Add self-update command and daily update check

- ghapp update: fetch latest release, verify SHA256, replace binaries
- Daily background check with non-blocking notice on stderr
- Platform-specific binary replacement (atomic rename Unix, rename+copy Windows)
- Skip check for machine-consumed commands and dev builds
- GHAPP_NO_UPDATE_CHECK=1 env var to opt out

Author: rmorse

README.md

@@ -88,6 +88,7 @@ gh pr list
 | `ghapp auth configure [--gh-auth MODE]` | Configure git credential helper, gh CLI, and git identity |
 | `ghapp auth status` | Show current auth configuration and diagnostics |
 | `ghapp auth reset [--remove-key]` | Remove all auth config and restore previous git identity |
+| `ghapp update` | Self-update to the latest release |
 | `ghapp version` | Print version info |
 
 ### `--gh-auth` modes
@@ -150,7 +151,7 @@ app_slug: myapp              # cached after first auth configure
 bot_user_id: 149130343       # cached after first auth configure
 ```
 
-Environment overrides: `GHAPP_APP_ID`, `GHAPP_INSTALLATION_ID`, `GHAPP_PRIVATE_KEY_PATH`
+Environment overrides: `GHAPP_APP_ID`, `GHAPP_INSTALLATION_ID`, `GHAPP_PRIVATE_KEY_PATH`, `GHAPP_NO_UPDATE_CHECK=1` (disable daily update notice)
 
 ## Private Key Storage
 

internal/cmd/root.go

@@ -2,11 +2,13 @@ package cmd
 
 import (
 	"fmt"
+	"os"
 
 	"github.com/spf13/cobra"
 
 	"github.com/operator-kit/github-app-auth/internal/auth"
 	"github.com/operator-kit/github-app-auth/internal/config"
+	"github.com/operator-kit/github-app-auth/internal/selfupdate"
 )
 
 var (
@@ -18,6 +20,8 @@ var (
 	versionStr string
 	commitStr  string
 	dateStr    string
+
+	updateResult chan string
 )
 
 func SetVersionInfo(version, commit, date string) {
@@ -31,9 +35,11 @@ var rootCmd = &cobra.Command{
 	Short: "GitHub App authentication for git and gh",
 	Long:  "Authenticate as a GitHub App, generate installation tokens, and configure git/gh to use them transparently.",
 	PersistentPreRunE: func(cmd *cobra.Command, args []string) error {
+		startUpdateCheck(cmd)
+
 		// Commands that don't need config
 		name := cmd.Name()
-		if name == "ghapp" || name == "version" || name == "setup" || name == "shell-init" {
+		if name == "ghapp" || name == "version" || name == "setup" || name == "shell-init" || name == "update" {
 			return nil
 		}
 
@@ -53,6 +59,40 @@ var rootCmd = &cobra.Command{
 		}
 		return nil
 	},
+	PersistentPostRunE: func(cmd *cobra.Command, args []string) error {
+		if updateResult == nil {
+			return nil
+		}
+		select {
+		case latest := <-updateResult:
+			if latest != "" {
+				fmt.Fprintf(os.Stderr, "\nA new version of ghapp is available: v%s (current: v%s)\nRun 'ghapp update' to upgrade.\n", latest, versionStr)
+			}
+		default:
+			// goroutine hasn't finished, skip silently
+		}
+		return nil
+	},
+}
+
+func startUpdateCheck(cmd *cobra.Command) {
+	if os.Getenv("GHAPP_NO_UPDATE_CHECK") == "1" {
+		return
+	}
+	if versionStr == "dev" {
+		return
+	}
+	name := cmd.Name()
+	if name == "credential-helper" || name == "shell-init" || name == "token" || name == "update" {
+		return
+	}
+	if !selfupdate.ShouldCheck(versionStr) {
+		return
+	}
+	updateResult = make(chan string, 1)
+	go func() {
+		updateResult <- selfupdate.CheckForUpdate(versionStr)
+	}()
 }
 
 func init() {
@@ -63,6 +103,7 @@ func init() {
 	rootCmd.AddCommand(tokenCmd)
 	rootCmd.AddCommand(authCmd)
 	rootCmd.AddCommand(credentialHelperCmd)
+	rootCmd.AddCommand(updateCmd)
 }
 
 func Execute() error {

internal/cmd/update.go

@@ -0,0 +1,44 @@
+package cmd
+
+import (
+	"fmt"
+	"strings"
+
+	"github.com/spf13/cobra"
+
+	"github.com/operator-kit/github-app-auth/internal/selfupdate"
+)
+
+var updateCmd = &cobra.Command{
+	Use:   "update",
+	Short: "Update ghapp to the latest version",
+	RunE: func(cmd *cobra.Command, args []string) error {
+		if versionStr == "dev" {
+			fmt.Fprintln(cmd.ErrOrStderr(), "Skipping update: running dev build")
+			return nil
+		}
+
+		release, err := selfupdate.FetchLatestRelease()
+		if err != nil {
+			return fmt.Errorf("check for update: %w", err)
+		}
+		if release == nil {
+			fmt.Fprintln(cmd.OutOrStdout(), "No published release found.")
+			return nil
+		}
+
+		latest := strings.TrimPrefix(release.TagName, "v")
+		if selfupdate.CompareVersions(versionStr, latest) >= 0 {
+			fmt.Fprintf(cmd.OutOrStdout(), "Already up to date (v%s).\n", versionStr)
+			return nil
+		}
+
+		fmt.Fprintf(cmd.ErrOrStderr(), "Updating v%s → v%s\n", versionStr, latest)
+		if err := selfupdate.Update(release, cmd.ErrOrStderr()); err != nil {
+			return fmt.Errorf("update: %w", err)
+		}
+
+		fmt.Fprintf(cmd.OutOrStdout(), "Successfully updated to v%s.\n", latest)
+		return nil
+	},
+}

internal/selfupdate/check.go

@@ -0,0 +1,134 @@
+package selfupdate
+
+import (
+	"encoding/json"
+	"fmt"
+	"net/http"
+	"os"
+	"path/filepath"
+	"strings"
+	"time"
+)
+
+const checkFileName = "update-check.json"
+
+// DirOverride allows tests to redirect the cache to a temp directory.
+var DirOverride string
+
+// BaseURL is the GitHub API base URL (override in tests with httptest).
+var BaseURL = "https://api.github.com"
+
+// CheckResult is persisted between runs to throttle update checks.
+type CheckResult struct {
+	LatestVersion string    `json:"latest_version"`
+	CheckedAt     time.Time `json:"checked_at"`
+}
+
+// ReleaseResponse is the subset of GitHub's release JSON we need.
+type ReleaseResponse struct {
+	TagName string  `json:"tag_name"`
+	Assets  []Asset `json:"assets"`
+}
+
+// Asset is a single file attached to a GitHub release.
+type Asset struct {
+	Name               string `json:"name"`
+	BrowserDownloadURL string `json:"browser_download_url"`
+}
+
+func checkFilePath() string {
+	if DirOverride != "" {
+		return filepath.Join(DirOverride, checkFileName)
+	}
+	configDir, err := os.UserConfigDir()
+	if err != nil {
+		return ""
+	}
+	return filepath.Join(configDir, "ghapp", checkFileName)
+}
+
+func readCheckResult() *CheckResult {
+	path := checkFilePath()
+	if path == "" {
+		return nil
+	}
+	data, err := os.ReadFile(path)
+	if err != nil {
+		return nil
+	}
+	var result CheckResult
+	if err := json.Unmarshal(data, &result); err != nil {
+		return nil
+	}
+	return &result
+}
+
+func writeCheckResult(result *CheckResult) {
+	path := checkFilePath()
+	if path == "" {
+		return
+	}
+	data, err := json.Marshal(result)
+	if err != nil {
+		return
+	}
+	_ = os.MkdirAll(filepath.Dir(path), 0o755)
+	_ = os.WriteFile(path, data, 0o600)
+}
+
+// ShouldCheck returns true if >24h since last check and version is not "dev".
+func ShouldCheck(currentVersion string) bool {
+	if currentVersion == "dev" {
+		return false
+	}
+	result := readCheckResult()
+	if result == nil {
+		return true
+	}
+	return time.Since(result.CheckedAt) > 24*time.Hour
+}
+
+// FetchLatestRelease fetches the latest published release from GitHub.
+// Returns nil, nil if no published release exists (404).
+func FetchLatestRelease() (*ReleaseResponse, error) {
+	url := BaseURL + "/repos/operator-kit/github-app-auth/releases/latest"
+	client := &http.Client{Timeout: 5 * time.Second}
+	resp, err := client.Get(url)
+	if err != nil {
+		return nil, fmt.Errorf("fetch release: %w", err)
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode == http.StatusNotFound {
+		return nil, nil
+	}
+	if resp.StatusCode != http.StatusOK {
+		return nil, fmt.Errorf("GitHub API returned %d", resp.StatusCode)
+	}
+
+	var release ReleaseResponse
+	if err := json.NewDecoder(resp.Body).Decode(&release); err != nil {
+		return nil, fmt.Errorf("decode release: %w", err)
+	}
+	return &release, nil
+}
+
+// CheckForUpdate fetches the latest release and returns the version if newer.
+// Returns empty string if no update available or on any error.
+func CheckForUpdate(currentVersion string) string {
+	release, err := FetchLatestRelease()
+	if err != nil || release == nil {
+		return ""
+	}
+
+	latest := strings.TrimPrefix(release.TagName, "v")
+	writeCheckResult(&CheckResult{
+		LatestVersion: latest,
+		CheckedAt:     time.Now(),
+	})
+
+	if CompareVersions(currentVersion, latest) < 0 {
+		return latest
+	}
+	return ""
+}