Some checks failed
Cache: Publish Nix / Publish Nix Cache (push) Waiting to run
Build Rust / Cargo Test (push) Successful in 4m14s
Build Site / Next.js Build (push) Failing after 6s
Infra: OpenTofu / OpenTofu (grafana) (push) Successful in 5s
Lint Governance / BEP Metadata (push) Successful in 0s
Build: Android / Android Rust Core Stub (push) Failing after 23s
52 lines
2.1 KiB
Markdown
52 lines
2.1 KiB
Markdown
# Burrow Native Package Repositories
|
|
|
|
Burrow publishes native daemon packages through repository formats that Linux
|
|
desktops already understand:
|
|
|
|
- APT repository for Debian and Ubuntu
|
|
- RPM repository for Fedora, RHEL-family systems, and openSUSE-family systems
|
|
- pacman repository for Arch-family systems
|
|
- AUR source package repository for Arch users who prefer local builds
|
|
- Flatpak repository descriptor for the GTK GUI, with the daemon still supplied
|
|
by a native package
|
|
- NixOS flake/module for NixOS
|
|
|
|
APT, RPM, and pacman repository metadata is signed with OpenPGP signatures
|
|
produced by `Scripts/package/google-kms-openpgp.py`. The OpenPGP public keys are
|
|
derived from the Google Cloud KMS public keys, while the private RSA signing
|
|
operation happens inside Google Cloud KMS. Each repository format has its own
|
|
KMS key:
|
|
|
|
- `package-apt-repository`
|
|
- `package-rpm-repository`
|
|
- `package-pacman-repository`
|
|
- `package-flatpak-repository`
|
|
- `package-aur-source`
|
|
|
|
Build repository metadata from package artifacts with:
|
|
|
|
```sh
|
|
BURROW_PACKAGE_INPUT_DIR=dist/packages \
|
|
BURROW_APT_REPO_KMS_PUBLIC_KEY_PEM=.kms/apt.pem \
|
|
BURROW_RPM_REPO_KMS_PUBLIC_KEY_PEM=.kms/rpm.pem \
|
|
BURROW_PACMAN_REPO_KMS_PUBLIC_KEY_PEM=.kms/pacman.pem \
|
|
Scripts/package/build-repositories.sh all
|
|
```
|
|
|
|
The builder writes repository trees under `publish/repositories` by default:
|
|
|
|
- `apt/dists/<suite>/...`
|
|
- `rpm/<channel>/<basearch>/...`
|
|
- `arch/burrow/<arch>/...`
|
|
- `keys/*.asc`
|
|
|
|
The Forgejo workflow `.forgejo/workflows/publish-package-repositories.yml`
|
|
builds Linux package artifacts, exports KMS public keys, signs repository
|
|
metadata through Google KMS, uploads the repository tree as a workflow artifact,
|
|
and publishes the tree to the package GCS bucket when `publish_gcs` is enabled.
|
|
The workflow authenticates to the Burrow Google project through Authentik-backed
|
|
Workload Identity Federation before it calls Google KMS or writes objects.
|
|
|
|
PackageKit is an optional install frontend. It is not the repository format and
|
|
it is not available everywhere. The Flatpak GUI should try PackageKit only as a
|
|
convenience path, then degrade to native repository setup instructions.
|