ci: pacman-key --init/--populate before keyring upgrade
Some checks failed
CI / build-test-release (pull_request) Failing after 12m22s
Some checks failed
CI / build-test-release (pull_request) Failing after 12m22s
archlinux:latest slim image has no local pacman master key and an
unpopulated upstream keyring, so:
- the archlinux-keyring upgrade fails with "no secret key available to
sign with" because pacman can't sign the keyring it's rewriting
- falling through to -Syu hits the original "unknown trust" errors on
libseccomp and zip
Run pacman-key --init then --populate archlinux before any pacman -S.
This is the documented bootstrap for slim Arch CI containers.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
parent
fa202c49f1
commit
f0b1fd899c
1 changed files with 11 additions and 4 deletions
|
|
@ -13,10 +13,17 @@ jobs:
|
|||
steps:
|
||||
- name: Install build dependencies
|
||||
run: |
|
||||
# archlinux:latest images ship a snapshot keyring; new packages
|
||||
# signed after that snapshot fail PGP verification. Refresh the
|
||||
# keyring first, then everything else.
|
||||
pacman -Sy --noconfirm archlinux-keyring
|
||||
# The slim archlinux:latest image arrives without a populated
|
||||
# pacman keyring AND without a local pacman master key, so:
|
||||
# 1. --init generates the local signing key (needed when pacman
|
||||
# itself rewrites the keyring during package upgrades)
|
||||
# 2. --populate archlinux imports the upstream master keys so
|
||||
# currently-shipping signatures verify
|
||||
# After that we can refresh archlinux-keyring to pick up keys for
|
||||
# packagers added after the image's snapshot, then -Syu the rest.
|
||||
pacman-key --init
|
||||
pacman-key --populate archlinux
|
||||
pacman -Sy --noconfirm --needed archlinux-keyring
|
||||
pacman -Syu --noconfirm --needed \
|
||||
base-devel git zip tar \
|
||||
clang lld libc++ cmake \
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue