Add AUR packaging workflow #414
Conversation
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 5f967f2eb5
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| AUR_DIR=/work/dist/aur ./scripts/aur/render-aur-package.sh | ||
| cd /work/dist/aur | ||
| makepkg --printsrcinfo > .SRCINFO |
Run makepkg as a non-root user
In this workflow the Arch container is started without --user, so this makepkg --printsrcinfo runs as UID 0. Arch's makepkg documentation lists --printsrcinfo as a makepkg mode and documents exit code 10 for "User attempted to run makepkg as root" (https://man.archlinux.org/man/makepkg.8.en), so every manual AUR workflow dispatch will fail here before uploading or publishing the rendered package files. Create/chown a build user in the container and run makepkg under that user.
| if [ "${AUR_PUBLISH:-false}" = "true" ]; then | ||
| archive_url="${AUR_SOURCE_REPO}/archive/${AUR_SOURCE_REF}.tar.gz" | ||
| AUR_SOURCE_SHA256="$(curl -fsSL "$archive_url" | sha256sum | cut -d" " -f1)" |
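Review bot: the checksum pipeline `AUR_SOURCE_SHA256="$(curl -fsSL "$archive_url" | sha256sum | cut -d" " -f1)"` has no retry, unlike the DMG download elsewhere in this PR which uses `curl -fL --retry 3`, and unless the renderer script itself enables pipefail (not visible in this hunk) a failed curl leaves sha256sum hashing an empty stream, so the assignment succeeds with the digest of zero bytes and that value is written into the published PKGBUILD. Add `--retry 3` for consistency and guard the pipeline with `set -o pipefail` (or check `${PIPESTATUS[0]}`) so a download failure aborts rendering instead of publishing a bogus checksum.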
Avoid hashing GitHub's generated tarball bytes
When publish=true, this records the checksum of GitHub's generated .tar.gz bytes in the AUR sha256sums. GitHub documents that source archives are generated on request/cache and that the same archive content can later be served with a different compressed byte layout (https://docs.github.com/repositories/working-with-files/using-files/downloading-source-code-archives), so once GitHub regenerates this archive, makepkg will reject the source before the package can build even though the commit is unchanged. Use a VCS source, SKIP for this generated archive, or a stable release asset instead.
| _source_ref="__SOURCE_REF__" | ||
| _dmg_url="__DMG_URL__" | ||
| _repo_dir="codex-desktop-linux-${_source_ref}" |
Sanitize slash-containing source refs
If the source_ref input is a normal fully qualified Git ref such as refs/tags/v1.0 or a branch name containing /, this embeds the slash into _repo_dir, and the later cd "${srcdir}/${_repo_dir}" expects nested directories that GitHub's archive extraction will not create for that ref. That breaks the advertised "Git ref or commit" override; resolve the input to a commit or derive the extracted directory name independently from the raw ref.
| - name: Render and validate in Arch Linux | ||
| run: | | ||
| set -euo pipefail | ||
| docker run --rm \ |
Resolve mutable refs before publishing
Because this accepts source_ref as a generic Git ref and writes it unchanged into the published PKGBUILD, choosing a branch such as main publishes a package whose checksum was computed for the branch at dispatch time but whose source URL will fetch the branch's later contents after it advances. In that scenario AUR users hit a checksum failure even though the workflow succeeded; resolve any input ref to an immutable commit SHA before rendering and hashing the package.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 1679f80115
| fi | ||
| if [ "${AUR_PUBLISH:-false}" = "true" ]; then | ||
| AUR_DMG_SHA256="$(curl -fL --retry 3 "$AUR_DMG_URL" | sha256sum | cut -d" " -f1)" |
Avoid pinning the rolling DMG checksum
When publish=true, this records a checksum for AUR_DMG_URL, but the rendered PKGBUILD still downloads the same rolling https://persistent.oaistatic.com/codex-app-prod/Codex.dmg later. This repo already treats that DMG as mutable via the Nix hash refresh flow, so after upstream replaces the DMG, AUR users building the last published package will fail checksum validation until this workflow is rerun; publish an immutable DMG URL/asset or intentionally use SKIP with another integrity mechanism.
| export CODEX_LINUX_SOURCE_BRANCH="" | ||
| export CODEX_LINUX_SOURCE_DESCRIBE="${pkgver}-${pkgrel}" | ||
| ./install.sh "${srcdir}/Codex.dmg" |
Include install.sh downloads in AUR sources
In makepkg environments that fetch sources first and build later without network access, this ./install.sh step still downloads the managed Node runtime, Electron runtime, and npm packages, but none of those inputs are listed in source/sha256sums. That makes the AUR package non-reproducible and unable to build from the declared source set; add these archives/packages to the PKGBUILD sources or provide a source-only/cache mode that install.sh uses during AUR builds.
| cd /tmp/aur-codex-desktop-linux | ||
| git config user.name "github-actions[bot]" | ||
| git config user.email "github-actions[bot]@users.noreply.github.com" | ||
| if git diff --quiet -- PKGBUILD .SRCINFO *.install; then |
Detect untracked files before skipping publish
When the AUR repository is empty, the copied PKGBUILD, .SRCINFO, and install hook are all untracked, and git diff --quiet -- ... ignores untracked files. The first publish therefore exits as “No AUR package changes to publish” without committing anything, so the workflow cannot populate the package as described; check git status --porcelain or stage before deciding there are no changes.
| } | ||
| sed_escape_replacement() { | ||
| printf '%s' "$1" | sed -e 's/[\/&]/\\&/g' |
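Review bot: `sed -e 's/[\/&]/\\&/g'` escapes only `/` and `&`, so two other replacement-side metacharacters pass through untouched: a backslash in `$1` is kept as-is and combines with the following character (a `\1` sequence becomes a back-reference), and a newline terminates the `s` command and makes sed fail on an unterminated expression. Since the value is a caller-supplied URL override, escape backslashes as well (`s/[\/&\\]/\\&/g`), reject or escape newlines, and name in a comment which delimiter this helper is paired with so the escape set and the `s|...|...|` call sites cannot drift apart.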
This is an auto review done by revuto.
The renderer uses | as the sed delimiter for __SOURCE_REPO__ and __DMG_URL__ below, but sed_escape_replacement only escapes / and &. If either URL contains a literal | (allowed in a configured AUR_SOURCE_REPO/AUR_DMG_URL override), the generated sed expression is split and rendering fails. This repo has the same packaging invariant for PKGBUILD substitutions: escape the delimiter you use (or use a delimiter not present in the replacement).
| # shellcheck source=/dev/null | ||
| . "$PWD/scripts/lib/package-common.sh" | ||
| stage_common_package_files "$pkgdir" |
This is an auto review done by revuto.
stage_common_package_files copies the staged app from $APP_DIR, but the AUR package never runs ensure_app_layout before calling it. If install.sh exits without producing codex-app/start.sh (for example after an upstream layout drift that still leaves the checkout present), cp -aT "$APP_DIR" will be the first failure and makepkg reports a low-level copy error rather than the repository's explicit "Run ./install.sh first" invariant. Please call ensure_app_layout before staging, matching the local pacman builder's precondition check.
I would not merge this yet. The overall AUR direction can be useful, but there are a couple of concrete blockers to fix first:
I’m also cautious about the support cost here: this AUR package intentionally uses the normal networked

Yeah makes sense will fix that shortly

@codex review
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 897db3a4cf
| "Codex.dmg::${_dmg_url}" | ||
| ) | ||
| sha256sums=( | ||
| '__SOURCE_SHA256__' | ||
| '__DMG_SHA256__' |
Pin the DMG source before pairing it with fixed Electron
When the upstream Codex.dmg URL is replaced after this PKGBUILD is published, makepkg will fetch the new DMG because its checksum is SKIP, but the Electron archive remains fixed by _electron_version. The installer then detects the Electron version from the DMG (scripts/lib/dmg.sh:102-104) while download_electron blindly unpacks the fixed CODEX_ELECTRON_ZIP_SOURCE (scripts/lib/native-modules.sh:299-305), so an upstream Electron bump can silently produce a package with native modules built for one Electron version and a different runtime. Please either pin/verify the DMG checksum used for the rendered package or fail when the detected DMG Electron version does not match the declared AUR Electron source.
| -e AUR_PKGNAME="$AUR_PKGNAME" \ | ||
| -e AUR_SOURCE_REPO="$AUR_SOURCE_REPO" \ | ||
| -e AUR_SOURCE_REF="${{ steps.source-ref.outputs.source_ref }}" \ | ||
| -e AUR_PKGVER="${{ inputs.pkgver }}" \ |
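Review bot: `-e AUR_SOURCE_REF="${{ steps.source-ref.outputs.source_ref }}"` is also a `${{ }}` expression expanded directly into the run script, the same pattern as the `pkgver` line below it; a step output is less exposed than a raw dispatch input, but only `AUR_PKGNAME` and `AUR_SOURCE_REPO` in this hunk are read from shell variables. Routing both the resolved ref and `inputs.pkgver` through the step's `env:` block and referencing them as `"$AUR_SOURCE_REF"` and `"$AUR_PKGVER"` keeps the script free of template expansion entirely, so no dispatch value can change the shape of the `docker run` command before bash parses it.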
Pass pkgver through env before using it in shell
When a workflow-dispatch caller supplies a pkgver containing shell metacharacters, this expression is expanded into the run: script before bash parses the docker run command, unlike source_ref which is first placed in env. A value with a quote or command substitution can therefore alter the workflow command before the renderer's validate_pkgver runs. Please route this input through an environment variable (and quote that variable) before passing it to Docker.
@codex review
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: eaff9a9321
| source=( | ||
| "${_repo_dir}.tar.gz::__SOURCE_REPO__/archive/${_source_ref}.tar.gz" | ||
| "Codex.dmg::${_dmg_url}" |
Pin the DMG source used by AUR builds
Because this AUR source entry points at the floating Codex.dmg URL while the Electron archive is pinned by _electron_version and install.sh now aborts on a detected-version mismatch, the same published AUR revision will start failing as soon as upstream replaces that DMG before a new AUR update is published. In that scenario makepkg downloads the newer DMG but still fetches the old Electron zip, so users rebuilding from a clean cache cannot install the package. Use an immutable/versioned DMG source or publish and verify a matching DMG checksum/version together with the Electron pin.
| set -euo pipefail | ||
| pacman -Syu --noconfirm --needed curl git | ||
| useradd -m builder | ||
| chown -R builder:builder /work |
Avoid taking ownership of the checked-out workspace
On GitHub-hosted runners where the host runner UID differs from the Arch container's newly-created builder UID, this chown -R leaves the mounted checkout, including .git, owned by the container user after Docker exits. The later artifact/publish steps only read the rendered files, but checkout's post-job cleanup still has to update the repository metadata and can fail with permission denied, causing the manual publish workflow to fail after rendering. Create builder with the mounted workspace UID or chown the workspace back before leaving the container.
| validate_pkgver() { | ||
| case "$1" in | ||
| ""|*[-:[:space:]]*) |
This is an auto review done by revuto.
This validation still allows shell metacharacters even though the value is later emitted as an unquoted pkgver=__PKGVER__ assignment in the PKGBUILD and makepkg --printsrcinfo sources that file. For example, a workflow-dispatch pkgver like 1$(id>/tmp/aur-pkgver) contains no hyphen, colon, or whitespace, so it passes here; the command substitution is then executed when makepkg reads the rendered PKGBUILD. Please switch this to an allowlist for Arch pkgver characters (for example alnum plus ._+) or otherwise render the value so it cannot be evaluated as shell syntax.
Thanks again for working on this and for being willing to address the review feedback. Sorry for closing the PR without a clearer note after you had already put time into it.

For now we decided not to merge the AUR packaging workflow, mostly because we want to keep the supported package/update paths narrower until the AUR support and its maintenance expectations are clearer. This does not mean the idea is rejected permanently; we may come back to AUR support later, and your work here will be useful context if we do.

I appreciate the contribution and the validation you did.
Summary

Adds an AUR packaging path alongside the existing local pacman package builder.
- codex-desktop-linux
- scripts/aur/render-aur-package.sh plus make aur and make aur-srcinfo

Closes #402

The AUR package builds from the upstream repository source URL, https://github.com/ilysenko/codex-desktop-linux. This PR does not change codex-update-manager; it only omits the updater from the AUR package payload so Arch users update through pacman/AUR helpers instead.

How maintainers publish to AUR after merge

Publishing is not automatic until the workflow is run manually with publish=true.
- Create the AUR package repository once, if it does not already exist: the first successful workflow push can populate the empty AUR Git repository with PKGBUILD, .SRCINFO, and codex-desktop-linux.install.
- Add an SSH private key that can push to the AUR package as the AUR_SSH_PRIVATE_KEY GitHub Actions secret. The matching public key must be registered on the maintainer's AUR account.
- Optionally add AUR_KNOWN_HOSTS. If omitted, the workflow runs ssh-keyscan aur.archlinux.org during setup.
- Open GitHub Actions in this repository and run Publish AUR Package manually with publish set to true.
- Optionally set pkgver for a specific package version. If omitted, the workflow uses a UTC timestamp in YYYY.MM.DD.HHMMSS format.
- Optionally set source_ref for a specific commit, tag, or branch. If omitted, the workflow uses the workflow run's commit SHA. The workflow resolves this value to a full commit SHA before rendering PKGBUILD.

The workflow keeps the GitHub source archive and DMG checksums as SKIP, while computing checksums for declared runtime archives when publish=true. GitHub-generated source archives can be regenerated with different compressed bytes, and the Codex DMG is consumed from the stable upstream download URL. Package freshness is handled by rerunning the publish workflow for a new AUR revision. The AUR build now declares the large runtime archives that already have installer override hooks: managed Node, Electron, and Browser Use node_repl on x86_64. The remaining networked part is npm rebuild inputs for native modules; making those source-declared would require a larger npm/cache mode outside this PR.

Validation
- bash -n install.sh
- bash -n scripts/aur/render-aur-package.sh
- make aur-srcinfo AUR_PKGVER=2026.06.05
- AUR_SOURCE_REF=refs/tags/v1 AUR_PKGVER=2026.06.05 ./scripts/aur/render-aur-package.sh fails with the expected full-SHA validation error
- makepkg -si --needed --noconfirm
- pacman -U dist/aur/codex-desktop-linux-2026.06.05-1-x86_64.pkg.tar.zst after removing the previous codex-desktop package