feat: add artifact caching to build process and improve error logging

scripts/build.sh

@@ -22,6 +22,20 @@ fi
 
 mkdir -p "${ARTIFACTS_DIR}"
 
+# Skip rebuild if artifacts for this version already exist
+pkgver=$(bash -c "source ${SRC_DIR}/PKGBUILD; echo \${pkgver}")
+pkgrel=$(bash -c "source ${SRC_DIR}/PKGBUILD; echo \${pkgrel}")
+existing=$(find "${ARTIFACTS_DIR}" -maxdepth 1 \
+    -name "webkit2gtk-${pkgver}-${pkgrel}-*.pkg.tar.zst" \
+    ! -name 'webkit2gtk-docs-*' \
+    -print | head -n1)
+
+if [[ -n "${existing}" ]]; then
+    log "Artifacts for ${pkgver}-${pkgrel} already exist, skipping build"
+    log "Using cached: $(basename "${existing}")"
+    exit 0
+fi
+
 # Clean any leftover build artifacts from a previous run
 log "Cleaning previous build artifacts in ${SRC_DIR}"
 # makepkg leaves behind src/, pkg/ and the .pkg.tar.zst files

scripts/check-update.sh

@@ -73,7 +73,7 @@ log "Running publish"
 if "${SCRIPT_DIR}/publish.sh"; then
     log "Publish succeeded"
 else
-    log "ERROR: Publish failed"
+    log "ERROR: Publish failed, exit code: $?"
     exit 1
 fi
 

scripts/entrypoint.sh

@@ -8,6 +8,16 @@
 
 set -euo pipefail
 
+# Load .env so all variables are available both here (root) and in child
+# processes running as builduser. Docker's env_file only sets variables for
+# the initial process; sudo drops them by default.
+if [[ -f /workspace/.env ]]; then
+    set -a
+    # shellcheck source=/dev/null
+    source /workspace/.env
+    set +a
+fi
+
 POLL_INTERVAL_SECONDS="${POLL_INTERVAL_SECONDS:-3600}"
 
 # Set up AUR SSH key
@@ -25,21 +35,21 @@ else
 fi
 
 # Set git identity for builduser
-sudo -u builduser git config --global user.name  "${AUR_MAINTAINER_NAME:-webkit2gtk-automator}"
+sudo -u builduser HOME=/home/builduser git config --global user.name  "${AUR_MAINTAINER_NAME:-webkit2gtk-automator}"
-sudo -u builduser git config --global user.email "${AUR_MAINTAINER_EMAIL:-noreply@localhost}"
+sudo -u builduser HOME=/home/builduser git config --global user.email "${AUR_MAINTAINER_EMAIL:-noreply@localhost}"
 
 # Import WebKitGTK PGP signing keys into builduser's keyring
 # makepkg verifies the source tarball signature against these keys.
 # Try the bundled local keys first (no network needed), then fall back to keyservers.
 echo "[entrypoint] Importing WebKitGTK PGP signing keys"
 if ls /workspace/webkit2gtk/keys/pgp/*.asc &>/dev/null; then
-    sudo -u builduser gpg --import /workspace/webkit2gtk/keys/pgp/*.asc
+    sudo -u builduser HOME=/home/builduser gpg --import /workspace/webkit2gtk/keys/pgp/*.asc
     echo "[entrypoint] PGP keys imported from local bundle"
 else
-    sudo -u builduser gpg --keyserver keyserver.ubuntu.com --recv-keys \
+    sudo -u builduser HOME=/home/builduser gpg --keyserver keyserver.ubuntu.com --recv-keys \
         5AA3BC334FD7E3369E7C77B291C559DBE4C9123B \
         013A0127AC9C65B34FFA62526C1009B693975393 || \
-    sudo -u builduser gpg --keyserver hkps://keys.openpgp.org --recv-keys \
+    sudo -u builduser HOME=/home/builduser gpg --keyserver hkps://keys.openpgp.org --recv-keys \
         5AA3BC334FD7E3369E7C77B291C559DBE4C9123B \
         013A0127AC9C65B34FFA62526C1009B693975393
     echo "[entrypoint] PGP keys imported from keyserver"
@@ -47,7 +57,7 @@ fi
 
 # Drop to builduser and start the polling loop
 echo "[entrypoint] Starting polling loop, interval: ${POLL_INTERVAL_SECONDS}s"
-exec sudo -u builduser bash -c '
+exec sudo -u builduser --preserve-env HOME=/home/builduser bash -c '
     set -euo pipefail
     POLL_INTERVAL_SECONDS="'"${POLL_INTERVAL_SECONDS}"'"
     while true; do

scripts/publish.sh

@@ -33,23 +33,18 @@ die() {
 : "${AUR_MAINTAINER_EMAIL:?AUR_MAINTAINER_EMAIL is not set}"
 
 # Authenticate gh CLI
-echo "${GITHUB_TOKEN}" | gh auth login --with-token
+# GITHUB_TOKEN is already in the environment and picked up by gh automatically
 
-# Find the main webkit2gtk package (not -docs)
+# Find the main webkit2gtk package only (exclude -docs and -debug variants)
 log "Looking for built package in ${ARTIFACTS_DIR}"
-# We want webkit2gtk-<ver>-<rel>-x86_64.pkg.tar.zst, NOT webkit2gtk-docs-*
-pkg_file=$(find "${ARTIFACTS_DIR}" -maxdepth 1 \
-    -name 'webkit2gtk-*.pkg.tar.zst' \
-    ! -name 'webkit2gtk-docs-*' \
-    -print | sort -V | tail -n1)
-
-[[ -n "${pkg_file}" ]] || die "No webkit2gtk .pkg.tar.zst found in ${ARTIFACTS_DIR}"
-log "Found package: ${pkg_file}"
-# Derive version from the built PKGBUILD
 pkgver=$(bash -c "source ${SRC_PKGBUILD}; echo \${pkgver}")
 pkgrel=$(bash -c "source ${SRC_PKGBUILD}; echo \${pkgrel}")
 full_version="${pkgver}-${pkgrel}"
 log "Package version: ${full_version}"
+
+pkg_file="${ARTIFACTS_DIR}/webkit2gtk-${pkgver}-${pkgrel}-x86_64.pkg.tar.zst"
+[[ -f "${pkg_file}" ]] || die "Expected artifact not found: ${pkg_file}"
+log "Found package: ${pkg_file}"
 # Compute sha256sum of the artifact
 sha256=$(sha256sum "${pkg_file}" | awk '{print $1}')
 log "sha256sum: ${sha256}"
@@ -61,12 +56,16 @@ release_title="webkit2gtk ${full_version}"
 
 log "Creating/updating GitHub release ${release_tag}"
 
-# Create the release if it doesn't exist; ignore error if it already does
+# Create the release if it doesn't exist
-gh release create "${release_tag}" \
+if gh release view "${release_tag}" --repo "${GITHUB_REPO}" &>/dev/null; then
+    log "Release ${release_tag} already exists, proceeding to upload asset"
+else
+    log "Creating GitHub release ${release_tag}"
+    gh release create "${release_tag}" \
         --repo "${GITHUB_REPO}" \
         --title "${release_title}" \
-    --notes "Automated build of webkit2gtk ${full_version}" \
+        --notes "Automated build of webkit2gtk ${full_version}"
-    2>/dev/null || log "Release ${release_tag} already exists, proceeding to upload asset"
+fi
 
 # Upload the package (--clobber overwrites an existing asset with the same name)
 log "Uploading ${pkg_filename} to release ${release_tag}"