Sulkta-OSS/straw
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
straw/ci/Dockerfile
Cobb 5e89056f62
Some checks failed
build-apk / build-and-publish (push) Failing after 1m5s
Details
gitleaks / scan (push) Successful in 1m0s
Details
ci: Forgejo build workflow — per-repo straw-build image, gated auto-publish 
Build the Straw APK in CI from a dedicated, ephemeral build container
(git.sulkta.com/sulkta-infra/straw-build — Android SDK/NDK + Rust +
cargo-ndk, see ci/Dockerfile) instead of the persistent crafting-table.
The runner spins the container up per job and tears it down after.

On push to main (after the build passes + the signer fingerprint is
verified against the canonical key) it publishes to fdroid.sulkta.com:
APK into the Lucy repo + index re-sign via the host docker socket, then
the signed repo streamed to Rackham web168 over a scoped forced-command
deploy key. Keystore + deploy key are Forgejo repo secrets.

Build steps run under `ionice -c3 nice` so they can't I/O-starve the live
DBs on Lucy.
2026-06-19 20:18:32 -07:00

63 lines
3.2 KiB
Docker
Raw Blame History

# Sulkta straw-build — reproducible Android + Rust build image for the Straw APK.
#
# Pushed to git.sulkta.com/sulkta-infra/straw-build:latest and used as the job
# `container:` in .forgejo/workflows/build.yml. It bakes the toolchain that
# otherwise lives only in bind-mounts on the long-running crafting-table, so a
# FRESH Forgejo CI job container is fully self-contained (no host /caches
# dependency, no per-machine signing key).
#
# Toolchain pinned to exactly what builds vc=72 successfully:
# JDK 21 · NDK 27.2.12479018 · build-tools 34.0.0 · platforms android-36
# Rust stable + 4 Android targets · cargo-ndk · clang/libclang (rquickjs bindgen)
FROM eclipse-temurin:21-jdk-jammy
ENV DEBIAN_FRONTEND=noninteractive \
ANDROID_SDK_ROOT=/opt/android-sdk \
ANDROID_HOME=/opt/android-sdk \
ANDROID_NDK_HOME=/opt/android-sdk/ndk/27.2.12479018 \
CARGO_HOME=/opt/cargo \
RUSTUP_HOME=/opt/rustup \
PATH=/opt/cargo/bin:/opt/android-sdk/cmdline-tools/latest/bin:/opt/android-sdk/platform-tools:/usr/bin:/bin
# Base OS deps: clang/libclang for rquickjs bindgen, a C toolchain for the
# QuickJS C sources, unzip for the SDK zips, git+ca-certs for checkout.
RUN apt-get update && apt-get install -y --no-install-recommends \
git curl unzip ca-certificates clang libclang-dev build-essential pkg-config \
&& rm -rf /var/lib/apt/lists/*
# Android cmdline-tools + the SDK packages the build needs.
ARG CMDLINE_TOOLS_ZIP=commandlinetools-linux-11076708_latest.zip
RUN mkdir -p "$ANDROID_SDK_ROOT/cmdline-tools" \
&& curl -fsSL -o /tmp/cmdtools.zip "https://dl.google.com/android/repository/${CMDLINE_TOOLS_ZIP}" \
&& unzip -q /tmp/cmdtools.zip -d "$ANDROID_SDK_ROOT/cmdline-tools" \
&& mv "$ANDROID_SDK_ROOT/cmdline-tools/cmdline-tools" "$ANDROID_SDK_ROOT/cmdline-tools/latest" \
&& rm /tmp/cmdtools.zip \
&& yes | sdkmanager --licenses >/dev/null 2>&1 \
&& sdkmanager --install \
"platform-tools" \
"platforms;android-36" \
"build-tools;34.0.0" \
"ndk;27.2.12479018" >/dev/null \
&& rm -rf "$ANDROID_SDK_ROOT/.temp" /tmp/*
# Rust toolchain + the four Android targets + cargo-ndk.
RUN curl -fsSL https://sh.rustup.rs | sh -s -- -y --default-toolchain stable --profile minimal \
&& rustup target add \
aarch64-linux-android armv7-linux-androideabi i686-linux-android x86_64-linux-android \
&& cargo install cargo-ndk --locked \
&& rm -rf /opt/cargo/registry/cache /opt/cargo/registry/src
# Sanity: fail the image build early if anything's missing.
RUN java -version && cargo --version && cargo ndk --version || true \
&& test -d "$ANDROID_NDK_HOME" && test -d "$ANDROID_SDK_ROOT/build-tools/34.0.0"
# Publish tooling (appended last so the heavy toolchain layers stay cached):
# docker CLI to talk to the runner's host socket for the fdroid steps, and
# openssh-client to stream the signed repo to Rackham. The build steps don't
# touch the socket; only the gated publish step does.
RUN apt-get update && apt-get install -y --no-install-recommends \
docker.io openssh-client \
&& rm -rf /var/lib/apt/lists/*
# The signing keystore is NOT baked — it's injected per-build from the Forgejo
# secret STRAW_SIGNING_KEYSTORE_B64 → STRAW_KEYSTORE_FILE.
Reference in a new issue View git blame Copy permalink