From 5669bae037c7369b681c9b88d627398bb6e3835b Mon Sep 17 00:00:00 2001 From: Anand Pant Date: Tue, 21 Apr 2026 09:02:50 -0500 Subject: [PATCH 1/4] feat: add meshix-cli-bin package --- README.md | 8 ++-- docs/setup.md | 17 ++++++--- meshix-cli-bin/.SRCINFO | 14 +++++++ meshix-cli-bin/PKGBUILD | 22 +++++++++++ meshix-cli-bin/meshix-cli-bin.install | 13 +++++++ osyrra-bin/.SRCINFO | 2 +- osyrra-bin/PKGBUILD | 4 +- scripts/update-meshix-cli-bin.sh | 54 +++++++++++++++++++++++++++ scripts/update-packages.sh | 10 ++++- scripts/validate-packages.sh | 6 +++ tabex-bin/.SRCINFO | 2 +- tabex-bin/PKGBUILD | 4 +- 12 files changed, 141 insertions(+), 15 deletions(-) create mode 100644 meshix-cli-bin/.SRCINFO create mode 100644 meshix-cli-bin/PKGBUILD create mode 100644 meshix-cli-bin/meshix-cli-bin.install create mode 100755 scripts/update-meshix-cli-bin.sh diff --git a/README.md b/README.md index 0c759d1..c274710 100644 --- a/README.md +++ b/README.md @@ -6,6 +6,7 @@ Arch Linux package definitions for SHPIT-maintained command-line tools. | Package | Upstream | Notes | |---|---|---| +| `meshix-cli-bin` | `shpitdev/meshix-observability` GitHub Releases | Public release assets. `makepkg` downloads the release tarball directly from GitHub Releases without any extra auth. | | `tabex-bin` | `shpitdev/tabex` GitHub Releases | Private release assets. The PKGBUILD is public, but `makepkg` needs GitHub access to the `shpitdev` org to download the release tarball. | | `osyrra-bin` | `shpitdev/osyrra` GitHub Releases | Private release assets. Same auth model as `tabex-bin`. | 
@@ -36,7 +37,8 @@ cd makepkg -si ``` -`gh auth login` must be configured with access to the `shpitdev` org before `makepkg` can download the private release assets. +`meshix-cli-bin` uses public release assets, so it does not need any GitHub auth. +`gh auth login` must still be configured with access to the `shpitdev` org before `makepkg` can download the private `tabex-bin` or `osyrra-bin` release assets. After installing `tabex-bin`, start with: @@ -50,12 +52,12 @@ The package includes an install hook that prints the same guidance after install - You can use this repo immediately without creating the AUR repositories or AUR secrets. - The scheduled/manual bump workflow uses the repository `GITHUB_TOKEN` for branch and PR operations in this repo. -- Without `SHPIT_GH_TOKEN`, the workflow skips the private package updates (both `tabex-bin` and `osyrra-bin` need it). +- Without `SHPIT_GH_TOKEN`, the workflow still updates `meshix-cli-bin` and skips the private package updates (`tabex-bin` and `osyrra-bin`). - Without AUR secrets, the publish workflow exits successfully without pushing anywhere. ## Secrets -- `SHPIT_GH_TOKEN` — required for GitHub Actions to refresh private SHPIT packages from their GitHub releases. +- `SHPIT_GH_TOKEN` — optional; required only for GitHub Actions to refresh the private SHPIT packages (`tabex-bin` and `osyrra-bin`) from their GitHub releases. - `AUR_USERNAME`, `AUR_EMAIL`, `AUR_SSH_PRIVATE_KEY` — optional until you actually want to publish to AUR. ## Local Auth diff --git a/docs/setup.md b/docs/setup.md index 6836434..42a69e8 100644 --- a/docs/setup.md +++ b/docs/setup.md 
@@ -16,9 +16,10 @@ Use this first. Result: - branch and PR creation use the repo `GITHUB_TOKEN` +- `meshix-cli-bin` updates from the public upstream release without any extra secret - `tabex-bin` and `osyrra-bin` update only if the repo has access to `SHPIT_GH_TOKEN` - AUR publishing is skipped without failing -- upstream `tabex` and `osyrra` release workflows can also trigger this workflow automatically with `gh workflow run version-bumps.yml`, but that depends on `SHPIT_WORKFLOW_DISPATCH_TOKEN` being available in their Depot CI repo secrets +- upstream `meshix-observability`, `tabex`, and `osyrra` release workflows can also trigger this workflow automatically with `gh workflow run version-bumps.yml`, but that depends on `SHPIT_WORKFLOW_DISPATCH_TOKEN` being available in their producer-repo Depot CI secrets ## GitHub UI Links @@ -28,7 +29,7 @@ Result: ## SHPIT_GH_TOKEN -Create the secret (org-level or repo-level) with access to read private releases on `shpitdev/tabex` and `shpitdev/osyrra`. An org-level secret with `selected` visibility is the cleanest option if you have multiple consuming repos. +Create the secret (org-level or repo-level) with access to read private releases on `shpitdev/tabex` and `shpitdev/osyrra`. An org-level secret with `selected` visibility is the cleanest option if you have multiple consuming repos. `meshix-cli-bin` does not need this secret because `shpitdev/meshix-observability` publishes public releases. Attach it to this repo with: 
@@ -50,12 +51,16 @@ Create a fine-grained PAT that can trigger workflow dispatches in: Store that PAT as the GitHub org secret `SHPIT_WORKFLOW_DISPATCH_TOKEN` with `selected` visibility for these producer repos: +- `shpitdev/meshix-observability` - `shpitdev/tabex` - `shpitdev/osyrra` Those producer release workflows run in Depot CI, so GitHub org secrets are not enough on their own. Mirror the same secret into Depot for each producer repo with one of these paths: ```bash +cd /home/anandpant/Development/shpitdev/meshix/meshix-observability +depot ci migrate secrets-and-vars -y + cd /home/anandpant/Development/shpitdev/tabex depot ci migrate secrets-and-vars -y @@ -66,6 +71,7 @@ depot ci migrate secrets-and-vars -y Or add the Depot secrets directly: ```bash +depot ci secrets add SHPIT_WORKFLOW_DISPATCH_TOKEN --repo shpitdev/meshix-observability depot ci secrets add SHPIT_WORKFLOW_DISPATCH_TOKEN --repo shpitdev/tabex depot ci secrets add SHPIT_WORKFLOW_DISPATCH_TOKEN --repo shpitdev/osyrra ``` @@ -79,7 +85,7 @@ If you are logged into GitHub locally with `gh auth login`, you can run: ./scripts/validate-packages.sh ``` -That uses your local GitHub CLI session for private release access. +That uses your local GitHub CLI session for private release access when a package needs it. `meshix-cli-bin` installs from the public GitHub release asset and does not need any extra GitHub auth. For `tabex-bin`, the package install hook now points users at: @@ -93,7 +99,7 @@ That is safe because `v0.0.4` is the first stable release that ships the source- When you are ready to publish to AUR: -1. Create the target AUR package repos (`tabex-bin`, `osyrra-bin`). +1. Create the target AUR package repos (`meshix-cli-bin`, `tabex-bin`, `osyrra-bin`). 2. Generate an SSH key that can push to those AUR repos. 3. Add these repo secrets: - `AUR_USERNAME` 
@@ -105,7 +111,8 @@ When you are ready to publish to AUR: ## Token Model - Same-repo automation uses the built-in `GITHUB_TOKEN`. -- Cross-repo private release access for `tabex-bin` and `osyrra-bin` needs a separate credential in Actions, because the workflow token is scoped to the repository that contains the workflow. +- `meshix-cli-bin` uses the public upstream release, so it does not need any extra release-read credential in Actions. +- Cross-repo private release access for `tabex-bin` and `osyrra-bin` still needs a separate credential in Actions, because the workflow token is scoped to the repository that contains the workflow. - Local runs can use your normal `gh auth login` session instead of any exported token. ## Recommended Follow-Up diff --git a/meshix-cli-bin/.SRCINFO b/meshix-cli-bin/.SRCINFO new file mode 100644 index 0000000..99d5126 --- /dev/null +++ b/meshix-cli-bin/.SRCINFO @@ -0,0 +1,14 @@ +pkgbase = meshix-cli-bin + pkgdesc = Meshix CLI for run inspection and generation workflows + pkgver = 0.0.1 + pkgrel = 1 + url = https://github.com/shpitdev/meshix-observability + install = meshix-cli-bin.install + arch = x86_64 + license = LicenseRef-proprietary + provides = meshix-cli + conflicts = meshix-cli + source = https://github.com/shpitdev/meshix-observability/releases/download/v0.0.1/meshix-cli_v0.0.1_linux_amd64.tar.gz + sha256sums = a6f8fa1b8c12fa8705bc508efe13b8f462c375016edee0683ceb577370ac1911 + +pkgname = meshix-cli-bin diff --git a/meshix-cli-bin/PKGBUILD b/meshix-cli-bin/PKGBUILD new file mode 100644 index 0000000..5638363 --- /dev/null +++ b/meshix-cli-bin/PKGBUILD 
@@ -0,0 +1,22 @@ +# Maintainer: Anand Pant + +pkgname=meshix-cli-bin +pkgver=0.0.1 +pkgrel=1 +pkgdesc="Meshix CLI for run inspection and generation workflows" +arch=('x86_64') +url="https://github.com/shpitdev/meshix-observability" +license=('LicenseRef-proprietary') +install="${pkgname}.install" +provides=('meshix-cli') +conflicts=('meshix-cli') + +_asset="meshix-cli_v${pkgver}_linux_amd64.tar.gz" +_sha256='a6f8fa1b8c12fa8705bc508efe13b8f462c375016edee0683ceb577370ac1911' +source=("${url}/releases/download/v${pkgver}/${_asset}") +sha256sums=("${_sha256}") + +package() { + install -Dm755 "meshix-cli_v${pkgver}_linux_amd64/meshix-cli" \ + "${pkgdir}/usr/bin/meshix-cli" +} diff --git a/meshix-cli-bin/meshix-cli-bin.install b/meshix-cli-bin/meshix-cli-bin.install new file mode 100644 index 0000000..5de5704 --- /dev/null +++ b/meshix-cli-bin/meshix-cli-bin.install @@ -0,0 +1,13 @@ +post_install() { + cat <<'EOF' +==> meshix-cli-bin: package-manager installs provide the stable meshix-cli command only. +==> Start with: +==> meshix-cli --help +==> +==> For a checkout-linked dev command, install meshix-cli-dev from a local checkout. +EOF +} + +post_upgrade() { + post_install +} diff --git a/osyrra-bin/.SRCINFO b/osyrra-bin/.SRCINFO index d6f4d64..fa93015 100644 --- a/osyrra-bin/.SRCINFO +++ b/osyrra-bin/.SRCINFO @@ -1,6 +1,6 @@ pkgbase = osyrra-bin pkgdesc = Osyrra silent email worker and operator TUI - pkgver = 0.0.2 + pkgver = 0.0.3 pkgrel = 1 url = https://github.com/shpitdev/osyrra arch = x86_64 diff --git a/osyrra-bin/PKGBUILD b/osyrra-bin/PKGBUILD index f6c9168..c232249 100644 --- a/osyrra-bin/PKGBUILD +++ b/osyrra-bin/PKGBUILD @@ -1,7 +1,7 @@ # Maintainer: Anand Pant pkgname=osyrra-bin -pkgver=0.0.2 +pkgver=0.0.3 pkgrel=1 pkgdesc="Osyrra silent email worker and operator TUI" arch=('x86_64') 
@@ -13,7 +13,7 @@ conflicts=('osyrra') # Public PKGBUILD, private release asset. Users need GitHub access to the shpitdev org. _asset="osyrra_v${pkgver}_linux_amd64.tar.gz" -_sha256='b169ace1b18d2be22a264f57524728d3f0985787558c8e2ba6796c0a80b81e71' +_sha256='0b2ba661104227faa1f4aff9579557633933544578d586abd5972f14802c810c' prepare() { gh release download "v${pkgver}" \ diff --git a/scripts/update-meshix-cli-bin.sh b/scripts/update-meshix-cli-bin.sh new file mode 100755 index 0000000..982a756 --- /dev/null +++ b/scripts/update-meshix-cli-bin.sh 
@@ -0,0 +1,54 @@ +#!/usr/bin/env bash +set -euo pipefail + +optional=false +if (($# > 1)); then + echo "usage: $0 [--optional]" >&2 + exit 1 +fi +if (($# == 1)); then + if [[ "$1" != "--optional" ]]; then + echo "usage: $0 [--optional]" >&2 + exit 1 + fi + optional=true +fi + +repo_root="$(cd -- "$(dirname -- "${BASH_SOURCE[0]}")/.." && pwd)" +pkgbuild="${repo_root}/meshix-cli-bin/PKGBUILD" +repo="shpitdev/meshix-observability" + +release_json="$(gh api "repos/${repo}/releases/latest")" +pkgver="$(jq -r '.tag_name | ltrimstr("v")' <<<"${release_json}")" +asset_json="$(jq -c ' + .assets + | map(select(.name | test("_linux_amd64\\.tar\\.gz$"))) + | first +' <<<"${release_json}")" +release_asset="$(jq -r '.name // empty' <<<"${asset_json}")" +sha256="$(jq -r '.digest // empty' <<<"${asset_json}")" + +if [[ -z "${release_asset}" || "${release_asset}" == "null" ]]; then + if [[ "${optional}" == "true" ]]; then + echo "Skipping meshix-cli-bin: latest release is missing a linux amd64 archive." >&2 + exit 0 + fi + echo "meshix-cli latest release is missing a linux amd64 archive" >&2 + exit 1 +fi + +if [[ -z "${sha256}" || "${sha256}" == "null" ]]; then + if [[ "${optional}" == "true" ]]; then + echo "Skipping meshix-cli-bin: latest release is missing an asset digest." >&2 + exit 0 + fi + echo "meshix-cli latest release is missing an asset digest" >&2 + exit 1 +fi + +sha256="${sha256#sha256:}" + +perl -0pi -e "s/^pkgver=.*/pkgver=${pkgver}/m" "${pkgbuild}" +perl -0pi -e "s/^_sha256=.*/_sha256='${sha256}'/m" "${pkgbuild}" + +"${repo_root}/scripts/render-srcinfo.sh" "${repo_root}/meshix-cli-bin" diff --git a/scripts/update-packages.sh b/scripts/update-packages.sh index 2d57fe9..a20f20c 100755 --- a/scripts/update-packages.sh +++ b/scripts/update-packages.sh 
@@ -8,13 +8,14 @@ if (($# == 0)); then fi if [[ "$1" == "auto" ]]; then - packages=() + packages=(meshix-cli-bin) if [[ -n "${SHPIT_GH_TOKEN:-}" || -z "${GITHUB_ACTIONS:-}" ]]; then packages+=(tabex-bin) packages+=(osyrra-bin) fi elif [[ "$1" == "all" ]]; then packages=( + meshix-cli-bin tabex-bin osyrra-bin ) @@ -24,6 +25,13 @@ fi for package in "${packages[@]}"; do case "${package}" in + meshix-cli-bin) + if [[ "$1" == "auto" ]]; then + "${repo_root}/scripts/update-meshix-cli-bin.sh" --optional + else + "${repo_root}/scripts/update-meshix-cli-bin.sh" + fi + ;; tabex-bin) if [[ "$1" == "auto" ]]; then "${repo_root}/scripts/update-tabex-bin.sh" --optional diff --git a/scripts/validate-packages.sh b/scripts/validate-packages.sh index 6912d17..3cf718f 100755 --- a/scripts/validate-packages.sh +++ b/scripts/validate-packages.sh @@ -9,6 +9,12 @@ for package_dir in "${repo_root}"/*; do "${repo_root}/scripts/validate-package.sh" "${package_dir}" done +meshix_pkg="${repo_root}/meshix-cli-bin" +if [[ -f "${meshix_pkg}/PKGBUILD" ]]; then + grep -q 'source=("${url}/releases/download/v${pkgver}/${_asset}")' "${meshix_pkg}/PKGBUILD" + grep -q 'meshix-cli-dev' "${meshix_pkg}/meshix-cli-bin.install" +fi + tabex_pkg="${repo_root}/tabex-bin" if [[ -f "${tabex_pkg}/PKGBUILD" ]]; then grep -q 'install="${pkgname}\.install"' "${tabex_pkg}/PKGBUILD" diff --git a/tabex-bin/.SRCINFO b/tabex-bin/.SRCINFO index 6710fb9..00b58ad 100644 --- a/tabex-bin/.SRCINFO +++ b/tabex-bin/.SRCINFO @@ -1,6 +1,6 @@ pkgbase = tabex-bin pkgdesc = Tabex CLI for browser session, capture, and page inspection - pkgver = 0.0.4 + pkgver = 0.0.5 pkgrel = 1 url = https://github.com/shpitdev/tabex install = tabex-bin.install diff --git a/tabex-bin/PKGBUILD b/tabex-bin/PKGBUILD index 6f60e37..1cfcc9d 100644 --- a/tabex-bin/PKGBUILD +++ b/tabex-bin/PKGBUILD 
@@ -1,7 +1,7 @@ # Maintainer: Anand Pant pkgname=tabex-bin -pkgver=0.0.4 +pkgver=0.0.5 pkgrel=1 pkgdesc="Tabex CLI for browser session, capture, and page inspection" arch=('x86_64') @@ -14,7 +14,7 @@ conflicts=('tabex') # Public PKGBUILD, private release asset. Users need GitHub access to the shpitdev org. _asset="tabex_v${pkgver}_linux_amd64.tar.gz" -_sha256='f6f3f2e5912ba985453a4ec4d97522a59ecbb4278a44135264303d96c4451e70' +_sha256='c29a17a401d8a478a3e8f77031e950d0d3bfab8e4bb07d9111a48ab341860c22' prepare() { gh release download "v${pkgver}" \ From d8f5b353b757488786d26306f52602b2e998eea5 Mon Sep 17 00:00:00 2001 From: Anand Pant Date: Tue, 21 Apr 2026 14:44:58 -0500 Subject: [PATCH 2/4] fix: use authenticated meshix package updates --- .github/workflows/version-bumps.yml | 7 +++++- README.md | 9 +++---- docs/setup.md | 10 +++----- meshix-cli-bin/.SRCINFO | 3 +-- meshix-cli-bin/PKGBUILD | 14 +++++++++-- scripts/update-meshix-cli-bin.sh | 38 +++++++++++++++++++++++++---- scripts/validate-packages.sh | 3 ++- 7 files changed, 62 insertions(+), 22 deletions(-) diff --git a/.github/workflows/version-bumps.yml b/.github/workflows/version-bumps.yml index ba01442..dd06371 100644 --- a/.github/workflows/version-bumps.yml +++ b/.github/workflows/version-bumps.yml @@ -2,6 +2,10 @@ name: version-bumps on: workflow_dispatch: + inputs: + meshix_cli_version: + description: Optional Meshix CLI release tag to pin for this run (for example v0.0.2) + required: false schedule: - cron: '23 6 * * *' @@ -17,6 +21,7 @@ jobs: env: GH_TOKEN: ${{ github.token }} SHPIT_GH_TOKEN: ${{ secrets.SHPIT_GH_TOKEN }} + MESHIX_CLI_VERSION: ${{ github.event.inputs.meshix_cli_version || '' }} UPDATE_BRANCH: automation/version-bumps steps: - name: Install updater dependencies 
@@ -51,7 +56,7 @@ jobs: if: ${{ steps.detect.outputs.changed == 'true' }} run: | git checkout -B "${UPDATE_BRANCH}" - git add README.md docs scripts .github/workflows tabex-bin osyrra-bin + git add README.md docs scripts .github/workflows meshix-cli-bin tabex-bin osyrra-bin git commit -m "chore(pkgbuilds): bump package versions" git push --force --set-upstream origin "${UPDATE_BRANCH}" diff --git a/README.md b/README.md index c274710..49475f4 100644 --- a/README.md +++ b/README.md @@ -6,7 +6,7 @@ Arch Linux package definitions for SHPIT-maintained command-line tools. | Package | Upstream | Notes | |---|---|---| -| `meshix-cli-bin` | `shpitdev/meshix-observability` GitHub Releases | Public release assets. `makepkg` downloads the release tarball directly from GitHub Releases without any extra auth. | +| `meshix-cli-bin` | `shpitdev/meshix-observability` GitHub Releases | Private release assets. Same auth model as `tabex-bin` and `osyrra-bin`. | | `tabex-bin` | `shpitdev/tabex` GitHub Releases | Private release assets. The PKGBUILD is public, but `makepkg` needs GitHub access to the `shpitdev` org to download the release tarball. | | `osyrra-bin` | `shpitdev/osyrra` GitHub Releases | Private release assets. Same auth model as `tabex-bin`. | @@ -37,8 +37,7 @@ cd makepkg -si ``` -`meshix-cli-bin` uses public release assets, so it does not need any GitHub auth. -`gh auth login` must still be configured with access to the `shpitdev` org before `makepkg` can download the private `tabex-bin` or `osyrra-bin` release assets. +`gh auth login` must be configured with access to the `shpitdev` org before `makepkg` can download the private `meshix-cli-bin`, `tabex-bin`, or `osyrra-bin` release assets. After installing `tabex-bin`, start with: 
@@ -52,12 +51,12 @@ The package includes an install hook that prints the same guidance after install - You can use this repo immediately without creating the AUR repositories or AUR secrets. - The scheduled/manual bump workflow uses the repository `GITHUB_TOKEN` for branch and PR operations in this repo. -- Without `SHPIT_GH_TOKEN`, the workflow still updates `meshix-cli-bin` and skips the private package updates (`tabex-bin` and `osyrra-bin`). +- Without `SHPIT_GH_TOKEN`, the workflow skips the private package updates (`meshix-cli-bin`, `tabex-bin`, and `osyrra-bin`). - Without AUR secrets, the publish workflow exits successfully without pushing anywhere. ## Secrets -- `SHPIT_GH_TOKEN` — optional; required only for GitHub Actions to refresh the private SHPIT packages (`tabex-bin` and `osyrra-bin`) from their GitHub releases. +- `SHPIT_GH_TOKEN` — optional; required for GitHub Actions to refresh the private SHPIT packages (`meshix-cli-bin`, `tabex-bin`, and `osyrra-bin`) from their GitHub releases. - `AUR_USERNAME`, `AUR_EMAIL`, `AUR_SSH_PRIVATE_KEY` — optional until you actually want to publish to AUR. ## Local Auth diff --git a/docs/setup.md b/docs/setup.md index 42a69e8..5972ad8 100644 --- a/docs/setup.md +++ b/docs/setup.md @@ -16,8 +16,7 @@ Use this first. Result: - branch and PR creation use the repo `GITHUB_TOKEN` -- `meshix-cli-bin` updates from the public upstream release without any extra secret -- `tabex-bin` and `osyrra-bin` update only if the repo has access to `SHPIT_GH_TOKEN` +- `meshix-cli-bin`, `tabex-bin`, and `osyrra-bin` update only if the repo has access to `SHPIT_GH_TOKEN` - AUR publishing is skipped without failing - upstream `meshix-observability`, `tabex`, and `osyrra` release workflows can also trigger this workflow automatically with `gh workflow run version-bumps.yml`, but that depends on `SHPIT_WORKFLOW_DISPATCH_TOKEN` being available in their producer-repo Depot CI secrets 
@@ -29,7 +28,7 @@ Result: ## SHPIT_GH_TOKEN -Create the secret (org-level or repo-level) with access to read private releases on `shpitdev/tabex` and `shpitdev/osyrra`. An org-level secret with `selected` visibility is the cleanest option if you have multiple consuming repos. `meshix-cli-bin` does not need this secret because `shpitdev/meshix-observability` publishes public releases. +Create the secret (org-level or repo-level) with access to read private releases on `shpitdev/meshix-observability`, `shpitdev/tabex`, and `shpitdev/osyrra`. An org-level secret with `selected` visibility is the cleanest option if you have multiple consuming repos. Attach it to this repo with: @@ -85,7 +84,7 @@ If you are logged into GitHub locally with `gh auth login`, you can run: ./scripts/validate-packages.sh ``` -That uses your local GitHub CLI session for private release access when a package needs it. `meshix-cli-bin` installs from the public GitHub release asset and does not need any extra GitHub auth. +That uses your local GitHub CLI session for private release access. For `tabex-bin`, the package install hook now points users at: @@ -111,8 +110,7 @@ When you are ready to publish to AUR: ## Token Model - Same-repo automation uses the built-in `GITHUB_TOKEN`. -- `meshix-cli-bin` uses the public upstream release, so it does not need any extra release-read credential in Actions. -- Cross-repo private release access for `tabex-bin` and `osyrra-bin` still needs a separate credential in Actions, because the workflow token is scoped to the repository that contains the workflow. +- Cross-repo private release access for `meshix-cli-bin`, `tabex-bin`, and `osyrra-bin` needs a separate credential in Actions, because the workflow token is scoped to the repository that contains the workflow. - Local runs can use your normal `gh auth login` session instead of any exported token. ## Recommended Follow-Up 
diff --git a/meshix-cli-bin/.SRCINFO b/meshix-cli-bin/.SRCINFO index 99d5126..4c11f3f 100644 --- a/meshix-cli-bin/.SRCINFO +++ b/meshix-cli-bin/.SRCINFO @@ -6,9 +6,8 @@ pkgbase = meshix-cli-bin install = meshix-cli-bin.install arch = x86_64 license = LicenseRef-proprietary + makedepends = github-cli provides = meshix-cli conflicts = meshix-cli - source = https://github.com/shpitdev/meshix-observability/releases/download/v0.0.1/meshix-cli_v0.0.1_linux_amd64.tar.gz - sha256sums = a6f8fa1b8c12fa8705bc508efe13b8f462c375016edee0683ceb577370ac1911 pkgname = meshix-cli-bin diff --git a/meshix-cli-bin/PKGBUILD b/meshix-cli-bin/PKGBUILD index 5638363..fb83cc1 100644 --- a/meshix-cli-bin/PKGBUILD +++ b/meshix-cli-bin/PKGBUILD @@ -8,13 +8,23 @@ arch=('x86_64') url="https://github.com/shpitdev/meshix-observability" license=('LicenseRef-proprietary') install="${pkgname}.install" +makedepends=('github-cli') provides=('meshix-cli') conflicts=('meshix-cli') +# Public PKGBUILD, private release asset. Users need GitHub access to the shpitdev org. _asset="meshix-cli_v${pkgver}_linux_amd64.tar.gz" _sha256='a6f8fa1b8c12fa8705bc508efe13b8f462c375016edee0683ceb577370ac1911' -source=("${url}/releases/download/v${pkgver}/${_asset}") -sha256sums=("${_sha256}") + +prepare() { + gh release download "v${pkgver}" \ + --repo shpitdev/meshix-observability \ + --pattern "${_asset}" \ + --dir . --clobber + + echo "${_sha256} ${_asset}" | sha256sum -c + tar xzf "${_asset}" +} package() { install -Dm755 "meshix-cli_v${pkgver}_linux_amd64/meshix-cli" \ diff --git a/scripts/update-meshix-cli-bin.sh b/scripts/update-meshix-cli-bin.sh index 982a756..05b81de 100755 --- a/scripts/update-meshix-cli-bin.sh +++ b/scripts/update-meshix-cli-bin.sh 
@@ -17,8 +17,36 @@ fi repo_root="$(cd -- "$(dirname -- "${BASH_SOURCE[0]}")/.." && pwd)" pkgbuild="${repo_root}/meshix-cli-bin/PKGBUILD" repo="shpitdev/meshix-observability" +requested_version="${MESHIX_CLI_VERSION:-latest}" -release_json="$(gh api "repos/${repo}/releases/latest")" +resolve_release_json() { + local version="$1" + local endpoint + + if [[ -z "${version}" || "${version}" == "latest" ]]; then + endpoint="repos/${repo}/releases/latest" + else + if [[ "${version}" != v* ]]; then + version="v${version}" + fi + endpoint="repos/${repo}/releases/tags/${version}" + fi + + if [[ -n "${SHPIT_GH_TOKEN:-}" ]]; then + GH_TOKEN="${SHPIT_GH_TOKEN}" gh api "${endpoint}" + elif [[ -n "${GITHUB_ACTIONS:-}" ]]; then + if [[ "${optional}" == "true" ]]; then + echo "Skipping meshix-cli-bin: SHPIT_GH_TOKEN is not configured in GitHub Actions." >&2 + exit 0 + fi + echo "SHPIT_GH_TOKEN is required in GitHub Actions to read the private meshix-cli release." >&2 + exit 1 + else + gh api "${endpoint}" + fi +} + +release_json="$(resolve_release_json "${requested_version}")" pkgver="$(jq -r '.tag_name | ltrimstr("v")' <<<"${release_json}")" asset_json="$(jq -c ' .assets 
@@ -30,19 +58,19 @@ sha256="$(jq -r '.digest // empty' <<<"${asset_json}")" if [[ -z "${release_asset}" || "${release_asset}" == "null" ]]; then if [[ "${optional}" == "true" ]]; then - echo "Skipping meshix-cli-bin: latest release is missing a linux amd64 archive." >&2 + echo "Skipping meshix-cli-bin: release is missing a linux amd64 archive." >&2 exit 0 fi - echo "meshix-cli latest release is missing a linux amd64 archive" >&2 + echo "meshix-cli release is missing a linux amd64 archive" >&2 exit 1 fi if [[ -z "${sha256}" || "${sha256}" == "null" ]]; then if [[ "${optional}" == "true" ]]; then - echo "Skipping meshix-cli-bin: latest release is missing an asset digest." >&2 + echo "Skipping meshix-cli-bin: release is missing an asset digest." >&2 exit 0 fi - echo "meshix-cli latest release is missing an asset digest" >&2 + echo "meshix-cli release is missing an asset digest" >&2 exit 1 fi diff --git a/scripts/validate-packages.sh b/scripts/validate-packages.sh index 3cf718f..52f6978 100755 --- a/scripts/validate-packages.sh +++ b/scripts/validate-packages.sh @@ -11,7 +11,8 @@ done meshix_pkg="${repo_root}/meshix-cli-bin" if [[ -f "${meshix_pkg}/PKGBUILD" ]]; then - grep -q 'source=("${url}/releases/download/v${pkgver}/${_asset}")' "${meshix_pkg}/PKGBUILD" + grep -q 'gh release download "v${pkgver}"' "${meshix_pkg}/PKGBUILD" + grep -q 'install="${pkgname}\.install"' "${meshix_pkg}/PKGBUILD" grep -q 'meshix-cli-dev' "${meshix_pkg}/meshix-cli-bin.install" fi From 34a639512de3396b8c26000fada54b7f61cd1043 Mon Sep 17 00:00:00 2001 From: Anand Pant Date: Tue, 21 Apr 2026 14:47:13 -0500 Subject: [PATCH 3/4] fix: skip meshix package bumps without release access --- scripts/update-meshix-cli-bin.sh | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/scripts/update-meshix-cli-bin.sh b/scripts/update-meshix-cli-bin.sh index 05b81de..ceddf90 100755 --- a/scripts/update-meshix-cli-bin.sh +++ b/scripts/update-meshix-cli-bin.sh 
@@ -22,6 +22,7 @@ requested_version="${MESHIX_CLI_VERSION:-latest}" resolve_release_json() { local version="$1" local endpoint + local output="" if [[ -z "${version}" || "${version}" == "latest" ]]; then endpoint="repos/${repo}/releases/latest" @@ -33,7 +34,16 @@ resolve_release_json() { fi if [[ -n "${SHPIT_GH_TOKEN:-}" ]]; then - GH_TOKEN="${SHPIT_GH_TOKEN}" gh api "${endpoint}" + if output="$(GH_TOKEN="${SHPIT_GH_TOKEN}" gh api "${endpoint}" 2>/dev/null)"; then + printf '%s' "${output}" + return 0 + fi + if [[ -n "${GITHUB_ACTIONS:-}" && "${optional}" == "true" ]]; then + echo "Skipping meshix-cli-bin: SHPIT_GH_TOKEN does not currently grant release access to ${repo}." >&2 + exit 0 + fi + echo "SHPIT_GH_TOKEN could not read the private meshix-cli release in ${repo}." >&2 + exit 1 elif [[ -n "${GITHUB_ACTIONS:-}" ]]; then if [[ "${optional}" == "true" ]]; then echo "Skipping meshix-cli-bin: SHPIT_GH_TOKEN is not configured in GitHub Actions." >&2 From a6911f31a29a71b11d52d981b199d58c11a73bb2 Mon Sep 17 00:00:00 2001 From: Anand Pant Date: Tue, 21 Apr 2026 15:06:01 -0500 Subject: [PATCH 4/4] fix: tighten meshix package update guidance --- docs/setup.md | 2 +- scripts/update-meshix-cli-bin.sh | 13 +++++++++---- 2 files changed, 10 insertions(+), 5 deletions(-) diff --git a/docs/setup.md b/docs/setup.md index 5972ad8..f7555c2 100644 --- a/docs/setup.md +++ b/docs/setup.md @@ -117,5 +117,5 @@ When you are ready to publish to AUR: Replace the org-level token with a narrower machine credential when practical: -1. Create a dedicated machine user token with only the repo access needed for private release reads on `shpitdev/tabex` and `shpitdev/osyrra`. +1. Create a dedicated machine user token with only the repo access needed for private release reads on `shpitdev/meshix-observability`, `shpitdev/tabex`, and `shpitdev/osyrra`. 2. Or use a GitHub App installation token flow for the cleanest long-term setup. 
diff --git a/scripts/update-meshix-cli-bin.sh b/scripts/update-meshix-cli-bin.sh index ceddf90..0536784 100755 --- a/scripts/update-meshix-cli-bin.sh +++ b/scripts/update-meshix-cli-bin.sh @@ -40,23 +40,28 @@ resolve_release_json() { fi if [[ -n "${GITHUB_ACTIONS:-}" && "${optional}" == "true" ]]; then echo "Skipping meshix-cli-bin: SHPIT_GH_TOKEN does not currently grant release access to ${repo}." >&2 - exit 0 + printf '__SKIP__' + return 0 fi echo "SHPIT_GH_TOKEN could not read the private meshix-cli release in ${repo}." >&2 - exit 1 + return 1 elif [[ -n "${GITHUB_ACTIONS:-}" ]]; then if [[ "${optional}" == "true" ]]; then echo "Skipping meshix-cli-bin: SHPIT_GH_TOKEN is not configured in GitHub Actions." >&2 - exit 0 + printf '__SKIP__' + return 0 fi echo "SHPIT_GH_TOKEN is required in GitHub Actions to read the private meshix-cli release." >&2 - exit 1 + return 1 else gh api "${endpoint}" fi } release_json="$(resolve_release_json "${requested_version}")" +if [[ "${release_json}" == "__SKIP__" ]]; then + exit 0 +fi pkgver="$(jq -r '.tag_name | ltrimstr("v")' <<<"${release_json}")" asset_json="$(jq -c ' .assets
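Review bot: In PATCH 1/4, the two `perl -0pi` lines at the end of the new `scripts/update-meshix-cli-bin.sh` interpolate `${pkgver}` and `${sha256}` from the release JSON straight into a Perl substitution and into the PKGBUILD without checking their shape. A tag name containing `/`, `'`, `$` or `@` would break the expression or write unexpected text into a file that `makepkg` sources as shell, and `${sha256#sha256:}` leaves any other digest prefix in place. Validate both before writing, for example `[[ "${pkgver}" =~ ^[0-9]+(\.[0-9]+)*$ ]]` and `[[ "${sha256}" =~ ^[0-9a-f]{64}$ ]]`, and fail (or skip under `--optional`) when they do not match. The script also never touches `pkgrel`, so a version bump made after a `pkgrel` increase keeps the old release number.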
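Review bot: In PATCH 1/4, `docs/setup.md` hunk `@@ -50,12 +51,16 @@`, the added `cd /home/anandpant/Development/shpitdev/meshix/meshix-observability` is a path on one developer's machine and will not exist for other readers. Replace it with a placeholder path to the reader's own checkout, or point readers at the `depot ci secrets add SHPIT_WORKFLOW_DISPATCH_TOKEN --repo shpitdev/meshix-observability` form added a few lines below, which does not depend on a local directory.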
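Review bot: PATCH 1/4 also changes `pkgver` and `_sha256` in `osyrra-bin/PKGBUILD` (0.0.2 to 0.0.3) and `tabex-bin/PKGBUILD` (0.0.4 to 0.0.5), which the subject `feat: add meshix-cli-bin package` does not mention. A changed checksum pin is the one line in these files that decides which binary gets installed, so move the two bumps into their own commit where the new hashes can be reviewed and reverted independently of the new package.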
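Review bot: In PATCH 2/4, `meshix-cli-bin/PKGBUILD`, dropping `source=` and `sha256sums=` removes the pinned hash from `.SRCINFO`, which leaves the hand-written `echo "${_sha256} ${_asset}" | sha256sum -c` line in `prepare()` as the only integrity check on the downloaded tarball. Add a comment above `prepare()` saying so and stating that the check must stay ahead of `tar xzf`, so a later edit does not reorder or drop it. `--repo shpitdev/meshix-observability` also repeats what `url` already holds; deriving it with `${url#https://github.com/}` keeps the two from drifting.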
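Review bot: In PATCH 2/4, `scripts/validate-packages.sh`, the meshix checks assert the `gh release download "v${pkgver}"` and `install=` lines, but nothing asserts that checksum verification is still present. Because this same patch moves integrity checking out of `sha256sums` and into `prepare()`, add `grep -q 'sha256sum -c' "${meshix_pkg}/PKGBUILD"` and a check that the `_sha256=` value is 64 hex characters, so validation fails if the verification line is ever removed.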
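Review bot: In PATCH 2/4, `resolve_release_json` in `scripts/update-meshix-cli-bin.sh` places `${version}` into `repos/${repo}/releases/tags/${version}` after only a `v` prefix check, and that value comes from the free-text `meshix_cli_version` workflow input via `MESHIX_CLI_VERSION`. Reject anything that is not a plain tag before building the endpoint, for example with `[[ "${version}" =~ ^v[0-9]+(\.[0-9]+)*$ ]]`. The `exit 0` and `exit 1` calls inside the function also run in the `$(...)` subshell of `release_json="$(resolve_release_json ...)"`, so `exit 0` does not stop the script; return a status and let the caller decide.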
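Review bot: In PATCH 3/4, the `gh api "${endpoint}" 2>/dev/null` call discards the error text, so an expired token, a rate limit, a network failure and a mistyped `MESHIX_CLI_VERSION` tag all produce the same "does not currently grant release access" message, and under `--optional` in Actions every one of them exits 0. Capture stderr into a variable and print it with the message, and restrict the silent skip to the access-denied case so the scheduled run does not stay green while bumps have quietly stopped.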
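Review bot: In PATCH 4/4, `resolve_release_json` signals a skip by printing `__SKIP__` on the same stdout that otherwise carries the release JSON, and the caller compares the whole captured string against it with no comment explaining the convention. Signal the skip out of band instead, for example a dedicated return code captured with `release_json="$(resolve_release_json "${requested_version}")" || rc=$?`, so the data channel only ever holds JSON and the skip path cannot be confused with a response body. If the sentinel stays, document it next to the function.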