ci: pacman-key --init/--populate before keyring upgrade
Some checks failed
CI / build-test-release (pull_request) Failing after 12m22s

archlinux:latest slim image has no local pacman master key and an
unpopulated upstream keyring, so:
  - the archlinux-keyring upgrade fails with "no secret key available to
    sign with" because pacman can't sign the keyring it's rewriting
  - falling through to -Syu hits the original "unknown trust" errors on
    libseccomp and zip

Run pacman-key --init then --populate archlinux before any pacman -S.
This is the documented bootstrap for slim Arch CI containers.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Jorijn van der Graaf 2026-04-28 23:40:27 +02:00
commit f0b1fd899c

@ -13,10 +13,17 @@ jobs:
steps: steps:
- name: Install build dependencies - name: Install build dependencies
run: | run: |
# archlinux:latest images ship a snapshot keyring; new packages # The slim archlinux:latest image arrives without a populated
# signed after that snapshot fail PGP verification. Refresh the # pacman keyring AND without a local pacman master key, so:
# keyring first, then everything else. # 1. --init generates the local signing key (needed when pacman
pacman -Sy --noconfirm archlinux-keyring # itself rewrites the keyring during package upgrades)
# 2. --populate archlinux imports the upstream master keys so
# currently-shipping signatures verify
# After that we can refresh archlinux-keyring to pick up keys for
# packagers added after the image's snapshot, then -Syu the rest.
pacman-key --init
pacman-key --populate archlinux
pacman -Sy --noconfirm --needed archlinux-keyring
pacman -Syu --noconfirm --needed \ pacman -Syu --noconfirm --needed \
base-devel git zip tar \ base-devel git zip tar \
clang lld libc++ cmake \ clang lld libc++ cmake \
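Review bot: The new comment block explains why `pacman-key --init` and `pacman-key --populate archlinux` are needed but not what the trust anchor is. `--populate archlinux` imports and locally signs whatever keyring files the image itself ships, so every later signature check in this job is only as trustworthy as the `archlinux:latest` image the comment names. Since that is a moving tag, consider pinning the container by digest and saying so in the comment. A smaller point on `pacman -Sy --noconfirm --needed archlinux-keyring`: it is safe here only because the full `pacman -Syu` follows immediately. A line in the comment stating that would keep a later edit from separating the two and leaving the container in a partial-upgrade state.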