From fa202c49f11edb303f07b90d75878fbb28ab453d Mon Sep 17 00:00:00 2001
From: Jorijn van der Graaf <jorijnvdgraaf@catcrafts.net>
Date: Tue, 28 Apr 2026 23:36:51 +0200
Subject: [PATCH] ci: refresh archlinux-keyring before installing deps

archlinux:latest container ships a snapshot keyring; packages signed by
keys added after the snapshot date fail PGP verification (zip-3.0-13 hit
this with a "signature from Robin Candau is unknown trust" error). Update
the keyring first via pacman -Sy archlinux-keyring, then -Syu the rest.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 .forgejo/workflows/ci.yaml | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/.forgejo/workflows/ci.yaml b/.forgejo/workflows/ci.yaml
index 4bb4297..ee9af78 100644
--- a/.forgejo/workflows/ci.yaml
+++ b/.forgejo/workflows/ci.yaml
@@ -13,8 +13,11 @@ jobs:
     steps:
       - name: Install build dependencies
         run: |
-          pacman -Sy --noconfirm
-          pacman -S --noconfirm --needed \
+          # archlinux:latest images ship a snapshot keyring; new packages
+          # signed after that snapshot fail PGP verification. Refresh the
+          # keyring first, then everything else.
+          pacman -Sy --noconfirm archlinux-keyring
+          pacman -Syu --noconfirm --needed \
             base-devel git zip tar \
             clang lld libc++ cmake \
             mingw-w64-gcc \