Skip to content

fix: dynamic series detection and debsign#117

Merged
rtibbles merged 1 commit intomainfrom
fix/dynamic-series-and-debsign
Mar 4, 2026
Merged

fix: dynamic series detection and debsign#117
rtibbles merged 1 commit intomainfrom
fix/dynamic-series-and-debsign

Conversation

@rtibbles
Copy link
Member

@rtibbles rtibbles commented Mar 4, 2026

Summary

  • Dynamic series detection: Replace hardcoded jammy everywhere with auto-detection from /etc/os-release. When ubuntu-latest moves to 26.04, everything transitions seamlessly.
  • Fix debsign signing: Use --passphrase-file and -k $GPG_KEY_ID instead of broken -p"gpg --passphrase $(MAKE_VAR)" approach that mangled arguments.
  • Fix copy-to-series: Was silently doing nothing because it looked for packages in noble (runner OS) but they were uploaded to jammy (changelog). Now the changelog distribution is patched to match the runner at build time.

Changes

File What changed
test/setup_ppa.sh Auto-detect Ubuntu series; require PPA_SERIES env var for Debian
Makefile Fix sign-and-upload: --passphrase-file, -k $$GPG_KEY_ID, shell ($$) not Make ($()) expansion
build_debian.yml Patch changelog distribution at build time; configure allow-loopback-pinentry
installtest.yml Build job outputs detected series → test jobs pass it as PPA_SERIES

Test plan

  • setup_ppa.sh tested on Ubuntu container (auto-detects noble)
  • setup_ppa.sh tested on Debian container with PPA_SERIES=noble
  • setup_ppa.sh tested on Debian container without PPA_SERIES (errors with helpful message)
  • Changelog sed patching verified (jammynoble on line 1 only)
  • debsign with --passphrase-file tested end-to-end with passphrase-protected key
  • CI install tests pass
  • build_debian.yml succeeds on next release (requires secrets)

🤖 Generated with Claude Code

@rtibbles @claude
fix: use dynamic series detection and fix debsign
124105e 
- setup_ppa.sh: detect Ubuntu series from /etc/os-release instead of
  hardcoding jammy; require PPA_SERIES env var for non-Ubuntu systems
- build_debian.yml: patch debian/changelog distribution to match the
  runner's OS at build time so copy-to-series finds the uploaded package;
  configure allow-loopback-pinentry for GPG signing
- installtest.yml: build job outputs detected series, test jobs pass it
  to setup_ppa.sh via PPA_SERIES for Debian containers
- Makefile sign-and-upload: use --passphrase-file instead of inline
  --passphrase (avoids shell quoting issues); use $GPG_KEY_ID with -k
  flag (was set but never used); use shell expansion ($$) not Make
  expansion ($()) for env vars

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@rtibbles rtibbles merged commit 45040b8 into main Mar 4, 2026
14 checks passed
@rtibbles rtibbles deleted the fix/dynamic-series-and-debsign branch March 4, 2026 06:21
bjester
bjester reviewed Mar 4, 2026
View reviewed changes
Makefile
@printf '%s' "$$GPG_PASSPHRASE" > /tmp/.gpg-passphrase
debsign -p"gpg --batch --pinentry-mode loopback --passphrase-file /tmp/.gpg-passphrase" \
-k"$$GPG_KEY_ID" dist/*.changes
@rm -f /tmp/.gpg-passphrase
Copy link
Member

@bjester bjester Mar 4, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If debsign fails, this never occurs.

This was referenced Mar 21, 2026
Merged
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@bjester bjester bjester left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@rtibbles @bjester