ci: pull-based deploy to the Pi via rolling dev release

The Pi is on a closed travel-router LAN, so push-based deploy from a
runner can't reach it. Switch to pull: the runner builds + publishes,
the Pi fetches.

- build-dev.yaml: after the arm64 build, publish the binary + sha256 +
  version.txt to a rolling "dev" Gitea release (replaces the
  upload-artifact + repository_dispatch -> deploy-dev hop)
- remove deploy-dev.yaml (push/scp-based deploy no longer used)
- scripts/pi-update.sh: poll the dev release, verify sha256, install via
  deploy.sh (backup/restart/rollback); only updates when version changes
- scripts/remoterig-update.{service,timer}: run the updater every 5 min
- setup-pi.sh: install deploy.sh + pi-update.sh + update.env template +
  the updater timer; summary now reflects the pull flow
- README: document the pull-based CI/CD; fix stale GOARM=6 (Zero 2 W is
  arm64 on 64-bit OS / arm GOARM=7 on 32-bit)

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

.gitea/workflows/build-dev.yaml

@@ -7,8 +7,8 @@ on:
   workflow_dispatch:
 
 env:
-  GO_VERSION: "1.23"
-  NODE_VERSION: "20"
+  GO_VERSION: "1.25"
+  NODE_VERSION: "22"
   BINARY_NAME: remoterig
 
 jobs:
@@ -39,25 +39,34 @@ jobs:
             go build -ldflags="-s -w -X main.version=${GITHUB_SHA:0:8}" \
             -o ${{ env.BINARY_NAME }} ./cmd/server
 
-      - name: Upload build artifact
-        uses: actions/upload-artifact@v4
-        with:
-          name: ${{ env.BINARY_NAME }}
-          path: ${{ env.BINARY_NAME }}
-          retention-days: 5
+      # Pull-based deploy: publish the binary to a rolling "dev" release.
+      # The Pi polls this release and self-updates (scripts/pi-update.sh);
+      # the runner never needs to reach the closed RemoteRig network.
+      - name: Publish to rolling dev release
+        env:
+          TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          SERVER: ${{ github.server_url }}
+          REPO: ${{ github.repository }}
+          SHA: ${{ github.sha }}
+        run: |
+          set -euo pipefail
+          command -v jq >/dev/null || sudo apt-get update -qq && sudo apt-get install -y -qq jq
+          API="$SERVER/api/v1/repos/$REPO"
+          AUTH="Authorization: token $TOKEN"
+          VERSION="${SHA:0:8}"
+          echo "$VERSION" > version.txt
+          sha256sum "$BINARY_NAME" | awk '{print $1}' > "$BINARY_NAME.sha256"
 
-      - name: Trigger deploy workflow
-        if: success()
-        uses: actions/github-script@v7
-        with:
-          github-token: ${{ secrets.GITHUB_TOKEN }}
-          script: |
-            await github.rest.repos.createDispatchEvent({
-              owner: context.repo.owner,
-              repo: context.repo.repo,
-              event_type: 'dev-build-success',
-              client_payload: {
-                sha: context.sha,
-                ref: context.ref
-              }
-            })
+          # Roll the "dev" release forward to this commit (delete old release + tag).
+          REL_ID=$(curl -sf -H "$AUTH" "$API/releases/tags/dev" | jq -r '.id // empty' || true)
+          [ -n "$REL_ID" ] && curl -sf -X DELETE -H "$AUTH" "$API/releases/$REL_ID" || true
+          curl -sf -X DELETE -H "$AUTH" "$API/tags/dev" || true
+
+          REL_ID=$(curl -sf -X POST -H "$AUTH" -H "Content-Type: application/json" "$API/releases" \
+            -d "{\"tag_name\":\"dev\",\"target_commitish\":\"$SHA\",\"name\":\"dev ($VERSION)\",\"body\":\"Rolling dev build $SHA\",\"prerelease\":true}" \
+            | jq -r '.id')
+
+          for f in "$BINARY_NAME" "$BINARY_NAME.sha256" version.txt; do
+            curl -sf -X POST -H "$AUTH" -F "attachment=@$f" "$API/releases/$REL_ID/assets?name=$f"
+          done
+          echo "Published dev release $VERSION"

.gitea/workflows/deploy-dev.yaml

@@ -1,115 +0,0 @@
-name: Deploy (Dev)
-
-on:
-  repository_dispatch:
-    types:
-      - dev-build-success
-  workflow_dispatch:
-
-env:
-  BINARY_NAME: remoterig
-  DEV_HOST: ${{ secrets.DEV_HOST }}
-  DEV_USER: ${{ secrets.DEV_USER }}
-  DEPLOY_PATH: /opt/remoterig/remoterig
-
-jobs:
-  deploy:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-
-      - name: Download build artifact
-        uses: actions/download-artifact@v4
-        with:
-          name: ${{ env.BINARY_NAME }}
-
-      - name: Ensure binary is executable
-        run: chmod +x ${{ env.BINARY_NAME }}
-
-      - name: Write deploy script
-        run: |
-          cat > deploy.sh <<'SCRIPT'
-          #!/usr/bin/env bash
-          set -euo pipefail
-          BINARY="${1:-remoterig}"
-          DEPLOY_PATH="${2:-/opt/remoterig/remoterig}"
-          SERVICE="${3:-remoterig}"
-          TIMESTAMP=$(date +%Y%m%d%H%M%S)
-          BACKUP="${DEPLOY_PATH}.${TIMESTAMP}.bak"
-
-          echo "::backup:: copying current binary"
-          if [ -f "$DEPLOY_PATH" ]; then
-            cp "$DEPLOY_PATH" "$BACKUP"
-          fi
-
-          echo "::deploy:: installing new binary"
-          cp "$BINARY" "$DEPLOY_PATH"
-          chmod +x "$DEPLOY_PATH"
-
-          echo "::restart:: reloading service"
-          systemctl reload-or-restart "$SERVICE" || systemctl restart "$SERVICE"
-
-          echo "::health:: waiting for service"
-          sleep 3
-          if systemctl is-active --quiet "$SERVICE"; then
-            echo "deploy ok — ${SERVICE} is active"
-          else
-            echo "::rollback:: service failed, restoring backup"
-            if [ -f "$BACKUP" ]; then
-              cp "$BACKUP" "$DEPLOY_PATH"
-              systemctl restart "$SERVICE"
-            fi
-            echo "rolled back to previous binary"
-            exit 1
-          fi
-
-          echo "::cleanup:: removing old backups (keeping last 3)"
-          ls -t "${DEPLOY_PATH}."*.bak 2>/dev/null | tail -n +4 | xargs -r rm -f
-          SCRIPT
-          chmod +x deploy.sh
-
-      - name: Deploy config.yaml (if present)
-        run: |
-          if [ -f config.yaml ]; then
-            echo "config.yaml found, will deploy alongside binary"
-            echo "config.yaml" >> deploy-files.txt
-          else
-            echo "no config.yaml in repo, skipping"
-          fi
-
-      - name: Deploy to dev server
-        uses: appleboy/scp-action@v0.1.7
-        with:
-          host: ${{ env.DEV_HOST }}
-          username: ${{ env.DEV_USER }}
-          key: ${{ secrets.DEV_SSH_KEY }}
-          source: "${{ env.BINARY_NAME }},deploy.sh,config.yaml"
-          target: "/tmp/remoterig-deploy"
-
-      - name: Execute deploy on dev server
-        uses: appleboy/ssh-action@v1
-        with:
-          host: ${{ env.DEV_HOST }}
-          username: ${{ env.DEV_USER }}
-          key: ${{ secrets.DEV_SSH_KEY }}
-          script: |
-            set -euo pipefail
-            cd /tmp/remoterig-deploy
-            sudo ./deploy.sh "${{ env.BINARY_NAME }}" "${{ env.DEPLOY_PATH }}" "remoterig"
-            if [ -f config.yaml ]; then
-              echo "::config:: deploying config.yaml"
-              sudo mkdir -p "$(dirname "${{ env.DEPLOY_PATH }}")"
-              sudo cp config.yaml "$(dirname "${{ env.DEPLOY_PATH }}")/config.yaml"
-            fi
-            rm -rf /tmp/remoterig-deploy
-
-      - name: Notify on failure
-        if: failure()
-        uses: appleboy/ssh-action@v1
-        with:
-          host: ${{ env.DEV_HOST }}
-          username: ${{ env.DEV_USER }}
-          key: ${{ secrets.DEV_SSH_KEY }}
-          script: |
-            echo "deploy failed for commit ${{ github.sha }} on ${{ github.repository }}" > /tmp/remoterig-deploy-failure.txt