Two bugs in the update-apt-repo job of .github/workflows/release.yml:
- Wrong action: Download .deb artifact step uses actions/upload-artifact instead of actions/download-artifact — causes the job to fail when trying to fetch the .deb built in build-deb.
- Hardcoded fingerprint: The Update apt repository step passes 45160BC066817A6E710F7BA0208922A1DA3B0CEC as the GPG key ID. This should be derived dynamically from the imported key so that rotating GPG_PRIVATE_KEY does not require a code change.

Fix
- Replace actions/upload-artifact with actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4 in the update-apt-repo job.
- After importing the GPG key, extract the fingerprint with:

      FINGERPRINT=$(gpg --with-colons --list-secret-keys 2>/dev/null | grep '^fpr' | head -1 | cut -d: -f10)

  and pass it to update_apt_repo.sh instead of the hardcoded value.
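
A stricter variant of the fingerprint extraction proposed above, as an added example that is not part of the original issue or the project's code: it takes the `fpr` record that follows the `sec` record (not a subkey's) and fails closed if the keyring holds zero or several secret keys. The function name `primary_fingerprint` and the sample listings are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not project code). Reads `gpg --with-colons --list-secret-keys`
# output on stdin and prints the primary key fingerprint (field 10 of the fpr
# record that follows the sec record). Exit 2: not exactly one secret key.
# Exit 3: fingerprint is not 40 uppercase hex characters.
primary_fingerprint() {
  awk -F: '
    $1 == "sec" { nsec++; want = 1; next }   # primary secret key record
    $1 == "ssb" { want = 0; next }           # subkey: its fpr is not wanted
    $1 == "fpr" && want { fpr = $10; want = 0 }
    END {
      if (nsec != 1) {
        print "expected exactly 1 secret key, found " (nsec + 0) > "/dev/stderr"
        exit 2
      }
      if (length(fpr) != 40 || fpr !~ /^[0-9A-F]+$/) {
        print "malformed fingerprint" > "/dev/stderr"
        exit 3
      }
      print fpr
    }'
}

# Constructed sample listings (fake keys), so the example runs without gpg.
SAMPLE_ONE_KEY='sec:u:4096:1:89ABCDEF01234567:1700000000:::u:::scESC:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:u::::1700000000::0000::Release Bot <release@example.invalid>:
ssb:u:4096:1:76543210FEDCBA98:1700000000::::::e:
fpr:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA98:'

SAMPLE_TWO_KEYS="$SAMPLE_ONE_KEY
sec:u:4096:1:AAAAAAAAAAAAAAAA:1700000001:::u:::scESC:
fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:"

# In the workflow step this would be (assumes gpg has already imported the key):
#   FINGERPRINT=$(gpg --with-colons --list-secret-keys | primary_fingerprint)
printf '%s\n' "$SAMPLE_ONE_KEY" | primary_fingerprint
```

With `SAMPLE_TWO_KEYS`, `grep '^fpr' | head -1` would return the first key's fingerprint without complaint, whereas this function exits non-zero so the job stops instead of signing with an unintended key.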