fix: onelf asset paths, GHCR push staging, and container output perms

- Extract onelf icon/desktop beside the binary (packages/<parent>/) instead
  of the root outdir, and keep renamed icons in that same dir.

- push_files stages all files into one temp dir before invoking oras.
  Previously oras cd'd into the first file's parent and referenced every
  file by basename, so shared root-outdir files (BUILD.log, CHECKSUM) were
  unreachable when pushing from a package subdir and the push failed with
  'stat .../BUILD.log: no such file'. Same files, names, and destination as
  before — only multi-directory file sets are now handled.

- Container builds run as root, so output subdirs the recipe creates (e.g.
  packages/<pkg>/) aren't writable by the host user and block host-side
  steps (icon/desktop extraction, signing). Append 'chmod -R a+rwX /sbuild'
  to the container script, preserving its exit status. chmod (not chown) is
  used so it works under both rootful docker and rootless docker/podman,
  where container root maps to the host user via a subuid range.

Author: QaidVoid

sbuild/src/builder.rs

@@ -608,16 +608,29 @@ impl Builder {
                 }
 
                 let exec_file = x_exec.run.as_ref().map(|run| {
-                    let script = format!(
-                        "#!/usr/bin/env {}\n{}\n{}",
-                        x_exec.shell,
-                        match self.log_level {
-                            2 => "set -x",
-                            3 => "set -xv",
-                            _ => "",
-                        },
-                        run
-                    );
+                    let setx = match self.log_level {
+                        2 => "set -x",
+                        3 => "set -xv",
+                        _ => "",
+                    };
+                    // In a container the script runs as root, so subdirs the
+                    // recipe creates under the mounted /sbuild (e.g.
+                    // packages/<pkg>/) aren't writable by the host user, which
+                    // blocks later host-side steps (icon/desktop extraction,
+                    // signing). Relax permissions so the host user can write
+                    // regardless of ownership. chmod (not chown) is used
+                    // deliberately: under rootless docker/podman the container
+                    // root maps to the host user via a subuid range, so
+                    // chown-ing to a host uid would map it back out of reach;
+                    // chmod works the same under both rootful and rootless
+                    // runtimes. Preserve the script's real exit status.
+                    let trailer = if build_config.x_exec.container.is_some() {
+                        "\n__sbuild_rc=$?\nchmod -R a+rwX /sbuild 2>/dev/null || true\nexit $__sbuild_rc"
+                    } else {
+                        ""
+                    };
+                    let script =
+                        format!("#!/usr/bin/env {}\n{}\n{}{}", x_exec.shell, setx, run, trailer);
                     let tmp = temp_file(pkg_id, &script);
                     tmp.to_string_lossy().to_string()
                 });
@@ -848,13 +861,19 @@ impl Builder {
                     self.pkg_type = PackageType::Onelf;
                 }
 
+                // Write extracted assets next to the binary so sub-package
+                // provides (packages/<parent>/<cmd>) land in their own dir
+                // rather than the root outdir.
+                let dest_dir = provide_path.parent().unwrap_or_else(|| Path::new(""));
+
                 match OnelfPackage::open(&provide_path) {
                     Ok(mut pkg) => {
                         if self.icon.get(&provide).is_none() {
-                            let dest = format!("{}.DirIcon", cmd);
+                            let dest = dest_dir.join(format!("{}.DirIcon", cmd));
                             match pkg.extract_icon(cmd, &dest) {
                                 Ok(Some(())) => {
-                                    self.logger.info(&format!("Extracted icon to {}", dest));
+                                    self.logger
+                                        .info(&format!("Extracted icon to {}", dest.display()));
                                     self.rename_icon(dest, context, &provide, cmd);
                                 }
                                 Ok(None) => {}
@@ -866,10 +885,11 @@ impl Builder {
                             }
                         }
                         if self.desktop.get(&provide).is_none() {
-                            let dest = format!("{}.desktop", cmd);
+                            let dest = dest_dir.join(format!("{}.desktop", cmd));
                             match pkg.extract_desktop(cmd, &dest) {
                                 Ok(Some(())) => {
-                                    self.logger.info(&format!("Extracted desktop to {}", dest));
+                                    self.logger
+                                        .info(&format!("Extracted desktop to {}", dest.display()));
                                     self.desktop.insert(provide.clone(), true);
                                 }
                                 Ok(None) => {}
@@ -926,12 +946,15 @@ impl Builder {
         } else {
             None
         } {
-            let final_path = format!("{}.{}", cmd, extension);
+            // Keep the renamed icon in the same directory as the source so
+            // sub-package icons don't get hoisted to the root outdir.
+            let dir = file_path.parent().unwrap_or_else(|| Path::new(""));
+            let final_path = dir.join(format!("{}.{}", cmd, extension));
             fs::rename(&file_path, &final_path).unwrap();
             self.logger.info(&format!(
                 "Renamed {} to {}",
                 file_path.display(),
-                final_path
+                final_path.display()
             ));
             self.icon.insert(provide.to_string(), true);
         } else {

sbuild/src/ghcr.rs

@@ -107,32 +107,38 @@ impl GhcrClient {
         // Add target
         cmd.arg(&target);
 
-        // Collect files and determine working directory
-        // We need to cd to the directory so oras stores just filenames, not full paths
-        let mut work_dir: Option<&Path> = None;
+        // oras stores each pushed file under its basename relative to the
+        // working directory. Our file set can span multiple directories (the
+        // package subdir plus shared files in the root outdir like BUILD.log
+        // and CHECKSUM), so cd-ing to a single source directory can't see all
+        // of them. Stage every file into one temp dir and push from there.
+        let staging = tempfile::tempdir()?;
         let mut filenames: Vec<String> = Vec::new();
+        let mut seen: std::collections::HashSet<String> = std::collections::HashSet::new();
 
         for file in files {
             let path = file.as_ref();
-            if path.exists() {
-                if work_dir.is_none() {
-                    work_dir = path.parent();
-                }
-                if let Some(filename) = path.file_name() {
-                    filenames.push(filename.to_string_lossy().to_string());
-                }
+            if !path.exists() {
+                continue;
             }
+            let Some(filename) = path.file_name() else {
+                continue;
+            };
+            let name = filename.to_string_lossy().to_string();
+            // First occurrence of a basename wins; skip later duplicates so a
+            // shared file never clobbers a package-specific one.
+            if !seen.insert(name.clone()) {
+                continue;
+            }
+            std::fs::copy(path, staging.path().join(filename))?;
+            filenames.push(name);
         }
 
-        // Add filenames (relative to work_dir)
+        // Add filenames (relative to the staging dir)
         for filename in &filenames {
             cmd.arg(filename);
         }
-
-        // Set working directory if we have one
-        if let Some(dir) = work_dir {
-            cmd.current_dir(dir);
-        }
+        cmd.current_dir(staging.path());
 
         let output = cmd.output()?;
 

sbuild/tests/onelf_extract.rs

@@ -7,6 +7,7 @@
 //! ```
 
 use std::env;
+use std::path::Path;
 
 use sbuild::onelf::OnelfPackage;
 
@@ -38,3 +39,29 @@ fn extracts_icon_and_desktop() {
     );
     eprintln!("desktop:\n{desktop}");
 }
+
+/// Mirrors the builder's dest-dir computation: for a sub-package binary at
+/// `packages/<parent>/<cmd>`, extracted assets must land in that same dir,
+/// not the root.
+#[test]
+#[ignore]
+fn extracts_next_to_subpackage_binary() {
+    let path = env::var("ONELF_TEST_FILE").expect("set ONELF_TEST_FILE");
+    let cmd = env::var("ONELF_TEST_CMD").unwrap_or_else(|_| "amdgpu_top".to_string());
+    let provide_path = Path::new(&path);
+    let dest_dir = provide_path.parent().unwrap_or_else(|| Path::new(""));
+
+    let mut pkg = OnelfPackage::open(provide_path).expect("open onelf");
+
+    let desktop_dest = dest_dir.join(format!("{cmd}.desktop"));
+    let got = pkg
+        .extract_desktop(&cmd, &desktop_dest)
+        .expect("extract desktop");
+    assert!(got.is_some(), "expected a desktop file");
+    assert!(
+        desktop_dest.exists(),
+        "desktop should be written beside the binary at {}",
+        desktop_dest.display()
+    );
+    eprintln!("desktop written to: {}", desktop_dest.display());
+}