Bootstrap apt repository + prove publish pipeline end-to-end#1

Open
eggfly wants to merge 2 commits into main from ci/bootstrap
Conversation

Collaborator

@eggfly eggfly commented May 6, 2026

What this PR does

Sets up the initial shape of m5stack/CardputerZeroRepository as a Debian apt repo for CardputerZero, using GitHub Pages (metadata) + Releases (deb binaries). Then actually runs the pipeline on this branch and commits the output so reviewers can see every artifact before it ships to production.

Feasibility report (short)

Git LFS is not viable for this use case. Free plan is 1 GB storage + 1 GB bandwidth/month, and bandwidth is not exempt for public repos. 100–500 .debs × 1–20 MB at even low traffic would blow through both.

Recommended pattern (full writeup in docs/ARCHITECTURE.md): binaries in GitHub Releases, metadata (Packages, Release, InRelease) in a small text tree served by GitHub Pages. Two active projects proving this scales:

Public repo Actions minutes are free and unlimited; only concurrency/6h/35d caps apply. Enough headroom.

Proof: real CI run on this branch

Run 25421509030 — all green ✅. What it did:

  1. Read the sentinel .deb from incoming/
  2. Created apt-pool GitHub Release, uploaded the deb as an asset
  3. Deleted the deb from incoming/
  4. Ran apt-ftparchive → produced Packages / Packages.gz / Release
  5. Logged a warning that GPG_PRIVATE_KEY isn't set yet (expected; unsigned index is tolerated during bootstrap)
  6. Committed the metadata back to ci/bootstrap (commit 05ac0eb)
  7. Pushed the staging tree to a gh-pages-preview branch — only main pushes to real gh-pages, so ci/** branches can dry-run the full pipeline without polluting production

The deb asset is live at the apt-pool release; the generated Packages file is visible on gh-pages-preview.

What's in the PR

  • README.md — user-facing install instructions (key + sources.list)
  • docs/ARCHITECTURE.md — design, limits table, prior art
  • docs/MAINTAINERS.md — GPG key generation, key rotation, removal flow
  • .github/workflows/validate-submission.yml — PR safety (no secrets, read-only token)
  • .github/workflows/publish.yml — full build + sign + publish; gated to main OR ci/** so preview branches can exercise it
  • .gitignore — keeps raw .deb out of git (only incoming/ transiently carries them during submission)
  • dists/stable/... / pool/ — conventional Debian layout
  • Auto-generated Packages/Packages.gz/Release from the CI run (bot commit 05ac0eb)

What still needs doing (out of scope for this PR)

  1. Default branch switch to main (currently ci/bootstrap) — repo Settings
  2. Enable GitHub Pages on gh-pages branch once the first real publish lands
  3. Generate GPG key, set GPG_PRIVATE_KEY + GPG_PASSPHRASE secrets, commit KEY.gpg — see docs/MAINTAINERS.md. Until then the index is usable but unsigned (clients need [trusted=yes]).
  4. Wire czdev upload in CardputerZero-AppBuilder to open submission PRs here

Security notes

  • validate-submission.yml uses pull_request (no secrets) — safe for external contributor PRs
  • publish.yml uses push only (no pull_request_target + PR-head checkout anti-pattern) — GPG key stays out of reach of PR code

🤖 Generated with Claude Code
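Steps 4 and 5 of the CI run (apt-ftparchive producing Packages / Packages.gz / Release, then the GPG skip-path) and the `[trusted=yes]` caveat in the to-do list all hinge on the same fact: a Release file carries the hashes of the index files, and apt only trusts that hash list when the Release file is signed. The script below is an added illustration, not code from this PR or from the repository's workflows. It builds a tiny in-memory .deb (a constructed sample, standing in for the sentinel package in `incoming/`), reads its control stanza the way apt-ftparchive does, writes a Packages stanza and a Release hash list in plain Python, and then performs the client-side check that a signed Release enables: every listed file must match its recorded size and SHA256. The pool path, package name and field set are assumptions for the example.

```python
"""Added example: a plain-Python replica of the index step (apt-ftparchive) and the
client-side Release hash check. Not the repository's own CI code."""
import gzip
import hashlib
import io
import tarfile


def _ar_member(name: str, payload: bytes) -> bytes:
    """Build one member of a classic 'ar' archive (.deb is an ar archive of three members)."""
    header = f"{name:<16}{'0':<12}{'0':<6}{'0':<6}{'100644':<8}{len(payload):<10}`\n".encode()
    return header + payload + (b"\n" if len(payload) % 2 else b"")  # ar pads odd sizes


def _tgz(files: dict) -> bytes:
    """Pack {name: bytes} into a gzip-compressed tar (control.tar.gz / data.tar.gz)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def make_deb(package: str, version: str, arch: str = "all") -> bytes:
    """Constructed sample: a minimal but structurally valid .deb, built in memory."""
    control = (f"Package: {package}\nVersion: {version}\nArchitecture: {arch}\n"
               "Maintainer: Example <dev@example.invalid>\n"
               "Description: sentinel package for pipeline dry-run\n").encode()
    return (b"!<arch>\n"
            + _ar_member("debian-binary", b"2.0\n")
            + _ar_member("control.tar.gz", _tgz({"control": control}))
            + _ar_member("data.tar.gz", _tgz({"usr/share/doc/placeholder": b""})))


def read_control(deb: bytes) -> dict:
    """Extract the control fields from a .deb; this is what apt-ftparchive reads for Packages."""
    if not deb.startswith(b"!<arch>\n"):
        raise ValueError("not an ar archive")
    pos = 8
    while pos < len(deb):
        name = deb[pos:pos + 16].decode().strip()
        size = int(deb[pos + 48:pos + 58])           # size field of the 60-byte ar header
        body = deb[pos + 60:pos + 60 + size]
        pos += 60 + size + (size % 2)
        if name == "control.tar.gz":
            with tarfile.open(fileobj=io.BytesIO(body), mode="r:gz") as tf:
                text = tf.extractfile("control").read().decode()
            return dict(line.split(": ", 1) for line in text.splitlines() if ": " in line)
    raise ValueError("no control.tar.gz member")


def build_packages(debs: dict) -> str:
    """One stanza per .deb: control fields plus Filename, Size and digests apt uses to fetch/verify."""
    stanzas = []
    for relpath, blob in sorted(debs.items()):
        fields = read_control(blob)
        fields.update({"Filename": relpath, "Size": str(len(blob)),
                       "MD5sum": hashlib.md5(blob).hexdigest(),
                       "SHA256": hashlib.sha256(blob).hexdigest()})
        stanzas.append("".join(f"{k}: {v}\n" for k, v in fields.items()))
    return "\n".join(stanzas)


def build_release(files: dict, suite: str = "stable") -> str:
    """Release lists size + SHA256 of each index file; a signature over it is what apt trusts."""
    lines = [f"Suite: {suite}", f"Codename: {suite}", "Architectures: all",
             "Components: main", "SHA256:"]
    for name, data in sorted(files.items()):
        lines.append(f" {hashlib.sha256(data).hexdigest()} {len(data):>16} {name}")
    return "\n".join(lines) + "\n"


def verify_release(release: str, files: dict) -> bool:
    """Client-side check: every file in the SHA256 block must match recorded size and digest."""
    in_sha, checked = False, 0
    for line in release.splitlines():
        if line == "SHA256:":
            in_sha = True
            continue
        if in_sha and line.startswith(" "):
            digest, size, name = line.split()
            data = files.get(name)
            if data is None or len(data) != int(size) or hashlib.sha256(data).hexdigest() != digest:
                return False
            checked += 1
    return checked > 0


def publish(debs: dict, gpg_key_present: bool = False):
    """Steps 4-5 of the run: produce the index files and Release; warn instead of signing if no key."""
    packages = build_packages(debs).encode()
    files = {"Packages": packages, "Packages.gz": gzip.compress(packages, mtime=0)}
    release = build_release(files)
    if not gpg_key_present:
        # Mirrors the bootstrap behaviour: index is usable but unsigned, so clients need [trusted=yes].
        print("warning: GPG_PRIVATE_KEY not set; Release left unsigned")
    return files, release


if __name__ == "__main__":
    sample = {"pool/main/s/sentinel/sentinel_0.1.0_all.deb": make_deb("sentinel", "0.1.0")}
    out, rel = publish(sample)
    print(out["Packages"].decode())
    print(rel, "verify:", verify_release(rel, out))
```

The tamper check in `verify_release` is the reason the unsigned bootstrap state matters: without a signature over Release, an attacker who can alter the Pages tree can regenerate a matching Release alongside a modified Packages, and `[trusted=yes]` tells apt to accept exactly that, which is why the to-do item to commit KEY.gpg and set the signing secrets is the step that closes the gap.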

eggfly and others added 2 commits May 6, 2026 15:09
So pushing to a ci/** branch fully exercises the pipeline (apt-ftparchive,
GPG skip-path, index commit back, Pages publish) without polluting the
production gh-pages branch:

- push filter includes "ci/**" in addition to main
- metadata commit pushes back to the source branch, not hard-coded main
- gh-pages publish lands on gh-pages-preview when the source branch is
  anything other than main

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>