From 68f770fc554ffbc91b6b628779f24d0c1c4ed5ff Mon Sep 17 00:00:00 2001
From: nelsoduarte <nelson.miguel.duarte@outlook.com>
Date: Sun, 10 May 2026 22:15:13 +0100
Subject: [PATCH] fix(aur): hash all six pdfapps-bin sources instead of SKIP

Background: AUR user BluePeril reported that `updpkgsums` had to be
run manually every time the pdfapps-bin PKGBUILD updated, because
five of the six sources used `sha256sums = SKIP`. The auxiliary
sources (LICENSE, .desktop, .metainfo.xml, icon, svg) are pinned to
the release tag so technically immutable, but having real hashes
makes `updpkgsums` a no-op and matches AUR conventions for binary
packages.

- Update committed `aur/pdfapps-bin/PKGBUILD` + `.SRCINFO` to v1.13.10
  with sha256 of all six sources computed against the v1.13.10 tag.
- Rewrite the `publish.yml` pdfapps-bin step to compute all six hashes
  on every release and rewrite the entire sha256sums block (Python
  in-place edit, both PKGBUILD and .SRCINFO).

After this PR is merged, the next publish.yml run will push the
v1.13.10 PKGBUILD to AUR with all six hashes, addressing the user's
complaint.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 .github/workflows/publish.yml | 53 +++++++++++++++++++++++++++++------
 aur/pdfapps-bin/.SRCINFO      | 28 +++++++++---------
 aur/pdfapps-bin/PKGBUILD      | 14 ++++-----
 3 files changed, 66 insertions(+), 29 deletions(-)

diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 85013f4..a727da0 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -111,20 +111,57 @@ jobs:
           set -e
           VER="${{ needs.resolve.outputs.version }}"
 
-          # Compute sha256 of the binary tarball from the GitHub release
-          BIN_SHA=$(curl -sL "https://github.com/nelsonduarte/PDFApps/releases/download/v${VER}/PDFApps-Linux.tar.gz" | sha256sum | awk '{print $1}')
-          echo "Binary tarball sha256: $BIN_SHA"
+          # Compute sha256 for all six sources. Five are tag-pinned
+          # immutable URLs so SKIP would be technically safe, but AUR
+          # users want `updpkgsums` to be a no-op (BluePeril, 2026-05).
+          BIN_SHA=$(curl -fsL "https://github.com/nelsonduarte/PDFApps/releases/download/v${VER}/PDFApps-Linux.tar.gz" | sha256sum | awk '{print $1}')
+          LICENSE_SHA=$(curl -fsL "https://raw.githubusercontent.com/nelsonduarte/PDFApps/v${VER}/LICENSE" | sha256sum | awk '{print $1}')
+          DESKTOP_SHA=$(curl -fsL "https://raw.githubusercontent.com/nelsonduarte/PDFApps/v${VER}/flatpak/io.github.nelsonduarte.PDFApps.desktop" | sha256sum | awk '{print $1}')
+          METAINFO_SHA=$(curl -fsL "https://raw.githubusercontent.com/nelsonduarte/PDFApps/v${VER}/flatpak/io.github.nelsonduarte.PDFApps.metainfo.xml" | sha256sum | awk '{print $1}')
+          PNG_SHA=$(curl -fsL "https://raw.githubusercontent.com/nelsonduarte/PDFApps/v${VER}/icon_512.png" | sha256sum | awk '{print $1}')
+          SVG_SHA=$(curl -fsL "https://raw.githubusercontent.com/nelsonduarte/PDFApps/v${VER}/pdfapps.svg" | sha256sum | awk '{print $1}')
+
+          for v in BIN_SHA LICENSE_SHA DESKTOP_SHA METAINFO_SHA PNG_SHA SVG_SHA; do
+            echo "$v=${!v}"
+          done
 
           rm -rf /tmp/aur-pdfapps-bin
           git clone ssh://aur@aur.archlinux.org/pdfapps-bin.git /tmp/aur-pdfapps-bin
           cp aur/pdfapps-bin/PKGBUILD aur/pdfapps-bin/.SRCINFO /tmp/aur-pdfapps-bin/
           cd /tmp/aur-pdfapps-bin
 
-          # Patch only the first sha256 (binary tarball) — the rest are SKIP
-          sed -i "0,/sha256sums=/{s|sha256sums=(|sha256sums=(\n    '${BIN_SHA}'|}" PKGBUILD || true
-          # Simpler: replace the old hash line
-          sed -i "s|'[a-f0-9]\{64\}'|'${BIN_SHA}'|" PKGBUILD
-          sed -i "0,/sha256sums = [a-f0-9]/{s|sha256sums = [a-f0-9].*|sha256sums = ${BIN_SHA}|}" .SRCINFO
+          # Rewrite PKGBUILD's sha256sums block (6 entries, in source order)
+          # and .SRCINFO's six sha256sums lines.
+          BIN_SHA="$BIN_SHA" LICENSE_SHA="$LICENSE_SHA" \
+          DESKTOP_SHA="$DESKTOP_SHA" METAINFO_SHA="$METAINFO_SHA" \
+          PNG_SHA="$PNG_SHA" SVG_SHA="$SVG_SHA" \
+          python3 <<'PY'
+          import os, re
+
+          hashes = [os.environ[k] for k in (
+              "BIN_SHA", "LICENSE_SHA", "DESKTOP_SHA",
+              "METAINFO_SHA", "PNG_SHA", "SVG_SHA",
+          )]
+
+          # PKGBUILD: replace the whole sha256sums=(...) array.
+          with open("PKGBUILD") as f:
+              src = f.read()
+          new_block = "sha256sums=(\n" + "\n".join(f"    '{h}'" for h in hashes) + "\n)"
+          src = re.sub(r"sha256sums=\([^)]*\)", new_block, src, count=1)
+          with open("PKGBUILD", "w") as f:
+              f.write(src)
+
+          # .SRCINFO: replace the six tab-indented sha256sums lines, in order.
+          with open(".SRCINFO") as f:
+              lines = f.readlines()
+          hi = 0
+          for i, line in enumerate(lines):
+              if line.lstrip().startswith("sha256sums = ") and hi < len(hashes):
+                  lines[i] = f"\tsha256sums = {hashes[hi]}\n"
+                  hi += 1
+          with open(".SRCINFO", "w") as f:
+              f.writelines(lines)
+          PY
 
           if git diff --quiet; then
             echo "no changes — nothing to push"
diff --git a/aur/pdfapps-bin/.SRCINFO b/aur/pdfapps-bin/.SRCINFO
index 37894ad..8f7ba9b 100644
--- a/aur/pdfapps-bin/.SRCINFO
+++ b/aur/pdfapps-bin/.SRCINFO
@@ -1,11 +1,11 @@
 pkgbase = pdfapps-bin
 	pkgdesc = Fast, offline, subscription-free PDF editor (PyInstaller binary)
-	pkgver = 1.13.9
+	pkgver = 1.13.10
 	pkgrel = 1
 	url = https://nelsonduarte.github.io/PDFApps/
 	arch = x86_64
 	license = MIT
-	provides = pdfapps=1.13.9
+	provides = pdfapps=1.13.10
 	conflicts = pdfapps
 	depends = glibc
 	depends = fontconfig
@@ -18,17 +18,17 @@ pkgbase = pdfapps-bin
 	optdepends = tesseract-data-fra: French OCR
 	optdepends = tesseract-data-deu: German OCR
 	optdepends = ghostscript: advanced PDF compression
-	source = pdfapps-1.13.9.tar.gz::https://github.com/nelsonduarte/PDFApps/releases/download/v1.13.9/PDFApps-Linux.tar.gz
-	source = LICENSE::https://raw.githubusercontent.com/nelsonduarte/PDFApps/v1.13.9/LICENSE
-	source = pdfapps.desktop::https://raw.githubusercontent.com/nelsonduarte/PDFApps/v1.13.9/flatpak/io.github.nelsonduarte.PDFApps.desktop
-	source = pdfapps.metainfo.xml::https://raw.githubusercontent.com/nelsonduarte/PDFApps/v1.13.9/flatpak/io.github.nelsonduarte.PDFApps.metainfo.xml
-	source = pdfapps.png::https://raw.githubusercontent.com/nelsonduarte/PDFApps/v1.13.9/icon_512.png
-	source = pdfapps.svg::https://raw.githubusercontent.com/nelsonduarte/PDFApps/v1.13.9/pdfapps.svg
-	sha256sums = 3ad529ec1f02ba515e722becc28029d7ced68480d2a0e60d58811fe5c0d68f19
-	sha256sums = SKIP
-	sha256sums = SKIP
-	sha256sums = SKIP
-	sha256sums = SKIP
-	sha256sums = SKIP
+	source = pdfapps-1.13.10.tar.gz::https://github.com/nelsonduarte/PDFApps/releases/download/v1.13.10/PDFApps-Linux.tar.gz
+	source = LICENSE::https://raw.githubusercontent.com/nelsonduarte/PDFApps/v1.13.10/LICENSE
+	source = pdfapps.desktop::https://raw.githubusercontent.com/nelsonduarte/PDFApps/v1.13.10/flatpak/io.github.nelsonduarte.PDFApps.desktop
+	source = pdfapps.metainfo.xml::https://raw.githubusercontent.com/nelsonduarte/PDFApps/v1.13.10/flatpak/io.github.nelsonduarte.PDFApps.metainfo.xml
+	source = pdfapps.png::https://raw.githubusercontent.com/nelsonduarte/PDFApps/v1.13.10/icon_512.png
+	source = pdfapps.svg::https://raw.githubusercontent.com/nelsonduarte/PDFApps/v1.13.10/pdfapps.svg
+	sha256sums = 7b168c704551516c29d32684a86ba2ef0755c5a087362ed81a92e0350b7fed71
+	sha256sums = 7db363c32a832c173e807e3737b50425dd2554acf93b25715a68483c4ff68c51
+	sha256sums = 0d7610911a09ee9c5ff3770de433bc61c31d81825ff433e8c42e46eedc6324b5
+	sha256sums = 8547fc58d95ce363ea0058a057d1776d169cd7fd4adbb5b91ef478136fefbf12
+	sha256sums = 79800a6233787dc82b3ea31c7de75be10149e387d1180029ec14e59301663c77
+	sha256sums = 97d82b76f38a287d8eaaee1f295ed3848052f35855439a44f57197854ac20361
 
 pkgname = pdfapps-bin
diff --git a/aur/pdfapps-bin/PKGBUILD b/aur/pdfapps-bin/PKGBUILD
index 54276af..df9d175 100644
--- a/aur/pdfapps-bin/PKGBUILD
+++ b/aur/pdfapps-bin/PKGBUILD
@@ -1,7 +1,7 @@
 # Maintainer: Nelson Duarte <nelsonduarte@github.com>
 pkgname=pdfapps-bin
 _pkgname=pdfapps
-pkgver=1.13.9
+pkgver=1.13.10
 pkgrel=1
 pkgdesc="Fast, offline, subscription-free PDF editor (PyInstaller binary)"
 arch=('x86_64')
@@ -33,12 +33,12 @@ source=(
     "$_pkgname.svg::https://raw.githubusercontent.com/nelsonduarte/PDFApps/v$pkgver/pdfapps.svg"
 )
 sha256sums=(
-    '3ad529ec1f02ba515e722becc28029d7ced68480d2a0e60d58811fe5c0d68f19'
-    'SKIP'
-    'SKIP'
-    'SKIP'
-    'SKIP'
-    'SKIP'
+    '7b168c704551516c29d32684a86ba2ef0755c5a087362ed81a92e0350b7fed71'
+    '7db363c32a832c173e807e3737b50425dd2554acf93b25715a68483c4ff68c51'
+    '0d7610911a09ee9c5ff3770de433bc61c31d81825ff433e8c42e46eedc6324b5'
+    '8547fc58d95ce363ea0058a057d1776d169cd7fd4adbb5b91ef478136fefbf12'
+    '79800a6233787dc82b3ea31c7de75be10149e387d1180029ec14e59301663c77'
+    '97d82b76f38a287d8eaaee1f295ed3848052f35855439a44f57197854ac20361'
 )
 
 package() {