From fea72b34cf7a36eeb0768f52ae42b951dc9ceaf4 Mon Sep 17 00:00:00 2001
From: Pino de Candia <32303022+pinodeca@users.noreply.github.com>
Date: Thu, 4 Jun 2026 01:53:43 +0000
Subject: [PATCH 1/3] Drop unused arm64 packaging scaffolding

The build/validate matrix and README only target amd64, so the arm64 branches in the packaging scripts were dead code. Remove them so the scripts reject unsupported architectures explicitly.
---
 scripts/package-deb.sh | 3 ---
 scripts/validate-deb-package.sh | 3 ---
 2 files changed, 6 deletions(-)

diff --git a/scripts/package-deb.sh b/scripts/package-deb.sh
index 25c7a07..629e51b 100755
--- a/scripts/package-deb.sh
+++ b/scripts/package-deb.sh
@@ -22,9 +22,6 @@ case "$ARCH" in
 amd64|x86_64)
 DEB_ARCH="amd64"
 ;;
- arm64|aarch64)
- DEB_ARCH="arm64"
- ;;
 *)
 echo "unsupported architecture: $ARCH" >&2
 exit 2
diff --git a/scripts/validate-deb-package.sh b/scripts/validate-deb-package.sh
index 3a3fab8..914e52b 100755
--- a/scripts/validate-deb-package.sh
+++ b/scripts/validate-deb-package.sh
@@ -19,9 +19,6 @@ case "$ARCH" in
 amd64|x86_64)
 DEB_ARCH="amd64"
 ;;
- arm64|aarch64)
- DEB_ARCH="arm64"
- ;;
 *)
 echo "unsupported architecture: $ARCH" >&2
 exit 2

From 18ae225854f072c4fecca744f62b7d2693b69bca Mon Sep 17 00:00:00 2001
From: Pino de Candia <32303022+pinodeca@users.noreply.github.com>
Date: Thu, 4 Jun 2026 01:54:00 +0000
Subject: [PATCH 2/3] Publish .deb assets directly and harden release job

- Scope contents:write to the release job only; the rest of the workflow runs read-only (least privilege).
- Upload the .deb files as release assets directly instead of wrapping them in zips, matching the README's documented asset names.
- Publish a SHA256SUMS file so downloaders can verify assets.
- Drop the now-unused zip packaging step and build dependency.
---
 .github/workflows/package-release.yml | 24 ++++++++++++------------
 README.md | 2 +-
 2 files changed, 13 insertions(+), 13 deletions(-)
diff --git a/.github/workflows/package-release.yml b/.github/workflows/package-release.yml
index 30f3013..a8512d5 100644
--- a/.github/workflows/package-release.yml
+++ b/.github/workflows/package-release.yml
@@ -27,7 +27,7 @@ on:
 - 'sql/**'

 permissions:
- contents: write
+ contents: read

 env:
 CARGO_TERM_COLOR: always
@@ -100,8 +100,7 @@ jobs:
 libxml2-dev \
 libxslt1-dev \
 libicu-dev \
- file \
- zip
+ file

 install -d -m 0755 /usr/share/keyrings
 curl -fsSL https://www.postgresql.org/media/keys/ACCC4CF8.asc \
@@ -148,19 +147,12 @@ jobs:
 dpkg-deb -x "$deb_file" check-package
 file "check-package/usr/lib/postgresql/${{ matrix.pg_version }}/lib/pg_durable.so" | grep -E "${{ matrix.platform.file_pattern }}"

- - name: Create package archive
- run: |
- cd dist
- zip "pg-durable-${VERSION}-pg${{ matrix.pg_version }}-${{ matrix.platform.type }}.zip" \
- pg-durable-postgresql-${{ matrix.pg_version }}_*_${{ matrix.platform.type }}.deb
-
 - name: Upload package artifact
 uses: actions/upload-artifact@v4
 with:
 name: pg-durable-package-${{ github.run_id }}-pg${{ matrix.pg_version }}-${{ matrix.platform.type }}
 path: |
 dist/*.deb
- dist/*.zip
 retention-days: 30

 validate-packages:
@@ -248,6 +240,8 @@ jobs:
 needs: [validate-packages, build-source]
 runs-on: ubuntu-latest
 if: github.event_name == 'push' || github.event.inputs.publish_release == 'true'
+ permissions:
+ contents: write
 steps:
 - uses: actions/checkout@v4
@@ -278,5 +272,11 @@ jobs:
 --draft
 fi

- find artifacts -type f \( -name '*.zip' -o -name '*.tar.gz' -o -name '*.tar.bz2' \) -print0 \
- | xargs -0 -I {} gh release upload "$VERSION" "{}" --clobber
\ No newline at end of file
+ mkdir -p release-assets
+ find artifacts -type f \( -name '*.deb' -o -name '*.tar.gz' -o -name '*.tar.bz2' \) \
+ -exec cp -t release-assets {} +
+
+ ( cd release-assets && sha256sum -- * > SHA256SUMS )
+
+ find release-assets -type f -print0 \
+ | xargs -0 -I {} gh release upload "$VERSION" "{}" --clobber
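Review bot: `SHA256SUMS` is generated and uploaded by the same job and token that upload the assets, so it lets downloaders detect transfer corruption but not substitution by anyone able to write releases; the README wording added in this commit presents it as verification, so either qualify that text or pair the sums file with a detached signature or a build-provenance attestation (for example `actions/attest-build-provenance`) so verification has a root of trust independent of the release token. Robustness of the new `( cd release-assets && sha256sum -- * > SHA256SUMS )` line: with no artifacts the `*` stays literal and sha256sum fails, so a guard before it such as `[ "$(ls -A release-assets)" ] || { echo 'no release assets found' >&2; exit 1; }` turns an empty release into an explicit error rather than one that depends on the step's shell options (the `run: |` header for this step is outside the hunk). `find … -exec cp -t release-assets {} +` also silently overwrites on basename collisions across matrix artifacts; the names appear to be unique per pg_version and platform, but a no-clobber copy (`cp -n`) would make that assumption explicit.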
diff --git a/README.md b/README.md
index 24ae577..d99af01 100644
--- a/README.md
+++ b/README.md
@@ -110,7 +110,7 @@ CREATE EXTENSION pg_durable;
 The default pg_durable database is `postgres`; see [User Guide](USER_GUIDE.md) for background worker configuration and privilege setup.

-Release assets also include source archives for building from source.
+Each release also publishes source archives for building from source and a `SHA256SUMS` file for verifying downloaded assets.

 ## Development Installation

From 03e4ed9590df5ea168becbdc722d1486192e51e5 Mon Sep 17 00:00:00 2001
From: Pino de Candia
Date: Thu, 4 Jun 2026 15:33:17 +0000
Subject: [PATCH 3/3] ci: source release tooling from workflow commit, not target tag

---
 .github/workflows/package-release.yml | 26 ++++++++++++++++++++++++--
 1 file changed, 24 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/package-release.yml b/.github/workflows/package-release.yml
index a8512d5..1ae641e 100644
--- a/.github/workflows/package-release.yml
+++ b/.github/workflows/package-release.yml
@@ -57,6 +57,19 @@ jobs:
 with:
 ref: ${{ github.event.inputs.tag || github.ref }}

+ # Release tooling (scripts, packaging helpers) must come from the commit
+ # that defines this workflow, not from the target tag. For
+ # workflow_dispatch, GitHub runs the workflow YAML from the default
+ # branch HEAD while the primary checkout above is pinned to an older
+ # tag, so the tag may predate these scripts. github.sha tracks the
+ # workflow's own commit for both workflow_dispatch (main HEAD) and
+ # push:tags (the tagged commit), keeping YAML and scripts in sync.
+ - name: Checkout release tooling
+ uses: actions/checkout@v4
+ with:
+ ref: ${{ github.sha }}
+ path: _release_tooling
+
 - name: Set version
 run: |
 if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then
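Review bot: The comment block above `Checkout release tooling` says workflow_dispatch runs the YAML from the default branch HEAD; as far as I know the workflow file and `github.sha` come from whichever ref the run was dispatched on, which is the default branch only when that ref was selected, so I would soften that line to `# workflow_dispatch, GitHub runs the workflow YAML from the ref the run was dispatched on (github.sha)`. A consequence worth documenting is that a package is now built from the tag's source with scripts from a different commit, so a release is no longer reproducible from the tag alone; recording the tooling commit in the release (for example a `tooling commit: ${{ github.sha }}` line in the release notes or a small text asset) would let a verifier rebuild the same way. The tooling checkout only needs file content, so `persist-credentials: false` under its `with:` would keep the job token out of `_release_tooling/.git/config`; the same applies to the matching checkout added to validate-packages in the hunk at `@@ -172,6 +185,15 @@`.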
@@ -127,7 +140,7 @@ jobs:
 --no-default-features \
 --features "$FEATURES"

- scripts/package-deb.sh \
+ _release_tooling/scripts/package-deb.sh \
 "$VERSION" \
 "$PWD/target/release/pg_durable-pg${{ matrix.pg_version }}" \
 "${{ matrix.platform.type }}" \
@@ -172,6 +185,15 @@ jobs:
 with:
 ref: ${{ github.event.inputs.tag || github.ref }}

+ # See build-packages: validation tooling must come from the workflow's
+ # own commit (github.sha), not the target tag, so a tag predating these
+ # scripts still validates correctly.
+ - name: Checkout release tooling
+ uses: actions/checkout@v4
+ with:
+ ref: ${{ github.sha }}
+ path: _release_tooling
+
 - name: Download package artifact
 uses: actions/download-artifact@v4
 with:
@@ -186,7 +208,7 @@ jobs:
 -w /work \
 --user root \
 debian:bookworm \
- bash -euxo pipefail -c 'scripts/validate-deb-package.sh "${{ matrix.pg_version }}" "${{ matrix.platform.type }}"'
+ bash -euxo pipefail -c '_release_tooling/scripts/validate-deb-package.sh "${{ matrix.pg_version }}" "${{ matrix.platform.type }}"'

 - name: Upload validation diagnostics on failure
 if: failure()
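Review bot: In the `@@ -186,7 +208,7 @@` hunk the container path `_release_tooling/scripts/validate-deb-package.sh` is resolved against `-w /work`, which only works if the runner workspace including the new `_release_tooling` checkout is what gets mounted at `/work`; the `-v` mount and the start of this `run:` block are outside the hunk, so I cannot confirm that from here. A comment on the `docker run` step naming the assumption, e.g. `# the workspace is mounted at /work, so _release_tooling/ from the tooling checkout is visible in the container`, would make the dependency between the two checkouts and the mount explicit for the next reader.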