Releases were shipping UNSIGNED: ship.sh never invoked sign-checksums, the
goreleaser pubkey ldflag defaulted to empty, and publish-cli-release.sh did not
upload a .sig — so the self-updater's signature check was silently skipped
(1.0.0-beta had no checksums.txt.sig). Make signing unconditional:
- internal/upgrade/signature.go: bake the canonical release public key as the
compiled-in default (public, safe to commit; removes the empty-env footgun).
- .goreleaser.yml: drop the pubkey ldflag (committed default is authoritative)
+ add a signs: block that runs scripts/sign-checksums over checksums.txt.
sign-checksums requires -key, so an unset RELEASE_SIGNING_KEY fails the build
instead of shipping unsigned.
- scripts/ship.sh: source RELEASE_SIGNING_KEY from ~/.config/unarr-release/signing.key
(or the env), die if absent, and assert checksums.txt.sig was produced.
Private key lives outside the repo (gitignored keyfile + operator's vault);
public key verified to match (priv[32:] == baked pubkey).
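Added example, not the project's internal/upgrade/signature.go or its sign-checksums script: the Go program below shows the fail-closed shape the commit describes. An empty or malformed compiled-in key is an error rather than a silent skip, checksums.txt.sig is a raw Ed25519 signature over the exact bytes of checksums.txt, the priv[32:] == pubkey consistency check relies on Go's ed25519.PrivateKey being seed||pubkey, and an asset is only trusted once its SHA-256 matches the line for it in the verified manifest. The hex key encoding, the raw .sig layout, the asset name and the file body are assumptions constructed for the example; the "<sha256>  <filename>" line format is goreleaser's.

```go
package main

import (
	"bufio"
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// ErrNoPublicKey replaces the old behaviour where an empty pubkey ldflag meant
// "skip verification": no compiled-in key now means no upgrade can be trusted.
var ErrNoPublicKey = errors.New("upgrade: no release public key compiled in")

// LoadPublicKey parses the hex-encoded key baked into the binary (encoding is
// an assumption of this example). Empty or malformed input fails closed.
func LoadPublicKey(hexKey string) (ed25519.PublicKey, error) {
	hexKey = strings.TrimSpace(hexKey)
	if hexKey == "" {
		return nil, ErrNoPublicKey
	}
	raw, err := hex.DecodeString(hexKey)
	if err != nil || len(raw) != ed25519.PublicKeySize {
		return nil, errors.New("upgrade: malformed release public key")
	}
	return ed25519.PublicKey(raw), nil
}

// KeyPairMatches is the priv[32:] == baked pubkey check: a Go Ed25519 private
// key is seed||pubkey, so its last 32 bytes must equal the key the updater
// trusts, otherwise releases would be signed with a key nobody verifies.
func KeyPairMatches(priv ed25519.PrivateKey, pub ed25519.PublicKey) bool {
	return len(priv) == ed25519.PrivateKeySize &&
		bytes.Equal(priv[ed25519.PrivateKeySize-ed25519.PublicKeySize:], pub)
}

// SignChecksums produces the contents of checksums.txt.sig (raw 64-byte
// signature, an assumed layout) over the exact bytes of checksums.txt.
func SignChecksums(priv ed25519.PrivateKey, checksums []byte) []byte {
	return ed25519.Sign(priv, checksums)
}

// VerifyChecksums is the self-updater side: reject unless the manifest
// signature verifies under the compiled-in key. A missing key is an error.
func VerifyChecksums(pub ed25519.PublicKey, checksums, sig []byte) error {
	if len(pub) != ed25519.PublicKeySize {
		return ErrNoPublicKey
	}
	if len(sig) != ed25519.SignatureSize || !ed25519.Verify(pub, checksums, sig) {
		return errors.New("upgrade: checksums.txt signature does not verify")
	}
	return nil
}

// ExpectedDigest finds an asset in goreleaser's checksums.txt, whose lines are
// "<sha256-hex>  <filename>". Only meaningful after VerifyChecksums succeeded.
func ExpectedDigest(checksums []byte, asset string) (string, error) {
	sc := bufio.NewScanner(bytes.NewReader(checksums))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) == 2 && f[1] == asset {
			return f[0], nil
		}
	}
	return "", fmt.Errorf("upgrade: %s not listed in checksums.txt", asset)
}

// VerifyAsset is the full chain: signed manifest first, then the digest of
// the downloaded archive against the manifest entry.
func VerifyAsset(pub ed25519.PublicKey, checksums, sig []byte, asset string, body []byte) error {
	if err := VerifyChecksums(pub, checksums, sig); err != nil {
		return err
	}
	want, err := ExpectedDigest(checksums, asset)
	if err != nil {
		return err
	}
	sum := sha256.Sum256(body)
	if got := hex.EncodeToString(sum[:]); got != want {
		return fmt.Errorf("upgrade: %s digest %s != %s", asset, got, want)
	}
	return nil
}

func main() {
	// Throwaway keypair and a constructed "release": not the project's key or assets.
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	asset, body := "unarr_1.0.0_linux_amd64.tar.gz", []byte("constructed fake archive\n")
	sum := sha256.Sum256(body)
	checksums := []byte(hex.EncodeToString(sum[:]) + "  " + asset + "\n")
	sig := SignChecksums(priv, checksums)

	fmt.Println("keypair consistent:", KeyPairMatches(priv, pub))
	fmt.Println("good release:", VerifyAsset(pub, checksums, sig, asset, body))
	fmt.Println("edited manifest:", VerifyAsset(pub, append([]byte("x"), checksums...), sig, asset, body))
	fmt.Println("swapped archive:", VerifyAsset(pub, checksums, sig, asset, []byte("other")))
	_, err := LoadPublicKey("")
	fmt.Println("no baked key:", err)
}
```

The point worth keeping from this shape is that every failure path returns an error the caller cannot mistake for "verification not configured"; the old empty-pubkey default collapsed those two cases into one.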
Adds step 6 to scripts/ship.sh: after smoke checks, list Forgejo
releases and delete any with created_at older than FORGEJO_PRUNE_DAYS
(default 90). Bounded retention prevents the tc-git CPX11 disk from
filling up (each release ≈ 511MB of attachments × 1/week pace).
Skipped silently with a warn if FORGEJO_TOKEN is not exported, so
the step is opt-in via secret presence (no token = no destructive
action). Tunables: FORGEJO_PRUNE_DAYS, FORGEJO_REPO, FORGEJO_BASE,
SKIP_FORGEJO_PRUNE.
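Added example, not the project's ship.sh step: the Go program below isolates the decision logic of the prune step so it can be checked offline. It decodes a release list in the shape of the Forgejo/Gitea REST API (id, tag_name, created_at; the field names are assumed from that API), returns the releases older than FORGEJO_PRUNE_DAYS, and skips entirely when the token is empty, matching "no token = no destructive action". It adds one guard the commit does not mention: the newest release is never selected, so a long pause in shipping cannot leave the repo with zero releases. The base URL, repo path and release data are constructed for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"sort"
	"time"
)

// Release holds the fields of a Forgejo release-list entry the prune step
// needs; JSON names follow the Forgejo/Gitea API (assumed here, not from ship.sh).
type Release struct {
	ID        int64     `json:"id"`
	TagName   string    `json:"tag_name"`
	CreatedAt time.Time `json:"created_at"`
}

// ParseReleases decodes the body of GET {base}/api/v1/repos/{repo}/releases.
func ParseReleases(body []byte) ([]Release, error) {
	var rs []Release
	if err := json.Unmarshal(body, &rs); err != nil {
		return nil, fmt.Errorf("forgejo: decode releases: %w", err)
	}
	return rs, nil
}

// PrunePlan returns the releases created more than pruneDays before now.
// An empty token yields skipped=true and no plan: absence of the secret means
// no destructive action. The newest release is always kept (guard added in
// this example beyond what the commit describes).
func PrunePlan(token string, releases []Release, now time.Time, pruneDays int) (toDelete []Release, skipped bool) {
	if token == "" {
		return nil, true
	}
	if pruneDays <= 0 || len(releases) == 0 {
		return nil, false
	}
	sorted := append([]Release(nil), releases...)
	sort.Slice(sorted, func(i, j int) bool { return sorted[i].CreatedAt.After(sorted[j].CreatedAt) })
	cutoff := now.Add(-time.Duration(pruneDays) * 24 * time.Hour)
	for _, r := range sorted[1:] { // sorted[0] is the newest release and survives
		if r.CreatedAt.Before(cutoff) {
			toDelete = append(toDelete, r)
		}
	}
	return toDelete, false
}

// DeleteURL is the endpoint a prune step would DELETE for each planned release,
// sent with "Authorization: token $FORGEJO_TOKEN" (Forgejo/Gitea convention).
func DeleteURL(base, repo string, id int64) string {
	return fmt.Sprintf("%s/api/v1/repos/%s/releases/%d", base, repo, id)
}

// sampleReleases is a constructed API response used in place of a live call.
const sampleReleases = `[
 {"id": 40, "tag_name": "v1.0.3", "created_at": "2024-06-10T12:00:00Z"},
 {"id": 31, "tag_name": "v1.0.2", "created_at": "2024-05-01T12:00:00Z"},
 {"id": 12, "tag_name": "v1.0.1", "created_at": "2024-02-20T12:00:00Z"},
 {"id": 7,  "tag_name": "v1.0.0", "created_at": "2024-01-05T12:00:00Z"}
]`

func main() {
	now := time.Date(2024, 6, 15, 0, 0, 0, 0, time.UTC) // fixed clock for reproducible output
	rs, err := ParseReleases([]byte(sampleReleases))
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	if _, skipped := PrunePlan("", rs, now, 90); skipped {
		fmt.Println("warn: FORGEJO_TOKEN not set, skipping release prune")
	}
	// Hypothetical base URL and repo path; the token value is a placeholder.
	plan, _ := PrunePlan("placeholder-token", rs, now, 90)
	for _, r := range plan {
		fmt.Println("would DELETE", r.TagName, DeleteURL("https://tc-git.example", "unarr/unarr", r.ID))
	}
}
```

Two things to keep in mind when wiring this to the real API: the release list endpoint is paginated, so a prune that reads only the first page can miss exactly the old releases it is meant to remove, and a dry-run mode that prints the plan without issuing the DELETE calls is worth having before trusting a destructive step that runs on every ship.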
GitHub Actions release.yml + docker job currently doesn't fire (org
shadow-ban). ship.sh replicates the CI pipeline locally so releases
keep landing on Hetzner + Docker Hub without depending on CI:
1. Sanity checks: clean tree, tag at HEAD, version.go match
2. goreleaser release --skip=publish (build dist/*)
3. publish-cli-release.sh (rsync to Hetzner + flip version.txt)
4. docker buildx --push multi-arch (amd64 + arm64)
5. Smoke: torrentclaw.com/version + docker run image version
6. Optional --push to git-push tag to GH
Exposed via make targets: ship, ship-dry, ship-push.