[ci] publish releases with artifacts

* before this, CI built packages but didn’t create a release with downloadable .deb's, now it does, for both amd64 and arm64 architectures and three Debian versions: bookworm, trixie and sid.
* in order to make the .deb versioning better, version detection has been changed - on tagged commits, packages use the tag verbatim; otherwise the prevous logic is preserved.
* tag matching on master is derived from VERSION (major.minor) instead of hard‑coded. This yields versions that align with release tags and clearer pre‑release identifiers.

Author: f355

.github/workflows/ci.yml

@@ -10,6 +10,9 @@ on:
   check_suite:
     types: [rerequested]
 
+permissions:
+  contents: read #  to fetch code (actions/checkout)
+
 jobs:
 
   rip-and-test:
@@ -29,6 +32,7 @@ jobs:
         set -x
         sudo apt-get install -y eatmydata
         eatmydata ./scripts/travis-install-build-deps.sh
+        sudo eatmydata apt --quiet --yes upgrade
         cd src
         eatmydata ./autogen.sh
         eatmydata ./configure --with-realtime=uspace --disable-check-runtime-deps
@@ -54,6 +58,7 @@ jobs:
         sudo apt-get install -y eatmydata
         eatmydata ./scripts/travis-install-build-deps.sh
         sudo eatmydata apt-get install -y clang
+        sudo eatmydata apt --quiet --yes upgrade
         cd src
         eatmydata ./autogen.sh
         CC=clang CXX=clang++ eatmydata ./configure --with-realtime=uspace --disable-check-runtime-deps
@@ -77,6 +82,7 @@ jobs:
       run: |
         ./scripts/travis-install-build-deps.sh
         sudo apt-get install -y eatmydata
+        sudo eatmydata apt --quiet --yes upgrade
         cd src
         eatmydata ./autogen.sh
         eatmydata ./configure --with-realtime=uspace --disable-check-runtime-deps --enable-build-documentation=html
@@ -86,11 +92,11 @@ jobs:
         # Note that the package build covers html docs
 
   package-arch:
-    runs-on: ubuntu-latest
+    runs-on: ${{ matrix.runner }}
     strategy:
       matrix:
-        image: ["debian:bullseye", "debian:bookworm", "debian:sid"]
-
+        runner: ["ubuntu-24.04", "ubuntu-24.04-arm"]
+        image: ["debian:bullseye", "debian:bookworm", "debian:trixie", "debian:sid"]
     container:
       image: ${{ matrix.image }}
       # IPC_OWNER is needed for shmget IPC_CREAT
@@ -108,7 +114,8 @@ jobs:
         set -e
         set -x
         apt-get --quiet update
-        apt-get --yes --quiet install eatmydata
+        apt-get --yes --quiet install eatmydata curl
+        eatmydata apt --quiet --yes upgrade
         # Install stuff needed to check out the linuxcnc repo and turn it into a debian source package.
         eatmydata apt-get --yes --quiet install --no-install-suggests git lsb-release python3 devscripts
 
@@ -118,25 +125,6 @@ jobs:
         # our build system to determine the version from tags
         fetch-depth: 0
 
-    - name: Add linuxcnc.org deb archive
-      env:
-        DEBIAN_FRONTEND: noninteractive
-      run: |
-        case "${{matrix.image}}" in
-            debian:sid|debian:bookworm)
-                exit 0
-                ;;
-            *)
-                ;;
-        esac
-        set -e
-        set -x
-        eatmydata apt-get --yes --quiet install --no-install-recommends gpg software-properties-common
-        eatmydata gpg --homedir="${PWD}/gnupg" --output /etc/apt/trusted.gpg.d/linuxcnc-deb-archive.gpg --export 3CB9FD148F374FEF
-        DIST=$(echo ${{matrix.image}} | cut -d : -f 2)
-        eatmydata add-apt-repository "deb http://linuxcnc.org $DIST base"
-        eatmydata apt-get --quiet update
-
     - name: Build architecture-specific Debian packages
       env:
         DEBEMAIL: emc-developers@lists.sourceforge.net
@@ -165,12 +153,37 @@ jobs:
         eatmydata adduser testrunner sudo
         chmod 0777 $(find tests/ -type d) # make test dirs world-writable for the testrunner
         su -c "eatmydata ./scripts/runtests -p ./tests" testrunner
+    - name: Gather build artifacts
+      run: |
+        set -e
+        set -x
+        ARCH=$(dpkg --print-architecture)
+        DIST=$(echo ${{ matrix.image }} | cut -d : -f 2)
+        OUTDIR="artifacts/${DIST}/${ARCH}"
+        mkdir -p "$OUTDIR"
+        cp -v ../*.deb ../*.changes ../*.buildinfo "$OUTDIR" || true
+        (cd "$OUTDIR" && sha256sum * > SHA256SUMS.txt)
+        echo "DIST=$DIST" >> "$GITHUB_ENV"
+        echo "ARCH=$ARCH" >> "$GITHUB_ENV"
+    - name: Compute artifact metadata
+      id: meta
+      run: |
+        echo "dist=$(echo ${{ matrix.image }} | cut -d : -f 2)" >> $GITHUB_OUTPUT
+        echo "arch=$(dpkg --print-architecture)" >> $GITHUB_OUTPUT
+
+    - name: Upload build artifacts
+      uses: actions/upload-artifact@v4
+      with:
+        name: linuxcnc-${{ steps.meta.outputs.dist }}-${{ steps.meta.outputs.arch }}
+        path: artifacts/${{ steps.meta.outputs.dist }}/${{ steps.meta.outputs.arch }}
+        if-no-files-found: error
+
 
   package-indep:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
     strategy:
       matrix:
-        image: ["debian:bullseye", "debian:bookworm", "debian:sid"]
+        image: ["debian:bullseye", "debian:bookworm", "debian:trixie", "debian:sid"]
     container:
       image: ${{ matrix.image }}
       # IPC_OWNER is needed for shmget IPC_CREAT
@@ -189,7 +202,8 @@ jobs:
         set -e
         set -x
         apt-get --quiet update
-        apt-get --yes --quiet install eatmydata
+        apt-get --yes --quiet install eatmydata curl
+        eatmydata apt --quiet --yes upgrade
         # Install stuff needed to check out the linuxcnc repo and turn it into a debian source package.
         eatmydata apt-get --yes --quiet install --no-install-suggests git lsb-release python3 devscripts
 
@@ -204,7 +218,7 @@ jobs:
         DEBIAN_FRONTEND: noninteractive
       run: |
         case "${{matrix.image}}" in
-            debian:sid|debian:bookworm)
+            debian:sid|debian:bookworm|debian:trixie)
                 exit 0
                 ;;
             *)
@@ -240,3 +254,86 @@ jobs:
         set -e
         set -x
         eatmydata apt-get --yes --quiet install ../*.deb
+    - name: Gather build artifacts
+      run: |
+        set -e
+        set -x
+        DIST=$(echo ${{ matrix.image }} | cut -d : -f 2)
+        ARCH=all
+        OUTDIR="artifacts/${DIST}/${ARCH}"
+        mkdir -p "$OUTDIR"
+        cp -v ../*.deb ../*.changes ../*.buildinfo "$OUTDIR" || true
+        (cd "$OUTDIR" && sha256sum * > SHA256SUMS.txt)
+        echo "DIST=$DIST" >> "$GITHUB_ENV"
+        echo "ARCH=$ARCH" >> "$GITHUB_ENV"
+    - name: Compute artifact metadata
+      id: meta
+      run: |
+        echo "dist=$(echo ${{ matrix.image }} | cut -d : -f 2)" >> $GITHUB_OUTPUT
+        echo "arch=all" >> $GITHUB_OUTPUT
+
+    - name: Upload build artifacts
+      uses: actions/upload-artifact@v4
+      with:
+        name: linuxcnc-${{ steps.meta.outputs.dist }}-${{ steps.meta.outputs.arch }}
+        path: artifacts/${{ steps.meta.outputs.dist }}/${{ steps.meta.outputs.arch }}
+        if-no-files-found: error
+
+  release:
+    name: Release packages
+    needs:
+      - package-arch
+      - package-indep
+    if: (github.event_name == 'release' && github.event.action == 'published') || startsWith(github.ref, 'refs/tags/')
+    permissions:
+      contents: write
+    runs-on: ubuntu-24.04
+    steps:
+    - name: Download artifacts
+      uses: actions/download-artifact@v4
+      with:
+        path: release_artifacts
+    - name: Prepare upload assets
+      run: |
+        set -e
+        mkdir -p upload
+        echo "Downloaded artifacts layout:" && find release_artifacts -maxdepth 3 -print | sed 's/^/  /'
+        for d in release_artifacts/*; do
+          [ -d "$d" ] || continue
+          name=$(basename "$d")
+          # Expect name like linuxcnc-bookworm-amd64 or linuxcnc-trixie-all
+          dist=${name#linuxcnc-}
+          dist=${dist%-*}
+          arch=${name##*-}
+          echo "Processing artifact: $name (dist=$dist arch=$arch)"
+          # Copy .deb files with distro suffix (arch is already in Debian filename)
+          for f in "$d"/*.deb; do
+            [ -f "$f" ] || continue
+            base=$(basename "$f")
+            base_no_ext="${base%.deb}"
+            dest="upload/${base_no_ext}_${dist}.deb"
+            echo "  + $base -> $(basename "$dest")"
+            cp "$f" "$dest"
+          done
+        done
+
+        echo "Upload dir contents:" && ls -l upload | sed 's/^/  /'
+        # Single combined checksums file for all assets, deterministic order
+        if ls upload/*.deb >/dev/null 2>&1; then
+          (
+            cd upload
+            : > SHA256SUMS.txt
+            # sort file list for stable output
+            for f in $(ls -1 *.deb | LC_ALL=C sort); do
+              sha256sum "$f" >> SHA256SUMS.txt
+            done
+            echo "Preview of SHA256SUMS.txt:" && sed -n '1,200p' SHA256SUMS.txt | sed 's/^/  /'
+          )
+        fi
+    - name: Create GitHub Release and upload assets
+      uses: softprops/action-gh-release@v2
+      with:
+        files: |
+          upload/*
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

scripts/get-version-from-git

@@ -1,18 +1,26 @@
 #!/bin/bash
 
-if [ ! -z "$EMC2_HOME" ]; then
-    source $EMC2_HOME/scripts/githelper.sh
+if [ -n "$EMC2_HOME" ]; then
+    source "$EMC2_HOME"/scripts/githelper.sh
 else
-    source $(git rev-parse --show-toplevel)/scripts/githelper.sh
+    source "$(git rev-parse --show-toplevel)"/scripts/githelper.sh
 fi
 
-githelper $1
+githelper "$1"
 
 if [ "$DEB_COMPONENT" = "scratch" ]; then
-    # unknown branches get the VERSION file, plus the branch name (with any
-    # characters that are invalid in debian version numbers replaced with
-    # dashes '-'), plus the HEAD commit SHA1
-    echo v$(git show HEAD:VERSION | cut -d ' ' -f 1)~${GIT_BRANCH//[^-.+:~a-z0-9]/-}~$(git show --pretty=format:%h HEAD | head -1)
+    DESCRIBE=$(git describe --tags --exact-match 2>/dev/null)
+    if [ -n "$DESCRIBE" ]; then
+        echo "$DESCRIBE"
+    else
+        DESCRIBE=$(git describe --tags 2>/dev/null)
+        if [ -n "$DESCRIBE" ]; then
+            echo "$DESCRIBE"
+        else
+            BR=$(printf '%s' "$GIT_BRANCH" | tr '[:upper:]' '[:lower:]' | sed -E 's/[^-.+:~a-z0-9]/-/g; s/-{2,}/-/g; s/^-//; s/-$//')
+            echo "v$(git show HEAD:VERSION | cut -d ' ' -f 1)~${BR:-head}~$(git show --pretty=format:%h HEAD | head -1)"
+        fi
+    fi
 else
     # known branches get the "describe" of the most recent signed git tag,
     # or of the most recent unsigned tag if no signed tags are found

scripts/githelper.sh

@@ -12,22 +12,23 @@
 # Sets GIT_TAG to the most recent signed tag (this will fall back to the
 # most recent tag of any kind if no signed tag is found).
 #
+# shellcheck shell=bash
 
 
 function githelper() {
     if [ -z "$1" ]; then
-        GIT_BRANCH=$(git branch | egrep '^\*' | cut -d ' ' -f 2)
-        if [ "$GIT_BRANCH" = "(no" ]; then
-            echo "'git branch' says we're not on a branch, pass one in as an argument" > /dev/null 1>&2
-            return
+        GIT_BRANCH=$(git symbolic-ref -q --short HEAD 2>/dev/null)
+        if [ -z "$GIT_BRANCH" ]; then
+            GIT_BRANCH=$(git rev-parse --abbrev-ref HEAD)
         fi
     else
         GIT_BRANCH="$1"
     fi
 
     case $GIT_BRANCH in
         master)
-            GIT_TAG_GLOB="v2.10.*"
+            MM=$(git show HEAD:VERSION | sed -E 's/^([0-9]+)\.([0-9]+).*/\1.\2/')
+            GIT_TAG_GLOB="v${MM}.*"
             DEB_COMPONENT="master"
             ;;
         # release branches have names matching "number.number", which is awkward to express as a glob
@@ -45,46 +46,53 @@ function githelper() {
             ;;
         *)
             GIT_TAG_GLOB="*"
+            # Disable unused variable warnings on DEB_COMPONENT
+            # shellcheck disable=SC2034
             DEB_COMPONENT="scratch"
             ;;
     esac
 
 
     # use the gnupg keyring from our git repo to verify signatures on the release tags
-    export GNUPGHOME=$(git rev-parse --show-toplevel)/gnupg
+    GNUPGHOME=$(git rev-parse --show-toplevel)/gnupg
+    export GNUPGHOME
 
     NEWEST_SIGNED_TAG_UTIME=-1
     NEWEST_UNSIGNED_TAG_UTIME=-1
     for TAG in $(git tag -l "$GIT_TAG_GLOB"); do
-        if ! git cat-file tag $TAG > /dev/null 2> /dev/null; then
+        if ! git cat-file tag "$TAG" > /dev/null 2> /dev/null; then
             continue
         fi
 
-        TAG_UTIME=$(git cat-file tag $TAG | grep tagger | awk '{print $(NF-1)-$NF*36}')
+        TAG_UTIME=$(git cat-file tag "$TAG" | grep tagger | awk '{print $(NF-1)-$NF*36}')
 
         if git tag -v "$TAG" > /dev/null 2> /dev/null; then
             # it's a valid signed tag
-            if [ $TAG_UTIME -gt $NEWEST_SIGNED_TAG_UTIME ]; then
+            if [ "$TAG_UTIME" -gt "$NEWEST_SIGNED_TAG_UTIME" ]; then
                 NEWEST_SIGNED_TAG=$TAG
                 NEWEST_SIGNED_TAG_UTIME=$TAG_UTIME
             fi
         else
             # unsigned tag
-            if [ $TAG_UTIME -gt $NEWEST_UNSIGNED_TAG_UTIME ]; then
+            if [ "$TAG_UTIME" -gt "$NEWEST_UNSIGNED_TAG_UTIME" ]; then
                 NEWEST_UNSIGNED_TAG=$TAG
                 NEWEST_UNSIGNED_TAG_UTIME=$TAG_UTIME
             fi
         fi
 
     done
 
-    if [ $NEWEST_SIGNED_TAG_UTIME -gt -1 ]; then
+    if [ "$NEWEST_SIGNED_TAG_UTIME" -gt -1 ]; then
+        # Disable unused variable warnings on GIT_TAG
+        # shellcheck disable=SC2034
         GIT_TAG="$NEWEST_SIGNED_TAG"
         return
     fi
 
-    if [ $NEWEST_UNSIGNED_TAG_UTIME -gt -1 ]; then
+    if [ "$NEWEST_UNSIGNED_TAG_UTIME" -gt -1 ]; then
         echo "no signed tags found, falling back to unsigned tags" > /dev/null 1>&2
+        # Disable unused variable warnings on GIT_TAG
+        # shellcheck disable=SC2034
         GIT_TAG="$NEWEST_UNSIGNED_TAG"
         return
     fi