From 07bf2c16cbcb97bf65fc105893d62b15bf147a0c Mon Sep 17 00:00:00 2001
From: Roman Lebedev <lebedev.ri@gmail.com>
Date: Sat, 4 Oct 2025 18:29:15 +0300
Subject: [PATCH] Deb PPA rewrite, adding packages for ppc64el

TLDR: instead of running the entirety of the job in the container,
start a detached container, and manually run each step
in detached container. This allows to run stuff outside of container.
---
 .github/workflows/deb-buildd.yml       | 310 ++++++++++++++++++-------
 .github/workflows/deb-orchestrator.yml |  17 +-
 .github/workflows/deb-publish.yml      | 236 +++++++++++++------
 .github/workflows/deb-reprotest.yml    | 205 ++++++++++++----
 .github/workflows/deb-src.yml          | 210 +++++++++++------
 debian/control                         |   3 +-
 6 files changed, 712 insertions(+), 269 deletions(-)

diff --git a/.github/workflows/deb-buildd.yml b/.github/workflows/deb-buildd.yml
index db171a1c..73667f0b 100644
--- a/.github/workflows/deb-buildd.yml
+++ b/.github/workflows/deb-buildd.yml
@@ -7,7 +7,13 @@ on:
       runs-on:
         required: true
         type: string
-      arch:
+      machine-arch:
+        required: true
+        type: string
+      build-arch:
+        required: true
+        type: string
+      host-arch:
         required: true
         type: string
       dist-name:
@@ -23,45 +29,94 @@ on:
 jobs:
   linux:
     runs-on: ${{ inputs.runs-on }}
-    container:
-      image: debian:unstable-slim
-      options: --privileged --cap-add=SYS_ADMIN --security-opt=apparmor:unconfined --tmpfs /tmp:exec --tmpfs /__w/${{ github.event.repository.name }}/${{ github.event.repository.name }}
-    env:
-      DEBFULLNAME: apt.bcachefs.org CI bot
-      DEBEMAIL: linux-bcachefs@vger.kernel.org
-      DEB_SIGN_KEYID: "${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }}"
     permissions:
       id-token: write
       contents: read
       attestations: write
     steps:
-      - name: Install necessary packages
-        timeout-minutes: 2
+      - name: Configure baseline system
+        timeout-minutes: 1
+        shell: sudo sh "{0}"
         run: |
           set -xe
-          tee /etc/dpkg/dpkg.cfg.d/force-unsafe-io > /dev/null <<EOT
-          force-unsafe-io
-          EOT
-          tee /etc/apt/apt.conf.d/tmpfs > /dev/null <<EOT
-          Dir::Cache::Archives "/tmp/apt/archives";
+          mount -t tmpfs tmpfs ${{ github.workspace }}
+          echo "set man-db/auto-update false" | debconf-communicate
+          dpkg-reconfigure man-db
+          mkdir -p /etc/apt/apt.conf.d
+          mkdir -p /etc/dpkg/dpkg.cfg.d
+          tee /etc/apt/apt.conf.d/99gh > /dev/null <<EOT
           APT::ExtractTemplates::TempDir "/tmp/apt/temp";
-          EOT
-          mkdir -p /tmp/apt/archives
-          tee /etc/apt/apt.conf.d/80retry > /dev/null <<EOT
           Acquire::Retries "10";
-          EOT
-          tee /etc/apt/apt.conf.d/80recommends > /dev/null <<EOT
           APT::Install-Recommends "false";
-          EOT
-          tee /etc/apt/apt.conf.d/80suggests > /dev/null <<EOT
           APT::Install-Suggests "false";
-          EOT
-          tee /etc/apt/apt.conf.d/80forceyes > /dev/null <<EOT
           APT::Get::Assume-Yes "true";
-          EOT
-          tee /etc/apt/apt.conf.d/80fixmissing > /dev/null <<EOT
           APT::Get::Fix-Missing "true";
           EOT
+          tee /etc/dpkg/dpkg.cfg.d/99gh > /dev/null <<EOT
+          force-unsafe-io
+          force-confdef
+          EOT
+          rm -rf /var/lib/apt/lists/*
+          rm -rf /etc/apt/sources.list*
+          if [ "${{ inputs.machine-arch }}" = "amd64" ];
+          then
+          MIRROR="http://archive.ubuntu.com/ubuntu"
+          else
+          MIRROR="http://ports.ubuntu.com/ubuntu-ports"
+          fi
+          tee /etc/apt/sources.list > /dev/null <<EOT
+          deb $MIRROR noble main universe
+          EOT
+          apt update
+          apt install eatmydata
+          eatmydata apt install \
+            podman \
+            qemu-user-static \
+          ;
+          apt clean
+      - name: Start the container
+        timeout-minutes: 1
+        shell: sudo eatmydata sh "{0}"
+        run: |
+          set -xe
+          export IMAGE=debian:unstable-slim
+          podman pull ${IMAGE}
+          podman run \
+            --name container \
+            --image-volume=tmpfs \
+            --tmpfs=/run \
+            --tmpfs=/tmp \
+            --tmpfs=/var/tmp \
+            --volume=/home/runner:/home/runner \
+            --volume=${{ github.workspace }}:${{ github.workspace }} \
+            --privileged \
+            --cap-add=SYS_ADMIN \
+            --security-opt=apparmor:unconfined \
+            --interactive \
+            --tty \
+            --detach \
+            ${IMAGE} \
+            /usr/bin/sh \
+          ;
+      - name: Install necessary packages
+        timeout-minutes: 1
+        shell: sudo podman exec --interactive --tty container sh "{0}"
+        run: |
+          set -xe
+          mkdir -p /etc/apt/apt.conf.d
+          mkdir -p /etc/dpkg/dpkg.cfg.d
+          tee /etc/apt/apt.conf.d/99gh > /dev/null <<EOT
+          APT::ExtractTemplates::TempDir "/tmp/apt/temp";
+          Acquire::Retries "10";
+          APT::Install-Recommends "false";
+          APT::Install-Suggests "false";
+          APT::Get::Assume-Yes "true";
+          APT::Get::Fix-Missing "true";
+          EOT
+          tee /etc/dpkg/dpkg.cfg.d/99gh > /dev/null <<EOT
+          force-unsafe-io
+          force-confdef
+          EOT
           rm -rf /var/lib/apt/lists/*
           rm -rf /etc/apt/sources.list*
           tee /etc/apt/sources.list > /dev/null <<EOT
@@ -72,6 +127,7 @@ jobs:
           eatmydata apt full-upgrade
           eatmydata apt install \
             ${{ inputs.dist-name }}-keyring \
+            arch-test \
             autopkgtest \
             curl \
             devscripts \
@@ -81,11 +137,13 @@ jobs:
             fdisk \
             gnupg \
             iproute2 \
+            ipxe-qemu \
             libarchive13 \
             mmdebstrap \
             mtools \
             ovmf \
             qemu-efi-aarch64 \
+            qemu-kvm \
             qemu-utils \
             sbuild \
             sudo \
@@ -99,25 +157,32 @@ jobs:
           apt clean
           USER=`whoami`
           sudo usermod --add-subuids 100000-165535 --add-subgids 100000-165535 $USER
-      - name: Import GPG key
+      - name: Import/Configure GPG
         timeout-minutes: 1
         id: gpg
         if: github.event_name != 'pull_request'
-        uses: crazy-max/ghaction-import-gpg@e89d40939c28e39f97cf32126055eeae86ba74ec # v6.3.0
-        with:
-          gpg_private_key: ${{ secrets.GPG_SECRET_SUBKEYS }}
-          fingerprint: ${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }}
-          trust_level: 5
-      - name: Configure GPG
-        timeout-minutes: 1
-        if: steps.gpg.conclusion != 'skipped'
+        shell: sudo podman exec --interactive --tty container eatmydata sh "{0}"
         run: |
           set -xe
-          gpg --output /etc/apt/trusted.gpg.d/apt.bcachefs.org.asc --armor --export ${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }}
+          gpg --import <<EOT
+          ${{ secrets.GPG_SECRET_SUBKEYS }}
+          EOT
+          gpg \
+            --output /etc/apt/trusted.gpg.d/apt.bcachefs.org.asc \
+            --armor \
+            --export \
+            ${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }} \
+          ;
           rm -f ~/.gnupg/trustedkeys.gpg
-          gpg --no-default-keyring --keyring ~/.gnupg/trustedkeys.gpg --import /etc/apt/trusted.gpg.d/apt.bcachefs.org.asc
+          gpg \
+            --no-default-keyring \
+            --keyring ~/.gnupg/trustedkeys.gpg \
+            --import \
+            /etc/apt/trusted.gpg.d/apt.bcachefs.org.asc \
+          ;
           tee -a ~/.gnupg/gpg.conf > /dev/null <<EOT
           default-key ${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }}
+          trusted-key ${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }}
           EOT
           tee -a ~/.gbp.conf > /dev/null <<EOT
           [buildpackage]
@@ -129,20 +194,25 @@ jobs:
           EOT
           tee -a ~/.sbuildrc > /dev/null <<EOT
           \$key_id = '${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }}';
-          \$dpkg_buildpackage_user_options = ['--sign-keyid=${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }}', '--force-sign'];
+          \$dpkg_buildpackage_user_options = [
+            '--sign-keyid=${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }}',
+            '--force-sign'
+          ];
           EOT
       - name: Configure sbuild
         timeout-minutes: 1
+        shell: sudo podman exec --interactive --tty container eatmydata sh "{0}"
         run: |
           set -xe
-          BUILD_DIR="$GITHUB_WORKSPACE/deb-bin/${{ inputs.dist-version }}/${{ inputs.arch }}"
-          echo "BUILD_DIR=$(echo ${BUILD_DIR})" >> $GITHUB_ENV
+          BUILD_DIR="${{ github.workspace }}/deb-bin/${{ inputs.dist-version }}/${{ inputs.host-arch }}"
+          echo "BUILD_DIR=$(echo ${BUILD_DIR})" >> ~/.env
           mkdir -p "$BUILD_DIR"
           tee -a ~/.sbuildrc > /dev/null <<EOT
           \$verbose = 1;
           \$build_dir = '$BUILD_DIR';
           \$distribution = '${{ inputs.dist-version }}';
-          #\$host_arch = '${{ inputs.arch }}';
+          \$build_arch = '${{ inputs.build-arch }}';
+          \$host_arch = '${{ inputs.host-arch }}';
           \$chroot_mode = 'unshare';
           \$unshare_tmpdir_template = '/tmp/tmp.sbuild.XXXXXXXXXX';
           \$run_lintian = 1;
@@ -157,12 +227,18 @@ jobs:
           then
           tee -a ~/.sbuildrc > /dev/null <<EOT
           \$external_commands = {
-            'chroot-setup-commands' => [ "export LD_PRELOAD=/usr/lib/$(dpkg-architecture -q DEB_BUILD_GNU_TYPE)/libeatmydata.so" ]
+            'chroot-setup-commands' => [
+              "export LD_PRELOAD=/usr/lib/$(dpkg-architecture -a "${{ inputs.build-arch }}" -q DEB_HOST_MULTIARCH)/libeatmydata.so"
+            ]
           };
           \$build_environment = {
-            "LD_PRELOAD" => "/usr/lib/$(dpkg-architecture -q DEB_BUILD_GNU_TYPE)/libeatmydata.so"
+            "LD_PRELOAD" =>
+              "/usr/lib/$(dpkg-architecture -a "${{ inputs.build-arch }}" -q DEB_HOST_MULTIARCH)/libeatmydata.so"
           };
-          \$environment_filter = [Dpkg::BuildInfo::get_build_env_allowed(), '^LD_PRELOAD$'];
+          \$environment_filter = [
+            Dpkg::BuildInfo::get_build_env_allowed(),
+            '^LD_PRELOAD$'
+          ];
           push @{\$unshare_mmdebstrap_extra_args}, "*", [
             '--hook-dir=/usr/share/mmdebstrap/hooks/eatmydata'
           ];
@@ -171,10 +247,10 @@ jobs:
           if [ "${{ inputs.dist-name }}" = "debian" ];
           then
           MIRROR="http://deb.debian.org/debian"
-          elif [ "${{ inputs.dist-name }}" = "ubuntu" ] && [ "${{ inputs.arch }}" = "amd64" ];
+          elif [ "${{ inputs.dist-name }}" = "ubuntu" ] && [ "${{ inputs.build-arch }}" = "amd64" ];
           then
           MIRROR="http://archive.ubuntu.com/ubuntu"
-          elif [ "${{ inputs.dist-name }}" = "ubuntu" ] && [ "${{ inputs.arch }}" != "amd64" ];
+          elif [ "${{ inputs.dist-name }}" = "ubuntu" ] && [ "${{ inputs.build-arch }}" != "amd64" ];
           then
           MIRROR="http://ports.ubuntu.com/ubuntu-ports"
           else
@@ -189,7 +265,7 @@ jobs:
           else
           exit 1
           fi
-          echo "MIRROR=$(echo ${MIRROR})" >> $GITHUB_ENV
+          echo "MIRROR=$(echo ${MIRROR})" >> ~/.env
           if [ "${{ inputs.dist-name }}" = "debian" ];
           then
           tee -a ~/.sbuildrc > /dev/null <<EOT
@@ -224,63 +300,114 @@ jobs:
           ];
           EOT
           fi
+      - name: Ensure that the download directory does not exist
+        timeout-minutes: 1
+        run: |
+          set -xe
+          rm -rf "${{ github.workspace }}/deb-src"
       - name: Download source-only .deb to be built
         timeout-minutes: 1
         uses: actions/download-artifact@v5
         with:
           artifact-ids: ${{ inputs.deb-src-artifact-id }}
           path: deb-src
-      - name: Unpack the downloaded tarball
+      - name: Check attestation of all incoming artifact archives
         timeout-minutes: 1
+        if: github.event_name != 'pull_request'
+        env:
+          GH_TOKEN: ${{ github.token }}
         run: |
           set -xe
-          cd "$GITHUB_WORKSPACE/deb-src"
-          tar -xf "$GITHUB_WORKSPACE/deb-src/artifact-src.tar"
-          rm "$GITHUB_WORKSPACE/deb-src/artifact-src.tar"
+          cd "${{ github.workspace }}/deb-src"
+          find . -type f -print0 | xargs --null -I'{}' sh -c "                 \
+            echo '::group::Attestation check for {}' &&                        \
+            (                                                                  \
+              gh attestation verify                                            \
+                {}                                                             \
+                --repo        ${{ github.repository }}                         \
+                --signer-repo ${{ github.repository }}                         \
+                --source-digest ${{ github.sha }}                              \
+                --signer-digest ${{ github.sha }}                              \
+              ||                                                               \
+              (                                                                \
+                echo '::error file={}::NOT ATTESTED!' &&                       \
+                echo '::endgroup::' &&                                         \
+                exit 1                                                         \
+              )                                                                \
+            ) &&                                                               \
+            echo 'ok.' &&                                                      \
+            echo '::endgroup::'                                                \
+          "
+      - name: Unpack the downloaded tarball
+        timeout-minutes: 1
+        shell: sudo podman exec --interactive --tty container eatmydata sh "{0}"
+        run: |
+          set -xe
+          cd "${{ github.workspace }}/deb-src"
+          tar -xf "${{ github.workspace }}/deb-src/artifact-src.tar"
+          rm "${{ github.workspace }}/deb-src/artifact-src.tar"
       - name: Ensure that all incoming source artifacts are signed
         timeout-minutes: 1
         if: steps.gpg.conclusion != 'skipped'
+        shell: sudo podman exec --interactive --tty container eatmydata sh "{0}"
         run: |
           set -xe
-          cd "$GITHUB_WORKSPACE/deb-src"
-          find . -type f -not -iname '*.sig' -print0 | xargs --null -I'{}' sh -c "\
-               echo 'Processing {}' \
-            && ( \
-                 gpg --verbose --no-default-keyring --keyring ~/.gnupg/trustedkeys.gpg --verify {}     \
-              || gpg --verbose --no-default-keyring --keyring ~/.gnupg/trustedkeys.gpg --verify {}.sig \
-              || (echo 'Processing {}: NOT SIGNED!' && exit 1) \
-            ) \
-            && echo 'Processing {}: ok' \
+          cd "${{ github.workspace }}/deb-src"
+          find . -type f -not -iname '*.sig' -print0 | xargs --null -I'{}' sh -c "                     \
+            echo '::group::Signature check for {}' &&                                                  \
+            (                                                                                          \
+              gpg --verbose --no-default-keyring --keyring ~/.gnupg/trustedkeys.gpg --verify {}     || \
+              gpg --verbose --no-default-keyring --keyring ~/.gnupg/trustedkeys.gpg --verify {}.sig || \
+              (                                                                                        \
+                echo '::error file={}::NOT SIGNED!' &&                                                 \
+                echo '::endgroup::' &&                                                                 \
+                exit 1                                                                                 \
+              )                                                                                        \
+            ) &&                                                                                       \
+            echo 'ok.' &&                                                                              \
+            echo '::endgroup::'                                                                        \
           "
       - name: Build the package
-        timeout-minutes: 10
+        timeout-minutes: 60
+        shell: sudo podman exec --interactive --tty container eatmydata sh "{0}"
         run: |
           set -xe
-          cd "$GITHUB_WORKSPACE/deb-bin"
+          cd "${{ github.workspace }}/deb-bin"
           if [ "${{ inputs.dist-name }}" = "ubuntu" ];
           then
           export DEB_BUILD_OPTIONS=noautodbgsym
           fi
-          eatmydata sbuild --verbose --arch-any --arch-all "$GITHUB_WORKSPACE/deb-src/"*.dsc
+          echo '::group::Building the package'
+          sbuild \
+            --verbose \
+            --arch-any \
+            --arch-all \
+            "${{ github.workspace }}/deb-src/"*.dsc \
+          ;
+          echo '::endgroup::'
       - name: Ensure that all binary artifacts are signed, or sign them
         timeout-minutes: 1
         if: steps.gpg.conclusion != 'skipped'
+        shell: sudo podman exec --interactive --tty container eatmydata sh "{0}"
         run: |
           set -xe
-          cd "$GITHUB_WORKSPACE/deb-bin"
-          find . -type f -not -iname '*.sig' -print0 | xargs --null -I'{}' sh -c "\
-            echo 'Processing {}' && ( \
-                 gpg --verbose --no-default-keyring --keyring ~/.gnupg/trustedkeys.gpg --verify {}     \
-              || gpg --verbose --no-default-keyring --keyring ~/.gnupg/trustedkeys.gpg --verify {}.sig \
-              || gpg --verbose --detach-sign {}                                                        \
-            ) \
+          cd "${{ github.workspace }}/deb-bin"
+          find . -type f -not -iname '*.sig' -print0 | xargs --null -I'{}' sh -c "                     \
+            echo '::group::Signing {}' &&                                                              \
+            (                                                                                          \
+              gpg --verbose --no-default-keyring --keyring ~/.gnupg/trustedkeys.gpg --verify {}     || \
+              gpg --verbose --no-default-keyring --keyring ~/.gnupg/trustedkeys.gpg --verify {}.sig || \
+              gpg --verbose --detach-sign {}                                                           \
+            ) &&                                                                                       \
+            echo '::endgroup::'                                                                        \
           "
       - name: Archive build artifacts
         timeout-minutes: 1
+        shell: sudo podman exec --interactive --tty container eatmydata sh "{0}"
         run: |
           set -xe
-          cd "$GITHUB_WORKSPACE/deb-bin"
-          tar -cf "$GITHUB_WORKSPACE/deb-bin/artifact-bin-${{ inputs.dist-version }}-${{ inputs.arch }}.tar" *
+          cd "${{ github.workspace }}/deb-bin"
+          tar -cf "${{ github.workspace }}/deb-bin/artifact-bin-${{ inputs.dist-version }}-${{ inputs.host-arch }}.tar" *
       - name: Attest build artifact
         timeout-minutes: 1
         if: github.event_name != 'pull_request'
@@ -292,8 +419,8 @@ jobs:
         id: deb-bin-upload
         uses: actions/upload-artifact@v4
         with:
-          name: artifact-bin-${{ inputs.dist-version }}-${{ inputs.arch }}.tar
-          path: '${{ github.workspace }}/deb-bin/artifact-bin-${{ inputs.dist-version }}-${{ inputs.arch }}.tar'
+          name: artifact-bin-${{ inputs.dist-version }}-${{ inputs.host-arch }}.tar
+          path: '${{ github.workspace }}/deb-bin/artifact-bin-${{ inputs.dist-version }}-${{ inputs.host-arch }}.tar'
           if-no-files-found: error
           compression-level: 0
       - name: Attest uploaded build artifact
@@ -301,20 +428,45 @@ jobs:
         if: github.event_name != 'pull_request'
         uses: actions/attest-build-provenance@v3
         with:
-          subject-name: artifact-bin-${{ inputs.dist-version }}-${{ inputs.arch }}.tar.zip
+          subject-name: artifact-bin-${{ inputs.dist-version }}-${{ inputs.host-arch }}.tar.zip
           subject-digest: sha256:${{ steps.deb-bin-upload.outputs.artifact-digest }}
       - name: Build Qemu image for autopkgtest
         timeout-minutes: 2
         id: qemu-image
-        if: inputs.dist-name == 'debian' && inputs.dist-version != 'trixie' && inputs.arch == 'amd64'
+        if: inputs.dist-name == 'debian' && inputs.dist-version != 'trixie' && inputs.machine-arch == 'amd64' && inputs.build-arch == inputs.machine-arch && inputs.host-arch == inputs.build-arch
+        shell: sudo podman exec --interactive --tty container eatmydata sh "{0}"
         run: |
           set -xe
+          . ~/.env
           IMAGE="/tmp/autopkgtest-qemu-image.qcow2"
-          echo "IMAGE=$(echo ${IMAGE})" >> $GITHUB_ENV
-          eatmydata mmdebstrap-autopkgtest-build-qemu --boot=efi --mirror "${{ env.MIRROR }}" "${{ inputs.dist-version }}" "$IMAGE"
+          echo "IMAGE=$(echo ${IMAGE})" >> ~/.env
+          mmdebstrap-autopkgtest-build-qemu --boot=efi --mirror "$MIRROR" "${{ inputs.dist-version }}" "$IMAGE"
       - name: Run autopkgtest
         timeout-minutes: 10
         if: steps.qemu-image.conclusion != 'skipped'
+        shell: sudo podman exec --interactive --tty container eatmydata sh "{0}"
         run: |
           set -xe
-          eatmydata autopkgtest --no-built-binaries --apt-upgrade "$GITHUB_WORKSPACE/deb-src"/*.dsc "${{ env.BUILD_DIR }}"/*.changes -- autopkgtest-virt-qemu --qemu-options="-smp $(nproc --all)" --boot=efi "${{ env.IMAGE }}"
+          . ~/.env
+          if [ "${{ inputs.machine-arch }}" = "amd64" ];
+          then
+          QEMU_OPTIONS="-enable-kvm -cpu host"
+          elif [ "${{ inputs.machine-arch }}" = "arm64" ];
+          then
+          QEMU_OPTIONS="-machine virt -cpu cortex-a710 -accel tcg"
+          else
+          exit 1
+          fi
+          autopkgtest \
+            --no-built-binaries \
+            --setup-commands "apt update && apt install openssl" \
+            --apt-upgrade \
+            "${{ github.workspace }}/deb-src"/*.dsc \
+            "$BUILD_DIR"/*.changes \
+            -- \
+            autopkgtest-virt-qemu \
+            --cpus=$(nproc --all) \
+            --qemu-options="$QEMU_OPTIONS" \
+            --boot=efi \
+            "$IMAGE" \
+          ;
diff --git a/.github/workflows/deb-orchestrator.yml b/.github/workflows/deb-orchestrator.yml
index 683f244f..5e69dbd1 100644
--- a/.github/workflows/deb-orchestrator.yml
+++ b/.github/workflows/deb-orchestrator.yml
@@ -22,9 +22,7 @@ jobs:
       attestations: write
     uses: ./.github/workflows/deb-src.yml
     with:
-      runs-on: ubuntu-latest
-      dist-name: debian
-      dist-version: unstable
+      runs-on: ubuntu-24.04
     secrets:
       GPG_SECRET_SUBKEYS: ${{ secrets.GPG_SECRET_SUBKEYS }}
       GPG_SIGNING_SUBKEY_FINGERPRINT: ${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }}
@@ -38,8 +36,9 @@ jobs:
       fail-fast: false
       matrix:
         stack:
-          - { runs-on: "ubuntu-latest",    arch: "amd64" }
-          - { runs-on: "ubuntu-24.04-arm", arch: "arm64" }
+          - { runs-on: "ubuntu-24.04",     machine-arch: "amd64", build-arch: "amd64",   host-arch: "amd64" }
+          - { runs-on: "ubuntu-24.04",     machine-arch: "amd64", build-arch: "ppc64el", host-arch: "ppc64el" }
+          - { runs-on: "ubuntu-24.04-arm", machine-arch: "arm64", build-arch: "arm64",   host-arch: "arm64" }
         dist:
           - { name: debian, version: unstable }
           - { name: debian, version: forky    } # Debian 14
@@ -50,7 +49,9 @@ jobs:
     with:
       deb-src-artifact-id: ${{ needs.source-only.outputs.deb-src-artifact-id }}
       runs-on: ${{ matrix.stack.runs-on }}
-      arch: ${{ matrix.stack.arch }}
+      machine-arch: ${{ matrix.stack.machine-arch }}
+      build-arch: ${{ matrix.stack.build-arch }}
+      host-arch: ${{ matrix.stack.host-arch }}
       dist-name: ${{ matrix.dist.name }}
       dist-version: ${{ matrix.dist.version }}
     secrets:
@@ -61,7 +62,7 @@ jobs:
     uses: ./.github/workflows/deb-reprotest.yml
     with:
       deb-src-artifact-id: ${{ needs.source-only.outputs.deb-src-artifact-id }}
-      runs-on: "ubuntu-latest"
+      runs-on: "ubuntu-24.04"
       arch: amd64
       dist-name: debian
       dist-version: unstable
@@ -72,6 +73,8 @@ jobs:
     needs: [ source-only, buildd, reprotest ]
     if: github.event_name != 'pull_request' && (github.ref_type == 'tag' || (github.ref_type == 'branch' && github.ref_name == 'master'))
     uses: ./.github/workflows/deb-publish.yml
+    with:
+      runs-on: ubuntu-24.04
     secrets:
       GPG_SECRET_SUBKEYS: ${{ secrets.GPG_SECRET_SUBKEYS }}
       GPG_SIGNING_SUBKEY_FINGERPRINT: ${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }}
diff --git a/.github/workflows/deb-publish.yml b/.github/workflows/deb-publish.yml
index 6caf8f5a..6a7eebf6 100644
--- a/.github/workflows/deb-publish.yml
+++ b/.github/workflows/deb-publish.yml
@@ -1,5 +1,9 @@
 on:
   workflow_call:
+    inputs:
+      runs-on:
+        required: true
+        type: string
     secrets:
       GPG_SECRET_SUBKEYS:
         required: true
@@ -14,49 +18,98 @@ on:
 
 jobs:
   linux:
-    concurrency: apt.bcachefs.org
-    runs-on: ubuntu-latest
-    container:
-      image: debian:unstable-slim
-      options: --cap-add=SYS_ADMIN --security-opt=apparmor:unconfined --device /dev/fuse --tmpfs /tmp --tmpfs /__w/${{ github.event.repository.name }}/${{ github.event.repository.name }}
+    runs-on: ${{ inputs.runs-on }}
     env:
       SUITE: ${{ (github.event_name == 'push' && github.ref_type == 'tag') && 'release' || 'snapshot' }}
+    permissions:
+      id-token: write
+      contents: read
+      attestations: write
     steps:
-      - name: Install necessary packages
-        timeout-minutes: 2
+      - name: Configure baseline system
+        timeout-minutes: 1
+        shell: sudo sh "{0}"
         run: |
           set -xe
-          tee /etc/dpkg/dpkg.cfg.d/force-unsafe-io > /dev/null <<EOT
-          force-unsafe-io
-          EOT
-          tee /etc/apt/apt.conf.d/tmpfs > /dev/null <<EOT
-          Dir::Cache::Archives "/tmp/apt/archives";
+          mount -t tmpfs tmpfs ${{ github.workspace }}
+          echo "set man-db/auto-update false" | debconf-communicate
+          dpkg-reconfigure man-db
+          mkdir -p /etc/apt/apt.conf.d
+          mkdir -p /etc/dpkg/dpkg.cfg.d
+          tee /etc/apt/apt.conf.d/99gh > /dev/null <<EOT
           APT::ExtractTemplates::TempDir "/tmp/apt/temp";
-          EOT
-          mkdir -p /tmp/apt/archives
-          tee /etc/apt/apt.conf.d/80retry > /dev/null <<EOT
           Acquire::Retries "10";
-          EOT
-          tee /etc/apt/apt.conf.d/80recommends > /dev/null <<EOT
           APT::Install-Recommends "false";
-          EOT
-          tee /etc/apt/apt.conf.d/80suggests > /dev/null <<EOT
           APT::Install-Suggests "false";
-          EOT
-          tee /etc/apt/apt.conf.d/80forceyes > /dev/null <<EOT
           APT::Get::Assume-Yes "true";
-          EOT
-          tee /etc/apt/apt.conf.d/80fixmissing > /dev/null <<EOT
           APT::Get::Fix-Missing "true";
           EOT
+          tee /etc/dpkg/dpkg.cfg.d/99gh > /dev/null <<EOT
+          force-unsafe-io
+          force-confdef
+          EOT
+          rm -rf /var/lib/apt/lists/*
+          rm -rf /etc/apt/sources.list*
+          tee /etc/apt/sources.list > /dev/null <<EOT
+          deb http://archive.ubuntu.com/ubuntu noble main universe
+          EOT
+          apt update
+          apt install eatmydata
+          eatmydata apt install \
+            podman \
+          ;
+          apt clean
+      - name: Start the container
+        timeout-minutes: 1
+        shell: sudo eatmydata sh "{0}"
+        run: |
+          set -xe
+          export IMAGE=debian:unstable-slim
+          podman pull ${IMAGE}
+          podman run \
+            --name container \
+            --image-volume=tmpfs \
+            --tmpfs=/run \
+            --tmpfs=/tmp \
+            --tmpfs=/var/tmp \
+            --volume=/home/runner:/home/runner \
+            --volume=${{ github.workspace }}:${{ github.workspace }} \
+            --cap-add=SYS_ADMIN \
+            --security-opt=apparmor:unconfined \
+            --interactive \
+            --tty \
+            --detach \
+            ${IMAGE} \
+            /usr/bin/sh \
+          ;
+      - name: Install necessary packages
+        timeout-minutes: 1
+        shell: sudo podman exec --interactive --tty container sh "{0}"
+        run: |
+          set -xe
+          mkdir -p /etc/apt/apt.conf.d
+          mkdir -p /etc/dpkg/dpkg.cfg.d
+          tee /etc/apt/apt.conf.d/99gh > /dev/null <<EOT
+          APT::ExtractTemplates::TempDir "/tmp/apt/temp";
+          Acquire::Retries "10";
+          APT::Install-Recommends "false";
+          APT::Install-Suggests "false";
+          APT::Get::Assume-Yes "true";
+          APT::Get::Fix-Missing "true";
+          EOT
+          tee /etc/dpkg/dpkg.cfg.d/99gh > /dev/null <<EOT
+          force-unsafe-io
+          force-confdef
+          EOT
           rm -rf /var/lib/apt/lists/*
           rm -rf /etc/apt/sources.list*
           tee /etc/apt/sources.list > /dev/null <<EOT
           deb http://deb.debian.org/debian unstable main
           EOT
           apt update
-          apt full-upgrade
-          apt install \
+          apt install eatmydata
+          eatmydata apt full-upgrade
+          eatmydata apt install \
             devscripts \
             gettext-base \
             git \
@@ -71,6 +124,7 @@ jobs:
           apt clean
       - name: Pre-Configure gpg-agent / ssh
         timeout-minutes: 1
+        shell: sudo podman exec --interactive --tty container eatmydata sh "{0}"
         run: |
           set -xe
           mkdir -p ~/.gnupg ~/.ssh
@@ -79,34 +133,35 @@ jobs:
           gpgconf --kill gpg-agent
           gpgconf --launch gpg-agent
           export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)
-          echo "SSH_AUTH_SOCK=$(echo ${SSH_AUTH_SOCK})" >> $GITHUB_ENV
+          echo "SSH_AUTH_SOCK=$(echo ${SSH_AUTH_SOCK})" >> ~/.env
           echo "" >> /etc/ssh/ssh_known_hosts
           echo "${{ secrets.SSH_SERVER_KEYS }}" >> /etc/ssh/ssh_known_hosts
-      - name: Import GPG key
+      - name: Import/Configure GPG
         timeout-minutes: 1
         id: gpg
         if: github.event_name != 'pull_request'
-        uses: crazy-max/ghaction-import-gpg@e89d40939c28e39f97cf32126055eeae86ba74ec # v6.3.0
-        with:
-          gpg_private_key: ${{ secrets.GPG_SECRET_SUBKEYS }}
-          fingerprint: ${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }}
-          trust_level: 5
-      - name: Finish configuring gpg-agent / ssh
-        timeout-minutes: 1
-        if: steps.gpg.conclusion != 'skipped'
+        shell: sudo podman exec --interactive --tty container eatmydata sh "{0}"
         run: |
           set -xe
-          gpg-connect-agent 'keyattr ${{ secrets.GPG_AUTH_SUBKEY_KEYGRIP }} Use-for-ssh: true' /bye
-      - name: Configure GPG
-        timeout-minutes: 1
-        if: steps.gpg.conclusion != 'skipped'
-        run: |
-          set -xe
-          gpg --output /etc/apt/trusted.gpg.d/apt.bcachefs.org.asc --armor --export ${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }}
+          gpg --import <<EOT
+          ${{ secrets.GPG_SECRET_SUBKEYS }}
+          EOT
+          gpg \
+            --output /etc/apt/trusted.gpg.d/apt.bcachefs.org.asc \
+            --armor \
+            --export \
+            ${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }} \
+          ;
           rm -f ~/.gnupg/trustedkeys.gpg
-          gpg --no-default-keyring --keyring ~/.gnupg/trustedkeys.gpg --import /etc/apt/trusted.gpg.d/apt.bcachefs.org.asc
+          gpg \
+            --no-default-keyring \
+            --keyring ~/.gnupg/trustedkeys.gpg \
+            --import \
+            /etc/apt/trusted.gpg.d/apt.bcachefs.org.asc \
+          ;
           tee -a ~/.gnupg/gpg.conf > /dev/null <<EOT
           default-key ${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }}
+          trusted-key ${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }}
           EOT
           tee -a ~/.gbp.conf > /dev/null <<EOT
           [buildpackage]
@@ -121,43 +176,83 @@ jobs:
         uses: actions/checkout@v4
         with:
           path: 'bcachefs-tools'
+      - name: Ensure that the download directory does not exist
+        timeout-minutes: 1
+        run: |
+          set -xe
+          rm -rf "${{ github.workspace }}/packed-artifacts"
       - name: Download all artifacts
         timeout-minutes: 1
         uses: actions/download-artifact@v5
         with:
           path: packed-artifacts
-      - name: Unpack all artifacts
-        timeout-minutes: 1
+      - name: Check attestation of all incoming artifact archives
+        timeout-minutes: 2
+        if: github.event_name != 'pull_request'
+        env:
+          GH_TOKEN: ${{ github.token }}
         run: |
           set -xe
-          SRC_DIR="$GITHUB_WORKSPACE/incoming/src-artifacts"
+          cd "${{ github.workspace }}/packed-artifacts"
+          find . -type f -print0 | xargs --null -I'{}' sh -c "                 \
+            echo '::group::Attestation check for {}' &&                        \
+            (                                                                  \
+              gh attestation verify                                            \
+                {}                                                             \
+                --repo        ${{ github.repository }}                         \
+                --signer-repo ${{ github.repository }}                         \
+                --source-digest ${{ github.sha }}                              \
+                --signer-digest ${{ github.sha }}                              \
+              ||                                                               \
+              (                                                                \
+                echo '::error file={}::NOT ATTESTED!' &&                       \
+                echo '::endgroup::' &&                                         \
+                exit 1                                                         \
+              )                                                                \
+            ) &&                                                               \
+            echo 'ok.' &&                                                      \
+            echo '::endgroup::'                                                \
+          "
+      - name: Unpack all artifacts
+        timeout-minutes: 1
+        shell: sudo podman exec --interactive --tty container eatmydata sh "{0}"
+        run: |
+          set -xe
+          SRC_DIR="${{ github.workspace }}/incoming/src-artifacts"
           mkdir -p "$SRC_DIR"
-          find "$GITHUB_WORKSPACE/packed-artifacts" -type f -name artifact-src.tar -exec tar -xf {} -C "$SRC_DIR" ';' -delete
-          BIN_DIR="$GITHUB_WORKSPACE/incoming/bin-artifacts"
+          find "${{ github.workspace }}/packed-artifacts" -type f -name artifact-src.tar -exec tar -xf {} -C "$SRC_DIR" ';' -delete
+          BIN_DIR="${{ github.workspace }}/incoming/bin-artifacts"
           mkdir -p "$BIN_DIR"
-          find "$GITHUB_WORKSPACE/packed-artifacts" -type f -name '*.tar' -exec tar -xf {} -C "$BIN_DIR" ';' -delete
-          rm -rf "$GITHUB_WORKSPACE/packed-artifacts"
+          find "${{ github.workspace }}/packed-artifacts" -type f -name 'artifact-bin-*.tar' -exec tar -xf {} -C "$BIN_DIR" ';' -delete
+          rm -rf "${{ github.workspace }}/packed-artifacts"
       - name: Ensure that all incoming artifacts are signed
         timeout-minutes: 1
         if: steps.gpg.conclusion != 'skipped'
+        shell: sudo podman exec --interactive --tty container eatmydata sh "{0}"
         run: |
           set -xe
-          cd "$GITHUB_WORKSPACE/incoming"
-          find . -type f -not -iname '*.sig' -print0 | xargs --null -I'{}' sh -c "\
-               echo 'Processing {}' \
-            && ( \
-                 gpg --verbose --no-default-keyring --keyring ~/.gnupg/trustedkeys.gpg --verify {}     \
-              || gpg --verbose --no-default-keyring --keyring ~/.gnupg/trustedkeys.gpg --verify {}.sig \
-              || (echo 'Processing {}: NOT SIGNED!' && exit 1) \
-            ) \
-            && echo 'Processing {}: ok' \
+          cd "${{ github.workspace }}/incoming"
+          find . -type f -not -iname '*.sig' -print0 | xargs --null -I'{}' sh -c "                     \
+            echo '::group::Signature check for {}' &&                                                  \
+            (                                                                                          \
+              gpg --verbose --no-default-keyring --keyring ~/.gnupg/trustedkeys.gpg --verify {}     || \
+              gpg --verbose --no-default-keyring --keyring ~/.gnupg/trustedkeys.gpg --verify {}.sig || \
+              (                                                                                        \
+                echo '::error file={}::NOT SIGNED!' &&                                                 \
+                echo '::endgroup::' &&                                                                 \
+                exit 1                                                                                 \
+              )                                                                                        \
+            ) &&                                                                                       \
+            echo 'ok.' &&                                                                              \
+            echo '::endgroup::'                                                                        \
           "
       - name: Create and populate repos
         timeout-minutes: 60
+        shell: sudo podman exec --interactive --tty container eatmydata sh "{0}"
         run: |
           set -xe
-          ls -lahR
-          MOUNTPOINT="$GITHUB_WORKSPACE/remotefs"
+          . ~/.env
+          MOUNTPOINT="${{ github.workspace }}/remotefs"
           mkdir -p "$MOUNTPOINT"
           if [ -n "${{ secrets.SSH_HOST }}" ]; then
           sshfs ${{ secrets.SSH_HOST }}/uploads "$MOUNTPOINT"
@@ -169,18 +264,20 @@ jobs:
           fi
           if [ "${{ (github.event_name == 'push' && github.ref_type == 'branch' && github.ref_name == 'master') && 'true' || 'false' }}" = "true" ]; then
           export GPG_SIGNING_SUBKEY_FINGERPRINT=${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }}
-          envsubst < "$GITHUB_WORKSPACE/bcachefs-tools/doc/apt.bcachefs.org-README.md" | pandoc --from=markdown --to=html --output="$REPO_ROOT/.footer/README"
+          envsubst < "${{ github.workspace }}/bcachefs-tools/doc/apt.bcachefs.org-README.md" | \
+            pandoc --from=markdown --to=html --output="$REPO_ROOT/.footer/README"
           fi
-          cd "$GITHUB_WORKSPACE/incoming/bin-artifacts"
+          cd "${{ github.workspace }}/incoming/bin-artifacts"
           for DIST in *
           do
-          SRCDIR="$GITHUB_WORKSPACE/incoming/bin-artifacts/$DIST"
+          echo "::group::Distribution $DIST"
+          SRCDIR="${{ github.workspace }}/incoming/bin-artifacts/$DIST"
           cd "$SRCDIR"
           REPO="$REPO_ROOT/$DIST"
           mkdir -p "$REPO/conf/distributions"
-          tee "$REPO/conf/distributions/$SUITE.conf" > /dev/null <<EOT
-          Codename: bcachefs-tools-$SUITE
-          Architectures: source amd64 arm64
+          tee "$REPO/conf/distributions/${{ env.SUITE }}.conf" > /dev/null <<EOT
+          Codename: bcachefs-tools-${{ env.SUITE }}
+          Architectures: source amd64 arm64 ppc64el
           Components: main
           Contents:
           Origin: apt.bcachefs.org
@@ -197,12 +294,13 @@ jobs:
           verbose
           ignore longkeyid
           EOT
-          reprepro --basedir "$REPO" --ignore=wrongdistribution include bcachefs-tools-$SUITE "$GITHUB_WORKSPACE/incoming/src-artifacts/"*.changes
+          reprepro --basedir "$REPO" --ignore=wrongdistribution include bcachefs-tools-${{ env.SUITE }} "${{ github.workspace }}/incoming/src-artifacts/"*.changes
           for f in "$SRCDIR"/*/*.changes
           do
-          reprepro --basedir "$REPO" --ignore=wrongdistribution include bcachefs-tools-$SUITE $f
+          reprepro --basedir "$REPO" --ignore=wrongdistribution include bcachefs-tools-${{ env.SUITE }} $f
           done
           reprepro --basedir "$REPO" createsymlinks
           reprepro --basedir "$REPO" export
+          echo '::endgroup::'
           done
           umount "$MOUNTPOINT" || /bin/true
diff --git a/.github/workflows/deb-reprotest.yml b/.github/workflows/deb-reprotest.yml
index 9d093639..ca8d8913 100644
--- a/.github/workflows/deb-reprotest.yml
+++ b/.github/workflows/deb-reprotest.yml
@@ -23,41 +23,89 @@ on:
 jobs:
   linux:
     runs-on: ${{ inputs.runs-on }}
-    container:
-      image: debian:unstable-slim
-      options: --privileged --cap-add=SYS_ADMIN --security-opt=apparmor:unconfined --tmpfs /tmp:exec --tmpfs /var/lib/schroot/unpack:exec --tmpfs /var/lib/schroot/union/overlay:exec --tmpfs /var/lib/schroot/session:exec --tmpfs /__w/${{ github.event.repository.name }}/${{ github.event.repository.name }}
     permissions:
       id-token: write
       contents: read
       attestations: write
     steps:
-      - name: Install necessary packages
+      - name: Configure baseline system
         timeout-minutes: 1
+        id: init
+        shell: sudo sh "{0}"
         run: |
           set -xe
-          tee /etc/dpkg/dpkg.cfg.d/force-unsafe-io > /dev/null <<EOT
-          force-unsafe-io
-          EOT
-          tee /etc/apt/apt.conf.d/tmpfs > /dev/null <<EOT
-          Dir::Cache::Archives "/tmp/apt/archives";
+          mount -t tmpfs tmpfs ${{ github.workspace }}
+          echo "set man-db/auto-update false" | debconf-communicate
+          dpkg-reconfigure man-db
+          mkdir -p /etc/apt/apt.conf.d
+          mkdir -p /etc/dpkg/dpkg.cfg.d
+          tee /etc/apt/apt.conf.d/99gh > /dev/null <<EOT
           APT::ExtractTemplates::TempDir "/tmp/apt/temp";
-          EOT
-          mkdir -p /tmp/apt/archives
-          tee /etc/apt/apt.conf.d/80retry > /dev/null <<EOT
           Acquire::Retries "10";
-          EOT
-          tee /etc/apt/apt.conf.d/80recommends > /dev/null <<EOT
           APT::Install-Recommends "false";
-          EOT
-          tee /etc/apt/apt.conf.d/80suggests > /dev/null <<EOT
           APT::Install-Suggests "false";
-          EOT
-          tee /etc/apt/apt.conf.d/80forceyes > /dev/null <<EOT
           APT::Get::Assume-Yes "true";
-          EOT
-          tee /etc/apt/apt.conf.d/80fixmissing > /dev/null <<EOT
           APT::Get::Fix-Missing "true";
           EOT
+          tee /etc/dpkg/dpkg.cfg.d/99gh > /dev/null <<EOT
+          force-unsafe-io
+          force-confdef
+          EOT
+          rm -rf /var/lib/apt/lists/*
+          rm -rf /etc/apt/sources.list*
+          tee /etc/apt/sources.list > /dev/null <<EOT
+          deb http://archive.ubuntu.com/ubuntu noble main universe
+          EOT
+          apt update
+          apt install eatmydata
+          eatmydata apt install \
+            podman \
+          ;
+          apt clean
+      - name: Start the container
+        timeout-minutes: 1
+        shell: sudo eatmydata sh "{0}"
+        run: |
+          set -xe
+          export IMAGE=debian:unstable-slim
+          podman pull ${IMAGE}
+          podman run \
+            --name container \
+            --image-volume=tmpfs \
+            --tmpfs=/run \
+            --tmpfs=/tmp \
+            --tmpfs=/var/tmp \
+            --tmpfs=/var/lib/schroot/union/overlay \
+            --volume=/home/runner:/home/runner \
+            --volume=${{ github.workspace }}:${{ github.workspace }} \
+            --privileged \
+            --cap-add=SYS_ADMIN \
+            --security-opt=apparmor:unconfined \
+            --interactive \
+            --tty \
+            --detach \
+            ${IMAGE} \
+            /usr/bin/sh \
+          ;
+      - name: Install necessary packages
+        timeout-minutes: 1
+        shell: sudo podman exec --interactive --tty container sh "{0}"
+        run: |
+          set -xe
+          mkdir -p /etc/apt/apt.conf.d
+          mkdir -p /etc/dpkg/dpkg.cfg.d
+          tee /etc/apt/apt.conf.d/99gh > /dev/null <<EOT
+          APT::ExtractTemplates::TempDir "/tmp/apt/temp";
+          Acquire::Retries "10";
+          APT::Install-Recommends "false";
+          APT::Install-Suggests "false";
+          APT::Get::Assume-Yes "true";
+          APT::Get::Fix-Missing "true";
+          EOT
+          tee /etc/dpkg/dpkg.cfg.d/99gh > /dev/null <<EOT
+          force-unsafe-io
+          force-confdef
+          EOT
           rm -rf /var/lib/apt/lists/*
           rm -rf /etc/apt/sources.list*
           tee /etc/apt/sources.list > /dev/null <<EOT
@@ -82,57 +130,104 @@ jobs:
           apt clean
           USER=`whoami`
           usermod --add-subuids 100000-165535 --add-subgids 100000-165535 $USER
-      - name: Import GPG key
+      - name: Import/Configure GPG
         timeout-minutes: 1
         id: gpg
         if: github.event_name != 'pull_request'
-        uses: crazy-max/ghaction-import-gpg@e89d40939c28e39f97cf32126055eeae86ba74ec # v6.3.0
-        with:
-          gpg_private_key: ${{ secrets.GPG_SECRET_SUBKEYS }}
-          fingerprint: ${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }}
-          trust_level: 5
-      - name: Configure GPG
-        timeout-minutes: 1
-        if: steps.gpg.conclusion != 'skipped'
+        shell: sudo podman exec --interactive --tty container eatmydata sh "{0}"
         run: |
           set -xe
-          gpg --output /etc/apt/trusted.gpg.d/apt.bcachefs.org.asc --armor --export ${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }}
+          gpg --import <<EOT
+          ${{ secrets.GPG_SECRET_SUBKEYS }}
+          EOT
+          set -xe
+          gpg \
+            --output /etc/apt/trusted.gpg.d/apt.bcachefs.org.asc \
+            --armor \
+            --export \
+            ${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }} \
+          ;
           rm -f ~/.gnupg/trustedkeys.gpg
-          gpg --no-default-keyring --keyring ~/.gnupg/trustedkeys.gpg --import /etc/apt/trusted.gpg.d/apt.bcachefs.org.asc
+          gpg \
+            --no-default-keyring \
+            --keyring ~/.gnupg/trustedkeys.gpg \
+            --import \
+            /etc/apt/trusted.gpg.d/apt.bcachefs.org.asc \
+          ;
+      - name: Ensure that the download directory does not exist
+        timeout-minutes: 1
+        run: |
+          set -xe
+          rm -rf "${{ github.workspace }}/deb-src"
       - name: Download source-only .deb to be built
         timeout-minutes: 1
         uses: actions/download-artifact@v5
         with:
           artifact-ids: ${{ inputs.deb-src-artifact-id }}
           path: deb-src
-      - name: Unpack the downloaded tarball
+      - name: Check attestation of all incoming artifact archives
         timeout-minutes: 1
+        if: github.event_name != 'pull_request'
+        env:
+          GH_TOKEN: ${{ github.token }}
         run: |
           set -xe
-          cd "$GITHUB_WORKSPACE/deb-src"
-          tar -xf "$GITHUB_WORKSPACE/deb-src/artifact-src.tar"
-          rm "$GITHUB_WORKSPACE/deb-src/artifact-src.tar"
+          cd "${{ github.workspace }}/deb-src"
+          find . -type f -print0 | xargs --null -I'{}' sh -c "                 \
+            echo '::group::Attestation check for {}' &&                        \
+            (                                                                  \
+              gh attestation verify                                            \
+                {}                                                             \
+                --repo        ${{ github.repository }}                         \
+                --signer-repo ${{ github.repository }}                         \
+                --source-digest ${{ github.sha }}                              \
+                --signer-digest ${{ github.sha }}                              \
+              ||                                                               \
+              (                                                                \
+                echo '::error file={}::NOT ATTESTED!' &&                       \
+                echo '::endgroup::' &&                                         \
+                exit 1                                                         \
+              )                                                                \
+            ) &&                                                               \
+            echo 'ok.' &&                                                      \
+            echo '::endgroup::'                                                \
+          "
+      - name: Unpack the downloaded tarball
+        timeout-minutes: 1
+        shell: sudo podman exec --interactive --tty container eatmydata sh "{0}"
+        run: |
+          set -xe
+          cd "${{ github.workspace }}/deb-src"
+          tar -xf "${{ github.workspace }}/deb-src/artifact-src.tar"
+          rm "${{ github.workspace }}/deb-src/artifact-src.tar"
       - name: Ensure that all incoming source artifacts are signed
         timeout-minutes: 1
         if: steps.gpg.conclusion != 'skipped'
+        shell: sudo podman exec --interactive --tty container eatmydata sh "{0}"
         run: |
           set -xe
-          cd "$GITHUB_WORKSPACE/deb-src"
-          find . -type f -not -iname '*.sig' -print0 | xargs --null -I'{}' sh -c "\
-               echo 'Processing {}' \
-            && ( \
-                 gpg --verbose --no-default-keyring --keyring ~/.gnupg/trustedkeys.gpg --verify {}     \
-              || gpg --verbose --no-default-keyring --keyring ~/.gnupg/trustedkeys.gpg --verify {}.sig \
-              || (echo 'Processing {}: NOT SIGNED!' && exit 1) \
-            ) \
-            && echo 'Processing {}: ok' \
+          cd "${{ github.workspace }}/deb-src"
+          find . -type f -not -iname '*.sig' -print0 | xargs --null -I'{}' sh -c "                     \
+            echo '::group::Signature check for {}' &&                                                  \
+            (                                                                                          \
+              gpg --verbose --no-default-keyring --keyring ~/.gnupg/trustedkeys.gpg --verify {}     || \
+              gpg --verbose --no-default-keyring --keyring ~/.gnupg/trustedkeys.gpg --verify {}.sig || \
+              (                                                                                        \
+                echo '::error file={}::NOT SIGNED!' &&                                                 \
+                echo '::endgroup::' &&                                                                 \
+                exit 1                                                                                 \
+              )                                                                                        \
+            ) &&                                                                                       \
+            echo 'ok.' &&                                                                              \
+            echo '::endgroup::'                                                                        \
           "
       - name: Create container for reprotest
         timeout-minutes: 1
+        shell: sudo podman exec --interactive --tty container eatmydata sh "{0}"
         run: |
           set -xe
           mkdir -p /tmp/chroot/unstable-amd64-sbuild
-          eatmydata mmdebstrap \
+          mmdebstrap \
             --comp=main \
             --variant=apt \
             --skip=output/mknod \
@@ -146,7 +241,10 @@ jobs:
             --aptopt='APT::Get::Fix-Missing "true";' \
             --dpkgopt='force-unsafe-io' \
             --dpkgopt='force-confdef' \
-            unstable /tmp/chroot/unstable-amd64-sbuild http://deb.debian.org/debian
+            unstable \
+            /tmp/chroot/unstable-amd64-sbuild \
+            http://deb.debian.org/debian \
+          ;
           chroot /tmp/chroot/unstable-amd64-sbuild apt update
           mkdir -p /etc/schroot/chroot.d
           tee /etc/schroot/chroot.d/unstable-amd64-sbuild > /dev/null <<EOT
@@ -158,10 +256,21 @@ jobs:
           EOT
       - name: Run reprotest
         timeout-minutes: 10
+        shell: sudo podman exec --interactive --tty container eatmydata sh "{0}"
         run: |
           set -xe
           useradd -U first-user
           useradd -U second-user
-          cd "$GITHUB_WORKSPACE/deb-src"
+          cd "${{ github.workspace }}/deb-src"
           # FIXME: not reproducible without --vary=-build_path
-          eatmydata reprotest --no-diffoscope --vary=-build_path --vary=user_group.available+=first-user:first-user --vary=user_group.available+=second-user:second-user --vary=domain_host.use_sudo=1 "$GITHUB_WORKSPACE/deb-src"/*.dsc -- schroot unstable-amd64-sbuild
+          reprotest \
+            --no-diffoscope \
+            --vary=-build_path \
+            --vary=user_group.available+=first-user:first-user \
+            --vary=user_group.available+=second-user:second-user \
+            --vary=domain_host.use_sudo=1 \
+            "${{ github.workspace }}/deb-src"/*.dsc \
+            -- \
+            schroot \
+            unstable-amd64-sbuild \
+          ;
diff --git a/.github/workflows/deb-src.yml b/.github/workflows/deb-src.yml
index 0f1275b4..55b34bf9 100644
--- a/.github/workflows/deb-src.yml
+++ b/.github/workflows/deb-src.yml
@@ -4,12 +4,6 @@ on:
       runs-on:
         required: true
         type: string
-      dist-name:
-        required: true
-        type: string
-      dist-version:
-        required: true
-        type: string
     outputs:
       deb-src-artifact-id:
         value: ${{ jobs.linux.outputs.deb-src-artifact-id }}
@@ -20,43 +14,88 @@ on:
 jobs:
   linux:
     runs-on: ${{ inputs.runs-on }}
-    container:
-      image: debian:unstable-slim
-      options: --cap-add=SYS_ADMIN --security-opt=apparmor:unconfined --tmpfs /tmp:exec --tmpfs /__w/${{ github.event.repository.name }}/${{ github.event.repository.name }}
     env:
       RUST_VERSION: 1.89.0
       DEBFULLNAME: apt.bcachefs.org CI bot
       DEBEMAIL: linux-bcachefs@vger.kernel.org
-      DEB_SIGN_KEYID: "${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }}"
       DEBPKG_EPOCH: 1
     steps:
-      - name: Install necessary packages
-        timeout-minutes: 2
+      - name: Configure baseline system
+        timeout-minutes: 1
+        id: init
+        shell: sudo sh "{0}"
         run: |
           set -xe
-          tee /etc/dpkg/dpkg.cfg.d/force-unsafe-io > /dev/null <<EOT
-          force-unsafe-io
-          EOT
-          tee /etc/apt/apt.conf.d/tmpfs > /dev/null <<EOT
-          Dir::Cache::Archives "/tmp/apt/archives";
+          mount -t tmpfs tmpfs ${{ github.workspace }}
+          echo "set man-db/auto-update false" | debconf-communicate
+          dpkg-reconfigure man-db
+          mkdir -p /etc/apt/apt.conf.d
+          mkdir -p /etc/dpkg/dpkg.cfg.d
+          tee /etc/apt/apt.conf.d/99gh > /dev/null <<EOT
           APT::ExtractTemplates::TempDir "/tmp/apt/temp";
-          EOT
-          mkdir -p /tmp/apt/archives
-          tee /etc/apt/apt.conf.d/80retry > /dev/null <<EOT
           Acquire::Retries "10";
-          EOT
-          tee /etc/apt/apt.conf.d/80recommends > /dev/null <<EOT
           APT::Install-Recommends "false";
-          EOT
-          tee /etc/apt/apt.conf.d/80suggests > /dev/null <<EOT
           APT::Install-Suggests "false";
-          EOT
-          tee /etc/apt/apt.conf.d/80forceyes > /dev/null <<EOT
           APT::Get::Assume-Yes "true";
-          EOT
-          tee /etc/apt/apt.conf.d/80fixmissing > /dev/null <<EOT
           APT::Get::Fix-Missing "true";
           EOT
+          tee /etc/dpkg/dpkg.cfg.d/99gh > /dev/null <<EOT
+          force-unsafe-io
+          force-confdef
+          EOT
+          rm -rf /var/lib/apt/lists/*
+          rm -rf /etc/apt/sources.list*
+          tee /etc/apt/sources.list > /dev/null <<EOT
+          deb http://archive.ubuntu.com/ubuntu noble main universe
+          EOT
+          apt update
+          apt install eatmydata
+          eatmydata apt install \
+            podman \
+          ;
+          apt clean
+      - name: Start the container
+        timeout-minutes: 1
+        shell: sudo eatmydata sh "{0}"
+        run: |
+          set -xe
+          export IMAGE=debian:unstable-slim
+          podman pull ${IMAGE}
+          podman run \
+            --name container \
+            --image-volume=tmpfs \
+            --tmpfs=/run \
+            --tmpfs=/tmp \
+            --tmpfs=/var/tmp \
+            --volume=/home/runner:/home/runner \
+            --volume=${{ github.workspace }}:${{ github.workspace }} \
+            --cap-add=SYS_ADMIN \
+            --security-opt=apparmor:unconfined \
+            --interactive \
+            --tty \
+            --detach \
+            ${IMAGE} \
+            /usr/bin/sh \
+          ;
+      - name: Install necessary packages
+        timeout-minutes: 1
+        shell: sudo podman exec --interactive --tty container sh "{0}"
+        run: |
+          set -xe
+          mkdir -p /etc/apt/apt.conf.d
+          mkdir -p /etc/dpkg/dpkg.cfg.d
+          tee /etc/apt/apt.conf.d/99gh > /dev/null <<EOT
+          APT::ExtractTemplates::TempDir "/tmp/apt/temp";
+          Acquire::Retries "10";
+          APT::Install-Recommends "false";
+          APT::Install-Suggests "false";
+          APT::Get::Assume-Yes "true";
+          APT::Get::Fix-Missing "true";
+          EOT
+          tee /etc/dpkg/dpkg.cfg.d/99gh > /dev/null <<EOT
+          force-unsafe-io
+          force-confdef
+          EOT
           rm -rf /var/lib/apt/lists/*
           rm -rf /etc/apt/sources.list*
           tee /etc/apt/sources.list > /dev/null <<EOT
@@ -66,8 +105,8 @@ jobs:
           apt install eatmydata
           eatmydata apt full-upgrade
           eatmydata apt install \
-            ${{ inputs.dist-name }}-keyring \
             curl \
+            debian-keyring \
             devscripts \
             git \
             git-buildpackage \
@@ -75,33 +114,40 @@ jobs:
             iproute2 \
             mmdebstrap \
             sbuild \
-            sudo \
             tar \
             uidmap \
             xz-utils \
-            zip
+            zip \
+          ;
           apt clean
           USER=`whoami`
-          sudo usermod --add-subuids 100000-165535 --add-subgids 100000-165535 $USER
-      - name: Import GPG key
+          usermod --add-subuids 100000-165535 --add-subgids 100000-165535 $USER
+      - name: Import/Configure GPG
         timeout-minutes: 1
         id: gpg
         if: github.event_name != 'pull_request'
-        uses: crazy-max/ghaction-import-gpg@e89d40939c28e39f97cf32126055eeae86ba74ec # v6.3.0
-        with:
-          gpg_private_key: ${{ secrets.GPG_SECRET_SUBKEYS }}
-          fingerprint: ${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }}
-          trust_level: 5
-      - name: Configure GPG
-        timeout-minutes: 1
-        if: steps.gpg.conclusion != 'skipped'
+        shell: sudo podman exec --interactive --tty container eatmydata sh "{0}"
         run: |
           set -xe
-          gpg --output /etc/apt/trusted.gpg.d/apt.bcachefs.org.asc --armor --export ${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }}
+          gpg --import <<EOT
+          ${{ secrets.GPG_SECRET_SUBKEYS }}
+          EOT
+          gpg \
+            --output /etc/apt/trusted.gpg.d/apt.bcachefs.org.asc \
+            --armor \
+            --export \
+            ${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }} \
+          ;
           rm -f ~/.gnupg/trustedkeys.gpg
-          gpg --no-default-keyring --keyring ~/.gnupg/trustedkeys.gpg --import /etc/apt/trusted.gpg.d/apt.bcachefs.org.asc
+          gpg \
+            --no-default-keyring \
+            --keyring ~/.gnupg/trustedkeys.gpg \
+            --import \
+            /etc/apt/trusted.gpg.d/apt.bcachefs.org.asc \
+          ;
           tee -a ~/.gnupg/gpg.conf > /dev/null <<EOT
           default-key ${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }}
+          trusted-key ${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }}
           EOT
           tee -a ~/.gbp.conf > /dev/null <<EOT
           [buildpackage]
@@ -113,13 +159,17 @@ jobs:
           EOT
           tee -a ~/.sbuildrc > /dev/null <<EOT
           \$key_id = '${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }}';
-          \$dpkg_buildpackage_user_options = ['--sign-keyid=${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }}', '--force-sign'];
+          \$dpkg_buildpackage_user_options = [
+            '--sign-keyid=${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }}',
+            '--force-sign'
+          ];
           EOT
       - name: Configure sbuild
         timeout-minutes: 1
+        shell: sudo podman exec --interactive --tty container eatmydata sh "{0}"
         run: |
           set -xe
-          BUILD_DIR="$GITHUB_WORKSPACE/deb-src"
+          BUILD_DIR="${{ github.workspace }}/deb-src"
           mkdir -p "$BUILD_DIR"
           tee -a ~/.sbuildrc > /dev/null <<EOT
           \$verbose = 1;
@@ -131,12 +181,18 @@ jobs:
           EOT
           tee -a ~/.sbuildrc > /dev/null <<EOT
           \$external_commands = {
-            'chroot-setup-commands' => [ "export LD_PRELOAD=/usr/lib/$(dpkg-architecture -q DEB_BUILD_GNU_TYPE)/libeatmydata.so" ]
+            'chroot-setup-commands' => [
+              "export LD_PRELOAD=/usr/lib/$(dpkg-architecture -q DEB_BUILD_GNU_TYPE)/libeatmydata.so"
+            ]
           };
           \$build_environment = {
-            "LD_PRELOAD" => "/usr/lib/$(dpkg-architecture -q DEB_BUILD_GNU_TYPE)/libeatmydata.so"
+            "LD_PRELOAD" =>
+              "/usr/lib/$(dpkg-architecture -q DEB_BUILD_GNU_TYPE)/libeatmydata.so"
           };
-          \$environment_filter = [Dpkg::BuildInfo::get_build_env_allowed(), '^LD_PRELOAD$'];
+          \$environment_filter = [
+            Dpkg::BuildInfo::get_build_env_allowed(),
+            '^LD_PRELOAD$'
+          ];
           push @{\$unshare_mmdebstrap_extra_args}, "*", [
             '--include=eatmydata',
             '--hook-dir=/usr/share/mmdebstrap/hooks/eatmydata',
@@ -148,10 +204,11 @@ jobs:
           EOT
       - name: Install Rust / cargo
         timeout-minutes: 1
+        shell: sudo podman exec --interactive --tty container eatmydata sh "{0}"
         run: |
           set -xe
-          eatmydata curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | \
-            eatmydata sh -s -- --default-toolchain $RUST_VERSION --profile minimal -y
+          curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | \
+            sh -s -- --default-toolchain ${{ env.RUST_VERSION }} --profile minimal -y
           . "$HOME/.cargo/env"
       - name: Fetch our git repository
         timeout-minutes: 1
@@ -162,11 +219,15 @@ jobs:
           fetch-tags: true
       - name: Update package version/changelog
         timeout-minutes: 1
+        shell: sudo podman exec --interactive --tty container eatmydata sh "{0}"
         run: |
           set -xe
-          git config --global user.email "${{ env.DEBFULLNAME }}"
-          git config --global user.name "${{ env.DEBEMAIL }}"
-          cd "$GITHUB_WORKSPACE/bcachefs-tools"
+          export DEBFULLNAME="${{ env.DEBFULLNAME }}"
+          export DEBEMAIL="${{ env.DEBEMAIL }}"
+          git config --global user.email "${DEBFULLNAME}"
+          git config --global user.name "${DEBEMAIL}"
+          cd "${{ github.workspace }}/bcachefs-tools"
+          git config --global --add safe.directory .
           CURR_TAG="$(git describe --abbrev=0 --tags $(git rev-list HEAD --tags --skip=0 --max-count=1))"
           PREV_TAG="$(git describe --abbrev=0 --tags $(git rev-list HEAD --tags --skip=1 --max-count=1))"
           NEW_VERSION="${{ env.DEBPKG_EPOCH }}:$(echo $CURR_TAG | sed 's/^v//')"
@@ -179,32 +240,51 @@ jobs:
           fi
       - name: Build the source-only .deb package
         timeout-minutes: 10
+        shell: sudo podman exec --interactive --tty container eatmydata sh "{0}"
         run: |
           set -xe
           . "$HOME/.cargo/env"
-          cd "$GITHUB_WORKSPACE/bcachefs-tools"
-          mkdir -p "$GITHUB_WORKSPACE/deb-src"
+          export DEBFULLNAME="${{ env.DEBFULLNAME }}"
+          export DEBEMAIL="${{ env.DEBEMAIL }}"
+          cd "${{ github.workspace }}/bcachefs-tools"
+          mkdir -p "${{ github.workspace }}/deb-src"
           # FIXME: pubkey is not avaliable in chroot, .dsc signature verification fails
-          eatmydata gbp buildpackage --git-verbose --git-ignore-branch --no-clean --git-dist=${{ inputs.dist-version }} --git-builder=sbuild --source --source-only-changes --no-arch-all --no-arch-any
+          echo '::group::Building the package'
+          gbp buildpackage \
+            --git-verbose \
+            --git-ignore-branch \
+            --no-clean \
+            --git-dist=${{ inputs.dist-version }} \
+            --git-builder=sbuild \
+            --source \
+            --source-only-changes \
+            --no-arch-all \
+            --no-arch-any \
+          ;
+          echo '::endgroup::'
       - name: Ensure that all source artifacts are signed, or sign them
         timeout-minutes: 1
         if: steps.gpg.conclusion != 'skipped'
+        shell: sudo podman exec --interactive --tty container eatmydata sh "{0}"
         run: |
           set -xe
-          cd "$GITHUB_WORKSPACE/deb-src"
-          find . -type f -not -iname '*.sig' -print0 | xargs --null -I'{}' sh -c "\
-            echo 'Processing {}' && ( \
-                 gpg --verbose --no-default-keyring --keyring ~/.gnupg/trustedkeys.gpg --verify {}     \
-              || gpg --verbose --no-default-keyring --keyring ~/.gnupg/trustedkeys.gpg --verify {}.sig \
-              || gpg --verbose --detach-sign {}                                                        \
-            ) \
+          cd "${{ github.workspace }}/deb-src"
+          find . -type f -not -iname '*.sig' -print0 | xargs --null -I'{}' sh -c "                     \
+            echo '::group::Signing {}' &&                                                              \
+            (                                                                                          \
+              gpg --verbose --no-default-keyring --keyring ~/.gnupg/trustedkeys.gpg --verify {}     || \
+              gpg --verbose --no-default-keyring --keyring ~/.gnupg/trustedkeys.gpg --verify {}.sig || \
+              gpg --verbose --detach-sign {}                                                           \
+            ) &&                                                                                       \
+            echo '::endgroup::'                                                                        \
           "
       - name: Archive source build artifacts
         timeout-minutes: 1
+        shell: sudo podman exec --interactive --tty container eatmydata sh "{0}"
         run: |
           set -xe
-          cd "$GITHUB_WORKSPACE/deb-src"
-          tar -cf "$GITHUB_WORKSPACE/deb-src/artifact-src.tar" *
+          cd "${{ github.workspace }}/deb-src"
+          tar -cf "${{ github.workspace }}/deb-src/artifact-src.tar" *
       - name: Attest the source-only .deb package artifact
         timeout-minutes: 1
         if: github.event_name != 'pull_request'
diff --git a/debian/control b/debian/control
index 0345f84a..794ab9dc 100644
--- a/debian/control
+++ b/debian/control
@@ -56,7 +56,8 @@ Depends: ${misc:Depends},
 	 initramfs-tools | linux-initramfs-tool,
 	 linux-headers-generic (>= 6.16) | pve-headers (>= 6.16) [amd64] |
 	 linux-headers-amd64 (>= 6.16) [amd64] | linux-headers-cloud-amd64 (>= 6.16) [amd64] | linux-headers-rt-amd64 (>= 6.16) [amd64] |
-	 linux-headers-arm64 (>= 6.16) [arm64] | linux-headers-cloud-arm64 (>= 6.16) [arm64] | linux-headers-rt-arm64 (>= 6.16) [arm64]
+	 linux-headers-arm64 (>= 6.16) [arm64] | linux-headers-cloud-arm64 (>= 6.16) [arm64] | linux-headers-rt-arm64 (>= 6.16) [arm64] |
+	 linux-headers-ppc64el (>= 6.16) [ppc64el] | linux-headers-cloud-ppc64el (>= 6.16) [ppc64el] | linux-headers-rt-ppc64el (>= 6.16) [ppc64el]
 Pre-Depends: bcachefs-tools (= ${binary:Version}),
 Provides: bcachefs-kernel
 Description: bcachefs kernel module DKMS source