feat: add release preflight check and CI workflow deduplication

- Add scripts/preflight.sh: local pre-flight check that mirrors CI
  (lockfile, tests, tsc, Docker builds, frontend bundle)
- Add scripts/setup-secrets.sh: interactive guide for configuring
  Apple code signing GitHub Secrets
- Refactor build.yml to reuse ci.yml via workflow_call instead of
  duplicating test jobs (single source of truth for test definitions)
- Add workflow_call trigger to ci.yml

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: createpjf

.github/workflows/build.yml

@@ -11,37 +11,12 @@ concurrency:
   cancel-in-progress: true
 
 jobs:
-  test-gateway:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-      - uses: oven-sh/setup-bun@v2
-      - run: cd apps/gateway && bun install
-      - run: cd apps/gateway && bun test
-
-  test-desktop:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-node@v4
-        with: { node-version: 20 }
-      - uses: pnpm/action-setup@v4
-        with: { version: 10 }
-      - run: pnpm install
-      - run: cd apps/desktop && npx tsc --noEmit
-      - run: cd apps/desktop && npx vitest run
-
-  test-cloud-gateway:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-      - uses: oven-sh/setup-bun@v2
-      - run: cd apps/cloud-gateway && bun install
-      - run: cd apps/cloud-gateway && bun test
-      - run: cd apps/cloud-gateway && bunx tsc --noEmit
+  # Reuse CI workflow for all tests + Docker smoke tests
+  ci:
+    uses: ./.github/workflows/ci.yml
 
   build-macos:
-    needs: [test-gateway, test-desktop, test-cloud-gateway]
+    needs: [ci]
     runs-on: macos-14
     strategy:
       matrix:
@@ -97,7 +72,7 @@ jobs:
           prerelease: false
 
   docker-gateway:
-    needs: [test-gateway]
+    needs: [ci]
     runs-on: ubuntu-latest
     if: startsWith(github.ref, 'refs/tags/v')
     permissions:
@@ -132,7 +107,7 @@ jobs:
           labels: ${{ steps.meta.outputs.labels }}
 
   docker-cloud-gateway:
-    needs: [test-cloud-gateway]
+    needs: [ci]
     runs-on: ubuntu-latest
     if: startsWith(github.ref, 'refs/tags/v')
     permissions:

.github/workflows/ci.yml

@@ -5,6 +5,7 @@ on:
     branches: [main]
   pull_request:
     branches: [main]
+  workflow_call:  # Allow build.yml to reuse this workflow
 
 concurrency:
   group: ci-${{ github.ref }}

scripts/preflight.sh

@@ -0,0 +1,117 @@
+#!/bin/bash
+# ─────────────────────────────────────────────────────────────────────────────
+# preflight.sh — Local pre-flight check before pushing a release tag
+#
+# Simulates everything CI does: lockfile check, tests, tsc, Docker builds,
+# and frontend bundling. Run this BEFORE `git tag` + `git push`.
+#
+# Usage:
+#   ./scripts/preflight.sh          # Full check (default)
+#   ./scripts/preflight.sh --quick  # Skip Docker builds
+# ─────────────────────────────────────────────────────────────────────────────
+set -e
+
+ROOT="$(cd "$(dirname "$0")/.." && pwd)"
+cd "$ROOT"
+
+GREEN='\033[0;32m'
+RED='\033[0;31m'
+YELLOW='\033[1;33m'
+NC='\033[0m'
+BOLD='\033[1m'
+
+pass() { echo -e "${GREEN}✓${NC} $1"; }
+fail() { echo -e "${RED}✗${NC} $1"; exit 1; }
+info() { echo -e "${YELLOW}→${NC} $1"; }
+step() { echo -e "\n${BOLD}[$1/$TOTAL] $2${NC}"; }
+
+QUICK=false
+[ "$1" = "--quick" ] && QUICK=true
+
+if $QUICK; then TOTAL=5; else TOTAL=7; fi
+ERRORS=0
+
+# ─────────────────────────────────────────────────────────────────────────────
+echo ""
+echo "═══════════════════════════════════════════════════════════"
+echo "  RouteBox Release Pre-flight Check"
+echo "═══════════════════════════════════════════════════════════"
+echo ""
+
+# ── 1. Lockfile consistency ──────────────────────────────────────────────────
+step 1 "Checking pnpm lockfile consistency..."
+if pnpm install --frozen-lockfile > /dev/null 2>&1; then
+  pass "pnpm-lock.yaml is up to date"
+else
+  fail "pnpm-lock.yaml is out of date — run 'pnpm install' first"
+fi
+
+# ── 2. Gateway tests ────────────────────────────────────────────────────────
+step 2 "Running gateway tests..."
+# Clean macOS resource forks that break bun
+find apps/gateway -name '._*' -delete 2>/dev/null || true
+if (cd apps/gateway && bun test 2>&1 | tail -5); then
+  pass "Gateway tests passed"
+else
+  fail "Gateway tests failed"
+fi
+
+# ── 3. Cloud-gateway tests + tsc ────────────────────────────────────────────
+step 3 "Running cloud-gateway tests + TypeScript check..."
+find apps/cloud-gateway -name '._*' -delete 2>/dev/null || true
+if (cd apps/cloud-gateway && bun test 2>&1 | tail -5) && \
+   (cd apps/cloud-gateway && bunx tsc --noEmit 2>&1); then
+  pass "Cloud-gateway tests + tsc passed"
+else
+  fail "Cloud-gateway tests or tsc failed"
+fi
+
+# ── 4. Desktop tests + tsc ──────────────────────────────────────────────────
+step 4 "Running desktop TypeScript check + tests..."
+find apps/desktop -name '._*' -delete 2>/dev/null || true
+if (cd apps/desktop && npx tsc --noEmit 2>&1) && \
+   (cd apps/desktop && npx vitest run 2>&1 | tail -10); then
+  pass "Desktop tsc + tests passed"
+else
+  fail "Desktop tsc or tests failed"
+fi
+
+# ── 5. Frontend bundle (Vite + gateway bundle) ──────────────────────────────
+step 5 "Verifying gateway bundle + Vite build..."
+if bun build apps/gateway/src/index.ts --target=bun --outfile apps/desktop/src-tauri/gateway-bundle.js > /dev/null 2>&1 && \
+   (cd apps/desktop && npx vite build > /dev/null 2>&1); then
+  pass "Frontend bundle OK"
+else
+  fail "Frontend bundle failed"
+fi
+
+if ! $QUICK; then
+  # ── 6. Docker build: gateway ─────────────────────────────────────────────
+  step 6 "Building gateway Docker image..."
+  if docker build -t routebox-gw-preflight apps/gateway > /dev/null 2>&1; then
+    pass "Gateway Docker image built"
+    docker rmi routebox-gw-preflight > /dev/null 2>&1 || true
+  else
+    fail "Gateway Docker build failed"
+  fi
+
+  # ── 7. Docker build: cloud-gateway ───────────────────────────────────────
+  step 7 "Building cloud-gateway Docker image..."
+  if docker build -t routebox-cgw-preflight apps/cloud-gateway > /dev/null 2>&1; then
+    pass "Cloud-gateway Docker image built"
+    docker rmi routebox-cgw-preflight > /dev/null 2>&1 || true
+  else
+    fail "Cloud-gateway Docker build failed"
+  fi
+fi
+
+# ── Summary ──────────────────────────────────────────────────────────────────
+echo ""
+echo "═══════════════════════════════════════════════════════════"
+echo -e "  ${GREEN}${BOLD}All pre-flight checks passed!${NC}"
+echo "  Safe to tag and push:"
+echo ""
+echo "    git tag -a v\$VERSION -m \"V\$VERSION — description\""
+echo "    git push origin main --tags"
+echo "═══════════════════════════════════════════════════════════"
+echo ""

scripts/setup-secrets.sh

@@ -0,0 +1,162 @@
+#!/bin/bash
+# ─────────────────────────────────────────────────────────────────────────────
+# setup-secrets.sh — Interactive guide to configure GitHub Secrets
+#                    for Apple code signing and Tauri updater
+#
+# Prerequisites:
+#   1. gh CLI authenticated (gh auth login)
+#   2. Developer ID Application certificate in Keychain
+#   3. Apple ID with app-specific password
+#   4. Tauri signer key pair (tauri signer generate)
+#
+# Usage:
+#   ./scripts/setup-secrets.sh
+# ─────────────────────────────────────────────────────────────────────────────
+set -e
+
+GREEN='\033[0;32m'
+YELLOW='\033[1;33m'
+RED='\033[0;31m'
+CYAN='\033[0;36m'
+NC='\033[0m'
+BOLD='\033[1m'
+
+info()  { echo -e "${GREEN}→${NC} $1"; }
+warn()  { echo -e "${YELLOW}!${NC} $1"; }
+ask()   { echo -e "${CYAN}?${NC} $1"; }
+step()  { echo -e "\n${BOLD}── Step $1 ──${NC}"; }
+
+REPO="createpjf/RouteBox"
+
+echo ""
+echo "═══════════════════════════════════════════════════════════"
+echo "  RouteBox — GitHub Secrets Setup for Code Signing"
+echo "═══════════════════════════════════════════════════════════"
+echo ""
+
+# Check gh is authenticated
+if ! gh auth status > /dev/null 2>&1; then
+  echo -e "${RED}✗${NC} gh CLI not authenticated. Run: gh auth login"
+  exit 1
+fi
+info "gh CLI authenticated"
+
+# Show current secrets
+echo ""
+info "Current secrets:"
+EXISTING=$(gh secret list --repo "$REPO" 2>&1)
+if [ -z "$EXISTING" ]; then
+  warn "No secrets configured yet"
+else
+  echo "$EXISTING"
+fi
+
+# ── Step 1: Apple Certificate ───────────────────────────────────────────────
+step "1/6: APPLE_CERTIFICATE"
+echo ""
+echo "  Export your Developer ID Application certificate as .p12:"
+echo ""
+echo "  1. Open Keychain Access"
+echo "  2. Find: Developer ID Application: Jinfeng Peng (M2XH53X5DB)"
+echo "  3. Right-click → Export Items → Save as .p12"
+echo "  4. Set an export password (you'll need it in Step 2)"
+echo ""
+ask "Path to exported .p12 file (or 'skip'):"
+read -r P12_PATH
+
+if [ "$P12_PATH" != "skip" ] && [ -f "$P12_PATH" ]; then
+  base64 -i "$P12_PATH" | gh secret set APPLE_CERTIFICATE --repo "$REPO"
+  info "APPLE_CERTIFICATE set!"
+else
+  warn "Skipped APPLE_CERTIFICATE"
+fi
+
+# ── Step 2: Certificate Password ────────────────────────────────────────────
+step "2/6: APPLE_CERTIFICATE_PASSWORD"
+ask "Enter the .p12 export password (or 'skip'):"
+read -rs CERT_PASS
+echo ""
+
+if [ "$CERT_PASS" != "skip" ] && [ -n "$CERT_PASS" ]; then
+  echo "$CERT_PASS" | gh secret set APPLE_CERTIFICATE_PASSWORD --repo "$REPO"
+  info "APPLE_CERTIFICATE_PASSWORD set!"
+else
+  warn "Skipped APPLE_CERTIFICATE_PASSWORD"
+fi
+
+# ── Step 3: Apple ID + Team ─────────────────────────────────────────────────
+step "3/6: APPLE_SIGNING_IDENTITY + APPLE_TEAM_ID"
+
+echo "Developer ID Application: Jinfeng Peng (M2XH53X5DB)" | \
+  gh secret set APPLE_SIGNING_IDENTITY --repo "$REPO"
+info "APPLE_SIGNING_IDENTITY set!"
+
+echo "M2XH53X5DB" | gh secret set APPLE_TEAM_ID --repo "$REPO"
+info "APPLE_TEAM_ID set!"
+
+# ── Step 4: Apple ID for Notarization ───────────────────────────────────────
+step "4/6: APPLE_ID + APPLE_PASSWORD (for notarization)"
+echo ""
+echo "  APPLE_ID: Your Apple ID email address"
+echo "  APPLE_PASSWORD: App-specific password from https://appleid.apple.com"
+echo "    → Sign In → App-Specific Passwords → Generate"
+echo ""
+
+ask "Apple ID email (or 'skip'):"
+read -r APPLE_ID_VAL
+
+if [ "$APPLE_ID_VAL" != "skip" ] && [ -n "$APPLE_ID_VAL" ]; then
+  echo "$APPLE_ID_VAL" | gh secret set APPLE_ID --repo "$REPO"
+  info "APPLE_ID set!"
+
+  ask "App-specific password:"
+  read -rs APP_PASS
+  echo ""
+  if [ -n "$APP_PASS" ]; then
+    echo "$APP_PASS" | gh secret set APPLE_PASSWORD --repo "$REPO"
+    info "APPLE_PASSWORD set!"
+  fi
+else
+  warn "Skipped Apple ID + Password"
+fi
+
+# ── Step 5: Tauri Signing Key ───────────────────────────────────────────────
+step "5/6: TAURI_SIGNING_PRIVATE_KEY"
+echo ""
+echo "  This is the Tauri updater signing key (minisign format)."
+echo "  If you don't have one, generate with: npx tauri signer generate"
+echo ""
+ask "Path to Tauri private key file (or 'skip'):"
+read -r TAURI_KEY_PATH
+
+if [ "$TAURI_KEY_PATH" != "skip" ] && [ -f "$TAURI_KEY_PATH" ]; then
+  gh secret set TAURI_SIGNING_PRIVATE_KEY --repo "$REPO" < "$TAURI_KEY_PATH"
+  info "TAURI_SIGNING_PRIVATE_KEY set!"
+else
+  warn "Skipped TAURI_SIGNING_PRIVATE_KEY"
+fi
+
+# ── Step 6: Tauri Key Password ──────────────────────────────────────────────
+step "6/6: TAURI_SIGNING_PRIVATE_KEY_PASSWORD"
+ask "Tauri signing key password (or 'skip'):"
+read -rs TAURI_PASS
+echo ""
+
+if [ "$TAURI_PASS" != "skip" ] && [ -n "$TAURI_PASS" ]; then
+  echo "$TAURI_PASS" | gh secret set TAURI_SIGNING_PRIVATE_KEY_PASSWORD --repo "$REPO"
+  info "TAURI_SIGNING_PRIVATE_KEY_PASSWORD set!"
+else
+  warn "Skipped TAURI_SIGNING_PRIVATE_KEY_PASSWORD"
+fi
+
+# ── Summary ─────────────────────────────────────────────────────────────────
+echo ""
+echo "═══════════════════════════════════════════════════════════"
+echo "  Setup Complete!"
+echo "═══════════════════════════════════════════════════════════"
+echo ""
+info "Configured secrets:"
+gh secret list --repo "$REPO"
+echo ""
+echo "  Next: push a v* tag to trigger Build & Release workflow"
+echo ""