Releases: staticwire/aurtomator

v0.1.0

03 May 08:15
2678ef2

Automated AUR package updates from a single GitHub repo. Fork it, drop in your packages, let CI handle the rest.

What it does

  • Detects new upstream versions via 13 built-in strategies (GitHub, GitLab, Gitea, PyPI, npm, crates.io, and more)
  • Clones your existing AUR package, bumps pkgver, regenerates checksums and .SRCINFO
  • Pushes to AUR with optional GPG signing
  • Creates GitHub Issues on failure
  • Runs hourly via GitHub Actions

Safety features

  • PKGBUILD audit blocks split packages, pkgver() with incompatible strategies, and mixed SKIP/real checksums for remote sources
  • Source URL validation detects HTML error pages via Content-Type check before downloading
  • namcap lint catches PKGBUILD errors before push
  • Checksum verification via makepkg --verifysource after updpkgsums
  • SSH retry with 3 attempts and connection multiplexing for AUR reliability
  • Workflow concurrency group — scheduled cron and manual workflow_dispatch queue rather than race, preventing concurrent-push ref divergence on the AUR side
  • Detached-HEAD self-heal: update-pkg.sh re-anchors on origin/master if a clone returns detached HEAD for any reason, so every push is a clean fast-forward
  • Downgrade observability: vercmp-based direction check on every run. Downgrades surface as a DOWNGRADE log token, dedicated .status/ values (downgrade:, available_downgrade:), and a ⬇️ icon in the README table. Mirrored, not blocked — upstream is the source of truth. See docs/WORKFLOW.md §4.3.
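
The mixed SKIP/real checksum rule from the audit bullet above, sketched as an added example; this is not aurtomator's own code. It reads the generated .SRCINFO instead of the PKGBUILD so nothing is evaluated, and it assumes that "remote" means the source contains "://" and that the rule applies per checksum array; the function name and exit codes are hypothetical.

```bash
# Added example, not aurtomator code. Assumed rule: within one checksum array,
# remote sources (containing "://") must be all SKIP or all pinned.
# audit_srcinfo FILE -> exit 0 consistent, 1 mixed SKIP/real, 2 count mismatch
audit_srcinfo() {
    awk '
    {   # .SRCINFO is "key = value"; split it without evaluating anything
        sub(/^[ \t]+/, "")
        eq = index($0, " = ")
        if (eq == 0) next
        key = substr($0, 1, eq - 1)
        val = substr($0, eq + 3)
    }
    key ~ /^source(_.+)?$/ {
        arch = substr(key, 7)                 # "" or e.g. "_x86_64"
        sub(/^[^:]*::/, "", val)              # drop "name::" rename prefix
        src[arch, ++nsrc[arch]] = val
        next
    }
    key ~ /^[a-z0-9]+sums(_.+)?$/ {
        p = index(key, "sums")                # algorithm | arch suffix
        grp = substr(key, 1, p - 1) SUBSEP substr(key, p + 4)
        sum[grp, ++nsum[grp]] = val
    }
    END {
        rc = 0
        for (grp in nsum) {
            split(grp, part, SUBSEP); arch = part[2]
            label = part[1] "sums" arch
            if (nsum[grp] != nsrc[arch]) { print label ": count differs from source" arch; rc = 2; continue }
            skip = 0; real = 0
            for (i = 1; i <= nsum[grp]; i++) {
                if (src[arch, i] !~ /:\/\//) continue   # local file, out of scope
                if (sum[grp, i] == "SKIP") skip++; else real++
            }
            if (skip && real) {
                print label ": " skip " remote SKIP, " real " pinned"
                if (rc < 1) rc = 1
            }
        }
        exit rc
    }' "$1"
}

# Constructed sample: one pinned remote source, one remote SKIP -> flagged.
sample=$(mktemp)
printf 'source = https://example.org/a-1.0.tar.gz\nsource = https://example.org/a.sig\nsha256sums = 0f3a\nsha256sums = SKIP\n' > "$sample"
audit_srcinfo "$sample" || echo "audit exit code: $?"
rm -f "$sample"
```

A SKIP on a local file next to pinned remote sources passes, because only entries with a URL scheme are counted.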

Supported package types

  • Binary packages (-bin) with stable download URL patterns
  • VCS packages (-git) via git-latest strategy
  • Nightly/prerelease builds (4 patterns) via github-nightly
  • Arch-specific sources (source_x86_64, source_aarch64)
  • Non-standard tag formats via tag_version_regex

Project files

  • SECURITY.md — vulnerability reporting via GitHub Private Vulnerability Reporting, explicit in/out-of-scope sections, solo-maintainer SLA disclaimer.
  • CONTRIBUTING.md — fork-model disclaimer, the exact conventions CI enforces (shellcheck, shfmt, BATS, Conventional Commits, SHA-pinned actions), new-strategy checklist.
  • CODE_OF_CONDUCT.md — Contributor Covenant 3.0 body with CC BY-SA 4.0 attribution preserved. Enforcement routes privately through GitHub PVR and GitHub's abuse reporting.
  • .github/ISSUE_TEMPLATE/bug_report.yml, strategy_request.yml, config.yml — GitHub issue-form schema with required fields. Blank issues are disabled.
  • .github/PULL_REQUEST_TEMPLATE.md — checklist whose commands match ci.yml 1:1 so "passes locally" equals "passes in CI".

Limitations

aurtomator only updates pkgver, checksums, and .SRCINFO. It does not build packages or check dependencies. See docs/SUPPORTED-PACKAGES.md for the full breakdown.

Tests

221 BATS tests across scripts/ and strategies/, run on every PR.

Getting started

See README for quick start and docs/SETUP.md for detailed configuration.