The gitea_ci user cannot set timestamps on /var/www/rpm/ which is
owned by root. Directory timestamps are irrelevant for static files.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Installs nvm, Node.js LTS, and creates a stable symlink at
~/.nvm/default_bin for the systemd PATH so actions/checkout@v4
can find node without sourcing .bashrc.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Gitea Actions runs steps in a non-interactive shell that does not
source .bashrc. Use the explicit NVM_DIR path to load nvm.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Vite + React + SWC + TypeScript SPA with react-router and
  react-bootstrap
- Dark/light/system theme with Bootstrap 5.3 data-bs-theme
- Home page with repo setup instructions and copyable code blocks
- Package list and detail pages driven by packages.json
- Python script to generate packages.json from repodata XML
- Nginx config updated for SPA fallback, asset caching, removed
  autoindex
- New deploy-ui workflow triggered on ui/ or nginx config changes,
  requires runners with nvm label
- packages.json generation added to publish job after createrepo_c
- Runner setup docs for nvm and sequoia-sq added to readme
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Use actions/rpm-changelog@v1 with repo-url to collect commits from
the upstream mistral.rs repo between release tags and prepend a
changelog entry to the spec file before building the RPM.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The linker needs LIBRARY_PATH to find -lcudnn at link time.
LD_LIBRARY_PATH only affects runtime library loading.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The RPM file existing on the server is not sufficient — the repo
metadata must also reference it. After checking the file exists,
verify repomd.xml is present and dnf repoquery can find the package
in the index. This catches the case where sync succeeded but
createrepo_c failed.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
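
The check described in the commit message above, as an added example (not code from this repository): an RPM counts as published only when repomd.xml points at a primary index whose checksum matches and which lists the package. The commit itself uses dnf repoquery; the `repo_files` mapping, the function names and the sample file names here are assumptions made for illustration.

```python
import gzip
import hashlib
import xml.etree.ElementTree as ET

REPO_NS = {"r": "http://linux.duke.edu/metadata/repo"}
COMMON_NS = {"c": "http://linux.duke.edu/metadata/common"}


def primary_entry(repomd_xml: bytes):
    """Return (href, sha256) of the primary index listed in repomd.xml."""
    root = ET.fromstring(repomd_xml)
    data = root.find("r:data[@type='primary']", REPO_NS)
    if data is None:
        raise ValueError("repomd.xml has no primary data entry")
    href = data.find("r:location", REPO_NS).get("href")
    digest = data.find("r:checksum[@type='sha256']", REPO_NS).text.strip()
    return href, digest


def indexed_rpms(primary_gz: bytes, expected_sha256: str):
    """Check the index against repomd.xml, then list the RPM paths in it."""
    if hashlib.sha256(primary_gz).hexdigest() != expected_sha256:
        raise ValueError("primary index does not match repomd.xml checksum")
    root = ET.fromstring(gzip.decompress(primary_gz))
    return {p.find("c:location", COMMON_NS).get("href")
            for p in root.findall("c:package", COMMON_NS)}


def is_published(repo_files: dict, rpm_path: str) -> bool:
    """True only if the RPM file exists AND the repo metadata references it."""
    if rpm_path not in repo_files or "repodata/repomd.xml" not in repo_files:
        return False
    href, digest = primary_entry(repo_files["repodata/repomd.xml"])
    return rpm_path in indexed_rpms(repo_files[href], digest)


def sample_repo(indexed: list, on_disk: list) -> dict:
    """Constructed sample repo: made-up file names, empty RPM bodies."""
    pkgs = "".join(f'<package type="rpm"><location href="{p}"/></package>'
                   for p in indexed)
    primary = gzip.compress(
        f'<metadata xmlns="{COMMON_NS["c"]}">{pkgs}</metadata>'.encode())
    repomd = (f'<repomd xmlns="{REPO_NS["r"]}"><data type="primary">'
              f'<checksum type="sha256">{hashlib.sha256(primary).hexdigest()}'
              f'</checksum><location href="repodata/primary.xml.gz"/>'
              f'</data></repomd>').encode()
    files = {p: b"" for p in on_disk}
    files.update({"repodata/repomd.xml": repomd, "repodata/primary.xml.gz": primary})
    return files
```

A repo built with `sample_repo(indexed=[old], on_disk=[old, new])` models the failure the commit targets: the new file was synced, but the index was never regenerated.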
- Set RPM_REPO_HOST=oolon.kosherinata.internal as a plain env var
  instead of treating the hostname as a secret via RSYNC_TARGET
- Add explicit SSH connectivity test step using StrictHostKeyChecking=accept-new
- Remove ssh-keyscan in favour of accept-new which provides meaningful errors
- Remove RSYNC_TARGET secret dependency
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Replace the monolithic publish-repo.sh with discrete workflow steps:
Sign RPMs, Set up SSH, Sync RPMs to repo, Update repo metadata.
Each step now has its own name in the CI UI, making failures
immediately identifiable. Removed 2>/dev/null from ssh-keyscan
which was silently hiding DNS resolution failures.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Disable set -e around rpm --addsign to prevent silent exits and
capture the actual exit code and error output.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
RPM 6 on Fedora 43 uses sequoia (sq) for signing instead of gpg.
Replace %_gpg_name with %_openpgp_sign_id and drop the gpg-agent
loopback config. Add a pre-flight check for sequoia-sq.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Fedora 43 uses rpm-sequoia which does not expand %{__plaintext_filename}
or %{__signature_filename} from %__gpg_sign_cmd. Remove the override
and let rpm-sequoia read the gpg key directly. The key trust and
gpg-agent loopback config are already in place.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Fedora 43 defaults to rpm-sequoia for signing which ignores the
imported gpg key. Set %__gpg_sign_cmd explicitly to force gpg-based
signing with loopback pinentry. Remove diagnostics.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Test gpg signing directly, dump macro expansion, and use rpmsign
with --verbose to get more detail.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
GPG refuses to sign with a key that has unknown trust. Set the
imported key to ultimate trust after import.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Dump rpmmacros, gpg keys, and file permissions before signing to
debug the silent failure.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Direct stdout/stderr capture may miss gpg subprocess output. Write
to a temp file and cat it on failure.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Capture stderr from rpm --addsign so the actual gpg error is visible
when signing fails.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The rpm keyring import needs root access which CI doesn't have.
Client-side verification on install is sufficient.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Ensures package, publish, and poll-upstream jobs are picked up by
Fedora 43 runners specifically.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Import the GPG public key into rpm's keyring so rpm --checksig can
verify signatures. Also use --undefine dist before --define to ensure
the CLI value overrides the system macro on the build host.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The custom %__gpg_sign_cmd macro with %{__plaintext_filename} is not
supported on modern rpm. Instead, configure gpg-agent for loopback
pinentry and let rpm use its default sign command.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The heredoc with column-0 lines inside a YAML block scalar may
confuse Gitea's workflow parser. Move rpmmacros content to
rpm/rpmmacros as a template with sed substitution.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Gitea may not support matrix expressions in job-level concurrency
groups. The workflow-level concurrency group already prevents
parallel runs.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Gitea 1.25 does not support array values in matrix includes for
runs-on, causing the dispatch API to return 500. Revert to a single
runner label.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Add fedora_version to build, package, and publish matrices so the
pipeline can target multiple Fedora releases in parallel. Force the
dist tag via --define to ensure RPMs are stamped correctly regardless
of build host. Update poll-upstream to check all fedora/flavour
combinations before triggering a build.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The echo-based approach was mangling rpm macro tokens like
%{__plaintext_filename}. Switch to a heredoc so the content is
written verbatim.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
%{__gpg} already expands to /usr/bin/gpg, so the extra "gpg" was
passed as a positional argument causing all flags to be ignored.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Add %__gpg_sign_cmd macro to ~/.rpmmacros with --batch, --no-tty, and
--pinentry-mode loopback so rpm --addsign works without a TTY in CI.
Also add signing progress output and post-sign verification to
publish-repo.sh for easier debugging.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Gitea's download-artifact does not support merge-multiple, so RPMs
end up in subdirectories. Add a step to move them into the expected
flat directory before publish-repo.sh runs.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The shared runner retains ~/.rpmmacros from previous publish jobs,
causing a spurious "Macro %_gpg_name has empty body" error during
rpmbuild in the package job.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Add script/setup/gpg.sh to generate a dedicated lair keyring with a
certify-only master key and a 1-year signing subkey, cross-signed by
both personal keys. The public key is synced to oolon as <short-id>.gpg.
Update nginx config to serve any .gpg file instead of a hardcoded
RPM-GPG-KEY-mistralrs path, supporting multiple keys as the repo grows.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Poll was firing every minute, dispatching new builds that cancelled
the running one. Restore 15-minute cron interval and add shared
concurrency group across both workflows so new polls queue instead
of re-dispatching.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The gitea runner user on beast doesn't have Rust installed.
Reuses existing installation on subsequent runs.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Gitea Actions doesn't support fromJSON in matrix strategies
(expressions are evaluated before dependent jobs run). Move
flavour definitions into the workflow as static matrix includes
and remove flavours.yml.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The runners have python yq (jq wrapper), not mikefarah/yq (Go).
Replace -o=json -I=0 with --compact-output which is the jq equivalent.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Gitea API requires refs/heads/main (not just main) and
Content-Type: application/json for the dispatch endpoint.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>