
ci: automate Cycler releases #6

Open
hcaiano wants to merge 1 commit into main from hc/automate-release

hcaiano (Owner) commented Jun 30, 2026

## Summary
- Add a Release workflow for v* tags and manual workflow_dispatch runs.
- Recreate signing/notary/Sparkle keychain state on GitHub macOS runners and reuse the existing release scripts.
- Publish or update the GitHub release, regenerate appcast, commit it to main, and explicitly dispatch the web deploy workflow.
- Document required GitHub secrets and the v0.4.1 recovery path via workflow_dispatch.

## Required secrets before first run
- DEVELOPER_ID_CERT_P12_BASE64
- DEVELOPER_ID_CERT_PASSWORD
- APPLE_ID
- APPLE_TEAM_ID
- APPLE_APP_SPECIFIC_PASSWORD
- SPARKLE_ED_PRIVATE_KEY

## Verification
- actionlint .github/workflows/release.yml
- ruby -e 'require "yaml"; YAML.load_file(".github/workflows/release.yml")'
- swift build
- swift run cycler-tests

## Notes
- First end-to-end validation requires the secrets above. For the already-created v0.4.1 tag, run the Release workflow manually with tag=v0.4.1 after secrets are configured.
- Reviewed with Claude via agents-pair; no blocking issues remained after the keychain/notary fixes.

chatgpt-codex-connector (Bot) left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: b5748ea09f

Comment on lines +218 to +221
if grep -Fq "releases/download/${TAG}/Cycler-${VERSION}.dmg" web/appcast.xml; then
echo "changed=false" >> "${GITHUB_OUTPUT}"
echo "web/appcast.xml already points at ${TAG}."
exit 0

[P2] Recommit the appcast after clobbering assets

Per the GitHub CLI manual (https://cli.github.com/manual/gh_release_upload), --clobber deletes and re-uploads same-named assets; since this workflow does that earlier for an existing release, rerunning a tag whose appcast is already on main can replace Cycler-${VERSION}.dmg with different bytes while this URL-only guard exits without committing the newly generated sparkle:edSignature and length. In that rerun scenario Sparkle clients download the re-uploaded DMG but verify it against the old appcast signature, so the update fails; compare the generated appcast content instead of only the URL, or avoid clobbering unchanged assets.
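
The content comparison suggested in the review comment above, as an added example that is not part of the pull request or the Codex review: it compares the `sparkle:edSignature` and `length` of the enclosure for the tag's DMG between the committed appcast and the freshly generated one, instead of checking the URL alone. The function names, the two file arguments and the one-enclosure-per-line layout are assumptions, and the sample appcast is constructed.

```bash
#!/usr/bin/env bash
# Added example (not the PR's code): guard on what Sparkle verifies, not on the URL.
# Assumption: each <enclosure .../> element sits on a single line.

# Print "edSignature length" of the enclosure in file $1 whose url ends in $2.
enclosure_fingerprint() (
  line="$(grep -F '<enclosure' "$1" 2>/dev/null | grep -F "$2\"" | head -n 1)"
  [ -n "${line}" ] || exit 1
  sig="$(printf '%s\n' "${line}" | sed -n 's/.*sparkle:edSignature="\([^"]*\)".*/\1/p')"
  len="$(printf '%s\n' "${line}" | sed -n 's/.*[[:space:]]length="\([^"]*\)".*/\1/p')"
  [ -n "${sig}" ] && [ -n "${len}" ] || exit 1
  printf '%s %s\n' "${sig}" "${len}"
)

# Print changed=true when the committed appcast ($1) no longer matches the one
# just generated ($2) for tag $3 / version $4; print changed=false when it does.
appcast_changed() (
  suffix="releases/download/$3/Cycler-$4.dmg"
  new_fp="$(enclosure_fingerprint "$2" "${suffix}")" || {
    echo "generated appcast lacks a signed enclosure for ${suffix}" >&2
    exit 2
  }
  old_fp="$(enclosure_fingerprint "$1" "${suffix}")" || old_fp=""
  if [ "${old_fp}" = "${new_fp}" ]; then echo "changed=false"; else echo "changed=true"; fi
)

# Constructed sample appcast; host, signature and length values are placeholders.
write_sample_appcast() {
  cat > "$1" <<EOF
<rss><channel><item>
  <enclosure url="https://example.invalid/releases/download/v0.4.1/Cycler-0.4.1.dmg" sparkle:edSignature="$2" length="$3" type="application/octet-stream"/>
</item></channel></rss>
EOF
}

demo() (
  dir="$(mktemp -d)"
  write_sample_appcast "${dir}/committed.xml" "SIG-OLD-CONSTRUCTED" 1000
  write_sample_appcast "${dir}/generated.xml" "SIG-NEW-CONSTRUCTED" 1024
  # Same URL in both files, so a URL-only guard would skip the commit here.
  appcast_changed "${dir}/committed.xml" "${dir}/generated.xml" v0.4.1 0.4.1
  rm -rf "${dir}"
)
demo   # prints changed=true
```

In a workflow step the function's output line can be appended to `"${GITHUB_OUTPUT}"`, the same way the guard in the diff writes `changed=false`.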
