Update .github/workflows/update-repo.yml

.github/workflows/update-repo.yml

@@ -1,4 +1,4 @@
-name: Update Arch Repository
+name: Update Arch Repository 
 
 on:
   push:
@@ -23,29 +23,21 @@ jobs:
       - name: Build and Sign Repository
         run: |
           cd x86_64
-          # Remove ALL old metadata and symlinks to start fresh
           rm -f hyprarch-repo.db* hyprarch-repo.files*
           
-          # 1. Export public key
           gpg --export --armor 236328A7F2C2001E > pubkey.gpg
 
-          # 2. Sign packages (Force BINARY by removing --armor)
+          # --- FIX: DETACHED BINARY SIGNATURES ---
           for pkg in *.pkg.tar.zst; do
-            echo "${{ secrets.GPG_PASSPHRASE }}" | gpg --batch --yes --pinentry-mode loopback --local-user 236328A7F2C2001E --passphrase-fd 0 --detach-sign "$pkg"
+            echo "${{ secrets.GPG_PASSPHRASE }}" | gpg --batch --yes --pinentry-mode loopback --local-user 236328A7F2C2001E --passphrase-fd 0 --no-armor --detach-sign "$pkg"
           done
           
-          # 3. Build DB using Python helper (Ensure you updated the script on the Pi as well)
           python3 ~/build_db.py
           
-          # 4. Finalize Files (NO SYMLINKS)
+          # --- FIX: NO SYMLINKS, BINARY DB SIGNATURE ---
-          # We manually copy instead of linking so the web server sees real files
           cp hyprarch-repo.db.tar.gz hyprarch-repo.db
           cp hyprarch-repo.db.tar.gz hyprarch-repo.files
-          
+          echo "${{ secrets.GPG_PASSPHRASE }}" | gpg --batch --yes --pinentry-mode loopback --local-user 236328A7F2C2001E --passphrase-fd 0 --no-armor --detach-sign hyprarch-repo.db
-          # 5. Sign the DB (Binary)
-          echo "${{ secrets.GPG_PASSPHRASE }}" | gpg --batch --yes --pinentry-mode loopback --local-user 236328A7F2C2001E --passphrase-fd 0 --detach-sign hyprarch-repo.db
-          
-          # 6. Ensure .sig files match the main files exactly
           cp hyprarch-repo.db.sig hyprarch-repo.db.tar.gz.sig
 
       - name: Generate Subfolder Index
@@ -76,10 +68,7 @@ jobs:
                   a:hover { text-decoration: underline; }
                   .container { max-width: 900px; margin: auto; background: #3b4252; padding: 20px; border-radius: 8px; }
                   h1 { border-bottom: 2px solid #4c566a; padding-bottom: 10px; color: #81a1c1; }
-                  h2 { color: #a3be8c; margin-top: 30px; }
                   pre { background: #2e3440; padding: 15px; border-radius: 5px; color: #ebcb8b; overflow-x: auto; border: 1px solid #4c566a; }
-                  code { color: #d08770; }
-                  .step { background: #434c5e; padding: 10px 15px; border-left: 4px solid #81a1c1; margin: 10px 0; }
               </style>
           </head>
           <body>
@@ -91,9 +80,6 @@ jobs:
                   <pre>[hyprarch-repo]
           SigLevel = Required DatabaseOptional
           Server = https://repo.stuple.net/\$arch</pre>
-                  <h2>3. Sync</h2>
-                  <div class="step"><code>sudo pacman -Syy</code></div>
-                  <hr style="margin-top:40px; border: 0; border-top: 1px solid #4c566a;">
                   <p><a href="./x86_64/">📁 Browse File Index</a></p>
                   <p><small>Last updated: '$(date)'</small></p>
               </div>
@@ -101,9 +87,15 @@ jobs:
           </html>
           EOF
 
-      - name: Deploy to Local Web Folder
+      - name: Deploy and Fix Permissions
         run: |
-          # Clean the destination first to ensure no old symlinks remain
+          # 1. Clean destination
           rm -rf /var/www/hyprarch-repo/x86_64/*
           mkdir -p /var/www/hyprarch-repo/x86_64
-          cp -rf . /var/www/hyprarch-repo/
+          
+          # 2. Copy files
+          cp -rf . /var/www/hyprarch-repo/
+          
+          # 3. Ensure Nginx (www-data) can read them
+          sudo chown -R stui:www-data /var/www/hyprarch-repo
+          sudo chmod -R 755 /var/www/hyprarch-repo