Merge pull request #415 from LebedevRI/debian

apt repo readme: mention pinning

.github/workflows/deb-buildd.yml

@@ -119,7 +119,6 @@ jobs:
           EOT
       - name: Configure sbuild
         timeout-minutes: 1
-        if: steps.gpg.conclusion != 'skipped'
         run: |
           set -xe
           BUILD_DIR="$GITHUB_WORKSPACE/deb-bin/${{ inputs.dist-version }}/${{ inputs.arch }}"

.github/workflows/deb-orchestrator.yml

@@ -58,6 +58,7 @@ jobs:
       GPG_SIGNING_SUBKEY_FINGERPRINT: ${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }}
   publish:
     needs: [ source-only, buildd ]
+    if: github.event_name != 'pull_request' && (github.ref_type == 'tag' || (github.ref_type == 'branch' && github.ref_name == 'master'))
     uses: ./.github/workflows/deb-publish.yml
     secrets:
       GPG_SECRET_SUBKEYS: ${{ secrets.GPG_SECRET_SUBKEYS }}

.github/workflows/deb-publish.yml

@@ -157,7 +157,9 @@ jobs:
           fi
           REPO_ROOT="$MOUNTPOINT/public_html"
           mkdir -p "$REPO_ROOT"
+          if [ -n "${{ secrets.GPG_SECRET_SUBKEYS }}" ]; then
           cp -f /etc/apt/trusted.gpg.d/apt.bcachefs.org.asc "$REPO_ROOT"
+          fi
           cat > "$REPO_ROOT/README.txt" <<EOR
           To add this repository to your computer, do:
 
@@ -168,9 +170,7 @@ jobs:
           Types: deb deb-src
           URIs: https://apt.bcachefs.org/unstable/
           # Or replace unstable with your distro's release name
-          Suites: bcachefs-tools-snapshot
-          # or:
-          # Suites: bcachefs-tools-release
+          Suites: bcachefs-tools-release
           Components: main
           Signed-By: /etc/apt/trusted.gpg.d/apt.bcachefs.org.asc
           EOS
@@ -181,9 +181,29 @@ jobs:
           Or you can use add-apt-repository tool:
 
 
-          sudo add-apt-repository "deb https://apt.bcachefs.org/unstable bcachefs-tools-snapshot main"
+          sudo add-apt-repository "deb https://apt.bcachefs.org/unstable bcachefs-tools-release main"
 
 
+          Note: this will give you packages for the latest release of bcachefs-tools.
+          If you need packages for the latest git master commit,
+          replace `bcachefs-tools-release` with `bcachefs-tools-snapshot`.
+
+          If you want to ensure that the packages from this repository are always preferred, do:
+
+          mkdir -p /etc/apt/preferences.d
+          sudo cat > "/etc/apt/preferences.d/apt.bcachefs.org.pref " <<EOP
+          Package: *
+          Pin: origin apt.bcachefs.org
+          Pin-Priority: 1000
+          EOP
+
+
+          Note that yes, you should always prefer `Pin: origin <hostname>`,
+          over `Pin: release o=<origin>`, because pinning by origin
+          will *actually* pin by the full hostname of APT repository,
+          whereas any repository can claim anything in it's `Origin: ` field,
+          and thus pinning by origin label is inherently insecure!
+
 
           For more information, see:
           https://wiki.debian.org/DebianRepository/UseThirdParty

.github/workflows/deb-src.yml

@@ -116,7 +116,6 @@ jobs:
           EOT
       - name: Configure sbuild
         timeout-minutes: 1
-        if: steps.gpg.conclusion != 'skipped'
         run: |
           set -xe
           BUILD_DIR="$GITHUB_WORKSPACE/deb-src"