Fix Forgejo workflows for the actual server capabilities

- package.yml: use correct Arch registry upload (octet-stream + binary body
  + PUT /api/packages/Breadway/arch/os), drop --privileged, remove
  actions/checkout (archlinux image has no Node) in favour of a manual
  shell clone, use the built-in Actions token instead of a stored secret,
  and --nocheck (tests belong in CI, not packaging)
- mirror.yml: clone --mirror + explicit refs/heads + refs/tags push with
  --prune, instead of pushing refs/remotes pollution from a checkout
- pacman.conf: correct Server URL to the Forgejo Arch registry format

Requires only the GITHUB_MIRROR_TOKEN secret (GitHub PAT, repo scope) for
the mirror job; package publishing uses the automatic per-run token.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

.forgejo/workflows/mirror.yml

@@ -9,12 +9,13 @@ jobs:
   mirror:
     runs-on: [self-hosted, hestia]
     steps:
-      - uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
-
-      - name: Push to GitHub
+      - name: Mirror to GitHub
         run: |
-          git remote add github \
-            "https://x-access-token:${{ secrets.GITHUB_MIRROR_TOKEN }}@github.com/Breadway/bos.git"
-          git push github --mirror
+          set -euo pipefail
+          git clone --mirror "${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git" repo.git
+          cd repo.git
+          # Mirror only branches and tags (not refs/pull/*, which GitHub rejects);
+          # --prune deletes GitHub refs that no longer exist on Forgejo.
+          git push --prune \
+            "https://x-access-token:${{ secrets.GITHUB_MIRROR_TOKEN }}@github.com/Breadway/bos.git" \
+            '+refs/heads/*:refs/heads/*' '+refs/tags/*:refs/tags/*'

.forgejo/workflows/package.yml

@@ -9,38 +9,32 @@ jobs:
     runs-on: [self-hosted, hestia]
     container:
       image: archlinux:latest
-      options: --privileged
-
     steps:
-      - uses: actions/checkout@v4
-
-      - name: Set version
-        run: echo "VERSION=${GITHUB_REF_NAME#v}" >> $GITHUB_ENV
-
-      - name: Install build dependencies
-        run: pacman -Syu --noconfirm base-devel git rust cargo gtk4 glib2
-
-      - name: Create builder user
-        run: useradd -m builder
-
-      - name: Prepare source
+      # Note: no actions/checkout — the archlinux image has no Node, which JS
+      # actions require. Everything runs as shell steps and clones manually.
+      - name: Build and publish
+        env:
+          PUBLISH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
-          git archive --format=tar.gz \
-            --prefix=bos-settings-${VERSION}/ \
-            HEAD > packaging/arch/bos-settings-${VERSION}.tar.gz
+          set -euo pipefail
+          VERSION="${GITHUB_REF_NAME#v}"
+          pacman -Syu --noconfirm base-devel git rust cargo gtk4 glib2
+          useradd -m builder
+          git config --global --add safe.directory '*'
+          git clone --branch "${GITHUB_REF_NAME}" --depth 1 \
+            "${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git" /home/builder/src
+          cd /home/builder/src
+          git archive --format=tar.gz --prefix="bos-settings-${VERSION}/" HEAD \
+            > packaging/arch/bos-settings-${VERSION}.tar.gz
           SHA=$(sha256sum packaging/arch/bos-settings-${VERSION}.tar.gz | awk '{print $1}')
           sed -i "s/^pkgver=.*/pkgver=${VERSION}/" packaging/arch/PKGBUILD
           sed -i "s/^sha256sums=.*/sha256sums=('${SHA}')/" packaging/arch/PKGBUILD
-          cp -r . /home/builder/src
           chown -R builder:builder /home/builder/src
-
-      - name: Build package
-        run: su builder -c "cd /home/builder/src/packaging/arch && makepkg -sf --noconfirm"
-
-      - name: Publish to Forgejo registry
-        run: |
+          # --nocheck: packaging builds the artifact; tests belong in a CI job.
+          su builder -c "cd /home/builder/src/packaging/arch && makepkg -f --noconfirm --nocheck"
           PKG=$(find /home/builder/src/packaging/arch -name '*.pkg.tar.zst' | head -1)
           curl -fsS -X PUT \
-            -H "Authorization: token ${{ secrets.FORGEJO_TOKEN }}" \
-            --upload-file "${PKG}" \
-            "https://git.breadway.dev/api/packages/breadway/arch/push?distrib=breadway"
+            -H "Authorization: token ${PUBLISH_TOKEN}" \
+            -H "Content-Type: application/octet-stream" \
+            --data-binary "@${PKG}" \
+            "https://git.breadway.dev/api/packages/Breadway/arch/os"

iso/pacman.conf

@@ -30,10 +30,12 @@ Include = /etc/pacman.d/mirrorlist
 # bread ecosystem packages (bread, breadbar, breadbox, breadcrumbs, breadpad,
 # bos-settings).
 #
-# Packages are published here by the Forgejo Actions package.yml workflow
-# in each repo. See git.breadway.dev/api/packages/breadway/arch for the
-# package registry.
+# Packages are published to the Forgejo Arch registry (group "os") by the
+# .forgejo/workflows/package.yml workflow in each repo, on tag push.
+#
+# TODO: packages are currently unsigned (TrustAll). For production, sign
+# them in CI with a GPG key and switch to SigLevel = Required.
 # -----------------------------------------------------------------------
 [breadway]
 SigLevel = Optional TrustAll
-Server = https://git.breadway.dev/api/packages/breadway/arch/breadway/$arch
+Server = https://git.breadway.dev/api/packages/Breadway/arch/os/$arch