ci: add AUR automation to release workflow #20
Pull request overview
This PR extends the existing tag-driven release pipeline by adding automated AUR publishing for the smartlog-bin package, and updates packaging docs/metadata to reflect completed distribution work.
Changes:
- Add an update-aur job to the release workflow to clone smartlog-bin from AUR, update PKGBUILD/.SRCINFO, and push via SSH.
- Bump the AUR PKGBUILD version to 0.6.0.
- Update ROADMAP.md to mark AUR automation and other distribution items as done/partially done.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| .github/workflows/release.yml | Adds update-aur job that fetches release assets, computes checksums, updates AUR packaging files, and pushes to AUR. |
| packaging/aur/PKGBUILD | Updates pkgver to 0.6.0 for the AUR smartlog-bin package. |
| ROADMAP.md | Updates project roadmap/distribution status (AUR automation marked complete). |
| ssh-keyscan -t ed25519 aur.archlinux.org >> ~/.ssh/known_hosts 2>/dev/null | ||
| cat >> ~/.ssh/config << 'EOF' | ||
| Host aur.archlinux.org | ||
| IdentityFile ~/.ssh/aur | ||
| User aur | ||
| StrictHostKeyChecking yes | ||
| EOF |
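Review bot: The ssh-keyscan line appends whatever key the network returns on this run straight into known_hosts, so StrictHostKeyChecking yes only verifies later connections against an unverified value, and 2>/dev/null hides a failed or empty scan. Compare the scanned ssh-ed25519 key against a host key or fingerprint committed in the repository before writing it, and drop the stderr redirect so a scan failure is visible in the job log.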
Valid point. For now, ssh-keyscan is still better than accept-new since it writes to known_hosts and StrictHostKeyChecking yes ensures subsequent connections verify against it. Pinning a committed fingerprint is a future hardening step — the current risk is limited to the first connection per workflow run.
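One way to do the pinning mentioned above, as an added example that is not part of this PR or the smartlog repository: the scan output is accepted only if it equals a host key committed beforehand (the full public key rather than a fingerprint). `PINNED_KEY` is a constructed placeholder, not the real aur.archlinux.org key, and `verify_scan` and `install_pinned_host` are hypothetical helper names.

```shell
#!/bin/sh
# Added example (not from the PR). Pin the host key: accept ssh-keyscan output
# only if it matches a key committed beforehand.
PINNED_HOST="aur.archlinux.org"
PINNED_TYPE="ssh-ed25519"
# Constructed placeholder, NOT the real AUR key. Replace it with the key you
# verified out of band.
PINNED_KEY="AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERxCONSTRUCTEDxKEYxNOTxREALx000000"

# verify_scan (hypothetical helper): reads ssh-keyscan output on stdin.
# Prints the pinned known_hosts line and returns 0 only when every key of the
# pinned type offered for the host equals PINNED_KEY. An empty scan returns 1.
verify_scan() {
    awk -v h="$PINNED_HOST" -v t="$PINNED_TYPE" -v k="$PINNED_KEY" '
        /^#/ || NF < 3 { next }          # banner comments, blank or short lines
        $1 == h && $2 == t {
            if ($3 == k) { ok = 1 } else { bad = 1 }   # bad: unexpected key
        }
        END {
            if (ok && !bad) { print h " " t " " k; exit 0 }
            exit 1
        }'
}

# install_pinned_host (hypothetical helper): $1 = known_hosts path.
# Appends the verified line, or writes nothing and fails.
install_pinned_host() {
    line=$(verify_scan) || {
        echo "host key for $PINNED_HOST missing or not the pinned key" >&2
        return 1
    }
    printf '%s\n' "$line" >> "$1"
}

# In the workflow step this would replace the unverified append, e.g.:
#   ssh-keyscan -t ed25519 aur.archlinux.org | install_pinned_host ~/.ssh/known_hosts
# Demo on constructed scan output (no network):
printf '%s\n' "# constructed banner" "$PINNED_HOST $PINNED_TYPE $PINNED_KEY" | verify_scan
```

Because the scan is piped rather than redirected with `2>/dev/null`, a failed scan yields empty input and the step fails instead of leaving known_hosts empty.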
| # Generate .SRCINFO (makepkg is not available on Ubuntu) | ||
| # .SRCINFO uses tab indentation for fields under pkgbase/pkgname | ||
| TAB=$'\t' | ||
| URL="https://github.com/felipemorandini/smartlog" | ||
| { | ||
| echo "pkgbase = smartlog-bin" | ||
| echo "${TAB}pkgdesc = A high-performance TUI for log tailing with JSON auto-detection and real-time filtering" | ||
| echo "${TAB}pkgver = ${VERSION}" | ||
| echo "${TAB}pkgrel = 1" | ||
| echo "${TAB}url = ${URL}" | ||
| echo "${TAB}arch = x86_64" | ||
| echo "${TAB}arch = aarch64" | ||
| echo "${TAB}license = MIT" | ||
| echo "${TAB}provides = smartlog" | ||
| echo "${TAB}conflicts = smartlog" | ||
| echo "${TAB}source_x86_64 = ${URL}/releases/download/v${VERSION}/smartlog-x86_64-unknown-linux-musl.tar.gz" | ||
| echo "${TAB}source_x86_64 = ${URL}/raw/v${VERSION}/LICENSE" | ||
| echo "${TAB}sha256sums_x86_64 = ${SHA_X86_64}" | ||
| echo "${TAB}sha256sums_x86_64 = ${SHA_LICENSE}" | ||
| echo "${TAB}source_aarch64 = ${URL}/releases/download/v${VERSION}/smartlog-aarch64-unknown-linux-musl.tar.gz" | ||
| echo "${TAB}source_aarch64 = ${URL}/raw/v${VERSION}/LICENSE" | ||
| echo "${TAB}sha256sums_aarch64 = ${SHA_AARCH64}" | ||
| echo "${TAB}sha256sums_aarch64 = ${SHA_LICENSE}" | ||
| echo "" | ||
| echo "pkgname = smartlog-bin" | ||
| } > .SRCINFO |
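Review bot: The hand-written .SRCINFO block hardcodes pkgdesc, pkgrel = 1, license, provides and conflicts, so these have to be kept in step with the PKGBUILD by hand and a pkgrel bump or description change would leave .SRCINFO silently stale. Add a step that fails the job when these fields differ from the PKGBUILD, or derive them from it, and check that SHA_X86_64, SHA_AARCH64 and SHA_LICENSE are non-empty 64-character hex strings before this block writes them.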
Known trade-off. makepkg --printsrcinfo requires an Arch Linux container, adding complexity and CI time. The .SRCINFO is generated from the same variables used to update the PKGBUILD, keeping them in sync for all fields that change between releases (version, checksums, sources). For a -bin package with no build dependencies, the static fields (pkgdesc, url, license) change very rarely — when they do, both would need manual updating together. Acceptable risk for now.
| ssh-keyscan -t ed25519 aur.archlinux.org >> ~/.ssh/known_hosts 2>/dev/null | ||
| cat >> ~/.ssh/config << 'EOF' | ||
| Host aur.archlinux.org | ||
| IdentityFile ~/.ssh/aur |
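Review bot: The Host aur.archlinux.org entry sets IdentityFile ~/.ssh/aur but the lines shown have no IdentitiesOnly yes, so ssh can still offer any keys held by an agent on the runner in addition to the AUR key. Add IdentitiesOnly yes under the Host entry so only the configured deploy key is presented.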
Good suggestion. Adding IdentitiesOnly yes to the SSH config would be a nice hardening step. Will address in a follow-up.
Add update-aur job to release.yml that automatically updates the smartlog-bin AUR package on each release. The job downloads release assets, computes SHA256 checksums, updates the PKGBUILD, generates .SRCINFO, and pushes to AUR via SSH. Hardened with pinned host key (ssh-keyscan), printf for SSH key, curl --fail with retries, and set -euo pipefail. Also bumps PKGBUILD version from 0.5.0 to 0.6.0 and updates ROADMAP to reflect AUR submission and automation are complete.
a2d58b4 to 1d03204
Summary
- update-aur job to release.yml that automatically updates the smartlog-bin AUR package on each release
- ssh-keyscan, printf for SSH key, curl --fail with retries, set -euo pipefail
- smartlog-bin is live)

Test plan
- update-aur job runs after release job
- StrictHostKeyChecking yes
- --fail with retries