Build when pushed

.github/workflows/jekyll-gh-pages.yml

@@ -0,0 +1,56 @@
+# Sample workflow for building and deploying a Jekyll site to GitHub Pages
+name: Deploy Jekyll with GitHub Pages dependencies preinstalled
+
+on:
+  # Runs on pushes targeting the default branch
+  push:
+    branches:
+      - main
+      - main_ctb
+    tags:
+      - v*
+
+  # Allows you to run this workflow manually from the Actions tab
+  workflow_dispatch:
+
+# Sets permissions of the GITHUB_TOKEN to allow deployment to GitHub Pages
+permissions:
+  contents: read
+  pages: write
+  id-token: write
+
+# Allow one concurrent deployment
+concurrency:
+  group: "pages"
+  cancel-in-progress: true
+
+jobs:
+  # Build job
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+      - name: Setup Pages
+        uses: actions/configure-pages@v2
+      - name: Build with Jekyll
+        uses: actions/jekyll-build-pages@v1
+        with:
+          source: ./docs
+          destination: ./docs/_site
+      - name: Upload artifact
+        uses: actions/upload-pages-artifact@v1
+        with:
+          path: ./docs/_site/
+
+  # Deployment job
+  deploy:
+    environment:
+      name: github-pages
+      url: ${{ steps.deployment.outputs.page_url }}
+    runs-on: ubuntu-latest
+    needs: build
+    steps:
+      - name: Deploy to GitHub Pages
+        id: deployment
+        uses: actions/deploy-pages@v1

.github/workflows/publish.yml

@@ -0,0 +1,236 @@
+name: Publish
+
+on:
+  push:
+    branches:
+      - main
+      - main_ctb
+    tags:
+      - v*
+
+# Allow one concurrent deployment
+concurrency:
+  group: "assets"
+  cancel-in-progress: true
+
+env:
+  DEBIAN_CODENAME: bookworm
+
+jobs:
+  check_utility_container:
+    name: Checks for this tag's utility container
+    runs-on: ubuntu-latest
+    outputs:
+      exists: ${{ steps.check_version.outputs.exists }}
+      dockerfile_sha: ${{ steps.check_version.outputs.dockerfile_sha }}
+      repo_lc: ${{ steps.check_version.outputs.repo_lc }}
+      repo_owner_lc: ${{ steps.check_version.outputs.repo_owner_lc }}
+      shortref: ${{ steps.check_version.outputs.shortref }}
+      date: ${{ steps.check_version.outputs.date }}
+      upload_url: ${{ steps.create_release.outputs.upload_url }}
+      debian_version: ${{ steps.create_release.outputs.debian_version }}
+
+    steps:
+    - uses: actions/checkout@v3
+      with:
+        ref: ${{ github.ref }}
+        fetch-depth: 0
+
+    - name: Check package version
+      id: check_version
+      run: |
+        shortref=${GITHUB_SHA::8}
+        SHA256SUM=$(sha256sum Dockerfile.${DEBIAN_CODENAME} | awk '{print $1}')
+        repo_lc="$(echo ${{ github.repository }} | tr '[A-Z]' '[a-z]')"
+        REPO_OWNER_LC="$(echo ${{ github.repository_owner }} | tr '[A-Z]' '[a-z]')"
+        echo ${{ secrets.GITHUB_TOKEN }} | docker login ghcr.io -u USERNAME --password-stdin
+        RESULT=$(docker inspect ghcr.io/${repo_lc}-builder:${SHA256SUM::8} 1>&2; echo $?)
+        LAST_REV=$(git describe --abbrev=0 --tags --exclude '*/v*' --exclude '*+git*')
+        if [[ "$(git rev-list --count ${LAST_REV}..HEAD)" -gt 0 ]]; then
+          DATE=$(date "+%Y%m%d")
+          DEBIAN_VERSION="${LAST_REV//v}+git${DATE}.${shortref}"
+        else
+          DEBIAN_VERSION="${LAST_REV//v}"
+        fi
+        echo "::set-output name=exists::$RESULT"
+        echo "::set-output name=repo_lc::$repo_lc"
+        echo "::set-output name=repo_owner_lc::$REPO_OWNER_LC"
+        echo "::set-output name=date::$(date --utc --iso-8601=seconds)"
+        echo "::set-output name=dockerfile_sha::${SHA256SUM::8}"
+        echo "::set-output name=shortref::$shortref"
+        echo "::set-output name=debian_version::${DEBIAN_VERSION}"
+
+    - name: Create Release
+      id: create_release
+      uses: ncipollo/release-action@v1.11.1
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      with:
+        commit: ${{ github.ref }}
+        tag: ${{ steps.check_version.outputs.debian_version }}
+        name: Release ${{ steps.check_version.outputs.debian_version }}
+        draft: false
+        prerelease: false
+        allowUpdates: true
+
+  build_and_upload_utility_container:
+    name: Builds and uploads a docker image used to build heckler
+    runs-on: ubuntu-latest
+    needs: check_utility_container
+    if: ${{ needs.check_utility_container.outputs.exists }} == '1'
+
+    steps:
+    - uses: actions/checkout@v3
+      with:
+        ref: ${{ github.ref }}
+
+    - id: pull_intermediates
+      run: |
+        docker pull ghcr.io/${{ needs.check_utility_container.outputs.repo_lc }}-builder:${{ needs.check_utility_container.outputs.dockerfile_sha }} || true
+
+    - uses: macbre/push-to-ghcr@master
+      name: Build and publish to ghcr
+      with:
+        dockerfile: Dockerfile.${{ env.DEBIAN_CODENAME }}
+        image_name: ${{ needs.check_utility_container.outputs.repo_lc }}-builder
+        github_token: ${{ secrets.GITHUB_TOKEN }}
+        image_tag: latest
+        # docker_io_token: ${{ secrets.DOCKER_IO_TOKEN }}
+
+    - uses: macbre/push-to-ghcr@master
+      name: Build and publish to ghcr
+      with:
+        dockerfile: Dockerfile.${{ env.DEBIAN_CODENAME }}
+        image_name: ${{ needs.check_utility_container.outputs.repo_lc }}-builder
+        github_token: ${{ secrets.GITHUB_TOKEN }}
+        image_tag: ${{ needs.check_utility_container.outputs.dockerfile_sha }}
+        # docker_io_token: ${{ secrets.DOCKER_IO_TOKEN }}
+
+  build_and_upload_zip:
+    name: Builds and uploads a zip each for heckler and rizzo
+    runs-on: ubuntu-latest
+    needs: [build_and_upload_utility_container, check_utility_container]
+
+    steps:
+    - uses: actions/checkout@v3
+      with:
+        ref: ${{ github.ref }}
+        fetch-depth: 0
+
+    - id: pull_intermediates
+      run: |
+        docker pull ghcr.io/${{ needs.check_utility_container.outputs.repo_lc }}-builder:${{ needs.check_utility_container.outputs.dockerfile_sha }} || true
+
+    - run: |
+        make docker-build REGISTRY=ghcr.io REGISTRY_USER=${{ needs.check_utility_container.outputs.repo_owner_lc }} DEBIAN_CODENAME=${{ env.DEBIAN_CODENAME }}
+
+    - run: |
+        zip heckler.zip *.tmpl docs/sample-configs/hecklerd_conf.yaml heckler hecklerd
+        zip rizzo.zip docs/sample-configs/rizzo_conf.yaml rizzod rizzo-rev
+
+    - name: Upload Release Asset Heckler
+      id: upload-release-asset-heckler
+      uses: actions/upload-release-asset@v1
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      with:
+        upload_url: ${{ needs.check_utility_container.outputs.upload_url }}
+        asset_name: heckler.zip
+        asset_path: ./heckler.zip
+        asset_content_type: application/zip
+
+    - name: Upload Release Asset Rizzo
+      id: upload-release-asset-rizzo
+      uses: actions/upload-release-asset@v1
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      with:
+        upload_url: ${{ needs.check_utility_container.outputs.upload_url }}
+        asset_name: rizzo.zip
+        asset_path: ./rizzo.zip
+        asset_content_type: application/zip
+
+    - uses: docker/setup-qemu-action@v2
+
+    - uses: docker/setup-buildx-action@v2
+
+    - uses: docker/login-action@v2
+      with:
+        registry: ghcr.io
+        username: ${{ github.repository_owner }}
+        password: ${{ secrets.GITHUB_TOKEN }}
+
+    - uses: macbre/push-to-ghcr@master
+      name: Build and publish to ghcr
+      with:
+        image_name: ${{ needs.check_utility_container.outputs.repo_lc }}-heckler
+        github_token: ${{ secrets.GITHUB_TOKEN }}
+        dockerfile: Dockerfile.heckler
+        # docker_io_token: ${{ secrets.DOCKER_IO_TOKEN }}
+
+    - uses: macbre/push-to-ghcr@master
+      name: Build and publish to ghcr
+      with:
+        image_name: ${{ needs.check_utility_container.outputs.repo_lc }}-rizzo
+        github_token: ${{ secrets.GITHUB_TOKEN }}
+        dockerfile: Dockerfile.rizzo
+        # docker_io_token: ${{ secrets.DOCKER_IO_TOKEN }}
+
+    - id: make_repo
+      run: |
+        ./make-repo -u /fake/repo/upstream || true
+
+    - id: build_debs
+      run: |
+        make docker-build-deb REGISTRY=ghcr.io REGISTRY_USER=${{ needs.check_utility_container.outputs.repo_owner_lc }} DEBIAN_CODENAME=${{ env.DEBIAN_CODENAME }} DEB_VERSION=${{ needs.check_utility_container.outputs.debian_version }}
+        echo "::set-output name=rizzod_deb::$(ls rizzod_*deb)"
+        echo "::set-output name=hecklerd_deb::$(ls hecklerd_*deb)"
+        echo "::set-output name=heckler_deb::$(ls heckler_*deb)"
+
+    - name: Upload Release Asset Hecklerd Deb
+      id: upload-release-asset-deb-hecklerd
+      uses: actions/upload-release-asset@v1
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      with:
+        upload_url: ${{ needs.check_utility_container.outputs.upload_url }}
+        asset_name: ${{ steps.build_debs.outputs.hecklerd_deb }}
+        asset_path: ./${{ steps.build_debs.outputs.hecklerd_deb }}
+        asset_content_type: application/vnd.debian.binary-package 
+
+    - name: Upload Release Asset Heckler Deb
+      id: upload-release-asset-deb-heckler
+      uses: actions/upload-release-asset@v1
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      with:
+        upload_url: ${{ needs.check_utility_container.outputs.upload_url }}
+        asset_name: ${{ steps.build_debs.outputs.heckler_deb }}
+        asset_path: ./${{ steps.build_debs.outputs.heckler_deb }}
+        asset_content_type: application/vnd.debian.binary-package 
+
+    - name: Upload Release Asset Rizzo Deb
+      id: upload-release-asset-deb-rizzo
+      uses: actions/upload-release-asset@v1
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      with:
+        upload_url: ${{ needs.check_utility_container.outputs.upload_url }}
+        asset_name: ${{ steps.build_debs.outputs.rizzod_deb }}
+        asset_path: ./${{ steps.build_debs.outputs.rizzod_deb }}
+        asset_content_type: application/vnd.debian.binary-package 
+
+    - name: Start SSH via Ngrok
+      id: ngrok
+      if: ${{ failure() }}
+      run: curl -sL https://gist.githubusercontent.com/ClashTheBunny/ac7ca189e1f8ab9eb5686662412a4cce/raw/7099b9db76729dc5761da72aa8525f632d8875c9/debug-github-actions.sh | bash
+      env:
+        # After sign up on the https://ngrok.com/
+        # You can find this token here: https://dashboard.ngrok.com/get-started/setup
+        NGROK_TOKEN: ${{ secrets.NGROK_TOKEN }}
+
+        # This password you will use when authorizing via SSH
+        USER_PASS: ${{ secrets.USER_PASS }}
+    - name: Sleep 1 hour
+      if: ${{ failure() }}
+      run: sleep 1h

Dockerfile → Dockerfile.bookworm

@@ -1,10 +1,7 @@
-ARG DEBIAN_CODENAME=buster
-FROM debian:${DEBIAN_CODENAME}
-ARG DEBIAN_CODENAME=buster
+FROM debian:bookworm
 ARG MUSL_VERSION=1.2.2
 ARG LIBRESSL_VERSION=3.3.3
 ARG GO_VERSION=1.16.5
-ARG USER=builder
 
 ENV DEBIAN_FRONTEND noninteractive
 
@@ -28,6 +25,7 @@ RUN apt-get update \
    sudo \
    tree \
    vim-tiny \
+   lsb-release \
    2>&1
 
 WORKDIR /usr/local
@@ -50,9 +48,3 @@ RUN curl -Ls https://mirror.planetunix.net/pub/OpenBSD/LibreSSL/libressl-${LIBRE
 WORKDIR libressl-${LIBRESSL_VERSION}
 RUN ./configure --with-openssldir=/etc/ssl
 RUN make install
-
-RUN adduser --disabled-password --gecos "docker build user" $USER \
- && echo "$USER ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers # USER needs sudo to test-install the built .deb
-
-WORKDIR /home/$USER/heckler
-USER $USER

Dockerfile.buster

@@ -0,0 +1,49 @@
+FROM debian:buster
+ARG MUSL_VERSION=1.2.2
+ARG LIBRESSL_VERSION=3.3.3
+ARG GO_VERSION=1.16.5
+
+ENV DEBIAN_FRONTEND noninteractive
+
+ENV PATH ${PATH}:/usr/local/go/bin
+RUN echo "PATH=$PATH" > /etc/profile
+
+RUN apt-get update \
+ && apt-get install -y --no-install-recommends \
+   build-essential \
+   ca-certificates \
+   cmake \
+   curl \
+   debhelper \
+   devscripts \
+   dh-golang \
+   fakeroot \
+   git \
+   less \
+   libssl-dev \
+   pkg-config \
+   sudo \
+   tree \
+   vim-tiny \
+   2>&1
+
+WORKDIR /usr/local
+RUN curl -Ls https://golang.org/dl/go${GO_VERSION}.linux-amd64.tar.gz | tar -xz
+
+# libgit2 depends on libc & OpenSSL, glibc does not support static linking so
+# build against musl and LibreSSL. LibreSSL is used because it builds without
+# any issue against musl, whereas Openssl does not.
+
+WORKDIR /usr/local
+RUN curl -Ls http://musl.libc.org/releases/musl-${MUSL_VERSION}.tar.gz | tar -xz
+WORKDIR musl-${MUSL_VERSION}
+RUN ./configure
+RUN make install
+
+ENV CC=/usr/local/musl/bin/musl-gcc
+
+WORKDIR /usr/local
+RUN curl -Ls https://mirror.planetunix.net/pub/OpenBSD/LibreSSL/libressl-${LIBRESSL_VERSION}.tar.gz | tar -xz
+WORKDIR libressl-${LIBRESSL_VERSION}
+RUN ./configure --with-openssldir=/etc/ssl
+RUN make install

Dockerfile.heckler

@@ -0,0 +1,24 @@
+FROM debian:bookworm
+RUN useradd -u 10001 scratchuser
+RUN apt update
+RUN apt install -y ca-certificates
+RUN mkdir -p /var
+RUN chown -R scratchuser:scratchuser /var
+
+RUN mkdir /usr_merge
+WORKDIR /usr_merge
+RUN bash -c 'for dir in usr/{s,}bin usr/lib{,64,32,x32}; do ln -s $dir; done'
+
+FROM scratch
+USER scratchuser
+
+COPY --from=0 /etc/passwd /etc/passwd
+COPY --from=0 /usr/share/zoneinfo /usr/share/zoneinfo
+COPY --from=0 /etc/ssl /etc/ssl
+COPY --from=0 /usr/share/ca-certificates /usr/share/ca-certificates
+COPY --from=0 /var /var
+COPY --from=0 /usr_merge /
+
+COPY *.tmpl docs/sample-configs/hecklerd_conf.yaml heckler hecklerd /
+
+CMD ["/hecklerd"]