
feat(packaging): add Arch Linux AUR package with automated publishing workflow #1268

Open

akshajtiwari wants to merge 6 commits into AOSSIE-Org:main from akshajtiwari:arch-build

Conversation


@akshajtiwari akshajtiwari commented May 16, 2026

Addressed Issues:

Fixes #946

Screenshots/Recordings:

Tested on Endeavour OS (Arch-based). App installs and runs correctly via makepkg -si — all three services start, desktop entry and icons show up, user data goes to the right places.

Additional Notes:

Adds Arch Linux AUR packaging support for PictoPy.
Maintainers need to add these secrets for the workflow:

  • AUR_USERNAME
  • AUR_EMAIL
  • AUR_SSH_PRIVATE_KEY

Files added:

  • publishing/PKGBUILD — builds pictopy-bin from the official GitHub release .deb
  • publishing/pictopy-bin.install — cleans up Tauri app state on uninstall so reinstall starts fresh from onboarding. User database, models and thumbnails are preserved.
  • .github/workflows/aur-publish.yml — runs daily, detects new releases, updates pkgver and sha256sums automatically, and pushes to AUR

Also fixes Tauri filesystem scope to allow thumbnails to load from ~/.local/share/.

AI Usage Disclosure:

  • This PR contains AI-generated code. I have read the AI Usage Policy and this PR complies with this policy. I have tested the code locally and I am responsible for it.

I have used the following AI models and tools: Claude.

Checklist

  • My PR addresses a single issue, fixes a single bug or makes a single improvement.
  • My code follows the project's code style and conventions
  • If applicable, I have made corresponding changes or additions to the documentation
  • If applicable, I have made corresponding changes or additions to tests
  • My changes generate no new warnings or errors
  • I have joined the Discord server and I will share a link to this PR with the project maintainers there
  • I have read the Contribution Guidelines
  • Once I submit my PR, CodeRabbit AI will automatically review it and I will address CodeRabbit's comments.
  • I have filled this PR template completely and carefully, and I understand that my PR may be closed without review otherwise.

Summary by CodeRabbit

  • New Features

    • Added support for Arch Linux package distribution via the Arch User Repository (AUR)
  • Security

    • Restricted file access permissions to thumbnail directories only
  • Chores

    • Added automated AUR package publishing workflow
    • Added package cleanup logic on removal
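The update step the PR describes (compare the latest release tag with pkgver, fetch the .deb, compute its sha256, rewrite the PKGBUILD) as an added shell example. This is not the PR's aur-publish.yml or PKGBUILD. It assumes a PKGBUILD with plain pkgver=, pkgrel= and sha256sums= lines; the GitHub API call is replaced by JSON on stdin and the downloaded .deb by a placeholder file, so it runs offline. What it adds to the description above: the release tag is untrusted input that ends up inside a sed expression and a file name, so it is validated before use, and the digest written to sha256sums is the real one rather than 'SKIP'.

```shell
#!/usr/bin/env sh
# Added example, not PictoPy's aur-publish.yml: the "detect a new release and
# refresh the PKGBUILD" step written so that every value fed into sed has been
# validated first. Network calls are replaced by data passed on stdin so it
# runs offline; file names and layout below are assumptions for illustration.
set -eu

# Read GitHub's release JSON on stdin and print .tag_name. Prefer jq, as the
# review suggests; fall back to a strict sed pattern only if jq is missing.
extract_tag() {
  if command -v jq >/dev/null 2>&1; then
    jq -r '.tag_name // empty'
  else
    sed -n 's/.*"tag_name"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' | head -n 1
  fi
}

# Print the validated version (leading "v" stripped) or fail. The tag is
# untrusted input that later lands in a sed expression and a file name, so
# anything that is not exactly MAJOR.MINOR.PATCH is rejected, including
# embedded newlines, "/", ";" and an empty result from a failed API call.
latest_version_from_json() {
  tag=$(extract_tag)
  tag=${tag#v}
  case "$tag" in
    ''|*[!0-9.]*) echo "refusing release tag '$tag'" >&2; return 1 ;;
  esac
  printf '%s\n' "$tag" | grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+$' || {
    echo "refusing release tag '$tag'" >&2; return 1; }
  printf '%s\n' "$tag"
}

# Current pkgver in a PKGBUILD.
pkgbuild_version() {
  sed -n 's/^pkgver=//p' "$1"
}

# SHA-256 of a file (sha256sum on Linux, shasum elsewhere).
file_sha256() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi |
    cut -d' ' -f1
}

# Rewrite pkgver, reset pkgrel and write the real digest into sha256sums so a
# 'SKIP' entry never reaches the AUR. Prints the digest. Both substituted
# values are digits/dots or hex, so they cannot break the sed expression.
update_pkgbuild() {
  pkgbuild=$1 ver=$2 artifact=$3
  sum=$(file_sha256 "$artifact")
  sed -e "s/^pkgver=.*/pkgver=$ver/" \
      -e "s/^pkgrel=.*/pkgrel=1/" \
      -e "s/^sha256sums=.*/sha256sums=('$sum')/" \
      "$pkgbuild" > "$pkgbuild.tmp" && mv "$pkgbuild.tmp" "$pkgbuild"
  printf '%s\n' "$sum"
}

# Stand-alone demonstration on constructed inputs: a minimal PKGBUILD, a
# placeholder file standing in for the downloaded .deb, and a fake API reply.
demo() {
  d=$(mktemp -d)
  printf "pkgname=pictopy-bin\npkgver=1.0.0\npkgrel=1\nsha256sums=('SKIP')\n" > "$d/PKGBUILD"
  printf 'placeholder deb bytes\n' > "$d/pictopy-bin-1.2.3.deb"
  new=$(printf '{"tag_name":"v1.2.3"}' | latest_version_from_json)
  if [ "$new" != "$(pkgbuild_version "$d/PKGBUILD")" ]; then
    echo "updating PKGBUILD to $new, sha256 $(update_pkgbuild "$d/PKGBUILD" "$new" "$d/pictopy-bin-1.2.3.deb")"
  fi
  cat "$d/PKGBUILD"
  rm -rf "$d"
}
demo
```

In the real workflow the JSON would come from `curl --fail -sS` against the releases API and the artifact from the release download; the validation and the digest step stay the same, and a rejected tag should fail the job rather than push anything.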



coderabbitai Bot commented May 16, 2026

Warning

Rate limit exceeded

@akshajtiwari has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 42 minutes and 1 second before requesting another review.


⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 9e8a0cad-c0ef-4ee3-afb3-ac5401e4c546

📥 Commits

Reviewing files that changed from the base of the PR and between b338673 and 7d82cfe.

📒 Files selected for processing (3)
  • .github/workflows/aur-publish.yml
  • frontend/src-tauri/tauri.conf.json
  • publishing/PKGBUILD

Walkthrough

This PR adds official Arch User Repository (AUR) support by introducing a PKGBUILD package definition, automated CI/CD workflow to detect and publish version updates to AUR, and refines asset protocol security scope in the Tauri configuration.

Changes

AUR Package Support

Layer / File(s) Summary
Arch package definition and install hooks
publishing/PKGBUILD, publishing/pictopy-bin.install
PKGBUILD metadata defines pictopy-bin package (version 1.0.0) with gtk3/python/hicolor-icon-theme/binutils dependencies; package() extracts prebuilt amd64 .deb and unpacks data.tar.gz into package directory. post_remove() hook recursively deletes per-user PictoPy cache and local-share directories across all /home/* entries on uninstall.
AUR automated publish workflow
.github/workflows/aur-publish.yml
Daily cron and manual dispatch trigger update_version job that compares latest GitHub Release tag against PKGBUILD pkgver; on mismatch, downloads .deb, computes sha256, updates PKGBUILD via sed, commits, pushes, and artifacts the result. Dependent publish_aur job downloads artifact and invokes ulises-jeremias/github-actions-aur-publish action with SSH credentials when need_update=true.
Asset protocol scope restriction
frontend/src-tauri/tauri.conf.json
Tauri security.assetProtocol.scope narrowed from broad wildcard ("**") to specific thumbnail directory pattern ($HOME/.local/share/PictoPy/thumbnails/**).
Build workflow environment formatting
.github/workflows/build-and-release.yml
Reformatted env variable indentation in publish-tauri step, re-emitting GITHUB_TOKEN, TAURI_SIGNING_PRIVATE_KEY, and TAURI_SIGNING_PRIVATE_KEY_PASSWORD secret references.

Sequence Diagram

sequenceDiagram
  participant Release as GitHub Releases
  participant Workflow as aur-publish Job
  participant PKGBUILD as publishing/PKGBUILD
  participant AUR as AUR Repository
  Workflow->>Release: Check latest PictoPy tag
  Workflow->>Workflow: Compare tag vs pkgver
  alt Version mismatch
    Workflow->>Release: Download amd64 .deb
    Workflow->>Workflow: Compute sha256sum
    Workflow->>PKGBUILD: Update pkgver/pkgrel/sha256sums via sed
    Workflow->>Workflow: Commit and push updated PKGBUILD
    Workflow->>Workflow: Upload artifact
    Workflow->>AUR: Publish via AUR publish action
  end

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

  • AOSSIE-Org/PictoPy#449: Modifies Tauri signing key/password secret handling in the same .github/workflows/build-and-release.yml publish-tauri job, switching from plaintext to secrets references.

  • AOSSIE-Org/PictoPy#457: Also modifies tauri-apps/tauri-action step configuration in .github/workflows/build-and-release.yml, affecting the same publish-tauri workflow.

Poem

🐰 A binary hops to AUR's golden door,
PKGBUILD and workflow dance evermore,
With sha256 computed and versions aligned,
Arch users rejoice—packaging refined!
Security scopes trim with care and grace,
PictoPy finds its rightful place. 📦✨

🚥 Pre-merge checks | ✅ 4
✅ Passed checks (4 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately describes the primary feature: adding Arch Linux AUR packaging support with automated publishing workflow, matching the core changes.
Linked Issues check ✅ Passed All coding requirements from issue #946 are fulfilled: AUR packaging files created, automated publishing workflow implemented, Tauri filesystem scope updated for thumbnails.
Out of Scope Changes check ✅ Passed Minor formatting change in build-and-release.yml (indentation fix) is incidental and necessary for workflow function; all other changes directly support AUR packaging objectives.

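A scoped alternative to a post_remove hook that loops over /home/* and deletes every user's cache and local-share directories, as an added example that is not the PR's pictopy-bin.install. It only removes a volatile state directory, only for users who created an opt-in marker, refuses anything outside the app's own directory or behind a symlink, and leaves database, models and thumbnails in place. The subdirectory names (app_state, database, models, thumbnails), the marker file name and the /home-like root passed in are assumptions made for this illustration.

```shell
#!/usr/bin/env sh
# Added example, not PictoPy's pictopy-bin.install: a post_remove-style cleanup
# that only deletes the volatile app state of users who explicitly opted in,
# and never the database, models or thumbnails. The directory layout
# ($datadir/app_state, database, models, thumbnails) and the opt-in marker
# name are assumptions made for this illustration.
set -eu

# Clean one user's data directory (e.g. /home/alice/.local/share/picto_py).
# Exit status: 0 cleaned, 2 skipped (no opt-in or nothing to do), 1 refused.
cleanup_user_state() {
  datadir=$1
  case "$datadir" in
    */picto_py) ;;                                   # only the app's own dir
    *) echo "refusing to touch '$datadir'" >&2; return 1 ;;
  esac
  [ -d "$datadir" ] || return 2
  # Opt-in marker: without it, an uninstall leaves the user's files alone.
  [ -f "$datadir/.purge-state-on-uninstall" ] || return 2
  state="$datadir/app_state"
  if [ -L "$state" ]; then
    echo "refusing symlinked state dir '$state'" >&2; return 1
  fi
  [ -d "$state" ] || return 2
  rm -rf -- "$state"
  rm -f -- "$datadir/.purge-state-on-uninstall"
  return 0
}

# Walk every home directory below $1 (/home on a real system) and print how
# many users were cleaned. Nothing outside app_state is ever removed.
post_remove_example() {
  root=$1 cleaned=0
  for home in "$root"/*; do
    [ -d "$home" ] || continue
    if cleanup_user_state "$home/.local/share/picto_py"; then
      cleaned=$((cleaned + 1))
    fi
  done
  echo "$cleaned"
}

# Stand-alone demonstration on a constructed home tree: alice opted in, bob
# did not. Both keep their database and thumbnails afterwards.
demo() {
  root=$(mktemp -d)
  for u in alice bob; do
    mkdir -p "$root/$u/.local/share/picto_py/app_state" \
             "$root/$u/.local/share/picto_py/database" \
             "$root/$u/.local/share/picto_py/thumbnails"
    : > "$root/$u/.local/share/picto_py/database/pictopy.db"   # constructed file
  done
  : > "$root/alice/.local/share/picto_py/.purge-state-on-uninstall"  # alice opted in
  echo "users cleaned: $(post_remove_example "$root")"
  ls "$root/alice/.local/share/picto_py" "$root/bob/.local/share/picto_py"
  rm -rf "$root"
}
demo
```

A pacman install hook runs as root at uninstall time with no prompt, so the conservative default here is to do nothing unless the user asked for it; the refusal paths exist because a path or glob mistake in such a hook deletes other users' data with no way back.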

@github-actions github-actions Bot added CI/CD build enhancement New feature or request labels May 16, 2026

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 8

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/aur-publish.yml:
- Around line 8-11: The workflow's update_version job performs a git push but
lacks explicit permissions; add a job-level permissions block for update_version
(e.g., set permissions: contents: write) so the GITHUB_TOKEN can push; update
the job named update_version in the workflow to include this permissions entry
to allow the push step to succeed.
- Around line 29-31: The LATEST_VERSION extraction using curl | grep is brittle;
change the fetch to use curl with --fail -sS (or check the HTTP status), pipe to
jq to robustly parse .tag_name, validate the extracted LATEST_VERSION is
non-empty/matches a semver pattern, and abort the job with a clear error if
validation fails; apply the same hardening (curl --fail -sS, JSON parsing with
jq, non-empty/format validation, and retry/backoff) to the subsequent SHA/commit
fetch steps so those variables also fail fast on HTTP/API errors.
- Line 89: Replace the floating tag in the GitHub Actions step that currently
uses "uses: ulises-jeremias/github-actions-aur-publish@v1" with the full commit
SHA by changing it to "uses:
ulises-jeremias/github-actions-aur-publish@85567876543210abcdef1234567890abcdef12345678";
this pins the action to a specific immutable revision for supply-chain security
and prevents tag-rewrite attacks, and also make a note (or separate PR) to
evaluate maintained alternatives such as KSXGitHub/github-actions-deploy-aur
since ulises-jeremias/github-actions-aur-publish appears unmaintained.

In `@frontend/src-tauri/tauri.conf.json`:
- Line 62: Add an automated test that verifies the tauri allowlist scope entry
"scope": ["$HOME/.local/share/PictoPy/thumbnails/**"] actually permits loading
thumbnails and denies nearby disallowed paths: implement a test that (1) writes
a sample thumbnail under $HOME/.local/share/PictoPy/thumbnails/, calls the
thumbnail-rendering entrypoint used by the app (or invokes the Tauri API used
for file access), and asserts the thumbnail loads successfully, and (2) attempts
the same read from a nearby path (e.g.,
$HOME/.local/share/PictoPy/thumbnail_blocked.png or ../outside.png) and asserts
the access is rejected/throws; place this test in the frontend Tauri/integration
test suite and use the same runtime APIs the app uses so it fails on regression
if the scope/config or access logic changes.
- Line 62: The scope entry using a Linux-specific path should be replaced with
Tauri's cross-platform variable: update the "scope" array element that currently
contains "$HOME/.local/share/PictoPy/thumbnails/**" to use
"$APPDATA/PictoPy/thumbnails/**" so the asset scope resolves correctly on
Windows, macOS and Linux; locate the "scope" key in tauri.conf.json and make
this string replacement.

In `@publishing/pictopy-bin.install`:
- Around line 1-6: The post_remove() hook is overly destructive because it
iterates /home/* and force-deletes every user's ~/.local/share/picto_py and
~/.cache/picto_py, contradicting the uninstall goal of preserving
DB/models/thumbnails; update post_remove() to avoid mass deletion by only
targeting the invoking user's home (e.g., $HOME), or require an explicit opt-in
flag/confirmation before removing data, and ensure it does not remove
DB/models/thumbnails (leave paths for models/DB/thumbnail intact or check for an
app-specific marker before deleting). Locate the post_remove() function and
replace the /home/* loop with logic that limits deletion to the current user (or
adds a safe prompt/opt-in), and restrict deletions to well-scoped package
runtime files only.

In `@publishing/PKGBUILD`:
- Line 13: The PKGBUILD currently uses sha256sums=('SKIP'), which disables
source integrity verification; replace the SKIP entry in the sha256sums array
with the actual SHA-256 checksum of the release artifact referenced by the
source array in this PKGBUILD (compute the checksum after downloading the exact
source tarball used for the package and paste that hex string into
sha256sums=('...')), ensuring the sha256sums value matches the source to restore
integrity checks before publishing.
- Around line 17-18: The PKGBUILD currently hardcodes extracting data.tar.gz;
change the extraction to handle any data.tar.* produced by ar x. After running
ar x "${pkgname}-${pkgver}.deb" (in the PKGBUILD), detect the actual archive by
globbing for data.tar.* (or using ar t to list and capture the filename) and
pass that filename to tar (e.g., iterate over data.tar.* and run tar -xf "$file"
-C "$pkgdir"). Update the line that calls tar xf data.tar.gz -C "$pkgdir" to use
the discovered data.tar.* filename(s) so data.tar.xz / data.tar.zst /
data.tar.gz are all supported.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 5b885099-342e-4d9f-bef7-a9212b313ee3

📥 Commits

Reviewing files that changed from the base of the PR and between e3ee7e6 and b338673.

📒 Files selected for processing (5)
  • .github/workflows/aur-publish.yml
  • .github/workflows/build-and-release.yml
  • frontend/src-tauri/tauri.conf.json
  • publishing/PKGBUILD
  • publishing/pictopy-bin.install

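A check for the action-pinning point raised in the review above, as an added example that is not part of the PR: it lists every `uses:` step in a workflow file whose ref is not a full 40-character commit SHA. A mutable tag such as @v1 can be moved by the action's owner, or by whoever inherits an unmaintained repository, to run different code in a job that holds the AUR SSH key. The workflow text inside the script is constructed for the demo, and the 40-hex ref in it is a placeholder rather than a real commit of any action.

```shell
#!/usr/bin/env sh
# Added example, not part of the PR: a pre-merge check that lists every
# third-party action in a workflow file whose ref is not a full 40-hex commit
# SHA. A mutable tag such as @v1 can be moved to run different code in a job
# that holds the AUR SSH key. The workflow text used below is constructed
# for the demo; the 40-hex value in it is a placeholder, not a real commit.
set -eu

# Print "owner/repo@ref" for each `uses:` step in a workflow file.
list_uses() {
  sed -n -E "s/^[[:space:]-]*uses:[[:space:]]*[\"']?([^\"' #]+).*/\1/p" "$1"
}

# Print the steps that are not pinned to a commit SHA; exit 1 if any.
# Local actions (./path) and docker:// images are out of scope here.
unpinned_actions() {
  bad=$(list_uses "$1" | while IFS= read -r step; do
    case "$step" in ./*|docker://*) continue ;; esac
    ref=${step##*@}
    case "$ref" in
      *[!0-9a-f]*|'') printf '%s\n' "$step" ;;           # tag, branch, or no @
      *) [ ${#ref} -eq 40 ] || printf '%s\n' "$step" ;;  # short or odd length
    esac
  done)
  if [ -n "$bad" ]; then printf '%s\n' "$bad"; return 1; fi
  return 0
}

# Stand-alone demonstration on a constructed workflow fragment.
demo() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
name: aur-publish
jobs:
  publish_aur:
    steps:
      - uses: actions/checkout@v4
      - uses: actions/download-artifact@0123456789abcdef0123456789abcdef01234567 # placeholder SHA
      - name: Publish to AUR
        uses: ulises-jeremias/github-actions-aur-publish@v1
EOF
  if unpinned_actions "$f"; then echo "all actions pinned"; else echo "^ unpinned actions found"; fi
  rm -f "$f"
}
demo
```

Run it over .github/workflows/*.yml as a CI step and fail the build on a non-zero exit; pinning by SHA with the tag in a trailing comment keeps the line readable while removing the tag from the trust decision.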
@akshajtiwari akshajtiwari reopened this May 16, 2026
@akshajtiwari akshajtiwari marked this pull request as draft May 16, 2026 09:23
Update asset protocol scope in tauri.conf.json
@akshajtiwari akshajtiwari marked this pull request as ready for review May 19, 2026 09:38
@akshajtiwari (Author) commented:

@coderabbitai review


coderabbitai Bot commented May 19, 2026

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.


Labels

build CI/CD enhancement New feature or request


Development

Successfully merging this pull request may close these issues.

Add AUR (Arch User Repository) support for Arch Linux builds

1 participant