refactor(ci): inline publish steps, delete publish-repo.sh

Replace the monolithic publish-repo.sh with discrete workflow steps:
Sign RPMs, Set up SSH, Sync RPMs to repo, Update repo metadata.

Each step now has its own name in the CI UI, making failures
immediately identifiable. Removed 2>/dev/null from ssh-keyscan
which was silently hiding DNS resolution failures.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

.gitea/workflows/build-release.yml

@@ -148,9 +148,31 @@ jobs:
           echo "${fpr}:6:" | gpg --batch --import-ownertrust
           sed "s/@GPG_NAME@/${{ secrets.RPM_SIGNING_KEY_ID }}/" rpm/rpmmacros > ~/.rpmmacros
 
-      - name: Sign and publish
-        run: ./script/publish-repo.sh rpms/
+      - name: Sign RPMs
+        run: |
+          for rpm in rpms/*.rpm; do
+            echo "signing ${rpm}..."
+            rpm --addsign "${rpm}"
+          done
+
+      - name: Set up SSH
+        run: |
+          install --directory --mode 700 ~/.ssh
+          echo "${RSYNC_SSH_KEY}" | install --mode 600 /dev/stdin ~/.ssh/id_ed25519
+          ssh-keyscan -H oolon.kosherinata.internal >> ~/.ssh/known_hosts
         env:
-          FEDORA_VERSION: ${{ matrix.fedora_version }}
-          RSYNC_TARGET: ${{ secrets.RSYNC_TARGET }}
           RSYNC_SSH_KEY: ${{ secrets.RSYNC_SSH_KEY }}
+
+      - name: Sync RPMs to repo
+        run: |
+          rsync \
+            --archive \
+            --verbose \
+            --chmod D755,F644 \
+            rpms/*.rpm \
+            "${{ secrets.RSYNC_TARGET }}:/var/www/rpm/fedora/${{ matrix.fedora_version }}/x86_64/"
+
+      - name: Update repo metadata
+        run: |
+          ssh "${{ secrets.RSYNC_TARGET }}" \
+            "cd /var/www/rpm/fedora/${{ matrix.fedora_version }}/x86_64 && createrepo_c --update ."

CLAUDE.md

@@ -28,8 +28,7 @@ Defined in `flavours.yml`. Each flavour specifies a name, `cuda_home`, `cargo_fe
 - `rpm/systemd/mistralrs@.service` — templated systemd unit (`@BINARY@` and `@FLAVOUR@` are sed-replaced during rpmbuild)
 - `rpm/systemd/mistralrs@.conf.example` — example env file for instances
 - `script/build-binary.sh` — compiles mistralrs-server with cargo (requires `FLAVOUR_NAME`, `CUDA_HOME`, `CARGO_FEATURES`, `CUDA_COMPUTE_CAP`, `SRC_DIR` env vars)
-- `script/publish-repo.sh` — signs RPMs and rsyncs to the repo server
-- `script/setup/` — one-time infra setup scripts (DNS, TLS cert, nginx) for `rpm.lair.cafe` on host `oolon`
+- `script/setup/` — one-time infra setup scripts (DNS, TLS cert, nginx, GPG) for `rpm.lair.cafe` on host `oolon`
 
 ## Commands
 

script/publish-repo.sh

@@ -1,45 +0,0 @@
-#!/usr/bin/env bash
-set -euo pipefail
-
-RPM_DIR="${1%/}"
-: "${RPM_DIR:?usage: $0 <rpm-directory>}"
-: "${FEDORA_VERSION:?}"
-REMOTE_DIR="/var/www/rpm/fedora/${FEDORA_VERSION}/x86_64"
-
-# sign each rpm with the imported gpg key
-echo "--- rpmmacros ---"
-cat ~/.rpmmacros
-echo "--- macro check ---"
-rpm -E '%{_openpgp_sign_id}' || true
-rpm -E '%{_gpg_name}' || true
-echo "--- signing ---"
-for rpm in "${RPM_DIR}"/*.rpm; do
-    echo "signing ${rpm}..."
-    set +e
-    rpm --addsign "${rpm}" 2>&1
-    rc=$?
-    set -e
-    echo "exit code: ${rc}"
-    if [ "${rc}" -ne 0 ]; then
-        echo "failed to sign ${rpm}" >&2
-        exit 1
-    fi
-done
-
-echo "setting up ssh..."
-install --directory --mode 700 ~/.ssh
-echo "${RSYNC_SSH_KEY}" | install --mode 600 /dev/stdin ~/.ssh/id_ed25519
-ssh-keyscan -H oolon.kosherinata.internal > ~/.ssh/known_hosts 2>/dev/null
-
-echo "rsyncing to ${RSYNC_TARGET}:${REMOTE_DIR}/..."
-rsync \
-    --archive \
-    --verbose \
-    --chmod D755,F644 \
-    "${RPM_DIR}/"*.rpm \
-    "${RSYNC_TARGET}:${REMOTE_DIR}/"
-
-echo "updating repo metadata..."
-ssh "${RSYNC_TARGET}" "cd ${REMOTE_DIR} && createrepo_c --update ."
-
-echo "Published $(ls ${RPM_DIR}/*.rpm | wc -l) RPMs"