+++ /dev/null
-FROM debian:10
-
-
-# Configuration version history
-# v1.0 - Initial version by Etienne Champetier
-# v1.0.1 - Run as non-root, add unzip, xz-utils
-# v1.0.2 - Add bzr
-# v1.0.3 - Verify usign signatures
-# v1.0.4 - Add support for Python3
-# v1.0.5 - Add 19.07 public keys, verify keys
-# v1.0.6 - Add 21.02 public keys, update Debian image to version 10, add rsync
-# v1.0.7 - Add 22.03 public keys, 18.06 v2 gpg key, 18.06 usign key
-
-RUN apt update && apt install -y \
-build-essential \
-bzr \
-curl \
-jq \
-gawk \
-gettext \
-git \
-libncurses5-dev \
-libssl-dev \
-python \
-python3 \
-signify-openbsd \
-subversion \
-rsync \
-time \
-unzip \
-wget \
-xz-utils \
-zlib1g-dev \
-&& rm -rf /var/lib/apt/lists/*
-
-RUN useradd -c "OpenWrt Builder" -m -d /home/build -s /bin/bash build
-USER build
-ENV HOME /home/build
-
-# OpenWrt Build System (PGP key for unattended snapshot builds)
-RUN curl 'https://git.openwrt.org/?p=keyring.git;a=blob_plain;f=gpg/626471F1.asc' | gpg --import \
- && gpg --fingerprint --with-colons '<pgpsign-snapshots@openwrt.org>' | grep '^fpr:::::::::54CC74307A2C6DC9CE618269CD84BCED626471F1:$' \
- && echo '54CC74307A2C6DC9CE618269CD84BCED626471F1:6:' | gpg --import-ownertrust
-
-# OpenWrt Build System (PGP key for 17.01 "Reboot" release builds)
-RUN curl 'https://git.openwrt.org/?p=keyring.git;a=blob_plain;f=gpg/D52BBB6B.asc' | gpg --import \
- && gpg --fingerprint --with-colons '<pgpsign-17.01@openwrt.org>' | grep '^fpr:::::::::B09BE781AE8A0CD4702FDCD3833C6010D52BBB6B:$' \
- && echo 'B09BE781AE8A0CD4702FDCD3833C6010D52BBB6B:6:' | gpg --import-ownertrust
-
-# OpenWrt Release Builder (18.06 Signing Key)
-RUN curl 'https://git.openwrt.org/?p=keyring.git;a=blob_plain;f=gpg/17E1CE16.asc' | gpg --import \
- && gpg --fingerprint --with-colons '<openwrt-devel@lists.openwrt.org>' | grep '^fpr:::::::::6768C55E79B032D77A28DA5F0F20257417E1CE16:$' \
- && echo '6768C55E79B032D77A28DA5F0F20257417E1CE16:6:' | gpg --import-ownertrust
-
-# OpenWrt Build System (PGP key for 18.06 release builds)
-RUN curl 'https://git.openwrt.org/?p=keyring.git;a=blob_plain;f=gpg/15807931.asc' | gpg --import \
- && gpg --fingerprint --with-colons '<pgpsign-18.06@openwrt.org>' | grep '^fpr:::::::::AD0507363D2BCE9C9E36CEC4FBCB78F015807931:$' \
- && echo 'AD0507363D2BCE9C9E36CEC4FBCB78F015807931:6:' | gpg --import-ownertrust
-
-# OpenWrt Build System (PGP key for 19.07 release builds)
-RUN curl 'https://git.openwrt.org/?p=keyring.git;a=blob_plain;f=gpg/2074BE7A.asc' | gpg --import \
- && gpg --fingerprint --with-colons '<pgpsign-19.07@openwrt.org>' | grep '^fpr:::::::::D9C6901F45C9B86858687DFF28A39BC32074BE7A:$' \
- && echo 'D9C6901F45C9B86858687DFF28A39BC32074BE7A:6:' | gpg --import-ownertrust
-
-# OpenWrt Build System (PGP key for 21.02 release builds)
-RUN curl 'https://git.openwrt.org/?p=keyring.git;a=blob_plain;f=gpg/88CA59E8.asc' | gpg --import \
- && gpg --fingerprint --with-colons '<pgpsign-21.02@openwrt.org>' | grep '^fpr:::::::::667205E379BAF348863A5C6688CA59E88F681580:$' \
- && echo '667205E379BAF348863A5C6688CA59E88F681580:6:' | gpg --import-ownertrust
-
-# OpenWrt Build System (GnuPGP key for 22.03 release builds)
-RUN curl 'https://git.openwrt.org/?p=keyring.git;a=blob_plain;f=gpg/CD54E82DADB3684D.asc' | gpg --import \
- && gpg --fingerprint --with-colons '<pgpsign-22.03@openwrt.org>' | grep '^fpr:::::::::BF856781A01293C8409ABE72CD54E82DADB3684D:$' \
- && echo 'BF856781A01293C8409ABE72CD54E82DADB3684D:6:' | gpg --import-ownertrust
-
-# untrusted comment: Public usign key for unattended snapshot builds
-RUN curl 'https://git.openwrt.org/?p=keyring.git;a=blob_plain;f=usign/b5043e70f9a75cde' --create-dirs -o /home/build/usign/b5043e70f9a75cde \
- && echo 'd7ac10f9ed1b38033855f3d27c9327d558444fca804c685b17d9dcfb0648228f */home/build/usign/b5043e70f9a75cde' | sha256sum --check
-
-# untrusted comment: Public usign key for 18.06 release builds
-RUN curl 'https://git.openwrt.org/?p=keyring.git;a=blob_plain;f=usign/1035ac73cc4e59e3' --create-dirs -o /home/build/usign/1035ac73cc4e59e3 \
- && echo '8dc2e7f5c4e634437e6641f4df77a18bf59f0c8e9016c8ba4be5d4a0111e68c2 */home/build/usign/1035ac73cc4e59e3' | sha256sum --check
-
-# untrusted comment: Public usign key for 19.07 release builds
-RUN curl 'https://git.openwrt.org/?p=keyring.git;a=blob_plain;f=usign/f94b9dd6febac963' --create-dirs -o /home/build/usign/f94b9dd6febac963 \
- && echo 'b1d09457cfbc36fccfe18382d65c54a2ade3e7fd3902da490a53aa517b512755 */home/build/usign/f94b9dd6febac963' | sha256sum --check
-
-# untrusted comment: Public usign key for 21.02 release builds
-RUN curl 'https://git.openwrt.org/?p=keyring.git;a=blob_plain;f=usign/2f8b0b98e08306bf' --create-dirs -o /home/build/usign/2f8b0b98e08306bf \
- && echo 'd102bdd75421c62490b97f520f9db06aadb44ad408b244755d26e96ea5cd3b7f */home/build/usign/2f8b0b98e08306bf' | sha256sum --check
-
-# untrusted comment: Public usign key for 22.03 release builds
-RUN curl 'https://git.openwrt.org/?p=keyring.git;a=blob_plain;f=usign/4d017e6f1ed5d616' --create-dirs -o /home/build/usign/4d017e6f1ed5d616 \
- && echo 'f3c5fdf447d7c2743442e68077d60acc7c3e91754849e1f4b6be837b4204b7e2 */home/build/usign/4d017e6f1ed5d616' | sha256sum --check
+++ /dev/null
-version: 2.0
-jobs:
- build:
- docker:
- - image: docker.io/openwrtorg/packages-cci:v1.0.7
- environment:
- - SDK_HOST: "downloads.openwrt.org"
- - SDK_PATH: "snapshots/targets/ath79/generic"
- - SDK_FILE: "openwrt-sdk-ath79-generic_*.Linux-x86_64.tar.xz"
- - BRANCH: "master"
- steps:
- - checkout:
- path: ~/openwrt_packages
-
- - run:
- name: Check changes / verify commits
- working_directory: ~/openwrt_packages
- command: |
- cat >> $BASH_ENV <<EOF
- echo_red() { printf "\033[1;31m\$*\033[m\n"; }
- echo_green() { printf "\033[1;32m\$*\033[m\n"; }
- echo_blue() { printf "\033[1;34m\$*\033[m\n"; }
- EOF
- source $BASH_ENV
-
- RET=0
- for commit in $(git rev-list HEAD ^origin/$BRANCH); do
- echo_blue "=== Checking commit '$commit'"
- if git show --format='%P' -s $commit | grep -qF ' '; then
- echo_red "Pull request should not include merge commits"
- RET=1
- fi
-
- author="$(git show -s --format=%aN $commit)"
- if echo $author | grep -q '\S\+\s\+\S\+'; then
- echo_green "Author name ($author) seems ok"
- else
- echo_red "Author name ($author) need to be your real name 'firstname lastname'"
- RET=1
- fi
-
- subject="$(git show -s --format=%s $commit)"
- if echo "$subject" | grep -q -e '^[0-9A-Za-z,+/_-]\+: ' -e '^Revert '; then
- echo_green "Commit subject line seems ok ($subject)"
- else
- echo_red "Commit subject line MUST start with '<package name>: ' ($subject)"
- RET=1
- fi
-
- body="$(git show -s --format=%b $commit)"
- sob="$(git show -s --format='Signed-off-by: %aN <%aE>' $commit)"
- if echo "$body" | grep -qF "$sob"; then
- echo_green "Signed-off-by match author"
- else
- echo_red "Signed-off-by is missing or doesn't match author (should be '$sob')"
- RET=1
- fi
- done
-
- exit $RET
-
- - run:
- name: Download the SDK
- working_directory: ~/sdk
- command: |
- curl "https://$SDK_HOST/$SDK_PATH/sha256sums" -sS -o sha256sums
- curl "https://$SDK_HOST/$SDK_PATH/sha256sums.asc" -fs -o sha256sums.asc || true
- curl "https://$SDK_HOST/$SDK_PATH/sha256sums.sig" -fs -o sha256sums.sig || true
- if [ ! -f sha256sums.asc ] && [ ! -f sha256sums.sig ]; then
- echo_red "Missing sha256sums signature files"
- exit 1
- fi
- [ ! -f sha256sums.asc ] || gpg --with-fingerprint --verify sha256sums.asc sha256sums
- if [ -f sha256sums.sig ]; then
- VERIFIED=
- for KEY in ~/usign/*; do
- echo "Trying $KEY..."
- if signify-openbsd -V -q -p "$KEY" -x sha256sums.sig -m sha256sums; then
- echo "...verified"
- VERIFIED=1
- break
- fi
- done
- if [ -z "$VERIFIED" ]; then
- echo_red "Could not verify usign signature"
- exit 1
- fi
- fi
- rsync -av "$SDK_HOST::downloads/$SDK_PATH/$SDK_FILE" .
- sha256sum -c --ignore-missing sha256sums
-
- - run:
- name: Prepare build_dir
- working_directory: ~/build_dir
- command: |
- tar Jxf ~/sdk/$SDK_FILE --strip=1
- touch .config
- make prepare-tmpinfo scripts/config/conf
- ./scripts/config/conf --defconfig=.config Config.in
- make prereq
- rm .config
- cat > feeds.conf <<EOF
- src-git base https://github.com/openwrt/openwrt.git;$BRANCH
- src-link packages $HOME/openwrt_packages
- src-git luci https://github.com/openwrt/luci.git;$BRANCH
- EOF
- cat feeds.conf
- ./scripts/feeds update -a > /dev/null
- make defconfig > /dev/null
- # enable BUILD_LOG
- sed -i 's/# CONFIG_BUILD_LOG is not set/CONFIG_BUILD_LOG=y/' .config
-
- - run:
- name: Install & download source, check package, compile
- working_directory: ~/build_dir
- command: |
- set +o pipefail
- PKGS=$(cd ~/openwrt_packages; git diff --diff-filter=d --name-only "origin/$BRANCH..." | grep 'Makefile$' | grep -Ev '/files/|/src/' | awk -F/ '{ print $(NF-1) }')
- if [ -z "$PKGS" ] ; then
- echo_blue "WARNING: No new or modified packages found!"
- exit 0
- fi
-
- echo_blue "=== Found new/modified packages: $PKGS"
- for PKG in $PKGS ; do
- echo_blue "===+ Install: $PKG"
- ./scripts/feeds install "$PKG"
-
- echo_blue "===+ Download: $PKG"
- make "package/$PKG/download" V=s
-
- echo_blue "===+ Check package: $PKG"
- make "package/$PKG/check" V=s 2>&1 | tee logtmp
- RET=${PIPESTATUS[0]}
-
- if [ $RET -ne 0 ]; then
- echo_red "=> Package check failed: $RET)"
- exit $RET
- fi
-
- badhash_msg="HASH does not match "
- badhash_msg+="|HASH uses deprecated hash,"
- badhash_msg+="|HASH is missing,"
- if grep -qE "$badhash_msg" logtmp; then
- echo_red "=> Package HASH check failed"
- exit 1
- fi
- echo_green "=> Package check OK"
- done
-
- make \
- -f .config \
- -f tmp/.packagedeps \
- -f <(echo '$(info $(sort $(package-y) $(package-m)))'; echo -en 'a:\n\t@:') \
- | tr ' ' '\n' >enabled-package-subdirs.txt
- for PKG in $PKGS ; do
- if ! grep -m1 -qE "(^|/)$PKG$" enabled-package-subdirs.txt; then
- echo_red "===+ Building: $PKG skipped. It cannot be enabled with $SDK_FILE"
- continue
- fi
- echo_blue "===+ Building: $PKG"
- make "package/$PKG/compile" -j3 V=s || {
- RET=$?
- echo_red "===+ Building: $PKG failed, rebuilding with -j1 for human readable error log"
- make "package/$PKG/compile" -j1 V=s; exit $RET
- }
- done
-
- - store_artifacts:
- path: ~/build_dir/logs
-
- - store_artifacts:
- path: ~/build_dir/bin
-
-workflows:
- version: 2
- buildpr:
- jobs:
- - build:
- filters:
- branches:
- ignore: master