v1.2.5: CI self-hosted apt-lock fix (v1.2.4 release was incomplete)

v1.2.4 tagged cleanly but its CI failed — parallel Linux matrix jobs
on the self-hosted runners all raced on `/var/lib/apt/lists/lock` and
failed the `sudo apt-get install` step within ~20s. v1.2.4's release
job therefore skipped and no assets were published.

Fix:

- Pre-installed every apt dependency the workflow needs on both
  self-hosted runners (eframe system libs, gcc-aarch64-linux-gnu,
  gcc-arm-linux-gnueabihf).
- Seeded per-runner cargo linker configs at
  /home/ghrunner/cargo-{01,02}/config.toml so the "echo
  [target.xxx] linker = ..." workflow step is also unnecessary.
- Gated the "Install Linux eframe system deps" and the two cross-
  compile-toolchain steps on `runner.environment == 'github-hosted'`
  so only hosted runners call apt-get; self-hosted runners skip the
  whole thing and use pre-installed tooling.

Re-tagging as v1.2.5 since v1.2.4 is an abandoned tag (git tag exists
but no GitHub Release was cut for it).

Same code changes as what v1.2.4 was meant to ship: PR #78 range-
parallel validation, PR #79 port-collision rejection, README note
on Android 7+ user-CA trust.

.github/workflows/release.yml

@@ -112,11 +112,12 @@ jobs:
           key: ${{ matrix.target }}
 
       # eframe needs a few system libs on Linux for window management, keyboard,
-      # and OpenGL/X11/Wayland. On self-hosted these persist across runs so this
+      # and OpenGL/X11/Wayland. Gated to GitHub-hosted runners only — the
-      # is a no-op after the first time; on GH-hosted macOS/Windows the step
+      # self-hosted runners pre-install all of these once at setup time, and
-      # is guarded out anyway.
+      # letting multiple parallel matrix jobs race on `sudo apt-get install`
+      # fights over /var/lib/apt/lists/lock and fails them all.
       - name: Install Linux eframe system deps
-        if: runner.os == 'Linux'
+        if: runner.os == 'Linux' && runner.environment == 'github-hosted'
         run: |
           sudo apt-get update
           sudo apt-get install -y \
@@ -126,8 +127,13 @@ jobs:
             libx11-dev \
             libgl1-mesa-dev libglib2.0-dev libgtk-3-dev
 
+      # Cross-compile toolchains. Same story as above — gated to hosted
+      # runners; self-hosted has gcc-aarch64-linux-gnu + gcc-arm-linux-gnueabihf
+      # pre-installed, and the linker entries live in
+      # /home/ghrunner/cargo-{01,02}/config.toml (seeded once at runner
+      # setup time, picked up via CARGO_HOME env).
       - name: Install aarch64 cross-compile toolchain (Linux only)
-        if: matrix.target == 'aarch64-unknown-linux-gnu'
+        if: matrix.target == 'aarch64-unknown-linux-gnu' && runner.environment == 'github-hosted'
         run: |
           sudo apt-get update
           sudo apt-get install -y gcc-aarch64-linux-gnu
@@ -135,7 +141,7 @@ jobs:
           echo 'linker = "aarch64-linux-gnu-gcc"' >> ~/.cargo/config.toml
 
       - name: Install armhf cross-compile toolchain (Linux only)
-        if: matrix.target == 'arm-unknown-linux-gnueabihf'
+        if: matrix.target == 'arm-unknown-linux-gnueabihf' && runner.environment == 'github-hosted'
         run: |
           sudo apt-get update
           sudo apt-get install -y gcc-arm-linux-gnueabihf

Cargo.lock

@@ -2186,7 +2186,7 @@ dependencies = [
 
 [[package]]
 name = "mhrv-rs"
-version = "1.2.4"
+version = "1.2.5"
 dependencies = [
  "base64 0.22.1",
  "bytes",

Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "mhrv-rs"
-version = "1.2.4"
+version = "1.2.5"
 edition = "2021"
 description = "Rust port of MasterHttpRelayVPN -- DPI bypass via Google Apps Script relay with domain fronting"
 license = "MIT"

android/app/build.gradle.kts

@@ -14,8 +14,8 @@ android {
         applicationId = "com.therealaleph.mhrv"
         minSdk = 24 // Android 7.0 — covers 99%+ of live devices.
         targetSdk = 34
-        versionCode = 124
+        versionCode = 125
-        versionName = "1.2.4"
+        versionName = "1.2.5"
 
         // Ship all four mainstream Android ABIs:
         //   - arm64-v8a      — 95%+ of real-world Android phones since 2019

docs/changelog/v1.2.5.md

@@ -2,7 +2,9 @@
 • سخت‌کردن range-parallel: اعتبارسنجی هدر `Content-Range` قبل از دوختن پاسخ‌های ۲۰۶. پاسخ‌های نامعتبر دیگه به صورت ۲۰۰ OK جعلی ترکیب نمی‌شن — probe نامعتبر به GET تکی برمی‌گرده، چانک‌های نامعتبر به پاسخ probe برمی‌گرده (PR #78)
 • رد configهایی که HTTP و SOCKS5 رو روی یک پورت تنظیم کرده‌اند قبل از bind failure زمان اجرا. هم در load config و هم در فرم UI چک می‌شه (PR #79)
 • یادداشت README درباره محدودیت user-CA اندروید 7+ — اپ‌هایی مثل Telegram / WhatsApp / Instagram به CA ما اعتماد نمی‌کنن، برای اون‌ها از PROXY_ONLY یا upstream_socks5 استفاده کنید (issues #74 #81)
+• رفع زیرساخت CI: مراحل apt-get در buildهای Linux فقط روی runnerهای GitHub-hosted اجرا می‌شن. روی runnerهای self-hosted جدید، چندین job موازی روی `/var/lib/apt/lists/lock` رقابت می‌کردن و همه fail می‌شدن. بسته‌ها اکنون در setup runner پیش‌نصب هستند
 ---
 • Range-parallel hardening: validate `Content-Range` before stitching 206 responses. Invalid responses no longer combine into a fake 200 OK — invalid probe falls back to a normal single GET, invalid later chunks fall back to the probe response (PR #78)
 • Reject configs that set HTTP and SOCKS5 to the same port before the runtime bind failure. Enforced both at config-load time and in the UI form (PR #79)
 • README note on the Android 7+ user-CA trust limit — apps like Telegram / WhatsApp / Instagram don't trust user-installed CAs, use PROXY_ONLY or upstream_socks5 for those (issues #74 #81)
+• CI infrastructure fix: apt-get steps on Linux build jobs gated to GitHub-hosted runners only. On the new self-hosted runners, multiple parallel matrix jobs were racing on `/var/lib/apt/lists/lock` and failing all at once. Packages now pre-installed at runner setup time