refactor(release): move appcast updates to dedicated post-build workflows

The appcast commit step inside the build job races with developer pushes
to main. The build takes ~10 minutes; any push during that window causes
a non-fast-forward rejection.

Fix: strip appcast logic out of release.yml and nightly-dev.yml entirely.
Add two new workflows that trigger on workflow_run completed+success:

- update-appcast.yml     : triggered by 'Release SAM' success
- update-dev-appcast.yml : triggered by 'Weekly Development Release' success

Both check out main fresh (ref: main, not the tag), download the ZIP
from the just-created GitHub Release, sign it, and push a single commit
to main. The job is ~30 seconds with no competing pushes possible.

This is the same pattern already used by update-homebrew-cask.yml.

Author: fewtarius

.github/workflows/nightly-dev.yml

@@ -109,40 +109,6 @@ jobs:
           echo "Distribution files ready:"
           ls -lh dist/SAM-${DEV_VERSION}.*
       
-      - name: Update development appcast
-        env:
-          SPARKLE_PRIVATE_KEY: ${{ secrets.SPARKLE_PRIVATE_KEY }}
-        run: |
-          # Create temporary file for private key
-          TEMP_KEY_FILE=$(mktemp)
-          echo "$SPARKLE_PRIVATE_KEY" > "$TEMP_KEY_FILE"
-          chmod 600 "$TEMP_KEY_FILE"
-          
-          # Update appcast-dev-items.xml with new development release
-          ./scripts/update_dev_appcast.sh "${DEV_VERSION}" "dist/SAM-${DEV_VERSION}.zip" "$TEMP_KEY_FILE"
-          
-          # Generate appcast-dev.xml from items + stable releases
-          ./scripts/generate-dev-appcast.sh
-          
-          # Clean up temporary key file
-          rm -f "$TEMP_KEY_FILE"
-      
-      - name: Commit and push appcast changes
-        run: |
-          git config user.name "GitHub Actions"
-          git config user.email "actions@github.com"
-          git add appcast-dev-items.xml appcast-dev.xml
-          if git diff --staged --quiet; then
-            echo "No changes to development appcast files"
-          else
-            git commit -m "chore(dev-release): update appcast-dev.xml for v${DEV_VERSION}"
-            # The build takes time; commits may have landed on main. Fetch and rebase
-            # so our appcast commit lands on top before pushing.
-            git fetch origin main
-            git rebase origin/main
-            git push origin HEAD:main
-          fi
-      
       - name: Create GitHub pre-release
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/release.yml

@@ -94,42 +94,6 @@ jobs:
           ls -lh dist/SAM-${VERSION}.*
       
       - name: Update appcast.xml
-        env:
-          SPARKLE_PRIVATE_KEY: ${{ secrets.SPARKLE_PRIVATE_KEY }}
-          VERSION: ${{ steps.version.outputs.VERSION }}
-        run: |
-          # Create temporary file for private key
-          TEMP_KEY_FILE=$(mktemp)
-          echo "$SPARKLE_PRIVATE_KEY" > "$TEMP_KEY_FILE"
-          chmod 600 "$TEMP_KEY_FILE"
-          
-          # Update appcast with signature
-          ./scripts/update_appcast.sh "${VERSION}" "dist/SAM-${VERSION}.zip" "$TEMP_KEY_FILE"
-          
-          # Clean up temporary key file
-          rm -f "$TEMP_KEY_FILE"
-      
-      - name: Commit and push appcast changes
-        env:
-          VERSION: ${{ steps.version.outputs.VERSION }}
-        run: |
-          git config user.name "GitHub Actions"
-          git config user.email "actions@github.com"
-          
-          git add appcast.xml
-          if git diff --staged --quiet; then
-            echo "No changes to appcast.xml"
-          else
-            git commit -m "chore(release): update appcast.xml for v${VERSION}"
-            # Checkout is triggered by a tag, so HEAD is detached.
-            # The build takes ~10 minutes, so commits may have landed on main since
-            # we checked out. Fetch and rebase so our appcast commit lands on top,
-            # then push. This is race-condition-proof without force-pushing.
-            git fetch origin main
-            git rebase origin/main
-            git push origin HEAD:main
-          fi
-      
       - name: Create GitHub Release
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/update-appcast.yml

@@ -0,0 +1,82 @@
+name: Update Appcast
+
+# Runs after Release SAM succeeds. Checks out main fresh (not the tag),
+# so there is no race between the ~10-minute build and developer pushes.
+# The ZIP is already in the GitHub Release at this point - we just sign
+# it and commit the appcast entry.
+on:
+  workflow_run:
+    workflows: ["Release SAM"]
+    types:
+      - completed
+  workflow_dispatch:
+    inputs:
+      version:
+        description: 'Version to update appcast for (e.g., 20260315.2)'
+        required: true
+        type: string
+
+permissions:
+  contents: write
+
+jobs:
+  update-appcast:
+    name: Update appcast.xml
+    runs-on: [self-hosted]
+    if: ${{ github.event_name == 'workflow_dispatch' || github.event.workflow_run.conclusion == 'success' }}
+
+    steps:
+      - name: Extract version
+        id: version
+        env:
+          EVENT_NAME: ${{ github.event_name }}
+          INPUT_VERSION: ${{ github.event.inputs.version }}
+          HEAD_BRANCH: ${{ github.event.workflow_run.head_branch }}
+        run: |
+          if [ "$EVENT_NAME" = "workflow_dispatch" ]; then
+            VERSION="$INPUT_VERSION"
+          else
+            VERSION="$HEAD_BRANCH"
+          fi
+          echo "VERSION=$VERSION" >> $GITHUB_OUTPUT
+          echo "Updating appcast for version: $VERSION"
+
+      - name: Checkout main
+        uses: actions/checkout@v6
+        with:
+          ref: main
+          fetch-depth: 0
+
+      - name: Download ZIP from release
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          VERSION: ${{ steps.version.outputs.VERSION }}
+        run: |
+          mkdir -p dist
+          gh release download "${VERSION}" --pattern "SAM-${VERSION}.zip" --dir dist
+          ls -lh "dist/SAM-${VERSION}.zip"
+
+      - name: Update appcast.xml
+        env:
+          SPARKLE_PRIVATE_KEY: ${{ secrets.SPARKLE_PRIVATE_KEY }}
+          VERSION: ${{ steps.version.outputs.VERSION }}
+        run: |
+          TEMP_KEY_FILE=$(mktemp)
+          echo "$SPARKLE_PRIVATE_KEY" > "$TEMP_KEY_FILE"
+          chmod 600 "$TEMP_KEY_FILE"
+          ./scripts/update_appcast.sh "${VERSION}" "dist/SAM-${VERSION}.zip" "$TEMP_KEY_FILE"
+          rm -f "$TEMP_KEY_FILE"
+
+      - name: Commit and push
+        env:
+          VERSION: ${{ steps.version.outputs.VERSION }}
+        run: |
+          git config user.name "GitHub Actions"
+          git config user.email "actions@github.com"
+          git add appcast.xml
+          if git diff --staged --quiet; then
+            echo "No changes to appcast.xml"
+          else
+            git commit -m "chore(release): update appcast.xml for v${VERSION}"
+            git push origin main
+          fi

.github/workflows/update-dev-appcast.yml

@@ -0,0 +1,82 @@
+name: Update Dev Appcast
+
+# Runs after Weekly Development Release succeeds. Checks out main fresh,
+# downloads the ZIP from the just-created pre-release, signs it, and
+# commits the appcast-dev entries - no race with developer pushes.
+on:
+  workflow_run:
+    workflows: ["Weekly Development Release"]
+    types:
+      - completed
+  workflow_dispatch:
+    inputs:
+      version:
+        description: 'Dev version to update appcast for (e.g., 20260315.2-dev.1)'
+        required: true
+        type: string
+
+permissions:
+  contents: write
+
+jobs:
+  update-dev-appcast:
+    name: Update appcast-dev.xml
+    runs-on: [self-hosted]
+    if: ${{ github.event_name == 'workflow_dispatch' || github.event.workflow_run.conclusion == 'success' }}
+
+    steps:
+      - name: Extract version
+        id: version
+        env:
+          EVENT_NAME: ${{ github.event_name }}
+          INPUT_VERSION: ${{ github.event.inputs.version }}
+          HEAD_BRANCH: ${{ github.event.workflow_run.head_branch }}
+        run: |
+          if [ "$EVENT_NAME" = "workflow_dispatch" ]; then
+            VERSION="$INPUT_VERSION"
+          else
+            VERSION="$HEAD_BRANCH"
+          fi
+          echo "VERSION=$VERSION" >> $GITHUB_OUTPUT
+          echo "Updating dev appcast for version: $VERSION"
+
+      - name: Checkout main
+        uses: actions/checkout@v6
+        with:
+          ref: main
+          fetch-depth: 0
+
+      - name: Download ZIP from pre-release
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          VERSION: ${{ steps.version.outputs.VERSION }}
+        run: |
+          mkdir -p dist
+          gh release download "${VERSION}" --pattern "SAM-${VERSION}.zip" --dir dist
+          ls -lh "dist/SAM-${VERSION}.zip"
+
+      - name: Update development appcast
+        env:
+          SPARKLE_PRIVATE_KEY: ${{ secrets.SPARKLE_PRIVATE_KEY }}
+          VERSION: ${{ steps.version.outputs.VERSION }}
+        run: |
+          TEMP_KEY_FILE=$(mktemp)
+          echo "$SPARKLE_PRIVATE_KEY" > "$TEMP_KEY_FILE"
+          chmod 600 "$TEMP_KEY_FILE"
+          ./scripts/update_dev_appcast.sh "${VERSION}" "dist/SAM-${VERSION}.zip" "$TEMP_KEY_FILE"
+          ./scripts/generate-dev-appcast.sh
+          rm -f "$TEMP_KEY_FILE"
+
+      - name: Commit and push
+        env:
+          VERSION: ${{ steps.version.outputs.VERSION }}
+        run: |
+          git config user.name "GitHub Actions"
+          git config user.email "actions@github.com"
+          git add appcast-dev-items.xml appcast-dev.xml
+          if git diff --staged --quiet; then
+            echo "No changes to development appcast files"
+          else
+            git commit -m "chore(dev-release): update appcast-dev.xml for v${VERSION}"
+            git push origin main
+          fi