feat(debian): publish .deb packages + signed apt repo #41

Draft: kjanat wants to merge 1 commit into master from feat/debian-apt-channel

@kjanat (Owner) commented Jun 4, 2026

Adds a Debian/apt distribution channel alongside crates.io, npm, and AUR.

What's included

Packages — runner-run .debs for amd64 / arm64 / armhf, repackaged from the prebuilt GitHub-release tarballs (glibc, dynamically linked), exactly like the AUR -bin and npm channels — the shipped binaries are byte-for-byte the released ones. Each ships runner + run, bash/zsh/fish completions in the canonical autoload dirs, the pwsh script, DEP-5 copyright, and a native changelog.gz.

apt repository — signed repo served at https://apt.runner.kjanat.dev (GitHub Pages, custom domain):

sudo install -d -m 0755 /etc/apt/keyrings
curl -fsSL https://apt.runner.kjanat.dev/runner-run.gpg | sudo tee /etc/apt/keyrings/runner-run.gpg >/dev/null
echo "deb [signed-by=/etc/apt/keyrings/runner-run.gpg] https://apt.runner.kjanat.dev stable main" | sudo tee /etc/apt/sources.list.d/runner-run.list >/dev/null
sudo apt update && sudo apt install runner-run

pool/ is rebuilt from the published branch each release (old versions stay installable); dists/ is regenerated and GPG-signed (InRelease + detached Release.gpg).

CI — .github/workflows/debian-release.yml on release: published + workflow_dispatch/dry-run:

  • build-deb: repackage → lintian --fail-on error → attach .debs to the release. No secrets, always runs.
  • publish-apt: assemble + sign + push to gh-pages. Gated behind an apt Environment, inert until APT_GPG_PRIVATE_KEY is set.

Docs — README + site install entries, debian/README.md, CHANGELOG.

Validated locally (end-to-end)

  • dpkg-deb builds all three; lintian --fail-on error clean on the arch-matched package (libyaml false positive overridden + documented; only benign no-manual-page warnings remain)
  • installed the .deb, ran the binaries, confirmed completions rewritten to /usr/bin with no staging/tmp leaks, zsh split correct
  • throwaway-key signed repo + isolated apt-get update → signature verified, apt-cache resolves runner-run 0.12.0 with correct pool/ Filename; gpgv Good on InRelease and Release.gpg
  • shellcheck + dprint clean, workflow YAML parses

Maintainer setup to go live (apt repo is inert until done)

  • Create an apt GitHub Environment; add APT_GPG_PRIVATE_KEY (+ APT_GPG_PASSPHRASE if the key has one). Key-gen snippet in debian/README.md.
  • After the first publish creates gh-pages: Settings → Pages → Deploy from a branch → gh-pages / root.
  • DNS apt.runner.kjanat.dev → kjanat.github.io

The .deb files attach to the next release with no setup; only the hosted repo needs the above. Validate first via Actions → debian-release → Run workflow → set tag + tick dry-run.

Notes

Packages are native (version 0.12.0, no Debian revision) since upstream owns the packaging; a semver -rc.N prerelease maps to a Debian ~rc.N so it sorts before the final release.

https://claude.ai/code/session_018uA1KjrCHk6PPK2t6zaYYH


Generated by Claude Code
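
The signature check described in the validation list (gpgv on InRelease and Release.gpg) protects a hash chain: Release lists the SHA256 of the Packages index, and the index lists the SHA256 and pool/ Filename of each .deb. The following is an added example, not code from this PR, that walks that chain over constructed metadata. It assumes the Release signature has already been verified, and the `main/binary-amd64/Packages` index path and the `pool/main/r/...` file path are assumptions taken from the standard apt repository layout.

```python
import hashlib

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def release_sha256_entries(release_text: str) -> dict:
    """Map path -> (sha256, size) from the 'SHA256:' block of a Release file."""
    entries, in_block = {}, False
    for line in release_text.splitlines():
        if line.startswith("SHA256:"):
            in_block = True
        elif in_block and line.startswith(" "):
            digest, size, path = line.split()
            entries[path] = (digest, int(size))
        else:
            in_block = False
    return entries

def packages_stanzas(packages_text: str) -> list:
    """One {field: value} dict per blank-line-separated stanza of a Packages index."""
    return [dict(l.split(": ", 1) for l in block.splitlines() if ": " in l)
            for block in packages_text.strip().split("\n\n")]

def verify_chain(release_text, index_path, packages, name, version, deb) -> str:
    """Release -> Packages -> .deb. Returns the Filename, raises ValueError on mismatch."""
    if release_sha256_entries(release_text).get(index_path) != (sha256(packages), len(packages)):
        raise ValueError("Packages index does not match Release")
    for st in packages_stanzas(packages.decode()):
        if (st.get("Package"), st.get("Version")) == (name, version):
            path = st["Filename"]
            # Reject entries that would make the client fetch outside pool/.
            if not path.startswith("pool/") or ".." in path.split("/"):
                raise ValueError("Filename escapes pool/")
            if (st["SHA256"], int(st["Size"])) != (sha256(deb), len(deb)):
                raise ValueError(".deb does not match Packages index")
            return path
    raise ValueError("package not listed in index")

def build_sample():
    """Constructed repo metadata (not the project's real files)."""
    deb = b"constructed stand-in for runner-run_0.12.0_amd64.deb"
    packages = (
        "Package: runner-run\nVersion: 0.12.0\nArchitecture: amd64\n"
        "Filename: pool/main/r/runner-run/runner-run_0.12.0_amd64.deb\n"
        f"Size: {len(deb)}\nSHA256: {sha256(deb)}\n"
    ).encode()
    release = ("Suite: stable\nComponents: main\nSHA256:\n"
               f" {sha256(packages)} {len(packages)} main/binary-amd64/Packages\n")
    return release, packages, deb
```

A .deb swapped on the Pages branch without regenerating and re-signing dists/ fails the last comparison, which is why the signing key, and not the hosting, is the trust anchor for this channel.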

Add a Debian/apt distribution channel alongside crates.io, npm, and AUR.

- runner-run .debs for amd64/arm64/armhf, repackaged from the prebuilt
  release tarballs (glibc, dynamically linked) like the AUR `-bin`/npm
  channels — same binaries, byte-for-byte. Ship the runner+run binaries,
  bash/zsh/fish completions in the canonical autoload dirs, the pwsh
  script, copyright, and a native changelog. A lintian override documents
  the one false positive (embedded-library libyaml: pure-Rust yaml-rust2,
  not C libyaml), so packages lint clean of errors.
- Signed apt repository served at https://apt.runner.kjanat.dev (GitHub
  Pages, custom domain): apt-get install runner-run. pool/ is rebuilt
  from the published branch each release so old versions stay installable;
  dists/ is regenerated and GPG-signed (InRelease + detached Release.gpg).
- debian-release.yml: build-deb attaches the .debs to the release (no
  secrets, always runs); publish-apt assembles+signs+pushes the repo to
  gh-pages, gated behind an `apt` Environment and inert until
  APT_GPG_PRIVATE_KEY is set.
- Docs: README + site install entries, debian/README.md (channel + the
  one-time maintainer setup), CHANGELOG.

Validated locally: dpkg-deb build, lintian --fail-on error (clean),
install + run, completion path rewrite, and an isolated apt-get update
against the signed repo (InRelease + Release.gpg verify, apt-cache
resolves runner-run).

https://claude.ai/code/session_018uA1KjrCHk6PPK2t6zaYYH
@cloudflare-workers-and-pages

Deploying with Cloudflare Workers

The latest updates on your project. Learn more about integrating Git with Workers.

| Status | Name | Latest Commit | Preview URL | Updated (UTC) |
| --- | --- | --- | --- | --- |
| ✅ Deployment successful! (View logs) | runner | 6c73689 | Commit Preview URL, Branch Preview URL | Jun 04 2026, 09:34 AM |

coderabbitai Bot commented Jun 4, 2026

Important

Review skipped

Draft detected.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 53c8a00a-4a87-48ad-b0b4-c89349839a75

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.
