From 1992a3aff548a154d7eb0b697d91404dd8f99964 Mon Sep 17 00:00:00 2001 From: Andres Cera Date: Thu, 15 Jan 2026 07:24:47 -0500 Subject: [PATCH 1/3] feat: add CI build check and publish release workflows - Add build-check.yml: runs on PR/push to main, builds for arm64/amd64 - Add publish-release.yml: manual workflow for releases - CalVer versioning with stable/beta channels - Builds .deb packages and .tar.gz archives - GPG signs APT repository metadata - Uploads to Cloudflare R2 - Creates GitHub release with all artifacts and checksums --- .github/workflows/build-check.yml | 62 ++++++ .github/workflows/publish-release.yml | 274 ++++++++++++++++++++++++++ 2 files changed, 336 insertions(+) create mode 100644 .github/workflows/build-check.yml create mode 100644 .github/workflows/publish-release.yml diff --git a/.github/workflows/build-check.yml b/.github/workflows/build-check.yml new file mode 100644 index 000000000..9c24cbae0 --- /dev/null +++ b/.github/workflows/build-check.yml @@ -0,0 +1,62 @@ +name: Build Check + +on: + push: + branches: [main, master] + pull_request: + branches: [main, master] + +jobs: + build: + name: Build ${{ matrix.arch }} + runs-on: ubuntu-latest + strategy: + matrix: + arch: [arm64, amd64] + steps: + - name: Checkout code + uses: actions/checkout@v4 + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + + - name: Set up QEMU + uses: docker/setup-qemu-action@v3 + + - name: Build SRT for ${{ matrix.arch }} + run: | + PLATFORM="linux/${{ matrix.arch }}" + + docker buildx build \ + --platform "$PLATFORM" \ + --load \ + -t srt-builder:${{ matrix.arch }} \ + -f - . <<'DOCKERFILE' + FROM debian:bookworm-slim + RUN apt-get update && apt-get install -y \ + build-essential \ + cmake \ + git \ + libssl-dev \ + pkg-config \ + tclsh \ + && rm -rf /var/lib/apt/lists/* + WORKDIR /build + COPY . . + RUN cmake -B build \ + -DCMAKE_BUILD_TYPE=Release \ + -DENABLE_APPS=OFF \ + -DENABLE_BONDING=ON \ + -DENABLE_ENCRYPTION=ON \ + && cmake --build build -j$(nproc) + DOCKERFILE + + - name: Verify library was built + run: | + docker run --rm srt-builder:${{ matrix.arch }} ls -la /build/build/libsrt.so* + + - name: Build Summary + run: | + echo "## ✅ Build Check Passed" >> $GITHUB_STEP_SUMMARY + echo "" >> $GITHUB_STEP_SUMMARY + echo "**Architecture:** ${{ matrix.arch }}" >> $GITHUB_STEP_SUMMARY diff --git a/.github/workflows/publish-release.yml b/.github/workflows/publish-release.yml new file mode 100644 index 000000000..27107fec8 --- /dev/null +++ b/.github/workflows/publish-release.yml @@ -0,0 +1,274 @@ +name: Publish Release + +on: + workflow_dispatch: + inputs: + release_type: + description: "Release type" + required: true + type: choice + options: + - stable + - beta + default: stable + +jobs: + calculate-version: + name: Calculate Version + runs-on: ubuntu-latest + outputs: + version: ${{ steps.calver.outputs.version }} + channel: ${{ steps.calver.outputs.channel }} + steps: + - name: Checkout code + uses: actions/checkout@v4 + with: + fetch-depth: 0 + + - name: Calculate CalVer version + id: calver + env: + RELEASE_TYPE: ${{ github.event.inputs.release_type || 'beta' }} + run: | + YEAR=$(date -u +"%Y") + MONTH=$(date -u +"%-m") + IS_BETA=$([[ "$RELEASE_TYPE" == "beta" ]] && echo "true" || echo "false") + + PREFIX="v${YEAR}.${MONTH}" + + if [ "$IS_BETA" == "true" ]; then + LATEST_BETA=$(git tag -l "${PREFIX}.*-beta.*" | sed -E "s/.*-beta\.([0-9]+)/\1/" | sort -n | tail -1) + if [ -z "$LATEST_BETA" ]; then + BETA_NUM=1 + else + BETA_NUM=$((LATEST_BETA + 1)) + fi + LATEST_STABLE=$(git tag -l "${PREFIX}.*" | grep -v beta | sed "s/${PREFIX}\.//" | sort -n | tail -1) + PATCH=${LATEST_STABLE:-0} + NEXT_PATCH=$((PATCH + 1)) + VERSION="${YEAR}.${MONTH}.${NEXT_PATCH}-beta.${BETA_NUM}" + CHANNEL="beta" + else + LATEST_PATCH=$(git tag -l "${PREFIX}.*" | grep -v beta | sed "s/${PREFIX}\.//" | sort -n | tail -1) + if [ -z "$LATEST_PATCH" ]; then + PATCH=0 + else + PATCH=$((LATEST_PATCH + 1)) + fi + VERSION="${YEAR}.${MONTH}.${PATCH}" + CHANNEL="stable" + fi + + echo "version=${VERSION}" >> $GITHUB_OUTPUT + echo "channel=${CHANNEL}" >> $GITHUB_OUTPUT + echo "Version: ${VERSION} (Channel: ${CHANNEL})" + + build-deb: + name: Build Debian Package (${{ matrix.arch }}) + needs: calculate-version + runs-on: ubuntu-latest + strategy: + matrix: + arch: [arm64, amd64] + steps: + - name: Checkout code + uses: actions/checkout@v4 + + - name: Set up QEMU + if: matrix.arch == 'arm64' + uses: docker/setup-qemu-action@v3 + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + + - name: Build in Docker (${{ matrix.arch }}) + run: | + mkdir -p build-output + + cat > Dockerfile.build << 'DOCKERFILE' + FROM debian:bookworm + + RUN apt-get update && apt-get install -y \ + build-essential \ + cmake \ + pkg-config \ + libssl-dev \ + tclsh \ + && rm -rf /var/lib/apt/lists/* + + WORKDIR /src + COPY . . + + RUN mkdir _build && cd _build && \ + cmake ../ \ + -DCMAKE_BUILD_TYPE=Release \ + -DCMAKE_INSTALL_PREFIX=/usr \ + -DENABLE_STDCXX_SYNC=ON \ + -DENABLE_ENCRYPTION=ON \ + -DENABLE_BONDING=ON \ + -DENABLE_APPS=ON \ + -DENABLE_UNITTESTS=OFF \ + -DENABLE_TESTING=OFF + + RUN cd _build && cmake --build . -j$(nproc) + RUN cd _build && DESTDIR=/output cmake --install . + DOCKERFILE + + docker buildx build \ + --platform linux/${{ matrix.arch }} \ + --output type=local,dest=build-output \ + -f Dockerfile.build \ + . + + - name: Install FPM + run: | + sudo apt-get update + sudo apt-get install -y ruby-dev gcc g++ + sudo gem install fpm + + - name: Create packages + env: + VERSION: ${{ needs.calculate-version.outputs.version }} + ARCH: ${{ matrix.arch }} + run: | + mkdir -p dist + + # Create .deb package + fpm -s dir -t deb \ + -n srt \ + -v "${VERSION}" \ + -a "${ARCH}" \ + --description "SRT - Secure Reliable Transport library and tools" \ + --maintainer "CERALIVE " \ + --url "https://github.com/CERALIVE/srt" \ + --license "MPL-2.0" \ + --depends "libssl3" \ + -p "dist/srt_${VERSION}_${ARCH}.deb" \ + build-output/usr/=/usr/ + + # Create .tar.gz archive + mkdir -p tarball/srt-${VERSION} + cp -r build-output/usr/* tarball/srt-${VERSION}/ + cd tarball + tar -czvf ../dist/srt_${VERSION}_${ARCH}.tar.gz srt-${VERSION} + cd .. + + # Create checksums + cd dist + sha256sum srt_${VERSION}_${ARCH}.deb > srt_${VERSION}_${ARCH}.deb.sha256 + sha256sum srt_${VERSION}_${ARCH}.tar.gz > srt_${VERSION}_${ARCH}.tar.gz.sha256 + + - name: Upload artifact + uses: actions/upload-artifact@v4 + with: + name: srt-${{ matrix.arch }} + path: | + dist/*.deb + dist/*.tar.gz + dist/*.sha256 + + sign-and-publish: + name: Sign and Publish to R2 + needs: [calculate-version, build-deb] + runs-on: ubuntu-latest + steps: + - name: Download all artifacts + uses: actions/download-artifact@v4 + with: + path: artifacts + + - name: Prepare dist directory + run: | + mkdir -p dist/arm64 dist/amd64 dist/release + mv artifacts/srt-arm64/*.deb dist/arm64/ + mv artifacts/srt-amd64/*.deb dist/amd64/ + cp artifacts/srt-arm64/*.tar.gz dist/release/ + cp artifacts/srt-amd64/*.tar.gz dist/release/ + cp artifacts/srt-arm64/*.sha256 dist/release/ + cp artifacts/srt-amd64/*.sha256 dist/release/ + + - name: Import GPG key + run: | + echo "${{ secrets.DEB_SIGNING_KEY_B64 }}" | base64 -d | gpg --batch --import + + - name: Install apt-utils + run: sudo apt-get update && sudo apt-get install -y apt-utils + + - name: Generate and sign repo metadata (arm64) + run: | + cd dist/arm64 + dpkg-scanpackages . > Packages + gzip -k Packages + apt-ftparchive release . > Release + gpg --batch --yes -abs -o Release.gpg Release + gpg --batch --yes --clearsign -o InRelease Release + + - name: Generate and sign repo metadata (amd64) + run: | + cd dist/amd64 + dpkg-scanpackages . > Packages + gzip -k Packages + apt-ftparchive release . > Release + gpg --batch --yes -abs -o Release.gpg Release + gpg --batch --yes --clearsign -o InRelease Release + + - name: Install AWS CLI + run: | + curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip" + unzip -q awscliv2.zip + sudo ./aws/install + + - name: Upload to R2 + env: + R2_ACCESS_KEY_ID: ${{ secrets.R2_ACCESS_KEY_ID }} + R2_SECRET_ACCESS_KEY: ${{ secrets.R2_SECRET_ACCESS_KEY }} + R2_ENDPOINT: ${{ secrets.R2_ENDPOINT }} + R2_BUCKET: ${{ secrets.R2_BUCKET }} + CHANNEL: ${{ needs.calculate-version.outputs.channel }} + run: | + aws configure set aws_access_key_id "$R2_ACCESS_KEY_ID" + aws configure set aws_secret_access_key "$R2_SECRET_ACCESS_KEY" + + aws s3 sync dist/arm64/ "s3://$R2_BUCKET/dists/$CHANNEL/binary-arm64/" \ + --endpoint-url "$R2_ENDPOINT" + aws s3 sync dist/amd64/ "s3://$R2_BUCKET/dists/$CHANNEL/binary-amd64/" \ + --endpoint-url "$R2_ENDPOINT" + + - name: Create GitHub Release + uses: softprops/action-gh-release@v2 + with: + tag_name: v${{ needs.calculate-version.outputs.version }} + name: srt v${{ needs.calculate-version.outputs.version }} + prerelease: ${{ needs.calculate-version.outputs.channel == 'beta' }} + files: | + dist/arm64/*.deb + dist/amd64/*.deb + dist/release/*.tar.gz + dist/release/*.sha256 + body: | + ## srt v${{ needs.calculate-version.outputs.version }} + + ### Debian Packages + | Architecture | Package | + |--------------|---------| + | ARM64 | `srt_${{ needs.calculate-version.outputs.version }}_arm64.deb` | + | AMD64 | `srt_${{ needs.calculate-version.outputs.version }}_amd64.deb` | + + ### Binary Archives + | Architecture | Archive | + |--------------|---------| + | ARM64 | `srt_${{ needs.calculate-version.outputs.version }}_arm64.tar.gz` | + | AMD64 | `srt_${{ needs.calculate-version.outputs.version }}_amd64.tar.gz` | + + ### Installation + + **Debian/Ubuntu:** + ```bash + sudo dpkg -i srt_${{ needs.calculate-version.outputs.version }}_.deb + ``` + + **Manual:** + ```bash + tar -xzf srt_${{ needs.calculate-version.outputs.version }}_.tar.gz + sudo cp -r srt-${{ needs.calculate-version.outputs.version }}/* /usr/ + ``` From 8ccaaf4000946b1dc8ba9e65ffd178a490f2916b Mon Sep 17 00:00:00 2001 From: Andres Cera Date: Thu, 15 Jan 2026 07:44:41 -0500 Subject: [PATCH 2/3] fix: use find to verify library build location --- .github/workflows/build-check.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build-check.yml b/.github/workflows/build-check.yml index 9c24cbae0..e730b9f0d 100644 --- a/.github/workflows/build-check.yml +++ b/.github/workflows/build-check.yml @@ -53,7 +53,7 @@ jobs: - name: Verify library was built run: | - docker run --rm srt-builder:${{ matrix.arch }} ls -la /build/build/libsrt.so* + docker run --rm srt-builder:${{ matrix.arch }} find /build/build -name "libsrt.so*" -ls - name: Build Summary run: | From fba48642a65a6db376d5f639079ad6112c6bda23 Mon Sep 17 00:00:00 2001 From: Andres Cera Date: Thu, 15 Jan 2026 14:53:26 -0500 Subject: [PATCH 3/3] docs: add dependency chain to release notes --- .github/workflows/publish-release.yml | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/.github/workflows/publish-release.yml b/.github/workflows/publish-release.yml index 27107fec8..3fa3a3bc6 100644 --- a/.github/workflows/publish-release.yml +++ b/.github/workflows/publish-release.yml @@ -248,6 +248,17 @@ jobs: body: | ## srt v${{ needs.calculate-version.outputs.version }} + SRT (Secure Reliable Transport) library with bonding and encryption support. + + ### Dependency Chain + ``` + srt (this package) ← base package + └── libssl3 + + Used by: + └── srtla → ceracoder → ceralive-device + ``` + ### Debian Packages | Architecture | Package | |--------------|---------|