initial EncryptedClientHello support in ssl module #11
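# Builds Debian packages from this fork and publishes them as a flat apt
# repository on the `packages` branch. Each run merges upstream CPython first,
# then builds with sbuild in an unshare chroot against Debian testing.
name: builder
on:
  workflow_dispatch:
  # NOTE(review): there is no branch filter, so a push to any branch runs the
  # job and force-pushes the published `packages` branch. Add `branches:` here
  # if only the default branch should be able to publish.
  push:
  schedule:
    - cron: '30 5 * * *'
jobs:
  packages:
    runs-on: ubuntu-24.04
    # Least privilege: the only token use in this job is the push to the
    # `packages` branch, so grant contents: write and nothing else.
    permissions:
      contents: write
    steps:
      - name: Check out the repo
        # NOTE(review): `@v4` is a movable tag. Pinning to a full commit SHA
        # (<ACTION_COMMIT_SHA> # v4) fixes the exact action code that runs.
        uses: actions/checkout@v4
        with:
          # Full history is needed for the merge and for `git describe --tags`.
          fetch-depth: 0
          # Keep the job token out of the checked-out tree's .git/config; the
          # later steps merge and build code from another repository, and the
          # upload step configures its own credentialed remote.
          persist-credentials: false
      - name: merge upstream
        # The package is built from whatever upstream/main is at run time,
        # merged without review.
        run: |
          git remote add upstream https://github.com/python/cpython.git
          git fetch upstream
          git -c user.name=Github -c user.email=none merge upstream/main
      - name: Cache ccache
        # NOTE(review): same tag-vs-SHA pinning point as for actions/checkout.
        uses: actions/cache@v4
        with:
          path: /home/runner/.cache/ccache
          # NOTE(review): the key is static. actions/cache does not re-save on
          # an exact key hit, so this entry presumably stops refreshing after
          # its first save — confirm, and consider a per-run key with
          # restore-keys.
          key: ccache
      - name: Prepare build environment
        run: |
          sudo DEBIAN_FRONTEND=noninteractive apt update && sudo DEBIAN_FRONTEND=noninteractive apt install -y --no-install-recommends sbuild mmdebstrap debian-archive-keyring ccache uidmap quilt
          mkdir -p "$HOME/.cache/sbuild"
          # The base chroot is verified against the Debian archive keyring.
          # shellcheck disable=SC2016
          mmdebstrap --variant=buildd --include=apt,ccache,ca-certificates \
            --keyring=/usr/share/keyrings/debian-archive-keyring.gpg \
            --customize-hook='chroot "$1" update-ccache-symlinks' \
            testing "$HOME/.cache/sbuild/testing-amd64.tar"
          ccache --zero-stats --max-size=10.0G
          # The cache directory is made world-writable, presumably so the
          # remapped build user inside the unshare chroot can write to it.
          chmod a+X "$HOME" "$HOME/.cache"
          chmod -R a+rwX "$HOME/.cache/ccache"
          # Quoted heredoc delimiter: the shell expands nothing in the body.
          cat << "EOF" > "$HOME/.quiltrc"
          QUILT_PATCHES=debian/patches
          QUILT_NO_DIFF_INDEX=1
          QUILT_NO_DIFF_TIMESTAMPS=1
          QUILT_REFRESH_ARGS="-p ab"
          QUILT_DIFF_ARGS="--color=auto" # If you want some color when using `quilt diff`.
          QUILT_PATCH_OPTS="--reject-format=unified"
          QUILT_COLORS="diff_hdr=1;32:diff_add=1;34:diff_rem=1;31:diff_hunk=1;33:diff_ctx=35:diff_cctx=33"
          EOF
          # Quoted delimiter again: `$HOME` below reaches .sbuildrc literally
          # and is resolved when sbuild evaluates the file, not by this shell.
          cat << "EOF" > "$HOME/.sbuildrc"
          $build_environment = { "CCACHE_DIR" => "/build/ccache" };
          $path = "/usr/lib/ccache:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games";
          $build_path = "/build/package/";
          $dsc_dir = "package";
          $unshare_bind_mounts = [ { directory => "$HOME/.cache/ccache", mountpoint => "/build/ccache" } ];
          $verbose = 1;
          EOF
          mkdir "$HOME/apt_repo"
      - name: Run sbuild
        run: |
          quilt push -a
          # Rewrite the version on the first changelog line to
          # <git describe, normalised>-<UTC timestamp>.
          # shellcheck disable=SC2016
          sed -i "1 s/([^)]*)/($(git describe --tags | sed 's/^[^0-9]*//;s/-/./g;s/_/./g')-$(date -u '+%Y%m%d.%H%M%S%N'))/" debian/changelog
          # NOTE(review): `[trusted=yes]` turns off apt signature verification
          # for the extra repository, so its packages enter the build chroot
          # authenticated only by HTTPS to the forge. A signed repository
          # referenced with `signed-by=` would close that gap.
          sbuild -d testing --chroot-mode=unshare --no-clean-source --no-run-lintian \
            --extra-repository="deb [trusted=yes] https://github.com/defo-project/openssl/raw/packages/ ./" \
            --dpkg-source-opts="-Zgzip -z1 --format=1.0 -sn" --build-dir="$HOME/apt_repo"
          cd "$HOME/apt_repo"
          # NOTE(review): Packages and Release are generated but never signed
          # (no InRelease or Release.gpg), which is why consumers are told to
          # use `[trusted=yes]` in the upload step.
          apt-ftparchive packages . > Packages
          apt-ftparchive release . > Release
      # Disabled smoke test: installs curl from the built repository and checks
      # that an ECH handshake against defo.ie reports success.
      # - name: Test packages
      #   run: |
      #     mmdebstrap --verbose --chrooted-customize-hook="curl --ech true --doh-url 'https://1.1.1.1/dns-query' 'https://defo.ie/ech-check.php' | grep 'SSL_ECH_STATUS: success'" \
      #       --variant=essential --include=ca-certificates,curl testing /dev/null \
      #       "deb [signed-by=/usr/share/keyrings/debian-archive-keyring.gpg] http://deb.debian.org/debian testing main" \
      #       "deb [trusted=yes] https://github.com/defo-project/openssl/raw/packages/ /" \
      #       "deb [trusted=yes] copy:/$HOME/apt_repo /"
      - name: Upload apt repository
        # Hand the token to the script through the environment instead of
        # templating `${{ ... }}` into the script text before it runs.
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          cd "$HOME/apt_repo"
          BRANCH=packages
          REPOSITORY="$(printf "%s" "$GITHUB_REPOSITORY" | tr / _)"
          # The README tells consumers to add this repository with
          # `[trusted=yes]`, so they get no signature check on what they install.
          echo "echo \"deb [trusted=yes] $GITHUB_SERVER_URL/$GITHUB_REPOSITORY/raw/$BRANCH/ /\" | sudo tee /etc/apt/sources.list.d/$REPOSITORY.list" >> README.md
          git init -b "$BRANCH"
          # The token ends up in this throwaway repository's .git/config. That
          # file is not part of the commit (`git add .` never stages .git).
          git remote add origin "$(echo "$GITHUB_SERVER_URL/$GITHUB_REPOSITORY.git" | sed "s#https://#https://x-access-token:${GITHUB_TOKEN}@#")"
          git add .
          git -c user.name=Github -c user.email=none commit --message="Generated with $GITHUB_SERVER_URL/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID"
          # Force-push replaces the branch with a single fresh commit each run,
          # so earlier package versions are not kept in its history.
          git push --force origin "$BRANCH"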