Implements automated repository synchronization to mirror servers with:
- Proper input validation (SSRF protection, hostname/port/path validation)
- Enhanced error handling with set -e and set -o pipefail
- Secret validation before use
- Conditional sync based on timestamp comparison (10-hour threshold)
- Support for forced sync via workflow dispatch
- Two-phase rsync (initial + cleanup with --delete)
- Support for both debs and debs-beta repositories
- Comprehensive logging to GitHub step summaries
- Team membership check for manual execution
- Scheduled runs every 4 hours
Security improvements:
- API URL format validation to prevent SSRF
- Hostname format validation
- Port range validation (1-65535)
- Username format validation (alphanumeric + ._-)
- Path traversal prevention (.. check)
- All paths validated against expected prefixes
Signed-off-by: Igor Pecovnik <igor@armbian.com>
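The validation rules listed in this commit message, written out as POSIX shell checks. This is an added example, not the workflow's own code; the function names, the exact patterns, the `/api` and `/storage` prefixes and the example.org hosts are assumptions.

```shell
#!/bin/sh
# Added example. Function names, patterns and sample values are assumptions.
set -eu
LC_ALL=C; export LC_ALL   # make [A-Z] style ranges ASCII-only

valid_hostname() {
    # Letters, digits, dots, hyphens only; this also rejects newlines and '@'.
    case $1 in ''|*[!A-Za-z0-9.-]*) return 1 ;; esac
    [ "${#1}" -le 253 ] || return 1
    # Each label must start and end with a letter or digit (no leading '-').
    case $1 in .*|*.|*..*|-*|*-|*.-*|*-.*) return 1 ;; esac
}

valid_port() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "${#1}" -le 5 ] && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

valid_username() {
    # Alphanumeric plus ._- ; a leading '-' is refused as well (assumption)
    # so the value can never be parsed as an option by ssh or rsync.
    case $1 in ''|-*|*[!A-Za-z0-9._-]*) return 1 ;; esac
}

valid_path() {   # $1 = path, $2 = expected prefix
    case $1 in
        *..*|*[!A-Za-z0-9._/-]*) return 1 ;;   # traversal or odd characters
        "$2"|"$2"/*) return 0 ;;               # inside the expected tree
    esac
    return 1
}

valid_api_url() {   # $1 = URL, $2 = the single API host the job may contact
    case $1 in https://*/*) ;; *) return 1 ;; esac
    _rest=${1#https://}
    _host=${_rest%%/*}
    # Exact host match defeats user@host, host:port and look-alike suffixes.
    [ "$_host" = "$2" ] && valid_hostname "$_host" || return 1
    valid_path "/${_rest#*/}" /api
}

# Constructed sample values, checked before anything reaches rsync or curl.
valid_hostname "mirror.example.org" && valid_port 22 && valid_username "sync-user" \
    && valid_path "/storage/debs-beta/pool" "/storage" \
    && valid_api_url "https://netbox.example.org/api/dcim/devices/" "netbox.example.org" \
    && echo "inputs accepted"
```

The URL check is deliberately strict: it refuses query strings and any host other than the one passed in, so a job that needs query parameters should append them after validation rather than loosen the pattern.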
- Add INCOMING_PATH environment variable for staging files
- Add new Copying job that handles moving files from incoming to storage
- Copying job processes different targets (stable, cron, nightly, etc.)
- Remove Payload job and xx.yml workflow file
- Change Check job runner from ubuntu-latest to Linux
- Update external job dependency from Check to Copying
- Add comprehensive input validation for all paths and parameters
- Implement SSRF prevention for API calls
- Add format validation for hostnames, usernames, and ports
- Enhance NetBox API error handling and validation
- Improve permission management with safety checks
- Add dry-run support for sync operations
- Strengthen repository path validation throughout
- Enhance security for beta repository operations
Signed-off-by: Igor Pecovnik <igor@armbian.com>
- Update workflow name from "Rewrite kernel configs" to "Update image-info.json"
- Remove unused matrix outputs from job configuration
- Fix duplicate cd command in commit step
- Fix git add path to use correct data/image-info.json
- Correct commit message to describe actual change
- Rename job from build-matrix to update-image-info
Signed-off-by: Igor Pecovnik <igor@armbian.com>
* Improve package version check and repository management
- Replace apt-cache with direct HTTP queries to Armbian repository
  package indices for reliable version detection across all components
- Add repository cleanup jobs (preclean/postclean) to purge old
  package versions and keep only newest
- Implement retry logic (3 attempts) for aptly mirror update
  operations with automatic mirror recreation on failure
- Add download validation to ensure .deb files are actually downloaded
- Add HIDE_NO_UPDATE input option for controlling summary output
- Always sync to debs-beta, sync to debs only on actual version updates
- Enhanced debugging with comprehensive logging for aptly operations
* Fix syntax for PURGE variable in workflow
* Fix