Serve .deb from Releases/OSS instead of Git LFS #51
Merged
The org LFS budget is exhausted, which blocked CI and broke deploys. Move .deb distribution off LFS entirely:

- .deb are stored in the long-lived `apt-pool` GitHub Release (seeded with the current 13 packages, byte-identical / sha256-verified) and mirrored to OSS. They are no longer kept in git; each package carries a <pkg>_<ver>_<arch>.deb.release.json manifest (url + sha256 + size).
- update-index.yml: no LFS. Promote pending manifests into apt-pool, build the Pages index with Filename -> release URL, and stage an OSS tree (relative Filename, .deb included) for the existing Aliyun OSS sync.
- validate-pr.yml: split into an untrusted `pull_request` stage (download the manifest .deb, verify sha256 + dpkg checks, upload result artifact) and a privileged validate-pr-comment.yml (`workflow_run`) that posts the comment. Fixes the previous pull_request_target + checkout-PR-head pattern.
- generate-registry.py: pass through absolute Filename URLs.
- .gitattributes/.gitignore: drop LFS, ignore *.deb.

Distribution: global apt -> Releases CDN, China apt -> OSS. git stays tiny.

Co-authored-by: Cursor <cursoragent@cursor.com>
Contributor
❌ Package Validation Failed

Unknown validation failure

If you believe this is an error, contact a maintainer.
Make the in-git manifests the source of truth: only .deb referenced by a <pkg>_<ver>_<arch>.deb.release.json manifest is downloaded and indexed, so removing a manifest (czdev unpublish) actually drops the package on the next build even though the asset remains in the apt-pool release.

Co-authored-by: Cursor <cursoragent@cursor.com>
Contributor
❌ Package Validation Failed

Unknown validation failure

If you believe this is an error, contact a maintainer.
- OSS staging regenerated Packages with relative Filename but reused the Pages-build Release, so apt rejected Packages.gz on a size/hash mismatch. Regenerate the OSS Release from the relative Packages (verified: apt-get update + apt download nc2000 now succeed against the OSS tree).
- README: the device installs via registry download.url (absolute Release URLs); apt requires co-located binaries so the apt endpoint is the OSS mirror. Pages is the registry/web-UI data source, not an apt mirror (apt does not follow absolute Filename URLs).

Co-authored-by: Cursor <cursoragent@cursor.com>
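The Release/Packages mismatch described in this commit can be caught on the staged tree before it is synced. The following is an added example, not the repository's workflow code; the tree contents, the `example.invalid` URL and the helper names `stage_tree`, `write_release` and `verify_release` are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example: catch a stale Release before syncing a staged apt tree.
# Tree contents and the example.invalid URL are constructed for illustration.

# Write Packages and Packages.gz with the given Filename value.
stage_tree() {  # $1 = repo dir, $2 = Filename
    mkdir -p "$1"
    printf 'Package: demo\nVersion: 1.0\nArchitecture: arm64\nFilename: %s\n\n' "$2" > "$1/Packages"
    gzip -n -c "$1/Packages" > "$1/Packages.gz"
}

# Record " <sha256> <size> <path>" for each index file, as apt expects.
write_release() {  # $1 = repo dir
    ( cd "$1" || exit 2
      printf 'Suite: stable\nSHA256:\n' > Release
      for f in Packages Packages.gz; do
          printf ' %s %s %s\n' "$(sha256sum < "$f" | cut -d' ' -f1)" \
              "$(wc -c < "$f" | tr -d ' ')" "$f" >> Release
      done )
}

# Succeed only if every listed file that exists matches size and hash.
verify_release() {  # $1 = repo dir
    ( cd "$1" || exit 2
      awk '/^SHA256:/{s=1; next} /^[^ ]/{s=0} s{print $1, $2, $3}' Release |
      while read -r want_hash want_size path; do
          [ -f "$path" ] || continue   # listed variants may be unpublished
          [ "$(wc -c < "$path" | tr -d ' ')" = "$want_size" ] || exit 1
          [ "$(sha256sum < "$path" | cut -d' ' -f1)" = "$want_hash" ] || exit 1
      done )
}

# Demo: rewrite the indexes but keep the old Release (the bug), then regenerate.
repo=$(mktemp -d)
stage_tree "$repo" 'https://example.invalid/apt-pool/demo_1.0_arm64.deb'
write_release "$repo"
stage_tree "$repo" 'pool/demo_1.0_arm64.deb'
verify_release "$repo" || echo "stale Release: size/hash mismatch"
write_release "$repo"
verify_release "$repo" && echo "regenerated Release: consistent"
rm -rf "$repo"
```

Running `verify_release` as the last step of staging turns the apt-side rejection into a build failure.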
Contributor
❌ Package Validation Failed

Unknown validation failure

If you believe this is an error, contact a maintainer.
- Skip third-party submission validation for same-repo (maintainer/infra) PRs such as the migration that seeds many authors' packages at once; only fork PRs are untrusted submissions.
- The .desktop check piped dpkg-deb into 'grep -q', which closes the pipe on first match; under pipefail dpkg-deb's SIGPIPE made the check falsely report a missing .desktop. Read the contents to a file first.

Co-authored-by: Cursor <cursoragent@cursor.com>
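The `grep -q` false negative described in this commit, reproduced as an added example that is not the repository's workflow code; `list_contents` is a constructed stand-in for the dpkg-deb listing, and the function names are hypothetical.

```bash
#!/usr/bin/env bash
# Added example: why `producer | grep -q` misreports under pipefail.
# list_contents is a constructed stand-in for the dpkg-deb listing.

list_contents() {
    printf '%s\n' '-rw-r--r-- root/root 120 2024-01-01 00:00 ./usr/share/applications/demo.desktop'
    seq 1 300000   # long tail: the writer is still busy when grep exits
}

# Fragile: grep -q exits at the first match and closes the pipe; the writer
# then fails on the closed pipe (SIGPIPE, status 141 by default) and
# pipefail reports the whole pipeline as failed.
has_desktop_piped() (
    set -o pipefail
    list_contents | grep -q '\.desktop$'
)

# Robust: let the listing finish into a file, then search the file.
has_desktop_via_file() {
    tmp=$(mktemp) || return 2
    list_contents > "$tmp"
    grep -q '\.desktop$' "$tmp"; rc=$?
    rm -f "$tmp"
    return "$rc"
}

has_desktop_piped    && echo "piped: found" || echo "piped: falsely reported missing"
has_desktop_via_file && echo "file:  found" || echo "file:  missing"
```

The same false negative affects any validation step that pairs an early-exiting reader with `set -o pipefail`, so a check that gates package acceptance should read a completed file.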
Contributor
❌ Package Validation Failed

Unknown validation failure

If you believe this is an error, contact a maintainer.
Why

The org Git LFS budget is exhausted ($0 budget → LFS hard-blocked). This broke CI checkout (`lfs: true`), Pages/OSS deploys, and new publishes. `pwnagotchi 0.1.1` never even reached Pages.

What changed

- Storage: `.deb` no longer live in git. They are stored in a long-lived `apt-pool` GitHub Release (already seeded with the current 13 packages, byte-identical / sha256-verified against the old LFS oids) and mirrored to Aliyun OSS. Each package keeps a `<pkg>_<ver>_<arch>.deb.release.json` manifest (`url` + `sha256` + `size`).
- `update-index.yml` (no LFS):
  - `apt-pool` (download from the fork release URL, verify sha256, upload).
  - `apt-pool` assets, build the Pages index with `Filename` → release URL (Pages = metadata only, never hits 1 GB).
  - `.deb` included and relative `Filename`, fed to the existing `oss/sync-apt-repo.sh` (China serves binaries from OSS; CN registry/region filtering preserved).
- `validate-pr.yml` split into the secure two-stage pattern:
  - `pull_request` stage (read-only, no secrets): downloads the manifest `.deb`, verifies sha256 + `dpkg-deb` checks + maintainer/version/ownership, uploads a result artifact;
  - `validate-pr-comment.yml` (`workflow_run`) posts the comment. Removes the prior `pull_request_target` + checkout-PR-head footgun.
- `generate-registry.py`: pass absolute `Filename` URLs through unchanged.
- `.gitattributes`/`.gitignore`: drop LFS, ignore `*.deb`.

Distribution

- `https://cardputerzero.github.io/packages` (`.deb` from Releases CDN).
- `https://cardputer-zero-repo.oss-cn-shenzhen.aliyuncs.com/packages` (`.deb` from OSS).

Coupled change (separate PR)

`m5stack/CardputerZero-AppBuilder` `czdev publish` must upload the `.deb` to a fork release and emit the manifest instead of pushing via LFS. PR linked separately. Merge together.

Test plan

- `update-index` (`workflow_dispatch`) on this branch; confirm Pages `Packages` has release-URL `Filename` and `apt update` + `apt install nc2000` works.
- `sync_oss=true`) and confirm OSS serves `.deb` + CN `registry.json`.

Made with Cursor