From f6f28a4529010b1f2377f10690cef719bb8df82d Mon Sep 17 00:00:00 2001
From: Marc Mintel <marc@mintel.me>
Date: Sun, 1 Feb 2026 22:30:22 +0100
Subject: [PATCH] fix(ci): robust chromium install for arm64 with os detection
 and gpg retries

---
 .gitea/workflows/deploy.yml | 44 ++++++++++++++++++++++++++++---------
 1 file changed, 34 insertions(+), 10 deletions(-)

diff --git a/.gitea/workflows/deploy.yml b/.gitea/workflows/deploy.yml
index 8a91dad2..88c82c3d 100644
--- a/.gitea/workflows/deploy.yml
+++ b/.gitea/workflows/deploy.yml
@@ -345,18 +345,42 @@ jobs:
       - name: Install dependencies
         run: npm ci
 
-      - name: 🔍 Install Chromium (Native)
+      - name: 🔍 Install Chromium (Native & ARM64)
         run: |
           apt-get update
-          apt-get install -y gnupg wget
-          # Manually add xtradeb PPA with modern signed-by (avoids software-properties-common dependency)
-          # Works for Ubuntu; uses port 80 for better keyserver reliability
-          export CODENAME=$(. /etc/os-release && echo $VERSION_CODENAME)
-          mkdir -p /etc/apt/keyrings
-          wget -qO- "http://keyserver.ubuntu.com/pks/lookup?op=get&search=0x290d73d2240900b5" | gpg --dearmor > /etc/apt/keyrings/xtradeb.gpg
-          echo "deb [signed-by=/etc/apt/keyrings/xtradeb.gpg] http://ppa.launchpad.net/xtradeb/apps/ubuntu $CODENAME main" > /etc/apt/sources.list.d/xtradeb-ppa.list
-          apt-get update
-          apt-get install -y chromium
+          apt-get install -y gnupg wget ca-certificates
+          
+          # Detect OS
+          OS_ID=$(. /etc/os-release && echo $ID)
+          CODENAME=$(. /etc/os-release && echo $VERSION_CODENAME)
+          
+          if [ "$OS_ID" = "debian" ]; then
+            echo "🎯 Debian detected - installing native chromium"
+            apt-get install -y chromium
+          else
+            echo "🎯 Ubuntu detected - adding xtradeb PPA for native chromium (non-snap)"
+            mkdir -p /etc/apt/keyrings
+            # Robust key fetch with retries and fallback servers
+            for server in "hkp://keyserver.ubuntu.com:80" "hkp://keyserver.ubuntu.com:11371"; do
+              echo "Trying keyserver: $server"
+              if gpg --homedir /tmp --no-default-keyring --keyring /tmp/xtradeb-temp.gpg --keyserver "$server" --recv-keys 290D73D2240900B5; then
+                gpg --homedir /tmp --no-default-keyring --keyring /tmp/xtradeb-temp.gpg --export > /etc/apt/keyrings/xtradeb.gpg
+                break
+              fi
+            done
+            
+            if [ -f /etc/apt/keyrings/xtradeb.gpg ]; then
+              echo "deb [signed-by=/etc/apt/keyrings/xtradeb.gpg] http://ppa.launchpad.net/xtradeb/apps/ubuntu $CODENAME main" > /etc/apt/sources.list.d/xtradeb-ppa.list
+              apt-get update
+              apt-get install -y chromium || apt-get install -y chromium-browser
+            else
+              echo "⚠️ Could not fetch GPG key, trying fallback install..."
+              apt-get install -y chromium || apt-get install -y chromium-browser
+            fi
+          fi
+          
+          # Ensure consistent paths for Lighthouse
+          [ -f /usr/bin/chromium ] && ln -sf /usr/bin/chromium /usr/bin/chromium-browser || true
         continue-on-error: true
 
       - name: 🧪 Run PageSpeed (Lighthouse)