# Copyright (C) Project Tick
# SPDX-License-Identifier: MIT
name: Package Source Tarball
description: >
  Create source archives in multiple formats
  (.tar, .tar.xz, .tar.gz, .tar.zst, .zip, .7z),
  generate SHA-256 checksums, and optionally GPG-sign each artifact.

# Inputs. `project` and `version` are joined as "<project>-<version>" to form
# both the archive file names and the top-level directory inside each archive.
# NOTE(review): GitHub does not fail a run by itself when a `required` input is
# omitted, so an empty value can still reach the steps.
inputs:
  project:
    description: 'Project directory name (e.g. meshmc, neozip)'
    required: true
  version:
    description: 'Release version string (e.g. 1.0.0)'
    required: true
  source-dir:
    description: 'Path to the prepared source tree to archive'
    required: true
  output-dir:
    description: 'Directory to write archives, checksums, and signatures'
    required: false
    default: 'release-artifacts'
  # Signing inputs. The signing steps run only when BOTH values are non-empty;
  # setting just one of them produces unsigned artifacts without an error.
  # Supply the key from an encrypted secret, never as a literal in a workflow.
  gpg-private-key:
    description: 'ASCII-armored GPG private key for signing'
    required: false
  gpg-private-key-id:
    description: 'GPG key ID to select the signing key'
    required: false

outputs:
  # Echoes the output-dir input back to the caller unchanged.
  artifact-dir:
    description: 'Path to the directory containing all release artifacts'
    value: ${{ inputs.output-dir }}
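# Composite steps: install tools, build the archives, checksum them, and
# (optionally) sign them. Every input reaches the shell through `env:` rather
# than being interpolated into the script text, so input values are never
# parsed as shell code.
runs:
  using: composite
  steps:
    - name: Install packaging tools
      shell: bash
      run: |
        set -euo pipefail
        sudo apt-get update -qq
        sudo apt-get install -y -qq p7zip-full zstd xz-utils zip

    - name: Create archives
      shell: bash
      env:
        PROJECT: ${{ inputs.project }}
        VERSION: ${{ inputs.version }}
        SRC_DIR: ${{ inputs.source-dir }}
        OUT_DIR: ${{ inputs.output-dir }}
      run: |
        set -euo pipefail

        # BASE becomes a file name and the archive root directory, so it must
        # be one path component that no tool can mistake for an option.
        if [ -z "$PROJECT" ] || [ -z "$VERSION" ]; then
          echo "::error::project and version must not be empty"
          exit 1
        fi
        BASE="${PROJECT}-${VERSION}"
        case "$BASE" in
          */* | -*)
            echo "::error::project/version must not contain '/' or start with '-': ${BASE}"
            exit 1
            ;;
        esac

        mkdir -p "$OUT_DIR"
        # Resolve to an absolute path so the zip call, which runs from inside
        # the staging directory, works for relative and absolute output-dir.
        OUT_DIR="$(cd "$OUT_DIR" && pwd)"

        # Create a clean directory named project-version for the archive root.
        # The trap removes it even when a later command fails.
        STAGING="$(mktemp -d)"
        trap 'rm -rf "$STAGING"' EXIT
        cp -a -- "$SRC_DIR" "$STAGING/$BASE"

        # Strip VCS metadata from the staged copy. `.git` is matched as a
        # directory or a file (submodules and worktrees use a `.git` file),
        # and -prune stops find from descending into what it is deleting.
        # Failures are fatal on purpose: `.git` can carry repository history
        # and, depending on how the tree was checked out, credentials in its
        # config, so it must not end up in a release archive.
        find "$STAGING/$BASE" -name '.git' -prune -exec rm -rf {} +
        find "$STAGING/$BASE" -name '.gitmodules' -delete

        # NOTE(review): tar/zip/7z record the staged files' timestamps and
        # ownership as-is, so these archives are not bit-for-bit reproducible.
        tar -cf "$OUT_DIR/${BASE}.tar" -C "$STAGING" "$BASE"
        gzip -9 -k "$OUT_DIR/${BASE}.tar"
        xz -9 -k "$OUT_DIR/${BASE}.tar"
        zstd -19 "$OUT_DIR/${BASE}.tar" -o "$OUT_DIR/${BASE}.tar.zst"
        (cd "$STAGING" && zip -r -9 -q "$OUT_DIR/${BASE}.zip" "$BASE")
        7z a -mx=9 "$OUT_DIR/${BASE}.7z" "$STAGING/$BASE" > /dev/null

        echo "### 📦 Archives created for ${BASE}" >> "$GITHUB_STEP_SUMMARY"
        ls -lh "$OUT_DIR"/ >> "$GITHUB_STEP_SUMMARY"

    # The .sha256 files sit next to the archives and are not signed themselves:
    # they detect corruption, not tampering. Authenticity comes only from the
    # detached GPG signatures produced below, when signing is enabled.
    - name: Generate SHA-256 checksums
      shell: bash
      env:
        OUT_DIR: ${{ inputs.output-dir }}
      run: |
        set -euo pipefail
        cd "$OUT_DIR"
        for f in *.tar *.tar.gz *.tar.xz *.tar.zst *.zip *.7z; do
          # An unmatched glob stays literal; skip it.
          [ -f "$f" ] || continue
          sha256sum "$f" > "${f}.sha256"
        done

    # The key is imported into the runner user's default keyring and is not
    # removed by this action: it stays available to later steps of the job,
    # and on a non-ephemeral (self-hosted) runner it outlives the job unless
    # the caller deletes it.
    - name: Import GPG key
      if: inputs.gpg-private-key != '' && inputs.gpg-private-key-id != ''
      shell: bash
      env:
        GPG_PRIVATE_KEY: ${{ inputs.gpg-private-key }}
      run: |
        set -euo pipefail
        # printf passes the key material through without echo's option and
        # escape handling.
        printf '%s\n' "$GPG_PRIVATE_KEY" | gpg --batch --import

    - name: Sign archives with GPG
      if: inputs.gpg-private-key != '' && inputs.gpg-private-key-id != ''
      shell: bash
      env:
        OUT_DIR: ${{ inputs.output-dir }}
        GPG_KEY_ID: ${{ inputs.gpg-private-key-id }}
      run: |
        set -euo pipefail
        cd "$OUT_DIR"
        for f in *.tar *.tar.gz *.tar.xz *.tar.zst *.zip *.7z; do
          [ -f "$f" ] || continue
          # Detached, ASCII-armored signature written as "<archive>.asc";
          # --local-user pins the signing key to the requested key ID.
          gpg --batch --yes --detach-sign --armor \
            --local-user "$GPG_KEY_ID" \
            "$f"
        done
        echo "### 🔏 GPG signatures created" >> "$GITHUB_STEP_SUMMARY"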