Add ubuntu 22.04 apt upload pipeline (#645)

jakub-tldr · t-aleksander · web-flow · commit f8aa403ad770 · 2025-10-29T16:05:26.000+01:00
* release ubuntu client

* add run on branch

* tauri action version change

* fix version variable

* remove sudo

* add sudo to apt-sign

* job for building ubuntu22.04 client with apt uploading/signing

* Update release.yaml

---------

Co-authored-by: Aleksander &lt;170264518+t-aleksander@users.noreply.github.com&gt;
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -119,7 +119,7 @@ jobs:
         run: |
           apt-get install -y build-essential libgtk-3-dev libwebkit2gtk-4.1-dev libayatana-appindicator3-dev librsvg2-dev patchelf libssl-dev libxdo-dev unzip protobuf-compiler libprotobuf-dev rpm
       - name: Build packages
-        uses: tauri-apps/tauri-action@v0
+        uses: tauri-apps/tauri-action@v0.5.23
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:
@@ -133,6 +133,18 @@ jobs:
           asset_path: src-tauri/target/release/bundle/deb/defguard-client_${{ env.VERSION }}_${{ matrix.deb_arch }}.deb
           asset_name: defguard-client_${{ env.VERSION }}_${{ matrix.deb_arch }}_ubuntu-22-04-lts.deb
           asset_content_type: application/octet-stream
+      - name: Install ruby with deb-s3
+        if: matrix.build != 'freebsd'
+        run: |
+          apt-get install -y ruby
+          gem install deb-s3
+          echo "$(ruby -r rubygems -e 'puts Gem.user_dir')/bin" >> $GITHUB_PATH
+      - name: Upload DEB to APT repository 
+        run: |
+          COMPONENT=$([[ "${{ github.ref_name }}" == *"-"* ]] && echo "pre-release" || echo "release") # if tag contain "-" assume it's pre-release.
+
+          deb-s3 upload -l --bucket=apt.defguard.net --access-key-id=${{ secrets.AWS_ACCESS_KEY_APT }} --secret-access-key=${{ secrets.AWS_SECRET_KEY_APT }} --s3-region=eu-north-1 --no-fail-if-exists --codename=bookworm --component="$COMPONENT" src-tauri/target/release/bundle/deb/defguard-client_${{ env.VERSION }}_${{ matrix.deb_arch }}.deb
+          
 
   build-linux:
     needs:
@@ -519,3 +531,40 @@ jobs:
           asset_path: defguard-client-signed.exe
           asset_name: defguard-client_${{ env.VERSION }}_x64_en-US.exe
           asset_content_type: application/octet-stream
+
+  apt-sign:
+    needs: 
+      - build-linux
+      - ubuntu-22-04-build
+    runs-on:
+      - self-hosted
+      - Linux
+      - X64
+    strategy:
+      fail-fast: false
+    steps:
+      - name: Sign APT repository
+        run: |
+          export AWS_ACCESS_KEY_ID=${{ secrets.AWS_ACCESS_KEY_APT }}
+          export AWS_SECRET_ACCESS_KEY=${{ secrets.AWS_SECRET_KEY_APT }}
+          export AWS_REGION=eu-north-1
+          sudo apt update -y
+          sudo apt install -y awscli curl jq
+
+          for DIST in trixie bookworm; do
+            aws s3 cp s3://apt.defguard.net/dists/${DIST}/Release .
+            
+            curl -X POST "${{ secrets.DEFGUARD_SIGNING_URL }}?signature_type=both" \
+              -H "Authorization: Bearer ${{ secrets.DEFGUARD_SIGNING_API_KEY }}" \
+              -F "file=@Release" \
+              -o response.json
+            
+            cat response.json | jq -r '.files["Release.gpg"].content' | base64 --decode > Release.gpg
+            cat response.json | jq -r '.files.Release.content' | base64 --decode > InRelease
+            
+            aws s3 cp Release.gpg s3://apt.defguard.net/dists/${DIST}/ --acl public-read
+            aws s3 cp InRelease s3://apt.defguard.net/dists/${DIST}/ --acl public-read
+
+          done
+          (aws s3 ls s3://apt.defguard.net/dists/ --recursive; aws s3 ls s3://apt.defguard.net/pool/ --recursive) | awk '{print "<a href=\""$4"\">"$4"</a><br>"}' > index.html
+          aws s3 cp index.html s3://apt.defguard.net/ --acl public-read
