Serve .deb from Releases/OSS instead of Git LFS #51

Merged: eggfly merged 4 commits into main from migrate-deb-to-releases on Jun 30, 2026

@eggfly eggfly commented Jun 30, 2026

Collaborator

Why

The org Git LFS budget is exhausted ($0 budget → LFS hard-blocked). This broke CI checkout (lfs: true), Pages/OSS deploys, and new publishes. pwnagotchi 0.1.1 never even reached Pages.

What changed

Storage: .deb no longer live in git. They are stored in a long-lived apt-pool GitHub Release (already seeded with the current 13 packages, byte-identical / sha256-verified against the old LFS oids) and mirrored to Aliyun OSS. Each package keeps a <pkg>_<ver>_<arch>.deb.release.json manifest (url + sha256 + size).

  • update-index.yml (no LFS):
    • Promote any pending manifests into apt-pool (download from the fork release URL, verify sha256, upload).
    • Download apt-pool assets, build the Pages index with Filename → release URL (Pages = metadata only, never hits 1 GB).
    • Stage an OSS tree with the .deb included and relative Filename, fed to the existing oss/sync-apt-repo.sh (China serves binaries from OSS; CN registry/region filtering preserved).
  • validate-pr.yml split into the secure two-stage pattern:
    • untrusted pull_request stage (read-only, no secrets): downloads the manifest .deb, verifies sha256 + dpkg-deb checks + maintainer/version/ownership, uploads a result artifact;
    • privileged validate-pr-comment.yml (workflow_run) posts the comment. Removes the prior pull_request_target + checkout-PR-head footgun.
  • generate-registry.py: pass absolute Filename URLs through unchanged.
  • .gitattributes / .gitignore: drop LFS, ignore *.deb.

Distribution

  • Global apt → https://cardputerzero.github.io/packages (.deb from Releases CDN).
  • China apt → https://cardputer-zero-repo.oss-cn-shenzhen.aliyuncs.com/packages (.deb from OSS).

Coupled change (separate PR)

m5stack/CardputerZero-AppBuilder czdev publish must upload the .deb to a fork release and emit the manifest instead of pushing via LFS. PR linked separately. Merge together.

Test plan

  • Run update-index (workflow_dispatch) on this branch; confirm Pages Packages has release-URL Filename and apt update + apt install nc2000 works.
  • Enable OSS sync (sync_oss=true) and confirm OSS serves .deb + CN registry.json.
  • Open a test publish PR and confirm validate → comment flow.

Made with Cursor

The org LFS budget is exhausted, which blocked CI and broke deploys. Move .deb
distribution off LFS entirely:

- .deb are stored in the long-lived `apt-pool` GitHub Release (seeded with the
  current 13 packages, byte-identical / sha256-verified) and mirrored to OSS.
  They are no longer kept in git; each package carries a
  <pkg>_<ver>_<arch>.deb.release.json manifest (url + sha256 + size).
- update-index.yml: no LFS. Promote pending manifests into apt-pool, build the
  Pages index with Filename -> release URL, and stage an OSS tree (relative
  Filename, .deb included) for the existing Aliyun OSS sync.
- validate-pr.yml: split into an untrusted `pull_request` stage (download the
  manifest .deb, verify sha256 + dpkg checks, upload result artifact) and a
  privileged validate-pr-comment.yml (`workflow_run`) that posts the comment.
  Fixes the previous pull_request_target + checkout-PR-head pattern.
- generate-registry.py: pass through absolute Filename URLs.
- .gitattributes/.gitignore: drop LFS, ignore *.deb.

Distribution: global apt -> Releases CDN, China apt -> OSS. git stays tiny.
Co-authored-by: Cursor <cursoragent@cursor.com>
@github-actions

Contributor

❌ Package Validation Failed

Unknown validation failure


If you believe this is an error, contact a maintainer.

Make the in-git manifests the source of truth: only .deb referenced by a
<pkg>_<ver>_<arch>.deb.release.json manifest is downloaded and indexed, so
removing a manifest (czdev unpublish) actually drops the package on the next
build even though the asset remains in the apt-pool release.

Co-authored-by: Cursor <cursoragent@cursor.com>
@github-actions

Contributor

❌ Package Validation Failed

Unknown validation failure


If you believe this is an error, contact a maintainer.

- OSS staging regenerated Packages with relative Filename but reused the
  Pages-build Release, so apt rejected Packages.gz on a size/hash mismatch.
  Regenerate the OSS Release from the relative Packages (verified: apt-get
  update + apt download nc2000 now succeed against the OSS tree).
- README: the device installs via registry download.url (absolute Release
  URLs); apt requires co-located binaries so the apt endpoint is the OSS
  mirror. Pages is the registry/web-UI data source, not an apt mirror (apt
  does not follow absolute Filename URLs).

Co-authored-by: Cursor <cursoragent@cursor.com>
@github-actions

Contributor

❌ Package Validation Failed

Unknown validation failure


If you believe this is an error, contact a maintainer.

- Skip third-party submission validation for same-repo (maintainer/infra) PRs
  such as the migration that seeds many authors' packages at once; only fork
  PRs are untrusted submissions.
- The .desktop check piped dpkg-deb into 'grep -q', which closes the pipe on
  first match; under pipefail dpkg-deb's SIGPIPE made the check falsely report
  a missing .desktop. Read the contents to a file first.

Co-authored-by: Cursor <cursoragent@cursor.com>
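
The `grep -q` / `pipefail` false negative described in the commit message above, reproduced as an added example (not the repository's workflow code). `list_contents` is a hypothetical stand-in for the `dpkg-deb` listing, and the paths it prints are constructed.

```shell
#!/usr/bin/env bash
# Constructed stand-in for the dpkg-deb listing: an optional .desktop entry
# first, then enough lines (several MB) to overflow the pipe buffer.
list_contents() {
  if [ "$1" = with ]; then
    printf '%s\n' './usr/share/applications/demo.desktop'
  fi
  seq -f './usr/share/demo/asset-%g.bin' 1 200000
}

# Before: grep -q exits on the first match and closes the pipe. The producer
# is then killed by SIGPIPE (status 141), and pipefail makes that the status
# of the whole pipeline, so a package that HAS a .desktop looks like it has none.
check_desktop_piped() {
  (
    set -o pipefail
    list_contents "$1" | grep -q '\.desktop$'
  )
}

# After: let the listing finish into a file, then search the file.
# Exit 0 = found, 1 = genuinely missing, 2 = the listing itself failed.
check_desktop_via_file() {
  (
    set -o pipefail
    tmp=$(mktemp) || exit 2
    trap 'rm -f "$tmp"' EXIT
    list_contents "$1" > "$tmp" || exit 2
    grep -q '\.desktop$' "$tmp"
  )
}

check_desktop_piped with || echo "piped check: reports missing (exit $?)"
check_desktop_via_file with && echo "file check: .desktop found"
check_desktop_via_file without || echo "file check: genuinely missing (exit $?)"
```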
@github-actions

Contributor

❌ Package Validation Failed

Unknown validation failure


If you believe this is an error, contact a maintainer.

@eggfly eggfly merged commit 0ecc9c3 into main Jun 30, 2026
1 of 2 checks passed
@eggfly eggfly deleted the migrate-deb-to-releases branch June 30, 2026 11:33