fix: replace goreleaser AUR integration with manual ssh-agent push

matpdev · matpdev · commit 0665c9679d49 · 2026-04-01T12:20:39.000-03:00
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -5,24 +5,21 @@
 # vX.Y.Z is pushed to the repository (e.g.: via `make release` or scripts/release.sh).
 #
 # Full flow:
-#   git commit → scripts/release.sh → tag vX.Y.Z → this workflow → goreleaser
-#                                                                       ↓
-#                                              binários + archives + GitHub Release
-#                                                                       ↓
-#                                              (se AUR_KEY configurado) AUR push
+#   git commit → tag vX.Y.Z → this workflow
+#       ↓
+#   goreleaser → binaries + archives + GitHub Release   (always)
+#       ↓
+#   Publish to AUR                                      (only if AUR_KEY is set)
 #
 # ── AUR secret setup ──────────────────────────────────────────────────────────
-# The AUR_KEY secret MUST be stored as base64 to avoid newline corruption.
-# GitHub Actions mangles multi-line secrets; base64 encodes them to a single
-# line that is decoded byte-for-byte back to the original key file.
+# Store the SSH private key as base64 to avoid newline corruption from GitHub
+# Actions secret expansion. Run once on your machine:
 #
-# One-time setup — encode your AUR SSH private key and store it as AUR_KEY:
+#   Linux:  base64 -w 0 ~/.ssh/aur > /tmp/aur_b64.txt
+#   macOS:  base64 -i  ~/.ssh/aur > /tmp/aur_b64.txt
 #
-#   Linux:  base64 -w 0 ~/.ssh/aur > aur_key_b64.txt
-#   macOS:  base64 -i  ~/.ssh/aur > aur_key_b64.txt
-#
-# Copy the content of aur_key_b64.txt and paste it as the AUR_KEY secret at:
-#   Settings → Secrets and variables → Actions → New repository secret
+# Then go to: Settings → Secrets and variables → Actions → AUR_KEY → Update
+# and paste the single-line base64 output.
 # ==============================================================================
 
 name: Release
@@ -33,23 +30,20 @@ on:
       - "v[0-9]+.[0-9]+.[0-9]+"   # v1.2.3
       - "v[0-9]+.[0-9]+.[0-9]+-*" # v1.2.3-beta.1  (pre-release)
 
-# Minimum permissions required for goreleaser to create the release
 permissions:
-  contents: write # create releases and upload assets
-  packages: write # publish packages (if needed in the future)
+  contents: write
+  packages: write
 
 jobs:
-  # ── Goreleaser ───────────────────────────────────────────────────────────────
-  goreleaser:
+  # ── Release ──────────────────────────────────────────────────────────────────
+  release:
     name: Release ${{ github.ref_name }}
     runs-on: ubuntu-latest
 
     steps:
-      - name: Checkout (com histórico completo)
+      - name: Checkout
         uses: actions/checkout@v4
         with:
-          # fetch-depth 0 is required for goreleaser to generate the changelog
-          # correctly from the full commit and tag history.
           fetch-depth: 0
 
       - name: Setup Go
@@ -64,69 +58,128 @@ jobs:
           go mod tidy
           git diff --exit-code go.mod go.sum
 
-      # Runs tests before publishing — failure here aborts the release
       - name: Test
         run: go test -race ./...
 
-      # Decodes the base64-encoded AUR_KEY secret into a proper PEM key file.
-      # goreleaser v2 requires private_key to be a FILE PATH, not inline content.
-      # Storing the key as base64 avoids the newline corruption that GitHub
-      # Actions causes when expanding multi-line secrets — which triggers
-      # "error in libcrypto" from OpenSSH when it tries to parse the key.
-      - name: Setup AUR key
+      # ── Goreleaser (GitHub Release only, AUR handled separately below) ──────
+      - name: Run goreleaser
+        uses: goreleaser/goreleaser-action@v6
+        with:
+          distribution: goreleaser
+          version: "~> v2"
+          args: release --clean --skip=aurs
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      # ── AUR publish ──────────────────────────────────────────────────────────
+      # Uses ssh-agent to load the key into memory, bypassing the OpenSSH
+      # file-loading path that causes "error in libcrypto" with go-git / git.
+      # The AUR_KEY secret must be base64-encoded (see header comment above).
+      - name: Decode AUR key
         id: aur
         env:
           AUR_KEY_B64: ${{ secrets.AUR_KEY }}
         run: |
-          if [ -n "$AUR_KEY_B64" ]; then
-            mkdir -p ~/.ssh
-            echo "$AUR_KEY_B64" | base64 -d > ~/.ssh/aur_key
-            chmod 600 ~/.ssh/aur_key
-            # Validate the decoded key is parseable before proceeding
-            if ssh-keygen -l -f ~/.ssh/aur_key > /dev/null 2>&1; then
-              echo "has_key=true" >> "$GITHUB_OUTPUT"
-            else
-              echo "::error title=AUR_KEY inválida::A chave decodificada não é um arquivo de chave SSH válido."
-              echo "::error title=AUR_KEY inválida::Verifique se o secret foi armazenado em base64 (veja o comentário no topo deste arquivo)."
-              echo "has_key=false" >> "$GITHUB_OUTPUT"
-            fi
-          else
+          if [ -z "$AUR_KEY_B64" ]; then
             echo "has_key=false" >> "$GITHUB_OUTPUT"
-            echo "::warning title=AUR_KEY ausente::Publicação no AUR ignorada. Configure o secret AUR_KEY para habilitar."
+            echo "::warning title=AUR_KEY ausente::Publicação no AUR ignorada."
+            exit 0
           fi
 
-      - name: Run goreleaser
-        uses: goreleaser/goreleaser-action@v6
-        with:
-          distribution: goreleaser
-          version: "~> v2"
-          args: >-
-            release --clean
-            ${{ steps.aur.outputs.has_key != 'true' && '--skip=aurs' || '' }}
+          mkdir -p ~/.ssh
+          echo "$AUR_KEY_B64" | base64 -d > ~/.ssh/aur_key
+          chmod 600 ~/.ssh/aur_key
+
+          if ! ssh-keygen -l -f ~/.ssh/aur_key > /dev/null 2>&1; then
+            echo "has_key=false" >> "$GITHUB_OUTPUT"
+            echo "::error title=AUR_KEY inválida::Chave não reconhecida. Confirme que o secret está em base64."
+            exit 0
+          fi
+
+          echo "has_key=true" >> "$GITHUB_OUTPUT"
+
+      - name: Publish to AUR
+        if: steps.aur.outputs.has_key == 'true'
         env:
-          # GitHub token to create the release and upload assets.
-          # GITHUB_TOKEN is automatically injected by Actions — no extra configuration needed.
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          # goreleaser v2 expects a FILE PATH for private_key, not inline key content.
-          # Points to the file written and validated by the "Setup AUR key" step above.
-          AUR_KEY: /home/runner/.ssh/aur_key
+          GIT_AUTHOR_NAME: goreleaserbot
+          GIT_AUTHOR_EMAIL: bot@goreleaser.com
+          GIT_COMMITTER_NAME: goreleaserbot
+          GIT_COMMITTER_EMAIL: bot@goreleaser.com
+        run: |
+          # ── Load key into agent (avoids all file-based libcrypto issues) ────
+          eval "$(ssh-agent -s)"
+          ssh-add ~/.ssh/aur_key
+          ssh-keyscan -H aur.archlinux.org >> ~/.ssh/known_hosts 2>/dev/null
+
+          # ── Version and checksums ────────────────────────────────────────────
+          VERSION="${GITHUB_REF_NAME#v}"
+          SHA_X86_64=$(grep "linux_amd64.tar.gz" dist/checksums.txt | awk '{print $1}')
+          SHA_I686=$(grep "linux_386.tar.gz"     dist/checksums.txt | awk '{print $1}')
+
+          if [ -z "$SHA_X86_64" ] || [ -z "$SHA_I686" ]; then
+            echo "::error::Checksums não encontrados em dist/checksums.txt"
+            exit 1
+          fi
+
+          # ── Clone AUR repo ───────────────────────────────────────────────────
+          git -c init.defaultBranch=master \
+            clone ssh://aur@aur.archlinux.org/cpp-gen-bin.git /tmp/aur-cpp-gen-bin
+
+          # ── Generate PKGBUILD with real version and checksums ────────────────
+          sed \
+            -e "s/^pkgver=.*/pkgver=${VERSION}/" \
+            -e "s/^pkgrel=.*/pkgrel=1/" \
+            -e "s/sha256sums_x86_64=('SKIP')/sha256sums_x86_64=('${SHA_X86_64}')/" \
+            -e "s/sha256sums_i686=('SKIP')/sha256sums_i686=('${SHA_I686}')/" \
+            aur/PKGBUILD > /tmp/aur-cpp-gen-bin/PKGBUILD
+
+          # ── Generate .SRCINFO ────────────────────────────────────────────────
+          cat > /tmp/aur-cpp-gen-bin/.SRCINFO << EOF
+pkgbase = cpp-gen-bin
+	pkgdesc = Modern C++ project generator with CMake, package managers, IDE configurations and development tools
+	pkgver = ${VERSION}
+	pkgrel = 1
+	url = https://github.com/matpdev/cpp-gen
+	arch = x86_64
+	arch = i686
+	license = MIT
+	provides = cpp-gen
+	conflicts = cpp-gen
+	options = !strip
+	source_x86_64 = cpp-gen-bin-${VERSION}-x86_64.tar.gz::https://github.com/matpdev/cpp-gen/releases/download/v${VERSION}/cpp-gen_${VERSION}_linux_amd64.tar.gz
+	sha256sums_x86_64 = ${SHA_X86_64}
+	source_i686 = cpp-gen-bin-${VERSION}-i686.tar.gz::https://github.com/matpdev/cpp-gen/releases/download/v${VERSION}/cpp-gen_${VERSION}_linux_386.tar.gz
+	sha256sums_i686 = ${SHA_I686}
+
+pkgname = cpp-gen-bin
+EOF
+
+          # ── Copy LICENSE ─────────────────────────────────────────────────────
+          cp aur/LICENSE /tmp/aur-cpp-gen-bin/LICENSE
+
+          # ── Commit and push (branch must be master for AUR) ──────────────────
+          cd /tmp/aur-cpp-gen-bin
+          git add PKGBUILD .SRCINFO LICENSE
+          git diff --staged --quiet && echo "Nothing to commit, skipping." && exit 0
+          git commit -m "Update to v${VERSION}"
+          git push origin master
 
-  # ── Completion notification ───────────────────────────────────────────────────
+  # ── Notify ───────────────────────────────────────────────────────────────────
   notify:
     name: Notify
     runs-on: ubuntu-latest
-    needs: goreleaser
+    needs: release
     if: always()
 
     steps:
       - name: Release succeeded
-        if: needs.goreleaser.result == 'success'
+        if: needs.release.result == 'success'
         run: |
-          echo "::notice title=Release publicada::cpp-gen ${{ github.ref_name }} foi publicada com sucesso!"
+          echo "::notice title=Release publicada::cpp-gen ${{ github.ref_name }} publicada com sucesso!"
           echo "URL: https://github.com/${{ github.repository }}/releases/tag/${{ github.ref_name }}"
 
       - name: Release failed
-        if: needs.goreleaser.result == 'failure'
+        if: needs.release.result == 'failure'
         run: |
-          echo "::error title=Falha na release::O goreleaser falhou para a tag ${{ github.ref_name }}."
+          echo "::error title=Falha na release::goreleaser falhou para ${{ github.ref_name }}."
           exit 1
diff --git a/.goreleaser.yaml b/.goreleaser.yaml
@@ -77,41 +77,21 @@ checksum:
   algorithm: sha256
 
 # ── AUR ───────────────────────────────────────────────────────────────────────
-# Publishes the PKGBUILD automatically to the Arch User Repository after release.
+# AUR publishing is handled manually in .github/workflows/release.yml via
+# ssh-agent + system git, bypassing goreleaser's built-in AUR integration.
 #
-# Prerequisites:
-#   1. Create an account at https://aur.archlinux.org
-#   2. Generate an SSH key pair: ssh-keygen -t ed25519 -f ~/.ssh/aur
-#   3. Add the public key to your AUR account: https://aur.archlinux.org/account/
-#   4. Register the package with an initial push (branch MUST be master):
-#        git -c init.defaultBranch=master clone ssh://aur@aur.archlinux.org/cpp-gen-bin.git
-#        cp aur/PKGBUILD aur/.SRCINFO aur/LICENSE <cloned-dir>/
-#        cd <cloned-dir> && git add PKGBUILD .SRCINFO LICENSE && git commit -m "Initial release" && git push
-#   5. Add the private key as a GitHub repository secret named AUR_KEY
+# The manual approach avoids "error in libcrypto" caused by goreleaser passing
+# the private key file path to go-git/system SSH in a way that OpenSSH on the
+# GitHub Actions runner cannot parse.
 #
-# Note: The AUR only accepts pushes to the `master` branch.
-# See: https://goreleaser.com/customization/aur/
-
-aurs:
-  - name: cpp-gen-bin
-    homepage: "https://github.com/matpdev/cpp-gen"
-    description: "Modern C++ project generator with CMake, package managers, IDE configurations and development tools."
-    maintainers:
-      - "matpdev <matheus2ep at gmail dot com>"
-    license: MIT
-    private_key: "{{ .Env.AUR_KEY }}"
-    git_url: "ssh://aur@aur.archlinux.org/cpp-gen-bin.git"
-    provides:
-      - cpp-gen
-    conflicts:
-      - cpp-gen
-    package: |-
-      install -Dm755 "./cpp-gen"   "${pkgdir}/usr/bin/cpp-gen"
-      install -Dm644 "./LICENSE"   "${pkgdir}/usr/share/licenses/cpp-gen-bin/LICENSE"
-      install -Dm644 "./README.md" "${pkgdir}/usr/share/doc/cpp-gen-bin/README.md"
-    commit_author:
-      name: goreleaserbot
-      email: bot@goreleaser.com
+# The release.yml workflow:
+#   1. Decodes the base64-encoded AUR_KEY secret to ~/.ssh/aur_key
+#   2. Loads it into ssh-agent (key stays in memory, no file reading by SSH)
+#   3. Clones ssh://aur@aur.archlinux.org/cpp-gen-bin.git
+#   4. Generates PKGBUILD (from aur/PKGBUILD template) with real checksums
+#   5. Generates .SRCINFO inline
+#   6. Commits and pushes to branch master
+
 
 # ── Changelog ─────────────────────────────────────────────────────────────────
 # Generated from commit messages following the Conventional Commits convention.
