Auto Updater

[Bashamega]

Summary by CodeRabbit

• New Features

  • Introduces in-app update support on macOS, Windows, and Linux.
  • Enables secure update checks with signed artifacts and a configured update feed.
  • Generates updater artifacts during desktop builds for smoother distribution.

• Chores

  • Enhances release pipeline to support building and signing desktop updates.
  • Updates project configuration to align with new desktop update capabilities.
  • Adds ignore rules for local tooling and build artifacts.

[coderabbitai]

Walkthrough

Adds Tauri updater support: configures updater plugin and endpoints, enables updater artifacts, adds plugin to the Tauri builder, introduces a desktop capability for updater permission, updates platform-specific Cargo deps, adds JS plugin dependency, and injects private key/password env vars into the release workflow. Minor .gitignore update.

Changes

Cohort / File(s)	Summary of Changes
CI/CD Release Workflow .github/workflows/release.yaml	Adds env vars TAURI_PRIVATE_KEY and TAURI_KEY_PASSWORD to the tauri-action build step (sourced from secrets).
Ignore Rules .gitignore	Restores .early.coverage; adds .tauri; ensures trailing newline.
JS Dependencies package.json	Adds dependency @tauri-apps/plugin-updater with version ~2.
Rust Manifest (platform-gated) src-tauri/Cargo.toml	Adds tauri-plugin-updater = "2" under target.'cfg(not(any(target_os = "android", target_os = "ios")))'.dependencies.
Tauri Runtime Composition src-tauri/src/lib.rs	Registers the updater plugin: .plugin(tauri_plugin_updater::Builder::new().build()) in the builder chain.
Tauri Configuration src-tauri/tauri.conf.json	Enables bundle.createUpdaterArtifacts: true; configures plugins.updater.pubkey and plugins.updater.endpoints (GitHub Releases latest.json).
Capabilities src-tauri/capabilities/desktop.json	Adds desktop-capability for macOS/Windows/Linux with permission updater:default; Windows scope includes main.

Sequence Diagram(s)

sequenceDiagram
  autonumber
  actor User
  participant App as Tauri App
  participant Updater as Updater Plugin
  participant GH as GitHub Releases

  User->>App: Launch application
  App->>Updater: Initialize with config (pubkey, endpoints)
  Updater->>GH: GET latest.json (endpoint)
  GH-->>Updater: latest.json (version, assets, sig)
  Updater->>Updater: Compare current vs latest
  alt Update available
    Updater->>GH: Download updater artifact
    Updater->>Updater: Verify signature (pubkey)
    alt Verification OK
      Updater->>App: Apply update and relaunch
    else Verification failed
      Updater-->>App: Report error / continue without update
    end
  else Up-to-date
    Updater-->>App: No action
  end
  App-->>User: App ready

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

• Feature: New project #8 — Also modifies src-tauri/src/lib.rs by adding a plugin in the same builder chain, suggesting related integration points and potential merge interactions.

Pre-merge checks (2 passed, 1 warning)

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Description Check	⚠️ Warning	The pull request description is empty and does not provide any context or detail about the changes introduced, preventing reviewers from understanding the intent or scope of the updates.	Please add a descriptive summary that outlines the purpose and key modifications of this pull request, such as the introduction of the Tauri auto-updater plugin and related configuration updates.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Title Check	✅ Passed	The title “Auto Updater” concisely highlights the core change of integrating an automatic update mechanism into the Tauri application, aligning directly with the primary modifications made in this pull request.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.

Poem

A bunny compiled an update tonight,
With keys in the clouds and versions in sight.
It hops through configs, signs every byte—
GitHub whispers “latest,” all checks turn bright.
One gentle restart, then off in delight.
(\/)<(^^)> 🚀

Tip

👮 Agentic pre-merge checks are now available in preview!

Pro plan users can now enable pre-merge checks in their settings to enforce checklists before merging PRs.

• Built-in checks – Quickly apply ready-made checks to enforce title conventions, require pull request descriptions that follow templates, validate linked issues for compliance, and more.
• Custom agentic checks – Define your own rules using CodeRabbit’s advanced agentic capabilities to enforce organization-specific policies and workflows. For example, you can instruct CodeRabbit’s agent to verify that API documentation is updated whenever API schema files are modified in a PR. Note: Upto 5 custom checks are currently allowed during the preview period. Pricing for this feature will be announced in a few weeks.

Example:

reviews:
  pre_merge_checks:
    custom_checks:
		  - name: "Undocumented Breaking Changes"
			  mode: "warning"
			  instructions: |
				  Flag potential breaking changes that are not documented:
				  1. Identify changes to public APIs/exports, CLI flags, environment variables, configuration keys, database schemas, or HTTP/GraphQL endpoints (including removed/renamed items and changes to types, required params, return values, defaults, or behavior).
				  2. Ignore purely internal/private changes (e.g., code not exported from package entry points or marked internal).
				  3. Verify documentation exists: a "Breaking Change" section in the PR description and updates to CHANGELOG.md.

Please share your feedback with us on this Discord post.

✨ Finishing Touches

• 📝 Generate Docstrings

🧪 Generate unit tests

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch updater

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 0

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

src-tauri/src/lib.rs (1)

9-16: Gate the updater plugin for non-mobile targets to avoid mobile build breakage.

Cargo only includes the crate on non-Android/iOS, but the code always references it; mobile builds will fail to compile.

Apply this refactor to conditionally add the plugin:

 pub fn run() {
-    tauri::Builder::default()
-        .plugin(tauri_plugin_updater::Builder::new().build())
-        .plugin(tauri_plugin_fs::init())
+    let builder = tauri::Builder::default();
+    #[cfg(not(any(target_os = "android", target_os = "ios")))]
+    let builder = builder.plugin(tauri_plugin_updater::Builder::new().build());
+    #[cfg(any(target_os = "android", target_os = "ios"))]
+    let builder = builder;
+    builder
+        .plugin(tauri_plugin_fs::init())
         .plugin(tauri_plugin_dialog::init())
         .plugin(tauri_plugin_opener::init())
         .invoke_handler(tauri::generate_handler![read_file, sync, generate_epub])
         .run(tauri::generate_context!())
         .expect("error while running tauri application");
 }

🧹 Nitpick comments (3)

package.json (1)

35-35: Add updater dep looks good; consider aligning semver style.

You use ^2 for most Tauri JS plugins and ~2 here. For consistency, consider switching to caret.

-    "@tauri-apps/plugin-updater": "~2",
+    "@tauri-apps/plugin-updater": "^2",

.gitignore (1)

26-29: Good adds; also ignore Rust build outputs.

Ignoring .tauri and coverage is fine. To avoid accidentally committing Rust artifacts, consider adding target/ (and the nested one some setups create).

 .early.coverage

 .tauri
+target/
+src-tauri/target/

.github/workflows/release.yaml (1)

156-157: Secrets wired correctly; verify they exist and match the pubkey.

Make sure repo/org secrets TAURI_PRIVATE_KEY and TAURI_KEY_PASSWORD are set and correspond to the public key in tauri.conf.json. Otherwise updater verification will fail.

I can provide a hardened checklist for key setup and a dry-run script to validate release assets once secrets are in place.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 96c26a0 and 3e3a96e.

⛔ Files ignored due to path filters (2)

• src-tauri/Cargo.lock is excluded by !**/*.lock
• yarn.lock is excluded by !**/yarn.lock, !**/*.lock

📒 Files selected for processing (7)

• .github/workflows/release.yaml (1 hunks)
• .gitignore (1 hunks)
• package.json (1 hunks)
• src-tauri/Cargo.toml (1 hunks)
• src-tauri/capabilities/desktop.json (1 hunks)
• src-tauri/src/lib.rs (1 hunks)
• src-tauri/tauri.conf.json (1 hunks)

🔇 Additional comments (4)

src-tauri/Cargo.toml (1)

34-36: Correct target-specific dep; align with code gating.

Dependency is properly limited to desktop. Once you conditionally register the plugin in lib.rs, desktop/mobile builds will be consistent.

Try cargo check --target aarch64-apple-ios (or Android) after the lib.rs change to ensure mobile builds succeed.

src-tauri/capabilities/desktop.json (1)

1-14: Capability looks correct.

Platforms and windows: ["main"] with updater:default are appropriate for desktop. No issues.

src-tauri/tauri.conf.json (2)

33-35: Enabling updater artifacts is right; verify multi-arch release has a single coherent latest.json.

When building both macOS arches in parallel, ensure the release ends up with a single latest.json that references all assets. Tauri Action usually handles this, but it’s worth checking after the first release.

I can provide a small gh-CLI script to assert that latest.json exists and lists all artifact URLs for darwin-x64, darwin-arm64, windows, and linux if you want.

---

36-43: Ensure updater pubkey matches your Tauri private key
Decode the Base64 string in src-tauri/tauri.conf.json (lines 36–43) locally—e.g.

echo '<pubkey>' | base64 -d   # or use openssl: openssl base64 -d  

and confirm it begins with “untrusted comment: minisign public key:” and corresponds to your TAURI_PRIVATE_KEY. If it doesn’t, replace it to prevent client update failures.