ci: automate Cycler releases #6
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: b5748ea09f
| if grep -Fq "releases/download/${TAG}/Cycler-${VERSION}.dmg" web/appcast.xml; then | ||
| echo "changed=false" >> "${GITHUB_OUTPUT}" | ||
| echo "web/appcast.xml already points at ${TAG}." | ||
| exit 0 |
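Review bot: the `if grep -Fq ... web/appcast.xml` test cannot tell "no match" from "file missing or unreadable": grep exits 2 in the second case and the `if` simply takes the other branch. Check that web/appcast.xml exists before the guard and fail the step with a clear message if it does not, so a wrong working directory or an incomplete checkout is not silently treated as "the appcast does not yet point at ${TAG}".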
Recommit the appcast after clobbering assets
Per the GitHub CLI manual (https://cli.github.com/manual/gh_release_upload), --clobber deletes and re-uploads same-named assets; since this workflow does that earlier for an existing release, rerunning a tag whose appcast is already on main can replace Cycler-${VERSION}.dmg with different bytes while this URL-only guard exits without committing the newly generated sparkle:edSignature and length. In that rerun scenario Sparkle clients download the re-uploaded DMG but verify it against the old appcast signature, so the update fails; compare the generated appcast content instead of only the URL, or avoid clobbering unchanged assets.
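One way to do the content comparison the review suggests, as an added example that is not part of the pull request or the project's workflow. The function names, the assumption that each `<enclosure>` sits on one line, and the sample feed values are all constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not the project's workflow code). Sample feeds are constructed.

# Print "edSignature|length" for the <enclosure> whose url ends in /$asset.
# Assumption: each <enclosure .../> element sits on a single line.
enclosure_fingerprint() {
  local file="$1" asset="$2" line sig len
  [ -f "$file" ] || return 1
  line="$(grep -F '<enclosure' "$file" | grep -F -m 1 "/${asset}\"" || true)"
  [ -n "$line" ] || return 1
  sig="$(printf '%s\n' "$line" | sed -n 's/.*sparkle:edSignature="\([^"]*\)".*/\1/p')"
  len="$(printf '%s\n' "$line" | sed -n 's/.* length="\([^"]*\)".*/\1/p')"
  [ -n "$sig" ] && [ -n "$len" ] || return 1
  printf '%s|%s\n' "$sig" "$len"
}

# Exit 0 when the committed appcast must be replaced by the generated one,
# 1 when signature and length already match, 2 when the generated feed lacks the asset.
appcast_needs_commit() {
  local committed="$1" generated="$2" asset="$3" old new
  new="$(enclosure_fingerprint "$generated" "$asset")" || return 2
  old="$(enclosure_fingerprint "$committed" "$asset")" || return 0
  [ "$old" != "$new" ]
}

# Constructed sample: a one-item feed with placeholder signature and length.
write_sample_appcast() {
  local file="$1" sig="$2" len="$3"
  cat > "$file" <<EOF
<rss xmlns:sparkle="http://www.andymatuschak.org/xml-namespaces/sparkle"><channel><item>
<enclosure url="https://example.invalid/releases/download/v0.0.0/Cycler-0.0.0.dmg" sparkle:edSignature="${sig}" length="${len}" type="application/octet-stream"/>
</item></channel></rss>
EOF
}

demo_dir="$(mktemp -d)"
write_sample_appcast "$demo_dir/committed.xml" "PLACEHOLDER_SIG_OLD" 1000
write_sample_appcast "$demo_dir/generated.xml" "PLACEHOLDER_SIG_NEW" 1024
# Same URL in both feeds, so a URL-only grep would report "already points at the tag".
if appcast_needs_commit "$demo_dir/committed.xml" "$demo_dir/generated.xml" "Cycler-0.0.0.dmg"; then
  echo "changed=true"
else
  echo "changed=false"
fi
rm -rf "$demo_dir"
```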
## Summary
- Add a Release workflow for v* tags and manual workflow_dispatch runs.
- Recreate signing/notary/Sparkle keychain state on GitHub macOS runners and reuse the existing release scripts.
- Publish or update the GitHub release, regenerate appcast, commit it to main, and explicitly dispatch the web deploy workflow.
- Document required GitHub secrets and the v0.4.1 recovery path via workflow_dispatch.

## Required secrets before first run
- DEVELOPER_ID_CERT_P12_BASE64
- DEVELOPER_ID_CERT_PASSWORD
- APPLE_ID
- APPLE_TEAM_ID
- APPLE_APP_SPECIFIC_PASSWORD
- SPARKLE_ED_PRIVATE_KEY

## Verification
- actionlint .github/workflows/release.yml
- ruby -e 'require "yaml"; YAML.load_file(".github/workflows/release.yml")'
- swift build
- swift run cycler-tests

## Notes
- First end-to-end validation requires the secrets above. For the already-created v0.4.1 tag, run the Release workflow manually with tag=v0.4.1 after secrets are configured.
- Reviewed with Claude via agents-pair; no blocking issues remained after the keychain/notary fixes.