Third party software pipeline

ekanayaka.io software

This repository publishes opaque, non-apt software artifacts consumed by infra/ekanayaka.io deployments. It was bootstrapped for the work-area design in infra/ekanayaka.io issue #305 and implementation issue #313.

The repository is intentionally public so ./deploy install can download release assets anonymously over HTTPS.

Published artifacts

Tags are flat and artifact-prefixed:

  • pi-<version> publishes pi-<version>.tar.gz plus pi-<version>.tar.gz.sha256.
  • hermes-<version> publishes hermes-<version>.tar.gz plus hermes-<version>.tar.gz.sha256.

The tarball download URL is:

https://git.ekanayaka.io/infra/ekanayaka.io-software/releases/download/<artifact>-<version>/<artifact>-<version>.tar.gz

The .sha256 sidecar is a normal one-line sha256sum file:

<sha256-hex>  <artifact>-<version>.tar.gz
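The download URL and sidecar format above are enough to write a strict client-side verifier. The following is an added example, not the repository's own ./deploy install code: the release URL scheme is taken from this README, while the function names, the format checks and the constructed sample files in the test are this example's own. It deliberately does not hand the sidecar to sha256sum -c, because -c trusts the filename field to choose which file to hash; instead it checks that the field names exactly the tarball that was downloaded and then hashes that file.

```shell
#!/usr/bin/env sh
# Added example (not the project's code): verify a release tarball against its
# one-line sha256sum sidecar as published under the release URL scheme in
# this README. POSIX sh; needs coreutils sha256sum.
set -eu

RELEASE_BASE="https://git.ekanayaka.io/infra/ekanayaka.io-software/releases/download"

# release_url ARTIFACT VERSION [SUFFIX]
# Prints the asset URL for <artifact>-<version>.tar.gz, or for the .sha256
# sidecar when SUFFIX is ".sha256". URL layout is from the README.
release_url() {
    artifact=$1; version=$2; suffix=${3:-}
    printf '%s/%s-%s/%s-%s.tar.gz%s\n' \
        "$RELEASE_BASE" "$artifact" "$version" "$artifact" "$version" "$suffix"
}

# verify_sidecar TARBALL SIDECAR
# Exit 0 only when SIDECAR is exactly one sha256sum line, the digest field is
# 64 lowercase hex characters, the name field equals the tarball's basename,
# and the digest matches the bytes of TARBALL. Anything else is rejected.
verify_sidecar() {
    tarball=$1; sidecar=$2
    expected_name=$(basename -- "$tarball")

    # Exactly one line: a second entry would otherwise be silently ignored.
    count=$(grep -c '' -- "$sidecar" || true)
    if [ "$count" -ne 1 ]; then
        echo "verify_sidecar: expected 1 line, found $count" >&2; return 1
    fi
    IFS= read -r line < "$sidecar" || [ -n "$line" ]

    # Split "<hex><sep><name>" where sep is "  " (text) or " *" (binary).
    digest=${line%% *}
    rest=${line#"$digest"}
    case $rest in
        "  "*) name=${rest#"  "} ;;
        " *"*) name=${rest#" *"} ;;
        *) echo "verify_sidecar: malformed sha256sum line" >&2; return 1 ;;
    esac

    if [ "${#digest}" -ne 64 ]; then
        echo "verify_sidecar: digest is not 64 characters" >&2; return 1
    fi
    case $digest in
        *[!0-9a-f]*) echo "verify_sidecar: digest is not lowercase hex" >&2; return 1 ;;
    esac

    # The sidecar must name the file we actually fetched, not some other path.
    if [ "$name" != "$expected_name" ]; then
        echo "verify_sidecar: sidecar names '$name', expected '$expected_name'" >&2
        return 1
    fi

    # Hash the downloaded file ourselves rather than letting sha256sum -c pick
    # a file by the (attacker-controlled) name field.
    actual=$(sha256sum -- "$tarball" | cut -d' ' -f1)
    if [ "$actual" != "$digest" ]; then
        echo "verify_sidecar: digest mismatch for $expected_name" >&2; return 1
    fi
    echo "verify_sidecar: OK $expected_name"
}

# fetch_and_verify ARTIFACT VERSION DESTDIR
# Network helper (not exercised offline): downloads both assets over HTTPS
# only, then verifies. The curl flags shown are real curl options.
fetch_and_verify() {
    artifact=$1; version=$2; dest=$3
    base="$artifact-$version.tar.gz"
    for suffix in "" ".sha256"; do
        curl --fail --silent --show-error --location --proto '=https' --tlsv1.2 \
            --output "$dest/$base$suffix" "$(release_url "$artifact" "$version" "$suffix")"
    done
    verify_sidecar "$dest/$base" "$dest/$base.sha256"
}
```

Usage: fetch_and_verify pi 0.74.0 /tmp/pi-dl. Note what this does and does not establish: the sidecar comes from the same origin over the same TLS connection as the tarball, so a match rules out truncation, corruption and an asset uploaded under the wrong name, but not a server or release that has been tampered with as a whole. Authenticity therefore rests on the TLS identity of git.ekanayaka.io and on the tag immutability rules described under Immutability.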

Build source

The Forgejo Actions workflows in .forgejo/workflows/ run on the existing carbon-forge host runner (debian:host, selected in workflow YAML as runs-on: debian). On tag push they check out this repository and then check out infra/ekanayaka.io at the head of its main branch to run the concrete builder scripts:

  • lib/build-pi-tarball
  • lib/build-hermes-tarball

That dependency on infra/ekanayaka.io main is deliberate: artifact tags in this repository identify artifact versions, not a pinned IaC commit. Renaming or moving the builder scripts in infra/ekanayaka.io must be coordinated with these workflows.

Immutability

Tags are the release identity. Do not delete, move, or force-push an existing pi-* or hermes-* tag. If the same upstream version must be rebuilt, publish it under a new tag with a bumped release suffix (for example pi-0.74.0-1 following pi-0.74.0) rather than reusing the existing tag.

Issue #313 verification found that this Forgejo instance currently allows force-updating and deleting ordinary tags. Treat the release tags as operator-enforced append-only state until tag protection is configured. The workflow also refuses to append an asset whose filename already exists on a release, so a rerun against an already-populated release fails instead of silently replacing bytes.