Skip to content

Followup to #190: harden release job and drop arm64 scaffolding#203

Merged
pinodeca merged 4 commits into
mainfrom
followup/package-release-amd64-cleanup
Jun 10, 2026
Merged

Followup to #190: harden release job and drop arm64 scaffolding#203
pinodeca merged 4 commits into
mainfrom
followup/package-release-amd64-cleanup

Conversation

@pinodeca

@pinodeca pinodeca commented Jun 4, 2026

Copy link
Copy Markdown
Contributor

Followup to #190 (merged) addressing review feedback and self-review items that were not part of the squashed merge.

Changes

  • Drop unused arm64 scaffolding — the build/validate matrices and README are amd64-only, so the arm64/aarch64 branches in scripts/package-deb.sh and scripts/validate-deb-package.sh were dead code. They now reject unsupported architectures explicitly. (Addresses the Copilot review comments on Add release package workflow #190 about the arm64 description/implementation mismatch.)
  • Least-privilege permissions — scope contents: write to the release job only; the rest of the workflow runs with contents: read.
  • Publish .deb assets directly — upload the .deb files as release assets instead of wrapping them in zips, matching the README's documented asset names. Removes the now-unused zip step and zip build dependency.
  • Asset integrity — publish a SHA256SUMS file so downloaders can verify release assets; README updated to mention it.

Validation

  • python3 -c "import yaml; yaml.safe_load(...)" on the workflow
  • bash -n on both packaging scripts
  • git diff --check

@pinodeca pinodeca force-pushed the followup/package-release-amd64-cleanup branch from 7503cf4 to 03e4ed9 Compare June 4, 2026 15:40
pinodeca and others added 4 commits June 10, 2026 07:20
@pinodeca @gdecandia
Drop unused arm64 packaging scaffolding
d88d3f9 
The build/validate matrix and README only target amd64, so the arm64
branches in the packaging scripts were dead code. Remove them so the
scripts reject unsupported architectures explicitly.
@pinodeca @gdecandia
Publish .deb assets directly and harden release job
53780cc 
- Scope contents:write to the release job only; the rest of the
  workflow runs read-only (least privilege).
- Upload the .deb files as release assets directly instead of wrapping
  them in zips, matching the README's documented asset names.
- Publish a SHA256SUMS file so downloaders can verify assets.
- Drop the now-unused zip packaging step and build dependency.
@pinodeca @gdecandia
ci: source release tooling from workflow commit, not target tag
74051e1
@gdecandia
Harden Debian package release workflow
b65759a
@pinodeca pinodeca force-pushed the followup/package-release-amd64-cleanup branch from 03e4ed9 to b65759a Compare June 10, 2026 13:05
@pinodeca pinodeca merged commit 3a873fa into main Jun 10, 2026
18 of 19 checks passed
@pinodeca pinodeca deleted the followup/package-release-amd64-cleanup branch June 10, 2026 19:25
@pinodeca pinodeca mentioned this pull request Jun 17, 2026
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@pinodeca @gdecandia