-
Notifications
You must be signed in to change notification settings - Fork 60
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Rewrite repo-build and package-build in Python #218
Conversation
d3cf15e
to
eb37575
Compare
5b4dc0c
to
36a3f23
Compare
23bb0c3
to
f897f53
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
how are you testing this? did you generate full repo and compare with the old repo?
I generated the repo, installed the packages and tested them. I haven’t automatically checked that the |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for your review @LinusCDE.
It worked before and then I switched to using absolute paths, which triggers a special behavior in |
Cool. Just first fixed the paths, then redid the adding of files manually, since it seemed to me they were empty. I was stupid (looked at a symlink) and the work was for nothing. xD Ideally I would like to replace |
That’s also what I did in my fix. :-) |
f8db03c
to
d60f01f
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
overall, your python looks good! i don't have much to say about the code itself (i've read through it a few times), just comments+questions on usage and how things fit together
Thanks for your review @raisjn! |
i'm running this on python 3.8.5 on my machine locally, misc notes:
|
I think we’re seeing differences between 3.8 and 3.9 (I used the latter for testing). Should be fairly easy to make the code 3.8-compatible. |
Thanks for the report. Should be fixed now. |
e356bf7
to
6d6e31a
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
shipit
Thanks for the review! I’ll do a final test of all packages to make sure everything works fine tomorrow, and then I’ll merge this. |
(See #211.) * Rewrite to Python 3.8 - Create `toltec` Python support library (in `scripts/toltec`) - Remove superseded `opkg` Python library (in `scripts/opkg`) - Add Python linting and formatting checks - Replace `scripts/repo-build` (Bash script) with `scripts/repo_build.py` - Replace `scripts/package-build` (Bash script) with `scripts/package_build.py` - Update Makefile and workflows to work with the new scripts * Package changes - Update koreader to not use the `$recipedir` variable (not documented, not supported by the new scripts, and should not be used anymore) * Documentation changes - Add info on how required Python version and modules - Document custom fields and functions support * New features - Improve support for custom fields and functions in recipes - Parameterize "https://toltec-dev.org" in workflows, using a REMOTE_HTTP secret. Rename REMOTE secret to REMOTE_SSH * Additional checks - Check that all custom declarations start with `_` to guard against typos on optional standard declarations - Check that timestamp fields contain a valid ISO-8601 value - Check that pkgver fields contain a valid version number
0eb140e
to
8af5075
Compare
I went through all the packages and checked for differences between the versions generated with the new scripts and the versions existing in stable. I found some bugs that I addressed in the second commit of this branch (which is the diff since you last reviewed @raisjn). There remains no difference in the This is now awaiting a final review before merging. |
* Re-implement Oxide-specific install hook (see #251) * Keep existing field order in ./control file * Add ./ entries in .ipk archives * Run all Bash scripts with set -euo pipefail * Wrap scripts in functions to allow for local vars * Fixes for zoneinfo-utils * Always add maintainer scripts in the same order in ipk files * Add missing variables to generated maintainer scripts * Print tree & script list in sorted order (verbose mode) * Set fixed atime and mtime on source files before build * Call repo-build-web from workflows (pending a future rewrite)
8af5075
to
88fae12
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
looks good to me, whats the roll-out plan?
i tested by building the whole repository (repo-local), then pushed packages and tested installation and removal of various packages: rm2fb, oxide, remux, fingerterm, draft, etc
Could you clarify what you mean by roll-out plan in this context @raisjn? |
Summary of our Discord discussion: @raisjn was “wondering if it makes sense to build a repo using the new build scripts while keeping the old repo, then have them run side by side and switch over down the line (so it gets live testing of packages). but after thinking about it, its much work”. @matteodelabre: “If we merge it into testing, we'll have a bit of time to look for remaining issues before it hits stable. Those remaining bugs should be fairly minor and affect relatively few users.” |
The REMOTE_HTTP secret was introduced to make the remote server configurable without changing the workflow code in #218. For security reasons, PR workflows do not have access to secret variables (this is an oversight of the aforementioned PR). We could switch the PR workflow to trigger on the `pull_request_target` event which allows access to secrets, but that would enable external attackers to exfiltrate our secrets (see <https://securitylab.github.com/research/github-actions-preventing-pwn-requests>). The correct solution would be for GitHub to provide a mechanism for marking secrets as non-sensitive (which is the case of REMOTE_HTTP). For now, let’s just hardcode that secret in PR workflows.
The REMOTE_HTTP secret was introduced to make the remote server configurable without changing the workflow code in #218. For security reasons, PR workflows do not have access to secret variables (this is an oversight of the aforementioned PR). We could switch the PR workflow to trigger on the `pull_request_target` event which allows access to secrets, but that would enable external attackers to exfiltrate our secrets (see <https://securitylab.github.com/research/github-actions-preventing-pwn-requests>). The correct solution would be for GitHub to provide a mechanism for marking secrets as non-sensitive (which is the case of REMOTE_HTTP). For now, let’s just hardcode that secret in PR workflows.
new packages: [ddvk-hacks] Add ddvk-hacks (toltec-dev#247) updated packages: [wireguard][1.0.20210219] - Updated package (and include wireguard-tools) (toltec-dev#285) [rm2fb] update rm2fb to work with xochitl 2.6 (v1.0.1) (toltec-dev#301) [recrossable] Update recrossable (toltec-dev#312) [wikipedia] Initial wikipedia package. [appmarkable] Update appmarkable to 0.0.0-9 and rmservewacominput to 0.3.0-1 (toltec-dev#308) with rm2 support [rmkit] patch genie to fix crash in testing (toltec-dev#304) [oxide] Update Oxide to v2.1.2 (toltec-dev#241) [rm2fb] update rm2fb with wait ioctl and no-op on rM1 (toltec-dev#298) [rmkit] add bufshot app, add lamp, add iago, add changelog (toltec-dev#276) [rmkit] update rmkit to latest (2021-02-17) (toltec-dev#286) [zshelf][0.3.1] - Updated Package (toltec-dev#287) tooling: Pin the Ubuntu version used in workflows to 20.04 (toltec-dev#316) Provide better version number error messages (toltec-dev#314) util.auto_extract: Extract broken symlinks and missing directories (toltec-dev#302) change web background color to #fcfaf8 (toltec-dev#280) Implement build-time package dependencies (toltec-dev#274) Rewrite repo-build-web in Python (toltec-dev#266) Print last 50 lines of output on build error (toltec-dev#263) Hardcode REMOTE_HTTP secret in PR workflows (toltec-dev#262) Rewrite repo-build and package-build in Python (toltec-dev#218) Make bootstrap execution conditional on hash verification (toltec-dev#257) Add Toltec web home page (toltec-dev#193)
New packages: * bufshot - 0.1.0-2 (#276) * ddvk-hacks - 17.04-1 (#247) * iago - 0.1.0-1 (#276) * lamp - 0.1.0-1 (#276) * libdlib, libdlib-dev - 19.21-1 (#274) * libvncserver, libvncserver-dev - 0.9.13-1 (#274) * wikipedia - 0.1.0-2 (#311) Updated packages: * appmarkable - 0.0.0-9 (#308) * decay - 2.1.2~1 (#241) * erode - 2.1.2~1 (#241) * fret - 2.1.2~1 (#241) * genie - 0.1.4-2 (#304) * harmony - 0.1.2-1 (#286) * mines - 0.1.2-1 (#286) * nao - 0.1.2-1 (#286) * oxide - 2.1.2~1 (#241) * recrossable - 0.0.0-5 (#274, #312) * remux - 0.1.8-1 (#286) * rm2fb - 1.0.1-1 (#298, #301) * rmservewacominput - 0.3.0-1 (#308) * rot - 2.1.2~1 (#241) * simple - 0.1.3-1 (#286) * tarnish - 2.1.2~1 (#241) * vnsee - 0.3.1-2 (#274) Tooling: * Pin the Ubuntu version used in workflows to 20.04 (#316) * Provide better version number error messages (#314) * util.auto_extract: Extract broken symlinks and missing directories (#302) * change web background color to #fcfaf8 (#280) * Implement build-time package dependencies (#274) * Rewrite repo-build-web in Python (#266) * Print last 50 lines of output on build error (#263) * Hardcode REMOTE_HTTP secret in PR workflows (#262) * Rewrite repo-build and package-build in Python (#218) * Make bootstrap execution conditional on hash verification (#257) * Add Toltec web home page (#193) Co-authored-by: okay <okay@arkose> Co-authored-by: Mattéo Delabre <spam@delab.re>
(See #211.)
The new build scripts are backward-compatible with existing recipes. Apart from some minor improvements on generated maintainer scripts, there are no changes in the final .ipk files.
toltec
Python support library (inscripts/toltec
)opkg
Python library (inscripts/opkg
)scripts/repo-build
(Bash script) withscripts/repo_build.py
scripts/package-build
(Bash script) withscripts/package_build.py
$recipedir
variable (not documented, not supported by the new scripts, and should not be used anymore)REMOTE_HTTP
secret.REMOTE
secret toREMOTE_SSH
for clarity_
to guard against typos on optional standard declarationsset -euo pipefail
flags enabled