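# Builds SecuBox/OpenWrt firmware images for GlobalScale boards on manual
# dispatch and, when every device is built, drafts a combined release.
#
# Security notes for maintainers:
#   - Workflow inputs reach shell steps through environment variables instead
#     of being expanded with ${{ }} inside the script text, so an input value
#     is always data to the shell and never script source.
#   - GITHUB_TOKEN is read-only by default; only the `release` job is granted
#     `contents: write`.
#   - Actions are referenced by mutable tag (@v4, @v2). Pin each one to a full
#     commit SHA (for example `uses: owner/action@<FULL_COMMIT_SHA>  # v4`)
#     so a retagged upstream cannot change what runs here.
name: Build SecuBox Images (GlobalScale)

on:
  workflow_dispatch:
    inputs:
      device:
        description: 'Target device'
        required: true
        type: choice
        options:
          - espressobin-v7
          - espressobin-ultra
          - sheeva64
          - sheeva64-wifi
          - mochabin
          - all
      openwrt_version:
        description: 'OpenWrt version'
        required: true
        default: '23.05.5'
        type: choice
        options:
          - '23.05.5'
          - '23.05.4'
          - 'SNAPSHOT'
      include_secubox:
        description: 'Include SecuBox packages'
        required: true
        type: boolean
        default: true

# Least privilege: the build jobs only need to read the repository.
permissions:
  contents: read

env:
  OPENWRT_VERSION: ${{ github.event.inputs.openwrt_version }}

jobs:
  # ============================================
  # Generate build matrix based on input
  # ============================================
  setup:
    runs-on: ubuntu-latest
    outputs:
      matrix: ${{ steps.set-matrix.outputs.matrix }}
    steps:
      - name: Set build matrix
        id: set-matrix
        env:
          # Passed as an environment variable rather than interpolated into
          # the script body.
          DEVICE: ${{ github.event.inputs.device }}
        run: |
          # Define all devices in a file to avoid heredoc issues
          cat > /tmp/devices.json << 'DEVICES_EOF'
          [
            {
              "device": "espressobin-v7",
              "target": "mvebu",
              "subtarget": "cortexa53",
              "profile": "globalscale_espressobin",
              "description": "ESPRESSObin V7 (1-2GB DDR4)"
            },
            {
              "device": "espressobin-ultra",
              "target": "mvebu",
              "subtarget": "cortexa53",
              "profile": "globalscale_espressobin-ultra",
              "description": "ESPRESSObin Ultra (PoE, WiFi)"
            },
            {
              "device": "sheeva64",
              "target": "mvebu",
              "subtarget": "cortexa53",
              "profile": "globalscale_sheeva64",
              "description": "Sheeva64 (Plug computer)"
            },
            {
              "device": "sheeva64-wifi",
              "target": "mvebu",
              "subtarget": "cortexa53",
              "profile": "globalscale_sheeva64",
              "description": "Sheeva64 WiFi (802.11ac + BT)"
            },
            {
              "device": "mochabin",
              "target": "mvebu",
              "subtarget": "cortexa72",
              "profile": "globalscale_mochabin",
              "description": "MOCHAbin (Quad-core A72, 10G)"
            }
          ]
          DEVICES_EOF

          # Filter based on input. jq receives the device name via --arg, so
          # it is compared as a string and never parsed as a jq program.
          if [[ "$DEVICE" == "all" ]]; then
            MATRIX=$(jq -c '{"include": .}' /tmp/devices.json)
          else
            MATRIX=$(jq -c --arg dev "$DEVICE" '{"include": [.[] | select(.device == $dev)]}' /tmp/devices.json)
          fi

          # Use delimiter for multiline output
          echo "matrix<<EOF" >> "$GITHUB_OUTPUT"
          echo "$MATRIX" >> "$GITHUB_OUTPUT"
          echo "EOF" >> "$GITHUB_OUTPUT"

          echo "📋 Build matrix:"
          echo "$MATRIX" | jq '.'

  # ============================================
  # Build firmware images for GlobalScale devices
  # ============================================
  build-image:
    needs: setup
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      # matrix.* values come only from the static device list written by the
      # setup job, which is why they are still expanded inline below.
      matrix: ${{ fromJson(needs.setup.outputs.matrix) }}
    name: ${{ matrix.description }}
    steps:
      - name: Checkout SecuBox packages
        uses: actions/checkout@v4
        with:
          # The later steps fetch and run a large amount of third-party build
          # code; do not leave the job token in .git/config for it to read.
          persist-credentials: false

      - name: Free disk space
        run: |
          echo "🧹 Cleaning up disk space..."
          sudo rm -rf /usr/share/dotnet /usr/local/lib/android /opt/ghc
          sudo docker image prune --all --force
          df -h

      - name: Install dependencies
        run: |
          sudo apt-get update
          sudo apt-get install -y \
            build-essential clang flex bison g++ gawk \
            gcc-multilib g++-multilib gettext git libncurses5-dev \
            libssl-dev python3-setuptools python3-dev rsync \
            swig unzip zlib1g-dev file wget curl qemu-utils

      - name: Clone OpenWrt
        run: |
          # NOTE(review): the source tree is trusted on the branch/tag name
          # alone; consider checking the resulting commit against a recorded
          # known-good value before building release images.
          if [[ "$OPENWRT_VERSION" == "SNAPSHOT" ]]; then
            git clone --depth 1 https://github.com/openwrt/openwrt.git openwrt
          else
            git clone --depth 1 --branch "v${OPENWRT_VERSION}" \
              https://github.com/openwrt/openwrt.git openwrt
          fi

      - name: Update feeds
        run: |
          cd openwrt
          ./scripts/feeds update -a
          ./scripts/feeds install -a

      - name: Copy SecuBox packages
        if: ${{ github.event.inputs.include_secubox == 'true' }}
        run: |
          mkdir -p openwrt/package/secubox

          for pkg in luci-app-*/; do
            if [[ -d "$pkg" ]]; then
              echo "📦 Adding $pkg"
              cp -r "$pkg" openwrt/package/secubox/
            fi
          done

      - name: Generate SecuBox config
        run: |
          cd openwrt

          # Base configuration
          cat > .config << EOF
          # Target
          CONFIG_TARGET_${{ matrix.target }}=y
          CONFIG_TARGET_${{ matrix.target }}_${{ matrix.subtarget }}=y
          CONFIG_TARGET_${{ matrix.target }}_${{ matrix.subtarget }}_DEVICE_${{ matrix.profile }}=y

          # Image settings
          CONFIG_TARGET_ROOTFS_SQUASHFS=y
          CONFIG_TARGET_ROOTFS_EXT4FS=y
          CONFIG_TARGET_KERNEL_PARTSIZE=32
          CONFIG_TARGET_ROOTFS_PARTSIZE=512

          # Base packages
          CONFIG_PACKAGE_luci=y
          CONFIG_PACKAGE_luci-ssl=y
          CONFIG_PACKAGE_luci-app-opkg=y
          CONFIG_PACKAGE_luci-theme-openwrt-2020=y

          # Networking essentials
          CONFIG_PACKAGE_curl=y
          CONFIG_PACKAGE_wget-ssl=y
          CONFIG_PACKAGE_iptables=y
          CONFIG_PACKAGE_ip6tables=y
          CONFIG_PACKAGE_kmod-nft-core=y

          # USB support
          CONFIG_PACKAGE_kmod-usb-core=y
          CONFIG_PACKAGE_kmod-usb3=y
          CONFIG_PACKAGE_kmod-usb-storage=y

          # Filesystem
          CONFIG_PACKAGE_kmod-fs-ext4=y
          CONFIG_PACKAGE_kmod-fs-vfat=y
          CONFIG_PACKAGE_block-mount=y

          # Wireless (if applicable)
          CONFIG_PACKAGE_hostapd-common=y
          CONFIG_PACKAGE_wpad-basic-mbedtls=y

          # Monitoring tools
          CONFIG_PACKAGE_htop=y
          CONFIG_PACKAGE_iftop=y
          CONFIG_PACKAGE_tcpdump=y

          # SSH
          CONFIG_PACKAGE_openssh-sftp-server=y
          EOF

      - name: Add SecuBox packages to config
        if: ${{ github.event.inputs.include_secubox == 'true' }}
        run: |
          cd openwrt

          # CrowdSec
          cat >> .config << EOF
          CONFIG_PACKAGE_crowdsec=y
          CONFIG_PACKAGE_crowdsec-firewall-bouncer=y
          CONFIG_PACKAGE_luci-app-crowdsec-dashboard=y
          EOF

          # Netdata
          cat >> .config << EOF
          CONFIG_PACKAGE_netdata=y
          CONFIG_PACKAGE_luci-app-netdata-dashboard=y
          EOF

          # Netifyd
          cat >> .config << EOF
          CONFIG_PACKAGE_netifyd=y
          CONFIG_PACKAGE_luci-app-netifyd-dashboard=y
          EOF

          # WireGuard
          cat >> .config << EOF
          CONFIG_PACKAGE_wireguard-tools=y
          CONFIG_PACKAGE_kmod-wireguard=y
          CONFIG_PACKAGE_luci-app-wireguard-dashboard=y
          CONFIG_PACKAGE_qrencode=y
          EOF

          # SecuBox core
          cat >> .config << EOF
          CONFIG_PACKAGE_luci-app-network-modes=y
          CONFIG_PACKAGE_luci-app-client-guardian=y
          CONFIG_PACKAGE_luci-app-system-hub=y
          EOF

      - name: Add device-specific packages
        run: |
          cd openwrt

          # The first matching pattern wins, so sheeva64-wifi takes the WiFi
          # branch and only plain sheeva64 reaches the sheeva64* branch.
          case "${{ matrix.device }}" in
            mochabin)
              # 10G networking, more RAM
              cat >> .config << EOF
          CONFIG_PACKAGE_kmod-sfp=y
          CONFIG_PACKAGE_kmod-phy-marvell-10g=y
          CONFIG_PACKAGE_prometheus-node-exporter-lua=y
          EOF
              ;;
            espressobin-ultra|sheeva64-wifi)
              # WiFi support
              cat >> .config << EOF
          CONFIG_PACKAGE_kmod-mt76=y
          CONFIG_PACKAGE_kmod-mac80211=y
          EOF
              ;;
            sheeva64*)
              # Minimal for plug computer
              cat >> .config << EOF
          # Optimized for plug form factor
          CONFIG_PACKAGE_kmod-ledtrig-heartbeat=y
          EOF
              ;;
          esac

      - name: Make defconfig
        run: |
          cd openwrt
          make defconfig

      - name: Download packages
        run: |
          cd openwrt
          make download -j$(nproc) V=s || make download -j1 V=s

      - name: Build firmware
        run: |
          cd openwrt

          # Without pipefail each pipeline below reports tee's exit status, so
          # a failed make would neither trigger the retry nor fail the step,
          # and later steps would package whatever a broken build left behind.
          set -o pipefail

          echo "🔨 Building firmware for ${{ matrix.description }}..."
          echo "⏱️ This may take 1-2 hours..."

          make -j$(nproc) V=s 2>&1 | tee build.log || {
            echo "❌ Build failed, retrying with single thread..."
            make -j1 V=s 2>&1 | tee build-retry.log
          }

      - name: Prepare artifacts
        env:
          INCLUDE_SECUBOX: ${{ github.event.inputs.include_secubox }}
        run: |
          mkdir -p artifacts

          # Copy firmware images
          find openwrt/bin/targets -name "*.img.gz" -exec cp {} artifacts/ \;
          find openwrt/bin/targets -name "*.bin" -exec cp {} artifacts/ \;
          find openwrt/bin/targets -name "*sysupgrade*" -exec cp {} artifacts/ \;
          find openwrt/bin/targets -name "*factory*" -exec cp {} artifacts/ \;

          # Copy packages
          mkdir -p artifacts/packages
          find openwrt/bin/packages -name "luci-app-*secubox*.ipk" -exec cp {} artifacts/packages/ \; 2>/dev/null || true
          find openwrt/bin/packages -name "luci-app-*dashboard*.ipk" -exec cp {} artifacts/packages/ \; 2>/dev/null || true

          # Generate checksums over the regular files only. A bare
          # `sha256sum *` also hashes the still-empty SHA256SUMS itself and
          # errors on the packages/ directory, and hiding that with
          # `|| true` can ship an incomplete manifest unnoticed.
          cd artifacts
          find . -maxdepth 1 -type f ! -name SHA256SUMS -exec sha256sum {} + > SHA256SUMS

          # Create info file
          cat > BUILD_INFO.txt << EOF
          SecuBox Firmware Build
          =======================
          Device: ${{ matrix.description }}
          Profile: ${{ matrix.profile }}
          Target: ${{ matrix.target }}/${{ matrix.subtarget }}
          OpenWrt: ${OPENWRT_VERSION}
          SecuBox: ${INCLUDE_SECUBOX}
          Built: $(date -u +%Y-%m-%dT%H:%M:%SZ)
          Commit: ${{ github.sha }}
          EOF

          echo "📦 Artifacts:"
          ls -la

      - name: Upload artifacts
        uses: actions/upload-artifact@v4
        with:
          name: secubox-${{ matrix.device }}-${{ env.OPENWRT_VERSION }}
          path: artifacts/
          retention-days: 30

  # ============================================
  # Create combined release for all devices
  # ============================================
  release:
    needs: [setup, build-image]
    runs-on: ubuntu-latest
    if: github.event.inputs.device == 'all'
    # Only this job publishes, so only this job may write repository contents.
    permissions:
      contents: write
    steps:
      - name: Download all artifacts
        uses: actions/download-artifact@v4
        with:
          path: firmware
          pattern: secubox-*

      - name: Organize release
        run: |
          mkdir -p release

          for device_dir in firmware/secubox-*/; do
            # Strip the "secubox-" prefix and "-<version>" suffix to recover
            # the device name from the artifact directory.
            DEVICE=$(basename "$device_dir" | sed 's/secubox-//' | sed "s/-${OPENWRT_VERSION}//")
            echo "📦 Processing $DEVICE..."

            # Create device archive
            tar -czf "release/secubox-firmware-${DEVICE}.tar.gz" -C "$device_dir" .
          done

          # Global checksums. These detect a corrupted download only: they
          # are published next to the archives, so they do not prove origin.
          # NOTE(review): consider signing SHA256SUMS or publishing build
          # provenance if users need to verify who built the images.
          cd release
          sha256sum *.tar.gz > SHA256SUMS

          # Release notes
          cat > RELEASE_NOTES.md << 'EOF'
          # SecuBox Firmware Images

          Pre-built firmware images for GlobalScale devices with SecuBox modules pre-installed.

          ## Included Devices

          | Device | SoC | RAM | Description |
          |--------|-----|-----|-------------|
          | ESPRESSObin V7 | Armada 3720 | 1-2GB | Entry-level |
          | ESPRESSObin Ultra | Armada 3720 | 1-2GB | WiFi + PoE |
          | Sheeva64 | Armada 3720 | 1GB | Plug computer |
          | MOCHAbin | Armada 7040 | 4-8GB | Quad-core + 10G |

          ## Pre-installed SecuBox Modules

          - luci-app-crowdsec-dashboard
          - luci-app-netdata-dashboard
          - luci-app-netifyd-dashboard
          - luci-app-wireguard-dashboard
          - luci-app-network-modes
          - luci-app-client-guardian
          - luci-app-system-hub

          ## Installation

          1. Download the appropriate firmware for your device
          2. Flash using OpenWrt sysupgrade or manufacturer tools
          3. Access LuCI at http://192.168.1.1
          4. Navigate to Services → SecuBox

          ## Support

          - [Documentation](https://cybermind.fr/docs/secubox)
          - [CyberMind.fr](https://cybermind.fr)
          EOF

      - name: Create release
        if: github.ref == 'refs/heads/main'
        # Third-party action that receives a write-scoped token: pinning it
        # to a full commit SHA (<FULL_COMMIT_SHA>) matters most here.
        uses: softprops/action-gh-release@v2
        with:
          name: "SecuBox Firmware ${{ env.OPENWRT_VERSION }}"
          tag_name: "firmware-${{ env.OPENWRT_VERSION }}-${{ github.run_number }}"
          body_path: release/RELEASE_NOTES.md
          files: |
            release/*.tar.gz
            release/SHA256SUMS
          draft: true
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}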