From 30f8c4100fcbeaa93897eeca4fd278d08c30c099 Mon Sep 17 00:00:00 2001
From: nevaforget <dom@moonarch.de>
Date: Mon, 20 Apr 2026 11:26:01 +0200
Subject: [PATCH] docs(ci): harden pacman -Sy comment against future -Syu
 regressions

Explicit warning in the workflow so nobody reintroduces the -Syu that
took the Gitea host down on 2026-04-20.
---
 .gitea/workflows/build-and-publish.yaml | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/.gitea/workflows/build-and-publish.yaml b/.gitea/workflows/build-and-publish.yaml
index 3b5bc2b..05db4e5 100644
--- a/.gitea/workflows/build-and-publish.yaml
+++ b/.gitea/workflows/build-and-publish.yaml
@@ -29,8 +29,12 @@ jobs:
 
           echo "Changed packages: $CHANGED"
 
-          # Sync pacman DB so -s can pull current versions (Arch rolling).
-          # -Sy only: full -Syu overwhelms the shared runner host with I/O.
+          # Sync pacman DB so makepkg -s can resolve current deps.
+          # NEVER change this to -Syu. The runner shares I/O with the host
+          # (act_runner runs in network-host mode on the Gitea server). A full
+          # system upgrade here took the host down on 2026-04-20 and required
+          # a hard reboot + Contabo abuse-block recovery. -Sy syncs the DB
+          # only; -s picks targeted makedepends via pacman.
           sudo pacman -Sy --noconfirm
 
           for pkg in $CHANGED; do