PKGBUILD: pin source sha256 + wire real CI pipeline

- distcc-3.4 tarball hash + local support files hashed (no more SKIP)
- .gitea/workflows/build.yml now builds, signs, repo-adds and rsyncs
  to nc via the marfrit-repo-deploy key. Triggers on push to arch/**
  or manual workflow_dispatch.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

.gitea/workflows/build.yml

@@ -1,50 +1,106 @@
 name: build and publish packages
 
-# STUB — wired in a follow-up session. Current design sketch:
+on:
-#
+  push:
-#   jobs:
+    branches: [main]
-#     arch-aarch64:
+    paths:
-#       runs-on: [self-hosted, alarm, aarch64]
+      - 'arch/**'
-#       steps:
+      - '.gitea/workflows/build.yml'
-#         - uses: actions/checkout@v4
+  workflow_dispatch:
-#         - name: makepkg
+
-#           run: |
-#             cd arch/distcc-avahi
-#             makepkg --nocheck --noconfirm --syncdeps
-#         - name: import signing key
-#           env:
-#             KEY: ${{ secrets.MARFRIT_REPO_PRIVATE_KEY }}
-#             PASS: ${{ secrets.MARFRIT_REPO_PASSPHRASE }}
-#           run: |
-#             echo "$KEY" | gpg --import
-#             echo "$PASS" > /tmp/pass
-#         - name: sign package
-#           run: |
-#             gpg --batch --pinentry-mode loopback --passphrase-file /tmp/pass \
-#                 --detach-sign --yes arch/distcc-avahi/*.pkg.tar.zst
-#         - name: publish to packages.reauktion.de
-#           env:
-#             SSH_KEY: ${{ secrets.MARFRIT_REPO_DEPLOY_KEY }}
-#           run: |
-#             mkdir -p ~/.ssh && echo "$SSH_KEY" > ~/.ssh/id_ed25519
-#             chmod 600 ~/.ssh/id_ed25519
-#             scp arch/distcc-avahi/*.pkg.tar.zst{,.sig} \
-#                 mfritsche@nc.reauktion.de:/srv/packages/arch/aarch64/
-#             # Regenerate db remotely (on an aarch64 runner with pacman):
-#             ssh mfritsche@nc.reauktion.de 'cd /srv/packages/arch/aarch64 && \
-#                 repo-add --sign --key 92D5E96D8F63C75E4116AA1FF5C8C4603D0D250C \
-#                 marfrit.db.tar.gz *.pkg.tar.zst'
-#
-# Runner requirements:
-#   - feynman (CT115 on data) currently has the Actions runner for ARM
-#     bare-metal builds. For ALARM packages we'd want either:
-#       (a) a dedicated ALARM runner container, OR
-#       (b) makechrootpkg inside feynman with an ALARM pacstrap.
-#   - x86_64 Arch runner: can live on any nuccie.
-#   - Debian runners: debootstrap bookworm/trixie for each arch.
-on: workflow_dispatch
 jobs:
-  placeholder:
+  distcc-avahi-aarch64:
-    runs-on: ubuntu-latest
+    runs-on: arch-aarch64
     steps:
-      - run: echo "build pipeline not yet wired — see file header"
+      - name: checkout
+        uses: actions/checkout@v4
+
+      - name: install builder deps (idempotent)
+        run: |
+          # runner image is Arch aarch64 with base-devel + gnupg + rsync + sudo.
+          # This step exists so a freshly re-imaged runner bootstraps itself.
+          pacman -Syu --noconfirm --needed base-devel git rsync gnupg openssh sudo avahi popt python python-setuptools
+
+      - name: import signing key
+        env:
+          PRIV: ${{ secrets.MARFRIT_REPO_PRIVATE_KEY }}
+          PASS: ${{ secrets.MARFRIT_REPO_PASSPHRASE }}
+        run: |
+          set -e
+          mkdir -m700 -p /root/.gnupg
+          printf '%s\n' "$PRIV" | gpg --batch --import
+          # echo trust so gpg doesn't complain during signing
+          echo "92D5E96D8F63C75E4116AA1FF5C8C4603D0D250C:6:" | gpg --import-ownertrust
+          printf '%s' "$PASS" > /root/repo_pass
+          chmod 600 /root/repo_pass
+
+      - name: install deploy ssh key
+        env:
+          KEY: ${{ secrets.MARFRIT_REPO_DEPLOY_KEY }}
+        run: |
+          mkdir -m700 -p /root/.ssh
+          printf '%s\n' "$KEY" > /root/.ssh/id_ed25519
+          chmod 600 /root/.ssh/id_ed25519
+          ssh-keyscan -t ed25519 nc.reauktion.de > /root/.ssh/known_hosts 2>/dev/null
+
+      - name: makepkg
+        run: |
+          set -e
+          chown -R builder:builder arch/distcc-avahi
+          cd arch/distcc-avahi
+          sudo -u builder makepkg --nocheck --noconfirm --syncdeps --cleanbuild
+          ls -la *.pkg.tar.zst
+
+      - name: sign package
+        run: |
+          set -e
+          cd arch/distcc-avahi
+          for f in *.pkg.tar.zst; do
+            gpg --batch --pinentry-mode loopback --passphrase-file /root/repo_pass \
+                --detach-sign --yes -u 92D5E96D8F63C75E4116AA1FF5C8C4603D0D250C "$f"
+          done
+          ls -la *.sig
+
+      - name: fetch current repo db and rebuild
+        run: |
+          set -e
+          mkdir -p /tmp/arch-stage
+          cd /tmp/arch-stage
+          # pull current db (may be empty skeleton on first run)
+          curl -sSL https://packages.reauktion.de/arch/aarch64/marfrit.db.tar.gz -o marfrit.db.tar.gz || true
+          curl -sSL https://packages.reauktion.de/arch/aarch64/marfrit.files.tar.gz -o marfrit.files.tar.gz || true
+          # move freshly built package(s) in
+          mv "$GITHUB_WORKSPACE"/arch/distcc-avahi/*.pkg.tar.zst .
+          mv "$GITHUB_WORKSPACE"/arch/distcc-avahi/*.pkg.tar.zst.sig .
+          # regenerate the db, signing it with our key
+          GPG_TTY= \
+          GNUPGHOME=/root/.gnupg \
+          repo-add --new --sign --key 92D5E96D8F63C75E4116AA1FF5C8C4603D0D250C \
+            --verify marfrit.db.tar.gz *.pkg.tar.zst
+          # refresh "unversioned" symlinks expected by pacman
+          ln -sf marfrit.db.tar.gz     marfrit.db
+          ln -sf marfrit.files.tar.gz  marfrit.files
+          ln -sf marfrit.db.tar.gz.sig marfrit.db.sig
+          ln -sf marfrit.files.tar.gz.sig marfrit.files.sig
+          ls -la
+
+      - name: publish via rrsync
+        run: |
+          set -e
+          cd /tmp/arch-stage
+          # rrsync on nc is scoped to /srv/packages/; target path is relative.
+          rsync -avL --copy-unsafe-links \
+            -e 'ssh -i /root/.ssh/id_ed25519' \
+            ./ mfritsche@nc.reauktion.de:arch/aarch64/
+
+      - name: wipe secrets
+        if: always()
+        run: rm -f /root/repo_pass /root/.ssh/id_ed25519
+
+  # x86_64 job will mirror this one and run on the pve4 runner.
+  # Kept commented out until a package actually targets x86_64 —
+  # no point spinning pve4 for a no-op.
+  #
+  # distcc-avahi-x86_64:
+  #   runs-on: arch-x86_64
+  #   steps: (same as above, with arch/x86_64/ target)

arch/distcc-avahi/PKGBUILD

@@ -23,16 +23,16 @@ conflicts=('distcc')
 replaces=('distcc')
 backup=('etc/conf.d/distccd')
 source=(
-    "https://github.com/distcc/distcc/releases/download/v${pkgver}/distcc-${pkgver}.tar.gz"
+    "${_pkgname}-${pkgver}.tar.gz::https://github.com/distcc/distcc/archive/refs/tags/v${pkgver}.tar.gz"
     "distccd.conf"
     "distccd.service"
     "distcc.tmpfiles"
 )
 sha256sums=(
-    'SKIP'  # pin when first built in CI
+    '37a34c9555498a1168fea026b292ab07e7bb394715d87d8403e0c33b16d2d008'
-    'SKIP'
+    '38cb1912bfa15efd762dd868e049bdbcd58f1a46065255bc4648f821ba516d65'
-    'SKIP'
+    'a4f1d1bb21d61d41f22e918b448cfb852a6d95b0d3b922bd82805090cb2ce41a'
-    'SKIP'
+    'd8aee2eb895c02a39e0f2b76fd4a5c9dce91405f1c443286ca324628eadbf3f1'
 )
 
 prepare() {