From 67cb05bebb850ea946f0cff2175a57a766850ff9 Mon Sep 17 00:00:00 2001 From: Claude Date: Wed, 8 Apr 2026 07:00:13 +0000 Subject: [PATCH 1/7] build(pkgbuild): add optional provenance verification to -bin package Add a prepare() function that verifies the build provenance attestations for the binary, completion files, and man page using `gh attestation verify`. The step is gracefully skipped (with a warning) when the GitHub CLI is missing or not authenticated, since `gh attestation verify` currently requires an authenticated session even for public repositories (cli/cli#12030). --- template/parallel-disk-usage-bin/PKGBUILD | 31 +++++++++++++++++++++++ 1 file changed, 31 insertions(+) diff --git a/template/parallel-disk-usage-bin/PKGBUILD b/template/parallel-disk-usage-bin/PKGBUILD index efbe2a00..8b050f45 100644 --- a/template/parallel-disk-usage-bin/PKGBUILD +++ b/template/parallel-disk-usage-bin/PKGBUILD 
@@ -16,6 +16,37 @@ sha1sums=( SKIP # for the license file ) +# Optionally verify the build provenance attestations published alongside the +# release artifacts. This requires: +# * the GitHub CLI (the `github-cli` package), and +# * an authenticated `gh` session (run `gh auth login`) or a `GH_TOKEN` +# environment variable — `gh attestation verify` currently calls the +# GitHub API to fetch the attestation bundle even for public repos +# (see https://github.com/cli/cli/issues/12030). +# When either prerequisite is missing, the verification step is skipped with +# a warning so installing the package remains possible without it. +prepare() { + if ! command -v gh > /dev/null 2>&1; then + warning 'GitHub CLI (gh) not found, skipping provenance verification.' + warning 'Install the github-cli package to enable cryptographic verification of release artifacts.' + return 0 + fi + + if ! gh auth status > /dev/null 2>&1; then + warning 'gh is not authenticated, skipping provenance verification.' + warning 'Run `gh auth login` (or set GH_TOKEN) to enable cryptographic verification of release artifacts.' + return 0 + fi + + msg2 'Verifying build provenance with gh attestation...' + local _repo='KSXGitHub/parallel-disk-usage' + gh attestation verify --repo "$_repo" "pdu-$_checksum" + gh attestation verify --repo "$_repo" "completion.$pkgver.bash" + gh attestation verify --repo "$_repo" "completion.$pkgver.fish" + gh attestation verify --repo "$_repo" "completion.$pkgver.zsh" + gh attestation verify --repo "$_repo" "pdu.$pkgver.1" +} + package() { install -Dm755 "pdu-$_checksum" "$pkgdir/usr/bin/pdu" install -Dm644 README.md "$pkgdir/usr/share/doc/$pkgname/README.md" From 929d3c722b93b1fc8123b8736449834becaf9f1c Mon Sep 17 00:00:00 2001 From: Claude Date: Wed, 8 Apr 2026 07:07:02 +0000 Subject: [PATCH 2/7] build(pkgbuild): drop redundant comments above prepare() --- template/parallel-disk-usage-bin/PKGBUILD | 9 --------- 1 file changed, 9 deletions(-) 
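Review bot: Every `gh attestation verify --repo "$_repo" …` call in prepare() accepts an attestation produced by any workflow of that repository, not only the release workflow, so a signed artifact from an unrelated or test workflow in the same repo would also pass. If the release workflow path is stable, pinning the signer with `--signer-workflow` (e.g. `gh attestation verify --repo "$_repo" --signer-workflow "<owner/repo/.github/workflows/RELEASE.yml — placeholder>" "$_file"`) narrows the accepted identity to the actual release pipeline; confirm the flag is available in the `github-cli` version shipped in the target repos before relying on it. Note also that both early `return 0` branches make the check advisory, so a PKGBUILD reader cannot tell from the exit status alone whether verification ran; a one-line comment above prepare() such as `# Verification is best-effort: it is skipped, not failed, when gh is absent or unauthenticated.` would make that contract explicit (the comment block this commit adds is removed again in a later patch). `_checksum` is referenced but defined outside this hunk.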
diff --git a/template/parallel-disk-usage-bin/PKGBUILD b/template/parallel-disk-usage-bin/PKGBUILD index 8b050f45..184b766c 100644 --- a/template/parallel-disk-usage-bin/PKGBUILD +++ b/template/parallel-disk-usage-bin/PKGBUILD @@ -16,15 +16,6 @@ sha1sums=( SKIP # for the license file ) -# Optionally verify the build provenance attestations published alongside the -# release artifacts. This requires: -# * the GitHub CLI (the `github-cli` package), and -# * an authenticated `gh` session (run `gh auth login`) or a `GH_TOKEN` -# environment variable — `gh attestation verify` currently calls the -# GitHub API to fetch the attestation bundle even for public repos -# (see https://github.com/cli/cli/issues/12030). -# When either prerequisite is missing, the verification step is skipped with -# a warning so installing the package remains possible without it. prepare() { if ! command -v gh > /dev/null 2>&1; then warning 'GitHub CLI (gh) not found, skipping provenance verification.' From 7772949945e45b62c2e5b919201ebd869b5cdc9a Mon Sep 17 00:00:00 2001 From: Claude Date: Wed, 8 Apr 2026 07:10:04 +0000 Subject: [PATCH 3/7] build(pkgbuild): skip provenance check for the man page The binary and shell completions are the high-risk artifacts (the binary runs as root during install, the completions are sourced by every interactive shell). The man page is rendered by groff in safer mode, so verifying it adds little value compared to keeping the prepare() function short. --- template/parallel-disk-usage-bin/PKGBUILD | 1 - 1 file changed, 1 deletion(-) diff --git a/template/parallel-disk-usage-bin/PKGBUILD b/template/parallel-disk-usage-bin/PKGBUILD index 184b766c..66da761e 100644 --- a/template/parallel-disk-usage-bin/PKGBUILD +++ b/template/parallel-disk-usage-bin/PKGBUILD 
@@ -35,7 +35,6 @@ prepare() { gh attestation verify --repo "$_repo" "completion.$pkgver.bash" gh attestation verify --repo "$_repo" "completion.$pkgver.fish" gh attestation verify --repo "$_repo" "completion.$pkgver.zsh" - gh attestation verify --repo "$_repo" "pdu.$pkgver.1" } package() { From a30fa97328b2640b7eda5b5bbe18f40f57d1e942 Mon Sep 17 00:00:00 2001 From: Claude Date: Wed, 8 Apr 2026 07:14:26 +0000 Subject: [PATCH 4/7] build(pkgbuild): prefix advisory warnings with `hint:` makepkg has no `hint` helper, so the warnings about missing `gh` / missing authentication read as if the script intends to perform the action itself. Prefix them with `hint:` to make their advisory nature explicit. --- template/parallel-disk-usage-bin/PKGBUILD | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/template/parallel-disk-usage-bin/PKGBUILD b/template/parallel-disk-usage-bin/PKGBUILD index 66da761e..d8a97d1c 100644 --- a/template/parallel-disk-usage-bin/PKGBUILD +++ b/template/parallel-disk-usage-bin/PKGBUILD @@ -19,13 +19,13 @@ sha1sums=( prepare() { if ! command -v gh > /dev/null 2>&1; then warning 'GitHub CLI (gh) not found, skipping provenance verification.' - warning 'Install the github-cli package to enable cryptographic verification of release artifacts.' + warning 'hint: install the github-cli package to enable cryptographic verification of release artifacts.' return 0 fi if ! gh auth status > /dev/null 2>&1; then warning 'gh is not authenticated, skipping provenance verification.' - warning 'Run `gh auth login` (or set GH_TOKEN) to enable cryptographic verification of release artifacts.' + warning 'hint: run `gh auth login` (or set GH_TOKEN) to enable cryptographic verification of release artifacts.' return 0 fi From 986c8e90913efce4946610362f6e4b0da5fe832a Mon Sep 17 00:00:00 2001 
From: Claude Date: Wed, 8 Apr 2026 07:18:18 +0000 Subject: [PATCH 5/7] build(pkgbuild): use `plain` for the hint follow-up lines Stacking `WARNING:` and `hint:` on the same line reads as a contradictory severity tag. Switch the second line of each branch to makepkg's `plain` helper, which renders as an indented continuation without re-asserting the warning prefix. --- template/parallel-disk-usage-bin/PKGBUILD | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/template/parallel-disk-usage-bin/PKGBUILD b/template/parallel-disk-usage-bin/PKGBUILD index d8a97d1c..f7e8eb0e 100644 --- a/template/parallel-disk-usage-bin/PKGBUILD +++ b/template/parallel-disk-usage-bin/PKGBUILD @@ -19,13 +19,13 @@ sha1sums=( prepare() { if ! command -v gh > /dev/null 2>&1; then warning 'GitHub CLI (gh) not found, skipping provenance verification.' - warning 'hint: install the github-cli package to enable cryptographic verification of release artifacts.' + plain 'hint: install the github-cli package to enable cryptographic verification of release artifacts.' return 0 fi if ! gh auth status > /dev/null 2>&1; then warning 'gh is not authenticated, skipping provenance verification.' - warning 'hint: run `gh auth login` (or set GH_TOKEN) to enable cryptographic verification of release artifacts.' + plain 'hint: run `gh auth login` (or set GH_TOKEN) to enable cryptographic verification of release artifacts.' return 0 fi From 647f54f74b24ef763c3ea5a8d39423b3752549ae Mon Sep 17 00:00:00 2001 
From: Claude Date: Wed, 8 Apr 2026 07:30:29 +0000 Subject: [PATCH 6/7] build(pkgbuild): make provenance verification opt-out via env var Wrap the verify loop so that a failure (including transient network or rate-limit errors) points users at PDU_SKIP_PROVENANCE_VERIFY as an escape hatch, and honor the variable up front to let users skip the check entirely in offline builds. Addresses Copilot review feedback on KSXGitHub/parallel-disk-usage#390. --- template/parallel-disk-usage-bin/PKGBUILD | 17 +++++++++++++---- 1 file changed, 13 insertions(+), 4 deletions(-) diff --git a/template/parallel-disk-usage-bin/PKGBUILD b/template/parallel-disk-usage-bin/PKGBUILD index f7e8eb0e..e40de522 100644 --- a/template/parallel-disk-usage-bin/PKGBUILD +++ b/template/parallel-disk-usage-bin/PKGBUILD @@ -17,6 +17,11 @@ sha1sums=( ) prepare() { + if [[ -n $PDU_SKIP_PROVENANCE_VERIFY ]]; then + warning 'PDU_SKIP_PROVENANCE_VERIFY is set, skipping provenance verification.' + return 0 + fi + if ! command -v gh > /dev/null 2>&1; then warning 'GitHub CLI (gh) not found, skipping provenance verification.' plain 'hint: install the github-cli package to enable cryptographic verification of release artifacts.' @@ -31,10 +36,14 @@ prepare() { msg2 'Verifying build provenance with gh attestation...' local _repo='KSXGitHub/parallel-disk-usage' - gh attestation verify --repo "$_repo" "pdu-$_checksum" - gh attestation verify --repo "$_repo" "completion.$pkgver.bash" - gh attestation verify --repo "$_repo" "completion.$pkgver.fish" - gh attestation verify --repo "$_repo" "completion.$pkgver.zsh" + local _file + for _file in "pdu-$_checksum" "completion.$pkgver.bash" "completion.$pkgver.fish" "completion.$pkgver.zsh"; do + if ! gh attestation verify --repo "$_repo" "$_file"; then + error 'Build provenance verification failed.' + plain 'hint: set PDU_SKIP_PROVENANCE_VERIFY=1 to skip verification (e.g., for offline builds).' + return 1 + fi + done } package() { 
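Review bot: The new guard `if [[ -n $PDU_SKIP_PROVENANCE_VERIFY ]]; then` skips verification for any non-empty value, so a user who sets `PDU_SKIP_PROVENANCE_VERIFY=0` or `=false` to express "do not skip" silently disables the check, which is the opposite of what the hint (`set PDU_SKIP_PROVENANCE_VERIFY=1 …`) implies. Matching the documented value avoids that footgun: `if [[ -n ${PDU_SKIP_PROVENANCE_VERIFY:-} && $PDU_SKIP_PROVENANCE_VERIFY != 0 ]]; then`. The body of prepare() continues past the end of this hunk.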
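Review bot: The failure branch inside the `for _file in …` loop reports `error 'Build provenance verification failed.'` without naming the artifact, so when one of four files fails the user has to reconstruct which one from gh's own stderr; `error "Build provenance verification failed for $_file."` costs nothing and makes the log self-contained. Since the branch cannot distinguish a digest or identity mismatch from a network or rate-limit error (gh's output is the only signal), the hint that follows should not read as a general remedy; consider `plain 'hint: inspect the gh output above before setting PDU_SKIP_PROVENANCE_VERIFY=1; skip only for failures unrelated to artifact trust.'`. prepare() starts outside this hunk.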
From ae96a3b2d2e0f8c510c10af357ac6778302afec0 Mon Sep 17 00:00:00 2001 From: Claude Date: Wed, 8 Apr 2026 07:35:30 +0000 Subject: [PATCH 7/7] build(pkgbuild): reword hint for provenance skip escape hatch "For offline builds" was too narrow and framed the opt-out as a convenience knob. Rephrase to make the rule explicit: use PDU_SKIP_PROVENANCE_VERIFY only when a failure is unrelated to artifact trust, so users don't treat it as a way to silence real tampering signals. --- template/parallel-disk-usage-bin/PKGBUILD | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/template/parallel-disk-usage-bin/PKGBUILD b/template/parallel-disk-usage-bin/PKGBUILD index e40de522..eb8a45f2 100644 --- a/template/parallel-disk-usage-bin/PKGBUILD +++ b/template/parallel-disk-usage-bin/PKGBUILD @@ -40,7 +40,7 @@ prepare() { for _file in "pdu-$_checksum" "completion.$pkgver.bash" "completion.$pkgver.fish" "completion.$pkgver.zsh"; do if ! gh attestation verify --repo "$_repo" "$_file"; then error 'Build provenance verification failed.' - plain 'hint: set PDU_SKIP_PROVENANCE_VERIFY=1 to skip verification (e.g., for offline builds).' + plain 'hint: set PDU_SKIP_PROVENANCE_VERIFY=1 to skip verification for failures unrelated to artifact trust (e.g. transient network errors).' return 1 fi done