# msys2-autobuild

**Repository Path**: wang-yi-1989/msys2-autobuild

## Basic Information

- **Project Name**: msys2-autobuild
- **Description**: No description available
- **Primary Language**: Unknown
- **License**: MIT
- **Default Branch**: master
- **Homepage**: None
- **GVP Project**: No

## Statistics

- **Stars**: 0
- **Forks**: 0
- **Created**: 2021-04-11
- **Last Updated**: 2021-04-11

## Categories & Tags

**Categories**: Uncategorized

**Tags**: None

## README

# msys2-autobuild

## autobuild.py

```console
$ pacman -S mingw-w64-x86_64-python-tabulate mingw-w64-x86_64-python-pygithub mingw-w64-x86_64-python-requests
# or
$ poetry install
# or
$ python -m pip install --user -r requirements.txt
```

```console
$ ./autobuild.py --help
usage: autobuild.py [-h]
                    {build,show,should-run,update-status,fetch-assets,upload-assets,clean-assets}
                    ...

Build packages

optional arguments:
  -h, --help            show this help message and exit

subcommands:
  {build,show,should-run,update-status,fetch-assets,upload-assets,clean-assets}
    build               Build all packages
    show                Show all packages to be built
    update-status       Update the status file
    fetch-assets        Download all staging packages
    upload-assets       Upload packages
    clean-assets        Clean up GHA assets
```

## Automated Build Process

The following graph shows what happens between a PKGBUILD getting changed in git
and the built package being available in the pacman repo.

![sequence](./docs/sequence.svg)

### Security Considerations

Assuming changes to PKGBUILDs are properly reviewed, the pacman signature
checking works, the upstream source is OK and all MSYS2 organization members are
trusted we need to consider a bad actor controlling some part of the building
process between the PKGBUILD getting changed and the package ending up signed in
the pacman repo.

A bad actor would need to get a package on the machine of the developer signing
the package and adding it to the pacman repo. We take the following precautions:

* We only build packages automatically with GitHub Actions without third party
  actions, excluding the official GitHub ones. We assume the GHA images and
  official actions are safe.
* The download tool used by the person signing the package checks that the
  binaries where uploaded by a restricted set of GitHub users or GHA.
  We assume the bad actor doesn't have git push rights.
* Packages too large for GHA get built/signed by MSYS2 developers on their
  machines. We assume the developer machines are safe.
* We enforce 2FA for the MSYS2 organization to make account takeovers of
  existing MSYS2 developers harder.

Feedback and ideas on how to improve this welcome.