README: add a short description and remove the process info

the process info is now moved to the main MSYS2 documentation
Christoph Reiter 2023-03-22 10:42:42 +01:00
parent 6788467670
commit 6f40845ba3


@ -1,6 +1,12 @@
# msys2-autobuild # msys2-autobuild
## CLI msys2-autobuild is a Python tool for
* automatically building MSYS2 packages in GitHub Actions
* manually uploading packages, or retrying builds
* retrieving the built packages for upload to the pacman repo
## Installation
```console ```console
$ pacman -S mingw-w64-x86_64-python-tabulate mingw-w64-x86_64-python-pygithub mingw-w64-x86_64-python-requests $ pacman -S mingw-w64-x86_64-python-tabulate mingw-w64-x86_64-python-pygithub mingw-w64-x86_64-python-requests
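Review bot: the new description leaves out the one property of this tool that matters to whoever runs it on the signing machine, namely that the fetch step verifies the packages were uploaded by a restricted set of GitHub users or by GHA (that statement currently only lives in the section this commit removes). Suggest extending the third bullet, for example `* retrieving the built packages for upload to the pacman repo (after checking who uploaded them)`, so the README still states the trust property of the tool itself even once the longer process description has moved to the main documentation.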
@ -8,8 +14,12 @@ $ pacman -S mingw-w64-x86_64-python-tabulate mingw-w64-x86_64-python-pygithub mi
$ poetry install $ poetry install
# or # or
$ python -m pip install --user -r requirements.txt $ python -m pip install --user -r requirements.txt
# or
$ pipx install git+https://github.com/msys2/msys2-autobuild
``` ```
## Usage
```console ```console
$ msys2-autobuild --help $ msys2-autobuild --help
usage: msys2-autobuild [-h] [-R REPO] usage: msys2-autobuild [-h] [-R REPO]
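Review bot: the added `$ pipx install git+https://github.com/msys2/msys2-autobuild` line installs whatever the default branch head happens to be at install time, with no tag or commit pinned, which is a weaker guarantee than the pacman route above for a tool that sits on the package-signing path. Suggest documenting the pinned form, e.g. `$ pipx install git+https://github.com/msys2/msys2-autobuild@<tag-or-commit>`, and adding a short note that this route resolves the Python dependencies from PyPI rather than from the MSYS2 packages installed with pacman, so the reader knows which dependency source they are trusting.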
@ -32,68 +42,3 @@ subcommands:
upload-assets Upload packages upload-assets Upload packages
clear-failed Clear the failed state for packages clear-failed Clear the failed state for packages
``` ```
## Automated Build Process
The following graph shows what happens between a PKGBUILD getting changed in git
and the built package being available in the pacman repo.
```mermaid
sequenceDiagram
participant GIT as MSYS2/MINGW-packages
participant API as packages.msys2.org
participant GHA as GitHub Actions
participant DT as msys2-autobuild
participant DEV as Developer
participant REPO as Pacman Repo
GIT->>GHA: GIT push trigger
GHA->>GHA: parse PKGBUILDs
GHA-->>GIT: upload parsed PKGBUILDs
loop Every 5 minutes
API->>GIT: fetch parsed PKGBUILDs
GIT-->>API:
end
loop Every 2 hours
DT->>GHA: cron trigger
GHA->>API: fetch TODO list
API-->>GHA:
GHA->>GIT: fetch PKGBUILDs
GIT-->>GHA:
GHA->>DT: fetch staging
DT-->>GHA:
GHA->>GHA: build packages
GHA-->>DT: upload packages
end
DEV->>DT: fetch packages
DT-->>DEV:
DEV->>DEV: sign packages
DEV->>REPO: push to repo
```
### Security Considerations
Assuming changes to PKGBUILDs are properly reviewed, the pacman signature
checking works, the upstream source is OK and all MSYS2 organization members are
trusted we need to consider a bad actor controlling some part of the building
process between the PKGBUILD getting changed and the package ending up signed in
the pacman repo.
A bad actor would need to get a package on the machine of the developer signing
the package and adding it to the pacman repo. We take the following precautions:
* We only build packages automatically with GitHub Actions without third party
actions, excluding the official GitHub ones. We assume the GHA images and
official actions are safe.
* The download tool used by the person signing the package checks that the
binaries where uploaded by a restricted set of GitHub users or GHA.
We assume the bad actor doesn't have git push rights.
* Packages too large for GHA get built/signed by MSYS2 developers on their
machines. We assume the developer machines are safe.
* We enforce 2FA for the MSYS2 organization to make account takeovers of
existing MSYS2 developers harder.
Feedback and ideas on how to improve this welcome.
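Review bot: the removal drops the entire `## Automated Build Process` and `### Security Considerations` sections without adding a pointer to their new home, so a reader of the README can no longer find the assumptions the tool depends on (no third-party actions, restricted uploader set checked by the download tool, developer-built large packages, enforced 2FA). Suggest replacing the removed text with a one-line link to the page in the main MSYS2 documentation that the commit message refers to, and confirming that the moved text keeps the sentence about the download tool verifying the uploader, since that describes `msys2-autobuild` itself rather than the surrounding build process.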