diff --git a/.github/workflows/version-bumps.yml b/.github/workflows/version-bumps.yml index ba01442..dd06371 100644 --- a/.github/workflows/version-bumps.yml +++ b/.github/workflows/version-bumps.yml @@ -2,6 +2,10 @@ name: version-bumps on: workflow_dispatch: + inputs: + meshix_cli_version: + description: Optional Meshix CLI release tag to pin for this run (for example v0.0.2) + required: false schedule: - cron: '23 6 * * *' @@ -17,6 +21,7 @@ jobs: env: GH_TOKEN: ${{ github.token }} SHPIT_GH_TOKEN: ${{ secrets.SHPIT_GH_TOKEN }} + MESHIX_CLI_VERSION: ${{ github.event.inputs.meshix_cli_version || '' }} UPDATE_BRANCH: automation/version-bumps steps: - name: Install updater dependencies @@ -51,7 +56,7 @@ jobs: if: ${{ steps.detect.outputs.changed == 'true' }} run: | git checkout -B "${UPDATE_BRANCH}" - git add README.md docs scripts .github/workflows tabex-bin osyrra-bin + git add README.md docs scripts .github/workflows meshix-cli-bin tabex-bin osyrra-bin git commit -m "chore(pkgbuilds): bump package versions" git push --force --set-upstream origin "${UPDATE_BRANCH}" diff --git a/README.md b/README.md index 0c759d1..49475f4 100644 --- a/README.md +++ b/README.md @@ -6,6 +6,7 @@ Arch Linux package definitions for SHPIT-maintained command-line tools. | Package | Upstream | Notes | |---|---|---| +| `meshix-cli-bin` | `shpitdev/meshix-observability` GitHub Releases | Private release assets. Same auth model as `tabex-bin` and `osyrra-bin`. | | `tabex-bin` | `shpitdev/tabex` GitHub Releases | Private release assets. The PKGBUILD is public, but `makepkg` needs GitHub access to the `shpitdev` org to download the release tarball. | | `osyrra-bin` | `shpitdev/osyrra` GitHub Releases | Private release assets. Same auth model as `tabex-bin`. | 
@@ -36,7 +37,7 @@ cd makepkg -si ``` -`gh auth login` must be configured with access to the `shpitdev` org before `makepkg` can download the private release assets. +`gh auth login` must be configured with access to the `shpitdev` org before `makepkg` can download the private `meshix-cli-bin`, `tabex-bin`, or `osyrra-bin` release assets. After installing `tabex-bin`, start with: @@ -50,12 +51,12 @@ The package includes an install hook that prints the same guidance after install - You can use this repo immediately without creating the AUR repositories or AUR secrets. - The scheduled/manual bump workflow uses the repository `GITHUB_TOKEN` for branch and PR operations in this repo. -- Without `SHPIT_GH_TOKEN`, the workflow skips the private package updates (both `tabex-bin` and `osyrra-bin` need it). +- Without `SHPIT_GH_TOKEN`, the workflow skips the private package updates (`meshix-cli-bin`, `tabex-bin`, and `osyrra-bin`). - Without AUR secrets, the publish workflow exits successfully without pushing anywhere. ## Secrets -- `SHPIT_GH_TOKEN` — required for GitHub Actions to refresh private SHPIT packages from their GitHub releases. +- `SHPIT_GH_TOKEN` — optional; required for GitHub Actions to refresh the private SHPIT packages (`meshix-cli-bin`, `tabex-bin`, and `osyrra-bin`) from their GitHub releases. - `AUR_USERNAME`, `AUR_EMAIL`, `AUR_SSH_PRIVATE_KEY` — optional until you actually want to publish to AUR. ## Local Auth diff --git a/docs/setup.md b/docs/setup.md index 6836434..f7555c2 100644 --- a/docs/setup.md +++ b/docs/setup.md 
@@ -16,9 +16,9 @@ Use this first. Result: - branch and PR creation use the repo `GITHUB_TOKEN` -- `tabex-bin` and `osyrra-bin` update only if the repo has access to `SHPIT_GH_TOKEN` +- `meshix-cli-bin`, `tabex-bin`, and `osyrra-bin` update only if the repo has access to `SHPIT_GH_TOKEN` - AUR publishing is skipped without failing -- upstream `tabex` and `osyrra` release workflows can also trigger this workflow automatically with `gh workflow run version-bumps.yml`, but that depends on `SHPIT_WORKFLOW_DISPATCH_TOKEN` being available in their Depot CI repo secrets +- upstream `meshix-observability`, `tabex`, and `osyrra` release workflows can also trigger this workflow automatically with `gh workflow run version-bumps.yml`, but that depends on `SHPIT_WORKFLOW_DISPATCH_TOKEN` being available in their producer-repo Depot CI secrets ## GitHub UI Links @@ -28,7 +28,7 @@ Result: ## SHPIT_GH_TOKEN -Create the secret (org-level or repo-level) with access to read private releases on `shpitdev/tabex` and `shpitdev/osyrra`. An org-level secret with `selected` visibility is the cleanest option if you have multiple consuming repos. +Create the secret (org-level or repo-level) with access to read private releases on `shpitdev/meshix-observability`, `shpitdev/tabex`, and `shpitdev/osyrra`. An org-level secret with `selected` visibility is the cleanest option if you have multiple consuming repos. Attach it to this repo with: 
@@ -50,12 +50,16 @@ Create a fine-grained PAT that can trigger workflow dispatches in: Store that PAT as the GitHub org secret `SHPIT_WORKFLOW_DISPATCH_TOKEN` with `selected` visibility for these producer repos: +- `shpitdev/meshix-observability` - `shpitdev/tabex` - `shpitdev/osyrra` Those producer release workflows run in Depot CI, so GitHub org secrets are not enough on their own. Mirror the same secret into Depot for each producer repo with one of these paths: ```bash +cd /home/anandpant/Development/shpitdev/meshix/meshix-observability +depot ci migrate secrets-and-vars -y + cd /home/anandpant/Development/shpitdev/tabex depot ci migrate secrets-and-vars -y @@ -66,6 +70,7 @@ depot ci migrate secrets-and-vars -y Or add the Depot secrets directly: ```bash +depot ci secrets add SHPIT_WORKFLOW_DISPATCH_TOKEN --repo shpitdev/meshix-observability depot ci secrets add SHPIT_WORKFLOW_DISPATCH_TOKEN --repo shpitdev/tabex depot ci secrets add SHPIT_WORKFLOW_DISPATCH_TOKEN --repo shpitdev/osyrra ``` @@ -93,7 +98,7 @@ That is safe because `v0.0.4` is the first stable release that ships the source- When you are ready to publish to AUR: -1. Create the target AUR package repos (`tabex-bin`, `osyrra-bin`). +1. Create the target AUR package repos (`meshix-cli-bin`, `tabex-bin`, `osyrra-bin`). 2. Generate an SSH key that can push to those AUR repos. 3. Add these repo secrets: - `AUR_USERNAME` 
@@ -105,12 +110,12 @@ When you are ready to publish to AUR: ## Token Model - Same-repo automation uses the built-in `GITHUB_TOKEN`. -- Cross-repo private release access for `tabex-bin` and `osyrra-bin` needs a separate credential in Actions, because the workflow token is scoped to the repository that contains the workflow. +- Cross-repo private release access for `meshix-cli-bin`, `tabex-bin`, and `osyrra-bin` needs a separate credential in Actions, because the workflow token is scoped to the repository that contains the workflow. - Local runs can use your normal `gh auth login` session instead of any exported token. ## Recommended Follow-Up Replace the org-level token with a narrower machine credential when practical: -1. Create a dedicated machine user token with only the repo access needed for private release reads on `shpitdev/tabex` and `shpitdev/osyrra`. +1. Create a dedicated machine user token with only the repo access needed for private release reads on `shpitdev/meshix-observability`, `shpitdev/tabex`, and `shpitdev/osyrra`. 2. Or use a GitHub App installation token flow for the cleanest long-term setup. diff --git a/meshix-cli-bin/.SRCINFO b/meshix-cli-bin/.SRCINFO new file mode 100644 index 0000000..4c11f3f --- /dev/null +++ b/meshix-cli-bin/.SRCINFO @@ -0,0 +1,13 @@ +pkgbase = meshix-cli-bin + pkgdesc = Meshix CLI for run inspection and generation workflows + pkgver = 0.0.1 + pkgrel = 1 + url = https://github.com/shpitdev/meshix-observability + install = meshix-cli-bin.install + arch = x86_64 + license = LicenseRef-proprietary + makedepends = github-cli + provides = meshix-cli + conflicts = meshix-cli + +pkgname = meshix-cli-bin diff --git a/meshix-cli-bin/PKGBUILD b/meshix-cli-bin/PKGBUILD new file mode 100644 index 0000000..fb83cc1 --- /dev/null +++ b/meshix-cli-bin/PKGBUILD 
@@ -0,0 +1,32 @@ +# Maintainer: Anand Pant + +pkgname=meshix-cli-bin +pkgver=0.0.1 +pkgrel=1 +pkgdesc="Meshix CLI for run inspection and generation workflows" +arch=('x86_64') +url="https://github.com/shpitdev/meshix-observability" +license=('LicenseRef-proprietary') +install="${pkgname}.install" +makedepends=('github-cli') +provides=('meshix-cli') +conflicts=('meshix-cli') + +# Public PKGBUILD, private release asset. Users need GitHub access to the shpitdev org. +_asset="meshix-cli_v${pkgver}_linux_amd64.tar.gz" +_sha256='a6f8fa1b8c12fa8705bc508efe13b8f462c375016edee0683ceb577370ac1911' + +prepare() { + gh release download "v${pkgver}" \ + --repo shpitdev/meshix-observability \ + --pattern "${_asset}" \ + --dir . --clobber + + echo "${_sha256} ${_asset}" | sha256sum -c + tar xzf "${_asset}" +} + +package() { + install -Dm755 "meshix-cli_v${pkgver}_linux_amd64/meshix-cli" \ + "${pkgdir}/usr/bin/meshix-cli" +} diff --git a/meshix-cli-bin/meshix-cli-bin.install b/meshix-cli-bin/meshix-cli-bin.install new file mode 100644 index 0000000..5de5704 --- /dev/null +++ b/meshix-cli-bin/meshix-cli-bin.install @@ -0,0 +1,13 @@ +post_install() { + cat <<'EOF' +==> meshix-cli-bin: package-manager installs provide the stable meshix-cli command only. +==> Start with: +==> meshix-cli --help +==> +==> For a checkout-linked dev command, install meshix-cli-dev from a local checkout. +EOF +} + +post_upgrade() { + post_install +} diff --git a/osyrra-bin/.SRCINFO b/osyrra-bin/.SRCINFO index d6f4d64..fa93015 100644 --- a/osyrra-bin/.SRCINFO +++ b/osyrra-bin/.SRCINFO @@ -1,6 +1,6 @@ pkgbase = osyrra-bin pkgdesc = Osyrra silent email worker and operator TUI - pkgver = 0.0.2 + pkgver = 0.0.3 pkgrel = 1 url = https://github.com/shpitdev/osyrra arch = x86_64 diff --git a/osyrra-bin/PKGBUILD b/osyrra-bin/PKGBUILD index f6c9168..c232249 100644 --- a/osyrra-bin/PKGBUILD +++ b/osyrra-bin/PKGBUILD 
@@ -1,7 +1,7 @@ # Maintainer: Anand Pant pkgname=osyrra-bin -pkgver=0.0.2 +pkgver=0.0.3 pkgrel=1 pkgdesc="Osyrra silent email worker and operator TUI" arch=('x86_64') @@ -13,7 +13,7 @@ conflicts=('osyrra') # Public PKGBUILD, private release asset. Users need GitHub access to the shpitdev org. _asset="osyrra_v${pkgver}_linux_amd64.tar.gz" -_sha256='b169ace1b18d2be22a264f57524728d3f0985787558c8e2ba6796c0a80b81e71' +_sha256='0b2ba661104227faa1f4aff9579557633933544578d586abd5972f14802c810c' prepare() { gh release download "v${pkgver}" \ diff --git a/scripts/update-meshix-cli-bin.sh b/scripts/update-meshix-cli-bin.sh new file mode 100755 index 0000000..0536784 --- /dev/null +++ b/scripts/update-meshix-cli-bin.sh 
@@ -0,0 +1,97 @@ +#!/usr/bin/env bash +set -euo pipefail + +optional=false +if (($# > 1)); then + echo "usage: $0 [--optional]" >&2 + exit 1 +fi +if (($# == 1)); then + if [[ "$1" != "--optional" ]]; then + echo "usage: $0 [--optional]" >&2 + exit 1 + fi + optional=true +fi + +repo_root="$(cd -- "$(dirname -- "${BASH_SOURCE[0]}")/.." && pwd)" +pkgbuild="${repo_root}/meshix-cli-bin/PKGBUILD" +repo="shpitdev/meshix-observability" +requested_version="${MESHIX_CLI_VERSION:-latest}" + +resolve_release_json() { + local version="$1" + local endpoint + local output="" + + if [[ -z "${version}" || "${version}" == "latest" ]]; then + endpoint="repos/${repo}/releases/latest" + else + if [[ "${version}" != v* ]]; then + version="v${version}" + fi + endpoint="repos/${repo}/releases/tags/${version}" + fi + + if [[ -n "${SHPIT_GH_TOKEN:-}" ]]; then + if output="$(GH_TOKEN="${SHPIT_GH_TOKEN}" gh api "${endpoint}" 2>/dev/null)"; then + printf '%s' "${output}" + return 0 + fi + if [[ -n "${GITHUB_ACTIONS:-}" && "${optional}" == "true" ]]; then + echo "Skipping meshix-cli-bin: SHPIT_GH_TOKEN does not currently grant release access to ${repo}." >&2 + printf '__SKIP__' + return 0 + fi + echo "SHPIT_GH_TOKEN could not read the private meshix-cli release in ${repo}." >&2 + return 1 + elif [[ -n "${GITHUB_ACTIONS:-}" ]]; then + if [[ "${optional}" == "true" ]]; then + echo "Skipping meshix-cli-bin: SHPIT_GH_TOKEN is not configured in GitHub Actions." >&2 + printf '__SKIP__' + return 0 + fi + echo "SHPIT_GH_TOKEN is required in GitHub Actions to read the private meshix-cli release." 
>&2 + return 1 + else + gh api "${endpoint}" + fi +} + +release_json="$(resolve_release_json "${requested_version}")" +if [[ "${release_json}" == "__SKIP__" ]]; then + exit 0 +fi +pkgver="$(jq -r '.tag_name | ltrimstr("v")' <<<"${release_json}")" +asset_json="$(jq -c ' + .assets + | map(select(.name | test("_linux_amd64\\.tar\\.gz$"))) + | first +' <<<"${release_json}")" +release_asset="$(jq -r '.name // empty' <<<"${asset_json}")" +sha256="$(jq -r '.digest // empty' <<<"${asset_json}")" + +if [[ -z "${release_asset}" || "${release_asset}" == "null" ]]; then + if [[ "${optional}" == "true" ]]; then + echo "Skipping meshix-cli-bin: release is missing a linux amd64 archive." >&2 + exit 0 + fi + echo "meshix-cli release is missing a linux amd64 archive" >&2 + exit 1 +fi + +if [[ -z "${sha256}" || "${sha256}" == "null" ]]; then + if [[ "${optional}" == "true" ]]; then + echo "Skipping meshix-cli-bin: release is missing an asset digest." >&2 + exit 0 + fi + echo "meshix-cli release is missing an asset digest" >&2 + exit 1 +fi + +sha256="${sha256#sha256:}" + +perl -0pi -e "s/^pkgver=.*/pkgver=${pkgver}/m" "${pkgbuild}" +perl -0pi -e "s/^_sha256=.*/_sha256='${sha256}'/m" "${pkgbuild}" + +"${repo_root}/scripts/render-srcinfo.sh" "${repo_root}/meshix-cli-bin" diff --git a/scripts/update-packages.sh b/scripts/update-packages.sh index 2d57fe9..a20f20c 100755 --- a/scripts/update-packages.sh +++ b/scripts/update-packages.sh @@ -8,13 +8,14 @@ if (($# == 0)); then fi if [[ "$1" == "auto" ]]; then - packages=() + packages=(meshix-cli-bin) if [[ -n "${SHPIT_GH_TOKEN:-}" || -z "${GITHUB_ACTIONS:-}" ]]; then packages+=(tabex-bin) packages+=(osyrra-bin) fi elif [[ "$1" == "all" ]]; then packages=( + meshix-cli-bin tabex-bin osyrra-bin ) 
@@ -24,6 +25,13 @@ fi for package in "${packages[@]}"; do case "${package}" in + meshix-cli-bin) + if [[ "$1" == "auto" ]]; then + "${repo_root}/scripts/update-meshix-cli-bin.sh" --optional + else + "${repo_root}/scripts/update-meshix-cli-bin.sh" + fi + ;; tabex-bin) if [[ "$1" == "auto" ]]; then "${repo_root}/scripts/update-tabex-bin.sh" --optional diff --git a/scripts/validate-packages.sh b/scripts/validate-packages.sh index 6912d17..52f6978 100755 --- a/scripts/validate-packages.sh +++ b/scripts/validate-packages.sh @@ -9,6 +9,13 @@ for package_dir in "${repo_root}"/*; do "${repo_root}/scripts/validate-package.sh" "${package_dir}" done +meshix_pkg="${repo_root}/meshix-cli-bin" +if [[ -f "${meshix_pkg}/PKGBUILD" ]]; then + grep -q 'gh release download "v${pkgver}"' "${meshix_pkg}/PKGBUILD" + grep -q 'install="${pkgname}\.install"' "${meshix_pkg}/PKGBUILD" + grep -q 'meshix-cli-dev' "${meshix_pkg}/meshix-cli-bin.install" +fi + tabex_pkg="${repo_root}/tabex-bin" if [[ -f "${tabex_pkg}/PKGBUILD" ]]; then grep -q 'install="${pkgname}\.install"' "${tabex_pkg}/PKGBUILD" diff --git a/tabex-bin/.SRCINFO b/tabex-bin/.SRCINFO index 6710fb9..00b58ad 100644 --- a/tabex-bin/.SRCINFO +++ b/tabex-bin/.SRCINFO @@ -1,6 +1,6 @@ pkgbase = tabex-bin pkgdesc = Tabex CLI for browser session, capture, and page inspection - pkgver = 0.0.4 + pkgver = 0.0.5 pkgrel = 1 url = https://github.com/shpitdev/tabex install = tabex-bin.install diff --git a/tabex-bin/PKGBUILD b/tabex-bin/PKGBUILD index 6f60e37..1cfcc9d 100644 --- a/tabex-bin/PKGBUILD +++ b/tabex-bin/PKGBUILD @@ -1,7 +1,7 @@ # Maintainer: Anand Pant pkgname=tabex-bin -pkgver=0.0.4 +pkgver=0.0.5 pkgrel=1 pkgdesc="Tabex CLI for browser session, capture, and page inspection" arch=('x86_64') 
@@ -14,7 +14,7 @@ conflicts=('tabex') # Public PKGBUILD, private release asset. Users need GitHub access to the shpitdev org. _asset="tabex_v${pkgver}_linux_amd64.tar.gz" -_sha256='f6f3f2e5912ba985453a4ec4d97522a59ecbb4278a44135264303d96c4451e70' +_sha256='c29a17a401d8a478a3e8f77031e950d0d3bfab8e4bb07d9111a48ab341860c22' prepare() { gh release download "v${pkgver}" \
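Review bot: In .github/workflows/version-bumps.yml, the new `meshix_cli_version` input is free-form and reaches the updater unchecked through `MESHIX_CLI_VERSION: ${{ github.event.inputs.meshix_cli_version || '' }}`. Passing it through `env` instead of interpolating it into a `run:` script is the right choice, but scripts/update-meshix-cli-bin.sh then builds `repos/${repo}/releases/tags/${version}` from it and calls `gh api` with `SHPIT_GH_TOKEN`, so a value containing `/` or other path characters changes which API path is requested with that token. Suggest rejecting anything that is not an optional `v` followed by dotted digits, either in an early workflow step or at the top of the script, and failing the run instead of continuing.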
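Review bot: In README.md under "Secrets", the reworded `SHPIT_GH_TOKEN` bullet now says "optional; required for GitHub Actions to refresh the private SHPIT packages", which reads as both optional and required. Suggest wording such as "optional; needed only when GitHub Actions should refresh the private SHPIT packages", which matches the bullet above it stating that the workflow skips those packages without the token.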
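Review bot: In docs/setup.md, the added `cd /home/anandpant/Development/shpitdev/meshix/meshix-observability` line puts a maintainer's home directory and checkout layout into public documentation, and it will not work for anyone else. Suggest a relative or placeholder path (for example `cd path/to/meshix-observability`), and doing the same for the existing `tabex` line next to it so the block stays consistent.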
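Review bot: In scripts/update-meshix-cli-bin.sh, `pkgver` and `sha256` come straight from the release JSON and are interpolated into `perl -0pi -e "s/^pkgver=.*/pkgver=${pkgver}/m"` and the matching `_sha256` substitution with no format check, so whatever the tag name or digest field contains is written into a PKGBUILD that `makepkg` later sources as shell. A tag containing `/`, `$` or `@` also breaks or alters the Perl expression, a missing `tag_name` yields the literal `null`, and `sha256="${sha256#sha256:}"` strips the prefix without confirming the digest was SHA-256 in the first place. Suggest checking `pkgver` against dotted digits and `sha256` against exactly 64 lowercase hex characters before either `perl` call, and exiting non-zero otherwise. Separately, `gh api "${endpoint}" 2>/dev/null` hides the reason for a failure, so with `--optional` a mistyped pinned version or a network error is reported as a token problem and the run exits 0; keeping stderr would make that visible.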
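Review bot: In scripts/update-packages.sh, the `auto` branch now seeds `packages=(meshix-cli-bin)` unconditionally, while `tabex-bin` and `osyrra-bin` are still added only inside the `SHPIT_GH_TOKEN` / `GITHUB_ACTIONS` guard. The result is the same only because update-meshix-cli-bin.sh is called with `--optional` and skips itself, so there are now two different skip mechanisms for packages that the README describes as sharing one auth model. Suggest moving `meshix-cli-bin` into the guarded block with the other two, or adding a comment explaining why it is handled differently.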
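Review bot: In scripts/validate-packages.sh, the new `meshix-cli-bin` block checks for the `gh release download "v${pkgver}"` line, the install hook and the `meshix-cli-dev` hint, but nothing asserts that the PKGBUILD still verifies what it downloads. Because the asset is fetched in `prepare()` instead of through `source`/`sha256sums`, the `echo "${_sha256} ${_asset}" | sha256sum -c` line is the only integrity check on the tarball. Suggest adding a `grep -q` for `sha256sum -c` and one for a 64-hex `_sha256=` value, so an edit that drops or empties the checksum fails validation.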