From a6fda6ba7347eb5b85a86035b84f1c1db7a6227e Mon Sep 17 00:00:00 2001 From: Paolo Tranquilli Date: Mon, 10 Nov 2025 11:27:55 +0100 Subject: [PATCH 1/7] CI: make `build-ripunzip.yml` auto-create update PR --- .github/workflows/build-ripunzip.yml | 107 ++++++++++++++++++++++++--- 1 file changed, 98 insertions(+), 9 deletions(-) diff --git a/.github/workflows/build-ripunzip.yml b/.github/workflows/build-ripunzip.yml index 5f037d08aa33..136870d94503 100644 --- a/.github/workflows/build-ripunzip.yml +++ b/.github/workflows/build-ripunzip.yml @@ -4,20 +4,43 @@ on: workflow_dispatch: inputs: ripunzip-version: - description: "what reference to checktout from google/runzip" + description: What reference to checktout from google/runzip. Latest by default required: false openssl-version: - description: "what reference to checkout from openssl/openssl for Linux" + description: What reference to checkout from openssl/openssl for Linux. Latest by default required: false + open-pr: + description: Open a pull request updating the ripunzip versions committed to lfs + required: false + default: true # will be false on PRs pull_request: paths: - .github/workflows/build-ripunzip.yml -env: - RIPUNZIP_DEFAULT: v2.0.3 - OPENSSL_DEFAULT: openssl-3.6.0 jobs: + versions: + runs-on: ubuntu-slim + outputs: + ripunzip-version: ${{ inputs.ripunzip-version || steps.fetch-ripunzip-version.outputs.version }} + openssl-version: ${{ inputs.openssl-version || steps.fetch-openssl-version.outputs.version }} + steps: + - name: Fetch latest ripunzip version + id: fetch-ripunzip-version + if: "!inputs.ripunzip-version" + run: &fetch-version + echo "version=$(gh release view --repo $REPO --json tagName --jq .tagName)" | tee -a $GITHUB_OUTPUT + env: + REPO: "google/ripunzip" + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + - name: Fetch latest openssl version + id: fetch-openssl-version + if: "!inputs.openssl-version" + run: *fetch-version + env: + REPO: "openssl/openssl" + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} build: + needs: versions strategy: fail-fast: false matrix: @@ -27,7 +50,7 @@ jobs: - uses: actions/checkout@v5 with: repository: google/ripunzip - ref: ${{ inputs.ripunzip-version || env.RIPUNZIP_DEFAULT }} + ref: ${{ needs.versions.outputs.ripunzip-version }} # we need to avoid ripunzip dynamically linking into libssl # see https://github.com/sfackler/rust-openssl/issues/183 - if: runner.os == 'Linux' @@ -36,7 +59,7 @@ jobs: with: repository: openssl/openssl path: openssl - ref: ${{ inputs.openssl-version || env.OPENSSL_DEFAULT }} + ref: ${{ needs.versions.outputs.openssl-version }} - if: runner.os == 'Linux' name: build and install openssl with fPIC shell: bash @@ -68,11 +91,77 @@ jobs: lipo -create -output ripunzip-macos \ -arch x86_64 target/x86_64-apple-darwin/release/ripunzip \ -arch arm64 target/aarch64-apple-darwin/release/ripunzip - - uses: actions/upload-artifact@v4 + - name: Archive (POSIX) + if: runner.os != 'Windows' + shell: bash + run: | + zip -j ripunzip-${{ runner.os }}.zip ripunzip-* + - name: Archive (Windows) + if: runner.os == 'Windows' + shell: powershell + run: | + Compress-Archive -Path ripunzip-* -DestinationPath ripunzip-${{ runner.os }}.zip -Force + - name: Upload built binary + uses: actions/upload-artifact@v4 with: name: ripunzip-${{ runner.os }} - path: ripunzip-* + path: ripunzip-${{ runner.os }}.zip + retention-days: 5 + compression: 0 - name: Check built binary shell: bash run: | + rm -f ripunzip-*.zip ./ripunzip-* --version + publish: + needs: [versions, build] + if: inputs.open-pr == 'true' + runs-on: ubuntu-slim + steps: + # workaround for git-lfs not being installed yet on ubuntu-slim runners + - name: Ensure git-lfs is installed + shell: bash + run: | + if which git-lfs &>/dev/null; then + echo "git-lfs is already installed" + exit 0 + fi + cd $TMP + gh release download --repo git-lfs/git-lfs --pattern "git-lfs-linux-amd64-*.tar.gz" --clobber + tar xzf git-lfs-linux-amd64-*.tar.gz + rm git-lfs-linux-amd64-*.tar.gz + cd git-lfs-* + pwd | tee -a $GITHUB_PATH + env: + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + - uses: actions/checkout@v5 + with: + sparse-checkout: | + .github + misc/ripunzip + lfs: true + - name: Download built binaries + uses: actions/download-artifact@v4 + with: + merge-multiple: true + path: misc/ripunzip + - name: Open PR + shell: bash + run: | + git config --global user.name "github-actions[bot]" + git config --global user.email "github-actions[bot]@users.noreply.github.com" + git switch -c update-ripunzip + git add misc/ripunzip + git commit -m "Update ripunzip binaries to version $VERSION" + git push --set-upstream origin update-ripunzip --force + TITLE="Update ripunzip binaries to version $VERSION" + gh pr create \ + --draft \ + --title "$TITLE" \ + --body "Automated update of ripunzip binaries." \ + --assignee "$ACTOR" || + (gh pr edit --title "$TITLE" --add-assignee "$ACTOR" && gh pr ready --undo) + env: + ACTOR: ${{ github.actor }} + VERSION: ${{ needs.versions.outputs.ripunzip-version }} + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} From 02e696d9ccaf8b5ad31595b4469cd14ef69552fd Mon Sep 17 00:00:00 2001 From: Paolo Tranquilli Date: Mon, 10 Nov 2025 15:58:43 +0100 Subject: [PATCH 2/7] Update .github/workflows/build-ripunzip.yml Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- .github/workflows/build-ripunzip.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build-ripunzip.yml b/.github/workflows/build-ripunzip.yml index 136870d94503..8ce04c47dde5 100644 --- a/.github/workflows/build-ripunzip.yml +++ b/.github/workflows/build-ripunzip.yml @@ -4,7 +4,7 @@ on: workflow_dispatch: inputs: ripunzip-version: - description: What reference to checktout from google/runzip. Latest by default + description: What reference to checkout from google/ripunzip. Latest by default required: false openssl-version: description: What reference to checkout from openssl/openssl for Linux. Latest by default From 295744eb36631870fca79093530fd14449e37141 Mon Sep 17 00:00:00 2001 From: Paolo Tranquilli Date: Tue, 11 Nov 2025 12:00:30 +0100 Subject: [PATCH 3/7] Set permissions --- .github/workflows/build-ripunzip.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/.github/workflows/build-ripunzip.yml b/.github/workflows/build-ripunzip.yml index 8ce04c47dde5..07e00bff8118 100644 --- a/.github/workflows/build-ripunzip.yml +++ b/.github/workflows/build-ripunzip.yml @@ -17,6 +17,8 @@ on: paths: - .github/workflows/build-ripunzip.yml +permissions: {} + jobs: versions: runs-on: ubuntu-slim @@ -116,6 +118,9 @@ jobs: publish: needs: [versions, build] if: inputs.open-pr == 'true' + permissions: + contents: write + pull-requests: write runs-on: ubuntu-slim steps: # workaround for git-lfs not being installed yet on ubuntu-slim runners From 47f2617b4db35516bacfd67434034e496b012d12 Mon Sep 17 00:00:00 2001 From: Paolo Tranquilli Date: Tue, 11 Nov 2025 12:07:19 +0100 Subject: [PATCH 4/7] Use other compression method for ripunzip --- .github/workflows/build-ripunzip.yml | 13 +++---------- 1 file changed, 3 insertions(+), 10 deletions(-) diff --git a/.github/workflows/build-ripunzip.yml b/.github/workflows/build-ripunzip.yml index 07e00bff8118..a8868adad98e 100644 --- a/.github/workflows/build-ripunzip.yml +++ b/.github/workflows/build-ripunzip.yml @@ -93,21 +93,14 @@ jobs: lipo -create -output ripunzip-macos \ -arch x86_64 target/x86_64-apple-darwin/release/ripunzip \ -arch arm64 target/aarch64-apple-darwin/release/ripunzip - - name: Archive (POSIX) - if: runner.os != 'Windows' - shell: bash - run: | - zip -j ripunzip-${{ runner.os }}.zip ripunzip-* - - name: Archive (Windows) - if: runner.os == 'Windows' - shell: powershell + - name: Archive run: | - Compress-Archive -Path ripunzip-* -DestinationPath ripunzip-${{ runner.os }}.zip -Force + tar acf ripunzip-${{ runner.os }}.tar.zst ripunzip-* - name: Upload built binary uses: actions/upload-artifact@v4 with: name: ripunzip-${{ runner.os }} - path: ripunzip-${{ runner.os }}.zip + path: ripunzip-${{ runner.os }}.tar.zst retention-days: 5 compression: 0 - name: Check built binary From 99baf98897c42403897b53b06319a28144dabadc Mon Sep 17 00:00:00 2001 From: Paolo Tranquilli Date: Tue, 11 Nov 2025 12:46:28 +0100 Subject: [PATCH 5/7] Fix `build-ripunzip.yml` --- .github/workflows/build-ripunzip.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build-ripunzip.yml b/.github/workflows/build-ripunzip.yml index a8868adad98e..2982cf3099fc 100644 --- a/.github/workflows/build-ripunzip.yml +++ b/.github/workflows/build-ripunzip.yml @@ -106,7 +106,7 @@ jobs: - name: Check built binary shell: bash run: | - rm -f ripunzip-*.zip + rm -f ripunzip-*.tar.zst ./ripunzip-* --version publish: needs: [versions, build] From 104f0e3a0232c137e34cbc22e22ab0eb32440296 Mon Sep 17 00:00:00 2001 From: Paolo Tranquilli Date: Tue, 11 Nov 2025 12:51:30 +0100 Subject: [PATCH 6/7] Fix `build-ripunzip.yml` archive step on windows --- .github/workflows/build-ripunzip.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/build-ripunzip.yml b/.github/workflows/build-ripunzip.yml index 2982cf3099fc..2bf932d9c146 100644 --- a/.github/workflows/build-ripunzip.yml +++ b/.github/workflows/build-ripunzip.yml @@ -94,8 +94,9 @@ jobs: -arch x86_64 target/x86_64-apple-darwin/release/ripunzip \ -arch arm64 target/aarch64-apple-darwin/release/ripunzip - name: Archive + shell: bash run: | - tar acf ripunzip-${{ runner.os }}.tar.zst ripunzip-* + tar acf ripunzip-$RUNNER_OS.tar.zst ripunzip-${RUNNER_OS,,} - name: Upload built binary uses: actions/upload-artifact@v4 with: From e2671da05fcbe7e512ebbfe3f3e2d31f8bf79364 Mon Sep 17 00:00:00 2001 From: Paolo Tranquilli Date: Tue, 11 Nov 2025 13:00:50 +0100 Subject: [PATCH 7/7] Fix `build-ripunzip.yml` archive step on macos --- .github/workflows/build-ripunzip.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build-ripunzip.yml b/.github/workflows/build-ripunzip.yml index 2bf932d9c146..08547268e3b8 100644 --- a/.github/workflows/build-ripunzip.yml +++ b/.github/workflows/build-ripunzip.yml @@ -96,7 +96,7 @@ jobs: - name: Archive shell: bash run: | - tar acf ripunzip-$RUNNER_OS.tar.zst ripunzip-${RUNNER_OS,,} + tar acf ripunzip-$RUNNER_OS.tar.zst ripunzip-$(echo $RUNNER_OS | tr '[:upper:]' '[:lower:]') - name: Upload built binary uses: actions/upload-artifact@v4 with: