builder-dispatch: Use the build-packages workflow
authorRemi Gacogne <remi.gacogne@powerdns.com>
Thu, 4 May 2023 12:40:45 +0000 (14:40 +0200)
committerRemi Gacogne <remi.gacogne@powerdns.com>
Tue, 27 Jun 2023 11:56:02 +0000 (13:56 +0200)
.github/workflows/build-packages.yml
.github/workflows/builder-dispatch.yml

index 7d3bb7b28bda879527c877b7352e800691c4e5b8..1f7148b6947cc97373cad7361891aff1a67f30d4 100644 (file)
@@ -18,7 +18,7 @@ on:
           el-9
           debian-buster
           debian-bullseye
-          ubuntu-bionic
+          debian-bookworm
           ubuntu-focal
           ubuntu-jammy
       ref:
@@ -71,7 +71,7 @@ jobs:
       pkghashes-el-9: ${{ steps.pkghashes.outputs.pkghashes-el-9 }}
       pkghashes-debian-buster: ${{ steps.pkghashes.outputs.pkghashes-debian-buster }}
       pkghashes-debian-bullseye: ${{ steps.pkghashes.outputs.pkghashes-debian-bullseye }}
-      pkghashes-ubuntu-bionic: ${{ steps.pkghashes.outputs.pkghashes-ubuntu-bionic }}
+      pkghashes-debian-bookworm: ${{ steps.pkghashes.outputs.pkghashes-debian-bookworm }}
       pkghashes-ubuntu-focal: ${{ steps.pkghashes.outputs.pkghashes-ubuntu-focal }}
       pkghashes-ubuntu-jammy: ${{ steps.pkghashes.outputs.pkghashes-ubuntu-jammy }}
       srchashes: ${{ steps.srchashes.outputs.srchashes }}
index d2a43de736d75c9a83396d5640b2dc351452f1e3..b0a825c9aa5f44a66bada898cf47a468dbd52769 100644 (file)
@@ -36,115 +36,15 @@ on:
         - 'NO'
         - 'YES'
 
-permissions: # least privileges, see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
-  contents: read
-
 jobs:
-  prepare:
-    name: generate OS list
-    runs-on: ubuntu-20.04
-    outputs:
-      oslist: ${{ steps.get-oslist.outputs.oslist }}
-    steps:
-      # instead of jo, we could use jq here, which avoids running apt, and thus would be faster.
-      # but, as this whole workflow needs at least 30 minutes to run, I prefer spending a few seconds here
-      # so that the command remains readable, because jo is simpler to use.
-      - run: sudo apt-get update && sudo apt-get -y install jo
-      - id: get-oslist
-        run: echo "oslist=$(jo -a ${{ github.event.inputs.os }})" >> "$GITHUB_OUTPUT"
-
-  build:
-    needs: prepare
-    name: build ${{ github.event.inputs.product }} (${{ github.event.inputs.ref }}) for ${{ matrix.os }}
-    # on a ubuntu-20.04 VM
-    runs-on: ubuntu-20.04
-    strategy:
-      matrix:
-        os: ${{fromJson(needs.prepare.outputs.oslist)}}
-      fail-fast: false
-    outputs:
-      version: ${{ steps.getversion.outputs.version }}
-      pkghashes-el-7: ${{ steps.pkghashes.outputs.pkghashes-el-7 }}
-      pkghashes-el-8: ${{ steps.pkghashes.outputs.pkghashes-el-8 }}
-      pkghashes-el-9: ${{ steps.pkghashes.outputs.pkghashes-el-9 }}
-      pkghashes-debian-buster: ${{ steps.pkghashes.outputs.pkghashes-debian-buster }}
-      pkghashes-debian-bullseye: ${{ steps.pkghashes.outputs.pkghashes-debian-bullseye }}
-      pkghashes-debian-bookworm: ${{ steps.pkghashes.outputs.pkghashes-debian-bookworm }}
-      pkghashes-ubuntu-focal: ${{ steps.pkghashes.outputs.pkghashes-ubuntu-focal }}
-      pkghashes-ubuntu-jammy: ${{ steps.pkghashes.outputs.pkghashes-ubuntu-jammy }}
-      srchashes: ${{ steps.srchashes.outputs.srchashes }}
-    steps:
-      - uses: actions/checkout@v3
-        with:
-          fetch-depth: 0 # for correct version numbers
-          submodules: recursive
-          ref: ${{ github.event.inputs.ref }}
-      # this builds packages and runs our unit tests (make check)
-      - run: IS_RELEASE=${{ github.event.inputs.is_release}} builder/build.sh -v -m ${{ github.event.inputs.product }} ${{ matrix.os }}
-      - name: Get version number
-        run: 'echo ::set-output name=version::$(readlink builder/tmp/latest)'
-        id: getversion
-      - name: Upload packages as GH artifacts
-        uses: actions/upload-artifact@v3
-        with:
-          name: ${{ github.event.inputs.product }}-${{ matrix.os }}-${{ steps.getversion.outputs.version }}
-          path: built_pkgs/
-          retention-days: 7
-      - name: Extract packages from the tarball
-        # so we get provenance for individual packages (and the JSON package manifests from the builder)
-        id: extract
-        run: |
-          mkdir -m 700 -p ./packages/
-          tar xvf ./built_pkgs/*/*/${{ github.event.inputs.product }}-${{ steps.getversion.outputs.version }}-${{ matrix.os }}.tar.bz2 -C ./packages/ --transform='s/.*\///'
-      - name: Generate package hashes for provenance
-        shell: bash
-        id: pkghashes
-        run: |
-          echo "pkghashes-${{ matrix.os }}=$(sha256sum ./packages/*.rpm ./packages/*.deb ./packages/*.json | base64 -w0)" >> $GITHUB_OUTPUT
-      - name: Generate source hash for provenance
-        shell: bash
-        id: srchashes
-        run: |
-          echo "srchashes=$(sha256sum ./built_pkgs/*/*/${{ github.event.inputs.product }}-${{ steps.getversion.outputs.version }}.tar.bz2 ./packages/*.json | base64 -w0)" >> $GITHUB_OUTPUT
-      - name: Upload packages to downloads.powerdns.com
-        env:
-          SSHKEY: ${{ secrets.DOWNLOADS_AUTOBUILT_SECRET }}
-          RSYNCTARGET: ${{ secrets.DOWNLOADS_AUTOBUILT_RSYNCTARGET }}
-          HOSTKEY: ${{ secrets.DOWNLOADS_AUTOBUILT_HOSTKEY }}
-        if:
-          "${{ env.SSHKEY != '' }}"
-        run: |
-          mkdir -m 700 -p ~/.ssh
-          echo "$SSHKEY" > ~/.ssh/id_ed25519
-          chmod 600 ~/.ssh/id_ed25519
-          echo "$HOSTKEY" > ~/.ssh/known_hosts
-          rsync -4rlptD built_pkgs/* "$RSYNCTARGET"
-
-  provenance-pkgs:
-    needs: [prepare, build]
-    name: Generate provenance for ${{ github.event.inputs.product }} (${{ github.event.inputs.ref }}) for ${{ matrix.os }}
-    strategy:
-      matrix:
-        os: ${{fromJson(needs.prepare.outputs.oslist)}}
-    permissions:
-      actions: read   # To read the workflow path.
-      id-token: write # To sign the provenance.
-      contents: write # To be able to upload assets as release artifacts
-    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.4.0
-    with:
-      base64-subjects: "${{ needs.build.outputs[format('pkghashes-{0}', matrix.os)] }}"
-      upload-assets: false
-      provenance-name: "${{ github.event.inputs.product }}-${{ needs.build.outputs.version }}-${{ matrix.os}}.intoto.jsonl"
-
-  provenance-src:
-    needs: build
-    name: Generate provenance for ${{ github.event.inputs.product }} (${{ github.event.inputs.ref }}) source tarball
-    permissions:
-      actions: read   # To read the workflow path.
-      id-token: write # To sign the provenance.
-      contents: write # To be able to upload assets as release artifacts
-    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.4.0
+  call-build-packages:
+    uses: PowerDNS/pdns/.github/workflows/build-packages.yml@master
     with:
-      base64-subjects: "${{ needs.build.outputs.srchashes }}"
-      upload-assets: false
-      provenance-name: "${{ github.event.inputs.product }}-${{ needs.build.outputs.version }}-src.intoto.jsonl"
+      product: ${{ github.event.inputs.product }}
+      os: ${{ github.event.inputs.os }}
+      ref: ${{ github.event.inputs.ref }}
+      is_release: ${{ github.event.inputs.is_release }}
+    secrets:
+      DOWNLOADS_AUTOBUILT_SECRET: ${{ secrets.DOWNLOADS_AUTOBUILT_SECRET }}
+      DOWNLOADS_AUTOBUILT_RSYNCTARGET: ${{ secrets.DOWNLOADS_AUTOBUILT_RSYNCTARGET }}
+      DOWNLOADS_AUTOBUILT_HOSTKEY: ${{ secrets.DOWNLOADS_AUTOBUILT_HOSTKEY }}
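Review bot: The new `call-build-packages:` job carries no `permissions:` block, while the same hunk deletes the top-level `permissions: contents: read` stanza without replacing it, so the caller's GITHUB_TOKEN now falls back to whatever the repository's default token permissions are. A job that calls a reusable workflow can only pass on permissions it holds itself, and the provenance jobs removed here ran the SLSA generator with `actions: read`, `id-token: write` and `contents: write`; if build-packages.yml still runs them, that set should be granted explicitly on this job rather than left to the repository default, and if it does not, the least-privilege `contents: read` should come back — confirm the exact set against build-packages.yml, which is not in this hunk. Separately, `uses: PowerDNS/pdns/.github/workflows/build-packages.yml@master` pins the called workflow to a moving branch rather than to the commit being dispatched; the same-repository form `./.github/workflows/build-packages.yml` would run the copy at the caller's own ref, which may or may not be the intent here. The `secrets:` block passing the three secrets by name rather than `secrets: inherit` is the right shape and should stay.

```yaml
  call-build-packages:
    permissions:  # least privileges: the called workflow can use at most what this job grants
      actions: read   # To read the workflow path.
      id-token: write # To sign the provenance.
      contents: write # To be able to upload assets as release artifacts
    # … unchanged: uses / with / secrets …
```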