build-linux | short tutorial about building Linux based operating systems | Learning library

This line is totally incorrect:

SET(EXE_SUFFIX, ".exe")

You have set the variable EXE_SUFFIX,, not EXE_SUFFIX. When you later expand ${EXE_SUFFIX}, it comes back empty, so that entire if (WIN32) block is a no-op from the perspective of the rest of the program.

Your CI script contains the line:

Finally managed to get this working having read and better understood this discussion; https://github.com/vitejs/vite/issues/2671#issuecomment-829535806.

I'm on MacOS but the container is running Linux and the architecture is mismatched when it attempts to use the version of esbuild from my mounted volume. So, I need to rebuild esbuild inside the container. I tried to use the entrypoint script as that thread suggests but that didn't work for me.

What did work was to change the command in my docker-compose.yml to command: sh -c "npm rebuild esbuild && yarn dev".

It's now hot reloading like a dream.

It is not possible to re-use the same user in multiple stages of the docker build without re-creating the user (same UID and GID at least) in each stage as each FROM is starting from a clean slate FROM image in which a user UID=42000 and GID=42000 is unlikely to already exist.

I am not aware of any recommendation against building as the root user inside a container. It is recommended to run services as unprivileged users however certain containers processes must be run as the root user (i.e. sshd):

The best way to prevent privilege-escalation attacks from within a container is to configure your container’s applications to run as unprivileged users. For containers whose processes must run as the root user within the container, you can re-map this user to a less-privileged user on the Docker host. The mapped user is assigned a range of UIDs which function within the namespace as normal UIDs from 0 to 65536, but have no privileges on the host machine itself.

Tip: The Haskell Dockerfile Linter will complain if the last user is root which you can configure as a git pre-commit hook to catch things like that before committing teh codez.

In /home//mailcore2/build/src/include/MailCore/MCICUTypes.h

replace:

that call (std::map::find()) was added in C++14 (see docs). I see you pass in -std=c++14 on the command line as well. Are you sure your GCC supports C++14? It seems a bit old for that.

The current stable branch of libtorrent only requires C++11 support, if that is the branch you're building, there may be something wrong with the compiler support detection here. If you are building from libtorrent master, it requires proper C++14 support. So in that case you may want to use the stable release.

As you've implied, you can't limit the scope of a personal access token to different scopes for different repos. Theres a few ways of doing this.

Intermediate, public storage

The first is to upload the artifacts to an intermediate place, accessible from anywhere, e.g. Dropbox, Docker Hub, etc. Then you can manually trigger a github action in your public repo to pull this artifact back down and create a release from it. To manually trigger this action you could use the repository_dispatch event either using cURL / postman locally (with an access token auth bearer) or using something like https://www.actionspanel.app/ which is a github app which allows you to manually trigger github actions using repository_dispatch, with parameters so your download link would be a parameter.

Personal access token

The simplest option is still a personal access token though. Your workflow above has repo_token: XXXXXXXXX which makes me wonder if you know about github secrets? Ideally this token would be stored in a secret then accessed using ${{ secrets.BRANDONS_TOKEN }}. I would ask why you are worried about a personal access token. If you use github secrets and are careful about the 3rd party code you pass the token to (you may not want to simply pass your token to @master, for example), it should be fine.

GitHub Apps & Webhooks

GitHub apps or webhooks would be another way, you can authenticate those on a per-person basis and per-repo basis but you'd need an application running online to receive and parse the messages and its quite a big piece of work.

(Probably not) GitHub Deploy Keys

Another thing to be aware of is Github Deploy Keys, you can use these to obtain read/write access to a single repository without an account attached. You would then store this deploy key in a secret in the settings of the other repo. However, I'm not sure you can trigger releases with deploy keys - they are not bound to an account so I'm unsure who's username would be visible on the release history.