Befator-Inc-Firmen-Netzwerk/msys2-autobuild
3
0
Fork 0
Code Issues Pull Requests Packages Projects Releases 10 Wiki Activity
181 Commits 1 Branch 10 Tags
Go to file
Clone
Open with VS Code Open with VSCodium Open with Intellij IDEA
Download ZIP Download TAR.GZ Download BUNDLE
Christoph Reiter 584cea762b Rework everything 
It now calculates the status of all builds upfront and then just decides
what to do about it.

This means we can potentially dump the status to a json file and re-use
it in other places.
2021-01-22 16:13:14 +01:00
.github/workflows
Install wheel first
2021-01-16 07:46:41 +01:00
docs
we now build every 2 hours
2020-12-08 23:09:24 +01:00
.gitignore
Add .mypy_cache to gitignore
2020-10-23 09:21:42 +02:00
autobuild.py
Rework everything
2021-01-22 16:13:14 +01:00
LICENSE
Create LICENSE
2020-08-16 15:22:14 +02:00
poetry.lock
Update deps
2021-01-22 12:19:20 +01:00
pyproject.toml
Switch to poetry
2021-01-16 07:40:28 +01:00
README.md
Remove show-assets/trigger commands
2021-01-21 21:24:38 +01:00
requirements.txt
Update requirements.txt
2021-01-22 12:40:06 +01:00
setup.cfg
Rework everything
2021-01-22 16:13:14 +01:00

README.md

msys2-autobuild

autobuild.py

$ python -m pip install --user -r requirements.txt
# or
$ poetry install

$ python autobuild.py --help
usage: autobuild.py [-h] {build,show,should-run,fetch-assets,clean-assets} ...

Build packages

optional arguments:
  -h, --help            show this help message and exit

subcommands:
  {build,show,should-run,fetch-assets,clean-assets}
    build               Build all packages
    show                Show all packages to be built
    should-run          Fails if the workflow shouldn't run
    fetch-assets        Download all staging packages
    clean-assets        Clean up GHA assets

Automated Build Process

The following graph shows what happens between a PKGBUILD getting changed in git and the built package being available in the pacman repo.

sequence

Security Considerations

Assuming changes to PKGBUILDs are properly reviewed, the pacman signature checking works, the upstream source is OK and all MSYS2 organization members are trusted we need to consider a bad actor controlling some part of the building process between the PKGBUILD getting changed and the package ending up signed in the pacman repo.

A bad actor would need to get a package on the machine of the developer signing the package and adding it to the pacman repo. We take the following precautions:

  • We only build packages automatically with GitHub Actions without third party actions, excluding the official GitHub ones. We assume the GHA images and official actions are safe.
  • The download tool used by the person signing the package checks that the binaries where uploaded by GHA so that uploading a package with a personal account leads to an error. Someone would need to push a workflow change to the repo which gets run and uploads a package to the release assets to avoid that. We assume the bad actor doesn't have git push rights.
  • Packages too large for GHA get built/signed by MSYS2 developers on their machines. We assume the developer machines are safe.
  • We enforce 2FA for the MSYS2 organization to make account takeovers of existing MSYS2 developers harder.

Feedback and ideas on how to improve this welcome.

Description
🏭🏭🏭🏭🏭🏭🏭🏭
Readme MIT 1,007 KiB
Languages
Python 98.8%
Shell 0.8%
Batchfile 0.4%