fix: auto updater tauri

Author: Leoglme

.github/workflows/desktop-release.yml

@@ -70,10 +70,19 @@ jobs:
         working-directory: web
         env:
           RELEASE_VERSION: 0.1.${{ github.run_number }}
+          UPDATER_ENDPOINT: https://github.com/${{ github.repository }}/releases/download/desktop/latest.json
+          UPDATER_PUBKEY: ${{ secrets.TAURI_UPDATER_PUBKEY }}
         run: |
+          if [ -z "$UPDATER_PUBKEY" ]; then
+            echo "Secret TAURI_UPDATER_PUBKEY manquant."
+            exit 1
+          fi
+
           python3 << 'PY'
           import json, os, re
           version = os.environ["RELEASE_VERSION"]
+          updater_endpoint = os.environ["UPDATER_ENDPOINT"]
+          updater_pubkey = os.environ["UPDATER_PUBKEY"]
           os.chdir("src-tauri")
           with open("Cargo.toml", encoding="utf-8") as f:
               lines = f.read().splitlines(keepends=True)
@@ -93,6 +102,13 @@ jobs:
           with open("tauri.conf.json", encoding="utf-8") as f:
               conf = json.load(f)
           conf["version"] = version
+          conf.setdefault("bundle", {})
+          conf["bundle"]["createUpdaterArtifacts"] = True
+          conf.setdefault("plugins", {})
+          conf["plugins"]["updater"] = {
+              "endpoints": [updater_endpoint],
+              "pubkey": updater_pubkey
+          }
           with open("tauri.conf.json", "w", encoding="utf-8") as f:
               json.dump(conf, f, indent=2, ensure_ascii=False)
               f.write("\n")
@@ -109,6 +125,8 @@ jobs:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           NUXT_PUBLIC_API_BASE: ${{ secrets.NUXT_PUBLIC_API_BASE }}
           NUXT_PUBLIC_GITHUB_REPO: ${{ github.repository }}
+          TAURI_SIGNING_PRIVATE_KEY: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY }}
+          TAURI_SIGNING_PRIVATE_KEY_PASSWORD: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY_PASSWORD }}
         with:
           projectPath: web
           tagName: desktop

.gitignore

@@ -4,4 +4,6 @@ api/.venv
 api/__pycache__
 api/*.pyc
 api/.env
-web/.env
+web/.env
+web/goupixdex.key
+web/goupixdex.key.pub

api/README.md

@@ -43,24 +43,24 @@ api/
 
 - Python **3.10+**
 - MariaDB or MySQL (local or Docker)
-- Optional: `POKE_WALLET_API_KEY`, `GROQ_API_KEY`, **Chromium** for Vinted (voir ci-dessous)
+- Optional: `POKE_WALLET_API_KEY`, `GROQ_API_KEY`, **Chromium** for Vinted (see below)
 
-### Vinted (Chromium) et Xvfb
+### Vinted (Chromium) and Xvfb
 
-La publication Vinted lance **Chromium** via **nodriver**. Sur une machine **sans écran** (VPS, conteneur, CI), `VINTED_BROWSER_HEADLESS=false` exige un **DISPLAY** : le dépôt prévoit **Xvfb** pour ne rien configurer à la main.
+Vinted publishing launches **Chromium** through **nodriver**. On a **headless machine** (VPS, container, CI), `VINTED_BROWSER_HEADLESS=false` requires a **DISPLAY**: this repository uses **Xvfb** so no manual display setup is needed.
 
-| Environnement | Comportement |
+| Environment | Behavior |
 |----------------|---------------|
-| **Docker Compose** (`api/`) | L’image installe **chromium**, **xvfb**, **xauth** ; la commande de service enveloppe **uvicorn** avec **`xvfb-run`**. Aucune étape manuelle. |
-| **Déploiement GitHub → VPS** (`.github/workflows/deploy-api.yml`) | `apt install` inclut **xvfb** et **xauth** ; l’unité **systemd** lance Uvicorn sous **`xvfb-run`**. |
-| **Linux sans Docker** (venv + systemd maison) | Installez `xvfb` et `xauth` (`apt install xvfb xauth`), puis lancez l’API avec : `xvfb-run -a --server-args="-screen 0 1920x1080x24" uvicorn …` si `VINTED_BROWSER_HEADLESS=false`. |
-| **Windows (dev)** | Pas besoin d’Xvfb ; utilisez `VINTED_BROWSER_HEADLESS=false` avec un bureau local, ou `run_dev.py` si vous utilisez `--reload` avec Vinted. |
+| **Docker Compose** (`api/`) | The image installs **chromium**, **xvfb**, and **xauth**; the service command wraps **uvicorn** with **`xvfb-run`**. No manual step required. |
+| **GitHub → VPS deploy** (`.github/workflows/deploy-api.yml`) | `apt install` includes **xvfb** and **xauth**; the **systemd** unit runs Uvicorn under **`xvfb-run`**. |
+| **Linux without Docker** (venv + custom systemd) | Install `xvfb` and `xauth` (`apt install xvfb xauth`), then run the API with: `xvfb-run -a --server-args="-screen 0 1920x1080x24" uvicorn …` when `VINTED_BROWSER_HEADLESS=false`. |
+| **Windows (dev)** | No Xvfb needed; use `VINTED_BROWSER_HEADLESS=false` with a local desktop session, or use `run_dev.py` when running `--reload` with Vinted. |
 
-**GitHub Actions (secret optionnel)** : `VINTED_BROWSER_HEADLESS` — si absent ou vide, la valeur générée sur le VPS reste **`true`** (comportement historique). Mettez **`false`** pour un Chromium fenêtré sur Xvfb (souvent moins refusé par Vinted que le headless intégré). **Cloudflare / IP hébergeur** peuvent quand même bloquer des requêtes : un `curl` en **403** depuis le VPS alors qu’un navigateur répond **200** est possible.
+**GitHub Actions (optional secret)**: `VINTED_BROWSER_HEADLESS` — if missing or empty, the value generated on the VPS remains **`true`** (historical behavior). Set **`false`** for a headed Chromium session on Xvfb (often less likely to be blocked by Vinted than built-in headless mode). **Cloudflare / hosting IPs** can still block requests: it is possible to get a **403** from `curl` on the VPS while a browser returns **200**.
 
-Variables utiles dans `.env` / `.env.example` : `VINTED_BROWSER_HEADLESS`, `VINTED_CHROME_EXECUTABLE` (souvent `/usr/bin/chromium` sous Linux).
+Useful variables in `.env` / `.env.example`: `VINTED_BROWSER_HEADLESS`, `VINTED_CHROME_EXECUTABLE` (often `/usr/bin/chromium` on Linux).
 
-**Windows / macOS (app desktop)** : avec `VINTED_BROWSER_HEADLESS=false`, le mode **`VINTED_BROWSER_DISCREET=true`** (défaut) garde `--start-maximized`, puis applique `--window-position` (hors écran) + `--start-minimized` pour rester discret tout en gardant un rendu "headed". Vous pouvez désactiver la minimisation via `VINTED_BROWSER_DISCREET_MINIMIZE=false`. Sur **Linux + Xvfb plein écran**, mettre `VINTED_BROWSER_DISCREET=false` pour garder le comportement standard.
+**Windows / macOS (desktop app)**: with `VINTED_BROWSER_HEADLESS=false`, **`VINTED_BROWSER_DISCREET=true`** (default) keeps `--start-maximized`, then applies `--window-position` (off-screen) + `--start-minimized` to stay discreet while keeping a headed rendering path. You can disable minimization with `VINTED_BROWSER_DISCREET_MINIMIZE=false`. On **Linux + full-screen Xvfb**, set `VINTED_BROWSER_DISCREET=false` to keep standard behavior.
 
 ## Install
 
@@ -113,13 +113,13 @@ python migrations/run_migrations.py
 uvicorn main:app --reload --host 0.0.0.0 --port 8000
 ```
 
-Sous **Windows**, si vous utilisez **`--reload`** et la publication **Vinted** (nodriver / Chrome), uvicorn choisit une boucle sans support des sous-processus → erreur `NotImplementedError` dans nodriver. Utilisez plutôt :
+On **Windows**, if you use **`--reload`** with **Vinted** publishing (nodriver / Chrome), uvicorn can pick an event loop without subprocess support → `NotImplementedError` in nodriver. Use instead:
 
 ```bash
 python run_dev.py
 ```
 
-ou explicitement (Windows uniquement — la classe stdlib `ProactorEventLoop`) :
+or explicitly (Windows only — stdlib `ProactorEventLoop` class):
 
 ```bash
 uvicorn main:app --reload --host 0.0.0.0 --port 8000 --loop asyncio.windows_events:ProactorEventLoop
@@ -159,16 +159,16 @@ From `api/`:
 docker compose up --build
 ```
 
-- API: port **8000** (migrations + seed conditionnel au démarrage, puis **uvicorn** sous **`xvfb-run`** pour Vinted)
+- API: port **8000** (migrations + optional seed at startup, then **uvicorn** under **`xvfb-run`** for Vinted)
 - MariaDB: **3306**
 - phpMyAdmin: **8080**
-- L’image inclut **Chromium**, **Xvfb** et **xauth** ; les variables `VINTED_*` et **Supabase** peuvent être définies dans un fichier **`.env`** à côté de `docker-compose.yml` (substitution `${…}` — voir [Compose env files](https://docs.docker.com/compose/environment-variables/set-environment-variables/)).
+- The image includes **Chromium**, **Xvfb**, and **xauth**; `VINTED_*` and **Supabase** variables can be defined in a **`.env`** file next to `docker-compose.yml` (`${…}` substitution — see [Compose env files](https://docs.docker.com/compose/environment-variables/set-environment-variables/)).
 
 Create a user after startup: `docker compose exec api python seeders/user_seeder.py` (with env vars set), or use `POST /users` and `POST /auth/login`.
 
-### Déploiement API (GitHub → VPS)
+### API deployment (GitHub → VPS)
 
-Le workflow **Deploy API** installe **xvfb** et **xauth**, écrit l’unité **systemd** avec **`ExecStart=/usr/bin/xvfb-run … uvicorn`**, et peut fixer **`VINTED_BROWSER_HEADLESS`** via le secret du même nom (défaut **`true`** si le secret est absent). Aucune installation manuelle de Xvfb sur le VPS n’est nécessaire après un déploiement via cette CI.
+The **Deploy API** workflow installs **xvfb** and **xauth**, writes the **systemd** unit with **`ExecStart=/usr/bin/xvfb-run … uvicorn`**, and can set **`VINTED_BROWSER_HEADLESS`** via the secret of the same name (default **`true`** when the secret is missing). No manual Xvfb installation is required on the VPS after deploying through this CI.
 
 ## Limitations
 

web/README.md

@@ -1,32 +1,32 @@
 # GoupixDex Web + Desktop UI (Nuxt 4 + Tauri)
 
-Frontend unique partagé entre :
+Single frontend shared between:
 
-- la version **web** (Nuxt 4),
-- la version **desktop** (Tauri, Windows + macOS).
+- the **web** version (Nuxt 4),
+- the **desktop** version (Tauri, Windows + macOS).
 
-## Prérequis
+## Prerequisites
 
 - Node.js 22+
 - npm 10+
-- Pour Tauri local : Rust toolchain installé
+- For local Tauri: Rust toolchain installed
 
 ## Installation
 
 ```bash
 npm install
 ```
 
-## Variables d’environnement
+## Environment variables
 
-Exemple dans `.env.example` :
+Example in `.env.example`:
 
-- `NUXT_PUBLIC_API_BASE` : URL API distante (prod ou local)
-- `NUXT_PUBLIC_GITHUB_REPO` : slug `owner/repo` pour la page Download
-- `NUXT_PUBLIC_DESKTOP_RELEASE_CHANNEL` : `latest` ou tag GitHub Release
-- `NUXT_PUBLIC_GITHUB_API_BASE` : API GitHub (défaut `https://api.github.com`)
+- `NUXT_PUBLIC_API_BASE`: remote API URL (prod or local)
+- `NUXT_PUBLIC_GITHUB_REPO`: `owner/repo` slug for the Download page
+- `NUXT_PUBLIC_DESKTOP_RELEASE_CHANNEL`: `latest` or a GitHub Release tag
+- `NUXT_PUBLIC_GITHUB_API_BASE`: GitHub API base (default `https://api.github.com`)
 
-## Développement web
+## Web development
 
 ```bash
 npm run dev
@@ -38,34 +38,34 @@ npm run dev
 npm run build
 ```
 
-## Version desktop (Tauri)
+## Desktop version (Tauri)
 
 ### Dev desktop
 
 ```bash
 npm run tauri:dev
 ```
 
-Si vous voyez une erreur Cargo du type :
+If you see a Cargo error like:
 
 `this version of Cargo is older than the 2024 edition`
 
-mettez à jour Rust/Cargo (Windows/macOS/Linux) :
+update Rust/Cargo (Windows/macOS/Linux):
 
 ```bash
 rustup self update
 rustup update stable
 rustup default stable
 ```
 
-Puis redémarrez le terminal et vérifiez :
+Then restart your terminal and check:
 
 ```bash
 cargo -V
 rustc -V
 ```
 
-Sous Windows, si la version ne change pas, vérifiez que `cargo` pointe bien vers `~/.cargo/bin` :
+On Windows, if the version does not change, ensure `cargo` points to `~/.cargo/bin`:
 
 ```bash
 where cargo
@@ -78,14 +78,49 @@ where rustc
 npm run tauri:build
 ```
 
-La commande génère d’abord le frontend Nuxt en mode desktop (`NUXT_DESKTOP_BUILD=1`) puis bundle l’application via Tauri.
+The command first builds the Nuxt frontend in desktop mode (`NUXT_DESKTOP_BUILD=1`), then bundles the app with Tauri.
 
-## Comportement Vinted
+## Vinted behavior
 
-- **Web** : fonctionnalités de mise en ligne Vinted désactivées, avec message d’orientation vers la page de téléchargement.
-- **Desktop** : fonctionnalités Vinted disponibles (runtime détecté via Tauri WebView).
+- **Web**: Vinted publishing features are disabled, with a message pointing users to the download page.
+- **Desktop**: Vinted features are available (runtime detected through Tauri WebView).
 
 ## CI/CD
 
 - `deploy-web.yml` : build + déploiement web (Nitro + PM2).
 - `desktop-release.yml` : build desktop Windows/macOS en **release** (binaire sans console Windows) et publication sur GitHub Release stable (`desktop`, non-prerelease).
+
+## Tauri updater: key generation and GitHub secrets
+
+From the `web/` folder, generate the keypair:
+
+```bash
+npx @tauri-apps/cli signer generate -w goupixdex.key
+```
+
+Read the private key (to copy into a GitHub secret):
+
+```bash
+cat goupixdex.key
+```
+
+If you are using PowerShell:
+
+```powershell
+Get-Content .\goupixdex.key -Raw
+```
+
+Then configure these 3 secrets in `GitHub > Settings > Secrets and variables > Actions`:
+
+- `TAURI_SIGNING_PRIVATE_KEY`
+  - Value: full contents of `goupixdex.key` (Tauri/minisign format, as-is, including line breaks).
+  - Note: it is normal not to have `BEGIN PRIVATE KEY` / `END PRIVATE KEY`.
+- `TAURI_SIGNING_PRIVATE_KEY_PASSWORD`
+  - Value: the password entered during `signer generate`.
+- `TAURI_UPDATER_PUBKEY`
+  - Value: the public key generated by the command (`signer generate`) or the contents of `goupixdex.key.pub`.
+
+Important:
+
+- Never commit `goupixdex.key` or `goupixdex.key.pub`.
+- Keep `goupixdex.key` in a secure location (secret manager, vault, etc.).

web/app/plugins/desktop-updater.client.ts

@@ -0,0 +1,39 @@
+import { check } from '@tauri-apps/plugin-updater'
+
+export default defineNuxtPlugin(async () => {
+  const { isDesktopApp } = useDesktopRuntime()
+
+  if (!isDesktopApp.value || !import.meta.client) {
+    return
+  }
+
+  if (window.sessionStorage.getItem('goupix-updater-checked') === '1') {
+    return
+  }
+  window.sessionStorage.setItem('goupix-updater-checked', '1')
+
+  try {
+    const update = await check()
+
+    if (!update) {
+      return
+    }
+
+    const confirmed = window.confirm(
+      `Une mise a jour ${update.version} est disponible.\n\n` +
+      'Voulez-vous la telecharger et l installer maintenant ?'
+    )
+
+    if (!confirmed) {
+      return
+    }
+
+    await update.downloadAndInstall()
+
+    window.alert(
+      'La mise a jour est installee. Fermez puis relancez GoupixDex pour appliquer la nouvelle version.'
+    )
+  } catch (error) {
+    console.error('[Updater] Echec de verification/installation de mise a jour:', error)
+  }
+})

web/package-lock.json

@@ -20,6 +20,7 @@
     "@internationalized/date": "^3.12.0",
     "@nuxt/ui": "^4.6.1",
     "@tanstack/table-core": "^8.21.3",
+    "@tauri-apps/plugin-updater": "^2.10.1",
     "@unovis/ts": "^1.6.4",
     "@unovis/vue": "^1.6.4",
     "@vueuse/core": "^14.2.1",
@@ -34,8 +35,8 @@
     "zod": "^4.3.6"
   },
   "devDependencies": {
-    "@tauri-apps/cli": "^2.0.0",
     "@nuxt/eslint": "^1.15.2",
+    "@tauri-apps/cli": "^2.0.0",
     "@types/node": "^25.5.2",
     "cross-env": "^10.1.0",
     "eslint": "^10.2.0",