From 2f0b52bf8599479e1bbdf7086588467a5c73f900 Mon Sep 17 00:00:00 2001
From: Roman Lebedev
Date: Sat, 20 Sep 2025 22:05:10 +0300
Subject: [PATCH 1/4] apt repo readme: mention pinning

---
 .github/workflows/deb-publish.yml | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/.github/workflows/deb-publish.yml b/.github/workflows/deb-publish.yml
index 4aff5a52..5ae266d8 100644
--- a/.github/workflows/deb-publish.yml
+++ b/.github/workflows/deb-publish.yml
@@ -185,6 +185,23 @@ jobs:
+ If you want to ensure that the packages from this repository are always preferred, do:
+
+ mkdir -p /etc/apt/preferences.d
+ sudo cat > "/etc/apt/preferences.d/apt.bcachefs.org.pref " <`,
+ over `Pin: release o=`, because pinning by origin
+ will *actually* pin by the full hostname of APT repository,
+ whereas any repository can claim anything in it's `Origin: ` field,
+ and thus pinning by origin label is inherently insecure!
+
+ For more information, see: https://wiki.debian.org/DebianRepository/UseThirdParty

From 931678d4aa48f57030eaca43b9544c5fbc259a40 Mon Sep 17 00:00:00 2001
From: Roman Lebedev
Date: Sat, 20 Sep 2025 22:46:34 +0300
Subject: [PATCH 2/4] apt repo readme: suggest releases by default

---
 .github/workflows/deb-publish.yml | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/deb-publish.yml b/.github/workflows/deb-publish.yml
index 5ae266d8..8c726df1 100644
--- a/.github/workflows/deb-publish.yml
+++ b/.github/workflows/deb-publish.yml
@@ -168,9 +168,7 @@ jobs:
 Types: deb deb-src
 URIs: https://apt.bcachefs.org/unstable/ # Or replace unstable with your distro's release name
- Suites: bcachefs-tools-snapshot
- # or:
- # Suites: bcachefs-tools-release
+ Suites: bcachefs-tools-release
 Components: main
 Signed-By: /etc/apt/trusted.gpg.d/apt.bcachefs.org.asc
 EOS
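Review bot: The pinning recipe this hunk adds cannot take effect as written: the redirect target `"/etc/apt/preferences.d/apt.bcachefs.org.pref "` has a trailing space inside the quotes, so the file is created with a space in its name and apt skips it (preferences.d only reads names built from the small character set apt accepts, and the `.pref` extension check fails too), and `sudo cat > …` performs the redirection in the caller's unprivileged shell, so it fails with permission denied before sudo runs (`mkdir -p /etc/apt/preferences.d` has the same problem). Write it as `sudo mkdir -p /etc/apt/preferences.d` and `sudo tee /etc/apt/preferences.d/apt.bcachefs.org.pref >/dev/null <<'EOP'`, choosing a delimiter that differs from the README heredoc's own terminator so the workflow heredoc is not closed early. The body of the pin stanza and the hunk's trailing context are not legible in this copy of the patch, so the priority value could not be checked; a value above 1000 would also permit downgrades, which is worth stating in the README if intended. In the explanatory note, `it's` should read `its`.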
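Review bot: With the `# or: / # Suites: bcachefs-tools-release` lines removed, the deb822 stanza no longer tells readers how to get git-master packages; the Note this patch adds in its next hunk sits after the add-apt-repository one-liner only. Keep a full-line comment above the new suite, e.g. `# Or bcachefs-tools-snapshot, for packages built from the latest git master commit` followed by `Suites: bcachefs-tools-release`, so both routes carry the hint. The context line `URIs: … # Or replace unstable with your distro's release name` is pre-existing, but a deb822 parser is likely to read that trailing comment as part of the URIs value, so the same README pass should move it to its own `#` line. The hunk's leading and trailing context is not legible in this copy of the patch.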
@@ -181,9 +179,12 @@ jobs:
 Or you can use add-apt-repository tool:
- sudo add-apt-repository "deb https://apt.bcachefs.org/unstable bcachefs-tools-snapshot main"
+ sudo add-apt-repository "deb https://apt.bcachefs.org/unstable bcachefs-tools-release main"
+ Note: this will give you packages for the latest release of bcachefs-tools.
+ If you need packages for the latest git master commit,
+ replace `bcachefs-tools-release` with `bcachefs-tools-snapshot`.
 If you want to ensure that the packages from this repository are always preferred, do:

From e61199c01f6472eaec0f20ed1e9d1a4d91041f26 Mon Sep 17 00:00:00 2001
From: Roman Lebedev
Date: Sun, 21 Sep 2025 19:46:54 +0300
Subject: [PATCH 3/4] CI: unbreak debian pkg builds for PR's

---
 .github/workflows/deb-buildd.yml | 1 -
 .github/workflows/deb-publish.yml | 2 ++
 .github/workflows/deb-src.yml | 1 -
 3 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/deb-buildd.yml b/.github/workflows/deb-buildd.yml
index affab1b2..3961dc1b 100644
--- a/.github/workflows/deb-buildd.yml
+++ b/.github/workflows/deb-buildd.yml
@@ -119,7 +119,6 @@ jobs:
 EOT
 - name: Configure sbuild
 timeout-minutes: 1
- if: steps.gpg.conclusion != 'skipped'
 run: |
 set -xe
 BUILD_DIR="$GITHUB_WORKSPACE/deb-bin/${{ inputs.dist-version }}/${{ inputs.arch }}"
diff --git a/.github/workflows/deb-publish.yml b/.github/workflows/deb-publish.yml
index 8c726df1..b56374d2 100644
--- a/.github/workflows/deb-publish.yml
+++ b/.github/workflows/deb-publish.yml
@@ -157,7 +157,9 @@ jobs:
 fi
 REPO_ROOT="$MOUNTPOINT/public_html"
 mkdir -p "$REPO_ROOT"
+ if [ -n "${{ secrets.GPG_SECRET_SUBKEYS }}" ]; then
 cp -f /etc/apt/trusted.gpg.d/apt.bcachefs.org.asc "$REPO_ROOT"
+ fi
 cat > "$REPO_ROOT/README.txt" <
Date: Sun, 21 Sep 2025 20:03:29 +0300
Subject: [PATCH 4/4] CI: debian pkgs: re-disable publish job for PR's

---
 .github/workflows/deb-orchestrator.yml | 1 +
 1 file changed, 1 insertion(+)

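Review bot: The new `sudo add-apt-repository "deb https://apt.bcachefs.org/unstable bcachefs-tools-release main"` line carries no `[signed-by=…]` option, unlike the deb822 stanza earlier in the README that has `Signed-By:`, so readers taking this route get no per-repository key scoping at all. Add it: `sudo add-apt-repository "deb [signed-by=/etc/apt/trusted.gpg.d/apt.bcachefs.org.asc] https://apt.bcachefs.org/unstable bcachefs-tools-release main"`. Note, though, that a key stored under `/etc/apt/trusted.gpg.d/` is trusted for every configured source whatever `Signed-By` says; the key-install step is outside this hunk, but the Debian wiki page the README itself cites recommends `/etc/apt/keyrings/` for third-party keys so that the scoping is actually effective, and the README should be consistent with it. The hunk's remaining context lines are not legible in this copy of the patch.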
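Review bot: Dropping `if: steps.gpg.conclusion != 'skipped'` makes "Configure sbuild" run in pull-request builds where the GPG step was skipped; the step's `run:` body continues past the hunk, so anything in it that references the imported key or `steps.gpg` outputs now sees an empty value and must tolerate it (the diffstat shows the same `if:` removed from deb-src.yml, whose hunk is not legible in this copy). A short comment on the step, e.g. `# Also runs for PR builds, where the GPG step is skipped and no signing key is present`, would record why the gate went away. In the same patch's deb-publish.yml hunk, `if [ -n "${{ secrets.GPG_SECRET_SUBKEYS }}" ]; then` splices the secret into the generated shell script at expression-expansion time, which breaks the script if the value contains a double quote or `$` and makes the armored key part of the script text; pass it through the step's `env:` (`GPG_SECRET_SUBKEYS: ${{ secrets.GPG_SECRET_SUBKEYS }}`) and test `if [ -n "$GPG_SECRET_SUBKEYS" ]; then` instead.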
diff --git a/.github/workflows/deb-orchestrator.yml b/.github/workflows/deb-orchestrator.yml
index 9db55061..37c70b22 100644
--- a/.github/workflows/deb-orchestrator.yml
+++ b/.github/workflows/deb-orchestrator.yml
@@ -58,6 +58,7 @@ jobs:
 GPG_SIGNING_SUBKEY_FINGERPRINT: ${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }}
 publish:
 needs: [ source-only, buildd ]
+ if: github.event_name != 'pull_request' && (github.ref_type == 'tag' || (github.ref_type == 'branch' && github.ref_name == 'master'))
 uses: ./.github/workflows/deb-publish.yml
 secrets:
 GPG_SECRET_SUBKEYS: ${{ secrets.GPG_SECRET_SUBKEYS }}
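Review bot: The new `if:` lets publish run on every tag push, not only release tags: `github.ref_type == 'tag'` has no name constraint, so any tag pushed by anyone with write access triggers a signed publish to the apt repository. If release tags follow a fixed prefix, narrow the clause, e.g. `(github.ref_type == 'tag' && startsWith(github.ref_name, 'v'))` (prefix to be confirmed against the project's tagging convention). The `github.event_name != 'pull_request'` clause is redundant given `github.ref_name == 'master'`, since pull_request runs have refs named `<n>/merge`, but it is harmless as belt-and-braces; a comment stating the intent (`# Publish only from master pushes and tag pushes, never from PR builds`) would help the next reader. Stylistically, a 130-character expression on one line is hard to read and diff; writing it as a folded scalar `if: >-` with one clause per line yields the same expression.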