feat(workflows): add manual package removal workflow #20

Merged: mairas merged 4 commits into main from feat/add-package-removal-workflow on Nov 15, 2025

@mairas mairas commented Nov 15, 2025

Summary

Adds a manually-triggered workflow for removing packages from specific distributions in the APT repository.

Use Case

This workflow is needed to clean up packages that were:

  • Published to the wrong distribution (e.g., unstable instead of trixie-unstable)
  • Need to be yanked/removed from the repository
  • Published with errors and need to be removed before republishing

Features

Manual Trigger with Inputs:

  • package_name: Name of package to remove (e.g., cockpit-apt)
  • distribution: Target distribution (stable, unstable, trixie-unstable, etc.)
  • architecture: Package architecture (all, arm64, amd64)

Workflow Steps:

  1. ✅ Removes all matching .deb files from the distribution pool
  2. ✅ Rebuilds repository metadata (Packages, Packages.gz)
  3. ✅ Regenerates Release file with checksums
  4. ✅ Re-signs the repository with GPG
  5. ✅ Commits and pushes changes

Usage

1. Go to Actions → Remove Package from APT Repository
2. Click "Run workflow"
3. Fill in:
   - Package name: cockpit-apt
   - Distribution: unstable
   - Architecture: all
4. Click "Run workflow"

Example: Remove cockpit-apt from unstable

This will remove the cockpit-apt package that was incorrectly published to unstable/main (should have been trixie-unstable/main):

package_name: cockpit-apt
distribution: unstable
architecture: all

Safety

  • Only removes packages matching the exact name pattern
  • Rebuilds metadata to keep repository consistent
  • Creates a commit showing what was removed and by whom
  • Can be run multiple times safely (idempotent)

🤖 Generated with Claude Code

Adds a workflow_dispatch workflow for manually removing packages from
specific distributions in the APT repository.

Features:
- Manual trigger with inputs for package name, distribution, and architecture
- Removes .deb files from the specified distribution pool
- Rebuilds repository metadata (Packages, Release files)
- Re-signs the repository
- Commits and pushes changes

Usage:
  Go to Actions → Remove Package → Run workflow
  - Enter package name (e.g., cockpit-apt)
  - Select distribution (stable, unstable, trixie-unstable, etc.)
  - Select architecture (all, arm64, amd64)

Use case: Remove packages that were published to wrong distributions
or need to be yanked from the repository.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
Copilot AI review requested due to automatic review settings November 15, 2025 21:44

Copilot AI left a comment

Pull Request Overview

This PR adds a manually-triggered GitHub Actions workflow for removing packages from the APT repository. The workflow allows operators to clean up incorrectly published packages or remove packages that need to be yanked from specific distributions.

Key Changes:

  • New workflow with manual trigger (workflow_dispatch) accepting package name, distribution, and architecture inputs
  • Implements package removal, metadata regeneration, and repository re-signing
  • Creates audit trail through Git commits showing who triggered the removal and what was removed

Comment thread .github/workflows/remove-package.yml Outdated

# Sign Release file
echo "Signing Release file..."
gpg --default-key "$GPG_KEY_ID" --armor --detach-sign --yes -o Release.gpg Release

Copilot AI Nov 15, 2025

The GPG signing command is missing the --batch flag that's used in the existing update-repo.yml workflow. This flag prevents GPG from prompting for user input, which is important for automation.

Add the --batch flag for consistency:

gpg --batch --yes --default-key "$GPG_KEY_ID" --armor --detach-sign -o Release.gpg Release
Suggested change
gpg --default-key "$GPG_KEY_ID" --armor --detach-sign --yes -o Release.gpg Release
gpg --batch --default-key "$GPG_KEY_ID" --armor --detach-sign --yes -o Release.gpg Release

PACKAGE="${{ github.event.inputs.package_name }}"
DIST="${{ github.event.inputs.distribution }}"
ARCH="${{ github.event.inputs.architecture }}"
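
Review bot: all three assignments expand `${{ github.event.inputs.* }}` straight into the script text, and that expansion happens before the shell parses the line, so a quote or command substitution in an input is read as shell syntax and any check on `$PACKAGE` afterwards runs too late. Pass the inputs through the step's `env:` block and assign from those environment variables (for example `PACKAGE="$INPUT_PACKAGE"`, name illustrative), then validate DIST and ARCH as well as PACKAGE before any of them is used in a path.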

Copilot AI Nov 15, 2025

The package name input is not validated and is directly used in shell commands and file operations. A malicious actor could potentially inject shell commands or path traversal sequences (e.g., ../../../etc/passwd).

Add input validation before using the package name:

PACKAGE="${{ github.event.inputs.package_name }}"

# Validate package name (only allow alphanumeric, dash, underscore, dot)
if ! [[ "$PACKAGE" =~ ^[a-zA-Z0-9._+-]+$ ]]; then
  echo "❌ Invalid package name. Only alphanumeric characters, dots, dashes, underscores, and plus signs are allowed."
  exit 1
fi
Suggested change
# Validate package name (only allow alphanumeric, dot, dash, underscore, plus)
if ! [[ "$PACKAGE" =~ ^[a-zA-Z0-9._+-]+$ ]]; then
echo "❌ Invalid package name. Only alphanumeric characters, dots, dashes, underscores, and plus signs are allowed."
exit 1
fi

Comment thread .github/workflows/remove-package.yml Outdated
ARCH_DIR="dists/$DIST/main/binary-$arch"
if [ -d "$ARCH_DIR" ]; then
echo "Generating Packages file for $arch..."
dpkg-scanpackages --arch $arch "pool/$DIST/main" /dev/null > "$ARCH_DIR/Packages"
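
Review bot: on the `dpkg-scanpackages` line the `>` redirection truncates `$ARCH_DIR/Packages` before the scan runs, so a failed scan leaves an empty index in place for the later steps to publish. Write to a temporary file and move it over the old one only when the command exits 0. `$arch` is also unquoted in `--arch $arch`.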

Copilot AI Nov 15, 2025

The dpkg-scanpackages command uses a different path pattern than the existing update-repo.yml workflow. The existing workflow uses dpkg-scanpackages -a $arch "pool/$dist/" /dev/null, scanning the entire pool directory for the distribution.

For consistency with the existing workflow (update-repo.yml line 275), consider using:

dpkg-scanpackages -a $arch "pool/$DIST/" /dev/null > "$ARCH_DIR/Packages" 2>/dev/null || touch "$ARCH_DIR/Packages"

Also add the || touch fallback to handle cases where no packages exist, preventing the Packages file from being empty/nonexistent.

Suggested change
dpkg-scanpackages --arch $arch "pool/$DIST/main" /dev/null > "$ARCH_DIR/Packages"
dpkg-scanpackages --arch $arch "pool/$DIST/" /dev/null > "$ARCH_DIR/Packages" 2>/dev/null || touch "$ARCH_DIR/Packages"

Comment thread .github/workflows/remove-package.yml Outdated
if [ -d "$ARCH_DIR" ]; then
echo "Generating Packages file for $arch..."
dpkg-scanpackages --arch $arch "pool/$DIST/main" /dev/null > "$ARCH_DIR/Packages"
gzip -9c "$ARCH_DIR/Packages" > "$ARCH_DIR/Packages.gz"

Copilot AI Nov 15, 2025

The gzip command uses different flags than the existing update-repo.yml workflow. The existing workflow uses gzip -kf which keeps the original file and forces overwrite, while this uses -9c with output redirection.

For consistency with the existing workflow (update-repo.yml line 276), use:

gzip -kf "$ARCH_DIR/Packages"

This is simpler and consistent with the rest of the codebase.

Suggested change
gzip -9c "$ARCH_DIR/Packages" > "$ARCH_DIR/Packages.gz"
gzip -kf "$ARCH_DIR/Packages"

Comment thread .github/workflows/remove-package.yml Outdated
options:
- all
- arm64
- amd64

Copilot AI Nov 15, 2025

The amd64 architecture is listed as an option, but the existing update-repo.yml workflow only creates and manages arm64 and all architectures. This means if a user tries to remove an amd64 package, the workflow will fail because the binary-amd64 directory doesn't exist in the repository structure.

Either remove amd64 from the options if it's not supported, or ensure the workflow can handle it properly:

options:
  - all
  - arm64
Suggested change
- amd64

Comment thread .github/workflows/remove-package.yml Outdated
Comment on lines +67 to +71
find "$POOL_DIR" -name "${PACKAGE}_*_${ARCH}.deb" -type f | while read -r debfile; do
echo " Removing: $debfile"
rm -f "$debfile"
REMOVED_COUNT=$((REMOVED_COUNT + 1))
done
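
Review bot: in the `find` line, `-name "${PACKAGE}_*_${ARCH}.deb"` treats PACKAGE as a glob pattern, so a value containing `*`, `?` or `[` matches files of other packages; the package-name check has to run before this loop and reject those characters. `rm -f` also hides a failed delete, so count a file as removed only when `rm` returns success.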

Copilot AI Nov 15, 2025

The REMOVED_COUNT variable is being incremented inside a subshell created by the while read loop in a pipe. This means the counter will not persist outside the loop, and line 73 will always evaluate to 0.

To fix this, use process substitution instead:

while read -r debfile; do
  echo "  Removing: $debfile"
  rm -f "$debfile"
  REMOVED_COUNT=$((REMOVED_COUNT + 1))
done < <(find "$POOL_DIR" -name "${PACKAGE}_*_${ARCH}.deb" -type f)
Suggested change
find "$POOL_DIR" -name "${PACKAGE}_*_${ARCH}.deb" -type f | while read -r debfile; do
echo " Removing: $debfile"
rm -f "$debfile"
REMOVED_COUNT=$((REMOVED_COUNT + 1))
done
while read -r debfile; do
echo " Removing: $debfile"
rm -f "$debfile"
REMOVED_COUNT=$((REMOVED_COUNT + 1))
done < <(find "$POOL_DIR" -name "${PACKAGE}_*_${ARCH}.deb" -type f)
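
The two fixes discussed in the review comments above (the allowlist check on the package name and a removal count that survives the loop), combined into one runnable sketch. This is an added example, not code from the PR or from update-repo.yml: the function names, the temporary directory and the sample file names are constructed, and the count uses `find ... -exec rm ... -print | wc -l` instead of process substitution so it also runs under POSIX sh.

```shell
#!/bin/sh
# Added example, not the PR's code. Assumption: inputs arrive as plain
# strings (function arguments here; environment variables in a workflow).
LC_ALL=C; export LC_ALL   # make the A-Z / a-z ranges below byte-exact

# Same character set as the regex in the review comment, as a POSIX case
# pattern: anything outside it (glob characters, '/', spaces) is rejected.
valid_package() {
  case "$1" in
    '' | *[!A-Za-z0-9._+-]*) return 1 ;;
    [-._+]*) return 1 ;;   # stricter than the page: must start alphanumeric
  esac
  return 0
}

# Distribution names taken from the case statement shown in the review.
valid_distribution() {
  case "$1" in
    stable | unstable | bookworm-stable | bookworm-unstable) return 0 ;;
    trixie-stable | trixie-unstable) return 0 ;;
  esac
  return 1
}

# Architectures left after the review dropped amd64.
valid_architecture() {
  case "$1" in
    all | arm64) return 0 ;;
  esac
  return 1
}

# remove_package REPO_ROOT PACKAGE DIST ARCH
# Prints how many .deb files were deleted; returns 2 on rejected input.
remove_package() {
  repo=$1 pkg=$2 dist=$3 arch=$4
  valid_package "$pkg" || { echo "invalid package name" >&2; return 2; }
  valid_distribution "$dist" || { echo "unknown distribution" >&2; return 2; }
  valid_architecture "$arch" || { echo "unsupported architecture" >&2; return 2; }

  pool="$repo/pool/$dist/main"
  [ -d "$pool" ] || { echo 0; return 0; }

  # -print comes after -exec, so a path is printed (and counted) only when
  # rm succeeded. Counting find's output keeps the total in this shell; a
  # counter incremented inside `find | while read` is lost with the subshell.
  removed=$(find "$pool" -type f -name "${pkg}_*_${arch}.deb" \
              -exec rm -- {} \; -print | wc -l)
  echo "$((removed))"
}

# Constructed sample tree: empty files standing in for .deb packages.
make_sample_repo() {
  root=$(mktemp -d)
  mkdir -p "$root/pool/unstable/main" "$root/pool/trixie-unstable/main"
  : > "$root/pool/unstable/main/cockpit-apt_0.1.0_all.deb"
  : > "$root/pool/unstable/main/cockpit-apt_0.2.0_all.deb"
  : > "$root/pool/unstable/main/cockpit-apt-extras_0.1.0_all.deb"
  : > "$root/pool/trixie-unstable/main/cockpit-apt_0.2.0_all.deb"
  echo "$root"
}

# Demo run on the constructed tree.
demo_root=$(make_sample_repo)
echo "first run removed:  $(remove_package "$demo_root" cockpit-apt unstable all)"
echo "second run removed: $(remove_package "$demo_root" cockpit-apt unstable all)"
remove_package "$demo_root" '../../etc' unstable all || echo "rejected, status $?"
rm -rf "$demo_root"
```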

Comment thread .github/workflows/remove-package.yml Outdated
Comment on lines +117 to +126
echo "MD5Sum:" >> Release
find main -type f | while read file; do
md5sum "$file" | awk '{print " " $1 " " size " " file}' size=$(stat -c%s "$file" 2>/dev/null || stat -f%z "$file") file="$file" >> Release
done

echo "SHA256:" >> Release
find main -type f | while read file; do
sha256sum "$file" | awk '{print " " $1 " " size " " file}' size=$(stat -c%s "$file" 2>/dev/null || stat -f%z "$file") file="$file" >> Release
done

Copilot AI Nov 15, 2025

The manual checksum generation using find, awk, and stat is complex and error-prone. The existing update-repo.yml workflow uses apt-ftparchive release . which automatically generates all checksums (MD5Sum, SHA256, SHA512) in the correct format.

Replace lines 116-125 with:

# Add checksums
apt-ftparchive release . >> Release

This is simpler, more reliable, and consistent with the existing workflow.

Suggested change
echo "MD5Sum:" >> Release
find main -type f | while read file; do
md5sum "$file" | awk '{print " " $1 " " size " " file}' size=$(stat -c%s "$file" 2>/dev/null || stat -f%z "$file") file="$file" >> Release
done
echo "SHA256:" >> Release
find main -type f | while read file; do
sha256sum "$file" | awk '{print " " $1 " " size " " file}' size=$(stat -c%s "$file" 2>/dev/null || stat -f%z "$file") file="$file" >> Release
done
apt-ftparchive release . >> Release

Comment thread .github/workflows/remove-package.yml Outdated
# Sign Release file
echo "Signing Release file..."
gpg --default-key "$GPG_KEY_ID" --armor --detach-sign --yes -o Release.gpg Release
gpg --default-key "$GPG_KEY_ID" --armor --detach-sign --yes --clearsign -o InRelease Release

Copilot AI Nov 15, 2025

The GPG command incorrectly combines --detach-sign with --clearsign. The --clearsign option creates an inline signature, not a detached signature, so these options are mutually exclusive.

The correct command based on the existing update-repo.yml workflow should be:

gpg --default-key "$GPG_KEY_ID" --batch --yes --clear-sign -o InRelease Release

Note: Also removed --armor since --clear-sign already produces ASCII-armored output.

Suggested change
gpg --default-key "$GPG_KEY_ID" --armor --detach-sign --yes --clearsign -o InRelease Release
gpg --default-key "$GPG_KEY_ID" --batch --yes --clear-sign -o InRelease Release

Fixes all 8 issues identified by Copilot code review:

Security:
- Add input validation for package name (prevents injection attacks)
  Only allows alphanumeric, dots, dashes, underscores, plus signs

Bug Fixes:
- Fix REMOVED_COUNT subshell issue using process substitution
- Remove unsupported amd64 architecture from options
- Fix GPG InRelease command (remove --detach-sign, use --clear-sign)

Consistency:
- Add --batch flag to GPG signing commands
- Use dpkg-scanpackages with "pool/$DIST/" path pattern
- Use gzip -kf instead of -9c for consistency
- Use apt-ftparchive for checksums instead of manual generation

All changes align with existing update-repo.yml workflow patterns
for consistency across the codebase.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

Copilot AI left a comment

Pull Request Overview

Copilot reviewed 1 out of 1 changed files in this pull request and generated 2 comments.


Comment thread .github/workflows/remove-package.yml
Comment thread .github/workflows/remove-package.yml Outdated
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Copilot AI review requested due to automatic review settings November 15, 2025 21:57
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
@mairas mairas merged commit 169df0f into main Nov 15, 2025
@mairas mairas deleted the feat/add-package-removal-workflow branch November 15, 2025 21:58

Copilot AI left a comment

Pull Request Overview

Copilot reviewed 1 out of 1 changed files in this pull request and generated 9 comments.


Comment on lines +116 to +146
DESCRIPTION="Hat Labs Stable APT Repository"
;;
unstable)
SUITE="unstable"
CODENAME="unstable"
DESCRIPTION="Hat Labs Unstable APT Repository"
;;
bookworm-stable)
SUITE="stable"
CODENAME="bookworm"
DESCRIPTION="Hat Labs Bookworm Stable APT Repository"
;;
bookworm-unstable)
SUITE="unstable"
CODENAME="bookworm"
DESCRIPTION="Hat Labs Bookworm Unstable APT Repository"
;;
trixie-stable)
SUITE="stable"
CODENAME="trixie"
DESCRIPTION="Hat Labs Trixie Stable APT Repository"
;;
trixie-unstable)
SUITE="unstable"
CODENAME="trixie"
DESCRIPTION="Hat Labs Trixie Unstable APT Repository"
;;
*)
SUITE="$DIST"
CODENAME="$DIST"
DESCRIPTION="Hat Labs APT Repository"
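
Review bot: the `*)` branch at the end of this case statement accepts any distribution value and copies it into SUITE and CODENAME, so a typo or unexpected input still produces Release metadata for it. The supported names are already listed in the branches above, so make the default branch print an error and exit non-zero.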

Copilot AI Nov 15, 2025

The Description field is inconsistent with the existing update-repo.yml workflow. In update-repo.yml (lines 290-310), the descriptions use "Hat Labs product packages (stable)" and "Halos packages for Debian" for versioned distributions. This inconsistency could confuse users. Consider aligning with the existing format used in update-repo.yml.

Suggested change
DESCRIPTION="Hat Labs Stable APT Repository"
;;
unstable)
SUITE="unstable"
CODENAME="unstable"
DESCRIPTION="Hat Labs Unstable APT Repository"
;;
bookworm-stable)
SUITE="stable"
CODENAME="bookworm"
DESCRIPTION="Hat Labs Bookworm Stable APT Repository"
;;
bookworm-unstable)
SUITE="unstable"
CODENAME="bookworm"
DESCRIPTION="Hat Labs Bookworm Unstable APT Repository"
;;
trixie-stable)
SUITE="stable"
CODENAME="trixie"
DESCRIPTION="Hat Labs Trixie Stable APT Repository"
;;
trixie-unstable)
SUITE="unstable"
CODENAME="trixie"
DESCRIPTION="Hat Labs Trixie Unstable APT Repository"
;;
*)
SUITE="$DIST"
CODENAME="$DIST"
DESCRIPTION="Hat Labs APT Repository"
DESCRIPTION="Hat Labs product packages (stable)"
;;
unstable)
SUITE="unstable"
CODENAME="unstable"
DESCRIPTION="Hat Labs product packages (unstable)"
;;
bookworm-stable)
SUITE="stable"
CODENAME="bookworm"
DESCRIPTION="Hat Labs product packages (bookworm-stable)"
;;
bookworm-unstable)
SUITE="unstable"
CODENAME="bookworm"
DESCRIPTION="Hat Labs product packages (bookworm-unstable)"
;;
trixie-stable)
SUITE="stable"
CODENAME="trixie"
DESCRIPTION="Hat Labs product packages (trixie-stable)"
;;
trixie-unstable)
SUITE="unstable"
CODENAME="trixie"
DESCRIPTION="Hat Labs product packages (trixie-unstable)"
;;
*)
SUITE="$DIST"
CODENAME="$DIST"
DESCRIPTION="Hat Labs product packages ($DIST)"

Comment on lines +114 to +139
SUITE="stable"
CODENAME="stable"
DESCRIPTION="Hat Labs Stable APT Repository"
;;
unstable)
SUITE="unstable"
CODENAME="unstable"
DESCRIPTION="Hat Labs Unstable APT Repository"
;;
bookworm-stable)
SUITE="stable"
CODENAME="bookworm"
DESCRIPTION="Hat Labs Bookworm Stable APT Repository"
;;
bookworm-unstable)
SUITE="unstable"
CODENAME="bookworm"
DESCRIPTION="Hat Labs Bookworm Unstable APT Repository"
;;
trixie-stable)
SUITE="stable"
CODENAME="trixie"
DESCRIPTION="Hat Labs Trixie Stable APT Repository"
;;
trixie-unstable)
SUITE="unstable"

Copilot AI Nov 15, 2025

The Suite value is inconsistent with update-repo.yml. For bookworm-stable, this sets Suite="stable", but update-repo.yml (line 299) sets Suite="bookworm-stable" (using the full distribution name). This inconsistency could break APT repository functionality. The Suite should be set to "$DIST" instead of "stable" to match the existing workflow.

Suggested change
SUITE="stable"
CODENAME="stable"
DESCRIPTION="Hat Labs Stable APT Repository"
;;
unstable)
SUITE="unstable"
CODENAME="unstable"
DESCRIPTION="Hat Labs Unstable APT Repository"
;;
bookworm-stable)
SUITE="stable"
CODENAME="bookworm"
DESCRIPTION="Hat Labs Bookworm Stable APT Repository"
;;
bookworm-unstable)
SUITE="unstable"
CODENAME="bookworm"
DESCRIPTION="Hat Labs Bookworm Unstable APT Repository"
;;
trixie-stable)
SUITE="stable"
CODENAME="trixie"
DESCRIPTION="Hat Labs Trixie Stable APT Repository"
;;
trixie-unstable)
SUITE="unstable"
SUITE="$DIST"
CODENAME="stable"
DESCRIPTION="Hat Labs Stable APT Repository"
;;
unstable)
SUITE="$DIST"
CODENAME="unstable"
DESCRIPTION="Hat Labs Unstable APT Repository"
;;
bookworm-stable)
SUITE="$DIST"
CODENAME="bookworm"
DESCRIPTION="Hat Labs Bookworm Stable APT Repository"
;;
bookworm-unstable)
SUITE="$DIST"
CODENAME="bookworm"
DESCRIPTION="Hat Labs Bookworm Unstable APT Repository"
;;
trixie-stable)
SUITE="$DIST"
CODENAME="trixie"
DESCRIPTION="Hat Labs Trixie Stable APT Repository"
;;
trixie-unstable)
SUITE="$DIST"

Comment on lines +124 to +139
SUITE="stable"
CODENAME="bookworm"
DESCRIPTION="Hat Labs Bookworm Stable APT Repository"
;;
bookworm-unstable)
SUITE="unstable"
CODENAME="bookworm"
DESCRIPTION="Hat Labs Bookworm Unstable APT Repository"
;;
trixie-stable)
SUITE="stable"
CODENAME="trixie"
DESCRIPTION="Hat Labs Trixie Stable APT Repository"
;;
trixie-unstable)
SUITE="unstable"

Copilot AI Nov 15, 2025

The Suite value is inconsistent with update-repo.yml. For bookworm-unstable, this sets Suite="unstable", but update-repo.yml (line 299) sets Suite="bookworm-unstable" (using the full distribution name). This inconsistency could break APT repository functionality. The Suite should be set to "$DIST" instead of "unstable" to match the existing workflow.

Suggested change
SUITE="stable"
CODENAME="bookworm"
DESCRIPTION="Hat Labs Bookworm Stable APT Repository"
;;
bookworm-unstable)
SUITE="unstable"
CODENAME="bookworm"
DESCRIPTION="Hat Labs Bookworm Unstable APT Repository"
;;
trixie-stable)
SUITE="stable"
CODENAME="trixie"
DESCRIPTION="Hat Labs Trixie Stable APT Repository"
;;
trixie-unstable)
SUITE="unstable"
SUITE="$DIST"
CODENAME="bookworm"
DESCRIPTION="Hat Labs Bookworm Stable APT Repository"
;;
bookworm-unstable)
SUITE="$DIST"
CODENAME="bookworm"
DESCRIPTION="Hat Labs Bookworm Unstable APT Repository"
;;
trixie-stable)
SUITE="$DIST"
CODENAME="trixie"
DESCRIPTION="Hat Labs Trixie Stable APT Repository"
;;
trixie-unstable)
SUITE="$DIST"

Comment on lines +124 to +139
SUITE="stable"
CODENAME="bookworm"
DESCRIPTION="Hat Labs Bookworm Stable APT Repository"
;;
bookworm-unstable)
SUITE="unstable"
CODENAME="bookworm"
DESCRIPTION="Hat Labs Bookworm Unstable APT Repository"
;;
trixie-stable)
SUITE="stable"
CODENAME="trixie"
DESCRIPTION="Hat Labs Trixie Stable APT Repository"
;;
trixie-unstable)
SUITE="unstable"

Copilot AI Nov 15, 2025

The Suite value is inconsistent with update-repo.yml. For trixie-stable, this sets Suite="stable", but update-repo.yml (line 299) sets Suite="trixie-stable" (using the full distribution name). This inconsistency could break APT repository functionality. The Suite should be set to "$DIST" instead of "stable" to match the existing workflow.

Suggested change
SUITE="stable"
CODENAME="bookworm"
DESCRIPTION="Hat Labs Bookworm Stable APT Repository"
;;
bookworm-unstable)
SUITE="unstable"
CODENAME="bookworm"
DESCRIPTION="Hat Labs Bookworm Unstable APT Repository"
;;
trixie-stable)
SUITE="stable"
CODENAME="trixie"
DESCRIPTION="Hat Labs Trixie Stable APT Repository"
;;
trixie-unstable)
SUITE="unstable"
SUITE="$DIST"
CODENAME="bookworm"
DESCRIPTION="Hat Labs Bookworm Stable APT Repository"
;;
bookworm-unstable)
SUITE="$DIST"
CODENAME="bookworm"
DESCRIPTION="Hat Labs Bookworm Unstable APT Repository"
;;
trixie-stable)
SUITE="$DIST"
CODENAME="trixie"
DESCRIPTION="Hat Labs Trixie Stable APT Repository"
;;
trixie-unstable)
SUITE="$DIST"

DESCRIPTION="Hat Labs Trixie Stable APT Repository"
;;
trixie-unstable)
SUITE="unstable"

Copilot AI Nov 15, 2025

The Suite value is inconsistent with update-repo.yml. For trixie-unstable, this sets Suite="unstable", but update-repo.yml (line 299) sets Suite="trixie-unstable" (using the full distribution name). This inconsistency could break APT repository functionality. The Suite should be set to "$DIST" instead of "unstable" to match the existing workflow.

Suggested change
SUITE="unstable"
SUITE="$DIST"

Comment on lines +116 to +146
DESCRIPTION="Hat Labs Stable APT Repository"
;;
unstable)
SUITE="unstable"
CODENAME="unstable"
DESCRIPTION="Hat Labs Unstable APT Repository"
;;
bookworm-stable)
SUITE="stable"
CODENAME="bookworm"
DESCRIPTION="Hat Labs Bookworm Stable APT Repository"
;;
bookworm-unstable)
SUITE="unstable"
CODENAME="bookworm"
DESCRIPTION="Hat Labs Bookworm Unstable APT Repository"
;;
trixie-stable)
SUITE="stable"
CODENAME="trixie"
DESCRIPTION="Hat Labs Trixie Stable APT Repository"
;;
trixie-unstable)
SUITE="unstable"
CODENAME="trixie"
DESCRIPTION="Hat Labs Trixie Unstable APT Repository"
;;
*)
SUITE="$DIST"
CODENAME="$DIST"
DESCRIPTION="Hat Labs APT Repository"

Copilot AI Nov 15, 2025

The Description field is inconsistent with the existing update-repo.yml workflow. In update-repo.yml (lines 290-310), the descriptions use "Halos packages for Debian Bookworm (stable)" format. This inconsistency could confuse users. Consider aligning with the existing format used in update-repo.yml.

Suggested change
DESCRIPTION="Hat Labs Stable APT Repository"
;;
unstable)
SUITE="unstable"
CODENAME="unstable"
DESCRIPTION="Hat Labs Unstable APT Repository"
;;
bookworm-stable)
SUITE="stable"
CODENAME="bookworm"
DESCRIPTION="Hat Labs Bookworm Stable APT Repository"
;;
bookworm-unstable)
SUITE="unstable"
CODENAME="bookworm"
DESCRIPTION="Hat Labs Bookworm Unstable APT Repository"
;;
trixie-stable)
SUITE="stable"
CODENAME="trixie"
DESCRIPTION="Hat Labs Trixie Stable APT Repository"
;;
trixie-unstable)
SUITE="unstable"
CODENAME="trixie"
DESCRIPTION="Hat Labs Trixie Unstable APT Repository"
;;
*)
SUITE="$DIST"
CODENAME="$DIST"
DESCRIPTION="Hat Labs APT Repository"
DESCRIPTION="Halos packages for Debian Stable (stable)"
;;
unstable)
SUITE="unstable"
CODENAME="unstable"
DESCRIPTION="Halos packages for Debian Unstable (unstable)"
;;
bookworm-stable)
SUITE="stable"
CODENAME="bookworm"
DESCRIPTION="Halos packages for Debian Bookworm (stable)"
;;
bookworm-unstable)
SUITE="unstable"
CODENAME="bookworm"
DESCRIPTION="Halos packages for Debian Bookworm (unstable)"
;;
trixie-stable)
SUITE="stable"
CODENAME="trixie"
DESCRIPTION="Halos packages for Debian Trixie (stable)"
;;
trixie-unstable)
SUITE="unstable"
CODENAME="trixie"
DESCRIPTION="Halos packages for Debian Trixie (unstable)"
;;
*)
SUITE="$DIST"
CODENAME="$DIST"
DESCRIPTION="Halos packages for Debian $DIST"

Comment on lines +116 to +146
DESCRIPTION="Hat Labs Stable APT Repository"
;;
unstable)
SUITE="unstable"
CODENAME="unstable"
DESCRIPTION="Hat Labs Unstable APT Repository"
;;
bookworm-stable)
SUITE="stable"
CODENAME="bookworm"
DESCRIPTION="Hat Labs Bookworm Stable APT Repository"
;;
bookworm-unstable)
SUITE="unstable"
CODENAME="bookworm"
DESCRIPTION="Hat Labs Bookworm Unstable APT Repository"
;;
trixie-stable)
SUITE="stable"
CODENAME="trixie"
DESCRIPTION="Hat Labs Trixie Stable APT Repository"
;;
trixie-unstable)
SUITE="unstable"
CODENAME="trixie"
DESCRIPTION="Hat Labs Trixie Unstable APT Repository"
;;
*)
SUITE="$DIST"
CODENAME="$DIST"
DESCRIPTION="Hat Labs APT Repository"

Copilot AI Nov 15, 2025

The Description field is inconsistent with the existing update-repo.yml workflow. In update-repo.yml (lines 290-310), the descriptions use "Halos packages for Debian Trixie (stable)" format. This inconsistency could confuse users. Consider aligning with the existing format used in update-repo.yml.

Suggested change
DESCRIPTION="Hat Labs Stable APT Repository"
;;
unstable)
SUITE="unstable"
CODENAME="unstable"
DESCRIPTION="Hat Labs Unstable APT Repository"
;;
bookworm-stable)
SUITE="stable"
CODENAME="bookworm"
DESCRIPTION="Hat Labs Bookworm Stable APT Repository"
;;
bookworm-unstable)
SUITE="unstable"
CODENAME="bookworm"
DESCRIPTION="Hat Labs Bookworm Unstable APT Repository"
;;
trixie-stable)
SUITE="stable"
CODENAME="trixie"
DESCRIPTION="Hat Labs Trixie Stable APT Repository"
;;
trixie-unstable)
SUITE="unstable"
CODENAME="trixie"
DESCRIPTION="Hat Labs Trixie Unstable APT Repository"
;;
*)
SUITE="$DIST"
CODENAME="$DIST"
DESCRIPTION="Hat Labs APT Repository"
DESCRIPTION="Halos packages for Debian Stable (stable)"
;;
unstable)
SUITE="unstable"
CODENAME="unstable"
DESCRIPTION="Halos packages for Debian Unstable (unstable)"
;;
bookworm-stable)
SUITE="stable"
CODENAME="bookworm"
DESCRIPTION="Halos packages for Debian Bookworm (stable)"
;;
bookworm-unstable)
SUITE="unstable"
CODENAME="bookworm"
DESCRIPTION="Halos packages for Debian Bookworm (unstable)"
;;
trixie-stable)
SUITE="stable"
CODENAME="trixie"
DESCRIPTION="Halos packages for Debian Trixie (stable)"
;;
trixie-unstable)
SUITE="unstable"
CODENAME="trixie"
DESCRIPTION="Halos packages for Debian Trixie (unstable)"
;;
*)
SUITE="$DIST"
CODENAME="$DIST"
DESCRIPTION="Halos packages for Debian $DIST"


cat > Release <<EOF
Origin: Hat Labs
Label: Hat Labs

Copilot AI Nov 15, 2025

The Label field value "Hat Labs" is inconsistent with the existing update-repo.yml workflow, which uses "Hat Labs APT Repository" (line 315). This inconsistency could cause confusion. Consider using "Hat Labs APT Repository" to match the existing workflow.

Suggested change
Label: Hat Labs
Label: Hat Labs APT Repository

Comment on lines +150 to +159
cat > Release <<EOF
Origin: Hat Labs
Label: Hat Labs
Suite: $SUITE
Codename: $CODENAME
Architectures: arm64 all
Components: main
Description: $DESCRIPTION
Date: $(date -Ru)
EOF

Copilot AI Nov 15, 2025

The Release file is missing the "Version: 1.0" field that's present in the update-repo.yml workflow (line 318). For consistency across workflows, consider adding this field after the Codename line.
