Add AUR package and move distribution actions to subfolder (#1319)#1322
spoorcc wants to merge 7 commits into
Conversation
- Create aur/PKGBUILD and aur/.SRCINFO for the dfetch-bin AUR package
- Add .github/workflows/distribution/aur-publish.yml to publish to AUR on each release using AUR_SSH_KEY stored in the 'aur' environment
- Move python-publish.yml and winget-publish.yml into .github/workflows/distribution/ subfolder alongside the new aur-publish.yml
- Update installation docs with Arch Linux / AUR installation instructions
- Extend threat model with AUR boundary (A-11), AUR_SSH_KEY asset (A-12), dataflows DF-30–DF-32, threat DFT-36, and controls C-044/C-046
- Update security/tm_controls_data.py file-path references for moved workflows

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_013RYDLTQX5YRoR7gV5vFRM9
Add a header comment block covering: AUR account creation, dedicated SSH key pair generation, public key registration with AUR, GitHub 'aur' environment setup with the AUR_SSH_KEY secret, initial package creation via git clone/push, and local testing with makepkg.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_013RYDLTQX5YRoR7gV5vFRM9
Link each setup step to the relevant Arch Wiki or GitHub Docs page:
- Step 1 → AUR submission guidelines (creating a new package)
- Step 2 → AUR submission guidelines (authentication / SSH keys)
- Step 4c → GitHub docs on required reviewers for environments
- Step 4d → GitHub docs on environment secrets
- Step 5 → AUR submission guidelines (submitting packages)
- Step 6 → Arch Wiki makepkg page

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_013RYDLTQX5YRoR7gV5vFRM9
On push or pull_request touching aur/ or the workflow itself, build the PKGBUILD in an archlinux container: resolve the latest release tag, compute the real SHA256, run makepkg, then install and verify with dfetch --version. The existing publish job is unchanged and still fires only on releases.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_013RYDLTQX5YRoR7gV5vFRM9
Test job changes:
- Trigger only on push to main (removes pull_request and release-based API call)
- Split into build-binary (ubuntu-latest, Nuitka) + test (archlinux container)
- build-binary compiles the current commit and creates dfetch-<tag>-nix.tar.gz
- test downloads the artifact, patches PKGBUILD with local tarball + real SHA256, runs makepkg, installs, and verifies dfetch --version

PKGBUILD fix:
- Nuitka standalone mode creates a binary + companion dfetch.dist/ directory; copying just the binary to /usr/bin is insufficient
- Install entire build output to /opt/dfetch/ (mirroring the .deb layout) and symlink /usr/bin/dfetch -> /opt/dfetch/dfetch

publish job fix:
- Tighten if: condition to explicitly match only release and workflow_dispatch, preventing the new push trigger from inadvertently firing publish

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_013RYDLTQX5YRoR7gV5vFRM9
build.yml:
- Create dfetch-<ver>-nix.tar.gz (Linux only) from the Nuitka dist dir; this was the critical missing piece — the AUR publish job downloaded a URL that never existed in any release
- Include *.tar.gz in SBOM attest, build-provenance attest, VSA attest, and all corresponding verify loops, so the AUR tarball has the same attestation chain as every other binary format

aur-publish.yml (publish job):
- Split the single "update checksums" step into two: first download the tarball, verify its Sigstore SLSA build-provenance attestation with gh attestation verify, then compute SHA256 from the already-downloaded file; workflow aborts before any AUR push if attestation fails
- Add sigstore egress endpoints (fulcio, rekor, tuf-repo-cdn) to harden-runner allowlist to support gh attestation verify

aur/PKGBUILD:
- Expand placeholder comment: warn explicitly that the SKIP checksum means manual makepkg from this repo will not verify the binary, and direct users to the AUR package where the real checksum is set

installation.rst:
- Note that dfetch-bin is a pre-built binary (no Python or compilation needed on the user's machine)
- Mention that the AUR helper verifies the SHA256, and link to the gh attestation tool for independent provenance verification

security/tm_controls_data.py + threat_model_supply_chain.rst:
- Add C-047: AUR release tarball build-provenance verified before PKGBUILD update; referenced from DFT-36 mitigations

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_013RYDLTQX5YRoR7gV5vFRM9
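The publish-side sequence the commits above describe (verify the downloaded tarball's build-provenance attestation, only then compute the real SHA256 and write it over the SKIP placeholder in the PKGBUILD), as an added shell example that is not the project's own workflow code. It assumes a PKGBUILD with single-line `pkgver=` and `sha256sums=(...)` entries and a `gh` that provides the `attestation` subcommand; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not dfetch's workflow: verify a release tarball, then write
# its real SHA256 into the PKGBUILD instead of the SKIP placeholder.
# Assumes single-line pkgver=... and sha256sums=(...) entries in the PKGBUILD.
set -eu

# SHA256 of a file, using whichever tool the runner has.
file_sha256() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# Check the Sigstore SLSA build-provenance attestation of the tarball against
# the repository that built it. Needs network access and a gh release that has
# the attestation subcommand; a non-zero exit means: do not publish.
verify_attestation() {
  tarball="$1"; repo="$2"
  gh attestation verify "$tarball" --repo "$repo"
}

# Rewrite pkgver and sha256sums in a PKGBUILD from a local tarball and refuse
# to continue if a SKIP placeholder would survive. Prints the checksum.
patch_pkgbuild() {
  pkgbuild="$1"; tarball="$2"; pkgver="$3"
  sum="$(file_sha256 "$tarball")"
  sed -i.bak \
    -e "s/^pkgver=.*/pkgver=${pkgver}/" \
    -e "s/^sha256sums=(.*)/sha256sums=('${sum}')/" \
    "$pkgbuild"
  rm -f "${pkgbuild}.bak"
  if grep -q "sha256sums=('SKIP')" "$pkgbuild"; then
    echo "PKGBUILD still carries a SKIP checksum; refusing to publish" >&2
    return 1
  fi
  printf '%s\n' "$sum"
}

# Publish-side flow in the job's order: verify first, patch second.
# Usage: prepare_aur_release OWNER/REPO 1.2.3 aur/PKGBUILD dfetch-1.2.3-nix.tar.gz
prepare_aur_release() {
  verify_attestation "$4" "$1"
  patch_pkgbuild "$3" "$4" "$2"
}
```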
Actionable comments posted: 5
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/build.yml:
- Around line 141-146: The Linux tarball step currently names the archive from
dfetch.__version__, which can drift from the AUR release tag contract. Update
the Create AUR tarball logic in the build workflow to use the same release
identifier that aur/PKGBUILD and the AUR publish workflow expect
(dfetch-${pkgver}-nix.tar.gz), or add a guard that fails the job when the
version and release tag do not match. Keep the naming logic aligned in this step
so downstream AUR source URLs continue to resolve correctly.
In @.github/workflows/distribution/aur-publish.yml:
- Around line 64-79: The AUR workflow only runs on release, manual dispatch, and
push to main, so makepkg validation is skipped on pull requests. Add a
pull_request trigger for the aur paths and update the validation job conditions
in the workflow so the makepkg checks run for PRs as well as pushes. Keep the
existing job logic in the aur-publish workflow, but adjust the github.event_name
gating on the validation steps/jobs to include pull_request instead of limiting
them to push only.
- Around line 39-49: The bootstrap instructions for the AUR initial import are
allowing a live push with SKIP checksums copied from aur/PKGBUILD and
aur/.SRCINFO. Update the guidance around the dfetch-bin initial import so the
first public AUR commit uses a real release tarball sha256 checksum instead of
SKIP, or explicitly instruct computing and replacing the checksum before the git
add/git commit steps in the AUR package creation flow.
- Around line 130-131: The AUR publish job uses a mutable Arch container image,
so update the container definition in the workflow to reference the archlinux
image by immutable digest instead of archlinux:latest. Keep the change localized
to the container.image setting in the distribution/aur-publish workflow so the
job environment stays reproducible across runs.
In @doc/tutorials/installation.rst:
- Around line 67-70: The installation tutorial wording is incorrect about what
the AUR flow verifies. Update the text in the AUR helper section to say the
SHA256 checksum is checked for the release tarball/archive referenced by the
PKGBUILD before install, not the downloaded binary, and keep the attestation
sentence aligned with that same artifact description.
📒 Files selected for processing (12)
- .github/workflows/build.yml
- .github/workflows/distribution/aur-publish.yml
- .github/workflows/distribution/python-publish.yml
- .github/workflows/distribution/winget-publish.yml
- CHANGELOG.rst
- aur/.SRCINFO
- aur/PKGBUILD
- doc/explanation/threat_model_supply_chain.rst
- doc/tutorials/installation.rst
- security/threats.json
- security/tm_controls_data.py
- security/tm_supply_chain.py
…t, docs
- Add pull_request trigger to aur-publish.yml so makepkg validation runs on PRs touching aur/ or the workflow file, not just pushes to main
- Fix AUR tarball naming in build.yml to use inputs.release_id directly instead of dfetch.__version__, which can drift for dev builds; also gate the step on versioned releases (not 'latest')
- Pin archlinux container to immutable digest for reproducible test runs
- Expand step-5 setup instructions to compute real SHA256 before the initial AUR push rather than copying the SKIP placeholder
- Correct installation.rst wording: the AUR helper verifies the release tarball checksum, not the downloaded binary

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_013RYDLTQX5YRoR7gV5vFRM9
@coderabbitai review

✅ Action performed: Review finished.
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (1)
.github/workflows/distribution/aur-publish.yml (1)
110-115: 🩺 Stability & Availability | 🟠 Major | ⚡ Quick win
Allow blob storage for artifact upload in the hardened job. This actions/upload-artifact step runs under step-security/harden-runner, and the job currently only allows GitHub/PyPI endpoints. Add *.blob.core.windows.net:443 here so the tarball upload doesn't fail.
📒 Files selected for processing (3)
- .github/workflows/build.yml
- .github/workflows/distribution/aur-publish.yml
- doc/tutorials/installation.rst
@coderabbitai review

✅ Action performed: Review finished.
Summary by CodeRabbit
- dfetch-bin package via the AUR, including an automated AUR publish workflow.