From 35806f98536b47defafdf6d438803bce36a7df35 Mon Sep 17 00:00:00 2001
From: Miguel Jacq <mig@mig5.net>
Date: Tue, 9 Dec 2025 15:55:45 +1100
Subject: [PATCH] CI

---
 .forgejo/workflows/7.4.yml |  32 ++++++++++
 .forgejo/workflows/8.2.yml |  32 ++++++++++
 .forgejo/workflows/8.4.yml |  32 ++++++++++
 actions.yml                | 122 +++++++++++++++++++++++++++++++++++++
 4 files changed, 218 insertions(+)
 create mode 100644 .forgejo/workflows/7.4.yml
 create mode 100644 .forgejo/workflows/8.2.yml
 create mode 100644 .forgejo/workflows/8.4.yml
 create mode 100644 actions.yml

diff --git a/.forgejo/workflows/7.4.yml b/.forgejo/workflows/7.4.yml
new file mode 100644
index 0000000..185637b
--- /dev/null
+++ b/.forgejo/workflows/7.4.yml
@@ -0,0 +1,32 @@
+name: CI
+
+on:
+  push:
+
+jobs:
+  build-deb:
+    runs-on: docker
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Build
+        uses: ./
+        with:
+          php-version: '7.4'
+          sqlcipher-version: '4.12.0'
+          tz: 'UTC'
+
+      - name: Notify on failure
+        if: ${{ failure() }}
+        env:
+          WEBHOOK_URL: ${{ secrets.NODERED_WEBHOOK_URL }}
+          REPOSITORY: ${{ forgejo.repository }}
+          RUN_NUMBER: ${{ forgejo.run_number }}
+          SERVER_URL: ${{ forgejo.server_url }}
+        run: |
+          curl -X POST \
+               -H "Content-Type: application/json" \
+               -d "{\"repository\":\"$REPOSITORY\",\"run_number\":\"$RUN_NUMBER\",\"status\":\"failure\",\"url\":\"$SERVER_URL/$REPOSITORY/actions/runs/$RUN_NUMBER\"}" \
+               "$WEBHOOK_URL"
diff --git a/.forgejo/workflows/8.2.yml b/.forgejo/workflows/8.2.yml
new file mode 100644
index 0000000..976b84a
--- /dev/null
+++ b/.forgejo/workflows/8.2.yml
@@ -0,0 +1,32 @@
+name: CI
+
+on:
+  push:
+
+jobs:
+  build-deb:
+    runs-on: docker
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Build
+        uses: ./
+        with:
+          php-version: '8.2'
+          sqlcipher-version: '4.12.0'
+          tz: 'UTC'
+
+      - name: Notify on failure
+        if: ${{ failure() }}
+        env:
+          WEBHOOK_URL: ${{ secrets.NODERED_WEBHOOK_URL }}
+          REPOSITORY: ${{ forgejo.repository }}
+          RUN_NUMBER: ${{ forgejo.run_number }}
+          SERVER_URL: ${{ forgejo.server_url }}
+        run: |
+          curl -X POST \
+               -H "Content-Type: application/json" \
+               -d "{\"repository\":\"$REPOSITORY\",\"run_number\":\"$RUN_NUMBER\",\"status\":\"failure\",\"url\":\"$SERVER_URL/$REPOSITORY/actions/runs/$RUN_NUMBER\"}" \
+               "$WEBHOOK_URL"
diff --git a/.forgejo/workflows/8.4.yml b/.forgejo/workflows/8.4.yml
new file mode 100644
index 0000000..d6fda1c
--- /dev/null
+++ b/.forgejo/workflows/8.4.yml
@@ -0,0 +1,32 @@
+name: CI
+
+on:
+  push:
+
+jobs:
+  build-deb:
+    runs-on: docker
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Build
+        uses: ./
+        with:
+          php-version: '8.4'
+          sqlcipher-version: '4.12.0'
+          tz: 'UTC'
+
+      - name: Notify on failure
+        if: ${{ failure() }}
+        env:
+          WEBHOOK_URL: ${{ secrets.NODERED_WEBHOOK_URL }}
+          REPOSITORY: ${{ forgejo.repository }}
+          RUN_NUMBER: ${{ forgejo.run_number }}
+          SERVER_URL: ${{ forgejo.server_url }}
+        run: |
+          curl -X POST \
+               -H "Content-Type: application/json" \
+               -d "{\"repository\":\"$REPOSITORY\",\"run_number\":\"$RUN_NUMBER\",\"status\":\"failure\",\"url\":\"$SERVER_URL/$REPOSITORY/actions/runs/$RUN_NUMBER\"}" \
+               "$WEBHOOK_URL"
diff --git a/actions.yml b/actions.yml
new file mode 100644
index 0000000..d3252da
--- /dev/null
+++ b/actions.yml
@@ -0,0 +1,122 @@
+name: Build php-pdo-sqlcipher Debian package
+description: Build and test php-pdo-sqlcipher .deb using dpkg-buildpackage + autopkgtest on Debian
+
+inputs:
+  php-version:
+    description: PHP version to build against (e.g. 8.2)
+    default: '8.2'
+  sqlcipher-version:
+    description: SQLCipher tag (without the leading v)
+    default: '4.12.0'
+  tz:
+    description: Timezone
+    default: 'UTC'
+
+runs:
+  using: composite
+  steps:
+    - name: Set up APT and build dependencies
+      shell: bash
+      env:
+        DEBIAN_FRONTEND: noninteractive
+        TZ: ${{ inputs.tz }}
+      run: |
+        set -euo pipefail
+
+        apt-get update
+        apt-get install -y --no-install-recommends \
+          apt-transport-https apt-utils autoconf autopkgtest build-essential \
+          ca-certificates curl dpkg-dev devscripts debhelper dh-php pkg-php-tools \
+          git gnupg pkg-config \
+          libicu-dev libreadline-dev libssl-dev libsqlite3-dev libtool \
+          lintian lsb-release tcl-dev
+
+    - name: Configure PHP APT sources
+      shell: bash
+      env:
+        TZ: ${{ inputs.tz }}
+      run: |
+        set -euo pipefail
+        # scripts/ lives in the repo; when used as a local action, this path is correct
+        ./scripts/setup-php-sources.sh
+
+    - name: Install PHP build-deps
+      shell: bash
+      env:
+        DEBIAN_FRONTEND: noninteractive
+        PHP_VER: ${{ inputs.php-version }}
+      run: |
+        set -euo pipefail
+        apt-get update
+        apt-get build-dep -y "php${PHP_VER}"
+
+    - name: Ensure PHP CLI with docs for autopkgtest
+      shell: bash
+      env:
+        DEBIAN_FRONTEND: noninteractive
+        PHP_VER: ${{ inputs.php-version }}
+      run: |
+        set -euo pipefail
+
+        # Make sure docs are not excluded, autopkgtest needs examples
+        rm -f /etc/dpkg/dpkg.cfg.d/docker /etc/dpkg/dpkg.cfg.d/excludes || true
+        printf 'path-include=/usr/share/doc/*\n' > /etc/dpkg/dpkg.cfg.d/01-include-docs
+
+        apt-get update
+        apt-get install -y --no-install-recommends "php${PHP_VER}-cli"
+
+    - name: Fetch upstream sources (sqlcipher, pdo_sqlcipher, PHP)
+      shell: bash
+      env:
+        PHP_VER: ${{ inputs.php-version }}
+        SQLCIPHER_VERSION: ${{ inputs.sqlcipher-version }}
+      run: |
+        set -euo pipefail
+        cd "$GITHUB_WORKSPACE"
+
+        # match Dockerfile layout in /work/src
+        git clone --branch "v${SQLCIPHER_VERSION}" --depth 1 \
+          https://github.com/sqlcipher/sqlcipher.git build-sqlcipher
+
+        git clone --branch main --depth 1 \
+          https://git.mig5.net/mig5/pdo_sqlcipher.git
+
+        mkdir -p php-src
+        cd php-src
+        apt-get -y source "php${PHP_VER}"
+
+    - name: Render Debian files and build package
+      shell: bash
+      env:
+        PHP_VER: ${{ inputs.php-version }}
+        SQLCIPHER_VERSION: ${{ inputs.sqlcipher-version }}
+      run: |
+        set -euo pipefail
+        cd "$GITHUB_WORKSPACE"
+
+        umask 022
+        ./scripts/render-debian-files.sh
+
+        dpkg-buildpackage -us -uc -b -rfakeroot
+
+        . /etc/os-release
+        lintian -i -E --pedantic --profile "${ID}" --fail-on error ../*.changes
+
+    - name: Run autopkgtest on built package
+      shell: bash
+      run: |
+        set -euo pipefail
+        cd "$GITHUB_WORKSPACE"
+
+        pkg=$(ls -1 ../*.deb | grep -v dbgsym | head -n1)
+        echo "Testing package: $pkg"
+        autopkgtest "$pkg" -- null
+
+    - name: Collect artifacts
+      shell: bash
+      run: |
+        set -euo pipefail
+        cd "$GITHUB_WORKSPACE"
+
+        mkdir -p dist
+        cp -a ../*.deb ../*.buildinfo ../*.changes dist/ || true