Release Pipelines with Code Signing #636

Merged
tachyons merged 7 commits into CircuitVerse:main from ThatDeparted2061:main
Jan 31, 2026
@ThatDeparted2061 ThatDeparted2061 commented Aug 2, 2025

Fixes #631
Fixes #571
Co-contributor - @Git-HimanshuRathi

Summary by CodeRabbit

  • New Features

    • Manually triggered desktop release flow: choose version bump, run multi‑OS builds, generate changelog, and publish a GitHub Release with platform artifacts.
    • Desktop build automation: runs packaging steps, verifies build output, and prepares artifacts for distribution.
  • Chores

    • Updated application version and pinned/updated desktop packaging dependency versions.
  • Style

    • Minor formatting adjustments to project metadata.

netlify bot commented Aug 2, 2025

Deploy Preview for circuitverse ready!

Name Link
🔨 Latest commit 7f4f98a
🔍 Latest deploy log https://app.netlify.com/projects/circuitverse/deploys/697cb75fe265be000808a913
😎 Deploy Preview https://deploy-preview-636--circuitverse.netlify.app
Lighthouse
1 paths audited
Performance: 48 (🟢 up 4 from production)
Accessibility: 73 (no change from production)
Best Practices: 92 (no change from production)
SEO: 82 (no change from production)
PWA: -
View the detailed breakdown and full score reports

coderabbitai bot commented Aug 2, 2025

Walkthrough

Adds a manually triggered GitHub Actions workflow at .github/workflows/Tauri-Release.yml to compute a new semantic version (input: major/minor/patch), update version fields in package.json, src-tauri/tauri.conf.json, and src-tauri/Cargo.toml, generate a changelog, commit and tag the version, run cross-OS Tauri builds (ubuntu/windows/macos), upload artifacts, and create a GitHub Release with changelog and attached assets. Adds build-desktop.js to set DESKTOP_MODE, run the frontend build, verify dist/index-cv.html, and copy it to dist/index.html. Also pins tauri-plugin-fs to 2.3.0 and changes package/tauri versions to 0.0.0; package.json whitespace was reformatted.

Possibly related PRs

🚥 Pre-merge checks | ✅ 3 | ❌ 2
❌ Failed checks (1 warning, 1 inconclusive)
  • Docstring Coverage (⚠️ Warning): Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. Resolution: Write docstrings for the functions missing them to satisfy the coverage threshold.
  • Title check (❓ Inconclusive): The title mentions code signing but the PR primarily implements release pipelines; code signing is noted as incomplete work-in-progress. Resolution: Consider a more accurate title like 'Add Release Pipelines with Manual Versioning and Changelog Automation' that reflects the completed implementations.
✅ Passed checks (3 passed)
  • Description Check (✅ Passed): Check skipped - CodeRabbit’s high-level summary is enabled.
  • Linked Issues check (✅ Passed): PR implements most objectives: multi-OS release pipeline (ubuntu, windows, macOS), version bumping, changelog automation, and GitHub Release creation, addressing #571 and #631 core requirements.
  • Out of Scope Changes check (✅ Passed): Changes are within scope: Tauri-Release.yml workflow, build-desktop.js script, and version/dependency updates directly support release pipeline and desktop build automation objectives.

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 12

🔭 Outside diff range comments (1)
.github/workflows/eslint.yml (1)

37-43: run: block is invalid YAML – the workflow will not load

YAML treats each indented line after run: as a new mapping key unless the value is declared as a multiline string (|).
GitHub Actions will refuse to parse this file and the ESLint job will never start.

-      - name: Run ESLint
-        run: npx eslint .
-          --config .eslintrc.js
-          --ext .js,.jsx,.ts,.tsx
-          --format @microsoft/eslint-formatter-sarif
-          --output-file eslint-results.sarif
+      - name: Run ESLint
+        run: |
+          npx eslint . \
+            --config .eslintrc.js \
+            --ext .js,.jsx,.ts,.tsx \
+            --format @microsoft/eslint-formatter-sarif \
+            --output-file eslint-results.sarif

Add a newline at EOF as well to keep YAML-lint happy.
Without this fix the entire ESLint workflow is effectively disabled.

🧹 Nitpick comments (6)
.github/workflows/codeql.yml (1)

55-57: Missing newline at EOF breaks YAML-lint and some CI linters

Several of your workflow files now fail the new-line-at-end-of-file rule.
While this is only a formatting issue, it can cause YAML-lint steps to fail and block the pipeline.

-        category: "/language:${{matrix.language}}"
+        category: "/language:${{matrix.language}}"
+
.github/workflows/websimulatortest.yml (1)

13-29: Workflow stops after npm install – no tests are executed

The job checks out the repo, sets up Node 20, installs dependencies … and finishes.
If the intent is to actually run the web-simulator test suite, add a step such as:

      - name: Run unit / e2e tests
        run: npm test --if-present

Also remove trailing spaces on Line 29 and add a newline at EOF to silence YAML-lint.

build-desktop.js (1)

6-22: Good error handling foundation, but could be more robust.

The runCommand function provides good error logging, but consider checking command success more explicitly.

Consider this enhancement for better error handling:

 function runCommand(command) {
   try {
+    console.log(`Executing: ${command}`);
     const output = execSync(command, { encoding: 'utf8', stdio: 'pipe' });
     if (output) {
       console.log(output);
     }
+    return true;
   } catch (error) {
     console.error(`Error executing command: ${command}`);
     if (error.stdout) {
       console.error(`Stdout: ${error.stdout}`);
     }
     if (error.stderr) {
       console.error(`Stderr: ${error.stderr}`);
     }
     process.exit(1);
   }
 }
.github/workflows/desktoprelease.yml (3)

110-115: GitHub context expression inside Bash test – brittle

${{ matrix.os }} is expanded by the runner before the script executes, so the if test works, but it couples YAML templating with shell logic. A cleaner approach is to rely on $RUNNER_OS inside the script or move the conditional into separate if: clauses.


161-167: Quote paths that contain spaces & parentheses

Bare cp artifacts/Tauri\ Build\ Artifacts\ \(ubuntu-latest\)/deb/*.deb … works only because of manual escaping but still breaks on filenames with spaces. Wrap the whole path in quotes and drop manual escapes:

-cp artifacts/Tauri\ Build\ Artifacts\ \(ubuntu-latest\)/deb/*.deb release-assets/ || true
+cp "artifacts/Tauri Build Artifacts (ubuntu-latest)"/deb/*.deb release-assets/ || true

Apply the same to the other copy operations.


117-185: Clean up trailing whitespace flagged by YAMLlint

Lines 117, 158, 168, 173 and 185 contain stray spaces. They are harmless but fail strict linters.

-<blank line with spaces>
+<completely empty line>
📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 7b1f11f and 643564b.

⛔ Files ignored due to path filters (1)
  • package-lock.json is excluded by !**/package-lock.json
📒 Files selected for processing (12)
  • .github/workflows/Tauri-testing.yml (1 hunks)
  • .github/workflows/codeql.yml (1 hunks)
  • .github/workflows/desktoprelease.yml (1 hunks)
  • .github/workflows/eslint.yml (1 hunks)
  • .github/workflows/tauri-release.yml (0 hunks)
  • .github/workflows/websimulatortest.yml (1 hunks)
  • build-desktop.js (1 hunks)
  • index.html (1 hunks)
  • src-tauri/tauri.conf.json (1 hunks)
  • tsconfig.json (2 hunks)
  • vite.config.ts (2 hunks)
  • vite.config.v0.ts (2 hunks)
💤 Files with no reviewable changes (1)
  • .github/workflows/tauri-release.yml
🧰 Additional context used
🧠 Learnings (1)
📚 Learning: in the circuitverse frontend vue project, globalscope should be declared on the window object using ...
Learnt from: ThatDeparted2061
PR: CircuitVerse/cv-frontend-vue#442
File: src/simulator/src/wire.ts:0-0
Timestamp: 2025-01-27T17:29:33.929Z
Learning: In the CircuitVerse frontend Vue project, globalScope should be declared on the window object using TypeScript declaration files (.d.ts) rather than importing it as a module.

Applied to files:

  • vite.config.ts
  • index.html
  • tsconfig.json
🪛 YAMLlint (1.37.1)
.github/workflows/codeql.yml

[error] 57-57: no new line character at the end of file

(new-line-at-end-of-file)

.github/workflows/websimulatortest.yml

[error] 29-29: no new line character at the end of file

(new-line-at-end-of-file)


[error] 29-29: trailing spaces

(trailing-spaces)

.github/workflows/desktoprelease.yml

[error] 117-117: trailing spaces

(trailing-spaces)


[error] 158-158: trailing spaces

(trailing-spaces)


[error] 168-168: trailing spaces

(trailing-spaces)


[error] 173-173: trailing spaces

(trailing-spaces)


[error] 185-185: trailing spaces

(trailing-spaces)

.github/workflows/eslint.yml

[error] 49-49: no new line character at the end of file

(new-line-at-end-of-file)

.github/workflows/Tauri-testing.yml

[error] 53-53: trailing spaces

(trailing-spaces)

🪛 actionlint (1.7.7)
.github/workflows/desktoprelease.yml

20-20: the runner of "actions/checkout@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)


191-191: the runner of "softprops/action-gh-release@v1" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)

.github/workflows/Tauri-testing.yml

29-29: the runner of "actions-rs/toolchain@v1" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)
  • GitHub Check: Analyze (javascript)
  • GitHub Check: Desktop Simulator Tests
🔇 Additional comments (7)
src-tauri/tauri.conf.json (1)

10-10: build-desktop.js fully replaces the inline beforeBuildCommand
Verified that the new script:

  • Sets process.env.DESKTOP_MODE = "true" (line 25)
  • Runs npm run build
  • Copies dist/index-cv.html to dist/index.html on both Windows (copy) and Unix (cp) (lines 34–36)

No additional steps from the previous inline command are missing—everything is covered.

tsconfig.json (1)

17-18: LGTM: Path mappings updated consistently.

The path mappings correctly remove the "v0" directory prefix, aligning with the source restructuring.

vite.config.ts (3)

23-23: LGTM: Path updates consistent with source restructuring.

The removal of "v0" prefix from locale and alias paths aligns with the broader source directory restructuring across the project.

Also applies to: 29-30


35-35: LGTM: Output directory updated consistently.

The build output path change removes the "v0" subdirectory, consistent with the source restructuring.


63-69: LGTM: Reasonable Sass warning suppression.

Adding quietDeps: true to suppress Sass dependency warnings is a good practice to reduce build noise while maintaining important error reporting.

build-desktop.js (1)

25-31: LGTM: Environment setup and build execution.

The environment variable setup and platform-aware build execution are implemented correctly.

.github/workflows/desktoprelease.yml (1)

24-27: Pin to an actually available Node.js version

setup-node currently exposes 20 (LTS) and 21. “22” does not exist yet and the job will fail the moment the action queries the download endpoint.
Change to 20 (or lts/*) unless you have a private mirror that already hosts 22.

Comment on lines +54 to +60
      - name: Setup Rust
        if: matrix.os != 'windows-latest'
        run: |
          rustup update stable
          rustup default stable
        shell: bash

⚠️ Potential issue

Rust toolchain is skipped on Windows – build will break

windows-latest runners do NOT come with Rust pre-installed. The conditional if: matrix.os != 'windows-latest' leaves the Windows leg without cargo, causing npm run tauri build to error out.

Suggested fix (install on all OSes):

-      - name: Setup Rust
-        if: matrix.os != 'windows-latest'
+      - name: Setup Rust

Or use actions-rs/toolchain/dtolnay/rust-toolchain for cross-matrix consistency.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
-      - name: Setup Rust
-        if: matrix.os != 'windows-latest'
-        run: |
-          rustup update stable
-          rustup default stable
-        shell: bash
+      - name: Setup Rust
+        run: |
+          rustup update stable
+          rustup default stable
+        shell: bash
🤖 Prompt for AI Agents
In .github/workflows/desktoprelease.yml around lines 54 to 60, the Rust setup
step is skipped on Windows due to the condition `if: matrix.os !=
'windows-latest'`, but Windows runners do not have Rust pre-installed, causing
build failures. Remove the conditional to run the Rust setup on all OSes or
replace the manual setup with a dedicated Rust toolchain action like
`actions-rs/toolchain` to ensure Rust is installed consistently across all
matrix OSes.

Comment on lines +29 to +32
        uses: actions-rs/toolchain@v1
        with:
          toolchain: stable
          override: true

⚠️ Potential issue

Update deprecated Rust toolchain action.

The actions-rs/toolchain@v1 action is deprecated and may not work on newer GitHub runners.

Apply this diff to use the current recommended approach:

-      - name: Install Rust
-        uses: actions-rs/toolchain@v1
-        with:
-          toolchain: stable
-          override: true
+      - name: Install Rust
+        uses: dtolnay/rust-toolchain@stable
🧰 Tools
🪛 actionlint (1.7.7)

29-29: the runner of "actions-rs/toolchain@v1" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)

🤖 Prompt for AI Agents
In .github/workflows/Tauri-testing.yml around lines 29 to 32, the usage of the
deprecated action actions-rs/toolchain@v1 should be updated. Replace it with the
current recommended Rust toolchain setup action, such as
actions-rs/toolchain@v1.2 or the latest stable version, ensuring compatibility
with newer GitHub runners. Update the syntax accordingly to match the new
action's requirements for specifying the toolchain and override options.

@ThatDeparted2061
Code Signing is still a work in progress

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 0

♻️ Duplicate comments (4)
.github/workflows/desktoprelease.yml (4)

20-21: Upgrade to actions/checkout@v4 to drop Node-16
The runner shipped with v3 is stuck on the deprecated Node-16 runtime. GitHub will remove that image soon and actionlint is already warning.


54-60: Rust toolchain is never installed on Windows – build will break
windows-latest runners do NOT come with Rust. Dropping the OS condition or using actions-rs/toolchain fixes the gap.


78-88: Passphrase exposure during GPG import
--passphrase "$LINUX_SIGNING_KEY_PASSPHRASE" leaks the secret via the process table and is unnecessary for key import. Use --pinentry-mode loopback only where the passphrase is actually required.


199-201: Bump softprops/action-gh-release to v2 (Node-20)
v1 still relies on Node-16. Upgrading prevents future deprecation outages.

🧹 Nitpick comments (4)
.github/workflows/desktoprelease.yml (4)

24-27: Stick to an LTS Node version (20) instead of 22
Node 22 is not LTS and not yet broadly supported by many ecosystem tools (incl. some Tauri templates). Unless you have a hard requirement, pinning to the current LTS (20) improves stability and reduces unexpected breakages.

-          node-version: 22
+          node-version: 20

42-46: Avoid double & unpinned installs of the Tauri CLI
The CLI is first installed globally and then as a dev-dependency, both at floating latest. This duplicates bandwidth and risks random build breaks when a new CLI is released. Pin a single install location and lock the version (e.g. @tauri-apps/cli@^2.0).


167-181: Paths with spaces/parentheses make the asset copy brittle
The numerous back-slashes are hard to maintain and easy to break. Prefer artifact names without spaces or use ${{ join(…) }} to capture the path, or quote the entire string once:

-            if [ -d "artifacts/Tauri Build Artifacts (ubuntu-latest)/deb" ]; then
+            UBUNTU_DIR="artifacts/Tauri Build Artifacts (ubuntu-latest)"
+            if [ -d "${UBUNTU_DIR}/deb" ]; then
               cp "${UBUNTU_DIR}"/deb/*.deb release-assets/ || true

90-98: YAML trailing whitespace cleanup
Lines 94, 125, 166, 176, 181, 193, 197 contain only whitespace. Removing them silences yamllint and keeps diffs minimal.

Also applies to: 123-127, 164-168, 174-177, 189-195

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 643564b and 73fa000.

📒 Files selected for processing (1)
  • .github/workflows/desktoprelease.yml (1 hunks)
🧰 Additional context used
🪛 actionlint (1.7.7)
.github/workflows/desktoprelease.yml

20-20: the runner of "actions/checkout@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)


200-200: the runner of "softprops/action-gh-release@v1" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)

🪛 YAMLlint (1.37.1)
.github/workflows/desktoprelease.yml

[error] 94-94: trailing spaces

(trailing-spaces)


[error] 125-125: trailing spaces

(trailing-spaces)


[error] 166-166: trailing spaces

(trailing-spaces)


[error] 176-176: trailing spaces

(trailing-spaces)


[error] 181-181: trailing spaces

(trailing-spaces)


[error] 193-193: trailing spaces

(trailing-spaces)


[error] 197-197: trailing spaces

(trailing-spaces)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: Desktop Simulator Tests
🔇 Additional comments (1)
.github/workflows/desktoprelease.yml (1)

63-75: Package name libwebkit2gtk-4.1-dev is unavailable on GitHub Ubuntu images
Ubuntu 22.04 provides libwebkit2gtk-4.0-dev; the 4.1 package does not exist and causes apt failures. Please verify the exact package names for the runner image.

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 0

♻️ Duplicate comments (4)
.github/workflows/desktoprelease.yml (4)

20-21: Upgrade to actions/checkout@v4

The workflow still uses actions/checkout@v3, which relies on the deprecated Node-16 runtime. Bump to v4 to stay on the supported Node-20 stack.

-        uses: actions/checkout@v3
+        uses: actions/checkout@v4

54-60: Rust toolchain must also be installed on Windows

The conditional if: matrix.os != 'windows-latest' skips Rust setup on Windows runners, but windows-latest images do not ship with Rust. Remove the condition or switch to actions-rs/toolchain/dtolnay/rust-toolchain for a cross-platform installation.

-      - name: Setup Rust
-        if: matrix.os != 'windows-latest'
+      - name: Setup Rust

78-87: GPG import leaks passphrase

Passing the passphrase to gpg --import is unnecessary and exposes the secret via the process list. Drop it and, if required later, add --pinentry-mode loopback in the signing step instead.

-echo "$LINUX_SIGNING_KEY" | gpg --batch --yes --passphrase "$LINUX_SIGNING_KEY_PASSPHRASE" --import -
+echo "$LINUX_SIGNING_KEY" | gpg --batch --yes --pinentry-mode loopback --import -
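Review bot: on the `+` line, `--pinentry-mode loopback` is still passed to `gpg --import`, although the comment above says no passphrase is needed for import and that loopback belongs in the signing step; a plain `gpg --batch --yes --import -` matches that explanation. The line also imports into whatever keyring the runner already has, since no `GNUPGHOME` or `--homedir` is set, so consider pointing `GNUPGHOME` at a temporary directory for the job and deleting it once signing is done.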

182-184: softprops/action-gh-release@v2 is required for Node-20

softprops/action-gh-release@v1 runs on the deprecated Node-16 runtime. Upgrade to v2.

-        uses: softprops/action-gh-release@v1
+        uses: softprops/action-gh-release@v2
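Review bot: the `+` line still references the action by a mutable tag (`softprops/action-gh-release@v2`). This third-party step is the one that publishes the release, so pin it to a full commit SHA with the version noted in a trailing comment, and apply the same pinning to the other `uses:` lines in this workflow.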
🧹 Nitpick comments (2)
.github/workflows/desktoprelease.yml (2)

30-35: Node-cache path is Linux-only – cache misses on Windows & macOS

~/.npm exists only on Unix systems. Windows stores the cache under %LOCALAPPDATA%\npm-cache, and macOS runners may use a different location if npm is configured. Consider a portable cache strategy:

-          path: ~/.npm
+          path: |
+            ~/.npm
+            ${{ env.LOCALAPPDATA }}/npm-cache
+            ~/Library/Caches/npm
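Review bot: `${{ env.LOCALAPPDATA }}` in the added path reads the workflow `env` context, which holds only variables defined in the workflow and not the runner's process environment, so on Windows it expands to an empty string and the entry becomes `/npm-cache`. Resolve the directory in a step with `npm config get cache`, write it to `$GITHUB_OUTPUT`, and use that step output as the cache path on every OS.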

Alternatively, compute the path dynamically with npm config get cache.


94-180: Trailing whitespace and missing newline violate YAML-lint

YAML-lint flags trailing spaces (Lines 94, 125, 149, 159, 164, 176, 180) and absence of terminal newline (Line 186). Remove stray spaces and ensure the file ends with \n to keep CI linters happy.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 73fa000 and fefc1f6.

📒 Files selected for processing (1)
  • .github/workflows/desktoprelease.yml (1 hunks)
🧰 Additional context used
🪛 actionlint (1.7.7)
.github/workflows/desktoprelease.yml

20-20: the runner of "actions/checkout@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)


183-183: the runner of "softprops/action-gh-release@v1" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)

🪛 YAMLlint (1.37.1)
.github/workflows/desktoprelease.yml

[error] 94-94: trailing spaces

(trailing-spaces)


[error] 125-125: trailing spaces

(trailing-spaces)


[error] 149-149: trailing spaces

(trailing-spaces)


[error] 159-159: trailing spaces

(trailing-spaces)


[error] 164-164: trailing spaces

(trailing-spaces)


[error] 176-176: trailing spaces

(trailing-spaces)


[error] 180-180: trailing spaces

(trailing-spaces)


[error] 186-186: no new line character at the end of file

(new-line-at-end-of-file)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)
  • GitHub Check: Desktop Simulator Tests
  • GitHub Check: Analyze (javascript)

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 2

♻️ Duplicate comments (4)
.github/workflows/desktoprelease.yml (4)

20-21: Upgrade actions/checkout to v4
Using actions/checkout@v3 keeps the job on the deprecated Node-16 runtime. Bump to v4 to avoid imminent deprecation failures.


54-59: Rust toolchain still skipped on Windows – build will break
windows-latest runners do not include Rust by default. Drop the condition or use actions-rs/toolchain for all matrix entries so npm run tauri build has cargo everywhere.


78-88: GPG import leaks the passphrase in the process list
Passing --passphrase "$LINUX_SIGNING_KEY_PASSPHRASE" to gpg --import is unnecessary and exposes the secret. Import without the flag and use --pinentry-mode loopback only when signing.

-echo "$LINUX_SIGNING_KEY" | gpg --batch --yes --passphrase "$LINUX_SIGNING_KEY_PASSPHRASE" --import -
+echo "$LINUX_SIGNING_KEY" | gpg --batch --yes --pinentry-mode loopback --import -

199-201: Update softprops/action-gh-release to v2 (Node-20)
Version 1 runs on Node-16 and will be disabled soon. Switch to v2 to keep the release upload functioning.

🧹 Nitpick comments (2)
.github/workflows/desktoprelease.yml (2)

28-35: Cache node_modules instead of only the npm cache
Storing just ~/.npm avoids re-fetching packages but still triggers npm install recompilation on every run. Caching the actual node_modules directory (keyed on package-lock.json) shaves minutes off multi-OS matrices.

-  path: ~/.npm
+  path: |
+    ~/.npm
+    **/node_modules
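Review bot: adding `**/node_modules` to the cached paths means installed packages, including native builds and install-script output, are restored from the cache instead of being installed cleanly from `package-lock.json`. For a workflow that builds and signs release artifacts, keep only the download cache (`~/.npm`) and let `npm ci` recreate `node_modules`; if the directory is cached anyway, the key needs the runner OS and the lockfile hash, neither of which is visible in this hunk.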

94-197: Trailing whitespace & missing EOF newline flagged by YAMLlint
While harmless, fixing these formatting nits keeps the workflow lint-clean.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between fefc1f6 and cf66b66.

📒 Files selected for processing (1)
  • .github/workflows/desktoprelease.yml (1 hunks)
🧰 Additional context used
🪛 actionlint (1.7.7)
.github/workflows/desktoprelease.yml

20-20: the runner of "actions/checkout@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)


200-200: the runner of "softprops/action-gh-release@v1" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)

🪛 YAMLlint (1.37.1)
.github/workflows/desktoprelease.yml

[error] 94-94: trailing spaces

(trailing-spaces)


[error] 119-119: trailing spaces

(trailing-spaces)


[error] 142-142: trailing spaces

(trailing-spaces)


[error] 166-166: trailing spaces

(trailing-spaces)


[error] 176-176: trailing spaces

(trailing-spaces)


[error] 181-181: trailing spaces

(trailing-spaces)


[error] 193-193: trailing spaces

(trailing-spaces)


[error] 197-197: trailing spaces

(trailing-spaces)


[error] 203-203: no new line character at the end of file

(new-line-at-end-of-file)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)
  • GitHub Check: Analyze (javascript)
  • GitHub Check: Desktop Simulator Tests
🔇 Additional comments (2)
.github/workflows/desktoprelease.yml (2)

24-27: Target the latest LTS (Node 20) instead of experimental Node 22
setup-node@v4 currently supports stable/LTS channels; specifying node-version: 22 may resolve to a nightly preview and break reproducibility. Unless you have a hard requirement for 22, pin to 20 (or lts/*) for predictable CI builds.


89-93: KEY_ID extraction may pick the wrong key
gpg --list-secret-keys --with-colons | grep "^sec" | cut -d: -f5 returns the first secret key, not necessarily the one just imported. Scope the query by email or fingerprint to avoid mismatching when multiple keys are present.

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

♻️ Duplicate comments (6)
.github/workflows/desktoprelease.yml (6)

20-20: Still on actions/checkout@v3 – upgrade to v4 to avoid Node-16 deprecation
Same issue flagged previously – please bump to actions/checkout@v4.


48-52: Build script executed before native/Rust deps – move it further down
The custom build-desktop.js relies on Rust & GTK being available; executing it here will fail on fresh runners.


86-88: Passphrase leaked in GPG import command

--passphrase "$LINUX_SIGNING_KEY_PASSPHRASE" exposes the secret in the process list.
Drop it for import or switch to --pinentry-mode loopback with a passphrase file.


121-135: Signing step still exposes passphrase on the CLI

The detached-signature loop repeats the same secret-leak problem; use --passphrase-file and loopback mode instead.


199-200: softprops/action-gh-release@v1 runs on deprecated Node-16 – bump to v2

-        uses: softprops/action-gh-release@v1
+        uses: softprops/action-gh-release@v2

53-59: Rust step skips Windows & relies on missing rustup – unify via actions-rs/toolchain

Previous review already noted that skipping Windows will break the build – the condition is still here.
Additionally, the current commands assume rustup is pre-installed, which is not the case on GitHub-hosted runners.

Consider:

-      - name: Setup Rust
-        if: matrix.os != 'windows-latest'
-        run: |
-          rustup update stable
-          rustup default stable
+      - name: Setup Rust
+        uses: actions-rs/toolchain@v1
+        with:
+          toolchain: stable
+          profile: minimal
+          override: true
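Review bot: the `+` lines introduce `uses: actions-rs/toolchain@v1`, which an earlier comment in this same thread calls deprecated and which the actionlint output quoted there reports as too old to run. Use `dtolnay/rust-toolchain@stable`, as that earlier comment suggests, so the fix for the missing Windows toolchain does not add a step that is itself flagged.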
🧹 Nitpick comments (1)
.github/workflows/desktoprelease.yml (1)

90-97: Trailing whitespace – clean up to satisfy YAML lint

Several lines contain stray spaces; remove them to keep yamllint happy.
Minimal example:

-          echo "LINUX_SIGNING_KEY_ID=$KEY_ID" >> "$GITHUB_OUTPUT"␠
+          echo "LINUX_SIGNING_KEY_ID=$KEY_ID" >> "$GITHUB_OUTPUT"

Also applies to: 119-119, 142-142, 166-166, 176-176, 181-181, 193-197

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between cf66b66 and 6cceca4.

📒 Files selected for processing (1)
  • .github/workflows/desktoprelease.yml (1 hunks)
🧰 Additional context used
🪛 actionlint (1.7.7)
.github/workflows/desktoprelease.yml

20-20: the runner of "actions/checkout@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)


200-200: the runner of "softprops/action-gh-release@v1" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)

🪛 YAMLlint (1.37.1)
.github/workflows/desktoprelease.yml

[error] 94-94: trailing spaces

(trailing-spaces)


[error] 119-119: trailing spaces

(trailing-spaces)


[error] 142-142: trailing spaces

(trailing-spaces)


[error] 166-166: trailing spaces

(trailing-spaces)


[error] 176-176: trailing spaces

(trailing-spaces)


[error] 181-181: trailing spaces

(trailing-spaces)


[error] 193-193: trailing spaces

(trailing-spaces)


[error] 197-197: trailing spaces

(trailing-spaces)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)
  • GitHub Check: Desktop Simulator Tests
  • GitHub Check: Analyze (javascript)
🔇 Additional comments (1)
.github/workflows/desktoprelease.yml (1)

24-27: Ignore the “risky” warning for node-version: 22—it’s supported by setup-node@v4
The action will pull any semver match (including 22.x) from the actions/node-versions manifest (we see 22.0.0 through 22.17.1 available) and, on a cache miss, automatically fall back to downloading from the Node.js dist site. Your workflow will not error out if you specify 22.

• If you want long-term LTS support, you can still pin to 20 or use lts/*.
• Otherwise, feel free to target 22—setup-node@v4 fully supports it today.

Likely an incorrect or invalid review comment.

Contributor

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 2

♻️ Duplicate comments (6)
.github/workflows/desktoprelease.yml (6)

20-21: Bump actions/checkout to v4 to drop the deprecated Node-16 runtime
v3 still relies on Node-16 and is already flagged by actionlint; GitHub will remove it soon.

-        uses: actions/checkout@v3
+        uses: actions/checkout@v4

195-196: Upgrade softprops/action-gh-release to v2 (Node-20)
v1 is stuck on Node-16 and flagged by actionlint.

-        uses: softprops/action-gh-release@v1
+        uses: softprops/action-gh-release@v2
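Review bot: `softprops/action-gh-release@v2` on the added line is a mutable tag on a third-party action, and this is the step that publishes the release. Pin it to a full commit SHA and keep the version in a trailing comment, so a retagged or compromised upstream cannot change what this job runs.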

48-52: Run the build script after tool-chain installation to avoid early failures
build-desktop.js needs Rust, GTK, etc. but is executed before those steps, so first-time runners will break. Move this step below the dependency-installation blocks (right before “Cache Rust Dependencies” works well).


54-60: Rust is still skipped on Windows – Windows runners do NOT ship Rust
Leaving cargo absent will make the subsequent npm run tauri build fail.

-      - name: Setup Rust
-        if: matrix.os != 'windows-latest'
+      - name: Setup Rust

Or switch to dtolnay/rust-toolchain for cross-matrix consistency.


78-86: GPG import still leaks the passphrase via the process list
Passphrase is not required for --import. Drop it (and enable loopback later if needed):

-echo "$LINUX_SIGNING_KEY" | gpg --batch --yes --passphrase "$LINUX_SIGNING_KEY_PASSPHRASE" --import -
+echo "$LINUX_SIGNING_KEY" | gpg --batch --yes --pinentry-mode loopback --import -

163-171: Release-asset paths still omit the src-tauri/target/release/bundle prefix
Nothing is copied, leaving the release empty. Example fix for the Linux block:

-cp artifacts/Tauri\ Build\ Artifacts\ \(ubuntu-latest\)/deb/*.deb release-assets/ || true
+cp artifacts/Tauri\ Build\ Artifacts\ \(ubuntu-latest\)/src-tauri/target/release/bundle/deb/*.deb release-assets/ || true
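Review bot: the added `cp` line keeps `|| true`, so a source path that matches nothing still exits 0 and the job goes on to publish a release with no assets, which is the failure this comment describes. Drop `|| true`, or follow the copies with a check that `release-assets/` is non-empty and fail the job otherwise.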

Replicate for appimage, msi, dmg, .app.

🧹 Nitpick comments (1)
.github/workflows/desktoprelease.yml (1)

110-193: Multiple trailing-space lint errors – clean up for YAML hygiene
Lines 111, 120, 138, 162, 172, 177, 189, 193 contain stray whitespace and fail yamllint. Remove them to keep CI green.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 6cceca4 and 27029ba.

📒 Files selected for processing (1)
  • .github/workflows/desktoprelease.yml (1 hunks)
🧰 Additional context used
🪛 actionlint (1.7.7)
.github/workflows/desktoprelease.yml

20-20: the runner of "actions/checkout@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)


196-196: the runner of "softprops/action-gh-release@v1" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)

🪛 YAMLlint (1.37.1)
.github/workflows/desktoprelease.yml

[error] 111-111: trailing spaces

(trailing-spaces)


[error] 120-120: trailing spaces

(trailing-spaces)


[error] 138-138: trailing spaces

(trailing-spaces)


[error] 162-162: trailing spaces

(trailing-spaces)


[error] 172-172: trailing spaces

(trailing-spaces)


[error] 177-177: trailing spaces

(trailing-spaces)


[error] 189-189: trailing spaces

(trailing-spaces)


[error] 193-193: trailing spaces

(trailing-spaces)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)
  • GitHub Check: CodeQL
  • GitHub Check: Analyze (javascript)
  • GitHub Check: Desktop Simulator Tests

Contributor

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 0

♻️ Duplicate comments (7)
.github/workflows/desktoprelease.yml (7)

20-21: actions/checkout still on v3 – update to v4
Node-16 deprecation has not been addressed.


48-52: Build script still runs before native toolchains are ready
build-desktop.js executes prior to Rust/GTK setup, so fresh runners will fail. Move this step below the dependency-installation blocks.


54-59: Rust toolchain skipped on Windows – build will break
windows-latest does not ship with Rust; dropping the if: guard fixes it.


100-108: Secrets are echoed to the log – remove the line
echo "Using TAURI_SIGNING_KEY: …" exposes masked secrets and is unnecessary.


110-125: Globs & passphrase handling remain unsafe
Add shopt -s nullglob (or a test for file existence) before the loops and avoid piping the passphrase via echo. Use --passphrase-file with a temp file instead.


158-165: Artifact paths still omit the src-tauri/target/release/bundle prefix
cp commands will copy zero files, leaving the release empty. Adjust the source paths as previously suggested.


190-191: softprops/action-gh-release@v1 is deprecated – switch to v2
Node-16 runtime will be removed soon.

🧹 Nitpick comments (1)
.github/workflows/desktoprelease.yml (1)

24-27: Verify that node-version: 22 is intentional
Node 22 is not an LTS release and may introduce breaking changes or cache misses on GitHub-hosted runners. Consider pinning to the latest LTS (currently 20) unless you have a hard requirement for 22.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 27029ba and c87d776.

📒 Files selected for processing (1)
  • .github/workflows/desktoprelease.yml (1 hunks)
🧰 Additional context used
🪛 actionlint (1.7.7)
.github/workflows/desktoprelease.yml

20-20: the runner of "actions/checkout@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)


190-190: the runner of "softprops/action-gh-release@v1" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)

🪛 YAMLlint (1.37.1)
.github/workflows/desktoprelease.yml

[error] 109-109: trailing spaces

(trailing-spaces)


[error] 132-132: trailing spaces

(trailing-spaces)


[error] 156-156: trailing spaces

(trailing-spaces)


[error] 166-166: trailing spaces

(trailing-spaces)


[error] 171-171: trailing spaces

(trailing-spaces)


[error] 183-183: trailing spaces

(trailing-spaces)


[error] 187-187: trailing spaces

(trailing-spaces)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)
  • GitHub Check: Desktop Simulator Tests
  • GitHub Check: Analyze (javascript)

Contributor

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

♻️ Duplicate comments (10)
.github/workflows/desktoprelease.yml (10)

20-21: Still on actions/checkout@v3 – upgrade to v4
The workflow continues to pull actions/checkout@v3, which is tied to the deprecated Node-16 runtime. Bump to v4 as previously requested.


48-52: Build script still runs before toolchains/deps are ready
build-desktop.js is executed before Rust and native packages are installed. On fresh runners this regularly fails (no Rust, GTK, etc.). Move this step after all tool-chain / OS-dependency steps.


54-60: Rust skipped on Windows – build will break
windows-latest does not ship Rust. Dropping the condition (if: matrix.os != 'windows-latest') or using actions-rs/toolchain remains necessary.


100-107: Secret value still echoed to logs
Line 106 prints TAURI_SIGNING_KEY, leaking the secret once the mask fails or a fork is created. Remove the echo entirely.


115-123: Globs & passphrase handling still fragile

  1. Without nullglob, the loops iterate over the literal *.deb / *.AppImage when no files exist – gpg then errors out.
  2. echo "$LINUX_SIGNING_PASSPHRASE" exposes the passphrase in the process list. Write it to a temp file and use --passphrase-file, or rely on gpg-agent.

157-165: Copy paths still omit src-tauri/target/release/bundle/… prefix
Result: nothing gets copied, gh-release uploads an empty asset set. Prefix the correct sub-directory as highlighted earlier.


167-176: Same wrong paths for Windows/macOS artefacts
The MSI/DMG paths miss the bundle prefix too; fix alongside the Linux block.


188-191: softprops/action-gh-release@v1 is still Node-16
Upgrade to v2 to stay on a supported runtime.


201-201: Second occurrence of actions/checkout@v3
Update to v4 here as well.


78-84: GPG import step: missing --pinentry-mode loopback
Importing a secret key in batch mode without --pinentry-mode loopback can still trigger an interactive pinentry in some gpg versions. Add the flag to guarantee non-interactive execution.

-          echo "$LINUX_SIGNING_KEY" | gpg --batch --yes --import
+          echo "$LINUX_SIGNING_KEY" | gpg --batch --yes --pinentry-mode loopback --import
🧹 Nitpick comments (1)
.github/workflows/desktoprelease.yml (1)

109-187: Trailing whitespace violates yaml-lint
Lines 109, 132, 156, 166, 171, 183, 187 contain trailing spaces flagged by YAMLlint. Remove to keep the workflow lint-clean.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between c87d776 and f5ac2b8.

⛔ Files ignored due to path filters (1)
  • package-lock.json is excluded by !**/package-lock.json
📒 Files selected for processing (3)
  • .github/workflows/desktoprelease.yml (1 hunks)
  • .releaserc.json (1 hunks)
  • package.json (2 hunks)
✅ Files skipped from review due to trivial changes (2)
  • package.json
  • .releaserc.json
🧰 Additional context used
🪛 actionlint (1.7.7)
.github/workflows/desktoprelease.yml

20-20: the runner of "actions/checkout@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)


190-190: the runner of "softprops/action-gh-release@v1" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)


201-201: the runner of "actions/checkout@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)

🪛 YAMLlint (1.37.1)
.github/workflows/desktoprelease.yml

[error] 109-109: trailing spaces

(trailing-spaces)


[error] 132-132: trailing spaces

(trailing-spaces)


[error] 156-156: trailing spaces

(trailing-spaces)


[error] 166-166: trailing spaces

(trailing-spaces)


[error] 171-171: trailing spaces

(trailing-spaces)


[error] 183-183: trailing spaces

(trailing-spaces)


[error] 187-187: trailing spaces

(trailing-spaces)


[error] 214-214: no new line character at the end of file

(new-line-at-end-of-file)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: Desktop Simulator Tests
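The glob guard and passphrase-file handling that the review comments above ask for, as an added example that is not the project's workflow code. `list_artifacts`, `sign_artifacts` and the directory argument are hypothetical names; `LINUX_SIGNING_PASSPHRASE` is the variable named in the review.

```shell
# Added example, not taken from the PR. Function names and the bundle
# directory argument are assumptions made for illustration.

# Print one path per line for every bundle that actually exists in $1.
list_artifacts() {
  dir=$1
  for f in "$dir"/*.deb "$dir"/*.AppImage; do
    # Without nullglob an unmatched pattern stays as the literal string
    # "*.deb"; skip it instead of handing it to gpg.
    [ -e "$f" ] || continue
    printf '%s\n' "$f"
  done
}

# Create a detached, armored signature next to every artifact in $1.
# The passphrase is written to a temp file (mktemp creates it mode 0600)
# so it never appears in a command line or in the job log.
sign_artifacts() {
  dir=$1
  artifacts=$(list_artifacts "$dir")
  if [ -z "$artifacts" ]; then
    # Fail loudly: an empty set here would otherwise become an empty release.
    echo "no artifacts found in $dir" >&2
    return 1
  fi

  pass_file=$(mktemp)
  # printf is a builtin in bash and dash, so no child process carries the
  # passphrase in its argument list.
  printf '%s' "$LINUX_SIGNING_PASSPHRASE" > "$pass_file"

  rc=0
  printf '%s\n' "$artifacts" | while IFS= read -r f; do
    gpg --batch --yes --pinentry-mode loopback \
        --passphrase-file "$pass_file" \
        --detach-sign --armor "$f" || exit 1
  done || rc=1

  # Remove the passphrase file whether or not signing succeeded.
  rm -f "$pass_file"
  return $rc
}
```

Call `sign_artifacts` once per bundle directory after the import step; a non-zero return stops the job before the release is published.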

Contributor

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

♻️ Duplicate comments (8)
.github/workflows/desktoprelease.yml (8)

17-18: actions/checkout@v3 → v4 still pending
Prior review already requested the bump to avoid Node-16 deprecation; please update both occurrences.

Also applies to: 56-56


85-90: Rust toolchain skipped on Windows – unresolved
The conditional still leaves Windows without Rust and will break the build. Remove the if: guard or use actions-rs/toolchain.


81-84: Build script runs before toolchains are installed
build-desktop.js executes prior to Rust/GTK installation, reproducing the earlier failure scenario. Move the step below dependency-installation blocks.


96-104: Ubuntu package libwebkit2gtk-4.1-dev is unavailable on the runner
The pinned 4.1 package does not exist on 22.04; replace with libwebkit2gtk-4.0-dev or the meta-package libwebkit2gtk-dev.


132-133: Leaking secret in logs – echo must be removed
Echoing $TAURI_SIGNING_KEY prints the secret despite masking risk. Delete the line.


139-147: Glob loops need nullglob and secure passphrase handling
If no artefacts exist, the literal pattern is passed to gpg. Enable shopt -s nullglob or guard with [[ -e ... ]]; also avoid piping the passphrase via stdin repeatedly.


175-195: cp source paths still wrong – assets won’t be copied
The commands omit the src-tauri/target/release/bundle prefix present inside the downloaded artefacts, so nothing reaches release-assets/. Fix the path for all platforms.


202-203: softprops/action-gh-release@v1 still Node-16 – bump to v2
The earlier actionlint warning remains unresolved.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between f5ac2b8 and 48db964.

📒 Files selected for processing (1)
  • .github/workflows/desktoprelease.yml (1 hunks)
🧰 Additional context used
🪛 actionlint (1.7.7)
.github/workflows/desktoprelease.yml

17-17: the runner of "actions/checkout@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)


35-35: workflow command "set-output" was deprecated. use echo "{name}={value}" >> $GITHUB_OUTPUT instead: https://docs.github.com/en/actions/using-workflows/workflow-commands-for-github-actions

(deprecated-commands)


35-35: workflow command "set-output" was deprecated. use echo "{name}={value}" >> $GITHUB_OUTPUT instead: https://docs.github.com/en/actions/using-workflows/workflow-commands-for-github-actions

(deprecated-commands)


56-56: the runner of "actions/checkout@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)


202-202: the runner of "softprops/action-gh-release@v1" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)

🪛 YAMLlint (1.37.1)
.github/workflows/desktoprelease.yml

[error] 37-37: trailing spaces

(trailing-spaces)


[error] 41-41: trailing spaces

(trailing-spaces)


[error] 73-73: trailing spaces

(trailing-spaces)


[error] 154-154: trailing spaces

(trailing-spaces)


[error] 199-199: trailing spaces

(trailing-spaces)


[error] 207-207: no new line character at the end of file

(new-line-at-end-of-file)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)
  • GitHub Check: Analyze (javascript)
  • GitHub Check: Desktop Simulator Tests

Contributor

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 0

♻️ Duplicate comments (10)
.github/workflows/desktoprelease.yml (10)

20-21: Still using deprecated actions/checkout@v3
The runner behind v3 is stuck on Node-16. Upgrade to actions/checkout@v4 to stay supported.


49-52: Build script runs before Rust / native deps are installed
build-desktop.js is executed prior to Rust setup and OS-level libraries, leading to failures on fresh runners. Move this step below the dependency-installation blocks.


54-60: Rust toolchain still skipped on Windows
windows-latest images do not ship Cargo; the build will crash. Remove the if: guard or install Rust specifically for Windows.


64-67: libwebkit2gtk-4.1-dev is unavailable on Ubuntu 22.04 runners
Pinning a non-existent version breaks the Linux leg. Use libwebkit2gtk-dev or detect the distro release.


106-106: Secrets are echoed to logs
echo "Using TAURI_SIGNING_KEY: $TAURI_SIGNING_KEY" leaks the secret. Delete this line.


114-123: Globs may expand to the literal pattern when no files exist
Enable nullglob or guard the loops to avoid gpg failures; also prevents repeated passphrase exposure.


158-165: Artifact copy paths omit the src-tauri/target/release/bundle prefix
Nothing will be copied, leaving the release empty. Prepend the correct directory.


168-170: Windows MSI path suffers from the same missing prefix
Fix the copy source so the .msi actually lands in release-assets/.


173-180: macOS asset section uses wrong paths & fragile zip logic
Correct the source directory and zip creation to ensure the .app bundle is packaged.


189-191: softprops/action-gh-release@v1 is on deprecated Node-16
Bump to v2 (Node-20) to keep the workflow future-proof.

🧹 Nitpick comments (1)
.github/workflows/desktoprelease.yml (1)

109-109: Trailing whitespace – minor style issue
Line 109 contains stray spaces; remove to satisfy YAML-lint.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 48db964 and 2671740.

📒 Files selected for processing (1)
  • .github/workflows/desktoprelease.yml (1 hunks)
🧰 Additional context used
🪛 actionlint (1.7.7)
.github/workflows/desktoprelease.yml

20-20: the runner of "actions/checkout@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)


190-190: the runner of "softprops/action-gh-release@v1" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)

🪛 YAMLlint (1.37.1)
.github/workflows/desktoprelease.yml

[error] 109-109: trailing spaces

(trailing-spaces)


[error] 132-132: trailing spaces

(trailing-spaces)


[error] 156-156: trailing spaces

(trailing-spaces)


[error] 166-166: trailing spaces

(trailing-spaces)


[error] 171-171: trailing spaces

(trailing-spaces)


[error] 183-183: trailing spaces

(trailing-spaces)


[error] 187-187: trailing spaces

(trailing-spaces)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: Desktop Simulator Tests
🔇 Additional comments (1)
.github/workflows/desktoprelease.yml (1)

24-27: Verify that Node 22 is available on GitHub-hosted runners
actions/setup-node@v4 may not resolve the yet-to-be-LTS 22.x stream, which can break the matrix. Confirm availability or pin to the current LTS (20.x).

Contributor

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 2

♻️ Duplicate comments (3)
.github/workflows/desktoprelease.yml (3)

42-45: Run the build script after toolchains/deps or drop it if tauri.conf runs it

Invoking build-desktop.js before Rust/OS deps are ready can be flaky on fresh runners and may be redundant if tauri.conf.json runs it via beforeBuildCommand.

Either remove this step (relying on Tauri’s beforeBuildCommand), or move it below dependency setup:

-      - name: Run Cross-Platform Build Script
-        run: node build-desktop.js
-        shell: bash
+      # Option A: Remove; tauri.conf.json beforeBuildCommand will invoke it
+      # - name: Run Cross-Platform Build Script
+      #   run: node build-desktop.js
+      #   shell: bash

46-51: Rust toolchain skipped on Windows — use a cross-OS toolchain action

Windows runners don’t have Rust by default. Current conditional skips installation and will cause tauri build to fail on Windows.

Use a toolchain action on all OSes:

-      - name: Setup Rust
-        if: matrix.os != 'windows-latest'
-        run: |
-          rustup update stable
-          rustup default stable
-        shell: bash
+      - name: Setup Rust
+        uses: dtolnay/rust-toolchain@stable

53-66: Ubuntu dependency is invalid on 22.04; apt may prompt

libwebkit2gtk-4.1-dev exists only on Ubuntu 24.04+. GitHub ubuntu-latest is currently 22.04 for many orgs; use -4.0-dev or the meta-package, and add -y to apt install.

       - name: Install Linux Dependencies (Ubuntu)
         if: matrix.os == 'ubuntu-latest'
         run: |
           sudo apt update
-          sudo apt install libwebkit2gtk-4.1-dev \
+          sudo apt install -y libwebkit2gtk-4.0-dev \
           build-essential \
           curl \
           wget \
           file \
           libxdo-dev \
           libssl-dev \
           libayatana-appindicator3-dev \
           librsvg2-dev
         shell: bash

Alternatively, use libwebkit2gtk-dev to avoid version pinning.

🧹 Nitpick comments (4)
.github/workflows/Conventional-commits.yml (1)

13-13: Add missing newline at EOF to satisfy linters

YAMLlint flags missing newline at end of file. Add a trailing newline to keep CI green.

Apply:

-      - uses: webiny/action-conventional-commits@v1.3.0
+      - uses: webiny/action-conventional-commits@v1.3.0
+
.github/workflows/semantic-release.yml (2)

19-19: Fix trailing spaces and add missing newline at EOF

YAMLlint is flagging trailing spaces and missing newline. Clean up whitespace to avoid style failures.

Apply:

-      new_release_version: ${{ steps.semantic.outputs.new_release_version }}
-      
+      new_release_version: ${{ steps.semantic.outputs.new_release_version }}
 
@@
-          fetch-depth: 0
-          
+          fetch-depth: 0
@@
-          node-version: "22"
-          
+          node-version: "22"
@@
-            conventional-changelog-conventionalcommits
-      
+            conventional-changelog-conventionalcommits
@@
-          }' > .releaserc.json
-          
+          }' > .releaserc.json
@@
-        run: npx semantic-release
+        run: npx semantic-release
+

Also applies to: 25-25, 30-30, 42-42, 95-95, 100-100


31-41: Redundant global installs; prefer npx or an action wrapper

Installing semantic-release globally and plugins locally is unnecessary and slows CI. Prefer a single npx invocation (which pulls the exact version) or use cycjimmy/semantic-release-action.

Minimal change:

-      - name: Install semantic-release and plugins
-        run: |
-          npm install -g semantic-release
-          npm install --no-save \
-            @semantic-release/commit-analyzer \
-            @semantic-release/release-notes-generator \
-            @semantic-release/changelog \
-            @semantic-release/github \
-            @semantic-release/git \
-            @semantic-release/exec \
-            conventional-changelog-conventionalcommits
+      - name: Install semantic-release plugins
+        run: |
+          npm install --no-save \
+            @semantic-release/commit-analyzer \
+            @semantic-release/release-notes-generator \
+            @semantic-release/changelog \
+            @semantic-release/github \
+            @semantic-release/git \
+            @semantic-release/exec \
+            conventional-changelog-conventionalcommits

Or replace the entire job body with cycjimmy/semantic-release-action@v4 (happy to provide a concrete diff if you prefer that route).

.github/workflows/desktoprelease.yml (1)

90-90: Clean up trailing spaces and ensure newline at EOF

YAMLlint is flagging trailing spaces on these lines and missing newline at EOF. Remove trailing whitespace and end the file with a newline to keep CI tidy.

Also applies to: 104-104, 109-109, 113-113, 121-121, 126-126, 138-138, 140-140, 159-159, 164-164

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

💡 Knowledge Base configuration:

  • MCP integration is disabled by default for public repositories
  • Jira integration is disabled by default for public repositories
  • Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 2671740 and b061e55.

⛔ Files ignored due to path filters (1)
  • package-lock.json is excluded by !**/package-lock.json
📒 Files selected for processing (5)
  • .github/workflows/Conventional-commits.yml (1 hunks)
  • .github/workflows/desktoprelease.yml (1 hunks)
  • .github/workflows/semantic-release.yml (1 hunks)
  • CHANGELOG.md (1 hunks)
  • package.json (1 hunks)
✅ Files skipped from review due to trivial changes (2)
  • CHANGELOG.md
  • package.json
🧰 Additional context used
🪛 YAMLlint (1.37.1)
.github/workflows/semantic-release.yml

[error] 19-19: trailing spaces

(trailing-spaces)


[error] 25-25: trailing spaces

(trailing-spaces)


[error] 30-30: trailing spaces

(trailing-spaces)


[error] 42-42: trailing spaces

(trailing-spaces)


[error] 95-95: trailing spaces

(trailing-spaces)


[error] 100-100: no new line character at the end of file

(new-line-at-end-of-file)

.github/workflows/Conventional-commits.yml

[error] 13-13: no new line character at the end of file

(new-line-at-end-of-file)

.github/workflows/desktoprelease.yml

[error] 90-90: trailing spaces

(trailing-spaces)


[error] 104-104: trailing spaces

(trailing-spaces)


[error] 109-109: trailing spaces

(trailing-spaces)


[error] 113-113: trailing spaces

(trailing-spaces)


[error] 121-121: trailing spaces

(trailing-spaces)


[error] 126-126: trailing spaces

(trailing-spaces)


[error] 138-138: trailing spaces

(trailing-spaces)


[error] 140-140: trailing spaces

(trailing-spaces)


[error] 159-159: trailing spaces

(trailing-spaces)


[error] 164-164: no new line character at the end of file

(new-line-at-end-of-file)

🔇 Additional comments (1)
.github/workflows/semantic-release.yml (1)

27-29: Confirm Node.js 22 compatibility for semantic-release plugins

Node 22 is very new; some plugins may lag. If you hit runtime issues, drop to Node 20 LTS.

Would you like me to open a follow-up to pin Node to 20 LTS and add a matrix to validate both 20 and 22?

Comment on lines +84 to +90
      - name: Install GitHub CLI
        run: |
          curl -fsSL https://cli.github.com/packages/githubcli-archive-keyring.gpg | sudo dd of=/usr/share/keyrings/githubcli-archive-keyring.gpg
          echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/githubcli-archive-keyring.gpg] https://cli.github.com/packages stable main" | sudo tee /etc/apt/sources.list.d/github-cli.list > /dev/null
          sudo apt update
          sudo apt install gh -y

Contributor

⚠️ Potential issue

This step breaks on macOS/Windows runners (apt not available)

Installing GitHub CLI with apt inside the Matrix job fails on macOS/Windows. You only need gh in the upload job (ubuntu-latest). Move the install there or guard with an OS check.

Apply:

-      - name: Install GitHub CLI
-        run: |
-          curl -fsSL https://cli.github.com/packages/githubcli-archive-keyring.gpg | sudo dd of=/usr/share/keyrings/githubcli-archive-keyring.gpg
-          echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/githubcli-archive-keyring.gpg] https://cli.github.com/packages stable main" | sudo tee /etc/apt/sources.list.d/github-cli.list > /dev/null
-          sudo apt update
-          sudo apt install gh -y
+      # Remove this step from the matrix job. We'll install gh in the upload-assets job on ubuntu-latest.

And add the install to the upload job (see suggested upload-assets job fix below).

🧰 Tools
🪛 YAMLlint (1.37.1)

[error] 90-90: trailing spaces

(trailing-spaces)

🤖 Prompt for AI Agents
.github/workflows/desktoprelease.yml lines 84-90: the current step installs
GitHub CLI using apt which fails on macOS/Windows runners; move the GH CLI
installation out of the matrix setup and into the upload job that runs on
ubuntu-latest (or wrap the install with an OS check so it only runs on ubuntu),
and ensure the upload-assets/upload job includes the gh install step so the
uploader has gh available.

Contributor

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 6

🧹 Nitpick comments (2)
.github/workflows/manual-release.yml (1)

28-28: Add newline at end of file

YAML linters enforce a trailing newline.

-            --plugins "@semantic-release/changelog,@semantic-release/git,@semantic-release/github"
+            --plugins "@semantic-release/changelog,@semantic-release/git,@semantic-release/github"
+
.github/workflows/semantic-release.yml (1)

32-32: Add newline at end of file

Compliance with linters and POSIX text file convention.

-            --release-rules='[{"release": false}]'
+            --release-rules='[{"release": false}]'
+
📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

💡 Knowledge Base configuration:

  • MCP integration is disabled by default for public repositories
  • Jira integration is disabled by default for public repositories
  • Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between b061e55 and 5e6f58b.

📒 Files selected for processing (3)
  • .github/workflows/manual-release.yml (1 hunks)
  • .github/workflows/semantic-release.yml (1 hunks)
  • .releaserc.json (1 hunks)
🧰 Additional context used
🪛 YAMLlint (1.37.1)
.github/workflows/manual-release.yml

[error] 28-28: no new line character at the end of file

(new-line-at-end-of-file)

.github/workflows/semantic-release.yml

[error] 32-32: no new line character at the end of file

(new-line-at-end-of-file)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: Desktop Simulator Tests
🔇 Additional comments (1)
.github/workflows/semantic-release.yml (1)

8-9: Grant write permissions if you intend to commit CHANGELOG

If this workflow will commit CHANGELOG.md, you need contents: write.

If you keep this as a “preview” (no writes), you can skip. If you want it to commit, add:

 jobs:
   update-changelog:
     runs-on: ubuntu-latest
+    permissions:
+      contents: write

Comment on lines +7 to +9
  release:
    runs-on: ubuntu-latest
    steps:

Contributor

⚠️ Potential issue

Set write permissions for GITHUB_TOKEN

By default, GITHUB_TOKEN is read-only on newer repos. Pushing CHANGELOG commits/tags and creating releases requires contents: write.

Add permissions:

 jobs:
   release:
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
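Review bot: `contents: write` on the `release` job is the right scope, but the hunk adds no workflow-level default alongside it. Add a top-level `permissions: contents: read` so any job added to this workflow later starts read-only and only `release` is elevated.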
🤖 Prompt for AI Agents
.github/workflows/manual-release.yml around lines 7 to 9: the workflow currently
runs with the default GITHUB_TOKEN which may be read-only on newer repos, so add
explicit write permissions to allow pushing CHANGELOG commits/tags and creating
releases; update the workflow to include a top-level permissions section (or
job-level permissions) that sets contents: write (and optionally packages: write
if releasing packages) so the token has sufficient rights for push and release
operations.

Comment on lines +20 to +22
- name: Install semantic-release
run: npm install -g semantic-release


🛠️ Refactor suggestion

Avoid global install; ensure plugins are available and versions are pinned

Global installs are unnecessary with npx and make builds less reproducible. Also, semantic-release must be able to resolve all plugins listed in .releaserc.json from local dependencies.

Replace the global install with local, no-save plugin installs (or add them as devDependencies and run npm ci):

-      - name: Install semantic-release
-        run: npm install -g semantic-release
+      - name: Install semantic-release plugins
+        run: |
+          npm install --no-save \
+            semantic-release@^23 \
+            @semantic-release/commit-analyzer@^13 \
+            @semantic-release/release-notes-generator@^14 \
+            @semantic-release/changelog@^6 \
+            @semantic-release/git@^10 \
+            @semantic-release/github@^10
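
Review bot: The `@^23`, `@^13`, `@^14`, `@^6` and `@^10` specifiers on the added `npm install --no-save` lines are caret ranges, not pins, so each run of this release job resolves whatever newest matching minor or patch is on the registry at that moment, together with its transitive dependencies. This is the job the page's other suggestion gives `contents: write`, so use exact versions here, or better, declare the packages in devDependencies and install from the committed lockfile with `npm ci` so the resolved tree is reviewed and repeatable.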
📝 Committable suggestion


Suggested change
- name: Install semantic-release
run: npm install -g semantic-release
- name: Install semantic-release plugins
run: |
npm install --no-save \
semantic-release@^23 \
@semantic-release/commit-analyzer@^13 \
@semantic-release/release-notes-generator@^14 \
@semantic-release/changelog@^6 \
@semantic-release/git@^10 \
@semantic-release/github@^10
🤖 Prompt for AI Agents
.github/workflows/manual-release.yml lines 20-22: current step installs
semantic-release globally which hurts reproducibility and can prevent resolution
of local plugins; replace the global install with either running
semantic-release via npx (e.g., npx semantic-release) or install
semantic-release and its plugins locally (preferably as devDependencies with
explicit versions and using npm ci in the workflow) or, if opting for ephemeral
install, run npm install --no-save semantic-release@<pinned-version> and all
required plugin packages@<pinned-versions> before invoking semantic-release so
the runner can resolve plugins reliably.

Comment on lines +23 to +28
- name: Create Release
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
npx semantic-release \
--plugins "@semantic-release/changelog,@semantic-release/git,@semantic-release/github" No newline at end of file

⚠️ Potential issue

CLI overrides drop commit-analyzer and will break releases

Passing --plugins via CLI overrides .releaserc and omits @semantic-release/commit-analyzer, so semantic-release cannot determine the next version. Also configure git user to allow committing.

Use the config in .releaserc.json and configure git identity:

       - name: Create Release
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        run: |
-          npx semantic-release \
-            --plugins "@semantic-release/changelog,@semantic-release/git,@semantic-release/github"
+        run: |
+          git config user.name "github-actions[bot]"
+          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
+          npx -y semantic-release
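
Review bot: `npx -y semantic-release` on the last added line names no version, and `-y` suppresses the install prompt, so if the package is not already in `node_modules` this step downloads and runs the latest published release with `GITHUB_TOKEN` in its environment. Run the copy installed by the preceding step instead, for example `./node_modules/.bin/semantic-release`, so a missing local install fails the job rather than fetching code.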
📝 Committable suggestion


Suggested change
- name: Create Release
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
npx semantic-release \
--plugins "@semantic-release/changelog,@semantic-release/git,@semantic-release/github"
- name: Create Release
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
git config user.name "github-actions[bot]"
git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
npx -y semantic-release
🧰 Tools
🪛 YAMLlint (1.37.1)

[error] 28-28: no new line character at the end of file

(new-line-at-end-of-file)

🤖 Prompt for AI Agents
.github/workflows/manual-release.yml lines 23-28: the workflow is passing
--plugins via the CLI which overrides .releaserc and drops
@semantic-release/commit-analyzer, and it also doesn't set git identity for
commits; remove the --plugins argument so semantic-release uses .releaserc.json,
run npx semantic-release with no plugin overrides, and add steps before running
semantic-release to configure git user.name and user.email (e.g., git config
user.name and git config user.email) so semantic-release can create and push
changelog/commit changes using the provided GITHUB_TOKEN.

Comment on lines +21 to +25
- name: Install semantic-release (changelog only)
run: |
npm install -g semantic-release
npm install --no-save @semantic-release/changelog @semantic-release/git


🛠️ Refactor suggestion

Install the full plugin set or rely on repo devDependencies

To run semantic-release end-to-end (even for changelog-only), it must resolve plugins locally. You currently install only changelog and git. Add commit-analyzer and release-notes-generator, or better, add them to devDependencies and run npm ci.

       - name: Install semantic-release (changelog only)
         run: |
-          npm install -g semantic-release
-          npm install --no-save @semantic-release/changelog @semantic-release/git
+          npm install --no-save \
+            semantic-release@^23 \
+            @semantic-release/commit-analyzer@^13 \
+            @semantic-release/release-notes-generator@^14 \
+            @semantic-release/changelog@^6 \
+            @semantic-release/git@^10
📝 Committable suggestion


Suggested change
- name: Install semantic-release (changelog only)
run: |
npm install -g semantic-release
npm install --no-save @semantic-release/changelog @semantic-release/git
- name: Install semantic-release (changelog only)
run: |
npm install --no-save \
semantic-release@^23 \
@semantic-release/commit-analyzer@^13 \
@semantic-release/release-notes-generator@^14 \
@semantic-release/changelog@^6 \
@semantic-release/git@^10
🤖 Prompt for AI Agents
.github/workflows/semantic-release.yml lines 21-25: the workflow only installs
@semantic-release/changelog and @semantic-release/git which prevents
semantic-release from resolving its full plugin set; either install the missing
plugins here (add npm install --no-save @semantic-release/commit-analyzer
@semantic-release/release-notes-generator in the run block) or, preferably, add
all semantic-release plugins to package.json devDependencies and replace the
installs with a single npm ci so the action resolves plugins locally.

.releaserc.json Outdated
Comment on lines +3 to +13
"plugins": [
["@semantic-release/commit-analyzer", {
"releaseRules": [
{"type": "feat", "release": false},
{"type": "fix", "release": false},
{"breaking": true, "release": "major"}
]
}],
"@semantic-release/changelog",
"@semantic-release/git"
]

⚠️ Potential issue

Release rules likely disable all non-breaking releases

As written, releaseRules override defaults and will prevent minor/patch releases (feat/fix both set to false). You’ll only ever cut a release on explicit breaking changes. This is almost certainly not what you want for ongoing releases.

Consider either removing releaseRules entirely to use defaults, or explicitly mapping feat→minor and fix/perf→patch. Also, include release-notes-generation and (if desired) the GitHub plugin in config to avoid CLI drift across workflows.

Proposed config tweak:

   "plugins": [
-      ["@semantic-release/commit-analyzer", {
-        "releaseRules": [
-          {"type": "feat", "release": false},
-          {"type": "fix", "release": false},  
-          {"breaking": true, "release": "major"}
-        ]
-      }],
-      "@semantic-release/changelog",
-      "@semantic-release/git"
+    ["@semantic-release/commit-analyzer", {
+      "preset": "conventionalcommits",
+      "releaseRules": [
+        {"breaking": true, "release": "major"},
+        {"type": "feat", "release": "minor"},
+        {"type": "fix", "release": "patch"},
+        {"type": "perf", "release": "patch"},
+        {"type": "chore", "release": false},
+        {"type": "docs", "release": false},
+        {"type": "style", "release": false},
+        {"type": "refactor", "release": false},
+        {"type": "test", "release": false}
+      ]
+    }],
+    "@semantic-release/release-notes-generator",
+    "@semantic-release/changelog",
+    "@semantic-release/git",
+    "@semantic-release/github"
   ]
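
Review bot: The added `"preset": "conventionalcommits"` line makes commit-analyzer load the separate `conventional-changelog-conventionalcommits` package, which none of the install commands suggested for these workflows include. Add it to the same install step (or to devDependencies) at a fixed version, otherwise the run stops when the preset cannot be resolved.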

This restores conventional behavior while keeping non-code changes from triggering releases and consolidates plugin selection in one place.

📝 Committable suggestion


Suggested change
"plugins": [
["@semantic-release/commit-analyzer", {
"releaseRules": [
{"type": "feat", "release": false},
{"type": "fix", "release": false},
{"breaking": true, "release": "major"}
]
}],
"@semantic-release/changelog",
"@semantic-release/git"
]
"plugins": [
["@semantic-release/commit-analyzer", {
"preset": "conventionalcommits",
"releaseRules": [
{"breaking": true, "release": "major"},
{"type": "feat", "release": "minor"},
{"type": "fix", "release": "patch"},
{"type": "perf", "release": "patch"},
{"type": "chore", "release": false},
{"type": "docs", "release": false},
{"type": "style", "release": false},
{"type": "refactor","release": false},
{"type": "test", "release": false}
]
}],
"@semantic-release/release-notes-generator",
"@semantic-release/changelog",
"@semantic-release/git",
"@semantic-release/github"
]
🤖 Prompt for AI Agents
In .releaserc.json around lines 3 to 13 the custom releaseRules set "feat" and
"fix" to false which effectively prevents minor and patch releases (only
breaking changes will release); update the config to either remove the
releaseRules block to use semantic-release defaults, or change the rules to map
"feat"→"minor" and "fix" (and "perf")→"patch"; also include the
release-notes-generator plugin and, if you want GitHub releases, add
"@semantic-release/github" to the plugins array so plugin selection is
consolidated and the release behavior matches conventional commits.

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

♻️ Duplicate comments (4)
.github/workflows/manual-release.yml (2)

6-7: Add contents: write permissions for GITHUB_TOKEN

Releases and changelog commits/tags require write access. Without this, semantic-release will fail to push commits/tags and to create releases.

 jobs:
   release:
     runs-on: ubuntu-latest
+    permissions:
+      contents: write

17-17: Avoid global install; install required plugins locally with pinned versions

Global install is unnecessary and won’t make plugins resolvable. semantic-release will also need its plugins (@semantic-release/*) available locally. Pin versions for reproducibility.

-      - run: npm install -g semantic-release
+      - name: Install semantic-release + plugins
+        run: |
+          npm install --no-save \
+            semantic-release@^23 \
+            @semantic-release/commit-analyzer@^13 \
+            @semantic-release/release-notes-generator@^14 \
+            @semantic-release/changelog@^6 \
+            @semantic-release/git@^10 \
+            @semantic-release/github@^10
.github/workflows/semantic-release.yml (2)

45-50: --dry-run will not update CHANGELOG; align step name and behavior

This step is named “Update CHANGELOG.md without releasing” but --dry-run prevents any file changes/commits. Choose one:

Option A — actually update and commit CHANGELOG (requires write perms and git identity):

   update-changelog:
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
@@
       - name: Update CHANGELOG.md without releasing
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
-          npx semantic-release --dry-run --no-ci \
-            --extends ./release.config.js
+          git config user.name "github-actions[bot]"
+          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
+          npx -y semantic-release --no-ci --extends ./release.config.js
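
Review bot: Once `--dry-run` is removed and `contents: write` is granted, the `--no-ci` flag kept on the added `npx -y semantic-release --no-ci --extends ./release.config.js` line switches off the remaining guard: it tells semantic-release to skip its CI environment checks, including the one that declines to publish from a pull-request build. Drop `--no-ci` for a job that runs on GitHub Actions and now has push rights.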

Option B — keep as a preview only: rename the step to “Preview next release (no changes)” to reflect behavior and leave --dry-run as-is.


19-23: Missing required plugins and reproducible installs

release.config.js below requires @semantic-release/commit-analyzer, but it isn’t installed; the step will fail at runtime. Also avoid global installs and unpinned versions that modify package.json. Use ephemeral, pinned, no-save installs (or npm ci if added as devDeps).

-      - name: Install dependencies
-        run: |
-          npm install -g semantic-release
-          npm install @semantic-release/changelog @semantic-release/git
+      - name: Install semantic-release + plugins
+        run: |
+          npm install --no-save \
+            semantic-release@^23 \
+            @semantic-release/commit-analyzer@^13 \
+            @semantic-release/release-notes-generator@^14 \
+            @semantic-release/changelog@^6 \
+            @semantic-release/git@^10
🧹 Nitpick comments (3)
.github/workflows/manual-release.yml (1)

24-24: Add newline at end of file

Minor formatting fix to satisfy linters.

.github/workflows/semantic-release.yml (2)

24-44: Avoid duplicating release config; prefer a single source of truth

Creating release.config.js inline risks config drift with .releaserc.json. Unless you intend this to differ, consider deleting this step and letting semantic-release load .releaserc.json.

If you keep this inline config, ensure it remains synchronized with .releaserc.json and that all referenced plugins are installed.


50-50: Add newline at end of file

Minor formatting fix to satisfy linters.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro


📥 Commits

Reviewing files that changed from the base of the PR and between 5e6f58b and 2e20b2c.

📒 Files selected for processing (2)
  • .github/workflows/manual-release.yml (1 hunks)
  • .github/workflows/semantic-release.yml (1 hunks)
🧰 Additional context used
🪛 YAMLlint (1.37.1)
.github/workflows/manual-release.yml

[error] 24-24: no new line character at the end of file

(new-line-at-end-of-file)

.github/workflows/semantic-release.yml

[error] 50-50: no new line character at the end of file

(new-line-at-end-of-file)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: Desktop Simulator Tests

Comment on lines +19 to +24
- name: Create Release
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
npx semantic-release \
--extends ./release.config.js No newline at end of file

🛠️ Refactor suggestion

⚠️ Potential issue

release.config.js may not exist on runner; remove CLI override and configure git identity

This workflow references ./release.config.js, but it’s generated only in another workflow and isn’t committed. The manual run will likely fail resolving that file. Prefer relying on .releaserc.json (single source of truth). Also configure git user/email so semantic-release can commit/push CHANGELOG and tags.

       - name: Create Release
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
-          npx semantic-release \
-            --extends ./release.config.js
+          git config user.name "github-actions[bot]"
+          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
+          npx -y semantic-release
📝 Committable suggestion


Suggested change
- name: Create Release
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
npx semantic-release \
--extends ./release.config.js
- name: Create Release
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
git config user.name "github-actions[bot]"
git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
npx -y semantic-release
🧰 Tools
🪛 YAMLlint (1.37.1)

[error] 24-24: no new line character at the end of file

(new-line-at-end-of-file)

🤖 Prompt for AI Agents
.github/workflows/manual-release.yml around lines 19 to 24: the workflow
overrides semantic-release with --extends ./release.config.js which may not
exist on the runner (it's generated elsewhere), and it doesn't configure git
identity so semantic-release cannot commit or push changelogs/tags; remove the
CLI --extends override so semantic-release uses the committed .releaserc.json,
and add steps before running semantic-release to set git user.email and
user.name (or configure them via environment variables) and ensure GITHUB_TOKEN
is available so semantic-release can push commits and tags.

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 5

♻️ Duplicate comments (3)
.github/workflows/manual-release.yml (1)

11-16: Add explicit permissions: contents: write for GITHUB_TOKEN

Creating releases and pushing CHANGELOG commits require write permissions. Add job-level permissions.

 jobs:
   release:
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
     steps:
       - uses: actions/checkout@v4
         with:
           fetch-depth: 0
.github/workflows/semantic-release.yml (2)

19-23: Avoid global installs; install full plugin set locally or use npm ci

Global installs reduce reproducibility and can fail to resolve local plugins. Install all required plugins locally (or rely on devDependencies + npm ci).

Option A — ephemeral, pinned installs:

-      - name: Install dependencies
-        run: |
-          npm install -g semantic-release
-          npm install @semantic-release/changelog @semantic-release/git
+      - name: Install semantic-release toolchain (ephemeral)
+        run: |
+          npm install --no-save \
+            semantic-release@^23 \
+            @semantic-release/commit-analyzer@^13 \
+            @semantic-release/release-notes-generator@^14 \
+            @semantic-release/changelog@^6 \
+            @semantic-release/git@^10

Option B — via repo devDependencies (preferred):

  • Add the above packages to devDependencies in package.json.
  • Replace this step with: npm ci

43-47: ‘--dry-run’ won’t update files; step name is misleading

With --dry-run, @semantic-release/changelog won’t write CHANGELOG.md and @semantic-release/git won’t commit. Either make this a true update (remove --dry-run and configure git) or rename the step to a preview.

Option A — true changelog update:

-      - name: Update CHANGELOG.md
+      - name: Update CHANGELOG.md
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
-          npx semantic-release --dry-run --no-ci --extends ./release.config.js
+          git config user.name "github-actions[bot]"
+          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
+          npx -y semantic-release --no-ci --extends ./release.config.js

Option B — keep preview only:

-      - name: Update CHANGELOG.md
+      - name: Preview next release (no changes)
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
-          npx semantic-release --dry-run --no-ci --extends ./release.config.js
+          npx -y semantic-release --dry-run --no-ci --extends ./release.config.js
🧹 Nitpick comments (5)
.github/workflows/manual-release.yml (3)

14-16: Also fetch tags during checkout

Tag checks and release metadata often rely on tags. Ensure tags are fetched.

       - uses: actions/checkout@v4
         with:
           fetch-depth: 0
+          fetch-tags: true

3-9: Optional: validate version input is SemVer

Avoid accidental releases with malformed versions.

 on:
   workflow_dispatch:
     inputs:
       version:
         description: 'Version number (e.g., 1.2.3)'
         required: true
+        default: ''
+        type: string
+
+jobs:
+  release:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Validate version input
+        run: |
+          if ! [[ "${{ inputs.version }}" =~ ^[0-9]+(\.[0-9]+){2}(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$ ]]; then
+            echo "Invalid SemVer: ${{ inputs.version }}"
+            exit 1
+          fi
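
Review bot: In the added `Validate version input` step, `${{ inputs.version }}` is expanded into the script text before bash starts, so the value is parsed as shell source by the very step meant to vet it and the regex never gets the chance to reject it. Pass the input through the environment instead (`env:` with `VERSION: ${{ inputs.version }}`) and test `"$VERSION"` in the script, and do the same in the later steps that build `v${{ inputs.version }}`. The hunk also introduces a second top-level `jobs:` key and a `default: ''` on an input marked `required: true`; merge the step into the existing `release` job and drop the default.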

43-43: Add trailing newline

Minor YAMLlint warning: missing newline at end of file.

-          git push
\ No newline at end of file
+          git push
+
.github/workflows/semantic-release.yml (2)

11-17: Fetch tags during checkout to let semantic-release compute next version

semantic-release relies on tags for versioning; ensure tags are fetched.

       - uses: actions/checkout@v4
         with:
           fetch-depth: 0
+          fetch-tags: true

47-47: Add trailing newline

Minor YAMLlint warning: missing newline at end of file.

-          npx semantic-release --dry-run --no-ci --extends ./release.config.js
\ No newline at end of file
+          npx semantic-release --dry-run --no-ci --extends ./release.config.js
+
📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro


📥 Commits

Reviewing files that changed from the base of the PR and between 2e20b2c and 814d751.

📒 Files selected for processing (2)
  • .github/workflows/manual-release.yml (1 hunks)
  • .github/workflows/semantic-release.yml (1 hunks)
🧰 Additional context used
🪛 actionlint (1.7.7)
.github/workflows/manual-release.yml

26-26: the runner of "softprops/action-gh-release@v1" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)

🪛 YAMLlint (1.37.1)
.github/workflows/manual-release.yml

[error] 43-43: no new line character at the end of file

(new-line-at-end-of-file)

.github/workflows/semantic-release.yml

[error] 47-47: no new line character at the end of file

(new-line-at-end-of-file)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: Desktop Simulator Tests

Comment on lines +18 to +23
- name: Verify tag doesn't exist
run: |
if git rev-parse "${{ inputs.version }}" >/dev/null 2>&1; then
echo "Tag v${{ inputs.version }} already exists!"
exit 1
fi

⚠️ Potential issue

Tag existence check is wrong (missing ‘v’ prefix and not verifying tag ref)

You create tag v${{ inputs.version }} later, but verify without the ‘v’ and against any ref name. Verify the exact tag ref instead.

-      - name: Verify tag doesn't exist
+      - name: Verify tag doesn't exist
         run: |
-          if git rev-parse "${{ inputs.version }}" >/dev/null 2>&1; then
-            echo "Tag v${{ inputs.version }} already exists!"
-            exit 1
-          fi
+          if git show-ref --tags --quiet --verify "refs/tags/v${{ inputs.version }}"; then
+            echo "Tag v${{ inputs.version }} already exists!"
+            exit 1
+          fi
📝 Committable suggestion


Suggested change
- name: Verify tag doesn't exist
run: |
if git rev-parse "${{ inputs.version }}" >/dev/null 2>&1; then
echo "Tag v${{ inputs.version }} already exists!"
exit 1
fi
- name: Verify tag doesn't exist
run: |
if git show-ref --tags --quiet --verify "refs/tags/v${{ inputs.version }}"; then
echo "Tag v${{ inputs.version }} already exists!"
exit 1
fi
🤖 Prompt for AI Agents
In .github/workflows/manual-release.yml around lines 18 to 23, the tag existence
check uses the raw input version and checks any ref name; update it to verify
the exact tag ref with the 'v' prefix (e.g. refs/tags/v${{ inputs.version }}).
Replace the condition with a check that verifies the tag ref itself (for example
using git rev-parse --verify or git show-ref --verify/--quiet against
refs/tags/v${{ inputs.version }}) and exit on match so you correctly detect an
existing v-prefixed tag.

Comment on lines +25 to +35
- name: Create release
uses: softprops/action-gh-release@v1
with:
tag_name: v${{ inputs.version }}
name: Release v${{ inputs.version }}
body: |
## Changes since last release:
$(sed -n '/## Unreleased/,/## /p' CHANGELOG.md | head -n -1)
draft: false
prerelease: false


⚠️ Potential issue

Replace inline shell in body with body_path; upgrade action to v2

The action input ‘body’ is not a shell; the $(sed ...) won't execute and will be posted literally. Generate notes in a prior step and pass with body_path. Also, actionlint flags softprops/action-gh-release@v1 as too old; use @v2.

+      - name: Generate release notes
+        run: |
+          awk 'BEGIN{p=0} /^## Unreleased/{p=1; next} /^## /{if(p){exit}} p{print}' CHANGELOG.md > RELEASE_NOTES.md
+
-      - name: Create release
-        uses: softprops/action-gh-release@v1
+      - name: Create release
+        uses: softprops/action-gh-release@v2
         with:
           tag_name: v${{ inputs.version }}
           name: Release v${{ inputs.version }}
-          body: |
-            ## Changes since last release:
-            $(sed -n '/## Unreleased/,/## /p' CHANGELOG.md | head -n -1)
+          body_path: RELEASE_NOTES.md
           draft: false
           prerelease: false
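
Review bot: `softprops/action-gh-release@v2` on the changed `uses:` line is a third-party action referenced by a movable tag in the job that publishes the release, so pin it to the full commit SHA of the version you reviewed and keep `# v2` as a trailing comment. Separately, the added `awk` step writes an empty `RELEASE_NOTES.md` when CHANGELOG.md has no `## Unreleased` heading; add `test -s RELEASE_NOTES.md` after it so the release is not published with a blank body.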
📝 Committable suggestion


Suggested change
- name: Create release
uses: softprops/action-gh-release@v1
with:
tag_name: v${{ inputs.version }}
name: Release v${{ inputs.version }}
body: |
## Changes since last release:
$(sed -n '/## Unreleased/,/## /p' CHANGELOG.md | head -n -1)
draft: false
prerelease: false
- name: Generate release notes
run: |
awk 'BEGIN{p=0} /^## Unreleased/{p=1; next} /^## /{if(p){exit}} p{print}' CHANGELOG.md > RELEASE_NOTES.md
- name: Create release
uses: softprops/action-gh-release@v2
with:
tag_name: v${{ inputs.version }}
name: Release v${{ inputs.version }}
body_path: RELEASE_NOTES.md
draft: false
prerelease: false
🧰 Tools
🪛 actionlint (1.7.7)

26-26: the runner of "softprops/action-gh-release@v1" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)

🤖 Prompt for AI Agents
.github/workflows/manual-release.yml lines 25-35: the workflow currently passes
a literal string with shell substitution to the softprops/action-gh-release@v1
'body' input (so $(sed ...) will not be executed) and the action version is
outdated; replace this by adding a prior step that generates the release body to
a file (e.g., run a step that extracts the "## Unreleased" section from
CHANGELOG.md and writes it to a temp file like release_body.md), change the
action usage to softprops/action-gh-release@v2, remove the inline body: block
and instead pass body_path: path/to/release_body.md to the action, ensuring the
file path exists and is checked into the workspace or created in a previous run
step.


jobs:
update-changelog:
runs-on: ubuntu-latest

🛠️ Refactor suggestion

Grant contents: write for commits

If you adopt Option A (real changelog updates), the job must push commits.

   update-changelog:
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
🤖 Prompt for AI Agents
In .github/workflows/semantic-release.yml around line 9, the workflow currently
runs on ubuntu-latest but lacks the required repository write permission for
pushing commits; add a top-level permissions block with "contents: write" (and
ensure the job uses GITHUB_TOKEN for any push actions or actions/checkout with
persist-credentials: true) so the workflow can create/commit/push changelog or
release commits as needed.

Comment on lines +24 to +41
- name: Configure semantic-release
run: |
echo 'module.exports = {
branches: ["main"],
plugins: [
["@semantic-release/commit-analyzer", {
"preset": "conventionalcommits",
"releaseRules": [
{"type": "*", "release": false} # Never auto-release
]
}],
"@semantic-release/changelog",
["@semantic-release/git", {
"assets": ["CHANGELOG.md"],
"message": "docs(changelog): Update for unreleased changes [skip ci]"
}]
]
}' > release.config.js

⚠️ Potential issue

release.config.js contains invalid JS (uses ‘#’ comment) and disables all releases

The line with “# Never auto-release” is invalid in JS and will throw on require. Also, setting releaseRules to always false prevents prepare steps (incl. changelog/git) from running even in non-dry runs, so no files will be updated.

-          echo 'module.exports = {
+          echo 'module.exports = {
             branches: ["main"],
             plugins: [
               ["@semantic-release/commit-analyzer", {
                 "preset": "conventionalcommits",
                 "releaseRules": [
-                  {"type": "*", "release": false} # Never auto-release
+                  // Note: configure release rules appropriately. Removing this blanket rule enables normal releases.
                 ]
               }],
               "@semantic-release/changelog",
               ["@semantic-release/git", {
                 "assets": ["CHANGELOG.md"],
                 "message": "docs(changelog): Update for unreleased changes [skip ci]"
               }]
             ]
-          }' > release.config.js
+          }' > release.config.js
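
Review bot: with the `-` rule removed, `releaseRules` is left as an array that holds only a `//` comment, and the whole file is still written by `echo` at run time. Commit `release.config.js` to the repository instead of generating it in the step, so the release configuration is reviewed like any other change and quoting inside the `echo '...'` string cannot break it, and drop the empty `releaseRules` key rather than leaving a comment in it. The first and last `-`/`+` pairs differ only in whitespace and can be left out of the suggestion.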

If the goal is “changelog-only” commits, semantic-release is not the right tool in dry-run or with all releases disabled. Consider either:

  • Full semantic-release (recommended): let it manage versions/tags/changelog.
  • Or use conventional-changelog CLI to regenerate CHANGELOG without publishing.
🤖 Prompt for AI Agents
.github/workflows/semantic-release.yml around lines 24 to 41: the generated
release.config.js uses an invalid '#' comment and also sets releaseRules to
always return false which both breaks requiring the file and prevents
semantic-release from running prepare steps (changelog/git). Fix by replacing
the '#' comment with a JS comment (//) or removing the inline comment entirely,
and remove or change the blanket releaseRules that disable all releases so
semantic-release can run its prepare/plugins (or alternatively replace this job
with a conventional-changelog CLI step if you truly only want changelog
regeneration without using semantic-release to manage releases).

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 0

♻️ Duplicate comments (4)
.github/workflows/semantic-release.yml (4)

19-23: Missing plugins and inconsistent installation method will break semantic-release resolution

The config references @semantic-release/commit-analyzer, but it's not installed. Also, mixing a global install with npx is brittle and can lead to version/plugin resolution mismatch.

Apply this diff to install the required plugins locally (no global install) so semantic-release can resolve them:

       - name: Install dependencies
         run: |
-          npm install -g semantic-release
-          npm install @semantic-release/changelog @semantic-release/git
+          npm install --no-save \
+            semantic-release@^23 \
+            @semantic-release/commit-analyzer@^13 \
+            @semantic-release/release-notes-generator@^14 \
+            @semantic-release/changelog@^6 \
+            @semantic-release/git@^10
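
Review bot: the `@^23`, `@^13`, `@^14`, `@^6` and `@^10` ranges on the added `npm install --no-save` lines are resolved fresh on every run, so the job that holds `GITHUB_TOKEN` executes whatever the registry serves as the newest matching release. Declaring these packages as devDependencies with a committed lockfile and installing with `npm ci` gives the same versions on every run.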

Alternatively, add these as devDependencies in package.json and replace this step with a single npm ci to keep versions pinned.


24-41: Configuration disables all releases, preventing changelog prepare step from running

releaseRules: [{ release: false }] forces commit-analyzer to emit “no release,” which means prepare plugins (@semantic-release/changelog, @semantic-release/git) won’t run even in non–dry runs. The job named “Update Changelog” will thus never update anything.

If the goal is to actually update CHANGELOG on main, remove the blanket disable and include the typical plugin chain. Example:

           module.exports = {
             branches: ["main"],
             plugins: [
-              ["@semantic-release/commit-analyzer", {
-                preset: "conventionalcommits",
-                releaseRules: [{release: false}] // Disable all automatic releases
-              }],
-              "@semantic-release/changelog",
+              ["@semantic-release/commit-analyzer", { preset: "conventionalcommits" }],
+              "@semantic-release/release-notes-generator",
+              "@semantic-release/changelog",
               ["@semantic-release/git", {
                 assets: ["CHANGELOG.md"],
                 message: "docs(changelog): Update for unreleased changes [skip ci]"
               }]
             ]
           }

If you truly want a preview-only run, keep the disable or use --dry-run, but then rename the step to indicate it won’t modify files.


43-47: Dry-run won’t write CHANGELOG; step name and behavior are inconsistent

--dry-run only logs; it will not update files or create commits. This contradicts the step name “Update CHANGELOG.md.”

Option A — actually update and commit the changelog (recommended on pushes to main):

       - name: Update CHANGELOG.md
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
-          npx semantic-release --dry-run --no-ci --extends ./release.config.js
+          git config user.name "github-actions[bot]"
+          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
+          npx -y semantic-release --extends ./release.config.js
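
Review bot: `npx -y semantic-release` on the added line auto-confirms a download when the package is not already installed, and this step runs with `GITHUB_TOKEN` in its environment and write access to the repository. Drop `-y` and call the locally installed binary with `npx --no semantic-release`, so a missing install fails the step instead of fetching a package at release time.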

Option B — keep as a preview (no writes): rename the step and keep dry-run:

-      - name: Update CHANGELOG.md
+      - name: Preview next release (no changes)
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
           npx semantic-release --dry-run --no-ci --extends ./release.config.js

8-9: Add permissions to allow committing/pushing changelog updates

If you adopt Option A (real writes), the job needs repository write permission.

   update-changelog:
     runs-on: ubuntu-latest
+    permissions:
+      contents: write

Also ensure checkout uses the default persisted GITHUB_TOKEN (actions/checkout@v4 does by default) so pushes succeed.

🧹 Nitpick comments (3)
.github/workflows/semantic-release.yml (3)

15-17: Enable npm cache for faster runs

Minor improvement: enable npm cache in setup-node to speed up installs.

       - uses: actions/setup-node@v4
         with:
           node-version: '20'
+          cache: 'npm'

3-6: Avoid CI loop when committing to main

If the job commits back to main, it will retrigger itself. You mitigate with “[skip ci]” in the commit message, but adding a guard helps.

Add a job-level condition to skip when the actor is the bot:

 jobs:
   update-changelog:
+    if: github.actor != 'github-actions[bot]'
     runs-on: ubuntu-latest
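
Review bot: the added `if: github.actor != 'github-actions[bot]'` compares against a fixed actor name and only covers commits pushed with the default token. If the changelog commit is ever pushed with a personal access token or an app token, the actor will differ and the guard will not fire, so keep the `[skip ci]` marker in the commit message as the primary stop.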

Alternatively, trigger this workflow on a schedule or on release, depending on your intended cadence.


47-47: Add a newline at end of file

YAML linters flag this; append a trailing newline to satisfy linting.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

💡 Knowledge Base configuration:

  • MCP integration is disabled by default for public repositories
  • Jira integration is disabled by default for public repositories
  • Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 814d751 and d523053.

📒 Files selected for processing (1)
  • .github/workflows/semantic-release.yml (1 hunks)
🧰 Additional context used
🪛 YAMLlint (1.37.1)
.github/workflows/semantic-release.yml

[error] 47-47: no new line character at the end of file

(new-line-at-end-of-file)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: Desktop Simulator Tests

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 4

🧹 Nitpick comments (7)
.github/workflows/release.yml (7)

193-201: Guard against empty macOS .app glob to avoid creating a literal '*.zip'.

If there are no .app files, bash will pass '*.app' literally. Enable nullglob or check for matches before zipping.

Apply this diff:

-            for app in *.app; do
-              zip -r "../../../release-assets/${app%.app}.zip" "$app"
-            done
+            shopt -s nullglob
+            for app in *.app; do
+              zip -r "../../../release-assets/${app%.app}.zip" "$app"
+            done
+            shopt -u nullglob

96-106: Align Node version and simplify dependency caching.

You use Node "lts/*" in release and "22" in build. Prefer a consistent LTS version across jobs and leverage setup-node’s built-in cache.

Apply this diff:

-      - name: Setup Node.js
+      - name: Setup Node.js (LTS) with npm cache
         uses: actions/setup-node@v4
         with:
-          node-version: 22
+          node-version: "lts/*"
+          cache: "npm"
 
-      - name: Cache Node.js Dependencies
-        uses: actions/cache@v4
-        with:
-          path: ~/.npm
-          key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
-          restore-keys: ${{ runner.os }}-node-
+      # Dedicated cache above replaces manual cache step

Also applies to: 107-113


98-101: Build from the release tag for reproducibility.

Checking out main may build a different commit than the one semantic-release tagged. Prefer the new tag.

Apply this diff:

       - name: Checkout repository
         uses: actions/checkout@v4
         with:
-          ref: main # Ensure we are building the latest code from the main branch
+          ref: v${{ needs.release.outputs.new_release_version }} # Build from the release tag

12-17: Tighten job permissions to least privilege.

Only contents: write is required for releases/tags. Drop issues, pull-requests, and id-token unless used elsewhere.

Apply this diff:

 permissions:
-  contents: write # For creating releases and pushing tags/commits
-  issues: write # For managing issues and comments
-  pull-requests: write # For managing pull requests
-  id-token: write # For OIDC authentication, if needed
+  contents: write # For creating releases and pushing tags/commits
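
Review bot: dropping `id-token: write` is correct while nothing requests an OIDC token, but the removed comment says "if needed" and this PR is about code signing. If a later signing step authenticates through OIDC, grant `id-token: write` on that one job rather than restoring it here, and consider moving `contents: write` down to the job that creates the release as well.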

175-206: Resolve YAML lint errors: trailing spaces on several lines.

YAMLlint flagged trailing spaces on Lines 178, 186, 191, 203, and 206. Remove trailing whitespace and avoid whitespace-only lines.

Apply this diff to trim whitespace-only lines:

-          
+
@@
-          
+
@@
-          
+
@@
-          
+
@@
-        
+

154-160: Avoid spaces/parentheses in artifact names to simplify downstream paths.

Spaces and parentheses complicate quoting and escaping in bash. Prefer a simple, slugged name.

Apply this diff:

       - name: Upload Tauri Build Artifacts
         uses: actions/upload-artifact@v4
         with:
-          name: Tauri Build Artifacts (${{ matrix.os }})
+          name: tauri-build-${{ matrix.os }}
           path: |
             src-tauri/target/release/bundle

Then adjust the download paths accordingly, e.g., replace artifacts/Tauri Build Artifacts (ubuntu-latest)/bundle/... with artifacts/tauri-build-ubuntu-latest/bundle/....


118-123: Global + local Tauri CLI installs are redundant.

You install @tauri-apps/cli globally and again locally as devDep. Keep one: either rely on npx/local CLI (npx tauri build) or the global one. Less churn, faster CI.

Apply this diff:

       - name: Install Tauri CLI and API
         run: |
-          npm install -g @tauri-apps/cli
-          npm install @tauri-apps/cli @tauri-apps/api @tauri-apps/plugin-fs --save-dev
+          npm install @tauri-apps/cli @tauri-apps/api @tauri-apps/plugin-fs --save-dev
         shell: bash

And change the build step to use the local CLI:

-      - name: Build Tauri App
-        run: npm run tauri build
+      - name: Build Tauri App
+        run: npx tauri build
📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

💡 Knowledge Base configuration:

  • MCP integration is disabled by default for public repositories
  • Jira integration is disabled by default for public repositories
  • Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between d523053 and 1b2ba95.

📒 Files selected for processing (1)
  • .github/workflows/release.yml (1 hunks)
🧰 Additional context used
🪛 YAMLlint (1.37.1)
.github/workflows/release.yml

[error] 178-178: trailing spaces

(trailing-spaces)


[error] 186-186: trailing spaces

(trailing-spaces)


[error] 191-191: trailing spaces

(trailing-spaces)


[error] 203-203: trailing spaces

(trailing-spaces)


[error] 206-206: trailing spaces

(trailing-spaces)

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 2

♻️ Duplicate comments (3)
.github/workflows/release.yml (3)

48-53: Install Rust across all OSes using dtolnay/rust-toolchain; current step skips Windows and assumes rustup.

This will fail on Windows and on Linux/macOS runners without rustup.

Apply this diff:

-      - name: Setup Rust
-        if: matrix.os != 'windows-latest'
-        run: |
-          rustup update stable
-          rustup default stable
-        shell: bash
+      - name: Setup Rust (stable)
+        uses: dtolnay/rust-toolchain@stable
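
Review bot: `uses: dtolnay/rust-toolchain@stable` references a branch name, so the code that installs the compiler for the release binaries can change between runs without any change in this repository. Pin the action to a full commit SHA and select the channel with `with: toolchain: stable`.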

55-68: Fix apt install flags and add webkit2gtk fallback; current command may hang and/or fail on Ubuntu 22.04.

  • Missing “-y” can block on prompts.
  • libwebkit2gtk-4.1-dev isn’t available on all runners; fall back to 4.0.

Apply this diff:

       - name: Install Linux Dependencies (Ubuntu)
         if: matrix.os == 'ubuntu-latest'
         run: |
           sudo apt update
-          sudo apt install libwebkit2gtk-4.1-dev \
-          build-essential \
-          curl \
-          wget \
-          file \
-          libxdo-dev \
-          libssl-dev \
-          libayatana-appindicator3-dev \
-          librsvg2-dev
+          # Base packages
+          sudo apt install -y build-essential curl wget file libxdo-dev libssl-dev libayatana-appindicator3-dev librsvg2-dev
+          # Try 4.1, fall back to 4.0 if not available
+          sudo apt install -y libwebkit2gtk-4.1-dev || sudo apt install -y libwebkit2gtk-4.0-dev
         shell: bash

119-142: Fix artifact collection paths: missing ‘bundle/’ causes no files to be found.

Tauri bundles artifacts under bundle/. Insert bundle/ in all checks/copies and the macOS zip cd.

Apply this diff:

           # For Ubuntu (Linux)
-          if [ -d "artifacts/Tauri Build Artifacts (ubuntu-latest)/deb" ]; then
-            cp artifacts/Tauri\ Build\ Artifacts\ \(ubuntu-latest\)/deb/*.deb release-assets/ || true
+          if [ -d "artifacts/Tauri Build Artifacts (ubuntu-latest)/bundle/deb" ]; then
+            cp artifacts/Tauri\ Build\ Artifacts\ \(ubuntu-latest\)/bundle/deb/*.deb release-assets/ || true
           fi
-          if [ -d "artifacts/Tauri Build Artifacts (ubuntu-latest)/appimage" ]; then
-            cp artifacts/Tauri\ Build\ Artifacts\ \(ubuntu-latest\)/appimage/*.AppImage release-assets/ || true
+          if [ -d "artifacts/Tauri Build Artifacts (ubuntu-latest)/bundle/appimage" ]; then
+            cp artifacts/Tauri\ Build\ Artifacts\ \(ubuntu-latest\)/bundle/appimage/*.AppImage release-assets/ || true
           fi
           
           # For Windows
-          if [ -d "artifacts/Tauri Build Artifacts (windows-latest)/msi" ]; then
-            cp artifacts/Tauri\ Build\ Artifacts\ \(windows-latest\)/msi/*.msi release-assets/ || true
+          if [ -d "artifacts/Tauri Build Artifacts (windows-latest)/bundle/msi" ]; then
+            cp artifacts/Tauri\ Build\ Artifacts\ \(windows-latest\)/bundle/msi/*.msi release-assets/ || true
           fi
           
           # For macOS
-          if [ -d "artifacts/Tauri Build Artifacts (macos-latest)/dmg" ]; then
-            cp artifacts/Tauri\ Build\ Artifacts\ \(macos-latest\)/dmg/*.dmg release-assets/ || true
+          if [ -d "artifacts/Tauri Build Artifacts (macos-latest)/bundle/dmg" ]; then
+            cp artifacts/Tauri\ Build\ Artifacts\ \(macos-latest\)/bundle/dmg/*.dmg release-assets/ || true
           fi
-          if [ -d "artifacts/Tauri Build Artifacts (macos-latest)/app" ]; then
-            cd artifacts/Tauri\ Build\ Artifacts\ \(macos-latest\)/app
+          if [ -d "artifacts/Tauri Build Artifacts (macos-latest)/bundle/app" ]; then
+            cd artifacts/Tauri\ Build\ Artifacts\ \(macos-latest\)/bundle/app
             for app in *.app; do
               zip -r "../../../release-assets/${app%.app}.zip" "$app"
             done
             cd - || exit
           fi
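
Review bot: the macOS branch now does `cd` into `.../bundle/app`, one directory deeper than before, but the unchanged `zip -r "../../../release-assets/${app%.app}.zip"` line still climbs three levels, which lands in `artifacts/release-assets` rather than the `release-assets/` directory the `cp` lines write to. Use `../../../../release-assets/` or, better, build an absolute path from `$GITHUB_WORKSPACE` before the `cd`.
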
🧹 Nitpick comments (7)
.github/workflows/release.yml (7)

1-9: Set explicit token permissions and add a concurrency group.

  • Creating releases and pushing tags require contents: write.
  • Concurrency avoids overlapping runs on the same ref.

Apply this diff:

 name: Vue + Tauri Simulator Desktop Release
 
 on:
   push:
     branches: [ "main" ]
   release:
     types: [created]
 
+permissions:
+  contents: write
+  actions: read
+  packages: read
+
+concurrency:
+  group: desktop-release-${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
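
Review bot: `cancel-in-progress: true` in the added `concurrency:` block is risky for a workflow that publishes, because a second push to `main` can cancel a run between building and creating the release and leave artifacts without a matching release. Set `cancel-in-progress: false` so runs queue, and grant `contents: write` on the job that creates the release instead of at workflow level, since the build matrix only needs read access.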

Please verify org/repo settings do not override GITHUB_TOKEN permissions to read-only.


22-26: Use setup-node’s built-in dependency cache.

You can drop the separate cache step and let setup-node manage it.

Apply this diff:

       - name: Setup Node.js
         uses: actions/setup-node@v4
         with:
           node-version: 22
+          cache: 'npm'

27-33: Remove manual npm cache step (redundant with setup-node cache).

Apply this diff:

-      - name: Cache Node.js Dependencies
-        uses: actions/cache@v4
-        with:
-          path: ~/.npm
-          key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
-          restore-keys: ${{ runner.os }}-node-

38-43: Avoid redundant global Tauri CLI install.

You install @tauri-apps/cli both globally and as a dev dependency. One is sufficient; prefer local dev dep and invoke via npm scripts.

Apply this diff:

       - name: Install Tauri CLI and API
         run: |
-          npm install -g @tauri-apps/cli
           npm install @tauri-apps/cli @tauri-apps/api @tauri-apps/plugin-fs --save-dev
         shell: bash

Alternatively, rely on npx tauri without installing globally.


82-85: Code signing not configured (Windows/macOS).

Given the PR objective “Release Pipelines with Code Signing”, there are no steps/secrets for:

  • macOS: codesign with Developer ID Application + notarytool notarization/stapling.
  • Windows: signtool or Tauri’s Windows signing via certificate/PFX or Azure Sign.
  • Linux: optional (e.g., .deb signing).

I can add guarded signing steps (only if the needed secrets are present) for both macOS and Windows. Do you want me to draft:

  • macOS: Import certificate to keychain, codesign, notarize with Apple ID and keychain profile or keychain-less notarytool credentials, then staple.
  • Windows: Use a Base64 PFX from secrets with signtool, or Tauri’s built-in signing with CSC_LINK/CSC_KEY_PASSWORD equivalents?

Please confirm available secrets and desired signing providers.


147-153: Installing GitHub CLI may be unnecessary.

Ubuntu runners usually include gh. If you keep this step, it’s fine; otherwise, you can skip to reduce time.


103-109: Trim trailing spaces to satisfy YAML linting.

YAMLlint flags trailing spaces on Lines 109, 118, 126, 131, 143, 161, 179. Remove them to keep CI green.

Also applies to: 118-118, 126-126, 131-131, 143-143, 161-161, 179-179

📜 Review details

📥 Commits

Reviewing files that changed from the base of the PR and between 1b2ba95 and 881ca7a.

📒 Files selected for processing (1)
  • .github/workflows/release.yml (1 hunks)
🧰 Additional context used
🪛 actionlint (1.7.7)
.github/workflows/release.yml

20-20: the runner of "actions/checkout@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)

🪛 YAMLlint (1.37.1)
.github/workflows/release.yml

[error] 109-109: trailing spaces

(trailing-spaces)


[error] 118-118: trailing spaces

(trailing-spaces)


[error] 126-126: trailing spaces

(trailing-spaces)


[error] 131-131: trailing spaces

(trailing-spaces)


[error] 143-143: trailing spaces

(trailing-spaces)


[error] 161-161: trailing spaces

(trailing-spaces)


[error] 179-179: trailing spaces

(trailing-spaces)

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 0

♻️ Duplicate comments (6)
.github/workflows/release.yml (6)

4-9: Prevent workflow loop: avoid triggering on release-created or gate the job.

This workflow creates a GitHub Release; also triggering on release: created can re-trigger itself and duplicate runs.

Apply one of:

  • Gate the create-release job to only run on push.
  • Or remove the release trigger.

Example (gate the job):

 on:
   push:
     branches: [ "main" ]
-  release:
-    types: [created]
+
+  # Optional: keep this only if you need other jobs on release events
+  # release:
+  #   types: [created]

And (see also comment on Lines 93-96) add:

 create-release:
   runs-on: ubuntu-latest
   needs: build-tauri
+  if: github.event_name == 'push'

20-21: Update checkout to v4; v3 is deprecated on current runners.

actionlint flags this; v3 uses Node 16 which is disabled.

-      - name: Checkout repository
-        uses: actions/checkout@v3
+      - name: Checkout repository
+        uses: actions/checkout@v4

48-54: Install Rust on all OSes using dtolnay/rust-toolchain.

Current step skips Windows and assumes rustup exists; Windows builds will fail and other runners may lack rustup.

-      - name: Setup Rust
-        if: matrix.os != 'windows-latest'
-        run: |
-          rustup update stable
-          rustup default stable
-        shell: bash
+      - name: Setup Rust (stable)
+        uses: dtolnay/rust-toolchain@stable

55-69: Fix apt install flags and add WebKit fallback to avoid CI hangs/failures.

  • Missing -y will block on prompts in CI.
  • libwebkit2gtk-4.1-dev isn’t available on all Ubuntu images; add 4.0 fallback.

       - name: Install Linux Dependencies (Ubuntu)
         if: matrix.os == 'ubuntu-latest'
         run: |
           sudo apt update
-          sudo apt install libwebkit2gtk-4.1-dev \
-          build-essential \
-          curl \
-          wget \
-          file \
-          libxdo-dev \
-          libssl-dev \
-          libayatana-appindicator3-dev \
-          librsvg2-dev
+          # Base deps (non-interactive)
+          sudo apt install -y build-essential curl wget file libxdo-dev libssl-dev libayatana-appindicator3-dev librsvg2-dev
+          # Try 4.1, fall back to 4.0
+          sudo apt install -y libwebkit2gtk-4.1-dev || sudo apt install -y libwebkit2gtk-4.0-dev
         shell: bash

93-96: Gate create-release to push events only.

Prevents a release-created event from re-triggering the workflow that just created it.

   create-release:
     runs-on: ubuntu-latest
     needs: build-tauri
+    if: github.event_name == 'push'

116-146: Fix artifact collection paths: missing 'bundle/' segment.

Artifacts are uploaded starting at src-tauri/target/release/bundle; downloaded folder tree includes bundle/. Current paths won’t find files.

           # For Ubuntu (Linux)
-          if [ -d "artifacts/Tauri Build Artifacts (ubuntu-latest)/deb" ]; then
-            cp artifacts/Tauri\ Build\ Artifacts\ \(ubuntu-latest\)/deb/*.deb release-assets/ || true
+          if [ -d "artifacts/Tauri Build Artifacts (ubuntu-latest)/bundle/deb" ]; then
+            cp artifacts/Tauri\ Build\ Artifacts\ \(ubuntu-latest\)/bundle/deb/*.deb release-assets/ || true
           fi
-          if [ -d "artifacts/Tauri Build Artifacts (ubuntu-latest)/appimage" ]; then
-            cp artifacts/Tauri\ Build\ Artifacts\ \(ubuntu-latest\)/appimage/*.AppImage release-assets/ || true
+          if [ -d "artifacts/Tauri Build Artifacts (ubuntu-latest)/bundle/appimage" ]; then
+            cp artifacts/Tauri\ Build\ Artifacts\ \(ubuntu-latest\)/bundle/appimage/*.AppImage release-assets/ || true
           fi
           
           # For Windows
-          if [ -d "artifacts/Tauri Build Artifacts (windows-latest)/msi" ]; then
-            cp artifacts/Tauri\ Build\ Artifacts\ \(windows-latest\)/msi/*.msi release-assets/ || true
+          if [ -d "artifacts/Tauri Build Artifacts (windows-latest)/bundle/msi" ]; then
+            cp artifacts/Tauri\ Build\ Artifacts\ \(windows-latest\)/bundle/msi/*.msi release-assets/ || true
           fi
           
           # For macOS
-          if [ -d "artifacts/Tauri Build Artifacts (macos-latest)/dmg" ]; then
-            cp artifacts/Tauri\ Build\ Artifacts\ \(macos-latest\)/dmg/*.dmg release-assets/ || true
+          if [ -d "artifacts/Tauri Build Artifacts (macos-latest)/bundle/dmg" ]; then
+            cp artifacts/Tauri\ Build\ Artifacts\ \(macos-latest\)/bundle/dmg/*.dmg release-assets/ || true
           fi
-          if [ -d "artifacts/Tauri Build Artifacts (macos-latest)/app" ]; then
-            cd artifacts/Tauri\ Build\ Artifacts\ \(macos-latest\)/app
+          if [ -d "artifacts/Tauri Build Artifacts (macos-latest)/bundle/app" ]; then
+            cd artifacts/Tauri\ Build\ Artifacts\ \(macos-latest\)/bundle/app
             for app in *.app; do
               zip -r "../../../release-assets/${app%.app}.zip" "$app"
             done
             cd - || exit
           fi
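
Review bot: every `cp ... || true` in this hunk, together with the `for app in *.app` loop, lets the step succeed when a platform produced nothing, so a release can be published with an installer missing and no failed check to show it. After the copies, count the files in `release-assets/` and exit non-zero if an expected `.deb`, `.AppImage`, `.msi` or `.dmg` is absent.
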
🧹 Nitpick comments (6)
.github/workflows/release.yml (6)

38-43: Avoid double-installing Tauri CLI and pin versions.

You install @tauri-apps/cli globally and locally; redundant and slower. Prefer 1 source of truth and pinned versions.

Option A: Use local devDependency + npx:

-      - name: Install Tauri CLI and API
-        run: |
-          npm install -g @tauri-apps/cli
-          npm install @tauri-apps/cli @tauri-apps/api @tauri-apps/plugin-fs --save-dev
+      - name: Install Tauri CLI and API
+        run: |
+          npm install --save-dev @tauri-apps/cli@^2 @tauri-apps/api@^2 @tauri-apps/plugin-fs@^2
         shell: bash

Then call tauri via npx (see build step below).

Option B: Use only global CLI (less recommended for reproducibility):

-          npm install -g @tauri-apps/cli
-          npm install @tauri-apps/cli @tauri-apps/api @tauri-apps/plugin-fs --save-dev
+          npm install -g @tauri-apps/cli@^2

82-85: Consider injecting signing credentials during build.

Code signing is stated as WIP; Tauri uses env-based signing. Add per-OS secrets to sign on CI (macOS notarization, Windows .pfx, Tauri key).

Example (high-level):

  • Windows: WIN_CERTIFICATE (base64 PFX), WIN_CERT_PASSWORD, set TAURI_SIGNING_PRIVATE_KEY if using Tauri’s key.
  • macOS: APPLE_ID/APP_SPECIFIC_PASSWORD or API key (APPLE_API_KEY/ISSUER), and set TAURI_* signing vars; optionally notarize with gon/notarytool.
  • Linux: optional GPG signing for AppImage or repo.

If you want, I can draft env/step blocks for each matrix OS wired to repo secrets.


103-110: Double-check conventional-changelog output variable.

Many use steps.changelog.outputs.clean_changelog; using changelog may be empty depending on action config.

Use clean_changelog (safer) and pass via --notes-file to avoid shell quoting issues:

-      - name: Generate Changelog
+      - name: Generate Changelog
         id: changelog
         uses: TriPSs/conventional-changelog-action@v3
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
           skip-git-pull: 'true'
@@
-          CHANGELOG_NOTES="${{ steps.changelog.outputs.changelog }}"
+          CHANGELOG_NOTES="${{ steps.changelog.outputs.clean_changelog }}"
+          printf "%s\n" "$CHANGELOG_NOTES" > RELEASE_NOTES.md
@@
-          gh release create "$NEW_VERSION" \
-            --title "CircuitVerse Desktop $NEW_VERSION" \
-            --notes "$CHANGELOG_NOTES" \
-            release-assets/*
+          gh release create "$NEW_VERSION" \
+            --title "CircuitVerse Desktop $NEW_VERSION" \
+            --notes-file RELEASE_NOTES.md \
+            release-assets/*
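
Review bot: the `+` line `CHANGELOG_NOTES="${{ steps.changelog.outputs.clean_changelog }}"` still expands the expression into the script text before the shell runs, and the changelog is built from commit messages, so a message containing `"` or `$(...)` becomes shell syntax in a step that can create releases. Pass the output through the step's `env:` (for example `CHANGELOG_NOTES: ${{ steps.changelog.outputs.clean_changelog }}`) and keep only `printf "%s\n" "$CHANGELOG_NOTES" > RELEASE_NOTES.md` in `run:`. The switch to `--notes-file` is the right call.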

If you intentionally want the raw changelog, keep changelog but still prefer --notes-file.

Also applies to: 177-185


148-155: Optional: use setup-gh action instead of manual apt install.

This shortens the step and avoids apt repo flakiness.

-      - name: Install GitHub CLI
-        run: |
-          curl -fsSL https://cli.github.com/packages/githubcli-archive-keyring.gpg | sudo dd of=/usr/share/keyrings/githubcli-archive-keyring.gpg
-          echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/githubcli-archive-keyring.gpg] https://cli.github.com/packages stable main" | sudo tee /etc/apt/sources.list.d/github-cli.list > /dev/null
-          sudo apt update
-          sudo apt install gh -y
-        shell: bash
+      - name: Setup GitHub CLI
+        uses: cli/cli-action@v2
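
Review bot: the replacement `uses: cli/cli-action@v2` swaps an install from a keyring-verified apt source for an action referenced by a movable tag, in the job that publishes the release. Confirm that this action reference resolves and pin it to a commit SHA if it is adopted, or simply delete the install step, since the earlier comment on these lines notes that Ubuntu runners usually include `gh`.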

156-186: Make release creation deterministic and robust.

  • If no tags exist, you seed v0.0.1; OK. Consider skip if tag already exists.
  • Multi-line notes are safer via --notes-file (see earlier comment).

Add a guard:

           # Create release
-          gh release create "$NEW_VERSION" \
+          if gh release view "$NEW_VERSION" >/dev/null 2>&1; then
+            echo "Release $NEW_VERSION already exists; skipping."
+            exit 0
+          fi
+          gh release create "$NEW_VERSION" \
             --title "CircuitVerse Desktop $NEW_VERSION" \
-            --notes "$CHANGELOG_NOTES" \
+            --notes-file RELEASE_NOTES.md \
             release-assets/*
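
Review bot: In the guard, `gh release view "$NEW_VERSION" >/dev/null 2>&1` cannot tell "release not found" from an authentication or network failure, so any error falls through to `gh release create`. The `exit 0` branch also reports a green run although nothing was published; emit a step output or a `::notice::` line there so a skipped release is visible, and check for an existing tag as well as an existing release.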

Please verify whether you want semantic versioning (major/minor bumps) via conventional commits; if so, consider replacing this manual bump with semantic-release.


103-110: Remove trailing whitespace flagged by YAMLlint.

Trailing spaces on these lines can fail lint checks.

Run yamllint locally and strip trailing spaces on:

  • Line 110
  • Line 119
  • Line 127
  • Line 132
  • Line 144
  • Line 162
  • Line 180

Also applies to: 119-119, 127-127, 132-132, 144-144, 162-162, 180-180

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

💡 Knowledge Base configuration:

  • MCP integration is disabled by default for public repositories
  • Jira integration is disabled by default for public repositories
  • Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 881ca7a and b531fcd.

📒 Files selected for processing (1)
  • .github/workflows/release.yml (1 hunks)
🧰 Additional context used
🪛 actionlint (1.7.7)
.github/workflows/release.yml

20-20: the runner of "actions/checkout@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)

🪛 YAMLlint (1.37.1)
.github/workflows/release.yml

[error] 110-110: trailing spaces

(trailing-spaces)


[error] 119-119: trailing spaces

(trailing-spaces)


[error] 127-127: trailing spaces

(trailing-spaces)


[error] 132-132: trailing spaces

(trailing-spaces)


[error] 144-144: trailing spaces

(trailing-spaces)


[error] 162-162: trailing spaces

(trailing-spaces)


[error] 180-180: trailing spaces

(trailing-spaces)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: Desktop Simulator Tests
🔇 Additional comments (1)
.github/workflows/release.yml (1)

44-47: Verify build script name: tauri-build.js vs build-desktop.js.

The workflow runs node tauri-build.js, but the PR summary mentions build-desktop.js and tauri.conf.json calling that script. This mismatch will cause ENOENT.

If the correct script is build-desktop.js:

-      - name: Run Cross-Platform Build Script
-        run: node tauri-build.js
+      - name: Run Cross-Platform Build Script
+        run: node build-desktop.js
         shell: bash

If tauri-build.js is correct, please update tauri.conf.json and docs accordingly to keep names consistent.
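
The versioning comments above (156-186) derive the next `vMAJOR.MINOR.PATCH` tag from `git tag` output and only ever bump the patch number. As an added example that is not part of the review or the project's workflow, this POSIX shell version ignores malformed tags, picks the highest tag numerically, and supports all three bump kinds; the function names `is_release_tag`, `latest_release_tag` and `next_version` are assumptions.

```shell
#!/bin/sh
# Added example (not from the PR): strict handling of vMAJOR.MINOR.PATCH tags.
# All function names here are hypothetical.
# Intended use in a workflow step (assumes a BUMP variable holding the input):
#   NEW_VERSION=$(git tag | next_version "$BUMP")

# is_release_tag TAG
# Succeeds only for "v" followed by exactly three dot-separated decimal
# numbers without leading zeros (v0.10.2). Suffixes such as -rc1 are rejected.
is_release_tag() {
  case "$1" in
    v*.*.*) ;;
    *) return 1 ;;
  esac
  case "${1#v}" in
    # non-digit character, empty component, or more than three components
    *[!0-9.]* | .* | *. | *..* | *.*.*.*) return 1 ;;
    # leading zero in any component (would also confuse shell arithmetic)
    0[0-9]* | *.0[0-9]*) return 1 ;;
  esac
  return 0
}

# latest_release_tag
# Reads tag names on stdin, one per line, and prints the highest valid
# release tag. Prints nothing when no valid tag is present.
latest_release_tag() {
  while IFS= read -r _tag; do
    is_release_tag "$_tag" && printf '%s\n' "${_tag#v}"
  done | sort -t. -k1,1n -k2,2n -k3,3n | tail -n 1 | sed 's/^/v/'
}

# next_version KIND
# KIND is major, minor or patch. Reads existing tags on stdin and prints the
# next tag. With no valid tags the base is 0.0.0, so "patch" yields v0.0.1.
next_version() {
  case "$1" in
    major | minor | patch) ;;
    *) echo "unknown bump kind: $1" >&2; return 2 ;;
  esac
  _latest=$(latest_release_tag)
  _v=${_latest#v}
  if [ -z "$_v" ]; then
    _v=0.0.0
  fi
  _major=${_v%%.*}
  _v=${_v#*.}
  _minor=${_v%%.*}
  _patch=${_v#*.}
  case "$1" in
    major) _major=$((_major + 1)); _minor=0; _patch=0 ;;
    minor) _minor=$((_minor + 1)); _patch=0 ;;
    patch) _patch=$((_patch + 1)) ;;
  esac
  printf 'v%s.%s.%s\n' "$_major" "$_minor" "$_patch"
}
```

Sorting each component numerically matters once a component reaches two digits: a plain text sort places v0.10.10 before v0.10.2.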

Contributor

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 2

♻️ Duplicate comments (5)
.github/workflows/release.yml (5)

93-96: Prevent release-event loops: gate create-release to push events only.

This job creates a release which will retrigger the workflow via the “release: created” trigger, causing duplicate runs.

Apply this diff:

   create-release:
     runs-on: ubuntu-latest
     needs: build-tauri
+    if: github.event_name == 'push'
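
Review bot: The `if: github.event_name == 'push'` condition gates `create-release` only; the job named in `needs: build-tauri` still runs its full matrix for every `release: created` event and produces artifacts nobody consumes. If nothing depends on the release event, removing that trigger is the smaller and clearer change.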

19-21: Update checkout action to v4 (v3 is deprecated on current runners).
[actionlint finding]

Apply this diff:

-      - name: Checkout repository
-        uses: actions/checkout@v3
+      - name: Checkout repository
+        uses: actions/checkout@v4

48-54: Install Rust on all OSes; current step skips Windows and assumes rustup is present.

Windows builds can fail; prefer the cross-platform toolchain action.

Apply this diff:

-      - name: Setup Rust
-        if: matrix.os != 'windows-latest'
-        run: |
-          rustup update stable
-          rustup default stable
-        shell: bash
+      - name: Setup Rust (stable)
+        uses: dtolnay/rust-toolchain@stable
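
Review bot: `dtolnay/rust-toolchain@stable` picks the toolchain through the git ref, and `stable` is a branch that moves. In a pipeline whose output gets signed, pin the action to a commit SHA and select the channel with the `toolchain: stable` input instead.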

116-146: Artifact collection paths are wrong; missing ‘bundle/’ segment so no files are found.

Tauri outputs to src-tauri/target/release/bundle/...; downloaded artifacts mirror that path.

Apply this diff:

           # For Ubuntu (Linux)
-          if [ -d "artifacts/Tauri Build Artifacts (ubuntu-latest)/deb" ]; then
-            cp artifacts/Tauri\ Build\ Artifacts\ \(ubuntu-latest\)/deb/*.deb release-assets/ || true
+          if [ -d "artifacts/Tauri Build Artifacts (ubuntu-latest)/bundle/deb" ]; then
+            cp artifacts/Tauri\ Build\ Artifacts\ \(ubuntu-latest\)/bundle/deb/*.deb release-assets/ || true
           fi
-          if [ -d "artifacts/Tauri Build Artifacts (ubuntu-latest)/appimage" ]; then
-            cp artifacts/Tauri\ Build\ Artifacts\ \(ubuntu-latest\)/appimage/*.AppImage release-assets/ || true
+          if [ -d "artifacts/Tauri Build Artifacts (ubuntu-latest)/bundle/appimage" ]; then
+            cp artifacts/Tauri\ Build\ Artifacts\ \(ubuntu-latest\)/bundle/appimage/*.AppImage release-assets/ || true
           fi
           
           # For Windows
-          if [ -d "artifacts/Tauri Build Artifacts (windows-latest)/msi" ]; then
-            cp artifacts/Tauri\ Build\ Artifacts\ \(windows-latest\)/msi/*.msi release-assets/ || true
+          if [ -d "artifacts/Tauri Build Artifacts (windows-latest)/bundle/msi" ]; then
+            cp artifacts/Tauri\ Build\ Artifacts\ \(windows-latest\)/bundle/msi/*.msi release-assets/ || true
           fi
           
           # For macOS
-          if [ -d "artifacts/Tauri Build Artifacts (macos-latest)/dmg" ]; then
-            cp artifacts/Tauri\ Build\ Artifacts\ \(macos-latest\)/dmg/*.dmg release-assets/ || true
+          if [ -d "artifacts/Tauri Build Artifacts (macos-latest)/bundle/dmg" ]; then
+            cp artifacts/Tauri\ Build\ Artifacts\ \(macos-latest\)/bundle/dmg/*.dmg release-assets/ || true
           fi
-          if [ -d "artifacts/Tauri Build Artifacts (macos-latest)/app" ]; then
-            cd artifacts/Tauri\ Build\ Artifacts\ \(macos-latest\)/app
+          if [ -d "artifacts/Tauri Build Artifacts (macos-latest)/bundle/app" ]; then
+            cd artifacts/Tauri\ Build\ Artifacts\ \(macos-latest\)/bundle/app
             for app in *.app; do
               zip -r "../../../release-assets/${app%.app}.zip" "$app"
             done
             cd - || exit
           fi
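
Review bot: Every `cp ... || true` in this hunk hides a missing bundle, so a release can be published without one platform's installer and the run still passes; in the macOS branch `for app in *.app` also iterates once over the literal string `*.app` when the directory is empty. Drop `|| true`, test that each glob matched, and fail the step when an expected artifact is absent.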

55-68: Apt install lacks -y and may hang; also make webkit2gtk version robust (4.1 vs 4.0).

Add -y and fallback logic to avoid failures across Ubuntu images.

Apply this diff:

       - name: Install Linux Dependencies (Ubuntu)
         if: matrix.os == 'ubuntu-latest'
         run: |
           sudo apt update
-          sudo apt install libwebkit2gtk-4.1-dev \
-          build-essential \
-          curl \
-          wget \
-          file \
-          libxdo-dev \
-          libssl-dev \
-          libayatana-appindicator3-dev \
-          librsvg2-dev
+          # Base deps
+          sudo apt install -y build-essential curl wget file libxdo-dev libssl-dev libayatana-appindicator3-dev librsvg2-dev
+          # Try webkit 4.1 first, fall back to 4.0 if unavailable
+          sudo apt install -y libwebkit2gtk-4.1-dev || sudo apt install -y libwebkit2gtk-4.0-dev
         shell: bash
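
Review bot: The fallback `sudo apt install -y libwebkit2gtk-4.1-dev || sudo apt install -y libwebkit2gtk-4.0-dev` lets the step pass with a different WebKitGTK version than the one the workflow names, which moves any incompatibility into the build step where it is harder to read. Fail here when 4.1 is unavailable, or pin the runner to a specific Ubuntu release instead of `ubuntu-latest` so the package set is known.
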
🧹 Nitpick comments (6)
.github/workflows/release.yml (6)

38-43: Avoid double-installing Tauri CLI; prefer local devDependency and npx.

Installing globally and locally is redundant and slows CI. Use local devDependency and invoke via npx.

Apply this diff:

-      - name: Install Tauri CLI and API
-        run: |
-          npm install -g @tauri-apps/cli
-          npm install @tauri-apps/cli @tauri-apps/api @tauri-apps/plugin-fs --save-dev
+      - name: Install Tauri CLI and API
+        run: |
+          npm install @tauri-apps/cli @tauri-apps/api @tauri-apps/plugin-fs --save-dev
         shell: bash
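
Review bot: The remaining `npm install @tauri-apps/cli @tauri-apps/api @tauri-apps/plugin-fs --save-dev` names no versions, so each release build resolves whatever is current on the registry at that moment. Declare these in `devDependencies`, commit the lockfile, and replace the step with `npm ci` so the shipped binary is built from reviewed versions.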

And update the build step to use npx (optional):

-      - name: Build Tauri App
-        run: npm run tauri build
+      - name: Build Tauri App
+        run: npx tauri build
         shell: bash

82-84: Windows/macOS artifacts are currently unsigned. Add Windows signing and (optionally) Linux signatures.

No steps invoke signtool (Windows) or sign Linux packages. For Windows MSI, add a post-build signing step (or integrate a signing service).

Example (Windows) after build:

- name: Sign Windows MSI
  if: matrix.os == 'windows-latest'
  shell: pwsh
  env:
    PFX_BASE64: ${{ secrets.WIN_CODESIGN_PFX_BASE64 }}
    PFX_PASSWORD: ${{ secrets.WIN_CODESIGN_PFX_PASSWORD }}
  run: |
    $pfxPath = "$env:RUNNER_TEMP\codesign.pfx"
    [IO.File]::WriteAllBytes($pfxPath, [Convert]::FromBase64String($env:PFX_BASE64))
    # Import cert to CurrentUser\My
    certutil -f -p $env:PFX_PASSWORD -importpfx $pfxPath NoRoot
    # Sign all MSI artifacts
    Get-ChildItem "src-tauri\target\release\bundle\msi\*.msi" | ForEach-Object {
      & signtool sign /f $pfxPath /p $env:PFX_PASSWORD /tr http://timestamp.digicert.com /td sha256 /fd sha256 $_.FullName
    }

Confirm if you plan to use a managed signing service (e.g., Azure Trusted Signing/SignPath). I can tailor steps accordingly.


27-33: Use setup-node’s built-in npm cache for simplicity.

You can drop actions/cache and let setup-node manage npm caching.

Apply this diff:

-      - name: Cache Node.js Dependencies
-        uses: actions/cache@v4
-        with:
-          path: ~/.npm
-          key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
-          restore-keys: ${{ runner.os }}-node-
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: 22
+          cache: 'npm'

Then remove the earlier Setup Node.js step to avoid duplication.


103-110: Confirm changelog output name; TriPSs action may not expose ‘changelog’.

If the output is different (e.g., a “clean_” variant), your release notes will be empty.

Two options:

  • Use the action’s documented output (verify exact key), or
  • Write to a file and pass it to gh via --notes-file.

Example adjusting the release step:

-          CHANGELOG_NOTES="${{ steps.changelog.outputs.changelog }}"
+          CHANGELOG_NOTES="${{ steps.changelog.outputs.clean_changelog }}"

Or:

-          gh release create "$NEW_VERSION" \
+          echo "${{ steps.changelog.outputs.changelog }}" > RELEASE_NOTES.md
+          gh release create "$NEW_VERSION" \
             --title "CircuitVerse Desktop $NEW_VERSION" \
-            --notes "$CHANGELOG_NOTES" \
+            --notes-file RELEASE_NOTES.md \
             release-assets/*
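
Review bot: The added `echo "${{ steps.changelog.outputs.changelog }}" > RELEASE_NOTES.md` still places the expression inside the script, so `--notes-file` alone does not make multi-line or quoted changelog text safe. Write the file from an environment variable with `printf '%s\n'`.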

If you want, I can verify and wire the exact output key to avoid surprises.


156-186: Versioning is ad-hoc; consider semantic-release for reliable tagging and releases.

Manual tag bumping can desync with package.json and produce race conditions on parallel runs.

You can replace the custom versioning and gh calls with semantic-release (or keep gh for assets only). I can provide a minimal semantic-release job that:

  • analyzes conventional commits,
  • updates CHANGELOG.md,
  • creates a GitHub Release with proper semver,
  • exposes outputs for downstream asset upload.

Want me to drop in a ready-to-run semantic-release config tailored to this repo?

110-110: Trim trailing spaces flagged by yamllint.

These lines have trailing spaces; clean them to satisfy linters.

Also applies to: 119-119, 127-127, 132-132, 144-144, 162-162, 180-180

📜 Review details

📥 Commits

Reviewing files that changed from the base of the PR and between b531fcd and 4c0896a.

📒 Files selected for processing (1)
  • .github/workflows/release.yml (1 hunks)

Contributor

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 0

♻️ Duplicate comments (7)
.github/workflows/release.yml (7)

4-9: Add top-level permissions for releases (contents: write).

Without explicit permissions, GITHUB_TOKEN may be read-only in orgs and gh release create will fail.

Apply this diff:

 on:
   push:
     branches: [ "main" ]
   release:
     types: [created]
 
+permissions:
+  contents: write
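
Review bot: `permissions: contents: write` at the top level gives the write-scoped token to every job, including the `build-tauri` matrix that installs npm packages and runs build scripts. Set `contents: read` at the top level and grant `contents: write` only on the `create-release` job.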

20-21: Update checkout to v4 (v3 deprecated on current runners).

-      - name: Checkout repository
-        uses: actions/checkout@v3
+      - name: Checkout repository
+        uses: actions/checkout@v4

48-54: Install Rust across all OSes; current step skips Windows and assumes rustup.

Use dtolnay/rust-toolchain for a consistent toolchain on ubuntu/macOS/Windows.

-      - name: Setup Rust
-        if: matrix.os != 'windows-latest'
-        run: |
-          rustup update stable
-          rustup default stable
-        shell: bash
+      - name: Setup Rust (stable)
+        uses: dtolnay/rust-toolchain@stable

55-68: Make Linux deps robust and non-interactive (-y) with webkit2gtk 4.1→4.0 fallback.

This prevents apt prompts from hanging and handles Ubuntu images that only have 4.0.

       - name: Install Linux Dependencies (Ubuntu)
         if: matrix.os == 'ubuntu-latest'
         run: |
           sudo apt update
-          sudo apt install libwebkit2gtk-4.1-dev \
-          build-essential \
-          curl \
-          wget \
-          file \
-          libxdo-dev \
-          libssl-dev \
-          libayatana-appindicator3-dev \
-          librsvg2-dev
+          # Base toolchain and libs
+          sudo apt install -y build-essential curl wget file libxdo-dev libssl-dev libayatana-appindicator3-dev librsvg2-dev || true
+          # Try 4.1, fall back to 4.0 if not available
+          sudo apt install -y libwebkit2gtk-4.1-dev || sudo apt install -y libwebkit2gtk-4.0-dev
         shell: bash
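
Review bot: The `|| true` appended to the base `sudo apt install -y build-essential ...` line discards a failed install, so a missing compiler or `libssl-dev` only surfaces later as a build error. Remove it; the WebKitGTK fallback on the following line does not need it.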

70-76: Implement macOS code signing and notarization (currently missing).

PR objective includes “Code Signing” but there are no cert import/notarization steps. Import Developer ID certs before build; notarize the app after build.

Example steps (requires secrets):

       - name: Install macOS Dependencies
         if: matrix.os == 'macos-latest'
         run: |
           brew update
           brew install pkg-config
         shell: bash
+
+      # Import Apple Developer ID certificate for codesign
+      - name: Import Apple code signing cert
+        if: matrix.os == 'macos-latest'
+        uses: apple-actions/import-codesign-certs@v3
+        with:
+          p12-file-base64: ${{ secrets.MACOS_CERT_P12_BASE64 }}
+          p12-password: ${{ secrets.MACOS_CERT_PASSWORD }}
+
+      # After build, notarize the DMG/app (adjust paths as needed)
+      # Requires APPLE_API_KEY, APPLE_API_ISSUER, APPLE_TEAM_ID secrets
+      - name: Notarize app (macOS)
+        if: matrix.os == 'macos-latest'
+        run: |
+          xcrun notarytool submit "src-tauri/target/release/bundle/dmg/"*.dmg \
+            --apple-id $APPLE_API_KEY \
+            --team-id $APPLE_TEAM_ID \
+            --issuer $APPLE_API_ISSUER \
+            --wait
+        env:
+          APPLE_API_KEY: ${{ secrets.APPLE_API_KEY }}
+          APPLE_API_ISSUER: ${{ secrets.APPLE_API_ISSUER }}
+          APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
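
Review bot: The `xcrun notarytool submit` call mixes two credential forms: `--apple-id` is given `$APPLE_API_KEY`, while `--issuer` belongs to the API-key form (`--key`, `--key-id`, `--issuer`) and the Apple ID form needs `--password`. Choose one form, quote the variables, and move the step after "Build Tauri App", since in this hunk it sits directly after the dependency install where no DMG exists yet.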

I can also wire Windows signing (signtool/PFX) and Linux .deb signing if you provide the certs. Want me to add those?


93-96: Prevent release loops: gate create-release to only run on push events.

The job creates a release which can retrigger the workflow via the release:created trigger.

   create-release:
     runs-on: ubuntu-latest
     needs: build-tauri
+    if: github.event_name == 'push'

Optionally remove the release: trigger at the top if not required.


120-143: Fix artifact paths: include 'bundle/' segment for Tauri outputs.

Current paths miss the bundle directory, resulting in no files found.

           # For Ubuntu (Linux)
-          if [ -d "artifacts/Tauri Build Artifacts (ubuntu-latest)/deb" ]; then
-            cp artifacts/Tauri\ Build\ Artifacts\ \(ubuntu-latest\)/deb/*.deb release-assets/ || true
+          if [ -d "artifacts/Tauri Build Artifacts (ubuntu-latest)/bundle/deb" ]; then
+            cp "artifacts/Tauri Build Artifacts (ubuntu-latest)/bundle/deb/"*.deb release-assets/ || true
           fi
-          if [ -d "artifacts/Tauri Build Artifacts (ubuntu-latest)/appimage" ]; then
-            cp artifacts/Tauri\ Build\ Artifacts\ \(ubuntu-latest\)/appimage/*.AppImage release-assets/ || true
+          if [ -d "artifacts/Tauri Build Artifacts (ubuntu-latest)/bundle/appimage" ]; then
+            cp "artifacts/Tauri Build Artifacts (ubuntu-latest)/bundle/appimage/"*.AppImage release-assets/ || true
           fi
           
           # For Windows
-          if [ -d "artifacts/Tauri Build Artifacts (windows-latest)/msi" ]; then
-            cp artifacts/Tauri\ Build\ Artifacts\ \(windows-latest\)/msi/*.msi release-assets/ || true
+          if [ -d "artifacts/Tauri Build Artifacts (windows-latest)/bundle/msi" ]; then
+            cp "artifacts/Tauri Build Artifacts (windows-latest)/bundle/msi/"*.msi release-assets/ || true
           fi
           
           # For macOS
-          if [ -d "artifacts/Tauri Build Artifacts (macos-latest)/dmg" ]; then
-            cp artifacts/Tauri\ Build\ Artifacts\ \(macos-latest\)/dmg/*.dmg release-assets/ || true
+          if [ -d "artifacts/Tauri Build Artifacts (macos-latest)/bundle/dmg" ]; then
+            cp "artifacts/Tauri Build Artifacts (macos-latest)/bundle/dmg/"*.dmg release-assets/ || true
           fi
-          if [ -d "artifacts/Tauri Build Artifacts (macos-latest)/app" ]; then
-            cd artifacts/Tauri\ Build\ Artifacts\ \(macos-latest\)/app
+          if [ -d "artifacts/Tauri Build Artifacts (macos-latest)/bundle/app" ]; then
+            cd "artifacts/Tauri Build Artifacts (macos-latest)/bundle/app"
             for app in *.app; do
               zip -r "../../../release-assets/${app%.app}.zip" "$app"
             done
             cd - || exit
           fi

Also prefer quoting paths with spaces instead of backslash-escaping for readability.

🧹 Nitpick comments (6)
.github/workflows/release.yml (6)

38-43: Avoid mutating package.json in CI; install Tauri API/plugin without --save-dev.

Using --save-dev writes to package.json on the runner. Prefer --no-save or predefine deps in the repo.

       - name: Install Tauri CLI and API
         run: |
           npm install -g @tauri-apps/cli@2.0.0-beta.13
-          npm install @tauri-apps/api@2.0.0-beta.13 @tauri-apps/plugin-fs@2.0.0-beta.13 --save-dev
+          npm install --no-save @tauri-apps/api@2.0.0-beta.13 @tauri-apps/plugin-fs@2.0.0-beta.13
         shell: bash

Alternatively, add these packages to devDependencies and drop this step entirely.


27-33: Use setup-node’s built-in npm cache instead of a separate cache step.

Simplifies the workflow and improves cache hit behavior keyed by lockfile.

       - name: Setup Node.js
         uses: actions/setup-node@v4
         with:
-          node-version: 22
+          node-version: 22
+          cache: 'npm'
-      - name: Cache Node.js Dependencies
-        uses: actions/cache@v4
-        with:
-          path: ~/.npm
-          key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
-          restore-keys: ${{ runner.os }}-node-

148-155: Skip installing gh; it’s available on ubuntu-latest runners.

You can remove this step and rely on preinstalled GitHub CLI to save time.

If you keep it, add -y consistently to apt commands and consider pinning a version.


110-110: Remove trailing spaces flagged by yamllint.

Minor formatting cleanup to keep CI linters green.

-          skip-git-pull: 'true'
+          skip-git-pull: 'true'
-          
+
-          
+
-          
+
-          
+
-          
+
-          
+
-          
+

Also applies to: 119-119, 127-127, 132-132, 144-144, 162-162, 180-180


82-85: Prepare for signing envs during Tauri build (macOS/Windows).

If you wire signing, set env vars consumed by Tauri during build (e.g., Apple team ID, Windows PFX path/password).

Example:

       - name: Build Tauri App
-        run: npm run tauri build
+        run: npm run tauri build
+        env:
+          # macOS signing (example; adapt to your method)
+          TAURI_SIGNING_IDENTITY: "Developer ID Application: Your Org (TEAMID)"
+          # Windows signing (if using a PFX file)
+          CSC_LINK: ${{ secrets.WIN_CERT_PFX_BASE64 }}
+          CSC_KEY_PASSWORD: ${{ secrets.WIN_CERT_PASSWORD }}
         shell: bash
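
Review bot: The `env:` block is attached to the shared "Build Tauri App" step, so `CSC_LINK` and `CSC_KEY_PASSWORD` are exposed to the Linux and macOS legs as well as Windows. Also check the variable names against the Tauri documentation before relying on them: `CSC_LINK` and `CSC_KEY_PASSWORD` are the names electron-builder reads, and if the bundler ignores them the build succeeds unsigned without any error.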

Note: Prefer tauri-apps/tauri-action which has first-class signing/notarization support if you want a simpler setup.


156-186: Changelog Outputs Verified – Both changelog and clean_changelog Are Exposed

The TriPSs action’s metadata confirms it defines both outputs:

  • changelog – complete changelog including version header
  • clean_changelog – changelog without the version line

Your current use of ${{ steps.changelog.outputs.changelog }} is valid. If you’d rather omit the version header in your GitHub Release notes, you can optionally switch to clean_changelog:

-          CHANGELOG_NOTES="${{ steps.changelog.outputs.changelog }}"
+          CHANGELOG_NOTES="${{ steps.changelog.outputs.clean_changelog }}"

No changes are strictly required unless you prefer the cleaned-up format.

📜 Review details

📥 Commits

Reviewing files that changed from the base of the PR and between 4c0896a and 410edea.

📒 Files selected for processing (1)
  • .github/workflows/release.yml (1 hunks)
🔇 Additional comments (1)
.github/workflows/release.yml (1)

111-115: Artifact naming/structure is fine.

Using download-artifact v4 with per-artifact subdirectories matches your Prepare Release script.

Also applies to: 86-92

Contributor

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 3

♻️ Duplicate comments (7)
.github/workflows/release.yml (7)

93-96: Prevent release-event loops/duplicates.
This job will re-trigger on “release: created” events it emits. Gate it to only run on push.

   create-release:
     runs-on: ubuntu-latest
     needs: build-tauri
+    if: github.event_name == 'push'

Or remove the top-level release: trigger if not needed.


20-21: Update checkout to v4 (v3 is deprecated on GitHub-hosted runners).
actionlint flags v3 as too old; switch to v4.

-      - name: Checkout repository
-        uses: actions/checkout@v3
+      - name: Checkout repository
+        uses: actions/checkout@v4

4-9: Grant GITHUB_TOKEN write permissions for creating releases.
Without explicit permissions, gh release create may fail under org defaults.

 on:
   push:
     branches: [ "main" ]
   release:
     types: [created]
 
+permissions:
+  contents: write

48-54: Install Rust on all OSes; current step skips Windows and assumes rustup exists.
Windows builds will fail without Rust; and Linux/macOS runners may not have rustup preinstalled. Use dtolnay/rust-toolchain action.

-      - name: Setup Rust
-        if: matrix.os != 'windows-latest'
-        run: |
-          rustup update stable
-          rustup default stable
-        shell: bash
+      - name: Setup Rust (stable)
+        uses: dtolnay/rust-toolchain@stable

55-68: Apt install is non-interactive bug + libwebkit2gtk version fragility.

  • Missing -y will prompt and hang CI.
  • libwebkit2gtk-4.1-dev isn’t available on all Ubuntu images; add a fallback to 4.0.

       - name: Install Linux Dependencies (Ubuntu)
         if: matrix.os == 'ubuntu-latest'
         run: |
           sudo apt update
-          sudo apt install libwebkit2gtk-4.1-dev \
-          build-essential \
-          curl \
-          wget \
-          file \
-          libxdo-dev \
-          libssl-dev \
-          libayatana-appindicator3-dev \
-          librsvg2-dev
+          # Install common deps
+          sudo apt install -y build-essential curl wget file libxdo-dev libssl-dev libayatana-appindicator3-dev librsvg2-dev
+          # Try WebKitGTK 4.1, fall back to 4.0 if unavailable
+          sudo apt install -y libwebkit2gtk-4.1-dev || sudo apt install -y libwebkit2gtk-4.0-dev
         shell: bash

86-92: Fix artifact paths: missing ‘bundle/’ causes no files to be found.
Tauri bundles artifacts under src-tauri/target/release/bundle; the download step looks in …/(os)/deb etc. Insert bundle/ in all paths.

-          # For Ubuntu (Linux)
-          if [ -d "artifacts/Tauri Build Artifacts (ubuntu-latest)/deb" ]; then
-            cp artifacts/Tauri\ Build\ Artifacts\ \(ubuntu-latest\)/deb/*.deb release-assets/ || true
+          # For Ubuntu (Linux)
+          if [ -d "artifacts/Tauri Build Artifacts (ubuntu-latest)/bundle/deb" ]; then
+            cp artifacts/Tauri\ Build\ Artifacts\ \(ubuntu-latest\)/bundle/deb/*.deb release-assets/ || true
           fi
-          if [ -d "artifacts/Tauri Build Artifacts (ubuntu-latest)/appimage" ]; then
-            cp artifacts/Tauri\ Build\ Artifacts\ \(ubuntu-latest\)/appimage/*.AppImage release-assets/ || true
+          if [ -d "artifacts/Tauri Build Artifacts (ubuntu-latest)/bundle/appimage" ]; then
+            cp artifacts/Tauri\ Build\ Artifacts\ \(ubuntu-latest\)/bundle/appimage/*.AppImage release-assets/ || true
           fi
           
           # For Windows
-          if [ -d "artifacts/Tauri Build Artifacts (windows-latest)/msi" ]; then
-            cp artifacts/Tauri\ Build\ Artifacts\ \(windows-latest\)/msi/*.msi release-assets/ || true
+          if [ -d "artifacts/Tauri Build Artifacts (windows-latest)/bundle/msi" ]; then
+            cp artifacts/Tauri\ Build\ Artifacts\ \(windows-latest\)/bundle/msi/*.msi release-assets/ || true
           fi
           
           # For macOS
-          if [ -d "artifacts/Tauri Build Artifacts (macos-latest)/dmg" ]; then
-            cp artifacts/Tauri\ Build\ Artifacts\ \(macos-latest\)/dmg/*.dmg release-assets/ || true
+          if [ -d "artifacts/Tauri Build Artifacts (macos-latest)/bundle/dmg" ]; then
+            cp artifacts/Tauri\ Build\ Artifacts\ \(macos-latest\)/bundle/dmg/*.dmg release-assets/ || true
           fi
-          if [ -d "artifacts/Tauri Build Artifacts (macos-latest)/app" ]; then
-            cd artifacts/Tauri\ Build\ Artifacts\ \(macos-latest\)/app
+          if [ -d "artifacts/Tauri Build Artifacts (macos-latest)/bundle/app" ]; then
+            cd artifacts/Tauri\ Build\ Artifacts\ \(macos-latest\)/bundle/app
             for app in *.app; do
               zip -r "../../../release-assets/${app%.app}.zip" "$app"
             done
             cd - || exit
           fi

Also applies to: 120-143


70-76: Code signing is missing for macOS; import certificate and notarize.
PR objective is “Release Pipelines with Code Signing.” Add cert import before build and notarization after build on macOS.

Insert these steps (using your secrets) before and after “Build Tauri App”:

       - name: Install macOS Dependencies
         if: matrix.os == 'macos-latest'
         run: |
           brew update
           brew install pkg-config
         shell: bash

+      # Import Apple Developer ID cert (P12 base64) to enable codesign
+      - name: Import Apple code signing cert
+        if: matrix.os == 'macos-latest'
+        uses: apple-actions/import-codesign-certs@v3
+        with:
+          p12-file-base64: ${{ secrets.MACOS_CERT_P12_BASE64 }}
+          p12-password: ${{ secrets.MACOS_CERT_PASSWORD }}
+
       - name: Cache Rust Dependencies
         uses: Swatinem/rust-cache@v2
         with:
           workspaces: "./src-tauri"
 
       - name: Build Tauri App
         run: npm run tauri build
         shell: bash
+
+      # Example notarization step (adjust artifact paths)
+      - name: Notarize macOS app
+        if: matrix.os == 'macos-latest'
+        run: |
+          xcrun notarytool submit "src-tauri/target/release/bundle/dmg/"*.dmg \
+            --apple-id "$APPLE_ID" \
+            --team-id "$APPLE_TEAM_ID" \
+            --password "$APPLE_APP_SPECIFIC_PASSWORD" \
+            --wait
+        env:
+          APPLE_ID: ${{ secrets.APPLE_ID }}
+          APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
+          APPLE_APP_SPECIFIC_PASSWORD: ${{ secrets.APPLE_APP_SPECIFIC_PASSWORD }}
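
Review bot: The glob in `xcrun notarytool submit "src-tauri/target/release/bundle/dmg/"*.dmg` can expand to several paths or to none, while the command takes a single file, and nothing staples the ticket afterwards. Resolve exactly one DMG into a variable, fail if the count is not one, and run `xcrun stapler staple` on it after `--wait` returns so the uploaded artifact carries its notarization ticket.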

If you prefer, switch to tauri-apps/tauri-action which supports macOS signing/notarization out of the box. I can provide a ready-to-drop configuration.

🧹 Nitpick comments (3)
.github/workflows/release.yml (3)

156-186: Versioning logic is naive; use Conventional Changelog outputs and guard empty releases.
Always bumping PATCH ignores commit semantics and may create duplicates. TriPSs action exposes outputs for tag/version and whether to skip.

-      - name: Auto-increment version and create GitHub Release
+      - name: Auto-increment version and create GitHub Release
+        if: steps.changelog.outputs.skipped == 'false'
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          CC_TAG: ${{ steps.changelog.outputs.tag }}
         run: |
           # Fetch latest tag
           LATEST_TAG=$(git tag --sort=-v:refname | head -n 1)
           
-          # Extract major, minor, patch versions
-          if [[ "$LATEST_TAG" =~ ^v([0-9]+)\.([0-9]+)\.([0-9]+)$ ]]; then
-            MAJOR=${BASH_REMATCH[1]}
-            MINOR=${BASH_REMATCH[2]}
-            PATCH=${BASH_REMATCH[3]}
-          else
-            MAJOR=0
-            MINOR=0
-            PATCH=0
-          fi
-
-          # Increment patch version
-          NEW_VERSION="v$MAJOR.$MINOR.$((PATCH + 1))"
+          # Prefer version/tag from Conventional Changelog if provided
+          if [ -n "$CC_TAG" ]; then
+            NEW_VERSION="$CC_TAG"
+          else
+            # Fallback: increment patch version
+            if [[ "$LATEST_TAG" =~ ^v([0-9]+)\.([0-9]+)\.([0-9]+)$ ]]; then
+              MAJOR=${BASH_REMATCH[1]}
+              MINOR=${BASH_REMATCH[2]}
+              PATCH=${BASH_REMATCH[3]}
+            else
+              MAJOR=0; MINOR=0; PATCH=0
+            fi
+            NEW_VERSION="v$MAJOR.$MINOR.$((PATCH + 1))"
+          fi
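
Review bot: In the fallback branch, a `LATEST_TAG` that does not match `^v([0-9]+)\.([0-9]+)\.([0-9]+)$` is silently treated as 0.0.0 and yields `v0.0.1`, which can collide with or sort below tags that already exist in another format. Fail the step when tags exist but the newest one does not parse, and check `CC_TAG` against the same pattern before assigning it to `NEW_VERSION`, since it is used verbatim as the release tag.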

Also, handle the case when no assets exist to avoid gh failing:

-          gh release create "$NEW_VERSION" \
+          shopt -s nullglob
+          ASSETS=(release-assets/*)
+          gh release create "$NEW_VERSION" \
             --title "CircuitVerse Desktop $NEW_VERSION" \
             --notes "$CHANGELOG_NOTES" \
-            release-assets/*
+            "${ASSETS[@]}"
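
Review bot: With `shopt -s nullglob`, an empty `release-assets/` makes `"${ASSETS[@]}"` expand to nothing, so `gh release create` publishes a release with no binaries instead of failing. For a release pipeline that is the wrong default; check `${#ASSETS[@]}` and exit non-zero when it is 0.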

If you want fully automated semver + changelog + release, consider semantic-release; I can provide a minimal config wired to your workflow.


110-110: Trim trailing spaces flagged by yamllint.
Minor, but keeps CI linting green and diffs clean.

Lines with trailing spaces: 110, 119, 127, 132, 144, 162, 180.

Also applies to: 119-119, 127-127, 132-132, 144-144, 162-162, 180-180


116-146: Robust asset collection and quoting.
Paths contain spaces/parentheses; you already escape them in cp, but the initial test uses unquoted -d and later cd without set -e. Consider consistent quoting and fail-fast for unexpected issues.

Example refinement:

-          if [ -d "artifacts/Tauri Build Artifacts (macos-latest)/bundle/app" ]; then
-            cd artifacts/Tauri\ Build\ Artifacts\ \(macos-latest\)/bundle/app
+          if [ -d "artifacts/Tauri Build Artifacts (macos-latest)/bundle/app" ]; then
+            cd "artifacts/Tauri Build Artifacts (macos-latest)/bundle/app"
             for app in *.app; do
               zip -r "../../../release-assets/${app%.app}.zip" "$app"
             done
-            cd - || exit
+            cd - >/dev/null || exit
           fi
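
Review bot: The `zip -r "../../../release-assets/..."` target does not reach the workspace root from `.../bundle/app`. That directory is four levels down (`artifacts/`, the artifact name, `bundle/`, `app/`), so three `..` segments resolve to `artifacts/release-assets` rather than the top-level `release-assets/` that `gh release create` reads from. Use `"$GITHUB_WORKSPACE/release-assets/${app%.app}.zip"` or add the fourth `..`.
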
📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

💡 Knowledge Base configuration:

  • MCP integration is disabled by default for public repositories
  • Jira integration is disabled by default for public repositories
  • Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 410edea and 3042d8b.

📒 Files selected for processing (1)
  • .github/workflows/release.yml (1 hunks)
🧰 Additional context used
🪛 actionlint (1.7.7)
.github/workflows/release.yml

20-20: the runner of "actions/checkout@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)

🪛 YAMLlint (1.37.1)
.github/workflows/release.yml

[error] 110-110: trailing spaces

(trailing-spaces)


[error] 119-119: trailing spaces

(trailing-spaces)


[error] 127-127: trailing spaces

(trailing-spaces)


[error] 132-132: trailing spaces

(trailing-spaces)


[error] 144-144: trailing spaces

(trailing-spaces)


[error] 162-162: trailing spaces

(trailing-spaces)


[error] 180-180: trailing spaces

(trailing-spaces)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: Desktop Simulator Tests

Contributor

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 2

♻️ Duplicate comments (7)
build-desktop.js (1)

33-37: Avoid shell “copy/cp” (Windows prompt risk) and add existence checks.

copy may prompt on overwrite; use fs.copyFileSync cross‑platform and fail fast if source is missing.

Apply:

-const { execSync } = require('child_process');
+const { execSync } = require('child_process');
+const fs = require('fs');
+const path = require('path');
@@
-runCommand('npm run build');
+runCommand('npm run build');
 
-if (platform === 'win32') {
-  runCommand('copy dist\\index-cv.html dist\\index.html');
-} else {
-  runCommand('cp dist/index-cv.html dist/index.html');
-}
+const src = path.join('dist', 'index-cv.html');
+const dst = path.join('dist', 'index.html');
+if (!fs.existsSync(src)) {
+  console.error(`Error: ${src} not found after build`);
+  process.exit(1);
+}
+fs.copyFileSync(src, dst);
+console.log(`Copied ${src} -> ${dst}`);
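
Review bot: `src` and `dst` are built with `path.join('dist', ...)`, which resolves against the process working directory, not the script's location. If the script is started from another directory, the existence check fails even after a good build; anchor both paths on `__dirname`, for example `path.join(__dirname, 'dist', 'index-cv.html')`.
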
.github/workflows/release.yml (4)

108-126: Fix macOS .app path; it lives under bundle/app.

Current path misses “bundle/”, so zipping will find nothing.

Apply:

-          if [ -d "artifacts/Tauri Build Artifacts (macos-latest)/app" ]; then
-            cd artifacts/Tauri\ Build\ Artifacts\ \(macos-latest\)/app
+          if [ -d "artifacts/Tauri Build Artifacts (macos-latest)/bundle/app" ]; then
+            cd artifacts/Tauri\ Build\ Artifacts\ \(macos-latest\)/bundle/app
             for app in *.app; do
               zip -r "../../../release-assets/${app%.app}.zip" "$app"
             done
             cd -
           fi
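
Review bot: `for app in *.app` runs once with the literal string `*.app` when the directory holds no bundle, so `zip` errors out on a name that does not exist. Set `shopt -s nullglob` before the loop or test `[ -e "$app" ]` inside it, and guard the bare `cd -` with `|| exit`.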

Additionally, consider copying Windows .exe and macOS .zip if generated:

-          find artifacts -type f \( -name "*.deb" -o -name "*.AppImage" -o -name "*.msi" -o -name "*.dmg" \) -exec cp {} release-assets/ \; || true
+          find artifacts -type f \( -name "*.deb" -o -name "*.AppImage" -o -name "*.msi" -o -name "*.exe" -o -name "*.dmg" -o -name "*.zip" \) -exec cp {} release-assets/ \; || true
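
Review bot: Adding `*.exe` and `*.zip` to the `find` pattern copies every such file anywhere under `artifacts` into one flat directory, so same-named files from different OS artifacts overwrite each other and non-installer binaries can end up in the release. Limit the search to the installer subdirectories of each bundle. Since a failing `-exec cp ... \;` does not change the exit status of `find` and `|| true` masks a missing `artifacts` directory, follow the line with a check that `release-assets/` is not empty.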

1-3: Grant token permissions for creating releases.

Without explicit permissions, gh release can fail under org defaults.

Apply:

 name: Manually Triggered Desktop Release
+permissions:
+  contents: write
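
Review bot: `permissions: contents: write` at workflow level gives every job a write-capable `GITHUB_TOKEN`, including the build jobs that run npm and cargo build scripts. Only the job that calls `gh release create` needs it; set `contents: read` at the top and `contents: write` on that job alone.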

54-59: Install Rust on all OSes; remove rustup assumptions.

Use dtolnay/rust-toolchain for cross‑platform installation.

Apply:

-      - name: Setup Rust
-        if: matrix.os != 'windows-latest'
-        run: |
-          rustup update stable
-          rustup default stable
+      - name: Setup Rust (stable)
+        uses: dtolnay/rust-toolchain@stable
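
Review bot: `dtolnay/rust-toolchain@stable` is a branch reference, so the code that runs in this release job can change without any commit to this repository. In a workflow that will hold signing secrets, pin the action to a full commit SHA and pass `toolchain: stable` as an input.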

43-50: Don’t mutate package.json in CI; rely on locked deps and local CLI.

Use npm ci and remove --save-dev installs/global CLI.

Apply:

-      - name: Cache Node.js Dependencies
+      - name: Cache Node.js Dependencies
         uses: actions/cache@v4
         with:
           path: ~/.npm
           key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
           restore-keys: ${{ runner.os }}-node-
 
-      - name: Install Dependencies
-        run: npm install
+      - name: Install Dependencies
+        run: npm ci
 
-      - name: Install Tauri CLI and API
-        run: |
-          npm install -g @tauri-apps/cli
-          npm install @tauri-apps/cli @tauri-apps/api @tauri-apps/plugin-fs --save-dev
+      # CLI is already a devDependency; no global install needed
.github/workflows/Tauri-testing.yml (2)

28-33: Replace deprecated Rust toolchain action.

actions-rs/toolchain@v1 is deprecated on new runners. Switch to dtolnay/rust-toolchain.

-      - name: Install Rust
-        uses: actions-rs/toolchain@v1
-        with:
-          toolchain: stable
-          override: true
+      - name: Install Rust
+        uses: dtolnay/rust-toolchain@stable

44-47: Guard mock-api.json or fix path.

json-server will fail if mock-api.json isn’t present. Add a pre-check or commit the file.

       - name: Start Mock API
         run: |
           npm install -g json-server
-          json-server --watch mock-api.json --port 3000 &
+          test -f mock-api.json
+          json-server --watch mock-api.json --port 3000 &
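
Review bot: `test -f mock-api.json` fails the step with no message, leaving only exit code 1 in the log. Print the reason, e.g. `test -f mock-api.json || { echo "mock-api.json not found" >&2; exit 1; }`, and pin the `json-server` version installed on the line above so the test run is reproducible.
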
🧹 Nitpick comments (15)
.github/workflows/eslint.yml (2)

49-49: Add missing newline at EOF.

Silences YAMLlint “no new line at end of file”.

Apply:

-          wait-for-processing: true
+          wait-for-processing: true
+

32-43: Use repo’s ESLint and reproducible installs.

Install the project’s devDependencies and run that ESLint version; avoid ad‑hoc installs that can mismatch plugins.

Apply:

-      - name: Install ESLint
-        run: |
-          npm install eslint@8.10.0
-          npm install @microsoft/eslint-formatter-sarif@2.1.7
+      - name: Install dependencies (CI)
+        run: npm ci
       - name: Run ESLint
-        run: npx eslint .
+        run: npx eslint .
           --config .eslintrc.js
           --ext .js,.jsx,.ts,.tsx
-          --format @microsoft/eslint-formatter-sarif
+          --format @microsoft/eslint-formatter-sarif
           --output-file eslint-results.sarif
         continue-on-error: true
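
Review bot: Dropping the explicit `npm install @microsoft/eslint-formatter-sarif@2.1.7` only works if that formatter is listed in `devDependencies`; otherwise `--format @microsoft/eslint-formatter-sarif` fails to load, and `continue-on-error: true` lets the job carry on without `eslint-results.sarif`. Confirm the package is in `package.json` and the lockfile as part of this change.
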
.github/workflows/codeql.yml (2)

57-57: Add missing newline at EOF.

Apply:

-        category: "/language:${{matrix.language}}"
+        category: "/language:${{matrix.language}}"
+

39-39: Upgrade checkout to v4 for runner compatibility.

Apply:

-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
.github/workflows/Conventional-commits.yml (1)

13-13: Add missing newline at EOF.

Apply:

-      - uses: webiny/action-conventional-commits@v1.3.0
+      - uses: webiny/action-conventional-commits@v1.3.0
+
.github/workflows/release.yml (3)

60-65: Ubuntu webkit deps: add 4.0 fallback to avoid apt failures.

Apply:

       - name: Install Linux Dependencies (Ubuntu)
         if: matrix.os == 'ubuntu-latest'
         run: |
           sudo apt update
-          sudo apt install libwebkit2gtk-4.1-dev build-essential curl wget file libxdo-dev libssl-dev libayatana-appindicator3-dev librsvg2-dev
+          sudo apt install -y build-essential curl wget file libxdo-dev libssl-dev libayatana-appindicator3-dev librsvg2-dev
+          sudo apt install -y libwebkit2gtk-4.1-dev || sudo apt install -y libwebkit2gtk-4.0-dev
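
Review bot: The `|| sudo apt install -y libwebkit2gtk-4.0-dev` fallback lets this step pass with a different WebKitGTK version than the one it asked for, so an incompatibility shows up later as a build error that is harder to trace. If the project needs 4.1, let the install fail here; if either works, log which one was installed.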

80-85: Optional: generate checksums for published assets.

Provide SHAs for consumers and to verify integrity post-signing.

Example step (before gh release):

      - name: Generate checksums
        run: |
          (cd release-assets && shasum -a 256 * > SHA256SUMS.txt)

18-26: Signing gaps vs PR goals (#631): add signing stages before release.

  • Windows: integrate SignPath (as you planned) to sign MSI/EXE.
  • macOS: codesign + notarytool submit + staple.
  • Linux: optionally sign AppImage and sign apt repo metadata.

I can provide a tailored job once your certs/secrets are ready.

Example Windows signing job (replace placeholders):

sign-windows:
  runs-on: windows-latest
  needs: build-tauri
  steps:
    - uses: actions/download-artifact@v4
      with:
        name: Tauri Build Artifacts (windows-latest)
        path: windows-artifacts
    - name: Submit to SignPath
      uses: signpath/github-action@v1
      with:
        organization-id: ${{ secrets.SIGNPATH_ORG_ID }}
        project-slug: circuitverse-desktop
        signing-policy-slug: release
        artifact-path: windows-artifacts/bundle/msi/*.msi
        api-token: ${{ secrets.SIGNPATH_API_TOKEN }}
      id: sign
    - name: Upload signed MSI
      uses: actions/upload-artifact@v4
      with:
        name: Windows Signed Artifacts
        path: ${{ steps.sign.outputs.signed-artifact-path }}

macOS (sketch):

sign-macos:
  runs-on: macos-latest
  needs: build-tauri
  steps:
    - uses: actions/download-artifact@v4
      with: { name: Tauri Build Artifacts (macos-latest), path: macos-artifacts }
    - name: Notarize and staple
      run: |
        # notarytool takes a file, not a directory: submit and staple each DMG
        for dmg in macos-artifacts/bundle/dmg/*.dmg; do
          xcrun notarytool submit "$dmg" --apple-id "$APPLE_ID" --team-id "$APPLE_TEAM_ID" --password "$APPLE_APP_PWD" --wait
          xcrun stapler staple "$dmg"
        done
      env:
        APPLE_ID: ${{ secrets.APPLE_ID }}
        APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
        APPLE_APP_PWD: ${{ secrets.APPLE_APP_PWD }}

Then have create-release use signed artifacts.

package.json (1)

6-8: Windows portability risk: “build” script depends on bash.

Given the release matrix includes windows-latest, prefer a Node-based build (vite build) or a cross-platform script instead of bash build.sh.

Apply:

-        "build": "bash build.sh",
+        "build": "vite build",

Or create a JS build script that mirrors build.sh and call it.

src-tauri/tauri.conf.json (2)

4-4: Version mismatch with package.json (PR says 3.3.0).

Keep Tauri bundle version aligned with package.json to avoid confusing release metadata.

Apply if appropriate:

-  "version": "0.1.0",
+  "version": "3.3.0",

27-37: Plan signing config placeholders.

Since code signing is in scope, consider adding OS-specific signing stubs (macOS signingIdentity, Windows signCommand/args, etc.) guarded by CI env vars, so local builds remain unsigned.

.github/workflows/Tauri-testing.yml (4)

25-26: Use npm ci for reproducible CI installs.

Faster and deterministic for lockfile-based installs.

-      - name: Install Dependencies
-        run: npm install
+      - name: Install Dependencies
+        run: npm ci

34-36: Tauri CLI installed but never used.

You don’t invoke tauri build or tauri dev. Either call it (if intended) or drop the install to save time.

Option A (remove unused install):

-      - name: Install Tauri CLI
-        run: cargo install tauri-cli
-
-      - name: Debug Environment
+      - name: Debug Environment
         run: |
           echo "Node.js version: $(node -v)"
           echo "npm version: $(npm -v)"
-          echo "Rust version: $(rustc --version)"
-          echo "Tauri CLI version: $(tauri --version)"
+          echo "Rust version: $(rustc --version)"

Option B (actually build the desktop app bundle):

       - name: Build Tauri App using build-desktop.js
         run: |
           node build-desktop.js
+
+      - name: Bundle Tauri App
+        run: |
+          cargo install tauri-cli || true
+          tauri build
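
Review bot: `cargo install tauri-cli` provides the `cargo tauri` subcommand, not a `tauri` binary, so the `tauri build` line fails unless an npm-installed CLI is also on `PATH`. Use `cargo tauri build`, and drop `|| true` so a failed install stops the step instead of surfacing later as a missing command.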

Also applies to: 49-52


11-14: Add basic caches to speed CI.

Cache npm and Cargo to cut cold-start times.

   desktop-simulator-tests:
     name: Desktop Simulator Tests
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+
     steps:
+      - name: Setup npm cache
+        uses: actions/setup-node@v4
+        with:
+          node-version: 22
+          cache: 'npm'

Cargo cache (optional):

- name: Cache Cargo
  uses: actions/cache@v4
  with:
    path: |
      ~/.cargo/bin
      ~/.cargo/registry/index
      ~/.cargo/registry/cache
      ~/.cargo/git/db
      target
    key: ${{ runner.os }}-cargo-${{ hashFiles('**/Cargo.lock') }}
    restore-keys: |
      ${{ runner.os }}-cargo-

53-53: Trim trailing whitespace.

Yamllint flags trailing spaces on Line 53.

-      
+
📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between a1ff6c5 and 865db81.

⛔ Files ignored due to path filters (1)
  • package-lock.json is excluded by !**/package-lock.json
📒 Files selected for processing (11)
  • .github/workflows/Conventional-commits.yml (1 hunks)
  • .github/workflows/Tauri-testing.yml (1 hunks)
  • .github/workflows/codeql.yml (1 hunks)
  • .github/workflows/eslint.yml (1 hunks)
  • .github/workflows/release.yml (1 hunks)
  • .github/workflows/tauri-release.yml (0 hunks)
  • .github/workflows/websimulatortest.yml (1 hunks)
  • CHANGELOG.md (1 hunks)
  • build-desktop.js (1 hunks)
  • package.json (1 hunks)
  • src-tauri/tauri.conf.json (1 hunks)
💤 Files with no reviewable changes (1)
  • .github/workflows/tauri-release.yml
🧰 Additional context used
🪛 YAMLlint (1.37.1)
.github/workflows/websimulatortest.yml

[error] 29-29: no new line character at the end of file

(new-line-at-end-of-file)


[error] 29-29: trailing spaces

(trailing-spaces)

.github/workflows/Conventional-commits.yml

[error] 13-13: no new line character at the end of file

(new-line-at-end-of-file)

.github/workflows/Tauri-testing.yml

[error] 53-53: trailing spaces

(trailing-spaces)

.github/workflows/codeql.yml

[error] 57-57: no new line character at the end of file

(new-line-at-end-of-file)

.github/workflows/eslint.yml

[error] 49-49: no new line character at the end of file

(new-line-at-end-of-file)

.github/workflows/release.yml

[warning] 28-28: wrong indentation: expected 4 but found 6

(indentation)


[warning] 91-91: wrong indentation: expected 4 but found 6

(indentation)


[error] 114-114: trailing spaces

(trailing-spaces)


[error] 123-123: trailing spaces

(trailing-spaces)


[error] 146-146: trailing spaces

(trailing-spaces)


[error] 166-166: trailing spaces

(trailing-spaces)


[error] 169-169: trailing spaces

(trailing-spaces)


[error] 172-172: trailing spaces

(trailing-spaces)


[error] 177-177: no new line character at the end of file

(new-line-at-end-of-file)

🪛 actionlint (1.7.7)
.github/workflows/Tauri-testing.yml

29-29: the runner of "actions-rs/toolchain@v1" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: Desktop Simulator Tests
🔇 Additional comments (7)
build-desktop.js (1)

31-31: Confirm Windows portability of “npm run build” (build.sh).

package.json defines "build": "bash build.sh". On Windows this can break if bash isn’t available. Consider moving build logic into JS and calling it here, or ensure Git Bash is present.

Would you like me to inline build.sh steps into this script for true cross‑platform builds?

.github/workflows/release.yml (3)

72-79: Ensure Tauri uses local CLI and locked deps.

After npm ci, this is fine. No change if prior suggestion applied. Just confirm no global tauri is used.


136-177: Version source of truth is inconsistent with package.json (3.3.0).

You compute NEW_VERSION from tags only; built artifacts may embed package.json’s version, leading to mismatches (e.g., tag v0.0.1 vs app 3.3.0).

Options:

  • Adopt semantic-release/release-please to bump, tag, changelog, and create release consistently.
  • Or derive NEW_VERSION from package.json and tag accordingly, then update CHANGELOG.

I can wire semantic-release with conservative config if you want.


97-105: Changelog action is fine; ensure its notes include signed assets info once enabled.

package.json (1)

3-3: Keep version in sync with release workflow.

Ensure the workflow tags/releases the same 3.3.0 (or bumps package.json during release) to avoid mismatches shown in release assets and app metadata.

src-tauri/tauri.conf.json (1)

10-10: Confirm working directory for beforeBuildCommand.

Tauri runs beforeBuildCommand from appDir. Ensure build-desktop.js is resolvable from that CWD (likely repo root). If appDir isn’t the repo root, the command will fail. Consider an explicit relative path if needed.

.github/workflows/Tauri-testing.yml (1)

16-24: Node 22 choice looks good.

Modern, aligns with current LTS cadence for 2025. No change required.
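
The checksum step suggested in the review above (`shasum -a 256 * > SHA256SUMS.txt` in `release-assets`) only writes the manifest. The following added example, which is not part of the review or of the project's workflow, also shows the verification side and two cases it has to reject. The function names and the sample file names are assumptions made for the demo.

```shell
#!/bin/sh
# Added example: SHA-256 manifest for a release directory, plus the check a
# consumer (or a later CI job) runs. File names below are constructed.

# Linux runners ship sha256sum; macOS ships shasum. Both accept -c.
sha256_cmd() {
  if command -v sha256sum >/dev/null 2>&1; then
    echo "sha256sum"
  else
    echo "shasum -a 256"
  fi
}

# write_manifest DIR: hash every regular file in DIR except the manifest.
# The body is a subshell so the cd and positional parameters stay local.
write_manifest() (
  cd "$1" || exit 1
  set --
  for f in ./*; do
    if [ -f "$f" ] && [ "$f" != "./SHA256SUMS.txt" ]; then
      set -- "$@" "$f"
    fi
  done
  # No assets is an error, not an empty manifest.
  [ "$#" -gt 0 ] || exit 1
  $(sha256_cmd) "$@" > SHA256SUMS.txt
)

# manifest_lists NAME: true if NAME appears as a file entry in the manifest.
manifest_lists() {
  while read -r sum name; do
    if [ "$name" = "$1" ]; then return 0; fi
  done < SHA256SUMS.txt
  return 1
}

# verify_manifest DIR: succeed only if DIR matches its manifest exactly.
verify_manifest() (
  cd "$1" || exit 1
  [ -s SHA256SUMS.txt ] || exit 1
  # 1. Every listed file must exist and hash to the recorded value.
  $(sha256_cmd) -c SHA256SUMS.txt >/dev/null 2>&1 || exit 1
  # 2. Every file present must be listed, so an asset added after the
  #    manifest was written is rejected rather than ignored.
  for f in ./*; do
    [ -f "$f" ] || continue
    if [ "$f" != "./SHA256SUMS.txt" ]; then
      manifest_lists "$f" || exit 1
    fi
  done
  exit 0
)

# Demo on constructed files: a clean directory, a modified asset, and an
# asset that was dropped in after the manifest was written.
demo() {
  d=$(mktemp -d) || return 1
  printf 'constructed deb payload' > "$d/circuitverse_0.0.1_amd64.deb"
  printf 'constructed dmg payload' > "$d/CircuitVerse (demo).dmg"
  write_manifest "$d" && verify_manifest "$d" && clean=pass || clean=fail
  printf 'tampered' >> "$d/CircuitVerse (demo).dmg"
  verify_manifest "$d" && tampered=pass || tampered=fail
  write_manifest "$d"                 # re-hash, then add an unlisted file
  printf 'late' > "$d/unlisted.exe"
  verify_manifest "$d" && extra=pass || extra=fail
  rm -rf "$d"
  echo "clean=$clean tampered=$tampered extra=$extra"
}

demo
```

A checksum file published next to the assets only detects corruption or a swapped file on a mirror; it proves origin only if the manifest itself is signed or fetched over a trusted channel.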

Contributor

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 0

♻️ Duplicate comments (5)
.github/workflows/release.yml (5)

58-63: Install Rust on all OSes; current step skips Windows and assumes rustup is present.

Windows builds will fail and runners may not have rustup. Use a cross‑OS action.

-      - name: Setup Rust
-        if: matrix.os != 'windows-latest'
-        run: |
-          rustup update stable
-          rustup default stable
+      - name: Setup Rust (stable)
+        uses: dtolnay/rust-toolchain@stable

64-69: Make Linux deps robust and non-interactive.

  • Missing -y causes interactive apt prompts.
  • libwebkit2gtk-4.1-dev isn’t on all Ubuntu images; add fallback to 4.0.

       - name: Install Linux Dependencies (Ubuntu)
         if: matrix.os == 'ubuntu-latest'
         run: |
           sudo apt update
-          sudo apt install libwebkit2gtk-4.1-dev build-essential curl wget file libxdo-dev libssl-dev libayatana-appindicator3-dev librsvg2-dev
+          # Try 4.1, fall back to 4.0 if unavailable
+          sudo apt install -y build-essential curl wget file libxdo-dev libssl-dev libayatana-appindicator3-dev librsvg2-dev
+          sudo apt install -y libwebkit2gtk-4.1-dev || sudo apt install -y libwebkit2gtk-4.0-dev

112-126: Fix macOS .app path: missing ‘bundle/’ directory; zip step won’t find apps.

Artifacts from Tauri are under bundle/app.

       - name: Prepare Release Assets
         run: |
           mkdir -p release-assets
           # Move all built files (.deb, .AppImage, .msi, .dmg) into one folder
           # The '|| true' prevents the workflow from failing if a specific file type doesn't exist
           find artifacts -type f \( -name "*.deb" -o -name "*.AppImage" -o -name "*.msi" -o -name "*.dmg" \) -exec cp {} release-assets/ \; || true
           
           # For macOS, we also zip the .app bundle for easier distribution
-          if [ -d "artifacts/Tauri Build Artifacts (macos-latest)/app" ]; then
-            cd artifacts/Tauri\ Build\ Artifacts\ \(macos-latest\)/app
+          if [ -d "artifacts/Tauri Build Artifacts (macos-latest)/bundle/app" ]; then
+            cd artifacts/Tauri\ Build\ Artifacts\ \(macos-latest\)/bundle/app
             for app in *.app; do
               zip -r "../../../release-assets/${app%.app}.zip" "$app"
             done
             cd -
           fi

18-18: Grant token permissions for creating releases.

Org defaults may be read-only; set explicit permissions.

 on:
   workflow_dispatch:
     inputs:
       version-bump:
         description: 'The type of version bump (major, minor, or patch)'
         required: true
         default: 'patch'
         type: choice
         options:
         - patch
         - minor
         - major
 
+permissions:
+  contents: write
+
 jobs:

46-53: Fix failing step: npm outdated exits non‑zero; plus avoid mutating deps in CI.

  • npm outdated '/@tauri-apps/' returns exit code 1 when anything is outdated, which will fail this job before the next lines run.
  • Installing dev deps with --save-dev mutates package.json/lockfile in CI and makes builds non-reproducible.

Minimal fix for the failure:

       - name: Check and Install Latest Tauri Packages
         run: |
           # Install the latest CLI globally
           npm install -g @tauri-apps/cli
           # Check for any outdated tauri packages in the project
-          npm outdated '/@tauri-apps/'
+          npm outdated '/@tauri-apps/' || true
           # Install the latest versions of the CLI, API, and plugins to ensure they match
-          npm install @tauri-apps/cli@latest @tauri-apps/api@latest @tauri-apps/plugin-fs@latest --save-dev
+          echo "Skip mutating package.json in CI; declare versions in package.json and lockfile instead."
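
Review bot: The unchanged `npm install -g @tauri-apps/cli` line still pulls whatever version is latest at release time, outside the lockfile, so removing the `--save-dev` install does not by itself make the build reproducible. Drop the global install and call the locked CLI through the `npm run tauri` script; the `npm outdated '/@tauri-apps/' || true` check then has no effect on the build and can go as well.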

Follow-up: move @tauri-apps/* deps into package.json and switch installs to npm ci for reproducibility (see separate comment).

🧹 Nitpick comments (6)
.github/workflows/release.yml (6)

31-45: Use npm ci and built-in caching for deterministic installs.

Prefer reproducible installs and native cache from setup-node.

       - name: Setup Node.js
         uses: actions/setup-node@v4
         with:
-          node-version: 22
+          node-version: 22
+          cache: 'npm'
 
-      - name: Cache Node.js Dependencies
-        uses: actions/cache@v4
-        with:
-          path: ~/.npm
-          key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
-          restore-keys: ${{ runner.os }}-node-
-
       - name: Install Dependencies
-        run: npm install
+        run: npm ci

95-100: Ensure tags are fetched for version computation.

git tag --sort=… needs tags. Explicitly fetch tags.

       - name: Checkout repository
         uses: actions/checkout@v4
         with:
           # Fetch all history for the changelog generator to work correctly
-          fetch-depth: 0
+          fetch-depth: 0
+          fetch-tags: true

140-182: Use a notes file to avoid quoting/newline issues with release notes.

Passing long, multi-line notes via --notes can break; use --notes-file.

-      - name: Determine New Version and Create GitHub Release
+      - name: Determine New Version and Create GitHub Release
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
           # Fetch the latest tag from the repository
           LATEST_TAG=$(git tag --sort=-v:refname | head -n 1)
           if [[ -z "$LATEST_TAG" ]]; then
             # If no tags exist, start from v0.0.0
             LATEST_TAG="v0.0.0"
           fi
           
           # Parse the latest tag to get major, minor, and patch numbers
           if [[ "$LATEST_TAG" =~ ^v([0-9]+)\.([0-9]+)\.([0-9]+)$ ]]; then
             MAJOR=${BASH_REMATCH[1]}
             MINOR=${BASH_REMATCH[2]}
             PATCH=${BASH_REMATCH[3]}
           else
             echo "Could not parse latest tag: $LATEST_TAG. Starting from v0.1.0."
             MAJOR=0; MINOR=1; PATCH=0
           fi
 
           # Increment the version based on the manual input
           BUMP_TYPE="${{ github.event.inputs.version-bump }}"
           if [ "$BUMP_TYPE" == "major" ]; then
             MAJOR=$((MAJOR + 1)); MINOR=0; PATCH=0
           elif [ "$BUMP_TYPE" == "minor" ]; then
             MINOR=$((MINOR + 1)); PATCH=0
           else # Default to patch
             PATCH=$((PATCH + 1))
           fi
           
           NEW_VERSION="v$MAJOR.$MINOR.$PATCH"
           echo "Creating new release: $NEW_VERSION"
-          
-          # Get the release notes generated by the changelog action
-          CHANGELOG_NOTES="${{ steps.changelog.outputs.changelog }}"
-          
-          # Create the GitHub Release and upload all assets
-          gh release create "$NEW_VERSION" \
-            --title "CircuitVerse Desktop $NEW_VERSION" \
-            --notes "$CHANGELOG_NOTES" \
-            release-assets/*
+          # Write changelog to a file for robust passing to gh
+          printf "%s" "${{ steps.changelog.outputs.changelog }}" > RELEASE_NOTES.md
+          # Create the GitHub Release and upload all assets
+          gh release create "$NEW_VERSION" \
+            --title "CircuitVerse Desktop $NEW_VERSION" \
+            --notes-file RELEASE_NOTES.md \
+            release-assets/*
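
Review bot: In `printf "%s" "${{ steps.changelog.outputs.changelog }}"` the expression is expanded into the script text before bash runs, so a changelog entry containing a double quote, a backtick or `$(...)` is parsed as shell instead of being written as data. Changelog text is typically built from commit messages, which makes this an injection path into a job that holds a write token. Pass the value through `env:` (for example `CHANGELOG: ${{ steps.changelog.outputs.changelog }}`) and write it with `printf '%s' "$CHANGELOG"`; the same applies to `BUMP_TYPE="${{ github.event.inputs.version-bump }}"`.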

1-17: Code signing isn’t implemented; add signing jobs before publishing.

To meet #631/#571:

  • Windows: integrate SignPath (submit MSI for signing, upload signed artifact for release).
  • macOS: sign and notarize DMG/App with Apple Developer ID, staple before upload.
  • Linux: optionally sign AppImage/zsync and/or provide checksums.

I can draft SignPath and macOS notarization steps wired to your secrets.


1-182: YAML hygiene: fix trailing spaces and ensure newline at EOF.

YAMLlint flagged trailing spaces (e.g., Lines 118, 127, 150, 170, 173, 176, 182) and missing newline at EOF. Remove trailing spaces and add a final newline.


27-35: Consider pinning Node and actions versions more strictly.

For supply-chain hardening, pin actions to commit SHAs and consider using an LTS range or explicit minor for Node (e.g., 22.x) to avoid surprise breakages.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 865db81 and 412b4fa.

📒 Files selected for processing (1)
  • .github/workflows/release.yml (1 hunks)
🧰 Additional context used
🪛 YAMLlint (1.37.1)
.github/workflows/release.yml

[warning] 28-28: wrong indentation: expected 4 but found 6

(indentation)


[warning] 95-95: wrong indentation: expected 4 but found 6

(indentation)


[error] 118-118: trailing spaces

(trailing-spaces)


[error] 127-127: trailing spaces

(trailing-spaces)


[error] 150-150: trailing spaces

(trailing-spaces)


[error] 170-170: trailing spaces

(trailing-spaces)


[error] 173-173: trailing spaces

(trailing-spaces)


[error] 176-176: trailing spaces

(trailing-spaces)


[error] 182-182: no new line character at the end of file

(new-line-at-end-of-file)


[error] 182-182: trailing spaces

(trailing-spaces)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: Desktop Simulator Tests

Contributor

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

♻️ Duplicate comments (8)
.github/workflows/release.yml (8)

1-17: Code signing integration missing (per PR objectives).

  • Windows: SignPath step after build, before release.
  • macOS: codesign + notarytool.
  • Linux: sign AppImage and optionally .deb with GPG.

I can draft these jobs once you confirm certificate/secrets availability.

27-28: Update checkout to v4 (v3 is deprecated on current runners).

Apply:

-      - name: Checkout repository
-        uses: actions/checkout@v3
+      - name: Checkout repository
+        uses: actions/checkout@v4

35-44: Use deterministic installs: switch to setup-node cache and npm ci.

-      - name: Cache Node.js Dependencies
-        uses: actions/cache@v4
-        with:
-          path: ~/.npm
-          key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
-          restore-keys: ${{ runner.os }}-node-
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: 22
+          cache: 'npm'
@@
-      - name: Install Dependencies
-        run: npm install
+      - name: Install Dependencies
+        run: npm ci

46-50: Don’t mutate package.json in CI; avoid double-installing the CLI.

  • Keep CLI versioned globally (or as a devDependency already in the repo) and remove the CI “--save-dev” installs.
  • Pin the CLI version for reproducibility (e.g., 2.3.1).

-      - name: Install Tauri CLI and API
-        run: |
-          npm install -g @tauri-apps/cli
-          npm install @tauri-apps/cli @tauri-apps/api @tauri-apps/plugin-fs --save-dev
+      - name: Install Tauri CLI
+        run: npm install -g @tauri-apps/cli@2.3.1
         shell: bash

Ensure @tauri-apps/api and plugins are declared in package.json and locked.


56-61: Rust toolchain isn’t installed on Windows and assumes rustup elsewhere.

Use cross-OS action:

-      - name: Setup Rust
-        if: matrix.os != 'windows-latest'
-        run: |
-          rustup update stable
-          rustup default stable
-        shell: bash
+      - name: Setup Rust (stable)
+        uses: dtolnay/rust-toolchain@stable

63-76: Make Ubuntu deps robust and non-interactive.

  • Add “-y” to apt install.
  • Fallback to webkit 4.0 if 4.1 is unavailable.

       - name: Install Linux Dependencies (Ubuntu)
         if: matrix.os == 'ubuntu-latest'
         run: |
           sudo apt update
-          sudo apt install libwebkit2gtk-4.1-dev \
+          # Base deps
+          sudo apt install -y \
+          build-essential \
           build-essential \
           curl \
           wget \
           file \
           libxdo-dev \
           libssl-dev \
           libayatana-appindicator3-dev \
           librsvg2-dev
+          # WebKitGTK: prefer 4.1, fallback to 4.0
+          sudo apt install -y libwebkit2gtk-4.1-dev || sudo apt install -y libwebkit2gtk-4.0-dev
         shell: bash
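
Review bot: The added `build-essential \` line duplicates the unchanged `build-essential \` directly below it, so the package is listed twice in the same `apt install -y` call. Drop the added line and keep the existing one.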

4-17: Grant token permissions for creating releases.

Add at top-level:

 on:
   workflow_dispatch:
     inputs:
       version-bump:
         description: 'The type of version bump (major, minor, or patch)'
         required: true
         default: 'patch'
         type: choice
         options:
         - patch
         - minor
         - major
+
+permissions:
+  contents: write
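Review bot: The added top-level `permissions:` block gives `contents: write` to every job in the workflow, including the multi-OS build jobs that install npm packages and run third-party build tooling. Set `contents: read` at the top level and grant `contents: write` only on the jobs that push the version tag and create the release.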

123-141: Fix macOS .app zipping path (missing bundle/).

-          if [ -d "artifacts/Tauri Build Artifacts (macos-latest)/app" ]; then
-            cd artifacts/Tauri\ Build\ Artifacts\ \(macos-latest\)/app
+          if [ -d "artifacts/Tauri Build Artifacts (macos-latest)/bundle/app" ]; then
+            cd artifacts/Tauri\ Build\ Artifacts\ \(macos-latest\)/bundle/app
             for app in *.app; do
               zip -r "../../../release-assets/${app%.app}.zip" "$app"
             done
             cd -
           fi
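Review bot: The `cd` target gains one directory level (`bundle/app`), but the unchanged `zip -r "../../../release-assets/${app%.app}.zip" "$app"` line still climbs three levels, which from the new directory resolves to `artifacts/release-assets` rather than the `release-assets` directory the old path reached. Build the output path from `$GITHUB_WORKSPACE` or add a level to the relative path, and guard the `for app in *.app` loop against the unmatched-glob case so `zip` is not called on a literal `*.app`.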
🧹 Nitpick comments (3)
.github/workflows/release.yml (3)

94-100: Artifact path OK. Consider retention and per-OS subpaths.

Optional:

         with:
           name: Tauri Build Artifacts (${{ matrix.os }})
           path: |
             src-tauri/target/release/bundle
+          retention-days: 7

78-84: macOS deps OK; consider codesign/notarize before packaging.

If code signing is in scope, integrate Apple codesign + notarytool before upload; I can provide a minimal job wired to App Store Connect credentials.


27-27: YAML lint: indentation/trailing spaces/newline at EOF.

Fix indent at steps blocks (Lines 27, 106), remove trailing spaces (129, 138, 161, 181, 184, 187, 193), and add a final newline to the file.

Also applies to: 106-106, 129-129, 138-138, 161-161, 181-181, 184-184, 187-187, 193-193

📜 Review details

📥 Commits

Reviewing files that changed from the base of the PR and between 412b4fa and d4c778f.

📒 Files selected for processing (3)
  • .github/workflows/release.yml (1 hunks)
  • package.json (2 hunks)
  • src-tauri/Cargo.toml (1 hunks)
🚧 Files skipped from review as they are similar to previous changes (1)
  • package.json
🧰 Additional context used
🪛 actionlint (1.7.7)
.github/workflows/release.yml

28-28: the runner of "actions/checkout@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue (action)

🪛 YAMLlint (1.37.1)
.github/workflows/release.yml

[warning] 27-27: wrong indentation: expected 4 but found 6 (indentation)
[warning] 106-106: wrong indentation: expected 4 but found 6 (indentation)
[error] 129-129: trailing spaces (trailing-spaces)
[error] 138-138: trailing spaces (trailing-spaces)
[error] 161-161: trailing spaces (trailing-spaces)
[error] 181-181: trailing spaces (trailing-spaces)
[error] 184-184: trailing spaces (trailing-spaces)
[error] 187-187: trailing spaces (trailing-spaces)
[error] 193-193: no new line character at the end of file (new-line-at-end-of-file)
[error] 193-193: trailing spaces (trailing-spaces)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: Desktop Simulator Tests
🔇 Additional comments (1)
src-tauri/Cargo.toml (1)

26-26: Align JS/Rust plugin versions; remove CI ad‑hoc installs

  • package.json contains "@tauri-apps/plugin-fs": "^2.3.1" — pin it to "2.3.1" to match src-tauri/Cargo.toml (tauri-plugin-fs = "2.3.1") and stop ad‑hoc installs in CI (.github/workflows/release.yml currently runs npm install @tauri-apps/plugin-fs without a version). (files: package.json, .github/workflows/release.yml, src-tauri/Cargo.toml)

  • src-tauri/Cargo.toml has tauri-plugin-log = "2.0.0-rc" — verify compatibility with tauri = "2.3.1" and replace the RC with a stable, compatible tauri-plugin-log release if one exists.

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🤖 Fix all issues with AI agents
In `@src-tauri/Cargo.toml`:
- Line 27: The Cargo.lock is out of sync with the declared dependency version
for tauri-plugin-fs (Cargo.toml lists tauri-plugin-fs = "2.3.0" but Cargo.lock
contains 2.2.0); fix this by updating the lockfile for the tauri-plugin-fs
crate—run cargo update -p tauri-plugin-fs (or cargo update tauri-plugin-fs) from
the project root so Cargo.lock is refreshed to the 2.3.0 version referenced in
Cargo.toml, then commit the updated Cargo.lock.

@Git-HimanshuRathi
Contributor

@ThatDeparted2061 it's done

@Git-HimanshuRathi
Contributor

@ThatDeparted2061 CI failures are pre-existing issues, crosschecked it with running the test on main branch. Nothing to update from my side.

@ThatDeparted2061
Member Author

@tachyons LGTM PTAL

@ThatDeparted2061
Member Author

@Git-HimanshuRathi remove the said files from the PR, let's only keep what is relevant to the release pipeline

@Git-HimanshuRathi
Contributor

Removed 3 unrelated files.

@Radhikaa-chauhan
Contributor

Hey @ThatDeparted2061, CI is failing due to a few issues: The desktop build needs dist/index.html generated from dist/simulatorvue//index.html, and some commit messages don’t follow Conventional Commits.

@Git-HimanshuRathi
Contributor

Thanks @Radhikaa-chauhan, but those changes are not related to this PR, so ig we can ignore it and raise another issue to fix that.

@Radhikaa-chauhan
Contributor

@Git-HimanshuRathi, you are right that some of the changes are not related to this PR and can be handled in a separate issue.
However, the CI is also failing because a few commit messages don’t follow the Conventional Commits format, so those commits will still need to be fixed for this PR.

@senutpal
Contributor

Hey @ThatDeparted2061, CI is failing due to a few issues: The desktop build needs dist/index.html generated from dist/simulatorvue//index.html, and some commit messages don’t follow Conventional Commits.

I was also kinda working on this, and it could help
works fine ig commit - v1.0.0

@ThatDeparted2061 @Git-HimanshuRathi

@ThatDeparted2061
Member Author

Ignore the commits failure

@ThatDeparted2061
Member Author

ThatDeparted2061 commented Jan 27, 2026

No, we should create the first release after merge.

Hey @ThatDeparted2061, CI is failing due to a few issues: The desktop build needs dist/index.html generated from dist/simulatorvue//index.html, and some commit messages don’t follow Conventional Commits.

I was also kinda working on this, and it could help
works fine ig commit - v1.0.0

@ThatDeparted2061 @Git-HimanshuRathi

@@ -1,6 +1,6 @@
[package]
name = "CircuitVerse"
version = "0.1.0"
Member

Why?

Contributor

The version was set to 0.0.0 as a baseline for the automated release workflow. If you prefer keeping 0.1.0 as the baseline instead, I can update all three version files accordingly. Let me know!

@Git-HimanshuRathi Git-HimanshuRathi force-pushed the main branch 2 times, most recently from 3214941 to d92c73d Compare January 30, 2026 09:38
Add comprehensive desktop release pipeline with:
- Manual workflow dispatch (major/minor/patch bumping)
- Automated version updates across package.json, Cargo.toml, tauri.conf.json
- Cross-platform builds (Ubuntu, Windows, macOS)
- Changelog generation using conventional commits
- GitHub release creation with build artifacts
- Desktop build helper script
- Placeholder for future code signing

Resolves CircuitVerse#631
@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 2

🤖 Fix all issues with AI agents
In `@build-desktop.js`:
- Around line 6-21: The runCommand function uses execSync with stdio: 'pipe',
which risks hitting the default maxBuffer limit; update the execSync call in
runCommand to either (a) add a sufficiently large maxBuffer option (e.g.,
maxBuffer: 10 * 1024 * 1024 or appropriate size) while keeping stdio: 'pipe' so
you preserve captured output and conditional console.log, or (b) if you do not
need captured output, switch stdio to 'inherit' and remove the conditional
logging; modify the execSync invocation accordingly within runCommand to
implement the chosen approach.

In `@package.json`:
- Line 58: Update the package.json dependency for cross-env: replace the current
"cross-env": "^10.1.0" entry with the Node-18-compatible pinned version
"cross-env": "^7.0.3" so installs use the 7.x line; ensure package.json is saved
and run npm install (or yarn) to update lockfile accordingly.
🧹 Nitpick comments (1)
package.json (1)

20-22: Update @tauri-apps/plugin-fs to match the Rust side version for consistency.

The JS side is pinned to 2.2.0 while the Rust side is at 2.3.0. The changelog for 2.3.0 contains no breaking changes—only a performance improvement for the watch and unwatch operations—making it a straightforward backwards-compatible update.

Proposed change
-    "@tauri-apps/plugin-fs": "2.2.0",
+    "@tauri-apps/plugin-fs": "2.3.0",

@ThatDeparted2061
Member Author

@Git-HimanshuRathi the version is bumped to 11.0.2; we need it at 0.0.0.

Development

Successfully merging this pull request may close these issues.

Implement Code Signing and Release Notes Automation Deploy Release pipelines

6 participants