From 09f7bdf063808d016676ef38f507edb787cd805a Mon Sep 17 00:00:00 2001 From: Sean Casey <4674433+CaseyLabs@users.noreply.github.com> Date: Fri, 3 Apr 2026 15:01:58 -0600 Subject: [PATCH 1/9] Feature: add GitHub Actions workflow for publishing Arch Linux AUR package --- .github/workflows/publish-aur.yml | 152 ++++++++++++++++++++++++++++++ PKGBUILD | 50 ++++++++++ README.md | 3 + 3 files changed, 205 insertions(+) create mode 100644 .github/workflows/publish-aur.yml create mode 100644 PKGBUILD diff --git a/.github/workflows/publish-aur.yml b/.github/workflows/publish-aur.yml new file mode 100644 index 0000000..53dc7b2 --- /dev/null +++ b/.github/workflows/publish-aur.yml 
@@ -0,0 +1,152 @@ +# `publish-aur.yml` - Arch Linux AUR Package Workflow +# -------------------- +# This workflow automates the validation and publishing of the 'numa-git' package to the +# Arch User Repository (AUR). The AUR is a community-driven repository for Arch Linux users. +# +# Workflow Overview: +# 1. Validate: Builds and tests the package on both x86_64 and aarch64 (ARM64) +# architectures using clean Arch Linux containers. +# 2. Audit: Checks Rust dependencies for known security vulnerabilities using 'cargo-audit'. +# 3. Publish: If on the 'main' branch, it pushes the updated PKGBUILD and .SRCINFO to the AUR. +# +# Security Best Practices: +# - SHA Pinning: All GitHub Actions are pinned to a full-length commit SHA (e.g., v4.1.7 @ SHA) +# to ensure the code is immutable and protects against supply-chain attacks where a tag +# might be maliciously moved to a compromised commit. +# - SSH Hygiene: Uses ssh-agent to keep the private key in memory rather than on disk. +# - Audit: Runs 'cargo audit' to prevent publishing known vulnerable dependencies. + +name: Publish - Arch Linux AUR Package + +on: + push: + branches: [main] + workflow_dispatch: + +permissions: + contents: read + +jobs: + # The 'validate' job ensures that the PKGBUILD is correct and the software builds/tests + # successfully on Arch Linux before we attempt to publish it. + validate: + name: Validate PKGBUILD (${{ matrix.arch }}) + runs-on: ubuntu-latest + strategy: + fail-fast: false + matrix: + # We test both standard PC (x86_64) and ARM64 (aarch64) architectures. + arch: [x86_64, aarch64] + steps: + - name: Checkout code + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + + # QEMU allows us to run ARM64 containers on x86_64 GitHub runners. 
+ - name: Set up QEMU + if: matrix.arch == 'aarch64' + uses: docker/setup-qemu-action@6882732593b27c7f95a044d559b586a46371a68e # v3.0.0 + + - name: Build and Test Package + timeout-minutes: 60 + env: + AUR_PKGNAME: ${{ secrets.AUR_PACKAGE_NAME }} + run: | + # Select the appropriate Arch Linux image for the architecture. + if [ "${{ matrix.arch }}" = "x86_64" ]; then + IMAGE="archlinux:latest" + else + IMAGE="agners/archlinuxarm:latest" + fi + + # We use a temporary directory to avoid Docker permission issues with the workspace. + mkdir -p build-dir + cp PKGBUILD build-dir/ + + docker run --rm -v $PWD/build-dir:/pkg -w /pkg $IMAGE /bin/bash -c " + # ARCH LINUX SECURITY REQUIREMENT: + # 'makepkg' (the tool that builds Arch packages) refuses to run as root for safety. + # We must create a standard user and give them sudo access. + useradd -m builduser + chown -R builduser:builduser /pkg + + # Install build-time dependencies. + # 'base-devel' includes essential tools like gcc, make, and binutils. + pacman -Syu --noconfirm --needed base-devel cargo git sudo cargo-audit + + # Allow the build user to install dependencies during the build process. + echo 'builduser ALL=(ALL) NOPASSWD: ALL' > /etc/sudoers.d/builduser + + # SECURITY AUDIT: + # Fail early if any dependencies have known security vulnerabilities. + sudo -u builduser cargo audit + + # BUILD & TEST: + # 'makepkg -s' will: + # 1. Download source files (cloning this repo) + # 2. Run prepare(), build(), and check() (running cargo test) + # 3. Create the final .pkg.tar.zst package + sudo -u builduser makepkg -s --noconfirm + " + + # The 'publish' job updates the AUR repository with our latest PKGBUILD and .SRCINFO. + publish: + name: Publish to AUR + needs: validate + runs-on: ubuntu-latest + if: github.event_name == 'push' && github.ref == 'refs/heads/main' + steps: + - name: Checkout code + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + + # Securely configure SSH for AUR access. 
+ - name: Configure SSH + run: | + mkdir -p ~/.ssh + # Official AUR Ed25519 fingerprint (prevents Man-in-the-Middle attacks). + echo "aur.archlinux.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEu46S9S6YfBD5C8GeOBip8Z11+4" >> ~/.ssh/known_hosts + + # Use ssh-agent to keep the private key in memory rather than writing it to disk. + eval $(ssh-agent -s) + echo "${{ secrets.AUR_SSH_PRIVATE_KEY }}" | tr -d '\r' | ssh-add - + + # Export the agent socket so subsequent 'git' commands can use it. + echo "SSH_AUTH_SOCK=$SSH_AUTH_SOCK" >> $GITHUB_ENV + echo "SSH_AGENT_PID=$SSH_AGENT_PID" >> $GITHUB_ENV + + - name: Push to AUR + env: + AUR_PKGNAME: ${{ secrets.AUR_PACKAGE_NAME }} + AUR_EMAIL: ${{ secrets.AUR_EMAIL }} + AUR_USER: ${{ secrets.AUR_USERNAME }} + run: | + # AUR repos are managed via Git. Each package has its own repo at: + # ssh://aur@aur.archlinux.org/.git + git clone ssh://aur@aur.archlinux.org/$AUR_PKGNAME.git aur-repo + + cp PKGBUILD aur-repo/ + cd aur-repo + + # METADATA GENERATION: + # '.SRCINFO' is a machine-readable version of the PKGBUILD. + # The AUR website uses this file to display package details like dependencies and version. + # We generate it inside an Arch container to ensure 'makepkg' is available. + docker run --rm -v $(pwd):/pkg archlinux:latest /bin/bash -c " + pacman -Syu --noconfirm --needed binutils git + cd /pkg + git config --global --add safe.directory '*' + makepkg --printsrcinfo > .SRCINFO + " + + # Set the commit identity using secrets for security and auditability. + git config user.name "$AUR_USER" + git config user.email "$AUR_EMAIL" + + # Stage and commit both the human-readable PKGBUILD and machine-readable .SRCINFO. + git add PKGBUILD .SRCINFO + + if ! git diff --cached --quiet; then + git commit -m "chore: update PKGBUILD to ${{ github.sha }}" + git push origin master + else + echo "No changes to commit (metadata and PKGBUILD are already up-to-date)." + fi diff --git a/PKGBUILD b/PKGBUILD new file mode 100644 index 0000000..7c761ae 
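Review bot: In the 'Configure SSH' step the private key is expanded straight into the script text via `echo "${{ secrets.AUR_SSH_PRIVATE_KEY }}"`, so the secret becomes part of the command line that bash parses and any double quote, backtick or `$` inside the secret alters or breaks the command; pass it through the step environment instead: `env: { AUR_SSH_PRIVATE_KEY: "${{ secrets.AUR_SSH_PRIVATE_KEY }}" }` and `printf '%s\n' "$AUR_SSH_PRIVATE_KEY" | tr -d '\r' | ssh-add -`. The same pattern is used for `${{ github.sha }}` in the commit message, which is harmless for a hex SHA but worth keeping consistent. Separately, the `bash -c "…"` script in the validate job's `docker run` has no `set -e`, so the `cargo audit` line that the comment says will "fail early" cannot fail the step on its own — only the exit status of the last command (`makepkg -s`) is reported back to the runner; begin that script with `set -euo pipefail`.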
--- /dev/null +++ b/PKGBUILD @@ -0,0 +1,50 @@ +# Maintainer: razvandimescu +pkgname=numa-git +_pkgname=numa +pkgver=0.9.1.r0.g1234abc # Updated by pkgver() +pkgrel=1 +pkgdesc="Portable DNS resolver in Rust — .numa local domains, ad blocking, developer overrides, DNS-over-HTTPS" +arch=('x86_64' 'aarch64') +url="https://github.com/razvandimescu/numa" +license=('MIT') +depends=('gcc-libs' 'glibc') +makedepends=('cargo' 'git') +provides=("$_pkgname") +conflicts=("$_pkgname") +source=("$_pkgname::git+$url.git") +sha256sums=('SKIP') + +pkgver() { + cd "$_pkgname" + git describe --long --tags | sed 's/\([^-]*-g\)/r\1/;s/-/./g' | sed 's/^v//' +} + +prepare() { + cd "$_pkgname" + export RUSTUP_TOOLCHAIN=stable + cargo fetch --locked +} + +build() { + cd "$_pkgname" + export RUSTUP_TOOLCHAIN=stable + cargo build --frozen --release +} + +check() { + cd "$_pkgname" + export RUSTUP_TOOLCHAIN=stable + cargo test --frozen +} + +package() { + cd "$_pkgname" + install -Dm755 "target/release/$_pkgname" "$pkgdir/usr/bin/$_pkgname" + + # Install service file with patched path + sed 's|/usr/local/bin/numa|/usr/bin/numa|g' numa.service > numa.service.patched + install -Dm644 "numa.service.patched" "$pkgdir/usr/lib/systemd/system/numa.service" + + install -Dm644 "numa.toml" "$pkgdir/etc/numa.toml" + install -Dm644 "LICENSE" "$pkgdir/usr/share/licenses/$pkgname/LICENSE" +} diff --git a/README.md b/README.md index e96ecda..86194c8 100644 --- a/README.md +++ b/README.md @@ -21,6 +21,9 @@ brew install razvandimescu/tap/numa # Linux curl -fsSL https://raw.githubusercontent.com/razvandimescu/numa/main/install.sh | sh +# Arch Linux (AUR) +yay -S numa-git + # Windows — download from GitHub Releases # All platforms cargo install numa -- 2.34.1 From f0461242eab6b4a306a1ef348f48db91ee1254be Mon Sep 17 00:00:00 2001 
From: Sean Casey <4674433+CaseyLabs@users.noreply.github.com> Date: Fri, 3 Apr 2026 15:57:54 -0600 Subject: [PATCH 2/9] Fix issues in Arch Linux AUR publishing process --- .SRCINFO | 18 ++++++++++++++++++ .github/workflows/publish-aur.yml | 12 +++++++----- PKGBUILD | 17 ++++++++++------- 3 files changed, 35 insertions(+), 12 deletions(-) create mode 100644 .SRCINFO diff --git a/.SRCINFO b/.SRCINFO new file mode 100644 index 0000000..a79aadb --- /dev/null +++ b/.SRCINFO @@ -0,0 +1,18 @@ +pkgbase = numa-git + pkgdesc = Portable DNS resolver in Rust — .numa local domains, ad blocking, developer overrides, DNS-over-HTTPS + pkgver = 0.9.1.r0.g1234abc + pkgrel = 1 + url = https://github.com/razvandimescu/numa + arch = x86_64 + arch = aarch64 + license = MIT + makedepends = cargo + makedepends = git + depends = gcc-libs + depends = glibc + provides = numa + conflicts = numa + source = numa::git+https://github.com/razvandimescu/numa.git + sha256sums = SKIP + +pkgname = numa-git diff --git a/.github/workflows/publish-aur.yml b/.github/workflows/publish-aur.yml index 53dc7b2..cece93a 100644 --- a/.github/workflows/publish-aur.yml +++ b/.github/workflows/publish-aur.yml 
@@ -128,13 +128,15 @@ jobs: # METADATA GENERATION: # '.SRCINFO' is a machine-readable version of the PKGBUILD. - # The AUR website uses this file to display package details like dependencies and version. - # We generate it inside an Arch container to ensure 'makepkg' is available. + # We must run this as a non-root user ('builduser') inside the container. docker run --rm -v $(pwd):/pkg archlinux:latest /bin/bash -c " - pacman -Syu --noconfirm --needed binutils git + pacman -Syu --noconfirm --needed binutils git sudo + useradd -m builduser + chown -R builduser:builduser /pkg cd /pkg - git config --global --add safe.directory '*' - makepkg --printsrcinfo > .SRCINFO + sudo -u builduser git config --global --add safe.directory '*' + # "makepkg -od" fetches the source first so pkgver() can calculate the version. + sudo -u builduser makepkg -od && sudo -u builduser makepkg --printsrcinfo > .SRCINFO " # Set the commit identity using secrets for security and auditability. diff --git a/PKGBUILD b/PKGBUILD index 7c761ae..f9fee77 100644 --- a/PKGBUILD +++ b/PKGBUILD 
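Review bot: `chown -R builduser:builduser /pkg` here runs against the freshly cloned `aur-repo` checkout, `.git` directory included, and `builduser` gets whatever uid `useradd` assigns inside the container; if that uid differs from the runner's, the host-side `git add`/`git commit` that follow this hunk can fail with permission or "dubious ownership" errors on the chowned `.git` (not verifiable from the diff, but a likely mismatch). Creating the user with the host uid avoids it: `useradd -m -u $(id -u) builduser` — `$(id -u)` expands on the host because the script is inside a double-quoted string. Note also that `makepkg -od` re-clones upstream at publish time, so the pkgver written into .SRCINFO reflects upstream HEAD at that moment rather than the `${{ github.sha }}` named in the commit message; a comment such as `# pkgver comes from the clone's HEAD, which may be newer than github.sha` would make that explicit.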
@@ -15,34 +15,37 @@ source=("$_pkgname::git+$url.git") sha256sums=('SKIP') pkgver() { - cd "$_pkgname" - git describe --long --tags | sed 's/\([^-]*-g\)/r\1/;s/-/./g' | sed 's/^v//' + cd "$srcdir/$_pkgname" + ( set -o pipefail + git describe --long --tags 2>/dev/null | sed 's/\([^-]*-g\)/r\1/;s/-/./g' || + printf "r%s.%s" "$(git rev-list --count HEAD)" "$(git rev-parse --short HEAD)" + ) | sed 's/^v//' } prepare() { - cd "$_pkgname" + cd "$srcdir/$_pkgname" export RUSTUP_TOOLCHAIN=stable cargo fetch --locked } build() { - cd "$_pkgname" + cd "$srcdir/$_pkgname" export RUSTUP_TOOLCHAIN=stable cargo build --frozen --release } check() { - cd "$_pkgname" + cd "$srcdir/$_pkgname" export RUSTUP_TOOLCHAIN=stable cargo test --frozen } package() { - cd "$_pkgname" + cd "$srcdir/$_pkgname" install -Dm755 "target/release/$_pkgname" "$pkgdir/usr/bin/$_pkgname" # Install service file with patched path - sed 's|/usr/local/bin/numa|/usr/bin/numa|g' numa.service > numa.service.patched + sed 's|ExecStart=/usr/local/bin/numa|ExecStart=/usr/bin/numa /etc/numa.toml|g' numa.service > numa.service.patched install -Dm644 "numa.service.patched" "$pkgdir/usr/lib/systemd/system/numa.service" install -Dm644 "numa.toml" "$pkgdir/etc/numa.toml" -- 2.34.1 From 869af2985181c44b1549fcaae79f46befad23eda Mon Sep 17 00:00:00 2001 From: Sean Casey <4674433+CaseyLabs@users.noreply.github.com> Date: Fri, 3 Apr 2026 16:13:02 -0600 Subject: [PATCH 3/9] Add patch to fix default Arch Linux binary path location issues --- PKGBUILD | 2 ++ 1 file changed, 2 insertions(+) diff --git a/PKGBUILD b/PKGBUILD index f9fee77..b616dfc 100644 --- a/PKGBUILD +++ b/PKGBUILD @@ -24,6 +24,8 @@ pkgver() { prepare() { cd "$srcdir/$_pkgname" + # Patch hardcoded paths to match Arch Linux standard (/usr/bin) + sed -i 's|/usr/local/bin/numa|/usr/bin/numa|g' src/system_dns.rs export RUSTUP_TOOLCHAIN=stable cargo fetch --locked } -- 2.34.1 From 2d320f93d91ee430b8011cb3395d360c0b849b72 Mon Sep 17 00:00:00 2001 
From: Razvan Dimescu Date: Wed, 8 Apr 2026 19:31:11 +0300 Subject: [PATCH 4/9] fix: PKGBUILD compatibility with numa v0.10.1, fix QEMU action SHA pin MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Three small bug fixes that make this PR mergeable end-to-end against current main, without changing the package design (still numa-git, still pushed on every main commit, still tracking HEAD via pkgver()): 1. Simplified prepare() — drop the obsolete sed patching for /usr/local/bin/numa. That literal only appears in a comment in current main; the actual binary path is determined at runtime via std::env::current_exe(). Additionally, numa v0.10.1 ships PR #43 which makes numa FHS-compliant on Linux out of the box (/var/lib/numa for data dir), so no source patching is needed at all on Arch. 2. Fixed package() sed for the systemd unit. The previous sed targeted "ExecStart=/usr/local/bin/numa" but numa.service actually uses "{{exe_path}}" as a templating placeholder that's substituted at runtime by replace_exe_path() when `numa install` runs. The sed silently did nothing, and the AUR-installed unit file would have a literal "{{exe_path}}" that systemd cannot start. Fixed sed: sed 's|{{exe_path}}|/usr/bin/numa /etc/numa.toml|g' \ numa.service > numa.service.patched 3. Fixed broken docker/setup-qemu-action SHA pin in publish-aur.yml. The pinned SHA 6882732593b27c7f95a044d559b586a46371a68e doesn't exist as a commit in upstream docker/setup-qemu-action. Verified v3.0.0 SHA is 68827325e0b33c7199eb31dd4e31fbe9023e06e3. Without this fix the aarch64 validate job would fail to load the action at workflow start. Also refreshed the stale pkgver placeholder in PKGBUILD and .SRCINFO from 0.9.1.r0.g1234abc to 0.10.1.r0.g0000000 — purely cosmetic since pkgver() auto-overrides on every makepkg run, but at least the in-VC value reflects the current era. 
Co-Authored-By: Claude Opus 4.6 (1M context) --- .SRCINFO | 2 +- .github/workflows/publish-aur.yml | 2 +- PKGBUILD | 19 ++++++++++++------- 3 files changed, 14 insertions(+), 9 deletions(-) diff --git a/.SRCINFO b/.SRCINFO index a79aadb..6fb1dc3 100644 --- a/.SRCINFO +++ b/.SRCINFO @@ -1,6 +1,6 @@ pkgbase = numa-git pkgdesc = Portable DNS resolver in Rust — .numa local domains, ad blocking, developer overrides, DNS-over-HTTPS - pkgver = 0.9.1.r0.g1234abc + pkgver = 0.10.1.r0.g0000000 pkgrel = 1 url = https://github.com/razvandimescu/numa arch = x86_64 diff --git a/.github/workflows/publish-aur.yml b/.github/workflows/publish-aur.yml index cece93a..fe2f321 100644 --- a/.github/workflows/publish-aur.yml +++ b/.github/workflows/publish-aur.yml @@ -44,7 +44,7 @@ jobs: # QEMU allows us to run ARM64 containers on x86_64 GitHub runners. - name: Set up QEMU if: matrix.arch == 'aarch64' - uses: docker/setup-qemu-action@6882732593b27c7f95a044d559b586a46371a68e # v3.0.0 + uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0 - name: Build and Test Package timeout-minutes: 60 diff --git a/PKGBUILD b/PKGBUILD index b616dfc..0f5c19c 100644 --- a/PKGBUILD +++ b/PKGBUILD @@ -1,7 +1,7 @@ # Maintainer: razvandimescu pkgname=numa-git _pkgname=numa -pkgver=0.9.1.r0.g1234abc # Updated by pkgver() +pkgver=0.10.1.r0.g0000000 # Placeholder — pkgver() rewrites this on each makepkg run pkgrel=1 pkgdesc="Portable DNS resolver in Rust — .numa local domains, ad blocking, developer overrides, DNS-over-HTTPS" arch=('x86_64' 'aarch64') 
@@ -24,8 +24,10 @@ pkgver() { prepare() { cd "$srcdir/$_pkgname" - # Patch hardcoded paths to match Arch Linux standard (/usr/bin) - sed -i 's|/usr/local/bin/numa|/usr/bin/numa|g' src/system_dns.rs + # numa v0.10.1+ uses FHS-compliant paths on Linux by default + # (/var/lib/numa for data, journalctl for logs), so no source + # patching is needed. The earlier sed targeted /usr/local/bin/numa, + # which only appears in a comment in current main. export RUSTUP_TOOLCHAIN=stable cargo fetch --locked } @@ -45,11 +47,14 @@ check() { package() { cd "$srcdir/$_pkgname" install -Dm755 "target/release/$_pkgname" "$pkgdir/usr/bin/$_pkgname" - - # Install service file with patched path - sed 's|ExecStart=/usr/local/bin/numa|ExecStart=/usr/bin/numa /etc/numa.toml|g' numa.service > numa.service.patched + + # numa.service uses {{exe_path}} as a placeholder substituted by + # `numa install` at runtime via replace_exe_path(). For an AUR + # package install (no `numa install` step), we substitute it + # statically here so systemd gets a real ExecStart path. + sed 's|{{exe_path}}|/usr/bin/numa /etc/numa.toml|g' numa.service > numa.service.patched install -Dm644 "numa.service.patched" "$pkgdir/usr/lib/systemd/system/numa.service" - + install -Dm644 "numa.toml" "$pkgdir/etc/numa.toml" install -Dm644 "LICENSE" "$pkgdir/usr/share/licenses/$pkgname/LICENSE" } -- 2.34.1 From 6d4593683f6a91c2513e2ca619d81607058fe2cc Mon Sep 17 00:00:00 2001 
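Review bot: The new `sed 's|{{exe_path}}|/usr/bin/numa /etc/numa.toml|g' numa.service` in package() has exactly the failure mode the commit message describes for its predecessor — if upstream renames or drops the placeholder, sed matches nothing and the package silently ships a unit whose ExecStart still contains the literal template. Guard it so the build fails instead: `grep -q '{{exe_path}}' numa.service || { echo 'numa.service: {{exe_path}} placeholder not found' >&2; return 1; }` placed before the sed. The unit's `User=`/hardening directives are not visible here; since this is a resolver that presumably binds port 53, confirming the unit is appropriate for a system-wide package install is worth a separate check.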
From: Sean Casey <4674433+CaseyLabs@users.noreply.github.com> Date: Wed, 8 Apr 2026 13:29:40 -0700 Subject: [PATCH 5/9] fix: make AUR packaging x86_64-only and stabilize local validation Turns out Arch Linux doesn't officially support aarch64 architecture, so we will drop if from this AUR build process. Changes: - drop aarch64 from PKGBUILD, .SRCINFO, and AUR validation workflow - keep AUR process aligned with official Arch Linux x86_64 support - install rust directly in CI to avoid Arch cargo provider prompts - fetch sources before running cargo audit and audit inside the fetched repo - disable makepkg LTO for this package to avoid Arch packaging link failures - mark /etc/numa.toml as a backup file - Add local AUR build scratch directory exclusion to .gitignore --- .SRCINFO | 3 ++- .github/workflows/publish-aur.yml | 32 +++++++++++++------------------ .gitignore | 1 + PKGBUILD | 4 +++- 4 files changed, 19 insertions(+), 21 deletions(-) diff --git a/.SRCINFO b/.SRCINFO index 6fb1dc3..66d3218 100644 --- a/.SRCINFO +++ b/.SRCINFO @@ -4,14 +4,15 @@ pkgbase = numa-git pkgrel = 1 url = https://github.com/razvandimescu/numa arch = x86_64 - arch = aarch64 license = MIT + options = !lto makedepends = cargo makedepends = git depends = gcc-libs depends = glibc provides = numa conflicts = numa + backup = etc/numa.toml source = numa::git+https://github.com/razvandimescu/numa.git sha256sums = SKIP diff --git a/.github/workflows/publish-aur.yml b/.github/workflows/publish-aur.yml index fe2f321..5473cc0 100644 --- a/.github/workflows/publish-aur.yml +++ b/.github/workflows/publish-aur.yml 
@@ -35,50 +35,44 @@ jobs: strategy: fail-fast: false matrix: - # We test both standard PC (x86_64) and ARM64 (aarch64) architectures. - arch: [x86_64, aarch64] + arch: [x86_64] steps: - name: Checkout code uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - # QEMU allows us to run ARM64 containers on x86_64 GitHub runners. - - name: Set up QEMU - if: matrix.arch == 'aarch64' - uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0 - - name: Build and Test Package timeout-minutes: 60 env: AUR_PKGNAME: ${{ secrets.AUR_PACKAGE_NAME }} run: | - # Select the appropriate Arch Linux image for the architecture. - if [ "${{ matrix.arch }}" = "x86_64" ]; then - IMAGE="archlinux:latest" - else - IMAGE="agners/archlinuxarm:latest" - fi - # We use a temporary directory to avoid Docker permission issues with the workspace. mkdir -p build-dir cp PKGBUILD build-dir/ - docker run --rm -v $PWD/build-dir:/pkg -w /pkg $IMAGE /bin/bash -c " + docker run --rm -v $PWD/build-dir:/pkg -w /pkg archlinux:latest /bin/bash -c " # ARCH LINUX SECURITY REQUIREMENT: # 'makepkg' (the tool that builds Arch packages) refuses to run as root for safety. # We must create a standard user and give them sudo access. - useradd -m builduser - chown -R builduser:builduser /pkg # Install build-time dependencies. # 'base-devel' includes essential tools like gcc, make, and binutils. - pacman -Syu --noconfirm --needed base-devel cargo git sudo cargo-audit + # Install 'rust' directly to avoid the interactive virtual-package + # prompt for 'cargo' on current Arch images. + pacman -Syu --noconfirm --needed base-devel rust git sudo cargo-audit + + useradd -m builduser + chown -R builduser:builduser /pkg # Allow the build user to install dependencies during the build process. echo 'builduser ALL=(ALL) NOPASSWD: ALL' > /etc/sudoers.d/builduser + # Fetch the source tree first so pkgver() and cargo-audit have a + # real Cargo.lock to inspect. 
+ sudo -u builduser makepkg -o --nobuild --nocheck --nodeps --noprepare + # SECURITY AUDIT: # Fail early if any dependencies have known security vulnerabilities. - sudo -u builduser cargo audit + sudo -u builduser sh -lc 'cd /pkg/src/numa && cargo audit' # BUILD & TEST: # 'makepkg -s' will: diff --git a/.gitignore b/.gitignore index 9dcba3d..1c510fd 100644 --- a/.gitignore +++ b/.gitignore @@ -1,4 +1,5 @@ /target +/build-dir CLAUDE.md docs/ site/blog/posts/ diff --git a/PKGBUILD b/PKGBUILD index 0f5c19c..b3e3f6b 100644 --- a/PKGBUILD +++ b/PKGBUILD @@ -4,13 +4,15 @@ _pkgname=numa pkgver=0.10.1.r0.g0000000 # Placeholder — pkgver() rewrites this on each makepkg run pkgrel=1 pkgdesc="Portable DNS resolver in Rust — .numa local domains, ad blocking, developer overrides, DNS-over-HTTPS" -arch=('x86_64' 'aarch64') +arch=('x86_64') url="https://github.com/razvandimescu/numa" license=('MIT') +options=('!lto') depends=('gcc-libs' 'glibc') makedepends=('cargo' 'git') provides=("$_pkgname") conflicts=("$_pkgname") +backup=('etc/numa.toml') source=("$_pkgname::git+$url.git") sha256sums=('SKIP') -- 2.34.1 From 0c84f386faf48b280b3bef174d16c84bf9f94dd6 Mon Sep 17 00:00:00 2001 From: Sean Casey <4674433+CaseyLabs@users.noreply.github.com> Date: Wed, 8 Apr 2026 13:35:56 -0700 Subject: [PATCH 6/9] Add temporary AUR test workflow --- .github/workflows/publish-aur-test.yml | 62 ++++++++++++++++++++++++++ 1 file changed, 62 insertions(+) create mode 100644 .github/workflows/publish-aur-test.yml diff --git a/.github/workflows/publish-aur-test.yml b/.github/workflows/publish-aur-test.yml new file mode 100644 index 0000000..96047fb --- /dev/null +++ b/.github/workflows/publish-aur-test.yml 
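Review bot: The container script in this hunk still runs without `set -e`, so the relocated `sudo -u builduser sh -lc 'cd /pkg/src/numa && cargo audit'` cannot "fail early" as its comment promises — a non-zero exit from cargo audit is discarded and only the status of the final `makepkg -s` (below this hunk) reaches the host step. Add `set -euo pipefail` as the first line inside the `bash -c "` string, or chain the commands with `&&`. The same applies to `pacman -Syu` and `useradd`: a failed package install currently just lets the later commands run and produce a misleading error. Also worth a comment: `makepkg -o … --noprepare` clones upstream `main` at whatever HEAD it has when the job runs, which need not be the `github.sha` that triggered it.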
@@ -0,0 +1,62 @@ +name: Test - Arch Linux AUR Package + +on: + push: + branches: + - feat/add-arch-linux-support + workflow_dispatch: + +permissions: + contents: read + +jobs: + validate: + name: Validate PKGBUILD + runs-on: ubuntu-latest + steps: + - name: Checkout code + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + + - name: Build and Test Package + timeout-minutes: 60 + run: | + mkdir -p build-dir + cp PKGBUILD build-dir/ + + docker run --rm -v $PWD/build-dir:/pkg -w /pkg archlinux:latest /bin/bash -c " + pacman -Syu --noconfirm --needed base-devel rust git sudo cargo-audit + + useradd -m builduser + chown -R builduser:builduser /pkg + echo 'builduser ALL=(ALL) NOPASSWD: ALL' > /etc/sudoers.d/builduser + + sudo -u builduser makepkg -o --nobuild --nocheck --nodeps --noprepare + sudo -u builduser sh -lc 'cd /pkg/src/numa && cargo audit' + sudo -u builduser makepkg -s --noconfirm + " + + dry-run-srcinfo: + name: Dry Run .SRCINFO + runs-on: ubuntu-latest + needs: validate + steps: + - name: Checkout code + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + + - name: Generate .SRCINFO Without Pushing + timeout-minutes: 30 + run: | + mkdir -p aur-dry-run + cp PKGBUILD aur-dry-run/ + cd aur-dry-run + + docker run --rm -v $(pwd):/pkg -w /pkg archlinux:latest /bin/bash -c " + pacman -Syu --noconfirm --needed binutils git sudo rust + useradd -m builduser + chown -R builduser:builduser /pkg + sudo -u builduser makepkg -od --nocheck + sudo -u builduser makepkg --printsrcinfo > .SRCINFO + " + + echo 'Generated .SRCINFO for dry-run validation:' + sed -n '1,120p' .SRCINFO -- 2.34.1 From c0f1f86f01ae091edd3b709de8f58855c358715e Mon Sep 17 00:00:00 2001 
From: Sean Casey <4674433+CaseyLabs@users.noreply.github.com> Date: Wed, 8 Apr 2026 13:55:52 -0700 Subject: [PATCH 7/9] Update github actions checkout workflow version --- .github/workflows/publish-aur-test.yml | 4 ++-- .github/workflows/publish-aur.yml | 16 +++++++++------- 2 files changed, 11 insertions(+), 9 deletions(-) diff --git a/.github/workflows/publish-aur-test.yml b/.github/workflows/publish-aur-test.yml index 96047fb..7527f71 100644 --- a/.github/workflows/publish-aur-test.yml +++ b/.github/workflows/publish-aur-test.yml @@ -15,7 +15,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout code - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Build and Test Package timeout-minutes: 60 @@ -41,7 +41,7 @@ jobs: needs: validate steps: - name: Checkout code - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Generate .SRCINFO Without Pushing timeout-minutes: 30 diff --git a/.github/workflows/publish-aur.yml b/.github/workflows/publish-aur.yml index 5473cc0..cab44f9 100644 --- a/.github/workflows/publish-aur.yml +++ b/.github/workflows/publish-aur.yml 
@@ -4,13 +4,15 @@ # Arch User Repository (AUR). The AUR is a community-driven repository for Arch Linux users. # # Workflow Overview: -# 1. Validate: Builds and tests the package on both x86_64 and aarch64 (ARM64) -# architectures using clean Arch Linux containers. -# 2. Audit: Checks Rust dependencies for known security vulnerabilities using 'cargo-audit'. -# 3. Publish: If on the 'main' branch, it pushes the updated PKGBUILD and .SRCINFO to the AUR. +# 1. Validate: Builds and tests the package for Arch Linux x86_64 using a clean +# Arch Linux container. +# 2. Audit: Checks Rust dependencies for known security vulnerabilities using +# 'cargo-audit'. +# 3. Publish: If on the 'main' branch, it pushes the updated PKGBUILD and +# .SRCINFO to the AUR. # # Security Best Practices: -# - SHA Pinning: All GitHub Actions are pinned to a full-length commit SHA (e.g., v4.1.7 @ SHA) +# - SHA Pinning: All GitHub Actions are pinned to a full-length commit SHA (e.g., v6.0.2 @ SHA) # to ensure the code is immutable and protects against supply-chain attacks where a tag # might be maliciously moved to a compromised commit. # - SSH Hygiene: Uses ssh-agent to keep the private key in memory rather than on disk. @@ -38,7 +40,7 @@ jobs: arch: [x86_64] steps: - name: Checkout code - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Build and Test Package timeout-minutes: 60 @@ -90,7 +92,7 @@ jobs: if: github.event_name == 'push' && github.ref == 'refs/heads/main' steps: - name: Checkout code - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 # Securely configure SSH for AUR access. - name: Configure SSH -- 2.34.1 From db2f73df2af1695785d729e97fa02af76c96622e Mon Sep 17 00:00:00 2001 
From: Sean Casey <4674433+CaseyLabs@users.noreply.github.com> Date: Wed, 8 Apr 2026 14:05:02 -0700 Subject: [PATCH 8/9] remove temporary AUR test workflow --- .github/workflows/publish-aur-test.yml | 62 -------------------------- 1 file changed, 62 deletions(-) delete mode 100644 .github/workflows/publish-aur-test.yml diff --git a/.github/workflows/publish-aur-test.yml b/.github/workflows/publish-aur-test.yml deleted file mode 100644 index 7527f71..0000000 --- a/.github/workflows/publish-aur-test.yml +++ /dev/null 
@@ -1,62 +0,0 @@ -name: Test - Arch Linux AUR Package - -on: - push: - branches: - - feat/add-arch-linux-support - workflow_dispatch: - -permissions: - contents: read - -jobs: - validate: - name: Validate PKGBUILD - runs-on: ubuntu-latest - steps: - - name: Checkout code - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - - - name: Build and Test Package - timeout-minutes: 60 - run: | - mkdir -p build-dir - cp PKGBUILD build-dir/ - - docker run --rm -v $PWD/build-dir:/pkg -w /pkg archlinux:latest /bin/bash -c " - pacman -Syu --noconfirm --needed base-devel rust git sudo cargo-audit - - useradd -m builduser - chown -R builduser:builduser /pkg - echo 'builduser ALL=(ALL) NOPASSWD: ALL' > /etc/sudoers.d/builduser - - sudo -u builduser makepkg -o --nobuild --nocheck --nodeps --noprepare - sudo -u builduser sh -lc 'cd /pkg/src/numa && cargo audit' - sudo -u builduser makepkg -s --noconfirm - " - - dry-run-srcinfo: - name: Dry Run .SRCINFO - runs-on: ubuntu-latest - needs: validate - steps: - - name: Checkout code - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - - - name: Generate .SRCINFO Without Pushing - timeout-minutes: 30 - run: | - mkdir -p aur-dry-run - cp PKGBUILD aur-dry-run/ - cd aur-dry-run - - docker run --rm -v $(pwd):/pkg -w /pkg archlinux:latest /bin/bash -c " - pacman -Syu --noconfirm --needed binutils git sudo rust - useradd -m builduser - chown -R builduser:builduser /pkg - sudo -u builduser makepkg -od --nocheck - sudo -u builduser makepkg --printsrcinfo > .SRCINFO - " - - echo 'Generated .SRCINFO for dry-run validation:' - sed -n '1,120p' .SRCINFO -- 2.34.1 From 2737cef248d2ea0c5ed1f420697a3d17532fbd99 Mon Sep 17 00:00:00 2001 
From: Razvan Dimescu Date: Thu, 9 Apr 2026 12:54:01 +0300 Subject: [PATCH 9/9] fix: correct AUR SSH host key fingerprint The previously pinned ed25519 key was truncated (52 chars) and did not match the actual aur.archlinux.org host key. Verified via ssh-keyscan. Co-Authored-By: Claude Opus 4.6 (1M context) --- .github/workflows/publish-aur.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/publish-aur.yml b/.github/workflows/publish-aur.yml index cab44f9..03831c9 100644 --- a/.github/workflows/publish-aur.yml +++ b/.github/workflows/publish-aur.yml @@ -99,7 +99,7 @@ jobs: run: | mkdir -p ~/.ssh # Official AUR Ed25519 fingerprint (prevents Man-in-the-Middle attacks). - echo "aur.archlinux.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEu46S9S6YfBD5C8GeOBip8Z11+4" >> ~/.ssh/known_hosts + echo "aur.archlinux.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEuBKrPzbawxA/k2g6NcyV5jmqwJ2s+zpgZGZ7tpLIcN" >> ~/.ssh/known_hosts # Use ssh-agent to keep the private key in memory rather than writing it to disk. eval $(ssh-agent -s) -- 2.34.1
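Review bot: The commit message says the replacement host key was "verified via ssh-keyscan", but ssh-keyscan only records whatever key the network presented — that is the trust-on-first-use step a pinned known_hosts entry exists to replace, so it does not by itself establish that this is the genuine aur.archlinux.org key. Before relying on it, compare its fingerprint (`ssh-keygen -lf` on the line) against the fingerprints Arch publishes for the AUR host, and record the provenance in the comment, e.g. `# aur.archlinux.org Ed25519 host key; fingerprint cross-checked against Arch's published value (date)`. Since the entry is appended with `>>` and ssh's default `StrictHostKeyChecking=ask` has no tty here, a mismatch will surface as "Host key verification failed" rather than a prompt, which is the desired behaviour; setting `GIT_SSH_COMMAND="ssh -o StrictHostKeyChecking=yes"` would make that refusal explicit rather than incidental.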