fix(release): version AUR asset cache aliases

backlog/tasks/task-166 - Prevent-AUR-upgrade-cache-collisions-for-unversioned-release-assets.md

@@ -0,0 +1,73 @@
+---
+id: TASK-166
+title: Prevent AUR upgrade cache collisions for unversioned release assets
+status: Done
+assignee:
+  - Codex
+created_date: '2026-03-17 18:10'
+updated_date: '2026-03-17 18:14'
+labels:
+  - release
+  - packaging
+  - linux
+dependencies:
+  - TASK-165
+references:
+  - /home/sudacode/projects/japanese/SubMiner/.github/workflows/release.yml
+  - /home/sudacode/projects/japanese/SubMiner/scripts/update-aur-package.sh
+  - /home/sudacode/projects/japanese/SubMiner/scripts/update-aur-package.test.ts
+  - /home/sudacode/projects/japanese/SubMiner/packaging/aur/subminer-bin/PKGBUILD
+  - /home/sudacode/projects/japanese/SubMiner/packaging/aur/subminer-bin/.SRCINFO
+priority: medium
+---
+
+## Description
+
+<!-- SECTION:DESCRIPTION:BEGIN -->
+Fix the AUR release metadata generated by the tagged-release workflow so end-user upgrades do not reuse stale cached downloads for unversioned `subminer` and `subminer-assets.tar.gz` source names.
+<!-- SECTION:DESCRIPTION:END -->
+
+## Acceptance Criteria
+<!-- AC:BEGIN -->
+- [x] #1 AUR packaging generated for a new `pkgver` uses versioned local source aliases for the non-versioned GitHub release assets.
+- [x] #2 The package install step references the versioned local launcher filename correctly.
+- [x] #3 Regression coverage fails if metadata generation reintroduces stable cache-colliding source aliases.
+- [x] #4 Targeted verification records the commands run and results.
+<!-- AC:END -->
+
+## Implementation Plan
+
+<!-- SECTION:PLAN:BEGIN -->
+1. Add a failing regression test around `scripts/update-aur-package.sh` output for versioned local source aliases.
+2. Update the repo AUR template and `.SRCINFO` rewrite logic to stamp versioned alias names for `subminer` and `subminer-assets`.
+3. Verify the generated metadata and targeted workflow/package tests, then record results here.
+<!-- SECTION:PLAN:END -->
+
+## Implementation Notes
+
+<!-- SECTION:NOTES:BEGIN -->
+Root cause: the AUR package used stable local source aliases for the unversioned `subminer` and `subminer-assets.tar.gz` GitHub release assets. `makepkg`/AUR helpers can reuse those cached filenames across upgrades, so a stale cached download survives into a newer `pkgver` and then fails checksum validation.
+
+Patched the repo AUR template to version the local cache aliases:
+- `subminer-${pkgver}::.../subminer`
+- `subminer-assets-${pkgver}.tar.gz::.../subminer-assets.tar.gz`
+
+Updated `package()` to install the versioned local wrapper filename, and updated `scripts/update-aur-package.sh` so the generated `.SRCINFO` stamps matching concrete versioned aliases for release automation.
+
+Added regression assertions in `scripts/update-aur-package.test.ts` covering both versioned source aliases and the launcher install path, then watched that test fail before the patch and pass after it.
+
+Verification:
+- `bun test scripts/update-aur-package.test.ts`
+- `bash -n scripts/update-aur-package.sh && bash -n packaging/aur/subminer-bin/PKGBUILD`
+- `bun run typecheck`
+- `bun run test:fast`
+- `bun run test:env`
+- `bun run build`
+- `bun run test:smoke:dist`
+<!-- SECTION:NOTES:END -->
+
+## Final Summary
+
+<!-- SECTION:FINAL_SUMMARY:BEGIN -->
+The tagged-release AUR metadata path now emits versioned local source aliases for the non-versioned GitHub release assets, preventing stale `makepkg` cache reuse across `subminer-bin` upgrades. The change is covered by a regression test and passed the repo's maintained verification gate.
+<!-- SECTION:FINAL_SUMMARY:END -->