Wire Forge-native release infrastructure
Some checks failed
Cache: Publish Nix / Publish Nix Cache (push) Waiting to run
Build Rust / Cargo Test (push) Successful in 4m14s
Build Site / Next.js Build (push) Failing after 6s
Infra: OpenTofu / OpenTofu (grafana) (push) Successful in 5s
Lint Governance / BEP Metadata (push) Successful in 0s
Build: Android / Android Rust Core Stub (push) Failing after 23s

This commit is contained in:
Conrad Kramer 2026-06-07 05:51:12 -07:00
parent 97c569fb35
commit 002bd382e9
199 changed files with 14268 additions and 185 deletions

View file

@ -0,0 +1,52 @@
# Burrow Native Package Repositories
Burrow publishes native daemon packages through repository formats that Linux
desktops already understand:
- APT repository for Debian and Ubuntu
- RPM repository for Fedora, RHEL-family systems, and openSUSE-family systems
- pacman repository for Arch-family systems
- AUR source package repository for Arch users who prefer local builds
- Flatpak repository descriptor for the GTK GUI, with the daemon still supplied
by a native package
- NixOS flake/module for NixOS
APT, RPM, and pacman repository metadata is signed with OpenPGP signatures
produced by `Scripts/package/google-kms-openpgp.py`. The OpenPGP public keys are
derived from the Google Cloud KMS public keys, while the private RSA signing
operation happens inside Google Cloud KMS. Each repository format has its own
KMS key:
- `package-apt-repository`
- `package-rpm-repository`
- `package-pacman-repository`
- `package-flatpak-repository`
- `package-aur-source`
Build repository metadata from package artifacts with:
```sh
BURROW_PACKAGE_INPUT_DIR=dist/packages \
BURROW_APT_REPO_KMS_PUBLIC_KEY_PEM=.kms/apt.pem \
BURROW_RPM_REPO_KMS_PUBLIC_KEY_PEM=.kms/rpm.pem \
BURROW_PACMAN_REPO_KMS_PUBLIC_KEY_PEM=.kms/pacman.pem \
Scripts/package/build-repositories.sh all
```
The builder writes repository trees under `publish/repositories` by default:
- `apt/dists/<suite>/...`
- `rpm/<channel>/<basearch>/...`
- `arch/burrow/<arch>/...`
- `keys/*.asc`
The Forgejo workflow `.forgejo/workflows/publish-package-repositories.yml`
builds Linux package artifacts, exports KMS public keys, signs repository
metadata through Google KMS, uploads the repository tree as a workflow artifact,
and publishes the tree to the package GCS bucket when `publish_gcs` is enabled.
The workflow authenticates to the Burrow Google project through Authentik-backed
Workload Identity Federation before it calls Google KMS or writes objects.
PackageKit is an optional install frontend. It is not the repository format and
it is not available everywhere. The Flatpak GUI should try PackageKit only as a
convenience path, then degrade to native repository setup instructions.