# `publish-aur.yml` - Arch Linux AUR Package Workflow # -------------------- # This workflow automates the validation and publishing of the 'numa-git' package to the # Arch User Repository (AUR). The AUR is a community-driven repository for Arch Linux users. # # Workflow Overview: # 1. Validate: Builds and tests the package for Arch Linux x86_64 using a clean # Arch Linux container. # 2. Audit: Checks Rust dependencies for known security vulnerabilities using # 'cargo-audit'. # 3. Publish: If on the 'main' branch, it pushes the updated PKGBUILD and # .SRCINFO to the AUR. # # Security Best Practices: # - SHA Pinning: All GitHub Actions are pinned to a full-length commit SHA (e.g., v6.0.2 @ SHA) # to ensure the code is immutable and protects against supply-chain attacks where a tag # might be maliciously moved to a compromised commit. # - SSH Hygiene: Uses ssh-agent to keep the private key in memory rather than on disk. # - Audit: Runs 'cargo audit' to prevent publishing known vulnerable dependencies. name: Publish - Arch Linux AUR Package on: push: branches: [main] workflow_dispatch: permissions: contents: read jobs: # The 'validate' job ensures that the PKGBUILD is correct and the software builds/tests # successfully on Arch Linux before we attempt to publish it. validate: name: Validate PKGBUILD (${{ matrix.arch }}) runs-on: ubuntu-latest strategy: fail-fast: false matrix: arch: [x86_64] steps: - name: Checkout code uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Build and Test Package timeout-minutes: 60 env: AUR_PKGNAME: ${{ secrets.AUR_PACKAGE_NAME }} run: | # We use a temporary directory to avoid Docker permission issues with the workspace. mkdir -p build-dir cp PKGBUILD build-dir/ docker run --rm -v $PWD/build-dir:/pkg -w /pkg archlinux:latest /bin/bash -c " # ARCH LINUX SECURITY REQUIREMENT: # 'makepkg' (the tool that builds Arch packages) refuses to run as root for safety. # We must create a standard user and give them sudo access. # Install build-time dependencies. # 'base-devel' includes essential tools like gcc, make, and binutils. # Install 'rust' directly to avoid the interactive virtual-package # prompt for 'cargo' on current Arch images. pacman -Syu --noconfirm --needed base-devel rust git sudo cargo-audit useradd -m builduser chown -R builduser:builduser /pkg # Allow the build user to install dependencies during the build process. echo 'builduser ALL=(ALL) NOPASSWD: ALL' > /etc/sudoers.d/builduser # Fetch the source tree first so pkgver() and cargo-audit have a # real Cargo.lock to inspect. sudo -u builduser makepkg -o --nobuild --nocheck --nodeps --noprepare # SECURITY AUDIT: # Fail early if any dependencies have known security vulnerabilities. sudo -u builduser sh -lc 'cd /pkg/src/numa && cargo audit' # BUILD & TEST: # 'makepkg -s' will: # 1. Download source files (cloning this repo) # 2. Run prepare(), build(), and check() (running cargo test) # 3. Create the final .pkg.tar.zst package sudo -u builduser makepkg -s --noconfirm " # The 'publish' job updates the AUR repository with our latest PKGBUILD and .SRCINFO. publish: name: Publish to AUR needs: validate runs-on: ubuntu-latest if: github.event_name == 'push' && github.ref == 'refs/heads/main' steps: - name: Checkout code uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 # Securely configure SSH for AUR access. - name: Configure SSH run: | mkdir -p ~/.ssh # Official AUR Ed25519 fingerprint (prevents Man-in-the-Middle attacks). echo "aur.archlinux.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEuBKrPzbawxA/k2g6NcyV5jmqwJ2s+zpgZGZ7tpLIcN" >> ~/.ssh/known_hosts # Use ssh-agent to keep the private key in memory rather than writing it to disk. eval $(ssh-agent -s) echo "${{ secrets.AUR_SSH_PRIVATE_KEY }}" | tr -d '\r' | ssh-add - # Export the agent socket so subsequent 'git' commands can use it. echo "SSH_AUTH_SOCK=$SSH_AUTH_SOCK" >> $GITHUB_ENV echo "SSH_AGENT_PID=$SSH_AGENT_PID" >> $GITHUB_ENV - name: Push to AUR env: AUR_PKGNAME: ${{ secrets.AUR_PACKAGE_NAME }} AUR_EMAIL: ${{ secrets.AUR_EMAIL }} AUR_USER: ${{ secrets.AUR_USERNAME }} run: | # AUR repos are managed via Git. Each package has its own repo at: # ssh://aur@aur.archlinux.org/.git git clone ssh://aur@aur.archlinux.org/$AUR_PKGNAME.git aur-repo cp PKGBUILD aur-repo/ cd aur-repo # METADATA GENERATION: # '.SRCINFO' is a machine-readable version of the PKGBUILD. # We must run this as a non-root user ('builduser') inside the container. docker run --rm -v $(pwd):/pkg archlinux:latest /bin/bash -c " pacman -Syu --noconfirm --needed binutils git sudo useradd -m builduser chown -R builduser:builduser /pkg cd /pkg sudo -u builduser git config --global --add safe.directory '*' # "makepkg -od" fetches the source first so pkgver() can calculate the version. sudo -u builduser makepkg -od && sudo -u builduser makepkg --printsrcinfo > .SRCINFO " # Reclaim ownership: the in-container 'chown -R builduser:builduser /pkg' # propagates through the bind mount, leaving .git/ owned by the container's # builduser UID. Without this, subsequent 'git config' on the host fails with # "could not lock config file .git/config: Permission denied". sudo chown -R "$(id -u):$(id -g)" . # Set the commit identity using secrets for security and auditability. git config user.name "$AUR_USER" git config user.email "$AUR_EMAIL" # Stage and commit both the human-readable PKGBUILD and machine-readable .SRCINFO. git add PKGBUILD .SRCINFO if ! git diff --cached --quiet; then git commit -m "chore: update PKGBUILD to ${{ github.sha }}" git push origin master else echo "No changes to commit (metadata and PKGBUILD are already up-to-date)." fi