          cmake --build build --target package --parallel 2 --config Release
+
+    - name: Fix permissions for ARM64 build
+      if: matrix.os == 'ubuntu-20.04' && matrix.arch == 'aarch64'
+      run: |
+        sudo chown -R $USER:$USER build
+        sudo chmod -R 755 build
+
+    - name: Install sign packages
+      run: |
+        sudo apt install rpm dpkg-sig
+
+    - name: Sign packages
+      run: |
+        rpm --addsign build/*.rpm
+        dpkg-sig --sign builder build/*.deb
+
+    - name: Export GPG public key
+      run: |
+        gpg --export --armor ${{ env.GPG_KEY_ID }} > package-signing-key.pub
+
+    - name: Upload to Release
       uses: AButler/upload-release-assets@v2.0
       with:
         files: ${{ matrix.upload-files }}
@@ -69,9 +127,9 @@ jobs:
         arch: [amd64]
         include:
           - os: ubuntu-20.04
-            bundled-fio: '3.35'
+            bundled-fio: '3.37'
             cmake-defines: '-D CMAKE_BUILD_TYPE=Release'
-            upload-files: 'build/{*.AppImage,*.AppImage.zsync}'
+            upload-files: 'build/{*.AppImage,*.AppImage.zsync,*.AppImage.sig}'
     steps:
     - name: Clone repo
       uses: actions/checkout@v2.2.0
@@ -86,6 +144,13 @@ jobs:
         wget http://launchpadlibrarian.net/590905036/extra-cmake-modules_5.92.0-0ubuntu1_amd64.deb
         sudo dpkg -i extra-cmake-modules_5.92.0-0ubuntu1_amd64.deb
 
+    - name: Import GPG key
+      uses: crazy-max/ghaction-import-gpg@v6
+      with:
+        gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
+        passphrase: ${{ secrets.GPG_PASSPHRASE }}
+        fingerprint: ${{ env.GPG_KEY_ID }}
+
     - name: Install Qt
       run: |
         sudo pip3 install setuptools
@@ -126,6 +191,10 @@ jobs:
         ../3rd-party/linuxdeployqt-continuous-x86_64.AppImage appdir/usr/share/applications/*.desktop -appimage -qmake=/opt/Qt/5.15.1/gcc_64/bin/qmake \
           -extra-plugins=styles/breeze.so -updateinformation="gh-releases-zsync|${{ github.repository_owner }}|$REPO_NAME|latest|*.zsync"
 
+    - name: Sign AppImage
+      run: |
+        find . -name '*.AppImage' -exec gpg --detach-sign --output {}.sig {} \;
+
     - name: Upload
       uses: AButler/upload-release-assets@v2.0
       with:
diff --git a/CMakeLists.txt b/CMakeLists.txt
index 30f1623..02a88b5 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -46,6 +46,7 @@ set(CPACK_DEBIAN_PACKAGE_GENERATE_SHLIBS_POLICY >=)
 set(CPACK_RPM_FILE_NAME RPM-DEFAULT)
 set(CPACK_RPM_PACKAGE_LICENSE GPLv3)
 set(CPACK_RPM_PACKAGE_GROUP Applications/System)
+set(CPACK_RPM_PACKAGE_REQUIRES "fio >= 3.1")
 set(CPACK_DEBIAN_PACKAGE_DEPENDS "fio (>= 3.1)")
 set(CPACK_RPM_COMPRESSION_TYPE lzma)
 set(CPACK_NSIS_DISPLAY_NAME ${APPLICATION_NAME})