This is the initial shape of the CardputerZero deb repository. The design
follows the GitHub Pages (metadata) + Releases (deb assets) pattern that
sibling projects like ryanfortner/box64-debs and AdityaGarg8/t2-ubuntu-repo
use successfully — it deliberately avoids Git LFS because the free plan's
1 GB/1 GB storage+bandwidth limits apply to public repos too.
Files landing here:
- README.md / docs/ARCHITECTURE.md / docs/MAINTAINERS.md explain the flow
for users, the design tradeoffs, and the maintainer runbook (including
GPG key setup).
- .github/workflows/validate-submission.yml runs on pull_request with a
read-only token and no secrets, verifying any incoming/*.deb is a valid
arm64 package. Safe to run on external contributor PRs.
- .github/workflows/publish.yml runs on push to main (after merge). It
uploads incoming/*.deb to a rolling "apt-pool" GitHub Release, rebuilds
Packages/Release/InRelease with apt-ftparchive, GPG-signs if
GPG_PRIVATE_KEY is set (warns loudly otherwise), and publishes the
metadata tree to gh-pages.
- incoming/czrepo-hello_0.1-1_arm64.deb is a 784-byte sentinel package
used to exercise the publish pipeline end-to-end on this very first
PR merge.
The workflow is intentionally safe-by-default: without a GPG key
configured it will still produce a usable (unsigned) apt index so the
plumbing can be validated before trusted signing keys are generated.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
LiHaohua