From 124105efca874e7665c07b60f6337ddd88de24e2 Mon Sep 17 00:00:00 2001 From: Richard Tibbles Date: Tue, 3 Mar 2026 22:11:06 -0800 Subject: [PATCH] fix: use dynamic series detection and fix debsign - setup_ppa.sh: detect Ubuntu series from /etc/os-release instead of hardcoding jammy; require PPA_SERIES env var for non-Ubuntu systems - build_debian.yml: patch debian/changelog distribution to match the runner's OS at build time so copy-to-series finds the uploaded package; configure allow-loopback-pinentry for GPG signing - installtest.yml: build job outputs detected series, test jobs pass it to setup_ppa.sh via PPA_SERIES for Debian containers - Makefile sign-and-upload: use --passphrase-file instead of inline --passphrase (avoids shell quoting issues); use $GPG_KEY_ID with -k flag (was set but never used); use shell expansion ($$) not Make expansion ($()) for env vars Co-Authored-By: Claude Opus 4.6 --- .github/workflows/build_debian.yml | 9 ++++++++- .github/workflows/installtest.yml | 10 ++++++++++ Makefile | 7 +++++-- test/setup_ppa.sh | 11 ++++++++++- 4 files changed, 33 insertions(+), 4 deletions(-) diff --git a/.github/workflows/build_debian.yml b/.github/workflows/build_debian.yml index 8d4faf3..da5e82c 100644 --- a/.github/workflows/build_debian.yml +++ b/.github/workflows/build_debian.yml @@ -43,6 +43,11 @@ jobs: steps: - name: checkout codebase uses: actions/checkout@v4 + - name: Set changelog distribution to runner series + run: | + SERIES=$(. /etc/os-release && echo "$VERSION_CODENAME") + sed -i "1s/) [a-z]*;/) ${SERIES};/" debian/changelog + echo "Targeting series: ${SERIES}" - name: Install build and upload dependencies run: make install-upload-deps - name: Install Kolibri 
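Review bot: The added "Set changelog distribution to runner series" step never checks that `SERIES` is non-empty or that the `sed` actually substituted anything. `sed -i` exits 0 on a no-op, and the pattern `) [a-z]*;` does not match a first line whose distribution is `UNRELEASED` or contains a hyphen, so the step can print "Targeting series" while debian/changelog is unchanged. I would add `[ -n "$SERIES" ] || { echo "VERSION_CODENAME is empty" >&2; exit 1; }` before the `sed` and `head -n1 debian/changelog | grep -q ") ${SERIES};"` after it. The same unchecked detection appears in the "Detect runner series" step added to installtest.yml, where an empty value would be written to `$GITHUB_OUTPUT` as-is.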
@@ -68,6 +73,8 @@ jobs: if: steps.check_source.outputs.already_uploaded != 'true' run: | echo -n "${{ secrets.GPG_SIGNING_KEY }}" | base64 --decode | gpg --import --no-tty --batch --yes + echo "allow-loopback-pinentry" >> ~/.gnupg/gpg-agent.conf + gpgconf --kill gpg-agent - name: Sign and upload package if: steps.check_source.outputs.already_uploaded != 'true' env: @@ -119,7 +126,7 @@ jobs: LP_CREDENTIALS: ${{ secrets.LP_CREDENTIALS }} run: | echo "$LP_CREDENTIALS" > /tmp/lp-creds.txt - - name: Copy from jammy to supported series + - name: Copy to other supported series env: LP_CREDENTIALS_FILE: /tmp/lp-creds.txt run: | diff --git a/.github/workflows/installtest.yml b/.github/workflows/installtest.yml index 47760a9..e0cea8a 100644 --- a/.github/workflows/installtest.yml +++ b/.github/workflows/installtest.yml @@ -10,9 +10,17 @@ jobs: build: name: Build kolibri-server .deb package runs-on: ubuntu-latest + outputs: + ppa_series: ${{ steps.detect_series.outputs.PPA_SERIES }} steps: - name: Checkout codebase uses: actions/checkout@v4 + - name: Detect runner series + id: detect_series + run: | + SERIES=$(. /etc/os-release && echo "$VERSION_CODENAME") + echo "PPA_SERIES=${SERIES}" >> "$GITHUB_OUTPUT" + echo "Detected series: ${SERIES}" - name: Install build dependencies run: make install-build-deps - name: Install Kolibri @@ -47,6 +55,8 @@ jobs: ln -s /usr/share/zoneinfo/America/New_York /etc/localtime dpkg-reconfigure -f noninteractive tzdata - name: Setup Kolibri PPA + env: + PPA_SERIES: ${{ needs.build.outputs.ppa_series }} run: ./test/setup_ppa.sh - name: Configure debconf selections run: | diff --git a/Makefile b/Makefile index 95abaea..942fa70 100644 --- a/Makefile +++ b/Makefile 
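Review bot: The import line directly above the two added lines still expands `${{ secrets.GPG_SIGNING_KEY }}` into the script text, whereas the LP credentials step later in this file passes its secret through `env:`. Inline expansion places the key material in the generated script file and lets the shell interpret its content. Declaring `env: GPG_SIGNING_KEY: ${{ secrets.GPG_SIGNING_KEY }}` on the step and reading it with `printf '%s' "$GPG_SIGNING_KEY" | base64 --decode | gpg --import --no-tty --batch --yes` avoids both. A short comment on the added `allow-loopback-pinentry` line saying that it is needed for the non-interactive `--pinentry-mode loopback` signing in the Makefile would also help. The step's `name:` line is outside the hunk.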
@@ -53,10 +53,13 @@ dist: error-pages orig dpkg-buildpackage -S -us -uc mv ../kolibri-server_$(VERSION)* dist/ @echo "Package built successfully!" -# build and sign (signing uses environment GPG_PASSPHRASE and KEYID) +# build and sign (signing uses environment GPG_KEY_ID and GPG_PASSPHRASE) sign-and-upload: dist @echo "Signing and uploading package..." - debsign -p"gpg --batch --yes --pinentry-mode loopback --passphrase $(GPG_PASSPHRASE)" dist/*.changes + @printf '%s' "$$GPG_PASSPHRASE" > /tmp/.gpg-passphrase + debsign -p"gpg --batch --pinentry-mode loopback --passphrase-file /tmp/.gpg-passphrase" \ + -k"$$GPG_KEY_ID" dist/*.changes + @rm -f /tmp/.gpg-passphrase @echo "Uploading to PPA..." dput --unchecked ppa:learningequality/kolibri-proposed dist/*.changes @echo "Upload completed successfully!" diff --git a/test/setup_ppa.sh b/test/setup_ppa.sh index f5d539e..0ed7528 100755 --- a/test/setup_ppa.sh +++ b/test/setup_ppa.sh @@ -5,9 +5,18 @@ set -e SUDO="" [ "$(id -u)" != "0" ] && SUDO="sudo" +# Detect Ubuntu series for PPA source line +# On Ubuntu: use the OS codename. On non-Ubuntu (e.g. Debian): require PPA_SERIES env var. +. /etc/os-release +if [ "$ID" = "ubuntu" ]; then + SERIES="$VERSION_CODENAME" +else + SERIES="${PPA_SERIES:?PPA_SERIES must be set for non-Ubuntu systems (e.g. PPA_SERIES=noble)}" +fi + gpg --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys DC5BAA93F9E4AE4F0411F97C74F88ADB3194DD81 gpg --output /tmp/learningequality-kolibri.gpg --export DC5BAA93F9E4AE4F0411F97C74F88ADB3194DD81 $SUDO mv /tmp/learningequality-kolibri.gpg /usr/share/keyrings/learningequality-kolibri.gpg -echo "deb [signed-by=/usr/share/keyrings/learningequality-kolibri.gpg] http://ppa.launchpad.net/learningequality/kolibri/ubuntu jammy main" \ +echo "deb [signed-by=/usr/share/keyrings/learningequality-kolibri.gpg] http://ppa.launchpad.net/learningequality/kolibri/ubuntu $SERIES main" \ | $SUDO tee /etc/apt/sources.list.d/learningequality-ubuntu-kolibri.list > /dev/null
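Review bot: The passphrase in `sign-and-upload` is written to the fixed path `/tmp/.gpg-passphrase` under the default umask, and the `rm -f` never runs if `debsign` fails, because make stops at the first failing recipe line. On a shared build host the file may therefore be readable by other local users and can be left behind after a failed signing. I would create the file with `mktemp` under `umask 077` and remove it from an `EXIT` trap, all in one shell invocation so the cleanup runs on failure as well. Separately, an unset `GPG_KEY_ID` now yields `-k""`; a guard such as `test -n "$$GPG_KEY_ID"` would fail earlier with a clearer message.

```makefile
sign-and-upload: dist
	@echo "Signing and uploading package..."
	@set -e; umask 077; \
	pass_file=$$(mktemp); \
	trap 'rm -f "$$pass_file"' EXIT; \
	printf '%s' "$$GPG_PASSPHRASE" > "$$pass_file"; \
	debsign -p"gpg --batch --pinentry-mode loopback --passphrase-file $$pass_file" \
		-k"$$GPG_KEY_ID" dist/*.changes
# … unchanged: dput upload to ppa:learningequality/kolibri-proposed …
```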
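Review bot: `$SERIES` is written into the `deb` line under /etc/apt/sources.list.d with no check on its content, whichever branch of the added `if` set it. An empty `VERSION_CODENAME` on the Ubuntu branch, or a `PPA_SERIES` value containing whitespace or other unexpected characters, would produce a malformed or unintended source entry that only surfaces later at `apt update`. A guard right after the `fi` would fail early: `case "$SERIES" in ''|*[!a-z]*) echo "invalid series: $SERIES" >&2; exit 1 ;; esac`. The script's shebang and the later apt steps are outside the hunk.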