Skip to content

tailrocks/holla-apt

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

29 Commits
.github/workflows
.github/workflows
 
 
conf
conf
 
 
.gitignore
.gitignore
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
holla.gpg
holla.gpg
 
 
renovate.json
renovate.json
 
 

Repository files navigation

holla-apt

apt repository for holla — the adaptive dev environment CLI. Installs and upgrades holla with native apt.

The signed repository is published to GitHub Pages at:

https://holla-apt.tailrocks.com/

Install

# 1. trust the signing key (scoped to this repo via signed-by)
sudo install -m 0755 -d /etc/apt/keyrings
curl -fsSL https://holla-apt.tailrocks.com/holla.gpg \
  | sudo tee /etc/apt/keyrings/holla.gpg > /dev/null

# 2. add the repo
echo "deb [signed-by=/etc/apt/keyrings/holla.gpg] https://holla-apt.tailrocks.com stable main" \
  | sudo tee /etc/apt/sources.list.d/holla.list

# 3. install
sudo apt update
sudo apt install holla

# 4. use it
holla

Debian packages (.deb) for amd64 and arm64 are also attached to every GitHub Release of holla and can be installed directly with dpkg -i holla_*.deb.

Upgrade

sudo apt update && sudo apt upgrade

A new tagged release of holla adds a new .deb to this repo; apt upgrade picks it up.

How it is built

  1. On tag push (or manual dispatch for an existing tag), the dedicated release-deb.yml in the holla repo builds the .deb(s) for the Linux targets using cargo-deb (targeting latest Debian / recent glibc only — amd64 native, arm64 via zigbuild, --deb-version to pin to the tag). This is a separate workflow from the main tarball + Homebrew release, exactly as velnor does with its release-deb.yml. (The broad glibc 2.17 compat is only for the portable tarballs.)
  2. It attaches the .deb(s) to the source (holla) GitHub Release, then uploads them (cross-repo, using GH_HOLLA_APT_TOKEN) to this (holla-apt) repository's GitHub Releases under the same tag. The apt publisher only needs to read from its own releases (the .deb is part of the original project's release process).
  3. The publish.yml workflow here is triggered (via gh workflow run ... -f version=... or repository_dispatch), downloads the .deb from this repo's release, adds it to the apt pool with reprepro (which GPG-signs Release / InRelease), uploads the resulting tree as a GitHub Pages artifact, and deploys it using GitHub Actions. GitHub Pages is deployed via GitHub Actions (the index includes only currently published versions; old .debs remain in historical Releases but are not part of the current apt repo).

Design notes: modeled directly on the velnor-apt + velnor-runner pattern. See holla's full design doc docs/debian-apt-repo.md (includes the proper serving host holla-apt.tailrocks.com as used in the ChainArgos environment), release-deb.yml, Cargo.toml (the [package.metadata.deb] section), and the debian/ maintainer scripts.

One-time setup (maintainer)

  • GPG key: Create a dedicated GPG signing key for this apt repository (do not reuse across projects for security isolation). Store the private key and passphrase securely. Manually copy the full armored private key into the GitHub secret APT_GPG_PRIVATE_KEY and the passphrase into APT_GPG_PASSPHRASE. Commit/publish the public half as holla.gpg (and into the published tree).
  • Set SignWith: in conf/distributions to the key id (uncomment and replace the placeholder).
  • Enable GitHub Pages for this repo → Source: GitHub Actions (you should always use GitHub Actions for Pages deployments in these setups; never "Deploy from a branch").
  • Set Custom domain to holla-apt.tailrocks.com.
  • In the main tailrocks/holla repo, add a PAT (fine-grained with Contents:write + Actions:write on tailrocks/holla-apt, or a classic PAT with repo scope) as GH_HOLLA_APT_TOKEN. This is used by holla's release-deb.yml (the dedicated flow, exactly like velnor's release-deb.yml) to create a release on this repo and upload the .deb assets (cross-repo), plus trigger the publish workflow. This is the same pattern used by velnor / velnor-apt. Without the token, you can still publish manually via gh workflow run or the web UI.
  • (Optional but recommended) Also wire the dispatch so the publish runs automatically after the debs land here.

GPG key handling (maintainer only)

Use a dedicated key per apt repository. Keep the private key material and passphrase in a secure location accessible only to maintainers. Manually populate the GitHub repository secrets APT_GPG_PRIVATE_KEY (armored private key) and APT_GPG_PASSPHRASE. The public key is committed as holla.gpg and published at the root of the site.

Triggering a publish

Manual:

# From the holla-apt repo
gh workflow run publish.yml -f version=vX.Y.Z

From the holla release workflow (or manually), you can also dispatch:

gh api repos/tailrocks/holla-apt/dispatches \
  -f event_type=publish-deb \
  -F client_payload[version]=vX.Y.Z

The publish.yml accepts workflow_dispatch (with version input) and repository_dispatch (type publish-deb, optional client_payload.version).

License

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

About

No description, website, or topics provided.

Resources

Readme

License

Apache-2.0 license
Activity
Custom properties

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases 1

holla v0.4.2 (debs) Latest
Jun 11, 2026

Packages

 
 
 

Contributors