diff --git a/.github/workflows/update-repo.yml b/.github/workflows/update-repo.yml
index 0c7853f..df35e79 100644
--- a/.github/workflows/update-repo.yml
+++ b/.github/workflows/update-repo.yml
@@ -21,30 +21,36 @@ jobs:
 - name: Import GPG Key
 run: |
- # Ensure you have added GPG_PRIVATE_KEY to your GitHub Secrets!
- echo "${{ secrets.GPG_PRIVATE_KEY }}" | gpg --import --batch
+ if [ -z "${{ secrets.GPG_PRIVATE_KEY }}" ]; then
+ echo "ERROR: GPG_PRIVATE_KEY secret is empty!"
+ exit 1
+ fi
+ # Import and set trust to avoid prompt errors
+ echo "${{ secrets.GPG_PRIVATE_KEY }}" | gpg --import --batch --yes
+ echo "236328A7F2C2001E:6:" | gpg --import-ownertrust --batch
 - name: Update Repository Database
 run: |
 cd x86_64
- # Remove all old DB and sig files to ensure a 100% clean rebuild
 rm -f hyprarch-repo.db* hyprarch-repo.files*
 mkdir -p db_temp
+ # GPG Arguments to prevent 'Inappropriate ioctl'
+ # We force loopback pinentry so it doesn't look for a real keyboard/screen
+ GPG_OPTS="--batch --yes --pinentry-mode loopback --local-user 236328A7F2C2001E"
+
 for pkg in *.pkg.tar.zst; do
- # 1. Sign the package file
- gpg --detach-sign --batch --no-armor --local-user 236328A7F2C2001E "$pkg"
+ # 1. Sign the package
+ gpg $GPG_OPTS --detach-sign --no-armor "$pkg"
- # 2. Extract specific metadata (Strict Cleaning)
- # This logic avoids grabbing comments like "# Generated by..."
+ # 2. Extract Metadata
 pkgname=$(bsdtar -xOf "$pkg" .PKGINFO | grep "^pkgname =" | cut -d' ' -f3)
 pkgver=$(bsdtar -xOf "$pkg" .PKGINFO | grep "^pkgver =" | cut -d' ' -f3)
 pkgdesc=$(bsdtar -xOf "$pkg" .PKGINFO | grep "^pkgdesc =" | cut -d' ' -f3- | sed "s/['\"]//g")
 mkdir -p "db_temp/$pkgname-$pkgver"
- # Manually construct a clean 'desc' file for Pacman
 {
 echo "%NAME%"
 echo "$pkgname"
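Review bot: The new `-z` check and the import line in the Import GPG Key step both paste `${{ secrets.GPG_PRIVATE_KEY }}` into the script text, so the private key lands in the generated script file on the runner and anything shell-special in the value is parsed by the shell. Pass it through the step's `env:` (`GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }}`), test it with `[ -z "$GPG_PRIVATE_KEY" ]`, and import it with `printf '%s' "$GPG_PRIVATE_KEY" | gpg --batch --yes --import`. Separately, `gpg --import-ownertrust` expects a full fingerprint before `:6:`, while `236328A7F2C2001E` is a 16-character key ID, so that line is likely rejected as an invalid fingerprint and sets no trust; ownertrust is not needed for signing in any case. The unquoted `$GPG_OPTS` in the loop relies on word splitting; a bash array (`gpg "${GPG_OPTS[@]}" --detach-sign …`) would be sturdier. The loop body continues outside this hunk.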
@@ -65,20 +71,18 @@ jobs:
 echo "$(bsdtar -xOf "$pkg" .PKGINFO | grep "^size =" | cut -d' ' -f3)"
 echo ""
 echo "%PGPSIG%"
- gpg --detach-sign --stdout --no-armor --local-user 236328A7F2C2001E "$pkg" | base64 | tr -d '\n'
+ gpg $GPG_OPTS --detach-sign --stdout --no-armor "$pkg" | base64 | tr -d '\n'
 echo ""
 } > "db_temp/$pkgname-$pkgver/desc"
 done
- # 3. Pack the database metadata
+ # 3. Pack and Sign DB
 cd db_temp
 tar -c * | gzip -9 > ../hyprarch-repo.db.tar.gz
 cd ..
+ gpg $GPG_OPTS --detach-sign --no-armor hyprarch-repo.db.tar.gz
- # 4. Sign the database itself
- gpg --detach-sign --batch --no-armor --local-user 236328A7F2C2001E hyprarch-repo.db.tar.gz
-
- # 5. Finalize files (Ensure both .db and .files are clean)
+ # 4. Finalize
 cp hyprarch-repo.db.tar.gz hyprarch-repo.db
 cp hyprarch-repo.db.tar.gz.sig hyprarch-repo.db.sig
 cp hyprarch-repo.db.tar.gz hyprarch-repo.files
@@ -133,13 +137,13 @@ jobs:
 ' > index.html
- - name: Commit and Push changes
+ - name: Commit and Push
 run: |
 git config --global user.name "github-actions[bot]"
 git config --global user.email "github-actions[bot]@users.noreply.github.com"
 git add .
 if ! git diff-index --quiet HEAD; then
- git commit -m "Final Infrastructure Fix: Clean DB/Files and GPG Signing"
+ git commit -m "Fix GPG ioctl error and rebuild signed DB"
 git push
 else
 echo "Nothing to change."
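Review bot: In the `%PGPSIG%` block of the first hunk on this line (-65,20), a gpg failure is masked by the pipeline: the exit status that counts is `tr`'s, so unless `pipefail` is enabled for the step (not visible here) the `desc` file is written with an empty signature field and the job goes on to pack and publish the database. The package is already signed earlier in the same loop iteration, so the field can reuse that output with `base64 -w0 "$pkg.sig"`, which fails visibly when the signature file is missing and keeps the database entry identical to the published `.sig` instead of embedding a second, different signature. Adding `set -euo pipefail` at the top of the run block would also make the new database-signing line stop the job on failure. The loop and the run block both start outside this hunk.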