feat: harden fullupgrade and document release workflow

Add set -euo pipefail, root checks, safer orphan cleanup, and a help
message to fullupgrade. Refresh the README and project notes to match
the current scripts and release process.

.continue/rules/project.md

@@ -0,0 +1,86 @@
+# Project status — fullupgrade
+
+Last updated: 2026-04-27
+
+## Project goal
+This repository contains two Bash scripts for system administration and Git release management:
+- `fullupgrade`: Arch Linux maintenance script
+- `makerelease.sh`: Git release automation script
+
+The project is intentionally minimal and centered on these two scripts.
+
+## Current structure
+- `fullupgrade`: system update and cleanup
+- `makerelease.sh`: release workflow from `dev` to `main`
+- `README.md`: English documentation with usage, warnings, and examples
+- `LICENSE`: GPLv3
+
+## Current analysis
+
+### 1) `fullupgrade`
+Current behavior:
+- updates `archlinux-keyring`
+- runs `pacman -Syu --noconfirm`
+- removes orphaned packages only when any are found
+- cleans the pacman cache
+
+Notes:
+- the script already uses `set -euo pipefail`
+- it checks for root privileges before running package operations
+- it can have a significant system impact
+
+Recommendations:
+- keep documenting the system impact clearly
+- consider whether `pacman -Sc` is the right cache cleanup level for every use case
+
+### 2) `makerelease.sh`
+Current behavior:
+- takes `VERSION` and `MESSAGE` as arguments
+- checks that the current branch is `dev`
+- checks out `main`
+- merges `dev` into `main`
+- pushes the branch
+- creates an annotated tag
+- pushes tags
+- returns to `dev`
+
+Notes:
+- the script currently does not use `set -euo pipefail`
+- there is no check for a clean working tree
+- there is no validation of the release message
+- there is no guard against duplicate tags
+- returning to `dev` is not protected if a command fails
+
+Recommendations:
+- add `set -euo pipefail`
+- verify the Git status before releasing
+- validate `VERSION` and `MESSAGE`
+- prevent duplicate tags
+- use a `trap` to return to the initial branch on failure
+- improve the help output
+
+### 3) `README.md`
+Current status:
+- the README has a first complete pass in English
+- it explains both scripts, their requirements, usage, warnings, and an example release command
+
+Recommendations:
+- keep it aligned with the actual script behavior
+- add more examples only if they improve clarity
+
+## Project tracking rules
+This file should be updated whenever:
+- script behavior changes
+- documentation changes materially
+- new constraints or design decisions are introduced
+- release workflow rules evolve
+
+## Current priorities
+1. Secure the Bash scripts
+2. Keep documentation aligned with the scripts
+3. Make the release workflow more robust
+
+## Maintenance notes
+- Always keep the README, the scripts, and this file consistent.
+- If a script changes, update this note immediately.
+- If a new usage rule appears, document it here.

README.md

@@ -1,2 +1,79 @@
 # fullupgrade
 
+Minimal Bash tools for Arch Linux maintenance and Git release automation.
+
+## Overview
+
+This repository contains two small Bash scripts:
+
+- `fullupgrade`: updates an Arch Linux system and performs cleanup
+- `makerelease.sh`: merges `dev` into `main` and creates a release tag
+
+The project is intentionally small and focused on a simple, opinionated workflow.
+
+## Requirements
+
+- Bash
+- `pacman` for `fullupgrade`
+- `git` for `makerelease.sh`
+- root privileges for `fullupgrade`
+- a local Git repository with `dev` and `main` branches for `makerelease.sh`
+
+## `fullupgrade`
+
+`fullupgrade` performs the following steps:
+
+1. updates `archlinux-keyring`
+2. runs a full system synchronization with `pacman -Syu --noconfirm`
+3. removes orphaned packages if any are found
+4. cleans the pacman cache with `pacman -Sc --noconfirm`
+
+### Usage
+
+```bash
+sudo ./fullupgrade
+```
+
+### Notes
+
+- The script must be run as `root`.
+- It does not ask for confirmation.
+- It can remove packages and clean the package cache, so review the output carefully.
+
+## `makerelease.sh`
+
+`makerelease.sh` automates a simple Git release workflow:
+
+1. checks that the current branch is `dev`
+2. switches to `main`
+3. merges `dev` into `main`
+4. pushes `main`
+5. creates an annotated tag using the provided version and message
+6. pushes tags
+7. switches back to `dev`
+
+### Usage
+
+```bash
+./makerelease.sh VERSION "Release message"
+```
+
+### Example
+
+```bash
+./makerelease.sh 1.2.0 "Release 1.2.0"
+```
+
+### Notes
+
+- Run the script from a clean, local Git repository.
+- Make sure the `dev` branch contains the changes you want to release.
+- The script may fail if Git state is unexpected or if a tag already exists.
+
+## Status
+
+This repository is intentionally minimal. `fullupgrade` is hardened with `set -euo pipefail`, while `makerelease.sh` may still need additional validation and safeguards.
+
+## License
+
+GPLv3

fullupgrade

@@ -1,6 +1,61 @@
 #!/bin/bash
+set -euo pipefail
 
-pacman -Sy --noconfirm archlinux-keyring
+show_help() {
-pacman -Syu --noconfirm
+	cat <<'EOF'
-pacman -Rns $(pacman -Qqtd) --noconfirm
+Usage: fullupgrade
-pacman -Sc --noconfirm
+
+Met à jour Arch Linux et effectue un nettoyage:
+  - mise à jour de archlinux-keyring
+  - synchronisation complète du système
+  - suppression des paquets orphelins
+  - nettoyage du cache pacman
+
+Attention: ce script modifie le système et s'exécute sans confirmation.
+EOF
+}
+
+
+require_root() {
+	if [ "${EUID:-$(id -u)}" -ne 0 ]; then
+		echo "Erreur: ce script doit être exécuté en root." >&2
+		exit 1
+	fi
+}
+
+cleanup_orphans() {
+	local orphans=()
+
+	mapfile -t orphans < <(pacman -Qqtd)
+
+	if [ "${#orphans[@]}" -gt 0 ]; then
+		pacman -Rns --noconfirm "${orphans[@]}"
+	else
+		echo "Aucun paquet orphelin à supprimer."
+	fi
+}
+
+main() {
+	if [ "${1:-}" = "-h" ] || [ "${1:-}" = "--help" ]; then
+		show_help
+		exit 0
+	fi
+
+	require_root
+
+	echo "Mise à jour de archlinux-keyring..."
+	pacman -Sy --noconfirm archlinux-keyring
+
+	echo "Mise à jour complète du système..."
+	pacman -Syu --noconfirm
+
+	echo "Recherche des paquets orphelins..."
+	cleanup_orphans
+
+	echo "Nettoyage du cache pacman..."
+	pacman -Sc --noconfirm
+
+	echo "Mise à jour terminée avec succès."
+}
+
+main "$@"