From 37f0832effc78eb184e212f911d44e7dbb11c547 Mon Sep 17 00:00:00 2001
From: Richard Tibbles
Date: Fri, 20 Mar 2026 16:32:02 -0700
Subject: [PATCH] fix: debsign argument parsing, PPA_SERIES precedence, passphrase cleanup

- Makefile: validate GPG_KEY_ID and GPG_PASSPHRASE are set before signing; space-separate -k from its value so empty key ID doesn't eat the filename
- setup_ppa.sh: PPA_SERIES env var takes precedence when set, ensuring all CI containers use the same series regardless of OS
- build_debian.yml: cleanup step also removes GPG passphrase temp file
Co-Authored-By: Claude Opus 4.6 (1M context)
---
 .github/workflows/build_debian.yml | 4 ++--
 Makefile | 4 +++-
 test/setup_ppa.sh | 10 +++++++---
 3 files changed, 12 insertions(+), 6 deletions(-)

diff --git a/.github/workflows/build_debian.yml b/.github/workflows/build_debian.yml
index da5e82c..583e87d 100644
--- a/.github/workflows/build_debian.yml
+++ b/.github/workflows/build_debian.yml
@@ -81,9 +81,9 @@ jobs:
 GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
 GPG_KEY_ID: ${{ secrets.GPG_KEY_ID }}
 run: make sign-and-upload
- - name: Cleanup Launchpad credentials
+ - name: Cleanup credentials
 if: always()
- run: rm -f /tmp/lp-creds.txt
+ run: rm -f /tmp/lp-creds.txt /tmp/.gpg-passphrase
 wait_for_source_builds:
 needs:
 - check_version
diff --git a/Makefile b/Makefile
index 942fa70..453cf11 100644
--- a/Makefile
+++ b/Makefile
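Review bot: The `Cleanup credentials` step in build_debian.yml now hard-codes `/tmp/.gpg-passphrase`, a path that is otherwise defined only in the Makefile's `sign-and-upload` recipe, so a later change on either side would leave the passphrase file on the runner without any step failing. A comment on the step would record the coupling, for example `# /tmp/.gpg-passphrase is written by "make sign-and-upload"; keep this path in sync with the Makefile`. The job this step belongs to starts outside the hunk.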
@@ -56,9 +56,11 @@ dist: error-pages orig
 # build and sign (signing uses environment GPG_KEY_ID and GPG_PASSPHRASE)
 sign-and-upload: dist
 @echo "Signing and uploading package..."
+ @test -n "$$GPG_KEY_ID" || { echo "Error: GPG_KEY_ID is not set"; exit 1; }
+ @test -n "$$GPG_PASSPHRASE" || { echo "Error: GPG_PASSPHRASE is not set"; exit 1; }
 @printf '%s' "$$GPG_PASSPHRASE" > /tmp/.gpg-passphrase
 debsign -p"gpg --batch --pinentry-mode loopback --passphrase-file /tmp/.gpg-passphrase" \
- -k"$$GPG_KEY_ID" dist/*.changes
+ -k "$$GPG_KEY_ID" dist/*.changes
 @rm -f /tmp/.gpg-passphrase
 @echo "Uploading to PPA..."
 dput --unchecked ppa:learningequality/kolibri-proposed dist/*.changes
diff --git a/test/setup_ppa.sh b/test/setup_ppa.sh
index 0ed7528..6acbefe 100755
--- a/test/setup_ppa.sh
+++ b/test/setup_ppa.sh
@@ -6,12 +6,16 @@ SUDO=""
 [ "$(id -u)" != "0" ] && SUDO="sudo"
 # Detect Ubuntu series for PPA source line
-# On Ubuntu: use the OS codename. On non-Ubuntu (e.g. Debian): require PPA_SERIES env var.
+# PPA_SERIES env var takes precedence (used by CI to ensure all containers use the same series).
+# On Ubuntu without PPA_SERIES: auto-detect from OS. On non-Ubuntu: PPA_SERIES is required.
 . /etc/os-release
-if [ "$ID" = "ubuntu" ]; then
+if [ -n "${PPA_SERIES:-}" ]; then
+ SERIES="$PPA_SERIES"
+elif [ "$ID" = "ubuntu" ]; then
 SERIES="$VERSION_CODENAME"
 else
- SERIES="${PPA_SERIES:?PPA_SERIES must be set for non-Ubuntu systems (e.g. PPA_SERIES=noble)}"
+ echo "Error: PPA_SERIES must be set for non-Ubuntu systems (e.g. PPA_SERIES=noble)" >&2
+ exit 1
 fi
 gpg --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys DC5BAA93F9E4AE4F0411F97C74F88ADB3194DD81
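Review bot: The `@printf` context line in the Makefile's `sign-and-upload` recipe still writes the passphrase to the fixed path `/tmp/.gpg-passphrase` under the caller's umask. On a shared host the file is therefore typically world-readable, and another local user can pre-create or symlink that name. The `@rm -f` line is also skipped when `debsign` fails, because make stops at the first failing recipe line; the workflow's `if: always()` step covers CI but not a local `make sign-and-upload`. Creating the file with `umask 077` and `mktemp`, and removing it from an `EXIT` trap in the same shell invocation, closes both gaps and makes the workflow's removal of the fixed path redundant. The two new `test -n` checks could also send their messages to stderr with `>&2`.

```make
sign-and-upload: dist
# … unchanged: "Signing and uploading" echo and the two test -n checks …
	@umask 077 && \
	pf=$$(mktemp) && \
	trap 'rm -f "$$pf"' EXIT && \
	printf '%s' "$$GPG_PASSPHRASE" > "$$pf" && \
	debsign -p"gpg --batch --pinentry-mode loopback --passphrase-file $$pf" \
		-k "$$GPG_KEY_ID" dist/*.changes
# … unchanged: "Uploading to PPA" echo and dput …
```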
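Review bot: The new first branch in test/setup_ppa.sh copies `PPA_SERIES` into `SERIES` verbatim, and because it now takes precedence on Ubuntu as well, a mistyped or malformed value is no longer caught by the OS auto-detection. `SERIES` is presumably interpolated into the PPA source line further down, outside this hunk, so a format check before the assignment would fail early: `case "$PPA_SERIES" in *[!a-z]*) echo "Error: invalid PPA_SERIES" >&2; exit 1;; esac`. The comment above the branch could also state that the value is expected to be an Ubuntu codename such as `noble`.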