fix(arch)+ci: clone the latest release tag, guard it in CI

install.sh's Arch path now clones the resolved release tag ($RELEASE_TAG)
instead of a hard-coded branch, matching what deb/rpm/tarball already do
(all four targets follow the same published release). A published tag
always has a downloadable archive and its PKGBUILD pins _tag to that
version, so makepkg's source=() can never 404 — and Arch tracks the
latest release automatically, nothing hard-coded.

Add tests/test-install-arch-source.sh + a CI job reproducing the
installer's Arch chain (resolve the cloned ref -> read its PKGBUILD _tag
-> assert archive/v$_tag.tar.gz is HTTP 200). It fails on the broken
state (clone master -> 1.4.0-beta -> 404) and passes on the fixed state,
so a future master bump to an unreleased version, a stale hard-coded
branch, or a tag/_tag mismatch is caught in CI before users hit it (#17).

(cherry picked from commit 35c7687)

Author: rcspam

.github/workflows/rust.yml

@@ -70,6 +70,17 @@ jobs:
     - name: Audit packaging deps manifest vs builders
       run: python3 packaging/audit-deps.py
 
+  test-install-arch-source:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v5
+    - name: Verify the Arch installer resolves to an existing source tarball
+      # Guards against issue #17: the Arch install path must clone a ref
+      # whose PKGBUILD _tag points at a tarball that actually exists (HTTP
+      # 200). Catches a master bump to an unreleased version, a stale
+      # hard-coded branch, or any tag/_tag mismatch — before users hit it.
+      run: bash tests/test-install-arch-source.sh
+
   test-x86:
     runs-on: ubuntu-latest
     steps:
@@ -93,7 +104,7 @@ jobs:
       run: cargo test --verbose
 
   release:
-    needs: [lint, test-postprocess, test-apply-continuation, test-transcribe-routing, packaging-audit, test-x86, test-arm64]
+    needs: [lint, test-postprocess, test-apply-continuation, test-transcribe-routing, packaging-audit, test-install-arch-source, test-x86, test-arm64]
     # Disabled: dictee ships locally-built CUDA assets that CI cannot produce,
     # so a tag push must NOT auto-publish an empty release (it would also flip
     # the GitHub "Latest" pointer and break install.sh's asset lookup for

install.sh

@@ -568,14 +568,21 @@ mode_online() {
             fi
         fi
 
-        info "Cloning the dictee repository (release/1.3)..."
-        # Clone the matching release branch for Arch (not master): makepkg
-        # then builds THIS release's PKGBUILD, whose source= fetches the
-        # release's version tag archive (v1.3.5). PKGBUILD packaging fixes
-        # still ship without a binary version bump — the tag archive is the
-        # frozen binary source. The 1.4 line ships its own install.sh that
-        # clones master.
-        git clone --depth 1 --branch release/1.3 "https://github.com/${REPO}.git" dictee-src
+        info "Cloning dictee at the latest release tag (${RELEASE_TAG})..."
+        # Clone the resolved release TAG ($RELEASE_TAG), NOT master. This
+        # mirrors what the deb/rpm/tarball paths already do — they pull assets
+        # from the release tag — so all four targets follow the same published
+        # release. The Arch path builds from source, so it clones the tag to
+        # read its PKGBUILD; makepkg then builds it via source=()
+        # (archive/v$_tag.tar.gz). Cloning the tag guarantees that archive
+        # exists: a published tag always has a downloadable archive, and the
+        # tag's PKGBUILD pins _tag to that same version. master must NOT be
+        # cloned — it can sit ahead on an unreleased dev version (e.g.
+        # 1.4.0-beta) whose tag does not exist yet, making makepkg fetch a 404
+        # archive and abort (issue #17). Tracking $RELEASE_TAG also means Arch
+        # follows the latest published release automatically, nothing
+        # hard-coded. $RELEASE_TAG is set above (latest stable, or --version).
+        git clone --depth 1 --branch "$RELEASE_TAG" "https://github.com/${REPO}.git" dictee-src
         cd dictee-src
 
         info "Building via makepkg (this will compile from source)..."

tests/test-install-arch-source.sh

@@ -0,0 +1,71 @@
+#!/usr/bin/env bash
+# test-install-arch-source.sh — guard against issue #17.
+#
+# The online installer's Arch path clones a git ref so makepkg can read its
+# PKGBUILD; makepkg then re-fetches the tagged tarball declared in the
+# PKGBUILD's source=() (archive/v$_tag.tar.gz) and builds THAT. If the
+# cloned ref's PKGBUILD points _tag at a version that was never tagged
+# (e.g. an in-dev 1.4.0-beta on master), the download 404s and makepkg
+# aborts for every Arch/CachyOS user.
+#
+# This test reproduces the exact chain the installer takes and asserts the
+# resulting source tarball actually exists (HTTP 200). It fails on the
+# broken state (clone master -> _tag=1.4.0-beta -> 404) and passes on the
+# fixed state (clone the latest release tag / release branch -> 200).
+#
+# Usage: test-install-arch-source.sh [path-to-install.sh]
+#   defaults to the install.sh at the repo root next to this test.
+
+set -uo pipefail
+
+REPO="rcspam/dictee"
+INSTALL_SH="${1:-$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)/install.sh}"
+
+fail() { echo "FAIL: $*" >&2; exit 1; }
+
+[[ -r "$INSTALL_SH" ]] || fail "install.sh not readable: $INSTALL_SH"
+
+# 1. Find the Arch clone line (ignore the unrelated AUR dotool clone).
+clone_line="$(grep -E 'git clone .*dictee-src' "$INSTALL_SH" | grep -vE 'aur\.archlinux' | head -1)"
+[[ -n "$clone_line" ]] || fail "no 'git clone ... dictee-src' line found in $INSTALL_SH"
+
+# 2. Extract the --branch argument. It may be a literal ref (a branch like
+#    release/1.3 or a tag like v1.3.5) or the $RELEASE_TAG variable. A bare
+#    clone with no --branch checks out the repo's default branch (master).
+ref=""
+if [[ "$clone_line" =~ --branch[[:space:]]+([^[:space:]]+) ]]; then
+    ref="${BASH_REMATCH[1]}"
+    ref="${ref%\"}"; ref="${ref#\"}"        # strip surrounding double quotes
+fi
+
+case "$ref" in
+    "")
+        ref="master" ;;                      # bare clone -> default branch
+    *'$RELEASE_TAG'*|*'${RELEASE_TAG}'*)
+        # Installer clones the resolved latest-release tag. Resolve it the
+        # same way install.sh does, so we exercise the real chain.
+        ref="$(curl -fsSL "https://api.github.com/repos/${REPO}/releases/latest" \
+                | grep -Po '"tag_name"\s*:\s*"\K[^"]+' | head -1)"
+        [[ -n "$ref" ]] || fail "cannot resolve \$RELEASE_TAG from /releases/latest" ;;
+    *'$'*)
+        fail "unsupported variable in install.sh --branch argument: $ref" ;;
+esac
+echo "Installer resolves Arch source to ref: $ref"
+
+# 3. Read that ref's PKGBUILD and extract _tag (the version makepkg fetches).
+pkgbuild="$(curl -fsSL "https://raw.githubusercontent.com/${REPO}/${ref}/PKGBUILD")" \
+    || fail "cannot fetch PKGBUILD from ref '$ref'"
+tag="$(printf '%s\n' "$pkgbuild" | grep -E '^_tag=' | head -1 | cut -d= -f2)"
+[[ -n "$tag" ]] || fail "no _tag= in PKGBUILD of ref '$ref'"
+echo "PKGBUILD _tag: $tag"
+
+# 4. The chain only works if archive/v$_tag.tar.gz exists (what makepkg's
+#    source=() downloads). Assert HTTP 200.
+url="https://github.com/${REPO}/archive/v${tag}.tar.gz"
+code="$(curl -fsS -o /dev/null -w '%{http_code}' -L "$url")"
+echo "Source archive $url -> HTTP $code"
+
+[[ "$code" == "200" ]] \
+    || fail "Arch installer would fetch a non-existent tarball (HTTP $code) for v$tag — see issue #17"
+
+echo "PASS: installer's Arch source chain resolves to an existing tarball (v$tag)"