So pushing to a ci/** branch fully exercises the pipeline (apt-ftparchive,
GPG skip-path, index commit back, Pages publish) without polluting the
production gh-pages branch:
- push filter includes "ci/**" in addition to main
- metadata commit pushes back to the source branch, not hard-coded main
- gh-pages publish lands on gh-pages-preview when the source branch is
anything other than main
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

This is the initial shape of the CardputerZero deb repository. The design
follows the GitHub Pages (metadata) + Releases (deb assets) pattern that
sibling projects like ryanfortner/box64-debs and AdityaGarg8/t2-ubuntu-repo
use successfully — it deliberately avoids Git LFS because the free plan's
1 GB/1 GB storage+bandwidth limits apply to public repos too.
Files landing here:
- README.md / docs/ARCHITECTURE.md / docs/MAINTAINERS.md explain the flow
for users, the design tradeoffs, and the maintainer runbook (including
GPG key setup).
- .github/workflows/validate-submission.yml runs on pull_request with a
read-only token and no secrets, verifying any incoming/*.deb is a valid
arm64 package. Safe to run on external contributor PRs.
- .github/workflows/publish.yml runs on push to main (after merge). It
uploads incoming/*.deb to a rolling "apt-pool" GitHub Release, rebuilds
Packages/Release/InRelease with apt-ftparchive, GPG-signs if
GPG_PRIVATE_KEY is set (warns loudly otherwise), and publishes the
metadata tree to gh-pages.
- incoming/czrepo-hello_0.1-1_arm64.deb is a 784-byte sentinel package
used to exercise the publish pipeline end-to-end on this very first
PR merge.
The workflow is intentionally safe-by-default: without a GPG key
configured it will still produce a usable (unsigned) apt index so the
plumbing can be validated before trusted signing keys are generated.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
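The two messages above describe the publish workflow's branch routing (ci/** to gh-pages-preview, index commit back to the source branch) and its signing skip-path. The sketch below is an added illustration of that shape, not the repository's actual publish.yml; it assumes the debs sit under incoming/, a passphrase-less key in the GPG_PRIVATE_KEY secret, and peaceiris/actions-gh-pages for the Pages publish, and it omits the "apt-pool" Release upload.

```yaml
# Illustrative only; the real publish.yml also uploads incoming/*.deb to a Release.
name: publish
on:
  push:
    branches: [main, 'ci/**']  # ci/** runs the full pipeline in preview mode
permissions:
  contents: write              # index commit back + Pages branch push
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Route anything that is not main to gh-pages-preview
        id: target
        run: |
          if [ "$GITHUB_REF_NAME" = "main" ]; then
            echo "branch=gh-pages" >> "$GITHUB_OUTPUT"
          else
            echo "branch=gh-pages-preview" >> "$GITHUB_OUTPUT"
          fi
      - name: Rebuild Packages/Release with apt-ftparchive
        run: |
          sudo apt-get install -y apt-utils
          mkdir -p public/dists/stable/main/binary-arm64
          apt-ftparchive packages incoming > public/dists/stable/main/binary-arm64/Packages
          ( cd public/dists/stable && apt-ftparchive release . > Release )
      - name: Sign Release, or warn loudly and ship it unsigned
        env:
          GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }}
        run: |
          if [ -z "$GPG_PRIVATE_KEY" ]; then
            echo "::warning::GPG_PRIVATE_KEY not set; index will be UNSIGNED"
            exit 0
          fi
          printf '%s' "$GPG_PRIVATE_KEY" | gpg --batch --import
          cd public/dists/stable
          gpg --batch --yes --clearsign -o InRelease Release
          gpg --batch --yes --detach-sign --armor -o Release.gpg Release
      - name: Commit the index back to the branch that triggered the run
        run: |
          git config user.name "github-actions[bot]"
          git config user.email "github-actions[bot]@users.noreply.github.com"
          git add public && git commit -m "chore: rebuild apt index" || exit 0
          git push origin "HEAD:$GITHUB_REF_NAME"   # pushes with GITHUB_TOKEN do not re-trigger
      - uses: peaceiris/actions-gh-pages@v3
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}
          publish_dir: ./public
          publish_branch: ${{ steps.target.outputs.branch }}
```

The unsigned path deliberately exits 0 after the warning so the plumbing can be validated before a signing key exists; clients will still refuse the repo until InRelease is signed with a key they trust.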