
Release and Packaging

Auditaur packages are published publicly and the repository is configured for semantic release automation.

| Component | Name | Status |
| --- | --- | --- |
| CLI crate | auditaur-cli | Published to crates.io; installs a binary named auditaur. |
| Core crate | auditaur-core | Published to crates.io for shared models and config. |
| Collector crate | auditaur-collector | Published to crates.io for SQLite store and receiver types. |
| Tauri plugin macro crate | tauri-plugin-auditaur-macros | Published to crates.io before the plugin crate; re-exported by tauri-plugin-auditaur. |
| Tauri plugin crate | tauri-plugin-auditaur | Published to crates.io for Tauri v2 apps. |
| Frontend package | @auditaur/api | Published to npm. |

The Rust workspace declares MIT license and repository metadata. Each crate includes crates.io metadata and versioned workspace dependency declarations. The npm package is public-scoped through publishConfig.access = "public".

Install the CLI:

cargo install auditaur-cli
auditaur doctor

Source checkout development:

cargo run -p auditaur-cli -- apps --json
cargo run -p auditaur-cli -- mcp

Build release binary:

cargo build -p auditaur-cli --release
.\target\release\auditaur.exe doctor

On macOS/Linux, use ./target/release/auditaur.

Rust crates use release-plz:

  1. .github/workflows/release-rust.yml opens or updates a Rust release PR on pushes to main.
  2. Merging the release PR updates versions and changelogs according to Conventional Commits plus release-plz semver checks.
  3. release-plz.toml sets release_always = false, so normal pushes only prepare release PRs and publishing happens from release PR merges.
  4. Merging the release PR runs release-plz publish for changed Rust crates.
  5. The release workflow verifies that tauri-plugin-auditaur depends on tauri-plugin-auditaur-macros at the same version before release-plz runs. Cargo and release-plz then use the workspace dependency graph, so the macro crate must be available before the plugin crate can publish.
  6. CI and release workflows run python scripts/check-skill-drift.py so .github/skills/auditaur-debug/SKILL.md and the packaged CLI asset at crates/auditaur-cli/assets/auditaur-debug-skill.md cannot drift.
  7. Publishing requires a CARGO_REGISTRY_TOKEN repository secret until crates.io trusted publishing is configured for existing crates.
  8. The CLI is distributed through the auditaur-cli crate. Auditaur does not publish prebuilt GitHub release binaries because Tauri developers already need Rust and Cargo for normal app development.

The frontend package uses release-please:

  1. .github/workflows/release-api.yml opens or updates a release PR for packages\api.
  2. Merging the release PR creates a GitHub release tagged for @auditaur/api.
  3. .github/workflows/publish-api.yml publishes matching @auditaur/api-v* releases to npm with provenance.
  4. Publishing uses npm trusted publishing/OIDC, so no NPM_TOKEN is required after the package is configured on npm.

Manual dry runs are available locally:

cargo publish -p auditaur-core --dry-run
cargo publish -p auditaur-collector --dry-run
cargo publish -p tauri-plugin-auditaur-macros --dry-run
cargo publish -p tauri-plugin-auditaur --dry-run
cargo publish -p auditaur-cli --dry-run
cd packages\api
npm publish --dry-run --access public

For a single local preflight before a release, run:

.\scripts\preflight-release.ps1

This runs the skill drift check, Rust formatting and targeted tests, API tests/build, docs build, CLI crate package verification, and gh skill publish .github --dry-run when GitHub CLI is available. Add -IncludeDogfoodSmoke to include the live Windows dogfood app pass, -AllowDirtyPackage while validating uncommitted local changes, or -SkipGhSkillDryRun when GitHub CLI is unavailable.

The live dogfood app smoke is also available as a manual GitHub Actions workflow named Dogfood Smoke. It is intentionally workflow_dispatch only because it launches the Windows Tauri/WebView app and is heavier than normal PR validation.

  1. Keep npm trusted publishing configured for @auditaur/api:
    • Publisher: GitHub Actions.
    • Organization/user: sethjuarez.
    • Repository: auditaur.
    • Workflow: publish-api.yml.
    • Environment: leave blank unless this workflow is later updated to use one.
  2. Keep CARGO_REGISTRY_TOKEN available until crates.io trusted publishing is configured for all Rust crates.
  3. For the first release that includes tauri-plugin-auditaur-macros, confirm the release-plz run lists the macro crate before tauri-plugin-auditaur.
  4. Run python scripts/check-skill-drift.py after editing the Auditaur debug skill, or copy .github\skills\auditaur-debug\SKILL.md to crates\auditaur-cli\assets\auditaur-debug-skill.md.
  5. Run .\scripts\preflight-release.ps1 before publishing release PRs. Use -IncludeDogfoodSmoke when a live Windows dogfood pass is appropriate.
  6. Before publishing the agent skill for real, review gh skill publish .github --dry-run warnings. Repo-level warnings such as secret scanning, push protection, and tag rulesets are GitHub repository settings, not code changes.
  7. Use Conventional Commits so release-plz and release-please can calculate semantic versions consistently.