burrow/package/repositories/README.md
Conrad Kramer 002bd382e9
Some checks failed
Cache: Publish Nix / Publish Nix Cache (push) Waiting to run
Build Rust / Cargo Test (push) Successful in 4m14s
Build Site / Next.js Build (push) Failing after 6s
Infra: OpenTofu / OpenTofu (grafana) (push) Successful in 5s
Lint Governance / BEP Metadata (push) Successful in 0s
Build: Android / Android Rust Core Stub (push) Failing after 23s
Wire Forge-native release infrastructure
2026-06-07 05:51:12 -07:00

2.1 KiB

Burrow Native Package Repositories

Burrow publishes native daemon packages through repository formats that Linux desktops already understand:

  • APT repository for Debian and Ubuntu
  • RPM repository for Fedora, RHEL-family systems, and openSUSE-family systems
  • pacman repository for Arch-family systems
  • AUR source package repository for Arch users who prefer local builds
  • Flatpak repository descriptor for the GTK GUI, with the daemon still supplied by a native package
  • NixOS flake/module for NixOS

APT, RPM, and pacman repository metadata is signed with OpenPGP signatures produced by Scripts/package/google-kms-openpgp.py. The OpenPGP public keys are derived from the Google Cloud KMS public keys, while the private RSA signing operation happens inside Google Cloud KMS. Each repository format has its own KMS key:

  • package-apt-repository
  • package-rpm-repository
  • package-pacman-repository
  • package-flatpak-repository
  • package-aur-source

Build repository metadata from package artifacts with:

BURROW_PACKAGE_INPUT_DIR=dist/packages \
BURROW_APT_REPO_KMS_PUBLIC_KEY_PEM=.kms/apt.pem \
BURROW_RPM_REPO_KMS_PUBLIC_KEY_PEM=.kms/rpm.pem \
BURROW_PACMAN_REPO_KMS_PUBLIC_KEY_PEM=.kms/pacman.pem \
Scripts/package/build-repositories.sh all

The builder writes repository trees under publish/repositories by default:

  • apt/dists/<suite>/...
  • rpm/<channel>/<basearch>/...
  • arch/burrow/<arch>/...
  • keys/*.asc

The Forgejo workflow .forgejo/workflows/publish-package-repositories.yml builds Linux package artifacts, exports KMS public keys, signs repository metadata through Google KMS, uploads the repository tree as a workflow artifact, and publishes the tree to the package GCS bucket when publish_gcs is enabled. The workflow authenticates to the Burrow Google project through Authentik-backed Workload Identity Federation before it calls Google KMS or writes objects.

PackageKit is an optional install frontend. It is not the repository format and it is not available everywhere. The Flatpak GUI should try PackageKit only as a convenience path, then degrade to native repository setup instructions.