# Debian packaging & apt repo

- `build-deb.sh <pg-major>` — runs `cargo pgrx package` against the system
  `postgresql-server-dev-<major>`, then wraps the staged tree into
  `postgresql-<major>-pg-replica_<version>_<arch>.deb` with `dpkg-deb`.
- `build-apt-repo.sh [deb-dir]` — lays out `pool/` + `dists/stable/main/binary-<arch>/`,
  generates `Packages(.gz)` (`dpkg-scanpackages`) and a `Release` (`apt-ftparchive`), then
  GPG-signs it (`Release.gpg` + `InRelease`) and drops the public key (`pg_replica.gpg`) and
  `install.sh` at the repo root.
- `install.sh` — installs the public key to `/usr/share/keyrings/pg_replica.gpg` and adds a
  `signed-by` apt source pointing at the Pages URL.
- `.github/workflows/packages.yml` — on a `[cd]` commit to `main` (or manual dispatch),
  builds the matrix (PG 18 amd64/arm64), assembles + signs the repo, and deploys it to
  GitHub Pages.

## One-time repo setup

1. **Signing key.** Generate a *passphrase-less* signing key (CI can't type a passphrase):

   ```bash
   gpg --batch --quick-generate-key "pg_replica apt <info@nordlet.com>" rsa4096 sign never
   gpg --armor --export-secret-keys "pg_replica apt" > private.asc
   ```

   Add the contents of `private.asc` as the repo secret **`GPG_PRIVATE_KEY`**
   (`gh secret set GPG_PRIVATE_KEY < private.asc`), then delete `private.asc`.

2. **Pages.** Repo → Settings → Pages → Source = **GitHub Actions**.

3. **Permissions.** The workflow already requests `pages: write` + `id-token: write`.

After that, push a commit containing `[cd]` (or run the workflow manually) to publish.

## Local test (Debian/Ubuntu or WSL)

```bash
sudo apt-get install -y postgresql-server-dev-18 build-essential clang libclang-dev
cargo install cargo-pgrx --version 0.18.1 --locked
bash packaging/build-deb.sh 18
sudo apt-get install -y ./dist/postgresql-18-pg-replica_*.deb
```

`build-apt-repo.sh` additionally needs `dpkg-dev apt-utils gnupg` and a `GPG_KEY_ID` env var.