Guard reprepro db via concurrency limits

.github/workflows/build_and_deploy.yaml

@@ -39,9 +39,7 @@ on:
                 required: true
                 type: boolean
                 default: true
-concurrency:
-    group: ${{ github.workflow }}-${{ github.ref }}
-    cancel-in-progress: true
+concurrency: ${{ github.workflow }}
 env:
     # XXX: UPDATE THIS BEFORE WHEN GOING LIVE
     R2_BUCKET: "packages-element-io-test"
@@ -99,12 +97,12 @@ jobs:
         needs: prepare
         name: Linux
         uses: ./.github/workflows/build_linux.yaml
-        secrets: inherit
         with:
             sqlcipher: system
-            deploy-mode: true
             version: ${{ needs.prepare.outputs.linux-version }}
 
+    # This deploy job only handles Windows & macOS as those are stateless and static.
+    # Linux will be deployed via reprepro after it, but we list it as a dependency to abort if it fails.
     deploy:
         needs:
             - macos
@@ -113,7 +111,7 @@ jobs:
             - windows_64bit
         runs-on: ubuntu-latest
         name: Deploy
-        if: always() && (github.event != 'workflow_dispatch' || inputs.deploy)
+        if: github.event != 'workflow_dispatch' || (inputs.deploy && (inputs.macos || inputs.windows_32bit || inputs.windows_64bit))
         environment: packages.element.io
         steps:
             - name: Download artifacts
@@ -122,22 +120,23 @@ jobs:
                   name: packages.element.io
                   path: packages.element.io
 
-            - name: Deploy debian repo
-              if: github.event_name != 'workflow_dispatch' || inputs.linux
-              run: |
-                  mv packages.element.io/debian .
-                  aws s3 cp --recursive debian/ s3://$R2_BUCKET/debian --endpoint-url $R2_URL --region auto
-              env:
-                  AWS_ACCESS_KEY_ID: ${{ secrets.CF_R2_ACCESS_KEY_ID }}
-                  AWS_SECRET_ACCESS_KEY: ${{ secrets.CF_R2_TOKEN }}
-                  R2_URL: ${{ secrets.CF_R2_S3_API }}
-
             - name: Deploy artifacts
-              if: github.event_name != 'workflow_dispatch' || inputs.macos || inputs.windows_32bit || inputs.windows_64bit
               run: |
                   aws s3 cp --recursive packages.element.io/ s3://$R2_BUCKET/$DEPLOYMENT_DIR --endpoint-url $R2_URL --region auto
               env:
                   AWS_ACCESS_KEY_ID: ${{ secrets.CF_R2_ACCESS_KEY_ID }}
                   AWS_SECRET_ACCESS_KEY: ${{ secrets.CF_R2_TOKEN }}
                   R2_URL: ${{ secrets.CF_R2_S3_API }}
                   DEPLOYMENT_DIR: ${{ inputs.mode == 'release' && 'desktop' || 'nightly' }}
+
+    reprepro:
+        needs:
+            - linux
+            # We queue this after the other deploy stage as we want to abort if that fails
+            - deploy
+        name: Run reprepro
+        if: github.event != 'workflow_dispatch' || (inputs.deploy && inputs.linux)
+        uses: ./.github/workflows/reprepro.yaml
+        secrets: inherit
+        with:
+            artifact-name: linux-sqlcipher-system

.github/workflows/build_linux.yaml

@@ -3,17 +3,6 @@
 # the correct cache scoping, and additional care must be taken to not run untrusted actions on the develop branch.
 on:
     workflow_call:
-        secrets:
-            GPG_PRIVATE_KEY:
-                required: false
-            GPG_PASSPHRASE:
-                required: false
-            CF_R2_ACCESS_KEY_ID:
-                required: false
-            CF_R2_TOKEN:
-                required: false
-            CF_R2_S3_API:
-                required: false
         inputs:
             version:
                 type: string
@@ -23,14 +12,9 @@ on:
                 type: string
                 required: true
                 description: "How to link sqlcipher, one of 'system' | 'static'"
-            deploy-mode:
-                type: string
-                required: false
-                description: "Whether to arrange artifacts in the arrangement needed for deployment, skipping unrelated ones, this uses reprepro and requires 'packages.element.io' environment"
 jobs:
     build:
         runs-on: ubuntu-latest
-        environment: ${{ inputs.deploy-mode && 'packages.element.io' || '' }}
         steps:
             - uses: actions/checkout@v3
 
@@ -88,41 +72,9 @@ jobs:
                   scripts/generate-builder-config.ts ${{ steps.nightly.outputs.config-args }} --deb-custom-control=debcontrol
                   yarn build --publish never -l --config electron-builder.json
 
-            - name: Load GPG key
-              if: inputs.deploy-mode
-              uses: crazy-max/ghaction-import-gpg@111c56156bcc6918c056dbef52164cfa583dc549 # v5
-              with:
-                  gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
-                  passphrase: ${{ secrets.GPG_PASSPHRASE }}
-                  fingerprint: 75741890063E5E9A46135D01C2850B265AC085BD
-
-            - name: Prepare artifacts for deployment (reprepro)
-              if: inputs.deploy-mode
-              run: |
-                  # Clear out the template packages.element.io directory, it has a dedicated deploy workflow
-                  rm -R packages.element.io/*
-
-                  # Install reprepro
-                  sudo apt-get install -y reprepro
-
-                  # Fetch reprepro database
-                  aws s3 cp --recursive s3://$R2_BUCKET debian/db/ --endpoint-url $R2_URL --region auto
-
-                  grep Codename debian/conf/distributions | sed -n 's/Codename: //p' | while read -r target ; do
-                      reprepro -b debian includedeb "$target" ./dist/*.deb
-                  done
-
-                  # Store reprepro database
-                  aws s3 cp --recursive debian/db/ s3://$R2_BUCKET --endpoint-url $R2_URL --region auto
-              env:
-                  R2_BUCKET: packages-element-io-db
-                  AWS_ACCESS_KEY_ID: ${{ secrets.CF_R2_ACCESS_KEY_ID }}
-                  AWS_SECRET_ACCESS_KEY: ${{ secrets.CF_R2_TOKEN }}
-                  R2_URL: ${{ secrets.CF_R2_S3_API }}
-
             - name: Upload Artifacts
               uses: actions/upload-artifact@v3
               with:
-                  name: ${{ inputs.deploy-mode && 'packages.element.io' || format('linux-sqlcipher-{0}', inputs.sqlcipher) }}
-                  path: ${{ inputs.deploy-mode && 'packages.element.io' || 'dist' }}
+                  name: linux-sqlcipher-${{ inputs.sqlcipher }}
+                  path: dist
                   retention-days: 1

.github/workflows/reprepro.yaml

@@ -0,0 +1,73 @@
+on:
+    workflow_call:
+        inputs:
+            artifact-name:
+                type: string
+                required: true
+                description: "The name of the artifact containing the debs to include"
+        secrets:
+            GPG_PRIVATE_KEY:
+                required: false
+            GPG_PASSPHRASE:
+                required: false
+            CF_R2_ACCESS_KEY_ID:
+                required: false
+            CF_R2_TOKEN:
+                required: false
+            CF_R2_S3_API:
+                required: false
+# Protect reprepro database using concurrency
+concurrency: reprepro
+jobs:
+    reprepro:
+        name: Deploy debian package
+        environment: packages.element.io
+        runs-on: ubuntu-latest
+        env:
+            # XXX: UPDATE THIS BEFORE WHEN GOING LIVE
+            R2_BUCKET: "packages-element-io-test"
+            R2_DB_BUCKET: packages-element-io-db
+            R2_URL: ${{ secrets.CF_R2_S3_API }}
+        steps:
+            - uses: actions/checkout@v3
+
+            - name: Download artifacts
+              uses: actions/download-artifact@v3
+              with:
+                  name: ${{ inputs.artifact-name }}
+                  path: dist
+
+            - name: Load GPG key
+              uses: crazy-max/ghaction-import-gpg@111c56156bcc6918c056dbef52164cfa583dc549 # v5
+              with:
+                  gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
+                  passphrase: ${{ secrets.GPG_PASSPHRASE }}
+                  fingerprint: 75741890063E5E9A46135D01C2850B265AC085BD
+
+            - name: Install reprepro
+              run: sudo apt-get install -y reprepro
+
+            - name: Fetch database
+              run: aws s3 cp --recursive s3://$R2_DB_BUCKET debian/db/ --endpoint-url $R2_URL --region auto
+              env:
+                  AWS_ACCESS_KEY_ID: ${{ secrets.CF_R2_ACCESS_KEY_ID }}
+                  AWS_SECRET_ACCESS_KEY: ${{ secrets.CF_R2_TOKEN }}
+
+            - name: Run reprepro
+              run: |
+                  grep Codename debian/conf/distributions | sed -n 's/Codename: //p' | while read -r target ; do
+                      reprepro -b debian includedeb "$target" ./dist/*.deb
+                  done
+
+            - name: Deploy debian repo
+              run: |
+                  aws s3 cp --recursive packages.element.io/debian/ s3://$R2_BUCKET/debian --endpoint-url $R2_URL --region auto
+              env:
+                  AWS_ACCESS_KEY_ID: ${{ secrets.CF_R2_ACCESS_KEY_ID }}
+                  AWS_SECRET_ACCESS_KEY: ${{ secrets.CF_R2_TOKEN }}
+
+            - name: Store database
+              run: aws s3 cp --recursive debian/db/ s3://$R2_DB_BUCKET --endpoint-url $R2_URL --region auto
+              env:
+                  AWS_ACCESS_KEY_ID: ${{ secrets.CF_R2_ACCESS_KEY_ID }}
+                  AWS_SECRET_ACCESS_KEY: ${{ secrets.CF_R2_TOKEN }}