From ab19cf113b8e4dd646d99459a45d86df5583ae79 Mon Sep 17 00:00:00 2001
From: Anthony Stirling <77850077+Frooodle@users.noreply.github.com>
Date: Fri, 17 Apr 2026 23:12:46 +0100
Subject: [PATCH] AUR publishing workflow (#6132)

Co-authored-by: aikido-pr-checks[bot] <169896070+aikido-pr-checks[bot]@users.noreply.github.com>
---
 .github/aur/stirling-pdf-bin/PKGBUILD        |  29 +++++
 .github/aur/stirling-pdf-server-bin/PKGBUILD |  90 +++++++++++++
 .github/workflows/aur-publish.yml            | 128 +++++++++++++++++++
 3 files changed, 247 insertions(+)
 create mode 100644 .github/aur/stirling-pdf-bin/PKGBUILD
 create mode 100644 .github/aur/stirling-pdf-server-bin/PKGBUILD
 create mode 100644 .github/workflows/aur-publish.yml

diff --git a/.github/aur/stirling-pdf-bin/PKGBUILD b/.github/aur/stirling-pdf-bin/PKGBUILD
new file mode 100644
index 0000000000..bc6f59cea3
--- /dev/null
+++ b/.github/aur/stirling-pdf-bin/PKGBUILD
@@ -0,0 +1,29 @@
+# Maintainer: Stirling PDF Inc <contact@stirlingpdf.com>
+pkgname=stirling-pdf-bin
+pkgver=2.7.3
+pkgrel=1
+pkgdesc="Locally hosted, web-based PDF manipulation tool (desktop app, prebuilt binary)"
+arch=('x86_64')
+url="https://www.stirling.com"
+license=('MIT' 'LicenseRef-Stirling-PDF-Proprietary')
+depends=('gtk3' 'webkit2gtk' 'libappindicator-gtk3')
+provides=('stirling-pdf')
+conflicts=('stirling-pdf' 'stirling-pdf-git')
+options=('!strip')
+
+source_x86_64=("${pkgname}-${pkgver}.deb::https://github.com/Stirling-Tools/Stirling-PDF/releases/download/v${pkgver}/Stirling-PDF-linux-x86_64.deb")
+sha256sums_x86_64=('PLACEHOLDER_DEB_SHA256')
+
+package() {
+    # Extract the .deb archive
+    bsdtar -xf data.tar* -C "${pkgdir}"
+
+    # Fix permissions
+    find "${pkgdir}" -type d -exec chmod 755 {} \;
+
+    # Install license
+    install -Dm644 /dev/stdin "${pkgdir}/usr/share/licenses/${pkgname}/LICENSE" <<EOF
+Copyright (c) 2025 Stirling PDF Inc
+All rights reserved. See https://github.com/Stirling-Tools/Stirling-PDF/blob/main/LICENSE
+EOF
+}
diff --git a/.github/aur/stirling-pdf-server-bin/PKGBUILD b/.github/aur/stirling-pdf-server-bin/PKGBUILD
new file mode 100644
index 0000000000..3e0119e10e
--- /dev/null
+++ b/.github/aur/stirling-pdf-server-bin/PKGBUILD
@@ -0,0 +1,90 @@
+# Maintainer: Stirling PDF Inc <contact@stirlingpdf.com>
+pkgname=stirling-pdf-server-bin
+pkgver=2.7.3
+pkgrel=1
+pkgdesc="Locally hosted, web-based PDF manipulation tool (server JAR, prebuilt)"
+arch=('any')
+url="https://www.stirling.com"
+license=('MIT' 'LicenseRef-Stirling-PDF-Proprietary')
+depends=('java-runtime>=21')
+provides=('stirling-pdf-server')
+conflicts=('stirling-pdf-server' 'stirling-pdf-server-git')
+backup=('etc/stirling-pdf-server/settings.yml')
+
+source=("Stirling-PDF-with-login-${pkgver}.jar::https://github.com/Stirling-Tools/Stirling-PDF/releases/download/v${pkgver}/Stirling-PDF-with-login.jar"
+        "stirling-pdf-server.service"
+        "stirling-pdf-server.sysusers"
+        "stirling-pdf-server.tmpfiles")
+sha256sums=('PLACEHOLDER_JAR_SHA256'
+            'PLACEHOLDER_SERVICE_SHA256'
+            'PLACEHOLDER_SYSUSERS_SHA256'
+            'PLACEHOLDER_TMPFILES_SHA256')
+
+prepare() {
+    cat > stirling-pdf-server.service << 'EOF'
+[Unit]
+Description=Stirling-PDF Server
+After=network.target
+
+[Service]
+Type=simple
+User=stirling-pdf
+Group=stirling-pdf
+WorkingDirectory=/var/lib/stirling-pdf-server
+ExecStart=/usr/bin/java -jar /usr/share/stirling-pdf-server/stirling-pdf-server.jar
+Restart=on-failure
+RestartSec=5
+StandardOutput=journal
+StandardError=journal
+SyslogIdentifier=stirling-pdf-server
+Environment=JAVA_OPTS=-Xmx512m
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+    cat > stirling-pdf-server.sysusers << 'EOF'
+u stirling-pdf - "Stirling-PDF Server" /var/lib/stirling-pdf-server -
+EOF
+
+    cat > stirling-pdf-server.tmpfiles << 'EOF'
+d /var/lib/stirling-pdf-server 0750 stirling-pdf stirling-pdf -
+d /var/log/stirling-pdf-server 0750 stirling-pdf stirling-pdf -
+EOF
+}
+
+package() {
+    # JAR
+    install -Dm644 "Stirling-PDF-with-login-${pkgver}.jar" \
+        "${pkgdir}/usr/share/stirling-pdf-server/stirling-pdf-server.jar"
+
+    # Wrapper script
+    install -Dm755 /dev/stdin "${pkgdir}/usr/bin/stirling-pdf-server" << 'EOF'
+#!/bin/sh
+exec java $JAVA_OPTS -jar /usr/share/stirling-pdf-server/stirling-pdf-server.jar "$@"
+EOF
+
+    # systemd unit
+    install -Dm644 stirling-pdf-server.service \
+        "${pkgdir}/usr/lib/systemd/system/stirling-pdf-server.service"
+
+    # sysusers / tmpfiles
+    install -Dm644 stirling-pdf-server.sysusers \
+        "${pkgdir}/usr/lib/sysusers.d/stirling-pdf-server.conf"
+    install -Dm644 stirling-pdf-server.tmpfiles \
+        "${pkgdir}/usr/lib/tmpfiles.d/stirling-pdf-server.conf"
+
+    # Default config stub
+    install -dm755 "${pkgdir}/etc/stirling-pdf-server"
+    install -Dm644 /dev/stdin "${pkgdir}/etc/stirling-pdf-server/settings.yml" << 'EOF'
+# Stirling-PDF Server configuration
+# See https://github.com/Stirling-Tools/Stirling-PDF for all options
+server:
+  port: 8080
+EOF
+
+    # License
+    install -Dm644 /dev/stdin "${pkgdir}/usr/share/licenses/${pkgname}/LICENSE" << 'EOF'
+MIT License — see https://github.com/Stirling-Tools/Stirling-PDF/blob/main/LICENSE
+EOF
+}
diff --git a/.github/workflows/aur-publish.yml b/.github/workflows/aur-publish.yml
new file mode 100644
index 0000000000..935e58ffe0
--- /dev/null
+++ b/.github/workflows/aur-publish.yml
@@ -0,0 +1,128 @@
+name: Publish to AUR
+
+on:
+  release:
+    types: [released]
+  workflow_dispatch:
+    inputs:
+      version:
+        description: "Version to publish (e.g. 2.9.2 — no v prefix)"
+        required: true
+        type: string
+      dry_run:
+        description: "Skip the AUR push (safe test)"
+        type: boolean
+        default: true
+
+permissions:
+  contents: read
+
+jobs:
+  get-release-info:
+    runs-on: ubuntu-latest
+    outputs:
+      version: ${{ steps.info.outputs.version }}
+      deb_sha256: ${{ steps.hashes.outputs.deb_sha256 }}
+      jar_sha256: ${{ steps.hashes.outputs.jar_sha256 }}
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@6c3c2f2c1c457b00c10c4848d6f5491db3b629df # v2.18.0
+        with:
+          egress-policy: audit
+
+      - name: Extract version from tag or manual input
+        id: info
+        env:
+          DISPATCH_VERSION: ${{ inputs.version }}
+          RELEASE_TAG: ${{ github.event.release.tag_name }}
+        run: |
+          if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then
+            VERSION="$DISPATCH_VERSION"
+          else
+            VERSION="$RELEASE_TAG"
+          fi
+          VERSION="${VERSION#v}"
+          echo "version=$VERSION" >> "$GITHUB_OUTPUT"
+
+      - name: Download release assets and compute SHA256
+        id: hashes
+        env:
+          VERSION: ${{ steps.info.outputs.version }}
+        run: |
+          BASE="https://github.com/Stirling-Tools/Stirling-PDF/releases/download/v${VERSION}"
+
+          download_sha256() {
+            local url="$1"
+            local file
+            file=$(basename "$url")
+            curl -fsSL --retry 3 -o "$file" "$url"
+            sha256sum "$file" | awk '{print $1}'
+          }
+
+          DEB_SHA=$(download_sha256 "${BASE}/Stirling-PDF-linux-x86_64.deb")
+          JAR_SHA=$(download_sha256 "${BASE}/Stirling-PDF-with-login.jar")
+
+          echo "deb_sha256=$DEB_SHA" >> "$GITHUB_OUTPUT"
+          echo "jar_sha256=$JAR_SHA" >> "$GITHUB_OUTPUT"
+
+  publish-aur:
+    needs: get-release-info
+    runs-on: ubuntu-latest
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@v2
+        with:
+          egress-policy: audit
+
+      - name: Checkout repository (for PKGBUILD templates)
+        uses: actions/checkout@v4
+
+      - name: Update stirling-pdf-bin PKGBUILD
+        env:
+          VERSION: ${{ needs.get-release-info.outputs.version }}
+          DEB_SHA: ${{ needs.get-release-info.outputs.deb_sha256 }}
+        run: |
+          PKGBUILD=".github/aur/stirling-pdf-bin/PKGBUILD"
+          sed -i "s/^pkgver=.*/pkgver=${VERSION}/" "$PKGBUILD"
+          sed -i "s/^pkgrel=.*/pkgrel=1/" "$PKGBUILD"
+          sed -i "s/'PLACEHOLDER_DEB_SHA256'/'${DEB_SHA}'/" "$PKGBUILD"
+
+      - name: Update stirling-pdf-server-bin PKGBUILD
+        env:
+          VERSION: ${{ needs.get-release-info.outputs.version }}
+          JAR_SHA: ${{ needs.get-release-info.outputs.jar_sha256 }}
+        run: |
+          PKGBUILD=".github/aur/stirling-pdf-server-bin/PKGBUILD"
+          sed -i "s/^pkgver=.*/pkgver=${VERSION}/" "$PKGBUILD"
+          sed -i "s/^pkgrel=.*/pkgrel=1/" "$PKGBUILD"
+          sed -i "s/'PLACEHOLDER_JAR_SHA256'/'${JAR_SHA}'/" "$PKGBUILD"
+
+      - name: Show updated PKGBUILDs (for dry-run visibility)
+        run: |
+          echo "--- stirling-pdf-bin PKGBUILD ---"
+          cat .github/aur/stirling-pdf-bin/PKGBUILD
+          echo ""
+          echo "--- stirling-pdf-server-bin PKGBUILD ---"
+          cat .github/aur/stirling-pdf-server-bin/PKGBUILD
+
+      - name: Publish stirling-pdf-bin to AUR
+        if: ${{ github.event_name == 'release' || inputs.dry_run == false }}
+        uses: KSXGitHub/github-actions-deploy-aur@2ac5a4c1d7035885d46b10e3193393be8460b6f1 # v4.1.1
+        with:
+          pkgname: stirling-pdf-bin
+          pkgbuild: .github/aur/stirling-pdf-bin/PKGBUILD
+          commit_username: Stirling PDF Inc
+          commit_email: contact@stirlingpdf.com
+          ssh_private_key: ${{ secrets.AUR_SSH_PRIVATE_KEY }}
+          commit_message: "Update to v${{ needs.get-release-info.outputs.version }}"
+
+      - name: Publish stirling-pdf-server-bin to AUR
+        if: ${{ github.event_name == 'release' || inputs.dry_run == false }}
+        uses: KSXGitHub/github-actions-deploy-aur@v4.1.1
+        with:
+          pkgname: stirling-pdf-server-bin
+          pkgbuild: .github/aur/stirling-pdf-server-bin/PKGBUILD
+          commit_username: Stirling PDF Inc
+          commit_email: contact@stirlingpdf.com
+          ssh_private_key: ${{ secrets.AUR_SSH_PRIVATE_KEY }}
+          commit_message: "Update to v${{ needs.get-release-info.outputs.version }}"