feat(linux): sign .deb/.rpm with minisign and add arm64 packages#228

Merged
AprilNEA merged 2 commits into
masterfrom
feat/linux-release-signing-arm64
Jun 12, 2026

Conversation

@AprilNEA (Owner)
Follow-up to the Linux packaging from #179/#182. Closes the two gaps that left Linux behind macOS and Windows: the packages were unsigned and amd64-only.

Changes

Sign .deb/.rpm with minisign
The signing loop covered only the DMGs and Windows binaries, so Linux packages shipped with no detached signature. Add them to the loop so each ships a verifiable .minisig against the release public key — the same scheme already used for every other artifact. They were already in the release upload globs and the R2 sync.

Build arm64 packages
The linux-packages job ran only on amd64. Matrix it over native amd64 (ubuntu-latest) and arm64 (ubuntu-24.04-arm, GA + free for public repos) runners. nfpm's arch is now driven by PKG_ARCH, which xtask derives from the host it builds on; collected-package and upload-artifact names are per-arch so the publish job merges both sets. fail-fast: false + the existing !cancelled() publish gate keep the arm64 leg best-effort, so a broken arm64 build never blocks a release.

Validation

release.yml runs only on tags / workflow_dispatch, so PR CI does not exercise it. To validate before merging, run a publish-free workflow_dispatch of this workflow on this branch — it builds and signs both arches without cutting a release, the same way the Windows arm64 leg was proven. The build is native (no cross-compile), so the main thing to confirm is that the GUI (gpui) builds on the arm64 runner.

Not done here: native GPG package signatures (rpm --addsign / dpkg-sig). minisign is consistent with the rest of the project and needs no new key material; native GPG can follow if there's demand.
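As an added example, not the project's own release.yml or xtask code, the bash below mirrors the release-side pieces described above: the per-leg host-architecture check (uname -m against the matrix arch, with the same x86_64→amd64 / aarch64→arm64 mapping and a hard failure on anything else), the nullglob-guarded loop that signs each Linux package with minisign, the SHA256SUMS step, and the check a downloader runs against the release public key. The function names, the dist/ layout, the secret-key path argument and the sample package names in the comments are assumptions.

```bash
#!/usr/bin/env bash
# Added example mirroring the steps this PR adds to release.yml; not the
# project's own workflow. dist/ layout, key paths and function names are
# assumed. Requires bash (shopt, local).
set -eo pipefail

# Map a kernel machine name (uname -m) to the Debian/nfpm arch label.
# Anything else is rejected, mirroring xtask bailing on unsupported arches.
deb_arch_for() {
  case "$1" in
    x86_64)  echo amd64 ;;
    aarch64) echo arm64 ;;
    *) echo "unsupported host arch: $1" >&2; return 1 ;;
  esac
}

# Architecture verification step: refuse to build if the runner's host
# arch does not match the matrix leg it was scheduled for. The host
# name defaults to uname -m; the second argument exists for testing.
verify_runner_arch() {
  local expected="$1" host="${2:-$(uname -m)}" actual
  actual="$(deb_arch_for "$host")" || return 1
  if [ "$actual" != "$expected" ]; then
    echo "runner is $actual but matrix.arch is $expected" >&2
    return 1
  fi
}

# Enumerate Linux packages under a dist dir. nullglob makes an empty glob
# expand to nothing instead of the literal pattern, so a release with no
# .rpm (or a skipped arm64 leg) does not try to sign a file named '*.rpm'.
collect_packages() {
  local dist="$1" pkg
  shopt -s nullglob
  for pkg in "$dist"/*.deb "$dist"/*.rpm; do
    printf '%s\n' "$pkg"
  done
  shopt -u nullglob
}

# SHA256SUMS over every artifact in dist/. Fails loudly if there is
# nothing to hash rather than writing an empty manifest. Falls back to
# shasum on hosts without GNU coreutils.
write_sha256sums() {
  local dist="$1" sha=sha256sum
  command -v sha256sum >/dev/null 2>&1 || sha="shasum -a 256"
  (
    cd "$dist"
    shopt -s nullglob
    set -- *.dmg *.deb *.rpm
    [ "$#" -gt 0 ] || { echo "no artifacts in $dist" >&2; exit 1; }
    $sha "$@" > SHA256SUMS
  )
}

# Publish-side signing loop: one detached .minisig per package, made with
# the release secret key at $2 (assumed path). Same nullglob guard as above.
sign_packages() {
  local dist="$1" seckey="$2" pkg
  shopt -s nullglob
  for pkg in "$dist"/*.deb "$dist"/*.rpm; do
    minisign -S -s "$seckey" -m "$pkg" -x "$pkg.minisig"
  done
  shopt -u nullglob
}

# What a downloader runs: verify the package against the published public
# key string ($2). Fails closed: a missing .minisig is an error, not a skip.
verify_package() {
  local pkg="$1" pubkey="$2"
  [ -f "$pkg.minisig" ] || { echo "missing signature for $pkg" >&2; return 1; }
  minisign -V -P "$pubkey" -m "$pkg" -x "$pkg.minisig"
}

# Example invocation on a runner (assumed paths):
#   verify_runner_arch "$MATRIX_ARCH"
#   write_sha256sums dist && sign_packages dist "$MINISIGN_SECRET_KEY"
```

`collect_packages` is what the signing loop iterates over; it is split out so the nullglob behaviour can be checked on its own, and `verify_package` refuses a package whose `.minisig` is absent rather than treating "no signature" as "nothing to verify", which is the failure mode a detached-signature scheme has to guard against on the consumer side.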

AprilNEA added 2 commits June 12, 2026 20:35

The minisign signing loop covered only the DMGs and Windows binaries,
so the .deb/.rpm packages shipped with no detached signature —
inconsistent with the other platforms and leaving no way to verify a
downloaded package against the release key.

Add them to the loop so each Linux package gets a verifiable .minisig
(already listed in the release upload globs and the R2 sync).

The linux-packages job ran only on amd64, so users on aarch64 (Ampere,
Raspberry Pi, Apple-silicon VMs) had no package.

Matrix the job over native amd64 (ubuntu-latest) and arm64
(ubuntu-24.04-arm, free for public repos) runners. nfpm's arch is now
driven by PKG_ARCH, which xtask derives from the host it builds on; the
collected package and upload-artifact names are per-arch so the publish
job merges both sets.
greptile-apps (Bot) commented Jun 12, 2026
Greptile Summary

This PR fills two gaps left by the original Linux packaging work: packages were unsigned and amd64-only. It matrices the linux-packages job over native amd64 (ubuntu-latest) and arm64 (ubuntu-24.04-arm) runners, and extends the minisign signing loop to cover .deb/.rpm alongside the existing DMG and Windows artifacts.

  • arm64 builds: A new matrix leg adds ubuntu-24.04-arm with its own per-arch nfpm checksum, an architecture verification step (uname -m vs matrix.arch), and per-arch artifact names; the publish job merges both sets with merge-multiple: true. fail-fast: false keeps the arm64 leg best-effort, consistent with Windows.
  • minisign signing: .deb and .rpm are added to the existing nullglob-guarded signing loop in publish; no new key material or verification logic is needed.
  • xtask / nfpm config: pkg_arch is derived from std::env::consts::ARCH at build time and passed as PKG_ARCH to nfpm, replacing the hardcoded arch: amd64 in nfpm.yaml.

Confidence Score: 4/5

Safe to merge after verifying the arm64 nfpm checksum against the official release page; all other logic is consistent with existing patterns.

The workflow changes are well-structured: architecture verification, per-arch artifact naming, merge-multiple download, and nullglob-guarded signing all work correctly together. The only thing that warrants a pre-merge check is the new arm64 nfpm SHA256 value — a wrong hash would break every arm64 CI run until corrected, though it would fail loudly rather than ship anything incorrect.

release.yml matrix entry for arm64 — specifically the nfpm_sha256 value should be spot-checked against the nfpm v2.46.3 releases page.

Important Files Changed

| Filename | Overview |
| --- | --- |
| .github/workflows/release.yml | Matrices linux-packages over amd64/arm64 runners, adds architecture verification, per-arch artifact naming, pattern-based merge download in publish, and extends the minisign loop to cover .deb/.rpm — all changes are logically consistent and follow the existing Windows best-effort pattern |
| packaging/linux/nfpm.yaml | Replaces hardcoded arch: amd64 with env-var interpolation arch: "${PKG_ARCH}", and updates the doc comment to show both env vars; change is minimal and correct |
| xtask/src/linux.rs | Adds pkg_arch detection from std::env::consts::ARCH (x86_64→amd64, aarch64→arm64) and passes PKG_ARCH to nfpm; mapping correctly mirrors Debian/nfpm conventions and bails on unsupported arches |

Sequence Diagram

```mermaid
sequenceDiagram
    participant GH as GitHub Actions
    participant amd64 as linux-packages (amd64)
    participant arm64 as linux-packages (arm64)
    participant pub as publish

    GH->>amd64: trigger (ubuntu-latest)
    GH->>arm64: trigger (ubuntu-24.04-arm)

    amd64->>amd64: "verify uname -m == amd64"
    amd64->>amd64: install nfpm (amd64 .deb, verified SHA256)
    amd64->>amd64: "cargo xtask package-linux (PKG_ARCH=amd64)"
    amd64->>amd64: "collect → dist/openlogi-*-linux-amd64.{deb,rpm}"
    amd64->>GH: upload-artifact OpenLogi-linux-packages-amd64

    arm64->>arm64: "verify uname -m == arm64"
    arm64->>arm64: install nfpm (arm64 .deb, verified SHA256)
    arm64->>arm64: "cargo xtask package-linux (PKG_ARCH=arm64)"
    arm64->>arm64: "collect → dist/openlogi-*-linux-arm64.{deb,rpm}"
    arm64->>GH: upload-artifact OpenLogi-linux-packages-arm64

    GH->>pub: trigger (needs: macos ✓, release-notes ✓)
    pub->>GH: "download-artifact pattern=OpenLogi-linux-packages-* (merge-multiple)"
    pub->>pub: "sha256sum *.dmg *.deb *.rpm → SHA256SUMS"
    pub->>pub: "minisign sign dist/*.deb dist/*.rpm (nullglob)"
    pub->>pub: upload to R2 + GitHub Release
```

Reviews (1): Last reviewed commit: "feat(release): build arm64 Linux .deb/.r..."

Comment on lines +546 to +548

```yaml
- arch: arm64
  runner: ubuntu-24.04-arm
  nfpm_sha256: "dc63aa7228ec70490bae67ad3146883055a055639dcf0dffc82fa965bac75a31"
```


P2 Unverifiable arm64 nfpm checksum in the matrix

The nfpm_sha256 value for arm64 (dc63aa7228ec70490bae67ad3146883055a055639dcf0dffc82fa965bac75a31) is new and there's no existing record in the repo to cross-check it against. While a wrong hash causes a safe, loud failure (sha256sum -c exits non-zero) rather than silently shipping a bad binary, it would also permanently break all arm64 builds until corrected. Worth a quick spot-check against the official nfpm v2.46.3 release page before merging.


@AprilNEA AprilNEA merged commit 12ef39f into master Jun 12, 2026
8 checks passed
@AprilNEA AprilNEA deleted the feat/linux-release-signing-arm64 branch June 12, 2026 12:55