Merge remote-tracking branch 'termux/master'

Author: lfdevs

.github/actions/zram/action.yml

@@ -73,7 +73,11 @@ runs:
         sudo cp scripts/zram.ko.zst ${{ steps.kernel-info.outputs.modules_dir }}/kernel/
         sudo depmod
         sudo modprobe zram
-        sudo zramctl ${{ inputs.device_name }} --algorithm ${{ inputs.algorithm }} --size ${{ inputs.size }}
+        set +e
+        sudo swapoff ${{ inputs.device_name }} || true
+        sudo zramctl --reset ${{ inputs.device_name }} || true
+        set -e
+        sudo zramctl --find --algorithm ${{ inputs.algorithm }} --size ${{ inputs.size }}
         sudo mkswap -U clear ${{ inputs.device_name }}
         sudo swapon --discard --priority ${{ inputs.priority }} ${{ inputs.device_name }}
 

.github/workflows/docker_image.yml

@@ -33,29 +33,52 @@ jobs:
     steps:
     - name: Clone repository
       uses: actions/checkout@v6
+
+    # Skip building the Docker image on scheduled runs if the last successful
+    # image build (the one tagged "latest") is less than IMAGE_MIN_INTERVAL_DAYS old.
+    - name: Optionally skip building image
+      if: github.event_name == 'schedule'
+      id: skip-build
+      env:
+        IMAGE_MIN_INTERVAL_DAYS: 30
+      run: |
+        LAST_TIMESTAMP=$(curl -H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}" \
+         -H "Accept: application/vnd.github+json" \
+         "https://api.github.com/users/termux/packages/container/package-builder/versions" |
+          jq --raw-output 'map(select(.metadata.container.tags | contains(["latest"])))[0].created_at')
+        LAST_UNIX_TIME=$(date -d "$LAST_TIMESTAMP" +%s)
+        CURRENT_UNIX_TIME=$(date +%s)
+        if (( "$CURRENT_UNIX_TIME" - "$LAST_UNIX_TIME" < $IMAGE_MIN_INTERVAL_DAYS*24*60*60 )); then
+          echo "Skipping building Docker image: last successful build was done on $LAST_TIMESTAMP (< $IMAGE_MIN_INTERVAL_DAYS days)"
+          echo "skip-build=true" >> "$GITHUB_OUTPUT"
+        fi
+
     - name: Build
+      if: ${{ steps.skip-build.outputs.skip-build != 'true' }}
       run: |
         docker build --tag termux/package-builder:latest scripts/
         docker tag termux/package-builder:latest ghcr.io/termux/package-builder:latest
     - name: Build (CGCT)
+      if: ${{ steps.skip-build.outputs.skip-build != 'true' }}
       run: |
         docker build --tag termux/package-builder-cgct:latest --file scripts/Dockerfile.cgct scripts/
         docker tag termux/package-builder-cgct:latest ghcr.io/termux/package-builder-cgct:latest
     - name: Login to GHCR
-      if: github.ref == 'refs/heads/master' && github.event_name != 'pull_request' && github.repository == 'termux/termux-packages'
+      if: github.ref == 'refs/heads/master' && github.event_name != 'pull_request' && github.repository == 'termux/termux-packages' && steps.skip-build.outputs.skip-build != 'true'
+
       uses: docker/login-action@v3
       with:
         registry: ghcr.io
         username: ${{ github.actor }}
         password: ${{ secrets.GITHUB_TOKEN }}
     - name: Login to Docker Hub
-      if: github.ref == 'refs/heads/master' && github.event_name != 'pull_request' && github.repository == 'termux/termux-packages'
+      if: github.ref == 'refs/heads/master' && github.event_name != 'pull_request' && github.repository == 'termux/termux-packages' && steps.skip-build.outputs.skip-build != 'true'
       uses: docker/login-action@v3
       with:
         username: grimler
         password: ${{ secrets.DOCKER_TOKEN }}
     - name: Push
-      if: github.ref == 'refs/heads/master' && github.event_name != 'pull_request' && github.repository == 'termux/termux-packages'
+      if: github.ref == 'refs/heads/master' && github.event_name != 'pull_request' && github.repository == 'termux/termux-packages' && steps.skip-build.outputs.skip-build != 'true'
       run: |
         # ghcr.io seem to be unstable sometimes. It may suddenly drop connection
         # during docker push when some layers are already uploaded. The workaround

.github/workflows/golang_validation.yml

@@ -43,21 +43,18 @@ jobs:
       uses: actions/checkout@v6
       with:
         fetch-depth: 1
-    - name: Set process id limit for 32-bit builds depending on aosp-libs
-      run: echo 65535 | sudo tee /proc/sys/kernel/pid_max
     - name: Enable zram
-      if: ${{ steps.build-info.outputs.skip-building != 'true' }}
       uses: ./.github/actions/zram
       with:
         algorithm: zstd
         size: 16G
         priority: 100
         device_name: /dev/zram0
-    - name: Prepare environment
+    - name: Load Docker image
+      run: |
+        ./scripts/run-docker.sh true
+    - name: Free additional disk space
       run: |
-        ./scripts/setup-ubuntu.sh
-        ./scripts/setup-android-sdk.sh
-        sudo apt install ninja-build
         ./scripts/free-space.sh
     - name: Golang validation
       run: ./scripts/bin/validation ${{ matrix.target_arch }} golang ${{ matrix.batch }} || exit 1

.github/workflows/package_updates.yml

@@ -104,22 +104,29 @@ jobs:
         with:
           fetch-depth: 0
           token: ${{ secrets.TERMUXBOT2_TOKEN }}
-      - name: Set process id limit for 32-bit builds depending on aosp-libs
-        run: echo 65535 | sudo tee /proc/sys/kernel/pid_max
       - name: Enable zram
         uses: ./.github/actions/zram
         with:
           algorithm: zstd
           size: 16G
           priority: 100
           device_name: /dev/zram0
+      - name: Load Docker image
+        run: |
+          ./scripts/run-docker.sh true
       - name: Free additional disk space
-        run: CLEAN_DOCKER_IMAGES=false ./scripts/free-space.sh
+        run: ./scripts/free-space.sh
+      - name: Install needed dependencies for package updates
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y --no-install-recommends \
+            curl \
+            python3 \
+            jq
       - name: Process package updates
         env:
           GITHUB_TOKEN: ${{ secrets.TERMUXBOT2_TOKEN }}
           BUILD_PACKAGES: "true"
-          TERMUX_DOCKER__CONTAINER_EXEC_COMMAND__PRE_CHECK_IF_WILL_BUILD_PACKAGES: "true"
           CREATE_ISSUE: "true"
           GIT_COMMIT_PACKAGES: "true"
           GIT_PUSH_PACKAGES: "true"

.github/workflows/packages.yml

@@ -19,6 +19,10 @@ on:
       packages:
         description: "A space-separated names of packages selected for rebuilding"
         required: true
+      free-space:
+        description: "Free space even if not building large package (useful when building a large number of packages)"
+        type: boolean
+        default: false
 
 permissions: {} # none
 
@@ -42,8 +46,6 @@ jobs:
       uses: actions/checkout@v6
       with:
         fetch-depth: 1000
-    - name: Set process id limit for 32-bit builds depending on aosp-libs
-      run: echo 65535 | sudo tee /proc/sys/kernel/pid_max
 
     - name: Gather build summary
       id: build-info
@@ -97,7 +99,6 @@ jobs:
           # Forces CI to cancel current build with status 'passed'
           if grep -qiP '^\s*%ci:no-build\s*$' <(git log --format="%B" -n 1 --no-merges "HEAD"); then
             tar cf artifacts/debs-${{ matrix.target_arch }}.tar debs
-            echo "docker-build=true" >> $GITHUB_OUTPUT
             echo "[!] Force exiting as tag '%ci:no-build' was applied to HEAD commit message."
             exit 0
           fi
@@ -185,31 +186,33 @@ jobs:
 
         echo "packages: ${packages[*]}"
 
-        docker='true'
+        free_space='false'
+        if [ "${{ github.event_name }}" == "workflow_dispatch" ]; then
+          free_space=${{ github.event.inputs.free-space }}
+        else
+          if grep -qiP '^\s*%ci:free-disk\s*$' <(git log --format="%B" -n 1 --no-merges "HEAD"); then
+            free_space=true
+          fi
+        fi
         if [[ "${#packages[@]}" -gt 0 ]]; then
           for pkg in "${packages[@]}"; do
             if grep -qFx "$pkg" ./scripts/big-pkgs.list; then
-              docker='false'
+              free_space='true'
               break
             fi
           done
         fi
+        echo "free-space=$free_space" >> $GITHUB_OUTPUT
 
-        echo "docker-build=$docker" >> $GITHUB_OUTPUT
+        needs_docker_build=false
         if [ "${{ github.event_name }}" != "workflow_dispatch" ]; then
           # Build local Docker image if setup scripts were changed.
           # Useful for pull requests submitting changes for both build environment and packages.
           if grep -qP '^scripts/(Dockerfile|properties\.sh|setup-android-sdk\.sh|setup-ubuntu\.sh)$' <<< "$CHANGED_FILES"; then
-            echo "Detected changes for environment setup scripts. Building custom Docker image now."
-            if [ $docker == 'false' ]; then
-              echo "Skipping due to building large packages."
-              exit 0
-            fi
-            cd ./scripts
-            docker build -t ghcr.io/termux/package-builder:latest .
-            cd ..
+            needs_docker_build=true
           fi
         fi
+        echo "needs-docker-build=$needs_docker_build" >> $GITHUB_OUTPUT
 
     - name: Lint packages
       run: |
@@ -234,22 +237,24 @@ jobs:
         priority: 100
         device_name: /dev/zram0
 
+    - name: Build docker image
+      if: ${{ steps.build-info.outputs.needs-docker-build == 'true' }}
+      run: |
+        docker build -t ghcr.io/termux/package-builder:latest scripts/
+        docker buildx prune -af
+
+    - name: Load Docker image
+      if: ${{ steps.build-info.outputs.free-space == 'true' && steps.build-info.outputs.skip-building != 'true' }}
+      run: |
+        ./scripts/run-docker.sh true
+
     - name: Free additional disk space (if needed)
-      if: ${{ steps.build-info.outputs.docker-build == 'false' && steps.build-info.outputs.skip-building != 'true' }}
+      if: ${{ steps.build-info.outputs.free-space == 'true' && steps.build-info.outputs.skip-building != 'true' }}
       run: |
-        ./scripts/setup-ubuntu.sh
-        # need to unset these for setup-android-sdk.sh.
-        unset NDK ANDROID_HOME
-        ./scripts/setup-android-sdk.sh
-        rm -f ${HOME}/lib/ndk-*.zip ${HOME}/lib/sdk-*.zip
-        sudo apt install ninja-build
         ./scripts/free-space.sh
 
     - name: Build packages
       if: ${{ steps.build-info.outputs.skip-building != 'true' }}
-      env:
-        DOCKER_BUILD: ${{ steps.build-info.outputs.docker-build }}
-        TERMUX_DOCKER__CONTAINER_EXEC_COMMAND__PRE_CHECK_IF_WILL_BUILD_PACKAGES: "true"
       run: |
         declare -a packages=()
         for repo_path in $(jq --raw-output 'del(.pkg_format) | keys | .[]' repo.json); do
@@ -262,16 +267,7 @@ jobs:
         echo "packages: ${packages[*]}"
 
         if [[ "${#packages[@]}" -gt 0 ]]; then
-          if [ "$DOCKER_BUILD" == 'false' ]; then
-            # these need to be unset a second time again for ./build-package.sh
-            # when it is run outside of Docker, because GitHub Actions does not
-            # support permanently unsetting variables at time of writing.
-            # https://github.com/actions/runner/issues/1126
-            unset NDK ANDROID_HOME
-            ./build-package.sh -I -C -a "${{ matrix.target_arch }}" "${packages[@]}"
-          else
-            ./scripts/run-docker.sh ./build-package.sh -I -C -a "${{ matrix.target_arch }}" "${packages[@]}"
-          fi
+          ./scripts/run-docker.sh -d ./build-package.sh -I -C -a "${{ matrix.target_arch }}" "${packages[@]}"
         fi
 
     - name: Generate build artifacts
@@ -316,6 +312,10 @@ jobs:
       with:
         name: debs-${{ matrix.target_arch }}-${{ github.sha }}
         path: ./artifacts
+    - name: AppArmor Logs
+      if: always()
+      run: |
+        sudo dmesg | grep apparmor
 
   test-buildorder-random:
     permissions:

.github/workflows/zig_validation.yml

@@ -43,20 +43,18 @@ jobs:
       uses: actions/checkout@v6
       with:
         fetch-depth: 1
-    - name: Set process id limit for 32-bit builds depending on aosp-libs
-      run: echo 65535 | sudo tee /proc/sys/kernel/pid_max
     - name: Enable zram
-      if: ${{ steps.build-info.outputs.skip-building != 'true' }}
       uses: ./.github/actions/zram
       with:
         algorithm: zstd
         size: 16G
         priority: 100
         device_name: /dev/zram0
-    - name: Prepare environment
+    - name: Load Docker image
+      run: |
+        ./scripts/run-docker.sh true
+    - name: Free additional disk space
       run: |
-        ./scripts/setup-ubuntu.sh
-        ./scripts/setup-android-sdk.sh
         ./scripts/free-space.sh
     - name: Zig validation
       run: ./scripts/bin/validation ${{ matrix.target_arch }} zig ${{ matrix.batch }} || exit 1

.gitignore

@@ -6,9 +6,6 @@ Session.vim
 .netrwhist
 *~
 
-# Vagrant
-scripts/.vagrant/
-
 # Logs
 scripts/*.log
 /*.log

CODEOWNERS

@@ -15,6 +15,10 @@
 /scripts/ @Grimler91 @thunder-coding
 /repo.json @Grimler91 @thunder-coding
 
+# Docker security profiles
+/scripts/profile.json @thunder-coding @licy183
+/scripts/*.apparmor @thunder-coding
+
 # Build script linter
 /scripts/lint-packages.sh @TomJo2000
 
@@ -28,6 +32,10 @@
 # Nodejs setup script
 /scripts/build/setup/termux_setup_nodejs.sh @thunder-coding
 
+# Python setup scripts
+/scripts/build/setup/termux_setup_python_pip.sh @thunder-coding
+/scripts/build/setup/termux_setup_build_python.sh @thunder-coding
+
 # Packages owned by @finagolfin
 /packages/libdispatch/ @finagolfin
 /packages/libllvm/ @finagolfin
@@ -84,6 +92,7 @@
 /packages/nodejs/ @thunder-coding
 /packages/nodejs-lts/ @thunder-coding
 /packages/npm/ @thunder-coding
+/packages/python/ @thunder-coding
 /packages/silicon/ @thunder-coding
 /packages/slides/ @thunder-coding
 

build-package.sh

@@ -149,6 +149,10 @@ source "$TERMUX_SCRIPTDIR/scripts/build/setup/termux_setup_ldc.sh"
 # shellcheck source=scripts/build/setup/termux_setup_no_integrated_as.sh
 source "$TERMUX_SCRIPTDIR/scripts/build/setup/termux_setup_no_integrated_as.sh"
 
+# Utility function for setting up build-python for cross-compilation of Python and crossenv
+# shellcheck source=scripts/build/setup/termux_setup_build_python.sh
+source "$TERMUX_SCRIPTDIR/scripts/build/setup/termux_setup_build_python.sh"
+
 # Utility function for python packages to setup a python.
 # shellcheck source=scripts/build/setup/termux_setup_python_pip.sh
 source "$TERMUX_SCRIPTDIR/scripts/build/setup/termux_setup_python_pip.sh"
@@ -656,7 +660,7 @@ for (( i=0; i < ${#PACKAGE_LIST[@]}; i++ )); do
 		if [[ "$TERMUX_BUILD_IGNORE_LOCK" != "true" ]]; then
 			flock -n 5 || termux_error_exit "Another build is already running within same environment."
 		fi
-
+		(
 		# Handle 'all' arch:
 		if [[ "$TERMUX_ON_DEVICE_BUILD" == "false" && -n "${TERMUX_ARCH+x}" && "${TERMUX_ARCH}" == 'all' ]]; then
 			_SELF_ARGS=()
@@ -787,6 +791,7 @@ for (( i=0; i < ${#PACKAGE_LIST[@]}; i++ )); do
 		fi
 		termux_add_package_to_built_packages_list "$TERMUX_PKG_NAME"
 		termux_step_finish_build
+		) 5>&-
 	) 5< "$TERMUX_BUILD_LOCK_FILE"
 done
 

clean.sh

@@ -93,5 +93,16 @@ fi
 		rm -Rf "/data/data/.built-packages"
 	fi
 
-	rm -Rf "$TERMUX_TOPDIR"
+	# unmount overlayfs before we remove the parent directory
+	[ -d "$TERMUX_TOPDIR" ] && for dir in $(find "$TERMUX_TOPDIR" -type d); do
+		if mountpoint -q "$dir"; then
+			umount "$dir"
+		fi
+	done
+
+	# We can't use rm -Rf "$TERMUX_TOPDIR" in case the "$TERMUX_TOPDIR" is mounted as a Docker volume
+	if [ -d "$TERMUX_TOPDIR" ]; then
+		find "$TERMUX_TOPDIR" -type f,l,b,c -delete
+		find "$TERMUX_TOPDIR" -type d ! -path "$TERMUX_TOPDIR" -delete
+	fi
 } 5< "$TERMUX_BUILD_LOCK_FILE"