feat(packaging): add Arch Linux AUR package with automated publishing workflow#1268

Merged
rahulharpal1603 merged 8 commits into
AOSSIE-Org:mainfrom
akshajtiwari:arch-build
May 22, 2026

Conversation

@akshajtiwari
Contributor

@akshajtiwari akshajtiwari commented May 16, 2026

Addressed Issues:

Fixes #946

Screenshots/Recordings:

Tested on Endeavour OS (Arch-based). App installs and runs correctly via makepkg -si — all three services start, desktop entry and icons show up, user data goes to the right places.

Additional Notes:

Adds Arch Linux AUR packaging support for PictoPy.
Maintainers need to add these secrets for the workflow:

  • AUR_USERNAME
  • AUR_EMAIL
  • AUR_SSH_PRIVATE_KEY

Files added:

  • publishing/PKGBUILD — builds pictopy-bin from the official GitHub release .deb
  • publishing/pictopy-bin.install — cleans up Tauri app state on uninstall so reinstall starts fresh from onboarding. User database, models and thumbnails are preserved.
  • .github/workflows/aur-publish.yml — runs daily, detects new releases, updates pkgver and sha256sums automatically, and pushes to AUR

Also fixes Tauri filesystem scope to allow thumbnails to load from ~/.local/share/.

AI Usage Disclosure:

  • This PR contains AI-generated code. I have read the AI Usage Policy and this PR complies with this policy. I have tested the code locally and I am responsible for it.

I have used the following AI models and tools: Claude.

Checklist

  • My PR addresses a single issue, fixes a single bug or makes a single improvement.
  • My code follows the project's code style and conventions
  • If applicable, I have made corresponding changes or additions to the documentation
  • If applicable, I have made corresponding changes or additions to tests
  • My changes generate no new warnings or errors
  • I have joined the Discord server and I will share a link to this PR with the project maintainers there
  • I have read the Contribution Guidelines
  • Once I submit my PR, CodeRabbit AI will automatically review it and I will address CodeRabbit's comments.
  • I have filled this PR template completely and carefully, and I understand that my PR may be closed without review otherwise.

Summary by CodeRabbit

  • New Features

    • Added support for distributing the app via Arch Linux (AUR) binary packages, including packaging and installation behavior.
  • Security

    • Scoped app file access to include explicit thumbnail directories (platform-specific) while retaining broader fallback.
  • Chores

    • Added automated workflow to detect new releases and publish AUR updates.
    • Added install/remove hooks to clean up per-user app data on package removal.

@coderabbitai
Contributor

coderabbitai Bot commented May 16, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: e10b67bb-d6e0-4097-8890-e70b510c3a61

📥 Commits

Reviewing files that changed from the base of the PR and between 24b523a and 83eb6d3.

📒 Files selected for processing (1)
  • frontend/src-tauri/tauri.conf.json

Walkthrough

Adds Arch packaging (PKGBUILD + install hook), a GitHub Actions workflow to detect release updates and publish pictopy-bin to AUR, adjusts Tauri asset scope to include thumbnail directories, and applies a small YAML formatting change in the build workflow.

Changes

AUR Package Support

Layer / File(s) Summary
Arch package definition and install hooks
publishing/PKGBUILD, publishing/pictopy-bin.install
PKGBUILD metadata for pictopy-bin (source: GitHub Release .deb) and package() that extracts the .deb contents into the package tree; post_remove() removes per-user PictoPy cache and local-share directories.
AUR workflow: check and update PKGBUILD
.github/workflows/aur-publish.yml
update_version job checks GitHub Releases for latest tag, compares with publishing/PKGBUILD pkgver, downloads matching amd64 .deb, computes sha256, updates pkgver/pkgrel/sha256sums, commits/pushes the PKGBUILD change, and uploads publishing/PKGBUILD + publishing/pictopy-bin.install artifact when an update is needed.
AUR workflow: gated publish job
.github/workflows/aur-publish.yml
publish_aur job runs only when need_update=true, downloads the artifact and invokes the AUR deploy action with AUR_USERNAME, AUR_EMAIL, and AUR_SSH_PRIVATE_KEY, using v<latest_version> as the commit message and updpkgsums: false.
Tauri assetProtocol.scope update
frontend/src-tauri/tauri.conf.json
security.assetProtocol.scope expanded from ["**"] to include platform-specific thumbnail directory globs ($HOME/.local/share/PictoPy/thumbnails/**, $HOME/Library/Application Support/PictoPy/thumbnails/**) plus the existing catch-all.
Build workflow env formatting
.github/workflows/build-and-release.yml
Reformatted env block in publish-tauri step; same secret-backed variables (GITHUB_TOKEN, TAURI_SIGNING_PRIVATE_KEY, TAURI_SIGNING_PRIVATE_KEY_PASSWORD).

Sequence Diagram

sequenceDiagram
  participant Releases as GitHub Releases
  participant Workflow as aur-publish (update_version)
  participant PKGBUILD as publishing/PKGBUILD
  participant ArtifactStorage as Actions Artifact
  participant AUR as AUR Publish Action
  Releases->>Workflow: Query latest PictoPy tag
  Workflow->>Workflow: Compare tag vs PKGBUILD pkgver
  alt Version mismatch
    Workflow->>Releases: Download PictoPy_<version>_amd64.deb
    Workflow->>Workflow: Compute sha256sum
    Workflow->>PKGBUILD: Update pkgver/pkgrel/sha256sums
    Workflow->>Workflow: Commit and push PKGBUILD
    Workflow->>ArtifactStorage: Upload PKGBUILD + install artifact
    AUR->>ArtifactStorage: Download artifact (publish_aur)
    AUR->>AUR: Create AUR commit using AUR credentials and v<latest_version>
  end

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~40 minutes

Possibly related PRs

  • AOSSIE-Org/PictoPy#449: Modifies Tauri signing key/password secret handling in the same .github/workflows/build-and-release.yml publish-tauri job.

Poem

🐰 I found a PKGBUILD in the glen,
I hashed the bytes and pushed again,
Thumbnails guarded, secrets kept tight,
AUR doors opened in the moonlight,
Hopping updates—pack and send delight.

🚥 Pre-merge checks | ✅ 4
✅ Passed checks (4 passed)
Check name | Status | Explanation
Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled.
Title check | ✅ Passed | The title accurately describes the main changes: adding Arch Linux AUR packaging support and an automated publishing workflow.
Linked Issues check | ✅ Passed | All coding requirements from issue #946 are met: PKGBUILD for AUR packaging, automated publishing workflow, Tauri scope adjustment for thumbnails, and installation/uninstallation support.
Out of Scope Changes check | ✅ Passed | All changes directly support AUR packaging objectives; only incidental formatting adjustment in build-and-release.yml is present but related to the overall release infrastructure.


@github-actions github-actions Bot added CI/CD build enhancement New feature or request labels May 16, 2026
Contributor

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 8

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/aur-publish.yml:
- Around line 8-11: The workflow's update_version job performs a git push but
lacks explicit permissions; add a job-level permissions block for update_version
(e.g., set permissions: contents: write) so the GITHUB_TOKEN can push; update
the job named update_version in the workflow to include this permissions entry
to allow the push step to succeed.
- Around line 29-31: The LATEST_VERSION extraction using curl | grep is brittle;
change the fetch to use curl with --fail -sS (or check the HTTP status), pipe to
jq to robustly parse .tag_name, validate the extracted LATEST_VERSION is
non-empty/matches a semver pattern, and abort the job with a clear error if
validation fails; apply the same hardening (curl --fail -sS, JSON parsing with
jq, non-empty/format validation, and retry/backoff) to the subsequent SHA/commit
fetch steps so those variables also fail fast on HTTP/API errors.
- Line 89: Replace the floating tag in the GitHub Actions step that currently
uses "uses: ulises-jeremias/github-actions-aur-publish@v1" with the full commit
SHA by changing it to "uses:
ulises-jeremias/github-actions-aur-publish@85567876543210abcdef1234567890abcdef12345678";
this pins the action to a specific immutable revision for supply-chain security
and prevents tag-rewrite attacks, and also make a note (or separate PR) to
evaluate maintained alternatives such as KSXGitHub/github-actions-deploy-aur
since ulises-jeremias/github-actions-aur-publish appears unmaintained.

In `@frontend/src-tauri/tauri.conf.json`:
- Line 62: Add an automated test that verifies the tauri allowlist scope entry
"scope": ["$HOME/.local/share/PictoPy/thumbnails/**"] actually permits loading
thumbnails and denies nearby disallowed paths: implement a test that (1) writes
a sample thumbnail under $HOME/.local/share/PictoPy/thumbnails/, calls the
thumbnail-rendering entrypoint used by the app (or invokes the Tauri API used
for file access), and asserts the thumbnail loads successfully, and (2) attempts
the same read from a nearby path (e.g.,
$HOME/.local/share/PictoPy/thumbnail_blocked.png or ../outside.png) and asserts
the access is rejected/throws; place this test in the frontend Tauri/integration
test suite and use the same runtime APIs the app uses so it fails on regression
if the scope/config or access logic changes.
- Line 62: The scope entry using a Linux-specific path should be replaced with
Tauri's cross-platform variable: update the "scope" array element that currently
contains "$HOME/.local/share/PictoPy/thumbnails/**" to use
"$APPDATA/PictoPy/thumbnails/**" so the asset scope resolves correctly on
Windows, macOS and Linux; locate the "scope" key in tauri.conf.json and make
this string replacement.

In `@publishing/pictopy-bin.install`:
- Around line 1-6: The post_remove() hook is overly destructive because it
iterates /home/* and force-deletes every user's ~/.local/share/picto_py and
~/.cache/picto_py, contradicting the uninstall goal of preserving
DB/models/thumbnails; update post_remove() to avoid mass deletion by only
targeting the invoking user's home (e.g., $HOME), or require an explicit opt-in
flag/confirmation before removing data, and ensure it does not remove
DB/models/thumbnails (leave paths for models/DB/thumbnail intact or check for an
app-specific marker before deleting). Locate the post_remove() function and
replace the /home/* loop with logic that limits deletion to the current user (or
adds a safe prompt/opt-in), and restrict deletions to well-scoped package
runtime files only.

In `@publishing/PKGBUILD`:
- Line 13: The PKGBUILD currently uses sha256sums=('SKIP'), which disables
source integrity verification; replace the SKIP entry in the sha256sums array
with the actual SHA-256 checksum of the release artifact referenced by the
source array in this PKGBUILD (compute the checksum after downloading the exact
source tarball used for the package and paste that hex string into
sha256sums=('...')), ensuring the sha256sums value matches the source to restore
integrity checks before publishing.
- Around line 17-18: The PKGBUILD currently hardcodes extracting data.tar.gz;
change the extraction to handle any data.tar.* produced by ar x. After running
ar x "${pkgname}-${pkgver}.deb" (in the PKGBUILD), detect the actual archive by
globbing for data.tar.* (or using ar t to list and capture the filename) and
pass that filename to tar (e.g., iterate over data.tar.* and run tar -xf "$file"
-C "$pkgdir"). Update the line that calls tar xf data.tar.gz -C "$pkgdir" to use
the discovered data.tar.* filename(s) so data.tar.xz / data.tar.zst /
data.tar.gz are all supported.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 5b885099-342e-4d9f-bef7-a9212b313ee3

📥 Commits

Reviewing files that changed from the base of the PR and between e3ee7e6 and b338673.

📒 Files selected for processing (5)
  • .github/workflows/aur-publish.yml
  • .github/workflows/build-and-release.yml
  • frontend/src-tauri/tauri.conf.json
  • publishing/PKGBUILD
  • publishing/pictopy-bin.install
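The update_version logic the walkthrough describes (compare the latest tag with pkgver, hash the artifact, rewrite pkgver/pkgrel/sha256sums), done with the fail-fast validation and no-SKIP checksum the review above asks for, as an added shell example. It is not the PR's workflow or PKGBUILD code; it assumes a PKGBUILD with a single-element sha256sums array and runs on a constructed PKGBUILD with a placeholder file standing in for the .deb.

```shell
#!/usr/bin/env bash
# Added example, not code from the PictoPy repository: the fail-fast core of an
# AUR "update_version" step. Validates the release tag, never writes
# sha256sums=('SKIP'), and rewrites pkgver/pkgrel/sha256sums in a PKGBUILD.
# Assumption: the PKGBUILD has a single-element sha256sums array.
set -eu

# Accept only tags shaped like v1.2.3 or 1.2.3 and print the bare version.
# Anything else (e.g. "latest", or an empty value from a failed API call) is rejected.
normalize_version() {
  local tag="${1#v}"
  printf '%s\n' "$tag" | grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+$' || return 1
  printf '%s\n' "$tag"
}

# Read pkgver from a PKGBUILD with sed instead of sourcing it: a PKGBUILD is
# shell, so sourcing it would execute whatever the file contains.
current_pkgver() {
  sed -n 's/^pkgver=\([^[:space:]]*\).*/\1/p' "$1" | head -n 1
}

# Prints "update" when the release tag differs from the packaged version.
needs_update() {
  local pkgbuild="$1" tag="$2" latest
  latest="$(normalize_version "$tag")"
  if [ "$latest" = "$(current_pkgver "$pkgbuild")" ]; then
    echo current
  else
    echo update
  fi
}

# Rewrite pkgver, reset pkgrel to 1 and pin sha256sums to the artifact's hash.
# A missing artifact is a hard error; the integrity check is never skipped.
update_pkgbuild() {
  local pkgbuild="$1" tag="$2" artifact="$3" version sum
  version="$(normalize_version "$tag")"
  [ -f "$artifact" ] || { echo "artifact not found: $artifact" >&2; return 1; }
  sum="$(sha256sum "$artifact" | cut -d' ' -f1)"
  sed -e "s/^pkgver=.*/pkgver=${version}/" \
      -e "s/^pkgrel=.*/pkgrel=1/" \
      -e "s/^sha256sums=.*/sha256sums=('${sum}')/" \
      "$pkgbuild" > "$pkgbuild.tmp" && mv "$pkgbuild.tmp" "$pkgbuild"
  # Confirm the rewrite took effect rather than trusting sed silently.
  grep -qx "pkgver=${version}" "$pkgbuild" &&
    grep -qx "sha256sums=('${sum}')" "$pkgbuild"
}

# Demo on a constructed PKGBUILD and a placeholder file in place of the .deb.
demo() {
  local dir
  dir="$(mktemp -d)"
  cat > "$dir/PKGBUILD" <<'EOF'
pkgname=pictopy-bin
pkgver=0.9.0
pkgrel=3
sha256sums=('SKIP')
EOF
  printf 'placeholder, not a real .deb\n' > "$dir/PictoPy_1.0.0_amd64.deb"
  needs_update "$dir/PKGBUILD" v1.0.0                            # update
  update_pkgbuild "$dir/PKGBUILD" v1.0.0 "$dir/PictoPy_1.0.0_amd64.deb"
  needs_update "$dir/PKGBUILD" v1.0.0                            # current
  normalize_version latest || echo "rejected malformed tag: latest"
  cat "$dir/PKGBUILD"
  rm -rf "$dir"
}

demo
```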

@akshajtiwari akshajtiwari reopened this May 16, 2026
@akshajtiwari akshajtiwari marked this pull request as draft May 16, 2026 09:23
Update asset protocol scope in tauri.conf.json
@akshajtiwari akshajtiwari marked this pull request as ready for review May 19, 2026 09:38
@akshajtiwari
Contributor Author

@coderabbitai review

@coderabbitai
Contributor

coderabbitai Bot commented May 19, 2026

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

Comment out the scheduled cron job for AUR publishing
Contributor

@rahulharpal1603 rahulharpal1603 left a comment


Thanks @akshajtiwari!

Contributor

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 2

🧹 Nitpick comments (1)
.github/workflows/aur-publish.yml (1)

7-8: 💤 Low value

Consider scoping contents: write to the update_version job only.

Only the update_version job performs git push (line 68). Scoping permissions to the job level reduces the attack surface if other jobs are added later.

♻️ Suggested change
 on:
   # schedule:
   #   - cron: '0 0 * * *'
   workflow_dispatch:
-permissions: 
-  contents: write

 jobs:
   update_version:
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
     outputs:
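Review bot: Dropping the top-level permissions block leaves publish_aur on the repository's default GITHUB_TOKEN permissions, which may still be read/write depending on repository settings; adding an explicit top-level `permissions: contents: read` alongside the job-level `contents: write` on update_version makes the least-privilege intent hold regardless of that default (publish_aur pushes over SSH with AUR_SSH_PRIVATE_KEY, so it needs no token write access). Note also that the context lines show `schedule:` and the `cron` entry commented out, so the workflow runs only on workflow_dispatch and the daily release detection described in the PR description is not active until that trigger is restored.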
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/aur-publish.yml around lines 7 - 8, Top-level permission
"contents: write" should be scoped to the specific job that needs to push (the
update_version job); remove or change the repo-level "permissions: contents:
write" to a safer default (e.g., read-only or remove) and add a job-level block
under the update_version job with "permissions: contents: write" so only
update_version can push, leaving other jobs with no write access.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/aur-publish.yml:
- Line 94: The AUR deploy step references pkgbuild: ./PKGBUILD but the uploaded
artifact lives under publishing/, so update the deploy configuration referenced
by the AUR action (the pkgbuild: entry in the deploy job) to point to the
uploaded location (publishing/PKGBUILD) or change the upload artifact layout to
place PKGBUILD at the repo root; specifically edit the deploy job's pkgbuild key
to use publishing/PKGBUILD so the action can find the uploaded PKGBUILD and
pictopy-bin.install files.

In `@frontend/src-tauri/tauri.conf.json`:
- Around line 62-66: The scope array currently includes a catch-all entry
"\"**\"" which makes the explicit thumbnail paths
("$HOME/.local/share/PictoPy/thumbnails/**" and "$HOME/Library/Application
Support/PictoPy/thumbnails/**") redundant; decide whether you intend to restrict
access to only those thumbnail directories or to allow full filesystem access:
if you want restriction, remove the "\"**\"" entry from the "scope" array so
only the two thumbnail paths remain; if full access is intentional, remove the
explicit thumbnail entries (or add a clarifying comment/documentation) so the
configuration isn’t confusing while keeping the "\"**\"" entry in the "scope"
key.

---

Nitpick comments:
In @.github/workflows/aur-publish.yml:
- Around line 7-8: Top-level permission "contents: write" should be scoped to
the specific job that needs to push (the update_version job); remove or change
the repo-level "permissions: contents: write" to a safer default (e.g.,
read-only or remove) and add a job-level block under the update_version job with
"permissions: contents: write" so only update_version can push, leaving other
jobs with no write access.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 5b98d2d1-b571-4283-8324-dc7c6facab94

📥 Commits

Reviewing files that changed from the base of the PR and between b338673 and 24b523a.

📒 Files selected for processing (3)
  • .github/workflows/aur-publish.yml
  • frontend/src-tauri/tauri.conf.json
  • publishing/PKGBUILD

uses: KSXGitHub/github-actions-deploy-aur@v4.1.3
with:
pkgname: pictopy-bin
pkgbuild: ./PKGBUILD
Contributor


⚠️ Potential issue | 🔴 Critical | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify the artifact upload paths match the expected download structure
grep -A5 "Upload artifacts" .github/workflows/aur-publish.yml
echo "---"
echo "Files are uploaded from 'publishing/' subdirectory."
echo "download-artifact preserves directory structure, so files will be at ./publishing/*"

Repository: AOSSIE-Org/PictoPy

Length of output: 409


🏁 Script executed:

#!/bin/bash
set -euo pipefail

FILE=".github/workflows/aur-publish.yml"

echo "=== Upload artifacts block ==="
# Print around the upload step with enough context to include the full `path:` list
rg -n "name: PKGBUILD|Upload artifacts for publish job|actions/upload-artifact@v4" "$FILE"
python3 - <<'PY'
import pathlib, re
file = pathlib.Path(".github/workflows/aur-publish.yml")
lines = file.read_text().splitlines()
# find upload-artifact section
for i,l in enumerate(lines):
    if "Upload artifacts for publish job" in l:
        start=max(0,i-5); end=min(len(lines), i+40)
        for j in range(start,end):
            print(f"{j+1:4d}:{lines[j]}")
        break
else:
    print("Upload block not found")
PY

echo
echo "=== Download artifacts block ==="
python3 - <<'PY'
import pathlib
file = pathlib.Path(".github/workflows/aur-publish.yml")
lines = file.read_text().splitlines()
for i,l in enumerate(lines):
    if "download-artifact" in l or "actions/download-artifact" in l or "Download artifacts" in l:
        start=max(0,i-5); end=min(len(lines), i+60)
        for j in range(start,end):
            print(f"{j+1:4d}:{lines[j]}")
        break
else:
    print("Download block not found")
PY

echo
echo "=== pkgbuild line ==="
python3 - <<'PY'
import pathlib, re
file = pathlib.Path(".github/workflows/aur-publish.yml")
for i,l in enumerate(file.read_text().splitlines(), start=1):
    if re.search(r"\bpkgbuild\s*:", l):
        print(f"{i}:{l}")
PY

Repository: AOSSIE-Org/PictoPy

Length of output: 2546


Fix AUR deploy pkgbuild path mismatch with uploaded artifact layout

The workflow uploads publishing/PKGBUILD (and publishing/pictopy-bin.install) but the AUR deploy step references pkgbuild: ./PKGBUILD, so the publish job will fail to find the PKGBUILD. (upload: lines 70-77, deploy: line 94)

🐛 Proposed fix
       - name: Publish to AUR
         uses: KSXGitHub/github-actions-deploy-aur@v4.1.3
         with:
           pkgname: pictopy-bin
-          pkgbuild: ./PKGBUILD
+          pkgbuild: ./publishing/PKGBUILD
           commit_username: ${{ secrets.AUR_USERNAME }}
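Review bot: `pkgbuild: ./publishing/PKGBUILD` is only right if the download-artifact step restores the upload's `publishing/` prefix into the workspace root with no custom `path:`; confirm the download step's destination matches, or the path shifts again and the deploy step fails the same way. Separately, `KSXGitHub/github-actions-deploy-aur@v4.1.3` is a tag pin; the earlier review asked for the AUR action to be pinned to a full commit SHA, and that request applies to this step as well since it handles AUR_SSH_PRIVATE_KEY.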
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/aur-publish.yml at line 94, The AUR deploy step references
pkgbuild: ./PKGBUILD but the uploaded artifact lives under publishing/, so
update the deploy configuration referenced by the AUR action (the pkgbuild:
entry in the deploy job) to point to the uploaded location (publishing/PKGBUILD)
or change the upload artifact layout to place PKGBUILD at the repo root;
specifically edit the deploy job's pkgbuild key to use publishing/PKGBUILD so
the action can find the uploaded PKGBUILD and pictopy-bin.install files.

Comment thread frontend/src-tauri/tauri.conf.json Outdated
Comment on lines +62 to +66
"scope": [
"$HOME/.local/share/PictoPy/thumbnails/**",
"**",
"$HOME/Library/Application Support/PictoPy/thumbnails/**"
],
Contributor


⚠️ Potential issue | 🟠 Major | ⚡ Quick win

The "**" wildcard makes the explicit paths redundant.

The catch-all "**" pattern already grants access to all filesystem paths, so the explicit thumbnail directory entries ($HOME/.local/share/PictoPy/thumbnails/** and $HOME/Library/Application Support/PictoPy/thumbnails/**) have no functional effect.

If the intent is to restrict access to only thumbnail directories for security, remove the "**" entry:

        "scope": [
-        "$HOME/.local/share/PictoPy/thumbnails/**",
-        "**",
-        "$HOME/Library/Application Support/PictoPy/thumbnails/**"
+          "$HOME/.local/share/PictoPy/thumbnails/**",
+          "$HOME/Library/Application Support/PictoPy/thumbnails/**"
        ],
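Review bot: The two `+` lines are indented two spaces deeper than the `-` lines they replace, so applying the suggestion as written changes the array's indentation relative to the surrounding `"scope": [` and `],` lines; align them with the removed entries. Before dropping `"**"`, check whether the frontend loads any asset-protocol paths outside the two thumbnail directories, because once the catch-all is gone those reads are denied at runtime rather than caught at build time.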

If "**" is intentionally kept for other asset access needs, please clarify that intent and consider documenting it—or remove the now-redundant explicit paths to avoid confusion.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@frontend/src-tauri/tauri.conf.json` around lines 62 - 66, The scope array
currently includes a catch-all entry "\"**\"" which makes the explicit thumbnail
paths ("$HOME/.local/share/PictoPy/thumbnails/**" and "$HOME/Library/Application
Support/PictoPy/thumbnails/**") redundant; decide whether you intend to restrict
access to only those thumbnail directories or to allow full filesystem access:
if you want restriction, remove the "\"**\"" entry from the "scope" array so
only the two thumbnail paths remain; if full access is intentional, remove the
explicit thumbnail entries (or add a clarifying comment/documentation) so the
configuration isn’t confusing while keeping the "\"**\"" entry in the "scope"
key.

@rahulharpal1603 rahulharpal1603 merged commit 8cef6e0 into AOSSIE-Org:main May 22, 2026
10 checks passed

Labels

build CI/CD enhancement New feature or request

Development

Successfully merging this pull request may close these issues.

Add AUR (Arch User Repository) support for Arch Linux builds
