Add AUR package and move distribution actions to subfolder (#1319) #1322

Open

spoorcc wants to merge 7 commits into main from claude/distribution-actions-subfolder-m75vs5

Conversation

@spoorcc spoorcc commented Jun 27, 2026

  • Create aur/PKGBUILD and aur/.SRCINFO for the dfetch-bin AUR package
  • Add .github/workflows/distribution/aur-publish.yml to publish to AUR on
    each release using AUR_SSH_KEY stored in the 'aur' environment
  • Move python-publish.yml and winget-publish.yml into
    .github/workflows/distribution/ subfolder alongside the new aur-publish.yml
  • Update installation docs with Arch Linux / AUR installation instructions
  • Extend threat model with AUR boundary (A-11), AUR_SSH_KEY asset (A-12),
    dataflows DF-30–DF-32, threat DFT-36, and controls C-044/C-046
  • Update security/tm_controls_data.py file-path references for moved workflows

Co-Authored-By: Claude Sonnet 4.6 noreply@anthropic.com
Claude-Session: https://claude.ai/code/session_013RYDLTQX5YRoR7gV5vFRM9

Summary by CodeRabbit

  • New Features
    • Added an Arch Linux dfetch-bin package via the AUR, including an automated AUR publish workflow.
  • Bug Fixes
    • Expanded build artifact handling so the Linux tarball is packaged, published, and included in SBOM attestation/verification and build provenance checks.
  • Documentation
    • Updated the installation tutorial and supply-chain threat model to cover AUR publishing, installation, and independent provenance verification.
  • Chores
    • Updated security controls and threat records to reflect the AUR deployment and verification path.

claude added 6 commits June 27, 2026 14:11
- Create aur/PKGBUILD and aur/.SRCINFO for the dfetch-bin AUR package
- Add .github/workflows/distribution/aur-publish.yml to publish to AUR on
  each release using AUR_SSH_KEY stored in the 'aur' environment
- Move python-publish.yml and winget-publish.yml into
  .github/workflows/distribution/ subfolder alongside the new aur-publish.yml
- Update installation docs with Arch Linux / AUR installation instructions
- Extend threat model with AUR boundary (A-11), AUR_SSH_KEY asset (A-12),
  dataflows DF-30–DF-32, threat DFT-36, and controls C-044/C-046
- Update security/tm_controls_data.py file-path references for moved workflows

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_013RYDLTQX5YRoR7gV5vFRM9

Add a header comment block covering: AUR account creation, dedicated
SSH key pair generation, public key registration with AUR, GitHub 'aur'
environment setup with the AUR_SSH_KEY secret, initial package creation
via git clone/push, and local testing with makepkg.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_013RYDLTQX5YRoR7gV5vFRM9

Link each setup step to the relevant Arch Wiki or GitHub Docs page:
- Step 1 → AUR submission guidelines (creating a new package)
- Step 2 → AUR submission guidelines (authentication / SSH keys)
- Step 4c → GitHub docs on required reviewers for environments
- Step 4d → GitHub docs on environment secrets
- Step 5 → AUR submission guidelines (submitting packages)
- Step 6 → Arch Wiki makepkg page

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_013RYDLTQX5YRoR7gV5vFRM9

On push or pull_request touching aur/ or the workflow itself, build the
PKGBUILD in an archlinux container: resolve the latest release tag, compute
the real SHA256, run makepkg, then install and verify with dfetch --version.
The existing publish job is unchanged and still fires only on releases.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_013RYDLTQX5YRoR7gV5vFRM9

Test job changes:
- Trigger only on push to main (removes pull_request and release-based API call)
- Split into build-binary (ubuntu-latest, Nuitka) + test (archlinux container)
- build-binary compiles the current commit and creates dfetch-<tag>-nix.tar.gz
- test downloads the artifact, patches PKGBUILD with local tarball + real SHA256,
  runs makepkg, installs, and verifies dfetch --version

PKGBUILD fix:
- Nuitka standalone mode creates a binary + companion dfetch.dist/ directory;
  copying just the binary to /usr/bin is insufficient
- Install entire build output to /opt/dfetch/ (mirroring the .deb layout)
  and symlink /usr/bin/dfetch -> /opt/dfetch/dfetch

publish job fix:
- Tighten if: condition to explicitly match only release and workflow_dispatch,
  preventing the new push trigger from inadvertently firing publish

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_013RYDLTQX5YRoR7gV5vFRM9

build.yml:
- Create dfetch-<ver>-nix.tar.gz (Linux only) from the Nuitka dist dir;
  this was the critical missing piece — the AUR publish job downloaded a
  URL that never existed in any release
- Include *.tar.gz in SBOM attest, build-provenance attest, VSA attest,
  and all corresponding verify loops, so the AUR tarball has the same
  attestation chain as every other binary format

aur-publish.yml (publish job):
- Split the single "update checksums" step into two: first download the
  tarball, verify its Sigstore SLSA build-provenance attestation with
  gh attestation verify, then compute SHA256 from the already-downloaded
  file; workflow aborts before any AUR push if attestation fails
- Add sigstore egress endpoints (fulcio, rekor, tuf-repo-cdn) to
  harden-runner allowlist to support gh attestation verify

aur/PKGBUILD:
- Expand placeholder comment: warn explicitly that the SKIP checksum
  means manual makepkg from this repo will not verify the binary, and
  direct users to the AUR package where the real checksum is set

installation.rst:
- Note that dfetch-bin is a pre-built binary (no Python or compilation
  needed on the user's machine)
- Mention that the AUR helper verifies the SHA256, and link to the
  gh attestation tool for independent provenance verification

security/tm_controls_data.py + threat_model_supply_chain.rst:
- Add C-047: AUR release tarball build-provenance verified before PKGBUILD
  update; referenced from DFT-36 mitigations

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_013RYDLTQX5YRoR7gV5vFRM9
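The commits above describe the PKGBUILD layout (the whole Nuitka dist tree under /opt/dfetch, a /usr/bin/dfetch symlink, a SKIP checksum placeholder that the publish job replaces) without showing the file. The following is an added example of such a PKGBUILD, written by the editor; it is not the project's aur/PKGBUILD. The release URL pattern, the assumption that the tarball unpacks to a dfetch.dist/ directory holding the dfetch executable, the pkgver value and the license field are the editor's assumptions. Because package() is plain bash, it can be run outside makepkg with srcdir and pkgdir pointed at scratch directories, which is how the layout can be checked without an Arch machine.

```bash
# Maintainer: <AUR maintainer handle>   (placeholder)
# Added example PKGBUILD for a pre-built (-bin) package; not the project's own file.
pkgname=dfetch-bin
pkgver=0.0.0          # assumed tag format; the publish job rewrites this to the release tag
pkgrel=1
pkgdesc="Dependency fetcher for Git/SVN based projects (pre-built Nuitka binary)"
arch=('x86_64')
url="https://github.com/dfetch-org/dfetch"
license=('MIT')       # assumption: confirm against the upstream LICENSE before publishing
provides=('dfetch')
conflicts=('dfetch')
# Prebuilt and attested upstream: do not strip, so the installed bytes stay the
# bytes whose provenance was verified against the release tarball.
options=('!strip')
# Assumed asset URL; it must match exactly what build.yml uploads to the release.
source=("${url}/releases/download/${pkgver}/dfetch-${pkgver}-nix.tar.gz")
# 'SKIP' disables makepkg's integrity check. A PKGBUILD pushed to the AUR with
# this placeholder still in place installs whatever the URL happens to serve, so
# the publish job must replace it with the real sha256 before any AUR push.
sha256sums=('SKIP')

package() {
    # Nuitka standalone output is a directory (binary plus companion files), so
    # the whole tree goes under /opt/dfetch and only a symlink lands in /usr/bin.
    install -d "${pkgdir}/opt/dfetch" "${pkgdir}/usr/bin"
    cp -a "${srcdir}/dfetch.dist/." "${pkgdir}/opt/dfetch/"
    chmod 755 "${pkgdir}/opt/dfetch/dfetch"
    ln -s /opt/dfetch/dfetch "${pkgdir}/usr/bin/dfetch"
}
```

To dry-run the layout without makepkg, source the file in bash, set srcdir to a directory containing a dfetch.dist/ tree and pkgdir to an empty directory, and call package; the result should contain opt/dfetch/dfetch (executable) and usr/bin/dfetch pointing at /opt/dfetch/dfetch.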
coderabbitai Bot commented Jun 27, 2026

Review skipped

No new commits to review since the last review.

Walkthrough

Adds AUR packaging for dfetch-bin, a new AUR publish workflow, Linux tarball handling in the build pipeline, and matching supply-chain model, control, and documentation updates.

Changes

AUR Binary Distribution

AUR package metadata (aur/PKGBUILD, aur/.SRCINFO): Adds dfetch-bin package metadata, source tarball handling, checksum placeholder, and install layout under /opt/dfetch with a /usr/bin/dfetch symlink.

Tarball creation and release coverage (.github/workflows/build.yml): Creates build/dfetch-package/*.tar.gz on Linux versioned releases and includes it in SBOM, provenance, attestation, artifact upload, and release upload steps.

AUR publish workflow (.github/workflows/distribution/aur-publish.yml): Adds trigger handling plus build, test, and publish jobs for AUR publishing, including tarball verification and AUR deployment.

Threat model and security controls (security/tm_supply_chain.py, security/tm_controls_data.py, security/threats.json): Adds AUR assets, dataflows, threat response, new supply-chain controls, and the new threat record for compromised AUR SSH key usage.

Docs and changelog (doc/explanation/threat_model_supply_chain.rst, doc/tutorials/installation.rst, CHANGELOG.rst): Updates the threat model, installation tutorial, and changelog to describe AUR distribution.

Possibly related PRs

  • dfetch-org/dfetch#900: Both PRs update .github/workflows/build.yml to expand artifact/SBOM-related handling in the build pipeline.
  • dfetch-org/dfetch#1176: Both PRs extend build attestation coverage in .github/workflows/build.yml for binary artifacts.
  • dfetch-org/dfetch#1190: Both PRs modify provenance verification logic in .github/workflows/build.yml for packaged artifacts.

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 5

Inline comments:
In @.github/workflows/build.yml:
- Around line 141-146: The Linux tarball step currently names the archive from
dfetch.__version__, which can drift from the AUR release tag contract. Update
the Create AUR tarball logic in the build workflow to use the same release
identifier that aur/PKGBUILD and the AUR publish workflow expect
(dfetch-${pkgver}-nix.tar.gz), or add a guard that fails the job when the
version and release tag do not match. Keep the naming logic aligned in this step
so downstream AUR source URLs continue to resolve correctly.

In @.github/workflows/distribution/aur-publish.yml:
- Around line 64-79: The AUR workflow only runs on release, manual dispatch, and
push to main, so makepkg validation is skipped on pull requests. Add a
pull_request trigger for the aur paths and update the validation job conditions
in the workflow so the makepkg checks run for PRs as well as pushes. Keep the
existing job logic in the aur-publish workflow, but adjust the github.event_name
gating on the validation steps/jobs to include pull_request instead of limiting
them to push only.
- Around line 39-49: The bootstrap instructions for the AUR initial import are
allowing a live push with SKIP checksums copied from aur/PKGBUILD and
aur/.SRCINFO. Update the guidance around the dfetch-bin initial import so the
first public AUR commit uses a real release tarball sha256 checksum instead of
SKIP, or explicitly instruct computing and replacing the checksum before the git
add/git commit steps in the AUR package creation flow.
- Around line 130-131: The AUR publish job uses a mutable Arch container image,
so update the container definition in the workflow to reference the archlinux
image by immutable digest instead of archlinux:latest. Keep the change localized
to the container.image setting in the distribution/aur-publish workflow so the
job environment stays reproducible across runs.

In `@doc/tutorials/installation.rst`:
- Around line 67-70: The installation tutorial wording is incorrect about what
the AUR flow verifies. Update the text in the AUR helper section to say the
SHA256 checksum is checked for the release tarball/archive referenced by the
PKGBUILD before install, not the downloaded binary, and keep the attestation
sentence aligned with that same artifact description.
📥 Commits

Reviewing files that changed from the base of the PR and between 8e608df and e9775b8.

📒 Files selected for processing (12)
  • .github/workflows/build.yml
  • .github/workflows/distribution/aur-publish.yml
  • .github/workflows/distribution/python-publish.yml
  • .github/workflows/distribution/winget-publish.yml
  • CHANGELOG.rst
  • aur/.SRCINFO
  • aur/PKGBUILD
  • doc/explanation/threat_model_supply_chain.rst
  • doc/tutorials/installation.rst
  • security/threats.json
  • security/tm_controls_data.py
  • security/tm_supply_chain.py

…t, docs

- Add pull_request trigger to aur-publish.yml so makepkg validation runs
  on PRs touching aur/ or the workflow file, not just pushes to main
- Fix AUR tarball naming in build.yml to use inputs.release_id directly
  instead of dfetch.__version__, which can drift for dev builds; also
  gate the step on versioned releases (not 'latest')
- Pin archlinux container to immutable digest for reproducible test runs
- Expand step-5 setup instructions to compute real SHA256 before the
  initial AUR push rather than copying the SKIP placeholder
- Correct installation.rst wording: the AUR helper verifies the release
  tarball checksum, not the downloaded binary

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_013RYDLTQX5YRoR7gV5vFRM9
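The sequence from the last two commits (download once, verify the Sigstore build-provenance attestation, hash the same file, replace the placeholder, refuse to continue if SKIP survives) and the review comment about never pushing SKIP to the AUR, as an added shell script. This is the editor's example, not the project's workflow step. It assumes gh is authenticated through GH_TOKEN, the release tarball is already on disk, and aur/PKGBUILD and aur/.SRCINFO still carry the SKIP placeholder; the repository slug and file paths are passed in as arguments.

```shell
#!/bin/sh
# Added example (editor's, not the project's aur-publish.yml): the
# "verify, then hash, then patch" step that runs before anything is pushed.
set -eu

# Verify the artifact's Sigstore/SLSA build-provenance bundle against the
# repository it is supposed to come from. Non-zero exit if the bundle is
# missing, issued for another repository, or does not match the file's digest.
verify_provenance() {
    gh attestation verify "$1" --repo "$2"
}

# Digest of the bytes that were just verified: hash the same file, never a
# second download, so verification and checksum cannot diverge.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Rewrite the sha256sums entries in PKGBUILD (bash array syntax) and .SRCINFO
# (tab-indented "key = value"). Written via a temp file so any POSIX sed works.
set_checksum() {
    digest=$1 pkgbuild=$2 srcinfo=$3
    tab=$(printf '\t')
    sed -e "s/^sha256sums=(.*)/sha256sums=('${digest}')/" "$pkgbuild" > "$pkgbuild.new"
    mv "$pkgbuild.new" "$pkgbuild"
    sed -e "s/^[[:space:]]*sha256sums = .*/${tab}sha256sums = ${digest}/" "$srcinfo" > "$srcinfo.new"
    mv "$srcinfo.new" "$srcinfo"
}

# Last line of defence: a file that still disables verification must not be
# published. Returns 1 on the first offending file.
assert_no_skip() {
    for f in "$@"; do
        if grep -q 'sha256sums.*SKIP' "$f"; then
            echo "refusing to publish: $f still carries the SKIP placeholder" >&2
            return 1
        fi
    done
}

# Full sequence as the publish job would run it; with set -e any failure
# aborts before the AUR push that follows this step.
update_aur_checksums() {
    tarball=$1 repo=$2 pkgbuild=$3 srcinfo=$4
    verify_provenance "$tarball" "$repo"
    digest=$(sha256_of "$tarball")
    set_checksum "$digest" "$pkgbuild" "$srcinfo"
    assert_no_skip "$pkgbuild" "$srcinfo"
    echo "sha256 $digest written to $pkgbuild and $srcinfo"
}

# usage: sh aur-checksums.sh dfetch-1.2.3-nix.tar.gz dfetch-org/dfetch aur/PKGBUILD aur/.SRCINFO
if [ "$#" -eq 4 ]; then
    update_aur_checksums "$@"
fi
```

The ordering is the point: hashing before verification, or hashing a second download, would let whoever controls the download path get their digest into the PKGBUILD behind a green pipeline run. gh attestation verify reaches api.github.com and the Sigstore endpoints (tuf-repo-cdn, fulcio, rekor), which is why a blocking harden-runner policy on the job has to list them.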
@ben-edna

@coderabbitai review

coderabbitai Bot commented Jun 27, 2026

✅ Action performed

Review finished.

@coderabbitai coderabbitai Bot left a comment

⚠️ Outside diff range comments (1)
.github/workflows/distribution/aur-publish.yml (1)

110-115: 🩺 Stability & Availability | 🟠 Major | ⚡ Quick win

Allow blob storage for artifact upload in the hardened job. This actions/upload-artifact step runs under step-security/harden-runner, and the job currently only allows GitHub/PyPI endpoints. Add *.blob.core.windows.net:443 here so the tarball upload doesn’t fail.

📥 Commits

Reviewing files that changed from the base of the PR and between e9775b8 and d9394e8.

📒 Files selected for processing (3)
  • .github/workflows/build.yml
  • .github/workflows/distribution/aur-publish.yml
  • doc/tutorials/installation.rst
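The review threads above make three workflow-level points: the publish job's egress allowlist must include the Sigstore endpoints or gh attestation verify fails, the job that runs actions/upload-artifact must allow *.blob.core.windows.net:443 (that job is not shown here), and the Arch container should be pinned by digest rather than a moving tag. The following is an added sketch of such a workflow, written by the editor; it is not the project's .github/workflows/distribution/aur-publish.yml. The event gating, the aur environment and the AUR_SSH_KEY secret follow the PR description; the release-asset pattern, the githubusercontent and aur.archlinux.org:22 endpoints, the committer identity, and the digest and host-key placeholders are assumptions to fill in.

```yaml
# Added example, not the project's aur-publish.yml. Placeholders in <> must be
# replaced before use; endpoints not named on this page are the editor's guess.
name: aur-publish

on:
  release:
    types: [published]
  workflow_dispatch:
    inputs:
      tag:
        description: Release tag to publish
        required: true
  pull_request:
    paths: ['aur/**', '.github/workflows/distribution/aur-publish.yml']

permissions:
  contents: read

jobs:
  test:
    if: github.event_name == 'pull_request'
    runs-on: ubuntu-latest
    container:
      # A moving tag (archlinux:latest) can be re-pointed at any time; a digest
      # cannot. Resolve one with: docker buildx imagetools inspect archlinux:base-devel
      image: archlinux:base-devel@sha256:<digest-placeholder>
    steps:
      - uses: actions/checkout@v4
      - name: Build the package as an unprivileged user (makepkg refuses to run as root)
        # The page's test job first points source= at a locally built tarball.
        run: |
          useradd -m builder && chown -R builder aur
          su builder -c 'cd aur && makepkg -f --noconfirm'

  publish:
    # Explicit event allowlist: the pull_request trigger above must never reach
    # the job that holds the AUR key.
    if: github.event_name == 'release' || github.event_name == 'workflow_dispatch'
    runs-on: ubuntu-latest
    environment: aur            # holds AUR_SSH_KEY; enable required reviewers on it
    steps:
      - uses: step-security/harden-runner@v2   # pin to a commit SHA in a real workflow
        with:
          egress-policy: block
          # Too tight and `gh attestation verify` fails closed (it needs the
          # Sigstore TUF root, Fulcio and Rekor); too loose and the policy no
          # longer bounds where a leaked key could be sent.
          allowed-endpoints: >
            api.github.com:443
            github.com:443
            objects.githubusercontent.com:443
            release-assets.githubusercontent.com:443
            fulcio.sigstore.dev:443
            rekor.sigstore.dev:443
            tuf-repo-cdn.sigstore.dev:443
            aur.archlinux.org:22
      - uses: actions/checkout@v4
      - name: Download the release tarball and verify its build provenance
        env:
          GH_TOKEN: ${{ github.token }}
          TAG: ${{ github.event.release.tag_name || inputs.tag }}
        run: |
          gh release download "$TAG" --repo "$GITHUB_REPOSITORY" --pattern 'dfetch-*-nix.tar.gz'
          gh attestation verify dfetch-*-nix.tar.gz --repo "$GITHUB_REPOSITORY"
          # Hash this verified file and write the digest into aur/PKGBUILD and
          # aur/.SRCINFO here; abort if 'SKIP' is still present afterwards.
      - name: Push PKGBUILD and .SRCINFO to the AUR over SSH
        env:
          AUR_SSH_KEY: ${{ secrets.AUR_SSH_KEY }}
          TAG: ${{ github.event.release.tag_name || inputs.tag }}
        run: |
          install -d -m 700 ~/.ssh
          printf '%s\n' "$AUR_SSH_KEY" > ~/.ssh/aur_ed25519 && chmod 600 ~/.ssh/aur_ed25519
          # Pin the host key published on https://aur.archlinux.org instead of
          # trusting whatever ssh-keyscan answers on first contact.
          echo 'aur.archlinux.org <ssh-ed25519 host key placeholder>' >> ~/.ssh/known_hosts
          export GIT_SSH_COMMAND='ssh -i ~/.ssh/aur_ed25519 -o IdentitiesOnly=yes'
          git clone ssh://aur@aur.archlinux.org/dfetch-bin.git aur-repo
          cp aur/PKGBUILD aur/.SRCINFO aur-repo/
          git -C aur-repo -c user.name=dfetch-bot -c user.email=bot@example.invalid \
              commit -am "Update to $TAG" && git -C aur-repo push
```

Keeping the key in a reviewed environment, gating the job on explicit event names, and blocking all egress except the listed hosts together bound the blast radius of the DFT-36 scenario (compromised AUR SSH key use): even a hijacked run can only talk to GitHub, Sigstore and the AUR, and only after a human approves the environment.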

@ben-edna

@coderabbitai review

coderabbitai Bot commented Jun 28, 2026

✅ Action performed

Review finished.
