Today we are looking at the new update to Microsoft’s Winget Bot. The Winget Bot can now automatically scan and update Winget packages in the repo. This has been a long-awaited feature, and we are extremely excited to now see it in action. At the time of writing this, the Winget Bot has only been active for about a week and has already committed 1000 changes to the Winget repository. These changes include the latest version updates of existing packages and automatic removal of versions which no longer validate.

How does the Winget Bot work?
The Winget Bot scans the repo for previously approved applications which are now failing due to a hash mismatch error. When a failure is detected, the Winget Bot attempts to download the latest installer file. If successful, the bot extracts the information from the installer file (version, hash) and automatically creates a new pull request for the Winget repository on GitHub. The package is then validated to confirm installation works and scanned for any malware.
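The hash-mismatch check described above can be sketched as follows. This is an added example, not Winget Bot's own code: the manifest, package name, URLs and installer bytes are constructed, and `fetch` is a hypothetical stand-in for the download step.

```python
import hashlib
import re

# Constructed sample data: installer bytes and a trimmed winget-style manifest.
OLD_BYTES = b"constructed installer v1.0.0"
NEW_BYTES = b"constructed installer v1.0.1"
OLD_HASH = hashlib.sha256(OLD_BYTES).hexdigest()

MANIFEST = f"""\
PackageIdentifier: Example.App
PackageVersion: 1.0.0
Installers:
- Architecture: x64
  InstallerUrl: https://example.invalid/app-x64.exe
  InstallerSha256: {OLD_HASH.upper()}
- Architecture: x86
  InstallerUrl: https://example.invalid/app-x86.exe
  InstallerSha256: {OLD_HASH.lower()}
"""

# What each URL serves "now": the x64 file was replaced in place by the vendor.
SERVED = {
    "https://example.invalid/app-x64.exe": NEW_BYTES,
    "https://example.invalid/app-x86.exe": OLD_BYTES,
}

def parse_installers(manifest_text):
    """Return (url, sha256) pairs from the Installers list of a manifest."""
    urls = re.findall(r"^[ -]*InstallerUrl:\s*(\S+)", manifest_text, re.M)
    hashes = re.findall(r"^[ -]*InstallerSha256:\s*([0-9A-Fa-f]{64})\s*$",
                        manifest_text, re.M)
    if len(urls) != len(hashes):
        raise ValueError("every installer needs a URL and a 64-hex-digit SHA256")
    return list(zip(urls, hashes))

def check_manifest(manifest_text, fetch):
    """Compare each recorded hash with the hash of what the URL serves now."""
    findings = []
    for url, recorded in parse_installers(manifest_text):
        actual = hashlib.sha256(fetch(url)).hexdigest().upper()
        # Hex case is not significant, so normalise before comparing.
        status = "ok" if actual == recorded.upper() else "hash_mismatch"
        findings.append({"url": url, "status": status,
                         "recorded": recorded.upper(), "actual": actual})
    return findings

if __name__ == "__main__":
    for f in check_manifest(MANIFEST, SERVED.__getitem__):
        print(f["status"], f["url"], f["actual"])
```

A mismatch only shows that the bytes behind the URL changed; recording the new hash pins whatever is served now, which is why the validation and malware scan on the resulting pull request still matter.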
How does this help Pckgr?
As you may know, we have our own automated bot called Pckgr Bot. We have programmed our bot to automate Winget package updates for many of the applications we currently support. However, as the list of applications grows, it creates more overhead to support. Having Winget Bot on our side reduces the amount of automation we need to create for new applications. Pckgr Bot will now mostly focus on applications which use dynamic URLs (the URL is different for each version) and popular packages that require minimal delay between package updates.
Where can I see the Winget Bot in action?
To see the latest package submissions from Winget Bot, please follow this link to GitHub: https://github.com/microsoft/winget-pkgs/pulls/wingetbot
Features we would like to see in the future
Currently, the process for approving a new package update in Winget requires the final approval of a Winget moderator (real humans!) before it is successfully added into the repository. While this process adds an extra layer of assurance around package submission, we think there could be some exceptions for popular packages to help speed up the approvals. For example, if the Winget Bot submitted the latest version of Google Chrome and it passed all validation testing and malware scanning, it should be automatically added into the repository without needing moderator approval. This would reduce the overhead for the moderators too!
Another feature we would like to see for the Winget Bot is the ability to submit applications to be added into the automation scanning. This could be a simple manifest that developers could submit with the information required for the Winget Bot to scan for version updates. This would provide a standardized process for updating the repository as well as leveraging the Winget Bot’s automated PR submissions.
Summary
The new update to the Winget Bot is simply another fantastic addition to a long line of updates that the Winget team continues to release. We at Pckgr are delighted that we have opted to use the Winget technology for our package deployments and are excited to see what the team releases next.
