SubMiner/backlog/tasks/task-166 - Prevent-AUR-upgrade-cache-collisions-for-unversioned-release-assets.md

---
id: TASK-166
title: Prevent AUR upgrade cache collisions for unversioned release assets
status: Done
assignee:
  - Codex
created_date: '2026-03-17 18:10'
updated_date: '2026-03-18 05:28'
labels:
  - release
  - packaging
  - linux
dependencies:
  - TASK-165
references:
  - /home/sudacode/projects/japanese/SubMiner/.github/workflows/release.yml
  - /home/sudacode/projects/japanese/SubMiner/scripts/update-aur-package.sh
  - /home/sudacode/projects/japanese/SubMiner/scripts/update-aur-package.test.ts
  - >-
    /home/sudacode/projects/japanese/SubMiner/packaging/aur/subminer-bin/PKGBUILD
  - >-
    /home/sudacode/projects/japanese/SubMiner/packaging/aur/subminer-bin/.SRCINFO
priority: medium
ordinal: 107500
---

## Description

<!-- SECTION:DESCRIPTION:BEGIN -->
Fix the AUR release metadata generated by the tagged-release workflow so end-user upgrades do not reuse stale cached downloads for unversioned `subminer` and `subminer-assets.tar.gz` source names.
<!-- SECTION:DESCRIPTION:END -->

## Acceptance Criteria
<!-- AC:BEGIN -->
- [x] #1 AUR packaging generated for a new `pkgver` uses versioned local source aliases for the non-versioned GitHub release assets.
- [x] #2 The package install step references the versioned local launcher filename correctly.
- [x] #3 Regression coverage fails if metadata generation reintroduces stable cache-colliding source aliases.
- [x] #4 Targeted verification records the commands run and results.
<!-- AC:END -->

## Implementation Plan

<!-- SECTION:PLAN:BEGIN -->
1. Add a failing regression test around `scripts/update-aur-package.sh` output for versioned local source aliases.
2. Update the repo AUR template and `.SRCINFO` rewrite logic to stamp versioned alias names for `subminer` and `subminer-assets`.
3. Verify the generated metadata and targeted workflow/package tests, then record results here.
<!-- SECTION:PLAN:END -->

## Implementation Notes

<!-- SECTION:NOTES:BEGIN -->
Root cause: the AUR package used stable local source aliases for the unversioned `subminer` and `subminer-assets.tar.gz` GitHub release assets. `makepkg`/AUR helpers can reuse those cached filenames across upgrades, so a stale cached download survives into a newer `pkgver` and then fails checksum validation.

Patched the repo AUR template to version the local cache aliases:
- `subminer-${pkgver}::.../subminer`
- `subminer-assets-${pkgver}.tar.gz::.../subminer-assets.tar.gz`

Updated `package()` to install the versioned local wrapper filename, and updated `scripts/update-aur-package.sh` so the generated `.SRCINFO` stamps matching concrete versioned aliases for release automation.

Added regression assertions in `scripts/update-aur-package.test.ts` covering both versioned source aliases and the launcher install path, then watched that test fail before the patch and pass after it.

Verification:
- `bun test scripts/update-aur-package.test.ts`
- `bash -n scripts/update-aur-package.sh && bash -n packaging/aur/subminer-bin/PKGBUILD`
- `bun run typecheck`
- `bun run test:fast`
- `bun run test:env`
- `bun run build`
- `bun run test:smoke:dist`
<!-- SECTION:NOTES:END -->

## Final Summary

<!-- SECTION:FINAL_SUMMARY:BEGIN -->
The tagged-release AUR metadata path now emits versioned local source aliases for the non-versioned GitHub release assets, preventing stale `makepkg` cache reuse across `subminer-bin` upgrades. The change is covered by a regression test and passed the repo's maintained verification gate.
<!-- SECTION:FINAL_SUMMARY:END -->