Address remaining PR review comments

- Pin cache-apt-pkgs-action to commit SHA for supply-chain safety
- Fix Homebrew post_install to use with_env block instead of env hash
  in system() call (idiomatic Homebrew pattern)
- Add clarifying comments to service file, preremove.sh, and nfpm.yaml
  explaining user/group creation, directory ownership, and upgrade handling

https://claude.ai/code/session_01Vx1EsNrNySgsc8Y67dGzCn

pkg/debian/archivebox.service

@@ -1,3 +1,6 @@
+# The archivebox user/group and /var/lib/archivebox directory are created by
+# postinstall.sh (which runs after dpkg unpacks the package contents).
+
 [Unit]
 Description=ArchiveBox Web Archiving Server
 After=network.target

pkg/debian/nfpm.yaml

@@ -55,7 +55,7 @@ contents:
     file_info:
       mode: 0644
 
-  # Create data directory
+  # Create data directory (unpacked as root; postinstall.sh chowns to archivebox user)
   - dst: /var/lib/archivebox
     type: dir
     file_info:

pkg/debian/scripts/preremove.sh

@@ -2,7 +2,9 @@
 # preremove script for archivebox .deb package
 set -e
 
-# Only clean up on full removal, not during upgrade
+# Only clean up on full removal, not during upgrade.
+# dpkg passes "$1" as "remove", "purge", or "upgrade" — we skip cleanup on
+# upgrade so the venv and service persist across package version bumps.
 if [ "$1" = "remove" ] || [ "$1" = "purge" ]; then
     # Stop the service if running
     if command -v systemctl >/dev/null 2>&1 && [ -d /run/systemd/system ]; then