feat(aur): publish runner-run + runner-run-bin with shell completions

[kjanat]

Summary

• New release channel: AUR. Two packages, automated end-to-end.
  • runner-run — builds from source via cargo (x86_64, aarch64)
  • runner-run-bin — installs prebuilt release binaries (x86_64, aarch64, armv7h); provides/conflicts runner-run
• Both packages ship shell completions for bash, zsh, fish, and pwsh — bash/zsh/fish auto-load from canonical dirs, pwsh installed to /usr/share/runner/runner.ps1 for $PROFILE dot-sourcing.
• .github/workflows/aur-release.yml fires on release: published; gated behind the aur GitHub Environment so the SSH key is only readable from that job. Matrix runs both pkgs in parallel with fail-fast: false. Manual workflow_dispatch with dry-run toggle for validation.
• .github/scripts/publish/aur-prepare.sh rewrites pkgver/pkgrel and — for the -bin pkg — injects per-arch sha256sums_* read directly from the release's published .sha256 companion assets (updpkgsums on x86_64 CI can't compute aarch64/armv7h sums).
• Side sweep on this branch: pinned all third-party action uses: references in the existing release workflows to commit SHAs.

Implementation notes

runner completions <shell> is the only completion generator and emits a single stream covering both runner AND run, with the path of the invoking binary baked in via current_exe(). The PKGBUILDs handle both wrinkles inside package():

1. Generate the combined stream for each shell.
2. sed-rewrite the baked $srcdir path to /usr/bin/{runner,run}. Longer match first — …/run is a prefix of …/runner.
3. awk-split bash + zsh on their start-of-line boundaries (_clap_complete_run\(\) \{ for bash, #compdef run for zsh) so each command lands in its own autoload file. Fish and pwsh stay as one file.

Final installed surface per package:

Shell	Path	Mode
bash	/usr/share/bash-completion/completions/{runner,run}	autoload
zsh	/usr/share/zsh/site-functions/{_runner,_run}	autoload
fish	/usr/share/fish/vendor_completions.d/runner.fish	autoload
pwsh	/usr/share/runner/runner.ps1	manual . /usr/share/runner/runner.ps1

Test plan

• aur-prepare.sh exercised against live v0.12.0 release; injected sha256 sums byte-equal to published .sha256 assets for all three arches.
• runner-run-bin built locally with makepkg --nodeps --noconfirm → 6 completion files present at canonical paths, all baked paths rewritten to /usr/bin/{runner,run}, zero $srcdir residue.
• runner-run's package() block simulated against the working-tree binaries — identical outcome.
• bash -n, zsh -n, fish -n pass on their respective installed files.
• [Parser]::ParseFile (pwsh's reflected parser) passes on runner.ps1.
• namcap on the built -bin package: zero errors (residual warnings are the known false-positive Rust libgcc/glibc-stub linkage notes).
• actionlint clean on aur-release.yml; YAML parses; case() usage matches the convention of the three existing release workflows.
• First real publish — pending a future tagged release. Can dry-run sooner via Actions → aur-release → Run workflow with dry-run: true.

[coderabbitai]

📝 Walkthrough

Add AUR release channel with two packages, automated publishing, shell completions and CI hardening.

Introduce two AUR packages under aur/ and end-to-end automation to publish them from GitHub Releases:

• AUR packages

  • runner-run: builds from source via cargo (x86_64, aarch64). Implements prepare/build/check/package phases, produces and installs completions for bash, zsh, fish and PowerShell.
  • runner-run-bin: installs prebuilt GitHub release tarballs (x86_64, aarch64, armv7h); declares provides=('runner-run') and conflicts=('runner-run') so it can act as a drop-in replacement. Installs binaries, docs and the same completions; CI injects per-arch sha256sums into the PKGBUILD.

• Shell completions

  • Completions are emitted by runner completions as a combined stream covering both runner and run with current_exe() baked in.
  • PKGBUILDs rewrite baked $srcdir paths to /usr/bin/{runner,run}; bash and zsh combined streams are split into per-command autoload files and installed to canonical dirs; fish installs the combined stream under both runner.fish and run.fish so both basenames autoload; PowerShell is installed to /usr/share/runner/runner.ps1 for manual dot-sourcing from $PROFILE on Linux.

• Automated publishing

  • .github/workflows/aur-release.yml triggers on release: published and via workflow_dispatch (tag + dry-run). Runs a matrix for both packages in parallel with fail-fast: false and per-package concurrency groups to avoid AUR push races.
  • Workflow is gated by the aur GitHub Environment so the AUR SSH key is only readable inside the deployment job.
  • PKGBUILDs are prepared by .github/scripts/publish/aur-prepare.sh which enforces semver for the supplied version, updates pkgver/pkgrel, and for runner-run-bin downloads the release’s .sha256 assets (via gh release download) to inject and validate 64-hex SHA‑256 sums into sha256sums_{carch}.
  • Deployment uses KSXGitHub/github-actions-deploy-aur with configured commit identity; updpkgsums is used only for the source package.

• Packaging & helpers

  • Add aur/runner-run/PKGBUILD and aur/runner-run-bin/PKGBUILD implementing build/install and completion installation logic, plus aur/README.md documenting packages, completion behaviour and publishing automation.
  • Add .github/scripts/publish/aur-prepare.sh to automate PKGBUILD updates and sha256 injection for the binary package.

• CI hardening & reproducibility

  • Pin third-party GitHub Actions to specific commit SHAs across release/publish workflows (actions/checkout, Rust toolchain/cache actions, crates-io auth, setup-node, etc.) to improve supply-chain security and reproducibility.
  • Workflows: matrix builds for per-package publishing, manual dry-run support, persisted-credentials and concurrency/serialization controls added.

• Validation & tests

  • aur-prepare.sh exercised against v0.12.0 with matching .sha256 assets; local makepkg for runner-run-bin produced expected completion files with rewritten paths; runner-run simulation produced equivalent output.
  • Bash/zsh/fish syntax checks, PowerShell parser check, namcap on -bin (zero errors, known false-positive warnings), and actionlint/YAML checks passed.
  • First real publish pending a tagged release; dry-run available via Actions → aur-release.

This change delivers a documented AUR release pipeline for source and binary packages, installs comprehensive shell completions, and secures CI/release workflows by pinning third-party action references.

Walkthrough

This PR adds AUR publishing automation and pins Actions in release pipelines. It introduces .github/scripts/publish/aur-prepare.sh (updates PKGBUILD pkgver/pkgrel and injects per-architecture sha256sums for runner-run-bin), a new .github/workflows/aur-release.yml (matrixed publish of runner-run and runner-run-bin with dry-run support and conditional deploy), two PKGBUILD recipes under aur/ for source and binary packaging (build/install/completions), updates aur/ README, and pins multiple Actions to specific commit SHAs across crates-release, npm-release and the main release workflow.

sequenceDiagram
  participant Release as GitHub Release
  participant Workflow as .github/workflows/aur-release.yml
  participant Prep as .github/scripts/publish/aur-prepare.sh
  participant Assets as GitHub Release Assets
  participant Deploy as KSXGitHub/github-actions-deploy-aur
  participant AUR as AUR git repo

  Release->>Workflow: published release / manual dispatch
  Workflow->>Prep: run for pkgname, version (strip leading v)
  Prep->>Assets: download per-arch .sha256 assets (runner-run-bin)
  Prep->>Prep: extract & validate digest, inject into PKGBUILD
  Workflow->>Deploy: conditional deploy (unless dry-run)
  Deploy->>AUR: push updated aur/<pkgname>/PKGBUILD

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Possibly related PRs

• kjanat/runner#8: related action pinning on crates-release.yml

Suggested labels

enhancement, documentation

"Avast! PKGBUILDs trimmed and tight,
Checksums plundered from release hold,
Actions lashed to trusty SHAs,
Dry-run set, or hoist and push full sail,
Shipshape AUR, ready for the cold."

🚥 Pre-merge checks | ✅ 8

✅ Passed checks (8 passed)

Check name	Status	Explanation
Title check	✅ Passed	Title clearly describes the main change: adding AUR package publishing with shell completions, using 'feat' prefix and specific scope 'aur' as per conventional commits.
Description check	✅ Passed	Description is comprehensive and directly related to the changeset, covering package structure, shell completions, CI automation, implementation details, and test results.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Changelog Update	✅ Passed	All changes are CI, documentation, or packaging files explicitly excluded by the check. No application source code modifications requiring CHANGELOG.md update detected.
Semver Version Bump Validation	✅ Passed	No source code modifications present in PR—only CI workflows, documentation, and AUR packaging files added. Per check instructions, CI/docs changes are excluded from version-bump requirements.
Agents.Md Documentation Updated	✅ Passed	No AGENTS.md file exists in the repository, so the check's precondition is not met; the check is inapplicable to this PR.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

✨ Simplify code

• Create PR with simplified code
• Commit simplified code in branch worktree-aur-releases

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/release.yml:
- Line 140: The env mapping currently written as env: {
CARGO_UNSTABLE_BUILD_STD: std, panic_abort } splits into two keys (making
panic_abort null) so cargo-build-std does not get "std,panic_abort"; update the
release.yml env for CARGO_UNSTABLE_BUILD_STD (the env mapping that mentions
CARGO_UNSTABLE_BUILD_STD and cargo-build-std) to provide a single string value
containing the comma-separated targets, e.g. set CARGO_UNSTABLE_BUILD_STD to
"std,panic_abort" (or use a proper YAML block mapping with
CARGO_UNSTABLE_BUILD_STD: "std,panic_abort") so the action receives the intended
value.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: e0796c54-2914-4a85-b89a-5ed6f866a57b

📥 Commits

Reviewing files that changed from the base of the PR and between 2100d1f and 3ef39f4.

📒 Files selected for processing (6)

• .github/scripts/publish/aur-prepare.sh
• .github/workflows/aur-release.yml
• .github/workflows/npm-release.yml
• .github/workflows/release.yml
• aur/runner-run-bin/PKGBUILD
• aur/runner-run/PKGBUILD

📜 Review details

⏰ Context from checks skipped due to timeout of 18000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (4)

• GitHub Check: Analyze (rust)
• GitHub Check: Analyze (javascript-typescript)
• GitHub Check: Analyze (actions)
• GitHub Check: verify

🧰 Additional context used

📓 Path-based instructions (1)

.github/**/*.{yml,yaml}

⚙️ CodeRabbit configuration file

Do not ever warn about stylistic yamllint shit. Do warn about security related shit. Insecure shell handling of user supplied / defined strings: think of branch names, inputs, pr content, anything needs to be string interpolation and permission safe.

Files:

• .github/workflows/aur-release.yml
• .github/workflows/npm-release.yml
• .github/workflows/release.yml

🧠 Learnings (1)

📚 Learning: 2026-05-04T15:23:38.296Z

Learnt from: kjanat
Repo: kjanat/runner PR: 5
File: .github/workflows/release.yml:73-73
Timestamp: 2026-05-04T15:23:38.296Z
Learning: For GitHub Actions workflows in this repository (kjanat/runner), maintain the maintainer’s preference for “floating” action tags (e.g., `v6`, `v7`) instead of pinned full commit SHAs. During code review, do not flag action usages in `.github/workflows/**/*.yml` for not being pinned to full commit SHAs or suggest switching to SHA pinning.

Applied to files:

• .github/workflows/aur-release.yml
• .github/workflows/npm-release.yml
• .github/workflows/release.yml

🔇 Additional comments (12)

.github/scripts/publish/aur-prepare.sh (2)

20-28: Aye, the version validation be shipshape now! 🏴‍☠️

LGTM! The semver regex properly rejects malicious characters (&, /, \, newlines) before they can keelhaul the sed substitution. This addresses the previous concern about injection through workflow_dispatch.

---

30-37: LGTM!

Also applies to: 39-58, 61-62

.github/workflows/aur-release.yml (3)

27-28: Arr, the concurrency guard be properly hoisted! 🏴‍☠️

LGTM! The per-package concurrency group prevents dispatch and release-triggered runs from racing each other to the AUR push.

---

1-21: LGTM!

Also applies to: 29-42

---

44-62: LGTM!

aur/runner-run-bin/PKGBUILD (2)

62-67: Shiver me timbers, the fish be properly rigged now! 🐟🏴‍☠️

LGTM! Installing fish.combined under both runner.fish and run.fish ensures each command's tab-completion works in a fresh shell without depending on session order. This addresses the previous concern about fish's basename-based autoloading.

---

1-28: LGTM!

Also applies to: 30-61, 68-71

aur/runner-run/PKGBUILD (2)

76-81: Arr, same fix as the -bin package, properly doubling up the fish files! 🐟🏴‍☠️

LGTM! Both runner.fish and run.fish are now installed, ensuring tab-completion works regardless of which command the user invokes first.

---

1-40: LGTM!

Also applies to: 42-75, 82-85

.github/workflows/npm-release.yml (1)

82-105: LGTM!

.github/workflows/release.yml (2)

34-34: persist-credentials: false on these checkouts — splendid bit o' hardening, that.

Keeps the auto-injected token off disk where it isn't needed. No quarrel from me.

LGTM!

Also applies to: 98-98

---

45-59: Shell handling o' the release tag be done right — RELEASE_TAG/GITHUB_REPOSITORY passed via env and quoted, no raw ${{ }} injection into the script.

github.ref_name flows through an env var and is quoted in the shell body, so no command-injection plank to walk here.

LGTM!

Also applies to: 200-209

[coderabbitai]

⚠️ Potential issue | 🔴 Critical | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
python3 - <<'EOF'
import yaml
print(yaml.safe_load("{ CARGO_UNSTABLE_BUILD_STD: std, panic_abort }"))
print(yaml.safe_load('{ CARGO_UNSTABLE_BUILD_STD: "std,panic_abort" }'))
EOF

Repository: kjanat/runner

Length of output: 162

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail
sed -n '120,160p' .github/workflows/release.yml | cat -n

Repository: kjanat/runner

Length of output: 2085

---

Fix broken YAML env for cargo-build-std (line 140)

That flow-mapping env: { CARGO_UNSTABLE_BUILD_STD: std, panic_abort } gets parsed as:

• CARGO_UNSTABLE_BUILD_STD: 'std'
• panic_abort: null

So cargo-build-std won’t receive std,panic_abort like it’s meant to.

🐛 Proposed fix

-        env: { CARGO_UNSTABLE_BUILD_STD: std, panic_abort }
+        env: { CARGO_UNSTABLE_BUILD_STD: "std,panic_abort" }

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	env: { CARGO_UNSTABLE_BUILD_STD: std, panic_abort }
	env: { CARGO_UNSTABLE_BUILD_STD: "std,panic_abort" }

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/release.yml at line 140, The env mapping currently written
as env: { CARGO_UNSTABLE_BUILD_STD: std, panic_abort } splits into two keys
(making panic_abort null) so cargo-build-std does not get "std,panic_abort";
update the release.yml env for CARGO_UNSTABLE_BUILD_STD (the env mapping that
mentions CARGO_UNSTABLE_BUILD_STD and cargo-build-std) to provide a single
string value containing the comma-separated targets, e.g. set
CARGO_UNSTABLE_BUILD_STD to "std,panic_abort" (or use a proper YAML block
mapping with CARGO_UNSTABLE_BUILD_STD: "std,panic_abort") so the action receives
the intended value.

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

.github/workflows/npm-release.yml (1)

40-45: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Validate workflow_dispatch inputs before trusting 'em.

Ahoy: inputs.tag and inputs.run-id be operator-supplied, but this path only proves run-id is numeric. That still lets a mismatched run-id/tag pair fetch and publish the wrong npm-dist artefact, and the “Trusted trigger metadata only” note papers over that trust boundary. Please verify that the supplied run actually belongs to a successful release.yml run for RELEASE_TAG before writing it to GITHUB_OUTPUT. As per coding guidelines, .github/**/*.{yml,yaml} should warn about insecure handling of user supplied / defined strings and keep interpolation permission-safe.

Also applies to: 75-105

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/npm-release.yml around lines 40 - 45, The workflow
currently trusts operator-supplied inputs.tag and inputs.run-id when setting
RELEASE_TAG and writing to GITHUB_OUTPUT; update the workflow_dispatch handling
to first validate that the provided run-id corresponds to a completed successful
run of the release workflow that produced the same tag: fetch the workflow run
metadata (using the GitHub API) for the given run-id, verify its workflow
name/file is release.yml (or expected workflow id), confirm its conclusion is
success and its associated tag/release equals RELEASE_TAG, and only then set
RELEASE_TAG / write outputs (GITHUB_OUTPUT); reject or fail the job if any check
fails to avoid mismatched run-id/tag pairs.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Outside diff comments:
In @.github/workflows/npm-release.yml:
- Around line 40-45: The workflow currently trusts operator-supplied inputs.tag
and inputs.run-id when setting RELEASE_TAG and writing to GITHUB_OUTPUT; update
the workflow_dispatch handling to first validate that the provided run-id
corresponds to a completed successful run of the release workflow that produced
the same tag: fetch the workflow run metadata (using the GitHub API) for the
given run-id, verify its workflow name/file is release.yml (or expected workflow
id), confirm its conclusion is success and its associated tag/release equals
RELEASE_TAG, and only then set RELEASE_TAG / write outputs (GITHUB_OUTPUT);
reject or fail the job if any check fails to avoid mismatched run-id/tag pairs.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: dbd1b2c1-85bb-4821-b99d-c0c15db4ef32

📥 Commits

Reviewing files that changed from the base of the PR and between 3ef39f4 and b7c817e.

📒 Files selected for processing (2)

• .github/workflows/aur-release.yml
• .github/workflows/npm-release.yml

📜 Review details

🧰 Additional context used

📓 Path-based instructions (1)

.github/**/*.{yml,yaml}

⚙️ CodeRabbit configuration file

Do not ever warn about stylistic yamllint shit. Do warn about security related shit. Insecure shell handling of user supplied / defined strings: think of branch names, inputs, pr content, anything needs to be string interpolation and permission safe.

Files:

• .github/workflows/npm-release.yml
• .github/workflows/aur-release.yml

🧠 Learnings (1)

📚 Learning: 2026-05-04T15:23:38.296Z

Learnt from: kjanat
Repo: kjanat/runner PR: 5
File: .github/workflows/release.yml:73-73
Timestamp: 2026-05-04T15:23:38.296Z
Learning: For GitHub Actions workflows in this repository (kjanat/runner), maintain the maintainer’s preference for “floating” action tags (e.g., `v6`, `v7`) instead of pinned full commit SHAs. During code review, do not flag action usages in `.github/workflows/**/*.yml` for not being pinned to full commit SHAs or suggest switching to SHA pinning.

Applied to files:

• .github/workflows/npm-release.yml
• .github/workflows/aur-release.yml

🔇 Additional comments (2)

.github/workflows/aur-release.yml (1)

28-29: LGTM!

Also applies to: 32-32

.github/workflows/npm-release.yml (1)

60-68: LGTM!