ci: add AUR automation to release workflow #11
Add update-aur job to release.yml that automatically updates the jwt-term-bin AUR package on each release. The job downloads release assets, computes SHA256 checksums, updates the PKGBUILD, generates .SRCINFO, and pushes to AUR via SSH. Also bumps PKGBUILD version from 1.0.1 to 1.1.0 and updates ROADMAP to reflect AUR submission and automation are complete.
Pull request overview
Adds automated AUR package updates to the release workflow so jwt-term-bin stays in sync with GitHub Releases, alongside updating packaging metadata and roadmap status.
Changes:
- Add an `update-aur` job to `.github/workflows/release.yml` that downloads release assets, computes SHA256 sums, updates `PKGBUILD`/`.SRCINFO`, and pushes to AUR via SSH.
- Bump `packaging/aur/PKGBUILD` version to `1.1.0`.
- Update `ROADMAP.md` to mark AUR automation as complete and reorganize remaining distribution work.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| .github/workflows/release.yml | Introduces the new AUR automation job within the release pipeline. |
| packaging/aur/PKGBUILD | Updates pkgver to align with the new release version. |
| ROADMAP.md | Marks AUR work as done and updates distribution status tracking. |
| echo "${{ secrets.AUR_SSH_KEY }}" > ~/.ssh/aur | ||
| chmod 600 ~/.ssh/aur | ||
| cat >> ~/.ssh/config << 'EOF' | ||
| Host aur.archlinux.org | ||
| IdentityFile ~/.ssh/aur | ||
| User aur | ||
| StrictHostKeyChecking accept-new |
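Review bot: `StrictHostKeyChecking accept-new` in this `Host aur.archlinux.org` block makes every fresh runner trust whatever host key it receives on its first connection, so the push to AUR has no protection against an interposed host on that first contact; pin the expected `aur.archlinux.org` key instead by writing a fixed known_hosts line (kept in the repo or a secret, not fetched at job time) into `~/.ssh/known_hosts` and setting `StrictHostKeyChecking yes`. Running `ssh-keyscan` inside the job only moves the trust-on-first-use from the push to the scan.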
Fixed in de5cde0 — now using ssh-keyscan -t ed25519 aur.archlinux.org to pin the host key and StrictHostKeyChecking yes.
| - name: Configure SSH for AUR | ||
| run: | | ||
| mkdir -p ~/.ssh | ||
| echo "${{ secrets.AUR_SSH_KEY }}" > ~/.ssh/aur |
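Review bot: `echo "${{ secrets.AUR_SSH_KEY }}" > ~/.ssh/aur` interpolates the secret into the script text and creates the key file under the runner's default umask before any chmod runs, and `mkdir -p ~/.ssh` leaves the directory at default permissions as well; pass the key through an `env:` entry (e.g. `AUR_SSH_KEY: ${{ secrets.AUR_SSH_KEY }}`), run `umask 077` before writing with `printf '%s\n' "$AUR_SSH_KEY" > ~/.ssh/aur`, and `chmod 700 ~/.ssh`. Keep the trailing newline on the key file; OpenSSH's key parsers are strict about it.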
Fixed in de5cde0 — switched to printf '%s' and added chmod 700 ~/.ssh.
| VERSION="${GITHUB_REF_NAME#v}" | ||
| TAG="${GITHUB_REF_NAME}" | ||
| BASE="https://github.com/felipemorandini/jwt-term/releases/download/${TAG}" | ||
|
|
||
| curl -sL "${BASE}/jwt-term-x86_64-unknown-linux-musl.tar.gz" -o x86_64.tar.gz | ||
| curl -sL "${BASE}/jwt-term-aarch64-unknown-linux-musl.tar.gz" -o aarch64.tar.gz | ||
| curl -sL "https://raw.githubusercontent.com/felipemorandini/jwt-term/${TAG}/LICENSE" -o LICENSE | ||
|
|
||
| SHA_X86_64=$(sha256sum x86_64.tar.gz | cut -d' ' -f1) | ||
| SHA_AARCH64=$(sha256sum aarch64.tar.gz | cut -d' ' -f1) | ||
| SHA_LICENSE=$(sha256sum LICENSE | cut -d' ' -f1) |
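Review bot: `curl -sL` without `-f` exits 0 on an HTTP 404 or 5xx and writes the error body to `x86_64.tar.gz`, so the `sha256sum` lines below would hash an HTML page and the job would push a PKGBUILD whose checksums can never match the real release artefacts; use `curl -fsSL --retry 3` and start the script with `set -euo pipefail` so a failed download aborts the job. Since these checksums are computed from whatever the runner downloaded, the PKGBUILD only attests to that download; if the release job publishes its own checksum file, comparing against it here would catch a tampered or truncated asset before it is pinned for every AUR user.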
Fixed in de5cde0 — now using set -euo pipefail and curl -fSL --retry 3 so the job fails immediately on HTTP errors.
| # Generate .SRCINFO (makepkg is not available on Ubuntu) | ||
| # .SRCINFO uses tab indentation for fields under pkgbase/pkgname | ||
| TAB=$'\t' | ||
| URL="https://github.com/felipemorandini/jwt-term" | ||
| { | ||
| echo "pkgbase = jwt-term-bin" | ||
| echo "${TAB}pkgdesc = A blazing-fast, secure, and offline-first CLI for inspecting, validating, and manipulating JWTs" | ||
| echo "${TAB}pkgver = ${VERSION}" | ||
| echo "${TAB}pkgrel = 1" | ||
| echo "${TAB}url = ${URL}" | ||
| echo "${TAB}arch = x86_64" | ||
| echo "${TAB}arch = aarch64" | ||
| echo "${TAB}license = MIT" | ||
| echo "${TAB}provides = jwt-term" | ||
| echo "${TAB}conflicts = jwt-term" | ||
| echo "${TAB}source_x86_64 = ${URL}/releases/download/v${VERSION}/jwt-term-x86_64-unknown-linux-musl.tar.gz" | ||
| echo "${TAB}source_x86_64 = ${URL}/raw/v${VERSION}/LICENSE" | ||
| echo "${TAB}sha256sums_x86_64 = ${SHA_X86_64}" | ||
| echo "${TAB}sha256sums_x86_64 = ${SHA_LICENSE}" | ||
| echo "${TAB}source_aarch64 = ${URL}/releases/download/v${VERSION}/jwt-term-aarch64-unknown-linux-musl.tar.gz" | ||
| echo "${TAB}source_aarch64 = ${URL}/raw/v${VERSION}/LICENSE" | ||
| echo "${TAB}sha256sums_aarch64 = ${SHA_AARCH64}" | ||
| echo "${TAB}sha256sums_aarch64 = ${SHA_LICENSE}" | ||
| echo "" | ||
| echo "pkgname = jwt-term-bin" | ||
| } > .SRCINFO |
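Review bot: the `source_*` and `sha256sums_*` lines here are typed out independently of the arrays in `packaging/aur/PKGBUILD`, and the order of the tarball and LICENSE entries must agree between the two files for makepkg to verify the right file against the right hash; a cheap guard is to diff this output against `makepkg --printsrcinfo` run as a non-root user in an `archlinux` container, or at least fail the job when the count and order of `sha256sums_*` values differ from the PKGBUILD. The `echo "${TAB}pkgdesc = ...` line is likewise a second copy of the description that will silently diverge from the PKGBUILD.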
Acknowledged — this is a known trade-off. makepkg --printsrcinfo requires an Arch Linux environment (not available on Ubuntu runners). Adding a Docker container step would add significant time and complexity. The .SRCINFO is generated from the same variables used to update the PKGBUILD, so they stay in sync for all fields that change between releases (version, checksums, sources). If dependencies or pkgdesc change in the future, both the hardcoded .SRCINFO generation and the PKGBUILD template would need updating together — this is acceptable for a -bin package with no build dependencies.
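A consistency check for the drift the reply above accepts, as an added example that is not the project's code: it compares the fields a hand-generated .SRCINFO duplicates from PKGBUILD (pkgver, pkgrel, pkgdesc and the per-arch sha256sums lists) without sourcing the PKGBUILD, using constructed sample files with placeholder checksums.

```shell
#!/usr/bin/env bash
# Consistency check between a hand-written PKGBUILD and a generated .SRCINFO.
# Added example, not the project's code. It reads both files with sed only
# (never sources the PKGBUILD, so nothing from the package file is executed)
# and fails when pkgver, pkgrel, pkgdesc or a per-arch sha256sums list drift.

# Scalar "key=value" from PKGBUILD, surrounding quotes stripped.
pkgbuild_scalar() {  # $1=PKGBUILD path, $2=key
  sed -n "s/^$2=//p" "$1" | head -n1 | sed "s/^[\"']//; s/[\"']\$//"
}
# Items of a bash array key=('a' 'b') from PKGBUILD, one per line.
pkgbuild_array() {   # $1=PKGBUILD path, $2=key
  sed -n "s/^$2=(\(.*\))\$/\1/p" "$1" | tr -d "'\"" | tr ' ' '\n'
}
# Values of "<tab>key = value" lines from .SRCINFO, one per line, in order.
srcinfo_values() {   # $1=.SRCINFO path, $2=key
  sed -n "s/^[[:space:]]*$2 = //p" "$1"
}

# Returns 0 when every compared field matches, 1 on the first drift found.
check_srcinfo() {    # $1=PKGBUILD path, $2=.SRCINFO path
  local key a b
  for key in pkgver pkgrel pkgdesc; do
    a=$(pkgbuild_scalar "$1" "$key"); b=$(srcinfo_values "$2" "$key")
    [ "$a" = "$b" ] || { echo "drift: $key PKGBUILD='$a' .SRCINFO='$b'" >&2; return 1; }
  done
  for key in sha256sums_x86_64 sha256sums_aarch64; do
    a=$(pkgbuild_array "$1" "$key"); b=$(srcinfo_values "$2" "$key")
    [ "$a" = "$b" ] || { echo "drift: $key lists differ in value or order" >&2; return 1; }
  done
  return 0
}

# Constructed sample pair; checksums are placeholders, not real release hashes.
write_samples() {    # $1=output dir, $2=pkgver to write into .SRCINFO
  cat > "$1/PKGBUILD" <<'EOF'
pkgname=jwt-term-bin
pkgver=1.1.0
pkgrel=1
pkgdesc="A blazing-fast, secure, and offline-first CLI for inspecting, validating, and manipulating JWTs"
sha256sums_x86_64=('aaaa' 'cccc')
sha256sums_aarch64=('bbbb' 'cccc')
EOF
  printf 'pkgbase = jwt-term-bin\n\tpkgdesc = A blazing-fast, secure, and offline-first CLI for inspecting, validating, and manipulating JWTs\n' > "$1/.SRCINFO"
  printf '\tpkgver = %s\n\tpkgrel = 1\n' "$2" >> "$1/.SRCINFO"
  printf '\tsha256sums_x86_64 = aaaa\n\tsha256sums_x86_64 = cccc\n' >> "$1/.SRCINFO"
  printf '\tsha256sums_aarch64 = bbbb\n\tsha256sums_aarch64 = cccc\n\npkgname = jwt-term-bin\n' >> "$1/.SRCINFO"
}
```

Run `check_srcinfo packaging/aur/PKGBUILD .SRCINFO` as a step after the generation block; a non-zero exit fails the job before anything is pushed.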
- Pin AUR host key via ssh-keyscan instead of accept-new (MITM prevention)
- Use printf instead of echo for SSH key to preserve multi-line content
- Use curl -fSL --retry 3 to fail on HTTP errors instead of silently hashing error pages
- Set chmod 700 on ~/.ssh directory
Summary
- Add `update-aur` job to `release.yml` that automatically updates the `jwt-term-bin` AUR package on each release
- (`jwt-term-bin` is live)

Test plan
- `update-aur` job runs after `release` job
- `AUR_SSH_KEY` secret correctly