feat(packaging): add Arch Linux package (.pkg.tar.zst) and AUR publishing

[cserby]

Closes #255

Summary

• nfpm: add archlinux packager alongside deb/rpm in xtask/src/linux.rs; cargo run -p xtask -- package-linux now produces a .pkg.tar.zst in addition to .deb/.rpm
• nfpm.yaml: add archlinux: section (packager metadata); update header comment with the archlinux example invocation
• release CI: collect .pkg.tar.zst in the linux-packages job (fixes the compound-extension problem — ext="${pkg##*.}" was giving zst, not pkg.tar.zst); include in SHA256SUMS, minisign loop, R2 upload, and GitHub Release files
• packaging/aur/PKGBUILD.tmpl: template for the openlogi-bin AUR package — downloads the nfpm-built .pkg.tar.zst from the GitHub Release for the matching architecture, extracts it (stripping pacman metadata files) into pkgdir
• packaging/aur/openlogi.install: pacman install-script hooks (post_install/post_upgrade/post_remove) equivalent to the existing nfpm-scripts/
• release CI aur-publish job: runs in archlinux:base-devel container after publish; skipped unless AUR_SSH_KEY secret is set; stamps version + SHA256 checksums into PKGBUILD, generates .SRCINFO via makepkg --printsrcinfo, and pushes to aur.archlinux.org/openlogi-bin.git

Setup required

To activate AUR publishing, add a secret named AUR_SSH_KEY to the repository containing an Ed25519 private key registered with an AUR account that has maintainer access to openlogi-bin. The AUR package itself needs to be created once manually (clone the empty AUR repo, push the initial PKGBUILD).

Test plan

• cargo run -p xtask -- package-linux --no-build (with binaries already built) produces target/release/openlogi-*.pkg.tar.zst
• The .pkg.tar.zst installs cleanly on an Arch Linux system with pacman -U
• linux-packages CI job artifact includes *.pkg.tar.zst
• GitHub Release includes the Arch package in SHA256SUMS

🤖 Generated with Claude Code

[greptile-apps]

Greptile Summary

This PR extends the Linux packaging pipeline to produce Arch Linux .pkg.tar.zst artifacts via nfpm, wires them through the entire release CI (checksums, minisign, R2, GitHub Release), and adds an aur-publish job that stamps version/checksums into a PKGBUILD template and pushes to the AUR.

• nfpm + xtask: archlinux packager added alongside deb/rpm; one-line change in linux.rs and a new archlinux: section in nfpm.yaml.
• Release CI: .pkg.tar.zst compound-extension collected separately, included in SHA256SUMS/minisign/R2/GitHub Release; previous review issues (.MTREE exclusion, secret-in-job-if, set -o pipefail) are all addressed.
• AUR packaging: New PKGBUILD.tmpl downloads the nfpm-built archive, strips its metadata files, and re-packages via makepkg; openlogi.install mirrors the existing nfpm post-install/post-remove scripts faithfully.

Confidence Score: 5/5

Safe to merge — all blocking issues from prior review rounds are resolved and no new defects were found in the changed code.

The Arch Linux packaging path is end-to-end correct: nfpm produces the archive, the release CI collects/checksums/signs it, the PKGBUILD template downloads from the published release and extracts with all metadata files (including .MTREE) properly excluded, and the AUR push is gated on a working pipefail-protected checksum step. The only findings are minor style nits.

No files require special attention; packaging/aur/PKGBUILD.tmpl has a trivial missing-default-case nit in its case block.

Important Files Changed

Filename	Overview
.github/workflows/release.yml	Adds .pkg.tar.zst handling throughout the release pipeline (collect, checksum, minisign, R2, GitHub Release) plus aur-check/aur-publish jobs; previous review issues (MTREE exclusion, secret-in-job-if, pipefail) are all addressed
packaging/aur/PKGBUILD.tmpl	New AUR package template; correctly declares per-arch sources and excludes all nfpm metadata files (including .MTREE); minor: case lacks a default clause so unsupported CARCH produces a cryptic bsdtar error
packaging/aur/openlogi.install	Pacman install hooks faithfully mirror nfpm-scripts (sed @bindir@, udevadm, icon/desktop caches); post_remove omits a hint to disable the user service, matching the same minor gap in nfpm-scripts/postremove.sh
packaging/linux/nfpm.yaml	Adds archlinux: packager: section and updates header comment; minimal and correct
xtask/src/linux.rs	Adds archlinux to the packager loop; one-line change, straightforward

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[git tag pushed] --> B[linux-packages job\nnfpm: deb + rpm + archlinux]
    A --> C[macos / windows jobs]
    B --> D[Collect packages\ncopy .deb .rpm .pkg.tar.zst to dist/]
    D --> E[upload-artifact\nOpenLogi-linux-packages-*]
    C --> F[publish job]
    E --> F
    F --> G[Generate SHA256SUMS\n*.dmg *.exe *.msi *.deb *.rpm *.pkg.tar.zst]
    G --> H[minisign all artifacts]
    H --> I[R2 upload]
    I --> J[GitHub Release\nwith all artifacts + SHA256SUMS]
    J --> K[aur-check job\ncheck AUR_SSH_KEY secret]
    K -->|enabled=false| L[skip aur-publish]
    K -->|enabled=true| M[aur-publish job\narchlinux:base-devel container]
    M --> N[curl .pkg.tar.zst from GH Release\ncompute sha256 with pipefail]
    N --> O[sed PKGBUILD.tmpl\nstamp version + checksums]
    O --> P[makepkg --printsrcinfo\ngenerate .SRCINFO as builder user]
    P --> Q[git push to AUR\naur.archlinux.org/openlogi-bin.git]

Loading

_{Reviews (3): Last reviewed commit: "fix(ci): add pipefail to AUR checksum st..." | Re-trigger Greptile}