aur pkg #1562

Ghost-chu · 2026-01-16T13:23:55Z

Arch Linux 的包管理器软件包打包流程

Summary by CodeRabbit

新功能
- 新增 Arch Linux AUR 打包支持，用户可从 AUR 安装 PeerBanHelper。
- 添加 systemd 服务、专用运行用户及运行时目录/权限配置，便于以专用用户管理与运行。
工程管理
- CI/CD 集成 AUR 构建流程，生成并保存打包产物以纳入发布与后续上传流程。
- 安装/升级提示信息改善，提供启用/重启服务的操作指引。

_{✏️ Tip: You can customize this high-level summary in your review settings.}

coderabbitai · 2026-01-16T13:24:10Z

Note

Other AI code review bot(s) detected

CodeRabbit has detected other AI code review bot(s) in this pull request and will avoid duplicating their findings in the review comments. This may lead to a less comprehensive review.

Walkthrough

新增 AUR 打包支持：添加可复用 GitHub Actions 工作流在 archlinux:base-devel 容器中构建 AUR 包，新增 PKGBUILD 与 systemd/sysusers/tmpfiles/install 文件，并在 jvm-release 发布流程中集成 aur-dist 构建产物。

Changes

Cohort / File(s)	变更摘要
GitHub Actions：AUR 工作流 `/.github/workflows/build_aur.yml`	新增可复用工作流“ AUR Package Build”：在 archlinux:base-devel 容器中安装构建依赖、调用 YunaBraska/java-info-action 获取版本、更新 `PKGBUILD` pkgver、以非 root builder 用户生成 `.SRCINFO` 并运行 `makepkg`，上传 `aur-dist`（`PKGBUILD`、`.SRCINFO`、生成的包）。
发布工作流更新 `/.github/workflows/jvm-release.yml`	新增 `Build_AUR` job（uses: `./.github/workflows/build_aur.yml`, needs: `Build_Executable`），并将其加入 downstream 依赖（`Empty_Old_S3_Files`、`Upload_Updates_To_S3`、`Upload_Artifacts`）；`Upload_Artifacts` 增加下载 `aur-dist` 到 `build/media` 步骤。
AUR 打包脚本 `pkg/aur/PKGBUILD`	新增 PKGBUILD：包元数据、基于 Git 的 `pkgver()`、`prepare`（pnpm 安装 WebUI 依赖）、`build`（构建 WebUI、Gradle 构建 JAR 并复制依赖）、`package`（安装 JAR 与 systemd/sysusers/tmpfiles 文件）。所有 `sha256sums` 标记为 `SKIP`。
系统集成与安装脚本 `pkg/aur/peerbanhelper.install`, `pkg/aur/peerbanhelper.service`, `pkg/aur/peerbanhelper.sysusers`, `pkg/aur/peerbanhelper.tmpfiles`	新增 `post_install`/`post_upgrade` 提示脚本；新增 systemd 单元（以 `peerbanhelper` 用户运行、工作目录、JVM 启动参数、CAP_NET_ADMIN、Restart 策略）；新增 sysusers 条目声明 `peerbanhelper` 用户；新增 tmpfiles 条目创建并设置 `/var/lib/peerbanhelper`、`/var/log/peerbanhelper`、`/etc/peerbanhelper` 目录权限。

Sequence Diagram(s)

sequenceDiagram
    participant GA as GitHub Actions
    participant Runner as Ubuntu Runner
    participant AC as Arch Container (archlinux:base-devel)
    participant JI as YunaBraska/java-info-action
    participant Storage as Artifact Storage

    GA->>Runner: 触发 jvm-release 包含 Build_AUR
    Runner->>AC: 启动 archlinux:base-devel 容器并运行工作流步骤
    AC->>AC: 安装构建依赖 (git, jdk, gradle, node, pnpm)
    AC->>AC: 检出仓库并修复权限
    AC->>JI: 调用 java-info-action 获取 x_version
    JI-->>AC: 返回 x_version
    AC->>AC: 更新 PKGBUILD pkgver 并创建非 root builder 用户
    AC->>AC: 以 builder 运行 makepkg 生成 .SRCINFO 并构建包
    AC->>Storage: 上传 aur-dist（PKGBUILD、.SRCINFO、包文件）
    Storage-->>GA: aur-dist 可供后续作业下载

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

Debian Improvements #732: 修改/添加了与包与 systemd/sysusers/tmpfiles 相关的文件，与本次 systemd 与系统集成改动高度相关。
fnos pkg #1564: 添加或修改 CI 中的可复用包构建工作流并在发布流程中集成，与本次新增 AUR 工作流和 jvm-release 集成直接相关。

Suggested reviewers

Gaojianli

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 inconclusive)

Check name	Status	Explanation	Resolution
Title check	❓ Inconclusive	PR标题"aur pkg"过于简洁和通用，虽然确实涉及AUR包打包，但未能充分传达变更的具体内容和主要目的。	建议将标题扩展为更具描述性的内容，例如"Add AUR package build workflow and PKGBUILD configuration"或"设置Arch Linux AUR包打包流程"，以更清楚地说明此PR的核心变更。

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

🧪 Generate unit tests (beta)

Create PR with unit tests
Post copyable unit tests in a comment
Commit unit tests in branch aur

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

gemini-code-assist · 2026-01-16T13:24:12Z

Summary of Changes

Hello @Ghost-chu, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request introduces the necessary files to create an Arch User Repository (AUR) package for PeerBanHelper. It streamlines the installation and management of the PeerBanHelper application on Arch Linux systems by providing a PKGBUILD script, systemd service definitions, and configuration for system users and temporary files. This significantly simplifies the process for users to install, run, and maintain PeerBanHelper.

Highlights

New AUR Package Addition: This pull request introduces a new Arch User Repository (AUR) package for 'PeerBanHelper', enabling easy installation and management on Arch Linux systems.
Comprehensive PKGBUILD Script: A detailed PKGBUILD script is included, defining all necessary steps for building, packaging, and installing the PeerBanHelper application, including its web UI and Java components.
System Integration: The package includes systemd service, sysusers, and tmpfiles configurations to ensure proper system integration, dedicated user execution, and management of application directories.
User Guidance: Post-installation and post-upgrade scripts are provided to guide users on how to enable, start, and restart the PeerBanHelper systemd service.

Ignored Files

Ignored by pattern: .github/workflows/** (2)
- .github/workflows/build_aur.yml
- .github/workflows/jvm-release.yml

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	`/gemini review`	Performs a code review for the current pull request in its current state.
Pull Request Summary	`/gemini summary`	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	`/gemini help`	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

gemini-code-assist

Code Review

您好，感谢您为 PeerBanHelper 创建 AUR 软件包。这是一个很好的开始。我主要在 PKGBUILD 文件中发现了一些需要改进的地方，以更好地遵循 Arch Linux 的打包规范和安全最佳实践。

主要问题包括：

安全问题：本地源文件缺少 SHA256 校验和，这会带来安全风险。
命名规范：由于软件包是从 git 最新代码构建的，根据 AUR 的惯例，包名应以 -git 结尾。
版本控制：pkgver() 函数中硬编码了版本号，这会导致版本更新不正确。

其他文件（如 systemd service 文件）看起来很不错，遵循了现代的最佳实践。请查看我的具体评论以获取详细信息和修改建议。

pkg/aur/PKGBUILD

Copilot

Pull request overview

This pull request adds AUR (Arch User Repository) packaging support for PeerBanHelper, enabling distribution through Arch Linux's package management system.

Changes:

Adds AUR package build workflow and integration with the release process
Creates PKGBUILD and supporting systemd configuration files for Arch Linux packaging
Updates the release workflow to include AUR package generation alongside existing package formats

Reviewed changes

Copilot reviewed 7 out of 7 changed files in this pull request and generated 5 comments.

Show a summary per file

File	Description
pkg/aur/PKGBUILD	AUR package build script defining dependencies, build process, and installation for Arch Linux
pkg/aur/peerbanhelper.service	Systemd service unit file for running PeerBanHelper as a system service
pkg/aur/peerbanhelper.tmpfiles	Systemd tmpfiles configuration for creating required directories with proper permissions
pkg/aur/peerbanhelper.sysusers	Systemd sysusers configuration for creating the peerbanhelper system user
pkg/aur/peerbanhelper.install	Post-installation and post-upgrade scripts providing user instructions
.github/workflows/build_aur.yml	GitHub Actions workflow for building the AUR package in an Arch Linux container
.github/workflows/jvm-release.yml	Updates release workflow to include AUR package build job and artifact handling

pkg/aur/PKGBUILD

.github/workflows/build_aur.yml

pkg/aur/PKGBUILD

.github/workflows/build_aur.yml

coderabbitai

Actionable comments posted: 1

🤖 Fix all issues with AI agents

In @.github/workflows/build_aur.yml:
- Line 13: Replace the unsafe package install command "pacman -Sy --noconfirm
git jdk-openjdk gradle nodejs pnpm" with a full system upgrade invocation by
using "pacman -Syu --noconfirm" followed by the package list; update the
workflow step that runs this command so the package database is synced and
installed packages are upgraded atomically to avoid partial-upgrade issues.

🧹 Nitpick comments (8)

.github/workflows/build_aur.yml (2)
7-9: 建议为 AUR 构建任务添加超时配置

根据编码规范，构建任务应配置适当的超时时间。AUR 包构建可能需要较长时间，建议添加 timeout-minutes 配置。
♻️ 建议修复
 jobs:
   aur:
     runs-on: ubuntu-latest
     container: archlinux:base-devel
+    timeout-minutes: 30
     steps:
21-22: 将外部 Action 版本固定为具体的提交哈希以增强安全性

使用 @main 引用外部 Action 存在供应链安全风险，因为分支引用是可变的，上游维护者（或攻击者）可以改动该分支，导致任意代码执行。应将其固定到完整的提交哈希值（commit SHA），或至少固定到具体的版本标签。当前工作流中的其他 Action（如 actions/checkout@v4、actions/upload-artifact@v4）已经采用版本固定，建议此处保持一致。最新版本为 v2.1.90。
pkg/aur/peerbanhelper.service (2)
5-11: 建议添加 systemd 安全加固选项

当前服务配置缺少常见的安全加固选项。对于作为非 root 用户运行的守护进程，建议添加以下安全限制以减少攻击面：
🔒 建议添加的安全加固配置
 [Service]
 User=peerbanhelper
 WorkingDirectory=/usr/lib/peerbanhelper
 ExecStart=/usr/bin/java --enable-native-access=ALL-UNNAMED -XX:+UseCompactObjectHeaders -Dpbh.release=arch -Dpbh.datadir=/var/lib/peerbanhelper -Dpbh.configdir=/etc/peerbanhelper -Dpbh.logsdir=/var/log/peerbanhelper -Dpbh.log.level=WARN -Djdk.attach.allowAttachSelf=true -XX:MaxRAMPercentage=85.0 -XX:+UseZGC -XX:SoftMaxHeapSize=386M -XX:ZUncommitDelay=1 -Xss512k -XX:+UseStringDeduplication -XX:-ShrinkHeapInSteps -jar PeerBanHelper.jar
 SuccessExitStatus=143
 AmbientCapabilities=CAP_NET_ADMIN
 Restart=on-failure
+ProtectSystem=strict
+ProtectHome=true
+PrivateTmp=true
+ReadWritePaths=/var/lib/peerbanhelper /var/log/peerbanhelper /etc/peerbanhelper
11-11: 建议配置重启延迟和限制

Restart=on-failure 是合理的，但建议添加 RestartSec 和 StartLimitBurst/StartLimitIntervalSec 以防止服务在持续失败时频繁重启消耗系统资源。
♻️ 建议的配置
 Restart=on-failure
+RestartSec=5
pkg/aur/PKGBUILD (4)
19-23: 本地文件应提供校验和

虽然 git 源使用 SKIP 是可接受的做法，但本地配置文件（peerbanhelper.sysusers、peerbanhelper.tmpfiles、peerbanhelper.service、peerbanhelper.install）应提供实际的 sha256 校验和以确保文件完整性。

可以使用以下命令生成校验和：
sha256sum peerbanhelper.sysusers peerbanhelper.tmpfiles peerbanhelper.service peerbanhelper.install
10-10: 建议使用 SPDX 许可证标识符

根据 Arch Wiki 的 PKGBUILD 指南，license 字段应使用 SPDX 标识符格式。
♻️ 建议的修改
-license=('GPL3')
+license=('GPL-3.0-or-later')
25-29: 版本号硬编码重复

pkgver() 函数中硬编码了 "9.2.5"，与第 5 行的 pkgver=9.2.5 重复。如果版本更新，需要在两处同时修改，容易造成不一致。
♻️ 建议使用变量或从单一来源获取版本
 pkgver() {
   cd "$srcdir/$_pkgname"
   # Generate version string based on git
-  printf "%s.r%s.g%s" "9.2.5" "$(git rev-list --count HEAD)" "$(git rev-parse --short HEAD)"
+  # 从 gradle.properties 或 git tag 获取基础版本
+  local _basever=$(grep -oP 'version\s*=\s*\K[\d.]+' gradle.properties 2>/dev/null || echo "$pkgver")
+  printf "%s.r%s.g%s" "$_basever" "$(git rev-list --count HEAD)" "$(git rev-parse --short HEAD)"
 }
或者如果项目使用 git tags 进行版本管理：
 pkgver() {
   cd "$srcdir/$_pkgname"
-  printf "%s.r%s.g%s" "9.2.5" "$(git rev-list --count HEAD)" "$(git rev-parse --short HEAD)"
+  git describe --long --tags | sed 's/^v//;s/$[^-]*-g$/r\1/;s/-/./g'
 }
56-56: cp -r 可能无法正确设置文件权限

使用 cp -r 复制 libraries 目录可能会保留源文件的权限，但更推荐使用 install 命令或 cp -a 以确保权限一致性，或在复制后显式设置权限。
♻️ 建议的修改
-  cp -r build/libraries "$pkgdir/usr/lib/$pkgname/"
+  cp -r build/libraries "$pkgdir/usr/lib/$pkgname/"
+  chmod -R 644 "$pkgdir/usr/lib/$pkgname/libraries"
+  find "$pkgdir/usr/lib/$pkgname/libraries" -type d -exec chmod 755 {} \;

📜 Review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 2bef4c0 and 6fd4f14.

📒 Files selected for processing (7)

.github/workflows/build_aur.yml
.github/workflows/jvm-release.yml
pkg/aur/PKGBUILD
pkg/aur/peerbanhelper.install
pkg/aur/peerbanhelper.service
pkg/aur/peerbanhelper.sysusers
pkg/aur/peerbanhelper.tmpfiles

🧰 Additional context used

📓 Path-based instructions (5)

{pom.xml,Dockerfile,.github/**/*.{yml,yaml}}