Merged
Add a prepare() function that verifies the build provenance attestations for the binary, completion files, and man page using `gh attestation verify`. The step is gracefully skipped (with a warning) when the GitHub CLI is missing or not authenticated, since `gh attestation verify` currently requires an authenticated session even for public repositories (cli/cli#12030).
The binary and shell completions are the high-risk artifacts (the binary runs as root during install, the completions are sourced by every interactive shell). The man page is rendered by groff in safer mode, so verifying it adds little value compared to keeping the prepare() function short.
makepkg has no `hint` helper, so the warnings about missing `gh` / missing authentication read as if the script intends to perform the action itself. Prefix them with `hint:` to make their advisory nature explicit.
Stacking `WARNING:` and `hint:` on the same line reads as a contradictory severity tag. Switch the second line of each branch to makepkg's `plain` helper, which renders as an indented continuation without re-asserting the warning prefix.
Pull request overview
This PR adds a provenance verification step to the parallel-disk-usage-bin AUR PKGBUILD template, leveraging GitHub CLI attestations to validate release artifacts when gh is available and authenticated.
Changes:
- Add a `prepare()` hook that attempts to verify artifact attestations via `gh attestation verify`.
- Skip provenance verification with warnings when `gh` is missing or not authenticated.
Performance Regression Report (commit: 883725e): There are no regressions.
Wrap the verify loop so that a failure (including transient network or rate-limit errors) points users at PDU_SKIP_PROVENANCE_VERIFY as an escape hatch, and honor the variable up front to let users skip the check entirely in offline builds. Addresses Copilot review feedback on #390.
KSXGitHub commented Apr 8, 2026
"For offline builds" was too narrow and framed the opt-out as a convenience knob. Rephrase to make the rule explicit: use PDU_SKIP_PROVENANCE_VERIFY only when a failure is unrelated to artifact trust, so users don't treat it as a way to silence real tampering signals.
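The prepare() hook described across the commit messages above, written out as an added example (not the PR's PKGBUILD): it honors PDU_SKIP_PROVENANCE_VERIFY first, skips with a warning when `gh` is missing or unauthenticated, and mentions the variable only on an actual verification failure. The repo slug, the stub message helpers and passing artifact paths as arguments are assumptions made so it runs outside makepkg.

```bash
#!/usr/bin/env bash
# Added example, not the PKGBUILD from the PR. Assumptions: makepkg's
# warning/plain/error helpers are stubbed when absent, the repo slug is
# KSXGitHub/parallel-disk-usage, and artifacts are passed as arguments
# instead of being derived from $srcdir.

# Stand-ins for makepkg's message helpers so the file runs outside makepkg.
type warning >/dev/null 2>&1 || warning() { printf 'WARNING: %s\n' "$*" >&2; }
type plain   >/dev/null 2>&1 || plain()   { printf '    %s\n' "$*" >&2; }
type error   >/dev/null 2>&1 || error()   { printf 'ERROR: %s\n' "$*" >&2; }

_pdu_repo="KSXGitHub/parallel-disk-usage"   # owner/repo passed to --repo

# Returns 0 when every artifact verified, or when the check was skipped for a
# reason unrelated to artifact trust (opt-out, no gh, no auth). Returns 1 only
# when gh actually ran and rejected an artifact.
prepare() {
  if [ -n "${PDU_SKIP_PROVENANCE_VERIFY:-}" ]; then
    warning "PDU_SKIP_PROVENANCE_VERIFY is set; skipping provenance verification"
    plain "hint: use this only when a failure is unrelated to artifact trust"
    return 0
  fi
  if ! command -v gh >/dev/null 2>&1; then
    warning "GitHub CLI (gh) not found; skipping provenance verification"
    plain "hint: install github-cli and run 'gh auth login' to enable the check"
    return 0
  fi
  if ! gh auth status >/dev/null 2>&1; then
    warning "gh is not authenticated; skipping provenance verification"
    plain "hint: 'gh attestation verify' needs an authenticated session (cli/cli#12030)"
    return 0
  fi
  local artifact
  for artifact in "$@"; do
    # Verify the build provenance attestation of each high-risk artifact.
    if ! gh attestation verify "$artifact" --repo "$_pdu_repo"; then
      error "provenance verification failed for $artifact"
      plain "If the cause is unrelated to artifact trust (network, rate limit),"
      plain "rerun with PDU_SKIP_PROVENANCE_VERIFY=1. Do not use it to silence"
      plain "a real verification failure."
      return 1
    fi
  done
  return 0
}
```

Under makepkg the helpers already exist, so the stubs are no-ops and the hook would be called as `prepare "$srcdir/pdu" "$srcdir/completions/"*`.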
Adds provenance verification steps to the parallel-disk-usage-bin AUR package. https://claude.ai/code/session_01Yc9Cmehp4Hc7fBezohZNwt