diff --git a/.SRCINFO b/.SRCINFO
index 6fb1dc3..66d3218 100644
--- a/.SRCINFO
+++ b/.SRCINFO
@@ -4,14 +4,15 @@ pkgbase = numa-git
 pkgrel = 1
 url = https://github.com/razvandimescu/numa
 arch = x86_64
- arch = aarch64
 license = MIT
+ options = !lto
 makedepends = cargo
 makedepends = git
 depends = gcc-libs
 depends = glibc
 provides = numa
 conflicts = numa
+ backup = etc/numa.toml
 source = numa::git+https://github.com/razvandimescu/numa.git
 sha256sums = SKIP
diff --git a/.github/workflows/publish-aur.yml b/.github/workflows/publish-aur.yml
index fe2f321..5473cc0 100644
--- a/.github/workflows/publish-aur.yml
+++ b/.github/workflows/publish-aur.yml
@@ -35,50 +35,44 @@ jobs:
 strategy:
 fail-fast: false
 matrix:
- # We test both standard PC (x86_64) and ARM64 (aarch64) architectures.
- arch: [x86_64, aarch64]
+ arch: [x86_64]
 steps:
 - name: Checkout code
 uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- # QEMU allows us to run ARM64 containers on x86_64 GitHub runners.
- - name: Set up QEMU
- if: matrix.arch == 'aarch64'
- uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0
-
 - name: Build and Test Package
 timeout-minutes: 60
 env:
 AUR_PKGNAME: ${{ secrets.AUR_PACKAGE_NAME }}
 run: |
- # Select the appropriate Arch Linux image for the architecture.
- if [ "${{ matrix.arch }}" = "x86_64" ]; then
- IMAGE="archlinux:latest"
- else
- IMAGE="agners/archlinuxarm:latest"
- fi
-
 # We use a temporary directory to avoid Docker permission issues with the workspace.
 mkdir -p build-dir
 cp PKGBUILD build-dir/
- docker run --rm -v $PWD/build-dir:/pkg -w /pkg $IMAGE /bin/bash -c "
+ docker run --rm -v $PWD/build-dir:/pkg -w /pkg archlinux:latest /bin/bash -c "
 # ARCH LINUX SECURITY REQUIREMENT:
 # 'makepkg' (the tool that builds Arch packages) refuses to run as root for safety.
 # We must create a standard user and give them sudo access.
- useradd -m builduser
- chown -R builduser:builduser /pkg
 # Install build-time dependencies.
 # 'base-devel' includes essential tools like gcc, make, and binutils.
- pacman -Syu --noconfirm --needed base-devel cargo git sudo cargo-audit
+ # Install 'rust' directly to avoid the interactive virtual-package
+ # prompt for 'cargo' on current Arch images.
+ pacman -Syu --noconfirm --needed base-devel rust git sudo cargo-audit
+
+ useradd -m builduser
+ chown -R builduser:builduser /pkg
 # Allow the build user to install dependencies during the build process.
 echo 'builduser ALL=(ALL) NOPASSWD: ALL' > /etc/sudoers.d/builduser
+ # Fetch the source tree first so pkgver() and cargo-audit have a
+ # real Cargo.lock to inspect.
+ sudo -u builduser makepkg -o --nobuild --nocheck --nodeps --noprepare
+
 # SECURITY AUDIT:
 # Fail early if any dependencies have known security vulnerabilities.
- sudo -u builduser cargo audit
+ sudo -u builduser sh -lc 'cd /pkg/src/numa && cargo audit'
 # BUILD & TEST:
 # 'makepkg -s' will:
diff --git a/.gitignore b/.gitignore
index 9dcba3d..1c510fd 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,4 +1,5 @@
 /target
+/build-dir
 CLAUDE.md
 docs/
 site/blog/posts/
diff --git a/PKGBUILD b/PKGBUILD
index 0f5c19c..b3e3f6b 100644
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -4,13 +4,15 @@ _pkgname=numa
 pkgver=0.10.1.r0.g0000000 # Placeholder — pkgver() rewrites this on each makepkg run
 pkgrel=1
 pkgdesc="Portable DNS resolver in Rust — .numa local domains, ad blocking, developer overrides, DNS-over-HTTPS"
-arch=('x86_64' 'aarch64')
+arch=('x86_64')
 url="https://github.com/razvandimescu/numa"
 license=('MIT')
+options=('!lto')
 depends=('gcc-libs' 'glibc')
 makedepends=('cargo' 'git')
 provides=("$_pkgname")
 conflicts=("$_pkgname")
+backup=('etc/numa.toml')
 source=("$_pkgname::git+$url.git")
 sha256sums=('SKIP')
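Review bot: The new audit line `sudo -u builduser sh -lc 'cd /pkg/src/numa && cargo audit'` still cannot "fail early" as the comment above it promises, because the inner script handed to `/bin/bash -c "` at the `docker run` line opens with comments and `pacman`, not `set -e`, so a non-zero exit from `cargo audit` is discarded and the script continues into the `makepkg -s` step that the trailing comment introduces; only the last command's status reaches `docker run`. The removed line had the same gap, but since this commit reworks the gate it is the place to close it: make `set -euo pipefail` the first line of the inner script, or chain the audit into the build with `&&`. The same applies to the new `makepkg -o --nobuild --nocheck --nodeps --noprepare` fetch, whose failure would currently leave `cargo audit` running against a missing or stale `/pkg/src/numa`. That path also duplicates the `source=` entry in PKGBUILD; the `&&` at least makes a mismatch fail at the `cd`, but a comment such as `# must match "$_pkgname" in PKGBUILD` would record the coupling. The `run:` block and the `makepkg -s` invocation continue past the hunk.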
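Review bot: `backup=('etc/numa.toml')` asserts that the package installs `/etc/numa.toml`, but nothing in the hunk shows a `package()` step placing that file; `package()` lies outside the hunk, so please confirm it does, since (if I recall makepkg's checks correctly) a backup entry with no matching file in `$pkgdir` is rejected at packaging time rather than silently ignored. `options=('!lto')` and the removal of `aarch64` from `arch=` both land without a reason; a trailing comment on each line, e.g. `options=('!lto')  # <why LTO is disabled for this build>`, stops the next maintainer from reverting them as cleanup. The regenerated `.SRCINFO` hunk agrees with all three changes, so that part is consistent.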