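# Rebuilds and republishes the signed apt repositories for esl-erlang, Elixir
# and MongooseIM. Runs weekly (Sunday 00:00 UTC) and on manual dispatch.
#
# Flow: create local aptly repos -> download .deb files from the source
# bucket -> convert zstd control archives -> import the signing key -> sign
# and add packages -> wipe the destination prefixes -> publish to S3.
#
# Security notes:
#   * Secrets reach shell scripts only through step-level `env:` mappings,
#     never through `${{ }}` interpolation inside `run:` bodies.
#     Interpolation pastes the secret into the script text, where quoting
#     mistakes turn into word-splitting or injection.
#   * The GPG passphrase is passed to gpg/aptly through a 0600 temp file
#     instead of a command-line argument, so it stays out of argv.
#   * The signing key is imported before the step that signs packages, and
#     the destination bucket is emptied only just before publishing, so a
#     failed download or signing run does not leave the public repo wiped.
name: Update Apt Repository

on:
  schedule:
    - cron: "0 0 * * 0"
  workflow_dispatch:

# The job only needs to read the repository; drop every other token scope.
permissions:
  contents: read

env:
  DEBIAN_RELEASES: "stretch buster bullseye"
  UBUNTU_RELEASES: "jammy xenial bionic focal"
  ERLANG_VERSIONS: "24 25 26 27"
  ELIXIR_VERSIONS: "1.16 1.15 1.14 1.13 1.12"
  MONGOOSEIM_VERSIONS: "5 6"
  AWS_REGION: "eu-west-2"
  AWS_SOURCE_BUCKET: "esl-erlang"
  AWS_DESTINATION_BUCKET: "esl-packages"
  ARCHITECTURE: "amd64,arm64"
  # GPG_PASS is deliberately NOT exported here: a workflow-level env entry is
  # visible to every step, including third-party actions. It is mapped only
  # into the steps that sign.

jobs:
  update-repo:
    runs-on: ubuntu-latest
    steps:
      # NOTE(review): action tags are mutable. For a job that holds the
      # repository signing key, pin every `uses:` to a reviewed full commit SHA.
      - name: Checkout
        uses: actions/checkout@v2

      # Install dependencies required by the scripts
      - name: Install Dependencies
        run: |
          sudo apt-get update
          sudo apt-get install -y aptly awscli dpkg-sig gnupg python3-pip zstd
          # NOTE(review): unpinned install; pin boto3 to a known version so the
          # signing job does not pick up whatever is newest on PyPI.
          pip3 install boto3

      # Configure Credentials for AWS
      # NOTE(review): these are long-lived static keys; prefer short-lived
      # credentials obtained through OIDC role assumption if the account allows it.
      - name: Set AWS credentials
        uses: aws-actions/configure-aws-credentials@v1
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws-region: eu-west-2

      # NOTE(review): the action reference was mangled by e-mail obfuscation on
      # the source page ("unfor19/[email protected]"). The step id and inputs
      # suggest unfor19/install-aws-cli-action; restore the original ref,
      # ideally as a full commit SHA, before using this file.
      - id: install-aws-cli
        uses: unfor19/install-aws-cli-action@REPLACE_WITH_REVIEWED_COMMIT_SHA
        with:
          version: 2 # default
          verbose: false # default
          arch: amd64

      # Create the local aptly repositories for ESL-erlang
      - name: Create Repositories
        run: |
          for distro in $DEBIAN_RELEASES $UBUNTU_RELEASES
          do
            for erlang in $ERLANG_VERSIONS
            do
              aptly repo create "$distro/esl-erlang-$erlang"
            done
          done

      # Create the local aptly repositories for Elixir
      - name: Create Elixir Repositories
        run: |
          for distro in $DEBIAN_RELEASES $UBUNTU_RELEASES
          do
            for elixir in $ELIXIR_VERSIONS
            do
              aptly repo create "$distro/elixir-$elixir"
            done
          done

      # Create the local aptly repositories for MongooseIM
      - name: Create Mongoose Repositories
        run: |
          for distro in $DEBIAN_RELEASES $UBUNTU_RELEASES
          do
            for mongooseim in $MONGOOSEIM_VERSIONS
            do
              aptly repo create "$distro/mongooseim-$mongooseim"
            done
          done

      # Download .deb files from S3
      - name: Download deb files
        run: |
          mkdir -p Packages
          aws s3 sync "s3://$AWS_SOURCE_BUCKET" Packages --exclude "*" --include "*.deb"

      # Re-pack packages whose control archive is zstd-compressed so that it
      # is gzip-compressed instead.
      - name: Handle Zstandard Compression
        run: |
          # NUL-delimited find so paths with spaces or glob characters survive.
          while IFS= read -r -d '' file
          do
            echo "Processing $file"
            deb_path=$(realpath -- "$file")
            # Fresh private scratch directory per package instead of a fixed
            # name inside the workspace.
            work_dir=$(mktemp -d)
            (
              cd "$work_dir"
              # Extract .deb package
              ar x "$deb_path"
              # Check if control.tar.zst exists and decompress
              if [ -f control.tar.zst ]; then
                echo "$file has a Zstandard compressed control file. Converting..."
                unzstd control.tar.zst
                if [ -f control.tar ]; then
                  # Log the archive listing before extracting anything
                  tar -tf control.tar
                  if tar -tf control.tar | grep -qE 'control|postinst|preinst|postrm|prerm'; then
                    # Keep whichever data member the package ships instead of
                    # assuming data.tar.xz.
                    data_member=$(ar t "$deb_path" | grep -m 1 '^data\.tar' || true)
                    if [ -n "$data_member" ]; then
                      # The archive comes from the source bucket; extract it
                      # only inside the scratch directory.
                      mkdir -p control_dir
                      tar -xf control.tar -C control_dir
                      # Re-compress to control.tar.gz
                      tar -czf control.tar.gz -C control_dir .
                      # Build next to the original, then replace it. The
                      # previous "../new_$file" put the prefix in front of the
                      # directory part of the path, which names a directory
                      # that does not exist.
                      # NOTE(review): only these three members are carried
                      # over, so any other ar member (dpkg-sig keeps its
                      # signature in one) is dropped and the package will be
                      # re-signed by the signing step.
                      ar rcs "$deb_path.new" debian-binary control.tar.gz "$data_member"
                      mv -- "$deb_path.new" "$deb_path"
                    else
                      echo "Warning: no data.tar member found in $file. Skipping."
                    fi
                  else
                    echo "Warning: control.tar in $file does not contain expected control files. Skipping."
                  fi
                else
                  echo "Error: Failed to decompress control.tar.zst in $file"
                fi
              fi
            )
            # Clean up temporary directory
            rm -rf -- "$work_dir"
          done < <(find Packages -name '*.deb' -print0)

      # Import the signing key and publish its public half.
      # Runs before "Add Packages to Repositories" because that step signs.
      - name: Import keys
        env:
          GPG_P_KEY: ${{ secrets.GPG_P_KEY }}
          GPG_KEY_ID: ${{ secrets.GPG_KEY_ID }}
        run: |
          # Import straight from stdin so the private key never exists as a
          # file in the workspace (the sync below uploads from the workspace
          # with a public-read ACL).
          printf '%s\n' "$GPG_P_KEY" | tr ';' '\n' | gpg --batch --import
          gpg --batch --list-keys
          gpg --batch --output GPG-KEY-pmanager.asc --armor --export "$GPG_KEY_ID"
          # NOTE(review): the include patterns match recursively, so every
          # *.asc and *.json below the checkout becomes world-readable. Keep
          # private material out of the workspace.
          aws s3 sync . "s3://$AWS_DESTINATION_BUCKET" --acl public-read --exclude "*" --include "*.asc" --include "*.json"

      # Add the packages to the repositories, signing those that fail verification
      - name: Add Packages to Repositories
        env:
          GPG_PASS: ${{ secrets.GPG_PASS }}
          # Previously read by the script but never exported, so `-k` was
          # followed by an empty expansion.
          GPG_KEY_ID: ${{ secrets.GPG_KEY_ID }}
        run: |
          # Passphrase goes through a 0600 temp file, not argv.
          pass_file=$(mktemp)
          trap 'rm -f -- "$pass_file"' EXIT
          printf '%s' "$GPG_PASS" > "$pass_file"

          deb_name_re='(esl-erlang|elixir|mongooseim)_([0-9]+(\.[0-9]+)*(-[0-9]+)?)(_[0-9]+)?(_otp_[0-9.]+)?~(debian|ubuntu)~([a-z]+)_(amd64|arm64|all)\.deb$'

          while IFS= read -r -d '' file
          do
            if [[ "$file" =~ $deb_name_re ]]; then
              product="${BASH_REMATCH[1]}"
              version="${BASH_REMATCH[2]}"
              release="${BASH_REMATCH[8]}"

              # NOTE(review): a failed verification covers "unsigned" and
              # "signature does not match" alike, and both are answered by
              # signing with the repository key. Anything that lands in the
              # source bucket therefore inherits the repository's trust;
              # consider checking packages against build-time checksums first.
              if ! dpkg-sig --verify "$file" >/dev/null 2>&1; then
                echo "File $file is not signed. Signing with key $GPG_KEY_ID."
                # dpkg-sig needs an explicit mode; the original call had none.
                # NOTE(review): gpg 2.1+ may additionally need
                # "--batch --pinentry-mode loopback" in -g; confirm on the runner.
                dpkg-sig --sign builder -g "--no-tty --passphrase-file $pass_file" -k "$GPG_KEY_ID" "$file"
              fi

              # Elixir repos are keyed by the version minus its last dotted
              # component; the other products by major version only.
              case "$product" in
                elixir) series="${version%.*}" ;;
                *)      series="${version%%.*}" ;;
              esac
              repo_name="$release/$product-$series"

              aptly repo add --force-replace "$repo_name" "$file"
            fi
          done < <(find Packages -name '*.deb' -print0)

      # Configure Aptly
      - name: Configure aptly.conf
        run: |
          # No AWS keys in the file: when awsAccessKeyID/awsSecretAccessKey are
          # omitted, aptly takes AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY from
          # the environment, which the "Set AWS credentials" step exports.
          umask 077
          cat > "$HOME/.aptly.conf" <<'EOF'
          {
            "S3PublishEndpoints": {
              "esl-packages": {
                "region": "eu-west-2",
                "bucket": "esl-packages",
                "awsRegion": "eu-west-2",
                "acl": "public-read"
              }
            }
          }
          EOF

      # Clean files from Destination S3 to avoid metadata issues.
      # Kept as late as possible: everything that can fail without touching
      # the bucket has already run, so a broken download or signing step does
      # not leave the public repository empty.
      - name: Clean previous deb files from destination Bucket
        run: |
          aws s3 rm "s3://$AWS_DESTINATION_BUCKET/debian" --recursive
          aws s3 rm "s3://$AWS_DESTINATION_BUCKET/ubuntu" --recursive

      # Publish the repositories for ESL-Erlang to S3 Destination
      - name: Publish esl-erlang repositories
        env:
          GPG_PASS: ${{ secrets.GPG_PASS }}
          GPG_KEY_ID: ${{ secrets.GPG_KEY_ID }}
        run: |
          pass_file=$(mktemp)
          trap 'rm -f -- "$pass_file"' EXIT
          printf '%s' "$GPG_PASS" > "$pass_file"

          for distro in $DEBIAN_RELEASES
          do
            for erlang in $ERLANG_VERSIONS
            do
              aptly publish repo \
                -architectures="$ARCHITECTURE" \
                -batch \
                -acquire-by-hash \
                -component="contrib" \
                -distribution="$distro-esl-erlang-$erlang" \
                -gpg-key="$GPG_KEY_ID" \
                -passphrase-file="$pass_file" \
                "$distro/esl-erlang-$erlang" "s3:$AWS_DESTINATION_BUCKET:debian/"
            done
          done
          for distro in $UBUNTU_RELEASES
          do
            for erlang in $ERLANG_VERSIONS
            do
              aptly publish repo \
                -architectures="$ARCHITECTURE" \
                -batch \
                -acquire-by-hash \
                -component="contrib" \
                -distribution="$distro-esl-erlang-$erlang" \
                -gpg-key="$GPG_KEY_ID" \
                -passphrase-file="$pass_file" \
                "$distro/esl-erlang-$erlang" "s3:$AWS_DESTINATION_BUCKET:ubuntu/"
            done
          done

      # Publish the repositories for Elixir to S3 Destination
      - name: Publish elixir repositories
        env:
          GPG_PASS: ${{ secrets.GPG_PASS }}
          GPG_KEY_ID: ${{ secrets.GPG_KEY_ID }}
        run: |
          pass_file=$(mktemp)
          trap 'rm -f -- "$pass_file"' EXIT
          printf '%s' "$GPG_PASS" > "$pass_file"

          # The signing key is named explicitly, as in the esl-erlang step,
          # rather than left to gpg's default key selection. The earlier
          # -passphrase=""<secret>"" form also left the secret unquoted.
          for distro in $DEBIAN_RELEASES
          do
            for elixir in $ELIXIR_VERSIONS
            do
              aptly publish repo \
                -architectures="$ARCHITECTURE" \
                -batch \
                -acquire-by-hash \
                -component="contrib" \
                -distribution="$distro-elixir-$elixir" \
                -gpg-key="$GPG_KEY_ID" \
                -passphrase-file="$pass_file" \
                "$distro/elixir-$elixir" "s3:$AWS_DESTINATION_BUCKET:debian/"
            done
          done
          for distro in $UBUNTU_RELEASES
          do
            for elixir in $ELIXIR_VERSIONS
            do
              aptly publish repo \
                -architectures="$ARCHITECTURE" \
                -batch \
                -acquire-by-hash \
                -component="contrib" \
                -distribution="$distro-elixir-$elixir" \
                -gpg-key="$GPG_KEY_ID" \
                -passphrase-file="$pass_file" \
                "$distro/elixir-$elixir" "s3:$AWS_DESTINATION_BUCKET:ubuntu/"
            done
          done

      # Publish the repositories for MongooseIM to S3 Destination
      - name: Publish MongooseIM Repositories
        env:
          GPG_PASS: ${{ secrets.GPG_PASS }}
          GPG_KEY_ID: ${{ secrets.GPG_KEY_ID }}
        run: |
          pass_file=$(mktemp)
          trap 'rm -f -- "$pass_file"' EXIT
          printf '%s' "$GPG_PASS" > "$pass_file"

          for distro in $DEBIAN_RELEASES
          do
            for mongooseim in $MONGOOSEIM_VERSIONS
            do
              aptly publish repo \
                -architectures="$ARCHITECTURE" \
                -batch \
                -acquire-by-hash \
                -component="contrib" \
                -distribution="$distro-mongooseim-$mongooseim" \
                -gpg-key="$GPG_KEY_ID" \
                -passphrase-file="$pass_file" \
                "$distro/mongooseim-$mongooseim" "s3:$AWS_DESTINATION_BUCKET:debian/"
            done
          done
          for distro in $UBUNTU_RELEASES
          do
            for mongooseim in $MONGOOSEIM_VERSIONS
            do
              aptly publish repo \
                -architectures="$ARCHITECTURE" \
                -batch \
                -acquire-by-hash \
                -component="contrib" \
                -distribution="$distro-mongooseim-$mongooseim" \
                -gpg-key="$GPG_KEY_ID" \
                -passphrase-file="$pass_file" \
                "$distro/mongooseim-$mongooseim" "s3:$AWS_DESTINATION_BUCKET:ubuntu/"
            done
          done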