initial import: SHPIT arch PKGBUILDs

PKGBUILDs for tabex-bin and osyrra-bin (linux amd64, private GitHub
release assets pulled with gh release download) plus three workflows:

- version-bumps.yml: scheduled/manual PR that refreshes pkgver, sha256,
  and .SRCINFO using repo-owned updater scripts.
- validate.yml: non-mutating PR check that parses PKGBUILDs and diffs
  the generated .SRCINFO against what's committed.
- publish.yml: post-merge per-package push to the matching AUR repo,
  gated on AUR_USERNAME / AUR_EMAIL / AUR_SSH_PRIVATE_KEY secrets.

Both packages require SHPIT_GH_TOKEN in Actions to read the private
upstream releases; without it the bump job silently no-ops so the repo
is safe to land before the secret is attached.

Author: anand-testcompare

.github/workflows/publish.yml

@@ -0,0 +1,103 @@
+name: publish
+
+on:
+  workflow_dispatch:
+  push:
+    branches:
+      - main
+    paths:
+      - '*/PKGBUILD'
+      - '*/.SRCINFO'
+      - '*/*.install'
+
+jobs:
+  detect:
+    runs-on: ubuntu-latest
+    outputs:
+      packages: ${{ steps.collect.outputs.packages }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          fetch-depth: 0
+
+      - name: Find updated packages
+        id: collect
+        run: |
+          #!/usr/bin/env bash
+          set -euo pipefail
+
+          before="${{ github.event.before }}"
+          if [[ -z "${before}" || "${before}" =~ ^0+$ ]]; then
+            before="$(git rev-list --max-parents=0 HEAD)"
+          fi
+
+          mapfile -t packages < <(
+            git diff --name-only "${before}" "${GITHUB_SHA}" -- '*/PKGBUILD' '*/.SRCINFO' '*/*.install' \
+              | xargs -r -n1 dirname \
+              | sort -u
+          )
+
+          if ((${#packages[@]} == 0)); then
+            echo 'packages=[]' >> "${GITHUB_OUTPUT}"
+            exit 0
+          fi
+
+          json="$(printf '%s\n' "${packages[@]}" | jq -R . | jq -s -c .)"
+          echo "packages=${json}" >> "${GITHUB_OUTPUT}"
+
+  publish:
+    needs: detect
+    if: ${{ needs.detect.outputs.packages != '[]' }}
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        package: ${{ fromJson(needs.detect.outputs.packages) }}
+    permissions:
+      contents: read
+    env:
+      AUR_USERNAME: ${{ secrets.AUR_USERNAME }}
+      AUR_EMAIL: ${{ secrets.AUR_EMAIL }}
+      AUR_SSH_PRIVATE_KEY: ${{ secrets.AUR_SSH_PRIVATE_KEY }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+      - name: Check publishing configuration
+        id: config
+        run: |
+          #!/usr/bin/env bash
+          set -euo pipefail
+          if [[ -n "${AUR_USERNAME}" && -n "${AUR_EMAIL}" && -n "${AUR_SSH_PRIVATE_KEY}" ]]; then
+            echo 'enabled=true' >> "${GITHUB_OUTPUT}"
+          else
+            echo 'enabled=false' >> "${GITHUB_OUTPUT}"
+            echo "AUR publish skipped: AUR secrets are not configured."
+          fi
+
+      - name: Install publish dependencies
+        if: ${{ steps.config.outputs.enabled == 'true' }}
+        run: |
+          sudo apt-get update
+          sudo apt-get install --yes openssh-client rsync
+
+      - name: Start ssh-agent
+        if: ${{ steps.config.outputs.enabled == 'true' }}
+        env:
+          AUR_SSH_PRIVATE_KEY: ${{ secrets.AUR_SSH_PRIVATE_KEY }}
+        run: |
+          #!/usr/bin/env bash
+          set -euo pipefail
+          install -d -m 700 ~/.ssh
+          ssh-keyscan aur.archlinux.org >> ~/.ssh/known_hosts
+          eval "$(ssh-agent -s)"
+          ssh-add - <<< "${AUR_SSH_PRIVATE_KEY}"
+          {
+            echo "SSH_AUTH_SOCK=${SSH_AUTH_SOCK}"
+            echo "SSH_AGENT_PID=${SSH_AGENT_PID}"
+          } >> "${GITHUB_ENV}"
+
+      - name: Publish package
+        if: ${{ steps.config.outputs.enabled == 'true' }}
+        run: ./scripts/publish-package.sh "${{ matrix.package }}"

.github/workflows/validate.yml

@@ -0,0 +1,32 @@
+name: validate
+
+on:
+  pull_request:
+    branches:
+      - main
+    paths:
+      - '*/PKGBUILD'
+      - '*/.SRCINFO'
+      - '*/*.install'
+      - '.github/workflows/**'
+      - 'scripts/**'
+      - 'README.md'
+  workflow_dispatch:
+
+jobs:
+  validate:
+    runs-on: ubuntu-latest
+    container:
+      image: archlinux:base-devel
+    steps:
+      - name: Install validation dependencies
+        run: pacman -Syu --noconfirm git github-cli jq unzip
+
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+      - name: Mark workspace as safe
+        run: git config --global --add safe.directory "${GITHUB_WORKSPACE}"
+
+      - name: Validate packages
+        run: ./scripts/validate-packages.sh

.github/workflows/version-bumps.yml

@@ -0,0 +1,88 @@
+name: version-bumps
+
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: '23 6 * * *'
+
+permissions:
+  contents: write
+  pull-requests: write
+
+jobs:
+  update:
+    runs-on: ubuntu-latest
+    container:
+      image: archlinux:base-devel
+    env:
+      GH_TOKEN: ${{ github.token }}
+      SHPIT_GH_TOKEN: ${{ secrets.SHPIT_GH_TOKEN }}
+      UPDATE_BRANCH: automation/version-bumps
+    steps:
+      - name: Install updater dependencies
+        run: pacman -Syu --noconfirm git github-cli jq unzip
+
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          fetch-depth: 0
+
+      - name: Mark workspace as safe
+        run: git config --global --add safe.directory "${GITHUB_WORKSPACE}"
+
+      - name: Configure git identity
+        run: |
+          git config user.name "shpit-bot"
+          git config user.email "opensource@shpit.dev"
+
+      - name: Update packages
+        run: ./scripts/update-packages.sh auto
+
+      - name: Detect changes
+        id: detect
+        run: |
+          if git diff --quiet; then
+            echo 'changed=false' >> "${GITHUB_OUTPUT}"
+          else
+            echo 'changed=true' >> "${GITHUB_OUTPUT}"
+          fi
+
+      - name: Commit and push branch
+        if: ${{ steps.detect.outputs.changed == 'true' }}
+        run: |
+          git checkout -B "${UPDATE_BRANCH}"
+          git add README.md docs scripts .github/workflows tabex-bin osyrra-bin
+          git commit -m "chore(pkgbuilds): bump package versions"
+          git push --force --set-upstream origin "${UPDATE_BRANCH}"
+
+      - name: Open or update pull request
+        if: ${{ steps.detect.outputs.changed == 'true' }}
+        run: |
+          #!/usr/bin/env bash
+          set -euo pipefail
+
+          pr_number="$(gh pr list \
+            --head "${UPDATE_BRANCH}" \
+            --base main \
+            --json number \
+            --jq '.[0].number // empty')"
+
+          title="chore(pkgbuilds): bump package versions"
+          body_file="$(mktemp)"
+          cat <<'EOF' > "${body_file}"
+          ## Summary
+
+          - update SHPIT package definitions to the latest discovered upstream versions
+          - refresh checksums and `.SRCINFO`
+          - keep the public repo metadata aligned with the package automation flow
+          EOF
+
+          if [[ -n "${pr_number}" ]]; then
+            gh pr edit "${pr_number}" --title "${title}" --body-file "${body_file}"
+          else
+            gh pr create \
+              --base main \
+              --head "${UPDATE_BRANCH}" \
+              --title "${title}" \
+              --body-file "${body_file}"
+          fi

.gitignore

@@ -0,0 +1,23 @@
+# package src/pkg archives, downloaded sources
+*.tar*
+*.tgz
+*.zip
+*.oxt
+
+# signed sources
+*.asc
+*.sig
+
+# log files from makepkg --log (or extra-x86_64-build)
+*.log
+
+# subfolders, e.g. source or built package trees, vcs
+*/**/
+!.github/**/
+
+# backup files
+*~
+*.bak
+
+# mkpkg status files
+.mkpkg_check

LICENSE.md

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 SHPIT LLC
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

README.md

@@ -0,0 +1,72 @@
+# SHPIT Arch Packages
+
+Arch Linux package definitions for SHPIT-maintained command-line tools.
+
+## Packages
+
+| Package | Upstream | Notes |
+|---|---|---|
+| `tabex-bin` | `shpitdev/tabex` GitHub Releases | Private release assets. The PKGBUILD is public, but `makepkg` needs GitHub access to the `shpitdev` org to download the release tarball. |
+| `osyrra-bin` | `shpitdev/osyrra` GitHub Releases | Private release assets. Same auth model as `tabex-bin`. |
+
+## Automation
+
+- `.github/workflows/version-bumps.yml` runs on a schedule or manual dispatch, updates package versions/checksums via repo-owned scripts, regenerates `.SRCINFO`, and opens or updates a PR.
+- `.github/workflows/validate.yml` is non-mutating PR validation. It checks PKGBUILD syntax and confirms `.SRCINFO` is in sync.
+- `.github/workflows/publish.yml` publishes every changed package directory to the AUR after changes land on `main`, but cleanly skips publishing until AUR secrets exist.
+
+## Local Usage
+
+Update all packages:
+
+```bash
+./scripts/update-packages.sh auto
+```
+
+Validate package metadata:
+
+```bash
+./scripts/validate-packages.sh
+```
+
+Build a package locally:
+
+```bash
+cd <package-dir>
+makepkg -si
+```
+
+`gh auth login` must be configured with access to the `shpitdev` org before `makepkg` can download the private release assets.
+
+## Temporary Mode
+
+- You can use this repo immediately without creating the AUR repositories or AUR secrets.
+- The scheduled/manual bump workflow uses the repository `GITHUB_TOKEN` for branch and PR operations in this repo.
+- Without `SHPIT_GH_TOKEN`, the workflow skips the private package updates (both `tabex-bin` and `osyrra-bin` need it).
+- Without AUR secrets, the publish workflow exits successfully without pushing anywhere.
+
+## Secrets
+
+- `SHPIT_GH_TOKEN` — required for GitHub Actions to refresh private SHPIT packages from their GitHub releases.
+- `AUR_USERNAME`, `AUR_EMAIL`, `AUR_SSH_PRIVATE_KEY` — optional until you actually want to publish to AUR.
+
+## Local Auth
+
+- Local scripts use your normal `gh auth login` session when you run them from your machine.
+- GitHub-hosted Actions cannot reuse your personal interactive `gh` login session. They only get the repository `GITHUB_TOKEN` plus any secrets you explicitly configure.
+
+## Adding a New Package
+
+1. Create a directory with the package name and add a `PKGBUILD`.
+2. Add a dedicated updater script in `scripts/` if the package needs live version discovery.
+3. Regenerate `.SRCINFO` with `./scripts/render-srcinfo.sh <package-dir>`.
+4. Extend `./scripts/update-packages.sh` if the package should be included in automated bump PRs.
+
+## Ultimate Setup
+
+1. Create the GitHub repository and enable Actions.
+2. In `Settings -> Actions -> General`, set workflow permissions to read and write, and enable GitHub Actions to create pull requests.
+3. Attach the `SHPIT_GH_TOKEN` secret (org-level or repo-level) to this repo so the bump workflow can read the private release assets.
+4. When the AUR repos exist, add `AUR_USERNAME`, `AUR_EMAIL`, and `AUR_SSH_PRIVATE_KEY`.
+5. Run `version-bumps` manually once, confirm the PR output, then merge.
+6. After the first merge, `publish.yml` will start pushing package updates to AUR only if those AUR secrets are present.