diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index 0f77d5b..80a23e3 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -52,7 +52,7 @@ jobs: # make sure to collect artifacts in a separate directory # makes uploading easier mkdir -p out - (cd out && ../build-with-docker.sh) + (cd out && ../scripts/build-with-docker.sh) - name: Sign env: @@ -61,7 +61,7 @@ jobs: if: ${{ env.SIGNING_KEY != '' }} run: | find out - ./sign.sh out/runtime-* + scripts/sign.sh out/runtime-* # copy pubkey so that it's included with the files uploaded to the release page cp signing-pubkey.asc out/ diff --git a/Dockerfile b/Dockerfile index 30f271d..2c6d123 100644 --- a/Dockerfile +++ b/Dockerfile 
@@ -7,32 +7,8 @@ RUN apk add --no-cache \ eudev-dev gettext-dev linux-headers meson \ zstd-dev zstd-static zlib-dev zlib-static # fuse3-dev fuse3-static fuse-static fuse-dev +COPY scripts/install-dependencies.sh /tmp/scripts/install-dependencies.sh COPY patches/ /tmp/patches/ WORKDIR /tmp - -RUN wget https://github.com/libfuse/libfuse/releases/download/fuse-3.15.0/fuse-3.15.0.tar.xz && \ - echo "70589cfd5e1cff7ccd6ac91c86c01be340b227285c5e200baa284e401eea2ca0 fuse-3.15.0.tar.xz" | sha256sum -c && \ - tar xf fuse-3.*.tar.xz && \ - cd fuse-3*/ && \ - patch -p1 < /tmp/patches/libfuse/mount.c.diff && \ - mkdir build && \ - cd build && \ - meson setup --prefix=/usr .. && \ - meson configure --default-library static && \ - ninja -v install && \ - rm -r /tmp/fuse-* - -# Minimize binary size -ENV CFLAGS="-ffunction-sections -fdata-sections -Os" - -RUN wget "https://github.com/vasi/squashfuse/archive/e51978c.tar.gz" && \ - echo "f544029ad30d8fbde4e4540c574b8cdc6d38b94df025a98d8551a9441f07d341 e51978c.tar.gz" | sha256sum -c && \ - tar xf e51978c.tar.gz && \ - cd squashfuse-*/ && \ - ./autogen.sh && \ - ./configure CFLAGS="${CFLAGS} -no-pie" LDFLAGS=-static && \ - make -j"$(nproc)" && \ - make install && \ - /usr/bin/install -c -m 644 ./*.h '/usr/local/include/squashfuse' && \ - rm -r /tmp/e51978c* /tmp/squashfuse* +RUN bash scripts/install-dependencies.sh diff --git a/build-in-container.sh b/scripts/build-in-container.sh similarity index 100% rename from build-in-container.sh rename to scripts/build-in-container.sh diff --git a/scripts/build-with-docker.sh b/scripts/build-with-docker.sh new file mode 100755 index 0000000..66554e9 --- /dev/null +++ b/scripts/build-with-docker.sh 
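Review bot: Removing `ENV CFLAGS="-ffunction-sections -fdata-sections -Os"` from the Dockerfile changes more than the dependency build. An `ENV` persists into every container started from the image, whereas the `export CFLAGS=...` in scripts/install-dependencies.sh lasts only for that one `RUN`. If scripts/build-in-container.sh or its build files relied on inheriting those size flags (not visible in this diff), the runtime binary is now built without them; either keep the `ENV CFLAGS=...` line here or set the flags explicitly in the runtime build. The new `RUN bash scripts/install-dependencies.sh` also needs bash in the image, and since the `apk add` list starts above this hunk, confirm it is installed there.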
@@ -0,0 +1,12 @@
+#! /bin/bash
+
+set -euo pipefail
+
+orig_cwd="$(readlink -f .)"
+
+this_dir="$(readlink -f "$(dirname "${BASH_SOURCE[0]}")")"/
+
+bash "$this_dir"/create-build-container.sh -u "$(id -u):$(id -g)" -- bash scripts/build-in-container.sh
+
+# done!
+# you should now have the binary in your current working directory
diff --git a/build-with-docker.sh b/scripts/create-build-container.sh
similarity index 60%
rename from build-with-docker.sh
rename to scripts/create-build-container.sh
index b4a2c2a..d0535b2 100755
--- a/build-with-docker.sh
+++ b/scripts/create-build-container.sh
@@ -21,7 +21,7 @@ case "${ARCH}" in
 ;;
 armhf)
 docker_arch=arm32v7
- docker_platform=linux/arm32/v7
+ docker_platform=linux/arm/v7
 ;;
 aarch64)
 docker_arch=arm64v8
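Review bot: In the new scripts/build-with-docker.sh, `orig_cwd="$(readlink -f .)"` is assigned but never used or exported. The child is started with `bash "$this_dir"/create-build-container.sh`, so it cannot read this variable; its `docker run` line mounts `"$orig_cwd"` and must therefore define it itself in lines outside the visible hunks. Either drop the assignment here or, if the child is meant to inherit it, write `export orig_cwd`, so the source of the `/ws/out` mount is unambiguous.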
@@ -37,16 +37,30 @@ image_name="$docker_arch"/type2-runtime-build # first, we need to build the image # if nothing has changed, it'll run over this within a few seconds -this_dir="$(readlink -f "$(dirname "${BASH_SOURCE[0]}")")" -docker build --build-arg docker_arch="$docker_arch" --platform "$docker_platform" -t "$image_name" "$this_dir" +repo_root_dir="$(readlink -f "$(dirname "${BASH_SOURCE[0]}")"/..)"/ +docker build --build-arg docker_arch="$docker_arch" --platform "$docker_platform" -t "$image_name" "$repo_root_dir" docker_run_args=() [[ -t 0 ]] && docker_run_args+=("-t") -# next, build the binary in a container running this image -# we run the build as an unprivileged user to a) make sure that the build process does not require root permissions and b) make the resulting binary writable to the current user -set -x -docker run -u "$(id -u):$(id -g)" --platform "$docker_platform" --rm -i "${docker_run_args[@]}" -w /ws -v "$this_dir":/ws -v "$orig_cwd":/ws/out "$image_name" bash build-in-container.sh +# split Docker args from command +while true; do + # no more args left + if [[ "${1:-}" == "" ]]; then + break + fi + + # consume --, the remaining args will be in the $@ array + if [[ "$1" == "--" ]]; then + shift + break + fi -# done! -# you should now have the binary in your current working directory + # append and consume Docker arg + docker_run_args+=("$1") + shift +done + +# finally, we can run the build container +# we run the build as an unprivileged user to a) make sure that the build process does not require root permissions and b) make the resulting binary writable to the current user +exec docker run -u "$(id -u):$(id -g)" --platform "$docker_platform" --rm -i "${docker_run_args[@]}" -w /ws -v "$repo_root_dir":/ws -v "$orig_cwd":/ws/out "$image_name" "$@" diff --git a/scripts/install-dependencies.sh b/scripts/install-dependencies.sh new file mode 100644 index 0000000..c0f1ed4 --- /dev/null +++ b/scripts/install-dependencies.sh 
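Review bot: On the `exec docker run` line the forwarded `"${docker_run_args[@]}"` are expanded after the hard-coded `-u "$(id -u):$(id -g)"`, so a caller-supplied `-u` will typically take precedence, and the "unprivileged user" guarantee in the comment above holds only if callers never pass one. scripts/build-with-docker.sh already passes the same `-u` value, so the flag is now given twice. If the guarantee is meant to be enforced, expand `"${docker_run_args[@]}"` before the fixed flags so the script's own `-u` comes last, and drop the duplicate from the wrapper. Separately, the loop test `[[ "${1:-}" == "" ]]` also stops at an explicitly empty argument and leaves it in `"$@"`; `while (($# > 0)); do` expresses "no more args" exactly.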
@@ -0,0 +1,31 @@
+#! /bin/bash
+
+set -euo pipefail
+
+wget https://github.com/libfuse/libfuse/releases/download/fuse-3.15.0/fuse-3.15.0.tar.xz
+echo "70589cfd5e1cff7ccd6ac91c86c01be340b227285c5e200baa284e401eea2ca0 fuse-3.15.0.tar.xz" | sha256sum -c -
+tar xf fuse-3.*.tar.xz
+pushd fuse-3*/
+patch -p1 < /tmp/patches/libfuse/mount.c.diff
+mkdir build
+cd build
+meson setup --prefix=/usr ..
+meson configure --default-library static
+ninja -v install
+popd
+rm -r fuse-*
+
+# Minimize binary size
+export CFLAGS="-ffunction-sections -fdata-sections -Os"
+
+wget "https://github.com/vasi/squashfuse/archive/e51978c.tar.gz"
+echo "f544029ad30d8fbde4e4540c574b8cdc6d38b94df025a98d8551a9441f07d341 e51978c.tar.gz" | sha256sum -c -
+tar xf e51978c.tar.gz
+pushd squashfuse-*/
+./autogen.sh
+./configure CFLAGS="${CFLAGS} -no-pie" LDFLAGS=-static
+make -j"$(nproc)"
+make install
+/usr/bin/install -c -m 644 ./*.h '/usr/local/include/squashfuse'
+popd
+rm -r e51978c* squashfuse*
diff --git a/sign.sh b/scripts/sign.sh
similarity index 100%
rename from sign.sh
rename to scripts/sign.sh
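Review bot: As a standalone script this still depends on the Dockerfile's layout: it downloads into and runs `rm -r fuse-*` and `rm -r e51978c* squashfuse*` against whatever directory it is started from, and it reads the patch from the absolute path `/tmp/patches/libfuse/mount.c.diff`. Inside the image `WORKDIR /tmp` makes that safe, but run from anywhere else the globs would delete matching entries in the caller's directory. Consider working in a private directory, e.g. `workdir="$(mktemp -d)"; cd "$workdir"` near the top, and adding a header comment stating that the script installs to `/usr` and `/usr/local` and expects the patches under `/tmp/patches`. The pinned SHA-256 checks on both tarballs are carried over from the Dockerfile and should be kept when the versions are bumped.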