Add dev branch deployment pipeline and Proxmox upgrade script #138
anishapant21 wants to merge 2 commits into dev from
Conversation
Pull request overview
Adds a dev-branch delivery path (rolling dev-latest GitHub pre-release with packages) and a Proxmox LXC upgrade helper, plus systemd hardening/path fixes to match nfpm’s install layout.
Changes:
- Extend CI triggers to include dev and add a dev-release job that publishes a rolling dev-latest pre-release with "dev-"-prefixed package assets and checksums.
- Update the packaged systemd unit to start the correct entrypoint and adjust sandbox path allowances (cert dir and Proxmox mountpoints).
- Add a Proxmox/Debian upgrade script that downloads a release asset, verifies SHA256 (when available), installs it, and reports service status.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| scripts/proxmox-upgrade.sh | New one-command upgrade script for installing stable/dev .deb releases with optional checksum verification. |
| nfpm/systemd/ldap-gateway.service | Fix ExecStart/cert path to align with nfpm’s /opt/ldap-gateway/ tree install; allow read-only access to Proxmox mount paths. |
| .github/workflows/build-and-release.yml | Add dev triggers and a rolling dev-latest pre-release publisher job. |
| fi | ||
|
|
||
| REPO="mieweb/LDAPServer" | ||
| ARCH="amd64" |
ARCH is hard-coded to amd64, which will download the wrong package on arm64 containers. Consider deriving it from dpkg --print-architecture (and mapping to the release asset naming) so the script works on both amd64 and arm64 Proxmox LXC guests.
| ARCH="amd64" | |
| # Detect architecture dynamically so we download the correct .deb on amd64 and arm64 | |
| DETECTED_ARCH="$(dpkg --print-architecture 2>/dev/null || echo amd64)" | |
| case "$DETECTED_ARCH" in | |
| amd64|arm64) | |
| ARCH="$DETECTED_ARCH" | |
| ;; | |
| *) | |
| echo "WARNING: Unsupported architecture '$DETECTED_ARCH'; defaulting to amd64 package." >&2 | |
| ARCH="amd64" | |
| ;; | |
| esac |
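Review bot: the `*)` branch of this suggestion still selects the amd64 package for any architecture it does not recognise, and the `|| echo amd64` fallback does the same when dpkg is missing, so an i386 or armhf guest downloads a package that dpkg then refuses as a foreign-architecture package, failing late and with a less useful message than the script could have given. Make the unsupported case fatal instead: `echo "ERROR: unsupported architecture '$DETECTED_ARCH'" >&2` followed by `exit 1`, leaving the amd64/arm64 mapping as the only path that reaches the download.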
| branches: [ main, dev ] | ||
| tags: [ 'v*' ] | ||
| pull_request: | ||
| branches: [ main ] | ||
| branches: [ main, dev ] |
Adding dev to the workflow triggers means every job that runs on push (including build-docker, which is configured to push: ${{ github.event_name != 'pull_request' }}) will now publish images for the dev branch as well. If the intent is to publish only .deb dev packages (per PR description), consider gating Docker pushes to main/tags, or adjusting the build-docker job condition to avoid pushing on dev.
| dpkg -i "${TMP_DIR}/${DEB_FILE}" | ||
|
|
||
| # Fix any missing dependencies | ||
| apt-get install -f -y --no-install-recommends 2>/dev/null || true | ||
|
|
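Review bot: dpkg -i here installs, as root, a package whose SHA256 is only checked when a checksum asset happens to exist (the overview says "verifies SHA256 (when available)"), so a release published without checksums, or a run that fetched the package but not the sums file, goes straight to installation unverified. Treat a missing checksum as a hard failure before this line, behind an explicit opt-out flag if one is wanted, and log which file was verified against which sums so the upgrade log shows that the check ran.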
With set -e, dpkg -i will exit non-zero when dependencies are missing, so the script aborts before the apt-get install -f recovery runs. Consider installing via apt-get install ./package.deb (lets apt resolve deps) or handling the dpkg -i failure explicitly so dependency installation can proceed and failures are surfaced appropriately.
| dpkg -i "${TMP_DIR}/${DEB_FILE}" | |
| # Fix any missing dependencies | |
| apt-get install -f -y --no-install-recommends 2>/dev/null || true | |
| if ! apt-get install -y --no-install-recommends "${TMP_DIR}/${DEB_FILE}"; then | |
| echo "ERROR: Failed to install ${DEB_FILE}. See apt-get output above for details." >&2 | |
| exit 1 | |
| fi |
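A fail-closed version of the three points raised in the comments above, written here as an added example and not the project's own scripts/proxmox-upgrade.sh: architecture selection that refuses unknown architectures instead of defaulting to amd64, SHA256 verification that treats a missing checksum entry as an error, and installation through apt-get so dependency resolution and failures are surfaced. The asset naming (ldap-gateway_<version>_<arch>.deb with a dev- prefix for the dev channel), the SHA256SUMS file name and all function names are assumptions, not taken from the repository; the files the demo checks are constructed locally.

```shell
#!/usr/bin/env bash
# Added example, not the PR's scripts/proxmox-upgrade.sh. Fail-closed helpers
# for the points raised in review: architecture selection, SHA256 verification
# and installation. The asset naming (ldap-gateway_<version>_<arch>.deb, with a
# "dev-" prefix for the dev channel) and the SHA256SUMS file name are assumptions.
set -eu

# Map the dpkg architecture to the release asset architecture. Only amd64 and
# arm64 are assumed to be published; anything else is an error, not a silent
# fallback to the amd64 package.
select_arch() {
    local detected="${1:-$(dpkg --print-architecture)}"
    case "$detected" in
        amd64|arm64) printf '%s\n' "$detected" ;;
        *) echo "ERROR: no release asset for architecture '$detected'" >&2; return 1 ;;
    esac
}

# Asset file name for a channel ("stable" or "dev"), version and architecture.
asset_name() {
    local channel="$1" version="$2" arch="$3" prefix=""
    case "$channel" in dev) prefix="dev-" ;; esac
    printf '%sldap-gateway_%s_%s.deb\n' "$prefix" "$version" "$arch"
}

# SHA256 of a file, using sha256sum (coreutils) or shasum (macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    else
        shasum -a 256 "$1" | awk '{ print $1 }'
    fi
}

# Verify a .deb against a SHA256SUMS-style file ("<hex>  <name>" per line).
# A missing entry is a failure: "verify when available" would let an
# unverified package reach the installer as root.
verify_sha256() {
    local deb="$1" sums="$2" name expected actual
    name="$(basename "$deb")"
    expected="$(awk -v n="$name" '$2 == n { print $1; exit }' "$sums")"
    if [ -z "$expected" ]; then
        echo "ERROR: no SHA256 entry for $name in $sums; refusing to install" >&2
        return 1
    fi
    actual="$(sha256_of "$deb")"
    if [ "$actual" != "$expected" ]; then
        echo "ERROR: SHA256 mismatch for $name (expected $expected, got $actual)" >&2
        return 1
    fi
    echo "verified $name against $sums"
}

# Install only after verification. apt-get resolves dependencies itself, and
# under set -e its non-zero exit stops the script instead of being swallowed.
# The path must contain a slash so apt-get treats it as a local file.
install_verified() {
    local deb="$1" sums="$2"
    verify_sha256 "$deb" "$sums"
    case "$deb" in */*) ;; *) deb="./$deb" ;; esac
    apt-get install -y --no-install-recommends "$deb"
}

# Write a constructed package file and a matching SHA256SUMS into a directory
# (test fixture, not a real release asset).
make_fixture() {
    local dir="$1" name="$2"
    printf 'not a real package\n' > "$dir/$name"
    printf '%s  %s\n' "$(sha256_of "$dir/$name")" "$name" > "$dir/SHA256SUMS"
}

# Demonstration on constructed files: a good checksum passes, a tampered
# package and a package with no entry are both rejected. Nothing is installed.
demo() {
    local dir name
    dir="$(mktemp -d)"
    name="$(asset_name dev 0.0.0 "$(select_arch amd64)")"
    make_fixture "$dir" "$name"
    verify_sha256 "$dir/$name" "$dir/SHA256SUMS"
    printf 'tampered\n' >> "$dir/$name"
    verify_sha256 "$dir/$name" "$dir/SHA256SUMS" 2>/dev/null || echo "rejected: tampered package"
    printf 'x\n' > "$dir/unknown.deb"
    verify_sha256 "$dir/unknown.deb" "$dir/SHA256SUMS" 2>/dev/null || echo "rejected: no checksum entry"
    rm -rf "$dir"
}

demo
```

Run it as-is to see the constructed-file checks; install_verified is the only function that needs root and a downloaded package, and the demo does not call it. The asset-name helper exists so the checksum lookup and the download use one spelling of the file name, which is where a hand-written prefix is most easily mistyped.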
Summary
Adds automated .deb package publishing for the dev branch and a one-command upgrade script for Proxmox LXC containers.
Changes
CI/CD — [build-and-release.yml]
Systemd service — [ldap-gateway.service]
Upgrade script — [proxmox-upgrade.sh]
How to use
Testing