Fix Forgejo workflows for the actual server capabilities

- package.yml: correct Arch registry upload (octet-stream + binary body),
  drop --privileged, manual shell clone (archlinux image has no Node),
  built-in Actions token, --nocheck
- mirror.yml: clone --mirror + explicit refs push with --prune

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

.forgejo/workflows/mirror.yml

@@ -9,12 +9,13 @@ jobs:
   mirror:
     runs-on: [self-hosted, hestia]
     steps:
-      - uses: actions/checkout@v4
+      - name: Mirror to GitHub
-        with:
-          fetch-depth: 0
-
-      - name: Push to GitHub
         run: |
-          git remote add github \
+          set -euo pipefail
-            "https://x-access-token:${{ secrets.GITHUB_MIRROR_TOKEN }}@github.com/Breadway/breadpad.git"
+          git clone --mirror "${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git" repo.git
-          git push github --mirror
+          cd repo.git
+          # Mirror only branches and tags (not refs/pull/*, which GitHub rejects);
+          # --prune deletes GitHub refs that no longer exist on Forgejo.
+          git push --prune \
+            "https://x-access-token:${{ secrets.GITHUB_MIRROR_TOKEN }}@github.com/Breadway/breadpad.git" \
+            '+refs/heads/*:refs/heads/*' '+refs/tags/*:refs/tags/*'

.forgejo/workflows/package.yml

@@ -9,38 +9,32 @@ jobs:
     runs-on: [self-hosted, hestia]
     container:
       image: archlinux:latest
-      options: --privileged
-
     steps:
-      - uses: actions/checkout@v4
+      # Note: no actions/checkout — the archlinux image has no Node, which JS
-
+      # actions require. Everything runs as shell steps and clones manually.
-      - name: Set version
+      - name: Build and publish
-        run: echo "VERSION=${GITHUB_REF_NAME#v}" >> $GITHUB_ENV
+        env:
-
+          PUBLISH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-      - name: Install build dependencies
-        run: pacman -Syu --noconfirm base-devel git rust cargo gtk4 gtk4-layer-shell
-
-      - name: Create builder user
-        run: useradd -m builder
-
-      - name: Prepare source
         run: |
-          git archive --format=tar.gz \
+          set -euo pipefail
-            --prefix=breadpad-${VERSION}/ \
+          VERSION="${GITHUB_REF_NAME#v}"
-            HEAD > packaging/arch/breadpad-${VERSION}.tar.gz
+          pacman -Syu --noconfirm base-devel git rust cargo gtk4 gtk4-layer-shell
+          useradd -m builder
+          git config --global --add safe.directory '*'
+          git clone --branch "${GITHUB_REF_NAME}" --depth 1 \
+            "${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git" /home/builder/src
+          cd /home/builder/src
+          git archive --format=tar.gz --prefix="breadpad-${VERSION}/" HEAD \
+            > packaging/arch/breadpad-${VERSION}.tar.gz
           SHA=$(sha256sum packaging/arch/breadpad-${VERSION}.tar.gz | awk '{print $1}')
           sed -i "s/^pkgver=.*/pkgver=${VERSION}/" packaging/arch/PKGBUILD
           sed -i "s/^sha256sums=.*/sha256sums=('${SHA}')/" packaging/arch/PKGBUILD
-          cp -r . /home/builder/src
           chown -R builder:builder /home/builder/src
-
+          # --nocheck: packaging builds the artifact; tests belong in a CI job.
-      - name: Build package
+          su builder -c "cd /home/builder/src/packaging/arch && makepkg -f --noconfirm --nocheck"
-        run: su builder -c "cd /home/builder/src/packaging/arch && makepkg -sf --noconfirm"
-
-      - name: Publish to Forgejo registry
-        run: |
           PKG=$(find /home/builder/src/packaging/arch -name '*.pkg.tar.zst' | head -1)
           curl -fsS -X PUT \
-            -H "Authorization: token ${{ secrets.FORGEJO_TOKEN }}" \
+            -H "Authorization: token ${PUBLISH_TOKEN}" \
-            --upload-file "${PKG}" \
+            -H "Content-Type: application/octet-stream" \
-            "https://git.breadway.dev/api/packages/breadway/arch/push?distrib=breadway"
+            --data-binary "@${PKG}" \
+            "https://git.breadway.dev/api/packages/Breadway/arch/os"