Skip to content
Open
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
21 changes: 19 additions & 2 deletions action.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -102,13 +102,30 @@ runs:
# ubuntu-24.04 doesn't package apk, so fetch the official statically-linked binary from
# upstream so mkosi can use it to populate the postmarketOS tools tree.
#
# Since GitLab's API can be unreliable, this is retried a few times if there
# is a failure when fetching.
#
# NOTE: apk is dropped into /usr/bin and not /usr/local/bin because later CI
# scripts (like .github/workflows/ci.yml) clean up /usr/local
if: ${{ inputs.apk == 'true' }}
shell: bash
run: |
sudo curl -fsSL -o /usr/bin/apk https://gitlab.alpinelinux.org/api/v4/projects/5/packages/generic/v3.0.6/x86_64/apk.static
echo 'f1489e05bace7d7dd0a687fcd38d50b585ac660af4231668b123649bef3718c4 /usr/bin/apk' | sha256sum --check
set +e
APK_TOOLS_API="https://gitlab.alpinelinux.org/api/v4/projects/5"
APK_VERSION=$(curl -fsSL --retry 5 --retry-all-errors "${APK_TOOLS_API}/repository/tags" | jq -r '.[].name' | grep -v '_rc' | sort -V | tail -1)
APK_PKG_ID=$(curl -fsSL --retry 5 --retry-all-errors "${APK_TOOLS_API}/packages?package_name=${APK_VERSION}&package_type=generic" | jq '.[] | select(.version == "x86_64") | .id' | sort -n | tail -1)
APK_SHA256=$(curl -fsSL --retry 5 --retry-all-errors "${APK_TOOLS_API}/packages/${APK_PKG_ID}/package_files" | jq -r '.[0].file_sha256')

@martinpitt martinpitt Jun 26, 2026

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

An absent .file_sha256 gets rendered as string "null", failing the [ -z ] check below. jq has an // empty guard for that.

Also, is it safe to blindly take the first ([0]) file? I suppose good enough if they only ever publish one file.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I hope that should be safe, since it's only a single package ID.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I went for adding another check for APK_SHA256 being the actual string null. Unlikely, but then it'll cover the key not being there and the value being empty.

set -e

# If the API fails, fall back to a known-good version
if [ -z "$APK_VERSION" ] || [ -z "$APK_SHA256" ] || [ "$APK_SHA256" = null ]
then
APK_VERSION='v3.0.6'
APK_SHA256='f1489e05bace7d7dd0a687fcd38d50b585ac660af4231668b123649bef3718c4'
fi

sudo curl -fsSL --retry 5 --retry-all-errors -o /usr/bin/apk "$APK_TOOLS_API/packages/generic/${APK_VERSION}/x86_64/apk.static"
echo "${APK_SHA256} /usr/bin/apk" | sha256sum --check
sudo chmod +x /usr/bin/apk

- name: Dependencies
Expand Down
Loading