Update the AUR from GitHub Actions

05 Feb 2026 in TIL

I maintain trello-cli, which is also published to the Arch User Repository (AUR).

Each time the package is published, I needed to update the PKGBUILD with a new version and sha512sum. I'm no longer an Arch user (I miss it, but macOS works so much better for my current role) and so I don't have makepkg readily available.

I had an idea that updating the PKGBUILD could be done with GitHub Actions:

Updating an AUR package for a node based tool could be automated using GitHub Actions.
Each time a release is tagged, the pkgver and sha512sums fields in the PKGBUILD need updating, and the repo needs pushing to the https://aur.archlinux.org/cgit/aur.git/tree/PKGBUILD
The sha512sum needs to be calculated from the published NPM package, so we'd need to wait until the version is available, download it from the registry and then calculate the checksum.

Here's how I did it:

  1. Generate an SSH keypair:

     ```bash
     ssh-keygen -t ed25519 -f ~/.ssh/aur -C "GH AUR - [email protected]"
     ```

  2. Add the public key to your AUR account:

  3. Add the private key as a GitHub secret:

    • Go to your repo → Settings → Secrets and variables → Actions
    • Create secret named AUR_SSH_PRIVATE_KEY
    • Paste contents of ~/.ssh/aur

Then create a GitHub Actions workflow that you can run. You can't add it to your npm release workflow as there is a delay between publishing and it appearing in the API.

There's some tricky runuser logic required when updating .SRCINFO as you can't run makepkg as root:

```yaml
name: Update AUR Package
on:
  workflow_dispatch:
  schedule:
    - cron: "0 0 * * 0" # Weekly on Sunday at midnight UTC
jobs:
  update-aur:
    runs-on: ubuntu-latest
    container:
      image: archlinux:base-devel
    steps:
      - name: Install dependencies
        run: pacman -Sy --noconfirm jq openssh git
      - name: Get latest npm version
        id: npm
        run: |
          VERSION=$(curl -s https://registry.npmjs.org/trello-cli/latest | jq -r '.version')
          echo "version=$VERSION" >> "$GITHUB_OUTPUT"
      - name: Download tarball and get sha512sum
        id: checksum
        run: |
          curl -sLO "https://registry.npmjs.org/trello-cli/-/trello-cli-${{ steps.npm.outputs.version }}.tgz"
          SHA512=$(sha512sum trello-cli-${{ steps.npm.outputs.version }}.tgz | cut -d' ' -f1)
          echo "sha512=$SHA512" >> "$GITHUB_OUTPUT"
      - name: Setup SSH for AUR
        run: |
          mkdir -p ~/.ssh
          # Write the deploy key from the repository secret; ssh requires mode 600
          echo "${{ secrets.AUR_SSH_PRIVATE_KEY }}" > ~/.ssh/aur
          chmod 600 ~/.ssh/aur
      - name: Clone AUR repo
        env:
          # StrictHostKeyChecking=no skips SSH host key verification for aur.archlinux.org
          GIT_SSH_COMMAND: "ssh -i ~/.ssh/aur -o IdentitiesOnly=yes -o StrictHostKeyChecking=no"
        run: git clone ssh://aur@aur.archlinux.org/trello-cli.git aur-repo
      - name: Check if update needed
        id: check
        working-directory: aur-repo
        run: |
          CURRENT=$(grep '^pkgver=' PKGBUILD | cut -d= -f2)
          if [ "$CURRENT" = "${{ steps.npm.outputs.version }}" ]; then
            echo "Already up-to-date (version $CURRENT)"
            echo "skip=true" >> "$GITHUB_OUTPUT"
          else
            echo "Update available: $CURRENT -> ${{ steps.npm.outputs.version }}"
            echo "skip=false" >> "$GITHUB_OUTPUT"
          fi
      - name: Update PKGBUILD
        if: steps.check.outputs.skip != 'true'
        working-directory: aur-repo
        run: |
          sed -i "s/^pkgver=.*/pkgver=${{ steps.npm.outputs.version }}/" PKGBUILD
          sed -i "s/^pkgrel=.*/pkgrel=1/" PKGBUILD
          sed -i "s/^sha512sums=.*/sha512sums=('${{ steps.checksum.outputs.sha512 }}')/" PKGBUILD
      - name: Update .SRCINFO
        if: steps.check.outputs.skip != 'true'
        working-directory: aur-repo
        run: |
          # makepkg refuses to run as root, so generate .SRCINFO as an unprivileged user
          useradd -m builder
          mkdir -p /home/builder/build
          cp -a . /home/builder/build
          chown -R builder:builder /home/builder/build
          runuser -u builder -- bash -lc 'cd /home/builder/build && makepkg --printsrcinfo > .SRCINFO'
          cp /home/builder/build/.SRCINFO ./.SRCINFO
      - name: Commit and push
        if: steps.check.outputs.skip != 'true'
        working-directory: aur-repo
        env:
          GIT_SSH_COMMAND: "ssh -i ~/.ssh/aur -o IdentitiesOnly=yes -o StrictHostKeyChecking=no"
        run: |
          git config user.name "Michael Heap"
          git config user.email "[email protected]"
          git add PKGBUILD .SRCINFO
          git commit -m "Update to version ${{ steps.npm.outputs.version }}"
          git push
```

Now you have a workflow that will update your PKGBUILD automatically once per week, or whenever you trigger the action manually.
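
The workflow writes a version string and a checksum taken from the npm registry straight into `sed` expressions. As an added example (not part of the original workflow), these shell helpers check both values first: the version must be dotted digits, and the downloaded tarball's SHA-512 must equal the `dist.integrity` value from the same registry metadata. The function names are hypothetical, and the integrity string is assumed to be read with `jq -r '.dist.integrity'` from the `/latest` response the workflow already fetches.

```bash
#!/bin/sh
# Added example. Function names are hypothetical, not from the original post.

# Dotted digits only (Arch's pkgver may not contain hyphens, slashes or spaces).
valid_version() {
  case "$1" in
    ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
}

# Exactly 128 lowercase hex characters, the shape sha512sum prints.
valid_sha512_hex() {
  [ "${#1}" -eq 128 ] || return 1
  case "$1" in
    *[!0-9a-f]*) return 1 ;;
  esac
}

# Convert npm's dist.integrity ("sha512-<base64>") to lowercase hex.
integrity_to_hex() {
  case "$1" in
    sha512-*) ;;
    *) return 1 ;;
  esac
  printf '%s' "${1#sha512-}" | base64 -d 2>/dev/null | od -An -v -tx1 | tr -d ' \n'
}

# verify_tarball FILE INTEGRITY
# Prints the file's hex digest only when it equals the registry's digest,
# so a truncated download or a saved error page never reaches the PKGBUILD.
verify_tarball() {
  local_hex=$(sha512sum "$1" | cut -d' ' -f1) || return 1
  registry_hex=$(integrity_to_hex "$2") || return 1
  valid_sha512_hex "$local_hex" || return 1
  [ "$local_hex" = "$registry_hex" ] || return 1
  printf '%s\n' "$local_hex"
}

# update_pkgbuild FILE VERSION SHA512_HEX
# Edits the three fields only when both values are well-formed.
update_pkgbuild() {
  valid_version "$2" || return 1
  valid_sha512_hex "$3" || return 1
  sed -i \
    -e "s/^pkgver=.*/pkgver=$2/" \
    -e "s/^pkgrel=.*/pkgrel=1/" \
    -e "s/^sha512sums=.*/sha512sums=('$3')/" "$1"
}
```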