Automatically use latest nightly version of Zig

Downloads directly from https://ziglang.org/download

GPG verification of downloaded files is not currently possible because Zig nightly binaries aren't signed.
See github issue https://github.com/ziglang/zig/issues/4945 for details

Using hardcoded sha256 is also impossible because this is an auto-updating package

Therefore, there is no security beyonnd the basic integrity of a https:// network connection (although that is still some security, you would have to forge a signed  HTTPS certificate to intercept).

This commit also changes the versioning scheme to match
the upstream downloads (and be compatible with the main zig package)
This requires incrementing the "epoch"

This change also changes the package to supports multiple architectures (both x86_64 and ARM64)

1 files changed, 60 insertions, 11 deletions

diff --git a/PKGBUILD b/PKGBUILD
index 192bed08b5c4..a9e7b89591c2 100644
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -1,26 +1,75 @@
 # Maintainer: Kaizhao Zhang <zhangkaizhao@gmail.com>
-
-_buildver=0.10.0-dev.2977+7d2e14267
+# Contributor: Techcable <$USER @ techcable.net>
 
 pkgname=zig-dev-bin
-pkgver=20220712
+# Old versions of zig-dev-bin used date as pkgver (pkgver=20220712)
+#
+# Now we use something consistent with zig internal versioning.
+# Without changing the epoch, the old version scheme would be considered
+# "newer" greater than the new version scheme
+epoch=1
+# NOTE: Hyphen -> underscore
+pkgver=0.10.0_dev.3475+b3d463c9e
 pkgrel=1
 pkgdesc="A general-purpose programming language and toolchain for maintaining robust, optimal, and reusable software"
-arch=('x86_64')
+arch=('x86_64' 'aarch64')
 url="https://ziglang.org/"
 license=('MIT')
+makedepends=(curl jq)
 options=('!strip')
 provides=('zig')
 conflicts=('zig')
-source=(
-  "https://ziglang.org/builds/zig-linux-x86_64-${_buildver}.tar.xz"
-)
-sha256sums=(
-  '22faf5006338de0682bb4c62dc0f73e4df5fb837ecaff21570e4ed39dc63b9c1'
-)
+# NOTE: We don't include the "real" source until build()
+source=()
+# GPG verification is not currently possible because Zig binaries aren't signed
+# Hardcoded sha256 not possible because this is a an auto-updating (nightly) package
+#
+# Zig Issue for signed binaries: https://github.com/ziglang/zig/issues/4945
+sha256sums=()
+
+pkgver() {
+    local index_file="${srcdir}/zig-version-index.json";
+    # Invalidate old verison-index.json
+    #
+    # If we put version-index in `source` then it would be cached...
+    if [[ -x "$index_file" ]]; then
+        rm "$index_file";
+    fi
+    curl -sS "https://ziglang.org/download/index.json" -o "$index_file"
+    jq -r .master.version "$index_file" | sed 's/-/_/'
+}
+
+prepare() {
+    local newver="$(pkgver)";
+    pushd "${srcdir}" > /dev/null;
+    local index_file="zig-version-index.json";
+    local newurl="$(jq -r ".master.\"${CARCH}-linux\".tarball" $index_file)";
+    local newfile="zig-linux-${CARCH}-${newver}.tar.xz";
+    source+=("${newfile}:${newurl}")
+    local expected_hash="$(jq -r ".master.\"${CARCH}-linux\".shasum" "$index_file")"
+    sha256sums+=("$newhash")
+    if [[ -f "$newfile" ]]; then
+        echo "Reusing existing $newfile";
+    else
+        echo "Downloading Zig $newver from $newurl" >&2;
+        curl -Ss "$newurl" -o "$newfile";
+    fi;
+    echo "" >&2
+    echo "WARNING: No way to GPG/SHA verify the version ahead of time" >&2
+    echo "See Zig issue https://github.com/ziglang/zig/issues/4945 for signed binaries" >&2;
+    echo "" >&2;
+    local actual_hash="$(sha256sum "$newfile" | grep -oE '^\w+')"
+    if [[ "$expected_hash" != "$actual_hash" ]]; then
+        echo "ERROR: Expected hash $expected_hash for $newfile, but got $actual_hash" >&2;
+        exit 1;
+    fi;
+    echo "Extracting file";
+    tar -xf "$newfile";
+    popd > /dev/null;
+}
 
 package() {
-  cd "${srcdir}/zig-linux-x86_64-${_buildver}"
+  cd "${srcdir}/zig-linux-${CARCH}-${pkgver//_/-}"
   install -d "${pkgdir}/usr/bin"
   install -d "${pkgdir}/usr/lib/zig"
   cp -R lib "${pkgdir}/usr/lib/zig/lib"