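# Build cross-platform binaries via goreleaser, publish to pages.sr.ht
# under bigbes.pages.srht.bigb.es/ci-cacher/. The latest tag overwrites
# the previous publish under /ci-cacher (other projects sharing the
# user-level pages domain stay intact thanks to `hut pages publish -s`).
#
# Dependency tarballs (Go, goreleaser) are cached through cacher itself —
# bootstrapped from the previously-published binary on pages. First run
# is a `--url` fallback fetch + S3 fill; later runs hit S3 directly.
#
# Auto-submission is restricted to tag refs only.
#
# NOTE(security): the tasks below fetch and run four external artifacts
# (the bootstrap cacher binary, the Go toolchain, hut, goreleaser) and
# this manifest checks no digest or signature for any of them. Because
# the job also holds S3 cache credentials and a PAGES:RW OAuth token,
# each of those artifacts is part of the release's trust base; see the
# per-task notes.
image: ubuntu/noble
packages:
  - curl
  - ca-certificates
  - cmark  # CHANGELOG.md → HTML
secrets:
  - 7dde4219-0783-4581-a67d-c94749de3600  # ~/.s3-cache-key-id
  - 0e5b3530-6f19-4f30-9b73-9339dd382e46  # ~/.s3-cache-key-secret
oauth: pages.sr.ht/PAGES:RW
sources:
  - https://git.srht.bigb.es/~bigbes/ci-cacher
environment:
  GO_VERSION: "1.26.3"
  GORELEASER_VERSION: "v2.7.0"
  PATH: /home/build/.local/go/bin:/home/build/.local/bin:/home/build/go/bin:/usr/local/bin:/usr/bin:/bin
  GOPATH: /home/build/go
  PAGES_DOMAIN: bigbes.pages.srht.bigb.es
  PAGES_SUBPATH: /ci-cacher
submitter:
  git.sr.ht:
    enabled: true
    allow-refs:
      - "refs/tags/*"
tasks:
  - install_cacher: |
      # Bootstrap from the previously-published binary on pages. The
      # very first publish wasn't cacher-aware (chicken/egg); every run
      # since then can dogfood the tool we're shipping.
      #
      # NOTE(security): this binary is executed as-is and is then handed
      # the S3 credentials in cacher_init, so whatever is currently
      # published under ${PAGES_SUBPATH} is trusted by every later
      # release. The checksums.txt on the same origin would only detect
      # corruption; a digest pinned in this manifest, or a signature
      # check, is what would detect a tampered publish.
      mkdir -p ~/.local/bin
      # -f: fail on an HTTP error instead of saving the error body to the
      # path that is about to be marked executable and run.
      curl -fsSL "https://${PAGES_DOMAIN}${PAGES_SUBPATH}/cacher-linux-amd64" \
        -o ~/.local/bin/cacher
      chmod +x ~/.local/bin/cacher
      cacher version
  - cacher_init: |
      # Credentials are passed as file paths (the two entries under
      # `secrets`), not as command-line values.
      cacher init \
        --endpoint https://s3.bigb.es \
        --region garage \
        --bucket docker-cache \
        --prefix ci-cacher/deps \
        --key-file ~/.s3-cache-key-id \
        --secret-file ~/.s3-cache-key-secret
  - install_go: |
      GO_TARBALL="go${GO_VERSION}.linux-amd64.tar.gz"
      mkdir -p ~/.local
      # NOTE(security): the tarball comes from the S3 cache or, on a miss,
      # from go.dev, and is unpacked without a digest check in this
      # manifest (whether cacher verifies anything is not visible here).
      # Anyone who can write to the bucket prefix can therefore replace
      # the toolchain. Consider pinning the SHA-256 that go.dev lists for
      # this release, e.g. in a GO_SHA256 environment entry, and checking
      # it before extraction:
      #   echo "${GO_SHA256}  /tmp/${GO_TARBALL}" | sha256sum -c -
      cacher download "golang/${GO_TARBALL}" "/tmp/${GO_TARBALL}" \
        --url "https://go.dev/dl/${GO_TARBALL}"
      tar -xz -C ~/.local -f "/tmp/${GO_TARBALL}"
      rm "/tmp/${GO_TARBALL}"
      go version
  - install_hut: |
      # No upstream binary release for hut; build it from source. Output
      # is small (~5MB) so caching it would barely save anything vs the
      # `go install` time itself.
      #
      # NOTE(security): `@latest` is resolved at build time, and the
      # resulting binary later runs with the PAGES:RW OAuth token. Pin a
      # reviewed release (hut@<PINNED_VERSION>) so a new upstream version
      # is adopted deliberately rather than on the next tag push.
      go install git.sr.ht/~xenrox/hut@latest
      hut version
  - install_goreleaser: |
      GRL_TARBALL="goreleaser_${GORELEASER_VERSION}_Linux_x86_64.tar.gz"
      # NOTE(security): same gap as install_go. The tool that builds the
      # release binaries is unpacked without a digest check. Pin the
      # SHA-256 for ${GORELEASER_VERSION} (goreleaser publishes a
      # checksums file with each release) and verify it before `tar`.
      cacher download "goreleaser/${GRL_TARBALL}" "/tmp/${GRL_TARBALL}" \
        --url "https://github.com/goreleaser/goreleaser/releases/download/${GORELEASER_VERSION}/goreleaser_Linux_x86_64.tar.gz"
      tar -xz -C ~/.local/bin -f "/tmp/${GRL_TARBALL}" goreleaser
      rm "/tmp/${GRL_TARBALL}"
      goreleaser --version
  - build: |
      cd ci-cacher
      # --skip=validate lets goreleaser release v0.1.0 from a commit
      # that isn't precisely the v0.1.0 tag (e.g. a CI manifest patch
      # landed after tagging). Safe here because the published binary
      # is built from the same Go source either way; only
      # .builds/publish.yml differs between HEAD and the tagged commit.
      #
      # NOTE(security): nothing in this job enforces that assumption.
      # With validation skipped, the published binaries are built from
      # whatever HEAD is, so "built from tag X" is a convention rather
      # than a checked property. A diff of HEAD against the tag limited
      # to non-.builds paths would turn it back into a check.
      goreleaser release --clean --skip=validate,publish
      ls dist/
  - package_pages: |
      # Goreleaser writes binaries under dist/cacher_<os>_<arch>_v<N>/cacher.
      # Flatten + rename to the pages-facing /ci-cacher/cacher-<os>-<arch>
      # naming. Regenerate checksums.txt against the renamed files so the
      # published file matches the URLs people will wget.
      #
      # NOTE(security): checksums.txt is served from the same origin as
      # the binaries, so it protects downloaders against corruption but
      # not against a replaced publish.
      #
      # VERSION is the nearest reachable tag (or the VERSION file), which
      # can differ from the commit actually built when validation is
      # skipped in the build task.
      VERSION=$(cd ci-cacher && (git describe --tags --abbrev=0 2>/dev/null || cat VERSION))
      BUILT=$(date -u +%Y-%m-%dT%H:%M:%SZ)
      mkdir -p /home/build/pages
      cp ci-cacher/dist/cacher_linux_amd64_v1/cacher    /home/build/pages/cacher-linux-amd64
      cp ci-cacher/dist/cacher_linux_arm64_v8.0/cacher  /home/build/pages/cacher-linux-arm64
      cp ci-cacher/dist/cacher_darwin_amd64_v1/cacher   /home/build/pages/cacher-darwin-amd64
      cp ci-cacher/dist/cacher_darwin_arm64_v8.0/cacher /home/build/pages/cacher-darwin-arm64
      chmod +x /home/build/pages/cacher-*
      ( cd /home/build/pages && sha256sum cacher-* > checksums.txt )
      cat /home/build/pages/checksums.txt
      SHA_LA=$( awk '/cacher-linux-amd64$/  {print $1}' /home/build/pages/checksums.txt)
      SHA_LAR=$(awk '/cacher-linux-arm64$/  {print $1}' /home/build/pages/checksums.txt)
      SHA_DA=$( awk '/cacher-darwin-amd64$/ {print $1}' /home/build/pages/checksums.txt)
      SHA_DAR=$(awk '/cacher-darwin-arm64$/ {print $1}' /home/build/pages/checksums.txt)
      # Render CHANGELOG.md to an HTML fragment for inline embedding.
      # Drop the file's top-level `# Changelog` h1 (we already have an
      # <h2>Changelog</h2> in the template) and demote remaining
      # headings one level so they nest under the outer h2.
      #
      # NOTE(review): the heading tags in the two sed expressions below
      # were lost from this copy of the file and are reconstructed from
      # the comment above (h1 dropped, h2 → h3). Confirm against the
      # repository version.
      cmark --to html ci-cacher/CHANGELOG.md \
        | sed '/<h1>Changelog<\/h1>/d' \
        | sed -e 's|<h2>|<h3>|g; s|</h2>|</h3>|g' \
        > /tmp/changelog.html
      # Substitute scalar placeholders, then insert the changelog at the
      # {{CHANGELOG}} marker via sed's read+delete trick.
      #
      # $VERSION goes into the sed replacement and the HTML unescaped; a
      # tag name containing `|`, `&` or markup would change the output.
      sed -e "s|{{VERSION}}|$VERSION|g" \
          -e "s|{{BUILT}}|$BUILT|g" \
          -e "s|{{SHA_LINUX_AMD64}}|$SHA_LA|g" \
          -e "s|{{SHA_LINUX_ARM64}}|$SHA_LAR|g" \
          -e "s|{{SHA_DARWIN_AMD64}}|$SHA_DA|g" \
          -e "s|{{SHA_DARWIN_ARM64}}|$SHA_DAR|g" \
          ci-cacher/docs/index.html \
        | sed -e '/{{CHANGELOG}}/r /tmp/changelog.html' -e '/{{CHANGELOG}}/d' \
        > /home/build/pages/index.html
      cd /home/build/pages
      tar -czvf /home/build/site.tar.gz .
  - publish_pages: |
      # The srht.bigb.es OAuth worker writes the per-service origin
      # `http://pages:5112` (internal docker-compose hostname) into
      # ~/.config/hut/config. Override with the public origin before
      # hut runs, or it can't reach the API from outside the cluster.
      sed -i 's|http://pages:5112|https://pages.srht.bigb.es|' ~/.config/hut/config
      hut pages publish -d "$PAGES_DOMAIN" -s "$PAGES_SUBPATH" /home/build/site.tar.gz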