name: Update AUR Package on: release: types: [published] workflow_dispatch: permissions: contents: read jobs: update-aur: name: update-aur runs-on: ubuntu-latest steps: - name: Checkout code uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - name: Extract version from tag id: version run: | # Determine the tag based on trigger type if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then # Get the latest tag when manually triggered git fetch --tags TAG=$(git tag --sort=-version:refname | head -n1) else # For release event, use the release tag TAG="${{ github.event.release.tag_name }}" fi # Extract version by removing 'v' prefix VERSION="${TAG#v}" echo "version=$VERSION" >> $GITHUB_OUTPUT echo "tag=$TAG" >> $GITHUB_OUTPUT echo "Extracted version: $VERSION" echo "Tag: $TAG" - name: Download release assets and calculate checksums id: checksums run: | VERSION="${{ steps.version.outputs.version }}" TAG="${{ steps.version.outputs.tag }}" # Define asset names ASSET_X64="rustnet-${TAG}-x86_64-unknown-linux-gnu.tar.gz" ASSET_ARM64="rustnet-${TAG}-aarch64-unknown-linux-gnu.tar.gz" echo "Downloading release assets..." # Download assets gh release download "$TAG" -p "$ASSET_X64" -p "$ASSET_ARM64" # Calculate SHA256 checksums SHA256_X64=$(sha256sum "$ASSET_X64" | awk '{print $1}') SHA256_ARM64=$(sha256sum "$ASSET_ARM64" | awk '{print $1}') echo "x64_checksum=$SHA256_X64" >> $GITHUB_OUTPUT echo "arm64_checksum=$SHA256_ARM64" >> $GITHUB_OUTPUT echo "Checksums calculated:" echo " x86_64: $SHA256_X64" echo " aarch64: $SHA256_ARM64" env: GH_TOKEN: ${{ github.token }} - name: Verify checksums match release assets run: | TAG="${{ steps.version.outputs.tag }}" EXPECTED_X64="${{ steps.checksums.outputs.x64_checksum }}" EXPECTED_ARM64="${{ steps.checksums.outputs.arm64_checksum }}" FAILED=0 echo "Re-downloading assets to verify checksums are stable..." ASSET_X64="rustnet-${TAG}-x86_64-unknown-linux-gnu.tar.gz" ASSET_ARM64="rustnet-${TAG}-aarch64-unknown-linux-gnu.tar.gz" gh release download "$TAG" -p "$ASSET_X64" -p "$ASSET_ARM64" -D /tmp/verify ACTUAL_X64=$(sha256sum "/tmp/verify/$ASSET_X64" | awk '{print $1}') ACTUAL_ARM64=$(sha256sum "/tmp/verify/$ASSET_ARM64" | awk '{print $1}') rm -rf /tmp/verify if [ "$ACTUAL_X64" != "$EXPECTED_X64" ]; then echo "::error::x86_64 checksum mismatch: expected $EXPECTED_X64, got $ACTUAL_X64" FAILED=1 else echo " ✓ x86_64 checksum verified" fi if [ "$ACTUAL_ARM64" != "$EXPECTED_ARM64" ]; then echo "::error::aarch64 checksum mismatch: expected $EXPECTED_ARM64, got $ACTUAL_ARM64" FAILED=1 else echo " ✓ aarch64 checksum verified" fi if [ "$FAILED" -ne 0 ]; then echo "::error::Checksum verification failed — aborting to prevent pushing stale checksums to AUR" exit 1 fi echo "All checksums verified successfully" env: GH_TOKEN: ${{ github.token }} - name: Setup SSH for AUR env: AUR_SSH_PRIVATE_KEY: ${{ secrets.AUR_SSH_PRIVATE_KEY }} run: | mkdir -p ~/.ssh # Pass the key via env, not inline interpolation, so its bytes are never # spliced into the rendered command line (matches the GPG handling in # ppa-release.yml). printf avoids echo's escape interpretation. printf '%s\n' "$AUR_SSH_PRIVATE_KEY" > ~/.ssh/aur chmod 600 ~/.ssh/aur ssh-keyscan aur.archlinux.org >> ~/.ssh/known_hosts # Configure SSH to use the AUR key cat > ~/.ssh/config < .SRCINFO ' || { # If that fails (no write permissions), install tools as root then run as user docker run --rm -v "$PWD/aur-rustnet-bin:/pkg" archlinux:latest bash -c " pacman -Sy --noconfirm binutils fakeroot sudo && useradd -m -u $(id -u) builder && cd /pkg && su builder -c 'makepkg --printsrcinfo > .SRCINFO' " } echo ".SRCINFO generated successfully" - name: Commit and push to AUR run: | cd aur-rustnet-bin VERSION="${{ steps.version.outputs.version }}" # Check if there are changes to commit if git diff --quiet PKGBUILD .SRCINFO; then echo "No changes to PKGBUILD or .SRCINFO (already at version $VERSION)" exit 0 fi # Show changes echo "Changes to be committed:" git diff PKGBUILD .SRCINFO # Commit and push git add PKGBUILD .SRCINFO git commit -m "Update to version $VERSION" git push origin master echo "Pushed changes to AUR repository" - name: Summary run: | VERSION="${{ steps.version.outputs.version }}" echo "## 🎉 AUR Package Updated" >> $GITHUB_STEP_SUMMARY echo "" >> $GITHUB_STEP_SUMMARY echo "- **Package**: rustnet-bin" >> $GITHUB_STEP_SUMMARY echo "- **Version**: $VERSION" >> $GITHUB_STEP_SUMMARY echo "- **Architectures**: x86_64, aarch64" >> $GITHUB_STEP_SUMMARY echo "" >> $GITHUB_STEP_SUMMARY echo "### Checksums" >> $GITHUB_STEP_SUMMARY echo "- **x86_64**: \`${{ steps.checksums.outputs.x64_checksum }}\`" >> $GITHUB_STEP_SUMMARY echo "- **aarch64**: \`${{ steps.checksums.outputs.arm64_checksum }}\`" >> $GITHUB_STEP_SUMMARY echo "" >> $GITHUB_STEP_SUMMARY echo "[View AUR Package →](https://aur.archlinux.org/packages/rustnet-bin)" >> $GITHUB_STEP_SUMMARY