diff --git a/.github/workflows/aur.yml b/.github/workflows/aur.yml index 994bcd5..cfc19de 100644 --- a/.github/workflows/aur.yml +++ b/.github/workflows/aur.yml @@ -22,7 +22,7 @@ jobs: steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - - uses: KSXGitHub/github-actions-deploy-aur@2ac5a4c1d7035885d46b10e3193393be8460b6f1 # v4.1.1 + - uses: KSXGitHub/github-actions-deploy-aur@da03e160361ce01bf087e790b6ffd196d7dccff7 # v4.1.3 with: pkgname: rdc-cli-git pkgbuild: aur/PKGBUILD @@ -69,7 +69,7 @@ jobs: sed -i "s/^pkgver=.*/pkgver=${VERSION}/" aur/stable/PKGBUILD sed -i "s/'PLACEHOLDER'/'${SHA256}'/" aur/stable/PKGBUILD - - uses: KSXGitHub/github-actions-deploy-aur@2ac5a4c1d7035885d46b10e3193393be8460b6f1 # v4.1.1 + - uses: KSXGitHub/github-actions-deploy-aur@da03e160361ce01bf087e790b6ffd196d7dccff7 # v4.1.3 with: pkgname: rdc-cli pkgbuild: aur/stable/PKGBUILD diff --git a/openspec/changes/2026-05-17-fix-aur-deploy-action-v413/proposal.md b/openspec/changes/2026-05-17-fix-aur-deploy-action-v413/proposal.md new file mode 100644 index 0000000..3872ba1 --- /dev/null +++ b/openspec/changes/2026-05-17-fix-aur-deploy-action-v413/proposal.md @@ -0,0 +1,101 @@ +# Fix AUR Deploy Action Pin: v4.1.1 → v4.1.3 + +## Problem + +### Symptom + +`AUR Publish` workflow run 26001352704, job `Publish rdc-cli (stable)`, failed on +the v0.5.5 tag with: + +``` +bash: --command: invalid option +``` + +The job exited before `/build.sh` ran. The `aur-git` job was not triggered (it +fires on branch push only). The v0.5.5 PyPI release and GitHub Release were +already shipped; the AUR `rdc-cli` package was not updated. + +### Root cause + +Both jobs pin +`KSXGitHub/github-actions-deploy-aur@2ac5a4c1d7035885d46b10e3193393be8460b6f1` +(v4.1.1). That action's `entrypoint.sh` ends with: + +```sh +exec runuser builder --command 'bash -l -c /build.sh' +``` + +With the `util-linux` `runuser` binary now present in the current `archlinux:base` +Docker image, the `--command` flag is parsed as an option to `bash` (su(1)-compat +syntax passes the argument onward), and bash has no `--command` option. The process +crashes before `/build.sh` ever runs. + +This latent bug existed in v3.0.1 through v4.1.1 of the action. Earlier workflow +runs on v0.5.2/v0.5.3 were green because the then-current `archlinux:base` image +did not expose the issue. A recent Arch base image update surfaced it. + +### Why `post_process: git checkout -B master` is innocent + +`build.sh` (which clones the AUR repo, evaluates `$post_process`, commits, and +force-pushes to AUR master) is byte-identical across v4.1.1, v4.1.2, and v4.1.3. +The crash happens in `entrypoint.sh` before `build.sh` is ever invoked, so +`post_process` was never reached and plays no role in the failure. + +### Fix-forward context + +The v0.5.5 PyPI package and GitHub Release are already published and cannot be +retracted. The only outstanding item is the AUR `rdc-cli` package backfill, which +requires a successful workflow run for version 0.5.5. + +## Solution + +Bump the action pin on **both** jobs in `.github/workflows/aur.yml`: + +| Location | Current | After | +|---|---|---| +| Line 25, job `aur-git` | `2ac5a4c1d7035885d46b10e3193393be8460b6f1 # v4.1.1` | `da03e160361ce01bf087e790b6ffd196d7dccff7 # v4.1.3` | +| Line 72, job `aur-stable` | `2ac5a4c1d7035885d46b10e3193393be8460b6f1 # v4.1.1` | `da03e160361ce01bf087e790b6ffd196d7dccff7 # v4.1.3` | + +All other inputs on both jobs (`force_push: true`, `post_process: git checkout -B +master`, `pkgname`, `pkgbuild`, credential secrets) remain unchanged. + +v4.1.3 fixes `entrypoint.sh` to: + +```sh +exec runuser -u builder -- bash -l /build.sh +``` + +This is the POSIX-correct `runuser` invocation that does not pass arguments to +bash. v4.1.2 used `runuser -u builder -- bash -l -c /build.sh` (also correct); +v4.1.3 drops the redundant `-c`. + +## Why the bump is safe with respect to #183 and #184 + +The `post_process: git checkout -B master` input (PR #183, detached-HEAD fix) and +`force_push: true` input (PR #184) are passed to `build.sh` as environment +variables, not to `entrypoint.sh`. Because `build.sh` is byte-identical across +v4.1.1, v4.1.2, and v4.1.3, both fixes are fully preserved by this pin bump. + +## Residual risk + +The action uses `FROM archlinux:base` with no image digest pin. A future update to +the Arch base image could introduce a different incompatibility regardless of the +action tag. This is inherent to the action's design; no mitigation is proposed +here beyond monitoring workflow runs after future Arch base image refreshes. + +## Spec delta + +There is no existing spec in `openspec/specs/` covering AUR publishing or CI +release workflows. No spec delta applies. + +## Post-merge backfill (operational, not a code change) + +After this PR merges, manually trigger `AUR Publish` via `workflow_dispatch` with +input `version=0.5.5`. The `aur-stable` job will: +1. Normalize version → `0.5.5` +2. Checkout `refs/tags/v0.5.5` (already exists) +3. `curl` the tarball and compute sha256 +4. Patch `aur/stable/PKGBUILD` +5. Deploy to AUR via the fixed action + +This is the acceptance gate for this change. diff --git a/openspec/changes/2026-05-17-fix-aur-deploy-action-v413/tasks.md b/openspec/changes/2026-05-17-fix-aur-deploy-action-v413/tasks.md new file mode 100644 index 0000000..4f1ccd9 --- /dev/null +++ b/openspec/changes/2026-05-17-fix-aur-deploy-action-v413/tasks.md @@ -0,0 +1,12 @@ +# Tasks: AUR Deploy Action Pin v4.1.1 → v4.1.3 + +- [ ] Opus review of `proposal.md` and `test-plan.md`; revise as needed +- [ ] `.github/workflows/aur.yml` line 25: bump action pin from `2ac5a4c1d7035885d46b10e3193393be8460b6f1 # v4.1.1` to `da03e160361ce01bf087e790b6ffd196d7dccff7 # v4.1.3` +- [ ] `.github/workflows/aur.yml` line 72: same pin bump (job `aur-stable`) +- [ ] Static checks: grep confirms new SHA appears exactly twice, old SHA absent, both jobs retain `force_push: true` and `post_process: git checkout -B master`, YAML parses cleanly +- [ ] Fresh review of the two-line diff +- [ ] Open PR targeting `master` +- [ ] After merge: trigger `AUR Publish` via `workflow_dispatch` with `version=0.5.5` +- [ ] Verify job `Publish rdc-cli (stable)` succeeds (no `bash: --command` crash) +- [ ] Verify AUR `rdc-cli` package shows `pkgver=0.5.5` +- [ ] Archive this OpenSpec folder diff --git a/openspec/changes/2026-05-17-fix-aur-deploy-action-v413/test-plan.md b/openspec/changes/2026-05-17-fix-aur-deploy-action-v413/test-plan.md new file mode 100644 index 0000000..293c130 --- /dev/null +++ b/openspec/changes/2026-05-17-fix-aur-deploy-action-v413/test-plan.md @@ -0,0 +1,34 @@ +# Test Plan: AUR Deploy Action Pin v4.1.1 → v4.1.3 + +There are no unit tests for a workflow YAML change. Verification is static +inspection followed by a live workflow run. + +## Static verification (pre-merge) + +1. **Pin appears exactly twice.** `grep` for + `da03e160361ce01bf087e790b6ffd196d7dccff7` in + `.github/workflows/aur.yml` returns exactly 2 lines, one per job. + +2. **Old pin is absent.** `grep` for `2ac5a4c1d7035885d46b10e3193393be8460b6f1` + or `v4.1.1` returns no matches. + +3. **Version comment is present on both lines.** Both occurrences of the new SHA + are followed by the comment `# v4.1.3`. + +4. **Preserved inputs — both jobs.** `grep` confirms both jobs retain: + - `force_push: true` + - `post_process: git checkout -B master` + +5. **YAML parses cleanly.** `python3 -c "import yaml, sys; yaml.safe_load(sys.stdin)" + < .github/workflows/aur.yml` exits 0. (The repo does not include actionlint or + yamllint; Python's yaml module is the available static check.) + +## Live verification (post-merge) + +6. **workflow_dispatch v0.5.5 succeeds.** Trigger `AUR Publish` via + `workflow_dispatch` with input `version=0.5.5`. Job `Publish rdc-cli (stable)` + must complete with a green check — specifically, the `entrypoint.sh` crash + (`bash: --command: invalid option`) must not appear. + +7. **AUR package updated.** After the dispatch run, the AUR `rdc-cli` package page + shows `pkgver=0.5.5`. This is the acceptance gate.