From 93e90a18393f1f35f28fbb40aa84dc595a1433e3 Mon Sep 17 00:00:00 2001
From: Yvan Janssens <yvanj@cyber.gent>
Date: Mon, 4 May 2026 14:51:57 +0200
Subject: [PATCH] Add Woodpecker Debian package pipeline

---
 .gitignore                   |  1 +
 .woodpecker.yml              | 13 +++++
 README.md                    |  1 +
 scripts/ci/bootstrap-apt.sh  | 34 +++++++++++++
 scripts/ci/build-package.sh  | 70 +++++++++++++++++++++++++++
 scripts/ci/upload-package.sh | 94 ++++++++++++++++++++++++++++++++++++
 scripts/lib/common.sh        | 44 +++++++++++++++++
 7 files changed, 257 insertions(+)
 create mode 100644 .gitignore
 create mode 100644 .woodpecker.yml
 create mode 100755 scripts/ci/bootstrap-apt.sh
 create mode 100755 scripts/ci/build-package.sh
 create mode 100755 scripts/ci/upload-package.sh
 create mode 100755 scripts/lib/common.sh

diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..a9f8fa6
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+.ci-work/
diff --git a/.woodpecker.yml b/.woodpecker.yml
new file mode 100644
index 0000000..f96344a
--- /dev/null
+++ b/.woodpecker.yml
@@ -0,0 +1,13 @@
+steps:
+  - name: build-and-upload-debian-package
+    image: ubuntu:24.04
+    pull: true
+    environment:
+      GITEA_PACKAGE_TOKEN:
+        from_secret: gitea_token
+    commands:
+      - ./scripts/ci/bootstrap-apt.sh
+      - ./scripts/ci/build-package.sh
+      - ./scripts/ci/upload-package.sh
+    when:
+      - event: [push, cron, manual]
diff --git a/README.md b/README.md
index e78cbc4..6a3da90 100644
--- a/README.md
+++ b/README.md
@@ -2,4 +2,5 @@
 
 This is a Woodpecker CI/CD pipeline that runs on a scheduled task and that pulls in wrljet's hercules-helper repo and uses it to build a Debian package to be published to the repo here.
 
+`build.config` selects the `hercules-helper` repository and branch used by the pipeline. The Woodpecker job runs on `push`, `cron`, and `manual`, uses `ubuntu:24.04`, configures the local APT proxy first, invokes the helper repo's Debian packaging script, and uploads the resulting `.deb` to the Gitea Debian registry at `https://git.cyber.gent`.
 
diff --git a/scripts/ci/bootstrap-apt.sh b/scripts/ci/bootstrap-apt.sh
new file mode 100755
index 0000000..d78d8bd
--- /dev/null
+++ b/scripts/ci/bootstrap-apt.sh
@@ -0,0 +1,34 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+printf 'Acquire::http::Proxy "http://10.64.44.6:3142";\n' >/etc/apt/apt.conf.d/80proxy
+
+export DEBIAN_FRONTEND=noninteractive
+
+apt-get update
+apt-get install -y --no-install-recommends \
+  autoconf \
+  automake \
+  build-essential \
+  ca-certificates \
+  cmake \
+  curl \
+  dpkg-sig \
+  flex \
+  gawk \
+  git \
+  gnupg \
+  libbz2-dev \
+  libcap2-bin \
+  libltdl-dev \
+  libtool-bin \
+  m4 \
+  ncat \
+  reprepro \
+  sudo \
+  time \
+  wget \
+  zlib1g-dev
+
+update-ca-certificates
diff --git a/scripts/ci/build-package.sh b/scripts/ci/build-package.sh
new file mode 100755
index 0000000..385d065
--- /dev/null
+++ b/scripts/ci/build-package.sh
@@ -0,0 +1,70 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+source "$(cd "$(dirname "$0")/.." && pwd)/lib/common.sh"
+
+require_cmd bash
+require_cmd dpkg-deb
+require_cmd git
+
+load_build_config
+
+work_root="$(ci_work_root)"
+helper_dir="$work_root/hercules-helper"
+artifacts_dir="$work_root/artifacts"
+helper_entrypoint="$helper_dir/create-package-hyperion.sh"
+compat_template_dir="$helper_dir/packagers/debian/hyperion-4.4"
+build_path="/home/bill/hyperion-build-package"
+raw_package_path="$build_path/hyperion-4.4.deb"
+metadata_file="$artifacts_dir/package.env"
+
+log "Preparing CI work root at $work_root"
+rm -rf "$work_root"
+mkdir -p "$artifacts_dir"
+
+log "Cloning helper repo $REPO (branch: $BRANCH)"
+git clone --depth 1 --branch "$BRANCH" "$REPO" "$helper_dir"
+
+if [[ ! -e "$helper_entrypoint" ]]; then
+  ln -s "packagers/debian/create-package-hyperion.sh" "$helper_entrypoint"
+fi
+
+if [[ ! -e "$compat_template_dir" ]]; then
+  ln -s "hercules-hyperion" "$compat_template_dir"
+fi
+
+mkdir -p /home/bill
+rm -rf "$build_path"
+mkdir -p "$build_path"
+
+log "Invoking helper repo Debian package script"
+(
+  cd "$helper_dir"
+  env \
+    opt_prompts=false \
+    opt_beeps=false \
+    opt_verbose=true \
+    TRACE=false \
+    bash "$helper_entrypoint"
+)
+
+[[ -f "$raw_package_path" ]] || die "Expected package was not created: $raw_package_path"
+
+package_name="$(dpkg-deb -f "$raw_package_path" Package)"
+package_version="$(dpkg-deb -f "$raw_package_path" Version)"
+package_arch="$(dpkg-deb -f "$raw_package_path" Architecture)"
+artifact_path="$artifacts_dir/${package_name}_${package_version}_${package_arch}.deb"
+
+cp "$raw_package_path" "$artifact_path"
+
+cat >"$metadata_file" <<EOF
+PACKAGE_FILE=$artifact_path
+PACKAGE_NAME=$package_name
+PACKAGE_VERSION=$package_version
+PACKAGE_ARCHITECTURE=$package_arch
+PACKAGE_DISTRIBUTION=${DEBIAN_DISTRIBUTION:-$DEFAULT_DEBIAN_DISTRIBUTION}
+PACKAGE_COMPONENT=${DEBIAN_COMPONENT:-$DEFAULT_DEBIAN_COMPONENT}
+EOF
+
+log "Built package artifact: $artifact_path"
diff --git a/scripts/ci/upload-package.sh b/scripts/ci/upload-package.sh
new file mode 100755
index 0000000..ff2463a
--- /dev/null
+++ b/scripts/ci/upload-package.sh
@@ -0,0 +1,94 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+source "$(cd "$(dirname "$0")/.." && pwd)/lib/common.sh"
+
+require_cmd curl
+require_env GITEA_PACKAGE_TOKEN
+
+work_root="$(ci_work_root)"
+metadata_file="$work_root/artifacts/package.env"
+
+[[ -f "$metadata_file" ]] || die "Package metadata file not found: $metadata_file"
+
+set -a
+  # shellcheck disable=SC1090
+  . "$metadata_file"
+set +a
+
+owner="${GITEA_PACKAGE_OWNER:-${CI_REPO_OWNER:-}}"
+username="${GITEA_PACKAGE_USERNAME:-${CI_REPO_OWNER:-}}"
+base_url="${GITEA_BASE_URL:-$DEFAULT_GITEA_BASE_URL}"
+
+[[ -n "$owner" ]] || die "Unable to determine Gitea package owner. Set GITEA_PACKAGE_OWNER or CI_REPO_OWNER."
+[[ -n "$username" ]] || die "Unable to determine Gitea upload username. Set GITEA_PACKAGE_USERNAME or CI_REPO_OWNER."
+[[ -f "${PACKAGE_FILE:-}" ]] || die "Built package file not found: ${PACKAGE_FILE:-unset}"
+
+upload_url="$base_url/api/packages/$owner/debian/pool/$PACKAGE_DISTRIBUTION/$PACKAGE_COMPONENT/upload"
+upload_response_file="$(mktemp)"
+
+urlencode() {
+  local input="$1"
+  local length="${#input}"
+  local index char encoded=""
+
+  for ((index = 0; index < length; index++)); do
+    char="${input:index:1}"
+    case "$char" in
+      [a-zA-Z0-9._~-]) encoded+="$char" ;;
+      *)
+        printf -v char '%%%02X' "'$char"
+        encoded+="$char"
+        ;;
+    esac
+  done
+
+  printf '%s\n' "$encoded"
+}
+
+upload_package() {
+  curl \
+    --silent \
+    --show-error \
+    --output "$upload_response_file" \
+    --write-out '%{http_code}' \
+    --user "$username:$GITEA_PACKAGE_TOKEN" \
+    --upload-file "$PACKAGE_FILE" \
+    "$upload_url"
+}
+
+log "Uploading ${PACKAGE_FILE##*/} to $upload_url"
+status_code="$(upload_package)"
+
+if [[ "$status_code" == "409" ]]; then
+  delete_url="$base_url/api/packages/$owner/debian/pool/$PACKAGE_DISTRIBUTION/$PACKAGE_COMPONENT/$(urlencode "$PACKAGE_NAME")/$(urlencode "$PACKAGE_VERSION")/$(urlencode "$PACKAGE_ARCHITECTURE")"
+
+  log "Package already exists, deleting current $PACKAGE_NAME/$PACKAGE_VERSION/$PACKAGE_ARCHITECTURE before retry"
+  delete_status="$(
+    curl \
+      --silent \
+      --show-error \
+      --output "$upload_response_file" \
+      --write-out '%{http_code}' \
+      --user "$username:$GITEA_PACKAGE_TOKEN" \
+      --request DELETE \
+      "$delete_url"
+  )"
+
+  if [[ "$delete_status" != "204" ]]; then
+    cat "$upload_response_file" >&2
+    die "Package delete failed with HTTP $delete_status"
+  fi
+
+  status_code="$(upload_package)"
+fi
+
+if [[ "$status_code" != "201" ]]; then
+  cat "$upload_response_file" >&2
+  die "Package upload failed with HTTP $status_code"
+fi
+
+rm -f "$upload_response_file"
+
+log "Upload finished"
diff --git a/scripts/lib/common.sh b/scripts/lib/common.sh
new file mode 100755
index 0000000..275bf46
--- /dev/null
+++ b/scripts/lib/common.sh
@@ -0,0 +1,44 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+readonly REPO_ROOT="$(cd "$(dirname "${BASH_SOURCE[0]}")/../.." && pwd)"
+readonly BUILD_CONFIG_FILE="${BUILD_CONFIG_FILE:-$REPO_ROOT/build.config}"
+readonly DEFAULT_GITEA_BASE_URL="https://git.cyber.gent"
+readonly DEFAULT_DEBIAN_DISTRIBUTION="noble"
+readonly DEFAULT_DEBIAN_COMPONENT="main"
+readonly DEFAULT_CI_WORK_ROOT="$REPO_ROOT/.ci-work"
+
+log() {
+  printf '[%s] %s\n' "$(basename "$0")" "$*"
+}
+
+die() {
+  printf '[%s] %s\n' "$(basename "$0")" "$*" >&2
+  exit 1
+}
+
+require_cmd() {
+  command -v "$1" >/dev/null 2>&1 || die "Required command not found: $1"
+}
+
+require_env() {
+  local name="$1"
+  [[ -n "${!name:-}" ]] || die "Required environment variable is missing: $name"
+}
+
+load_build_config() {
+  [[ -f "$BUILD_CONFIG_FILE" ]] || die "Build config not found: $BUILD_CONFIG_FILE"
+
+  set -a
+  # shellcheck disable=SC1090
+  . "$BUILD_CONFIG_FILE"
+  set +a
+
+  [[ -n "${REPO:-}" ]] || die "REPO is missing in $BUILD_CONFIG_FILE"
+  [[ -n "${BRANCH:-}" ]] || die "BRANCH is missing in $BUILD_CONFIG_FILE"
+}
+
+ci_work_root() {
+  printf '%s\n' "${CI_WORK_ROOT:-$DEFAULT_CI_WORK_ROOT}"
+}