APT Staging repository
In addition to the main APT repository, which contains packages from upstream, we also run a repository for testing packages from Wikimedia-originated projects. Packages can be imported from GitLab; Gerrit is currently not supported.
Requirements
To have your package imported automatically from GitLab to the apt-staging repository, your package must meet the following conditions:
- Be built by the WMF DebCI pipeline (docs)
- Be built by a Trusted Runner
- Be part of a protected branch (i.e., main, production, etc.)
The tool accepts options to bypass the trusted runner and protected branch checks for development/testing purposes, but these should not be used in production, so that packages are built correctly and securely.
How the pipeline works
A cron job on the apt-staging host fetches the list of jobs that run on trusted runners. Then, it fetches the last 50 CI jobs and checks to see if they match the requirements above.
If a package matches, it fetches it, places it in the repository "incoming" directory, and then executes `/usr/bin/reprepro -b /srv/aptrepo/wikimedia-staging processincoming default` to pull the packages into the repository.
Packages are signed with a key separate from the one used for the main APT repository. This key is deployed with Puppet, added to the root GPG keyring, and then specified in the APT repo config.
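The eligibility check described above, sketched as an added example (this is not the code the apt-staging tool runs): it filters job records shaped like GitLab's jobs API output against a set of trusted runner ids and the protected-branch name patterns. The job name `build-deb`, the requirement that the job succeeded, the bypass parameter names and all sample data are assumptions.

```python
import re

DEBCI_JOB_NAME = "build-deb"  # hypothetical job name marking a DebCI build (assumption)

def ref_is_protected(ref, patterns):
    """Protected-branch names may contain '*' wildcards; everything else is literal."""
    return any(
        re.fullmatch(".*".join(map(re.escape, p.split("*"))), ref) for p in patterns
    )

def check_job(job, trusted_runner_ids, protected_patterns,
              allow_untrusted_runner=False, allow_unprotected_ref=False):
    """Return None if the job's package may be imported, else the reason it may not."""
    runner = job.get("runner") or {}  # null until a runner has picked the job up
    if job.get("name") != DEBCI_JOB_NAME:
        return "not a DebCI build job"
    if job.get("status") != "success":  # assumption: only finished builds are fetched
        return "job did not succeed"
    if not allow_untrusted_runner and runner.get("id") not in trusted_runner_ids:
        return "runner is not trusted"
    if not allow_unprotected_ref:
        if job.get("tag"):  # a tag can carry the same name as a protected branch
            return "ref is a tag, not a branch"
        if not ref_is_protected(job.get("ref", ""), protected_patterns):
            return "branch is not protected"
    return None

def select_jobs(jobs, trusted_runner_ids, protected_patterns, **bypass):
    """Split the 50 most recent jobs into importable ids and {id: rejection reason}."""
    accepted, rejected = [], {}
    for job in jobs[:50]:  # list is assumed to be newest first
        reason = check_job(job, trusted_runner_ids, protected_patterns, **bypass)
        if reason is None:
            accepted.append(job["id"])
        else:
            rejected[job["id"]] = reason
    return accepted, rejected

# Constructed sample data, newest job first.
TRUSTED = {11, 12}
PROTECTED = ["main", "release/*"]
JOBS = [
    {"id": 1, "name": "build-deb", "status": "success", "ref": "main", "tag": False, "runner": {"id": 11}},
    {"id": 2, "name": "build-deb", "status": "success", "ref": "main", "tag": False, "runner": {"id": 99}},
    {"id": 3, "name": "build-deb", "status": "success", "ref": "release/1.2", "tag": False, "runner": {"id": 12}},
    {"id": 4, "name": "build-deb", "status": "success", "ref": "main", "tag": True, "runner": {"id": 11}},
    {"id": 5, "name": "build-deb", "status": "success", "ref": "feature/x", "tag": False, "runner": {"id": 11}},
    {"id": 6, "name": "build-deb", "status": "pending", "ref": "main", "tag": False, "runner": None},
]
```

Recording a rejection reason per job, rather than silently skipping, makes it possible to audit why a given build never reached the staging repository.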
Limitations
This process is slightly more cumbersome because of the limitations with GitLab. The GraphQL endpoint would allow us to perform a single search across all repos to find the packages that match our requirements; however, this particular endpoint is not available in our plan.
Promote packages to the main repository
In order to promote packages to the main APT repository, you need to set up the process with a Puppet patch that modifies two files before you can perform your first import.
In `modules/aptrepo/files/updates`, add an entry like this:
```
Name: vopsbot # Change to your package name
Method: https://apt-staging.wikimedia.org/wikimedia-staging/
Components: main # Change to the component you want to add it to
Suite: bookworm-wikimedia # If you have more than one suite, you will need to list them separately
UDebComponents:
Architectures: amd64
VerifyRelease: 671B51EA4CC7E5B2
ListShellHook: grep-dctrl -e -S '^vopsbot$' || [ $? -eq 1 ] # Change to your package name
```
In `modules/aptrepo/files/distributions-wikimedia`, add your package name to the relevant list given the Suite and Components that you have chosen.
Once you've done that, you can import your package in reprepro.