chore: add desktop github release flow

marian2js · marian2js · commit c8aaa2e4e3ba · 2026-04-07T17:27:55.000+02:00
diff --git a/.github/workflows/desktop-release.yml b/.github/workflows/desktop-release.yml
@@ -0,0 +1,213 @@
+name: Desktop Release
+
+on:
+  workflow_dispatch:
+    inputs:
+      version:
+        description: Release version to publish (for example 2026.4.7)
+        required: true
+        type: string
+      prerelease:
+        description: Publish this release as a prerelease
+        required: true
+        default: false
+        type: boolean
+  push:
+    tags:
+      - "v*.*.*"
+
+permissions:
+  contents: write
+
+concurrency:
+  group: desktop-release-${{ github.event_name }}-${{ github.ref }}
+  cancel-in-progress: false
+
+jobs:
+  prepare:
+    name: Prepare release tag
+    if: github.event_name == 'workflow_dispatch'
+    runs-on: ubuntu-latest
+    outputs:
+      tag: ${{ steps.release_meta.outputs.tag }}
+      version: ${{ steps.release_meta.outputs.version }}
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - uses: actions/setup-node@v4
+        with:
+          node-version: 22
+
+      - id: release_meta
+        env:
+          INPUT_VERSION: ${{ github.event.inputs.version }}
+        run: |
+          version="${INPUT_VERSION#v}"
+          echo "version=$version" >> "$GITHUB_OUTPUT"
+          echo "tag=v$version" >> "$GITHUB_OUTPUT"
+
+      - name: Fail if tag already exists
+        env:
+          RELEASE_TAG: ${{ steps.release_meta.outputs.tag }}
+        run: |
+          if git ls-remote --exit-code --tags origin "refs/tags/$RELEASE_TAG" >/dev/null 2>&1; then
+            echo "::error::Release tag $RELEASE_TAG already exists on origin. Use a new version or recreate the tag deliberately before releasing."
+            exit 1
+          fi
+
+      - name: Sync repository versions
+        env:
+          RELEASE_VERSION: ${{ steps.release_meta.outputs.version }}
+        run: node scripts/sync-version.mjs --set "$RELEASE_VERSION"
+
+      - name: Commit release metadata
+        env:
+          RELEASE_VERSION: ${{ steps.release_meta.outputs.version }}
+        run: |
+          git config user.name "github-actions[bot]"
+          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
+          git add VERSION Cargo.lock Cargo.toml package.json apps/desktop/package.json apps/desktop/src-tauri/tauri.conf.json packages/contracts/package.json packages/core/package.json packages/sidecar/package.json packages/cli/package.json
+          if ! git diff --cached --quiet; then
+            git commit -m "chore(release): cut v$RELEASE_VERSION"
+          fi
+
+      - name: Create release tag
+        env:
+          RELEASE_TAG: ${{ steps.release_meta.outputs.tag }}
+        run: git tag "$RELEASE_TAG"
+
+      - name: Push release commit and tag
+        env:
+          RELEASE_TAG: ${{ steps.release_meta.outputs.tag }}
+          RELEASE_BRANCH: ${{ github.ref_name }}
+        run: |
+          git push origin "HEAD:$RELEASE_BRANCH"
+          git push origin "$RELEASE_TAG"
+
+  release-info:
+    name: Resolve release metadata
+    needs: [prepare]
+    if: always() && (github.event_name == 'push' || needs.prepare.result == 'success')
+    runs-on: ubuntu-latest
+    outputs:
+      tag: ${{ steps.meta.outputs.tag }}
+      version: ${{ steps.meta.outputs.version }}
+      prerelease: ${{ steps.meta.outputs.prerelease }}
+      ref: ${{ steps.meta.outputs.ref }}
+    steps:
+      - id: meta
+        env:
+          EVENT_NAME: ${{ github.event_name }}
+          PUSH_TAG: ${{ github.ref_name }}
+          PUSH_REF: ${{ github.ref }}
+          INPUT_PRERELEASE: ${{ github.event.inputs.prerelease }}
+          PREPARED_TAG: ${{ needs.prepare.outputs.tag }}
+          PREPARED_VERSION: ${{ needs.prepare.outputs.version }}
+        run: |
+          if [ "$EVENT_NAME" = "workflow_dispatch" ]; then
+            tag="$PREPARED_TAG"
+            version="$PREPARED_VERSION"
+            prerelease="$INPUT_PRERELEASE"
+            case "$version" in
+              *-*) prerelease="true" ;;
+            esac
+            ref="refs/tags/$tag"
+          else
+            tag="$PUSH_TAG"
+            version="${PUSH_TAG#v}"
+            case "$version" in
+              *-*) prerelease="true" ;;
+              *) prerelease="false" ;;
+            esac
+            ref="$PUSH_REF"
+          fi
+          echo "tag=$tag" >> "$GITHUB_OUTPUT"
+          echo "version=$version" >> "$GITHUB_OUTPUT"
+          echo "prerelease=$prerelease" >> "$GITHUB_OUTPUT"
+          echo "ref=$ref" >> "$GITHUB_OUTPUT"
+
+  create-release:
+    name: Create GitHub release
+    needs: [release-info]
+    if: always() && needs.release-info.result == 'success'
+    runs-on: ubuntu-latest
+    outputs:
+      release_id: ${{ steps.release.outputs.release_id }}
+    steps:
+      - id: release
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GH_REPO: ${{ github.repository }}
+          RELEASE_TAG: ${{ needs.release-info.outputs.tag }}
+          RELEASE_VERSION: ${{ needs.release-info.outputs.version }}
+          RELEASE_PRERELEASE: ${{ needs.release-info.outputs.prerelease }}
+        run: |
+          if gh release view "$RELEASE_TAG" >/dev/null 2>&1; then
+            release_id="$(gh release view "$RELEASE_TAG" --json databaseId --jq '.databaseId')"
+          else
+            args=(
+              release create "$RELEASE_TAG"
+              --title "OpenGoat v$RELEASE_VERSION"
+              --generate-notes
+              --notes "Download the installer for your platform from the assets below."
+            )
+            if [ "$RELEASE_PRERELEASE" = "true" ]; then
+              args+=(--prerelease)
+            fi
+            gh "${args[@]}"
+            release_id="$(gh release view "$RELEASE_TAG" --json databaseId --jq '.databaseId')"
+          fi
+          echo "release_id=$release_id" >> "$GITHUB_OUTPUT"
+
+  publish:
+    name: Build and publish desktop bundles
+    needs: [release-info, create-release]
+    if: always() && needs.release-info.result == 'success' && needs.create-release.result == 'success'
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - os: macos-latest
+            target: aarch64-apple-darwin
+          - os: windows-latest
+            target: x86_64-pc-windows-msvc
+    runs-on: ${{ matrix.os }}
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+          ref: ${{ needs.release-info.outputs.ref }}
+
+      - uses: pnpm/action-setup@v4
+
+      - uses: actions/setup-node@v4
+        with:
+          node-version: 22
+          cache: pnpm
+
+      - uses: dtolnay/rust-toolchain@stable
+        with:
+          targets: ${{ matrix.target }}
+
+      - uses: Swatinem/rust-cache@v2
+
+      - name: Install dependencies
+        run: pnpm install --frozen-lockfile
+
+      - name: Verify release version sync
+        run: pnpm release:check-version
+
+      - uses: tauri-apps/tauri-action@v0.6.2
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          projectPath: ./apps/desktop
+          tauriScript: pnpm tauri
+          releaseId: ${{ needs.create-release.outputs.release_id }}
+          tagName: ${{ needs.release-info.outputs.tag }}
+          args: --target ${{ matrix.target }} --ci
+          retryAttempts: 2
+          includeUpdaterJson: false
+          assetNamePattern: OpenGoat_[version]_[platform]_[arch][_setup].[ext]
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -106,7 +106,7 @@ jobs:
         if: steps.check_changesets.outputs.has_changesets == 'true'
         run: |
           VERSION="$(node -p "require('./packages/cli/package.json').version")"
-          git add packages/contracts/package.json packages/core/package.json packages/cli/package.json CHANGELOG.md .changeset
+          git add VERSION Cargo.lock Cargo.toml package.json apps/desktop/package.json apps/desktop/src-tauri/tauri.conf.json packages/contracts/package.json packages/core/package.json packages/sidecar/package.json packages/cli/package.json CHANGELOG.md .changeset
           git commit -m "chore: release ${VERSION}"
           git tag "v${VERSION}"
           git push
@@ -131,4 +131,8 @@ jobs:
             exit 1
           fi
 
-          gh release create "v${VERSION}" --title "v${VERSION}" --notes-file "$NOTES_FILE"
+          if gh release view "v${VERSION}" >/dev/null 2>&1; then
+            gh release edit "v${VERSION}" --title "v${VERSION}" --notes-file "$NOTES_FILE"
+          else
+            gh release create "v${VERSION}" --title "v${VERSION}" --notes-file "$NOTES_FILE"
+          fi
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
@@ -4,7 +4,7 @@
 
 We use **Changesets** to gather release notes, but we release using **CalVer** (Date-based versioning, e.g., `YYYY.M.D`).
 
-### How to Create a Release
+### Package Releases
 
 1.  **Work as usual**: Make your changes in a feature branch.
 2.  **Add a changeset**: Before merging, run `npm run changeset`.
@@ -19,6 +19,16 @@ We use **Changesets** to gather release notes, but we release using **CalVer** (
       - Publish to NPM.
       - Push the version commit and tag back to the repo.
 
+### Desktop Releases
+
+Desktop installers are published through the GitHub Actions workflow `Desktop Release`.
+
+- Run it manually with a target version such as `2026.4.7`, or let it react automatically to a pushed `v2026.4.7` tag.
+- The workflow synchronizes `VERSION`, package metadata, Tauri config, and Cargo workspace version before building desktop artifacts.
+- It publishes macOS and Windows installers to the matching GitHub release.
+
+See [`docs/releases.md`](docs/releases.md) for the desktop release workflow details and repository prerequisites.
+
 ### Prerequisite
 
-To publish to NPM, the repository needs the `NPM_TOKEN` secret configured in GitHub context.
+To publish packages from GitHub Actions, npm trusted publishing must remain configured for this repository.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -7,7 +7,7 @@ authors = ["OpenGoat"]
 edition = "2024"
 license = "Proprietary"
 rust-version = "1.94"
-version = "0.1.0"
+version = "2026.2.23"
 
 [workspace.dependencies]
 reqwest = { version = "0.13.2", default-features = false, features = ["http2", "json", "rustls"] }
diff --git a/VERSION b/VERSION
@@ -0,0 +1 @@
+2026.2.23
diff --git a/apps/desktop/package.json b/apps/desktop/package.json
@@ -1,7 +1,7 @@
 {
   "name": "@opengoat/desktop",
   "private": true,
-  "version": "0.1.0",
+  "version": "2026.2.23",
   "type": "module",
   "scripts": {
     "dev": "vite",
diff --git a/apps/desktop/src-tauri/tauri.conf.json b/apps/desktop/src-tauri/tauri.conf.json
@@ -1,12 +1,12 @@
 {
   "$schema": "https://schema.tauri.app/config/2",
   "productName": "OpenGoat",
-  "version": "0.1.0",
+  "version": "2026.2.23",
   "identifier": "com.opengoat.app",
   "build": {
     "beforeDevCommand": "pnpm --dir ../../ desktop:frontend:dev",
     "devUrl": "http://localhost:1430",
-    "beforeBuildCommand": "pnpm --dir ../../ desktop:frontend:build && pnpm --dir ../../ sidecar:bundle",
+    "beforeBuildCommand": "pnpm --dir ../../ desktop:frontend:release-build && pnpm --dir ../../ sidecar:bundle",
     "frontendDist": "../dist"
   },
   "app": {
@@ -27,6 +27,9 @@
   },
   "bundle": {
     "active": true,
+    "macOS": {
+      "signingIdentity": "-"
+    },
     "resources": {
       "../../../packages/sidecar/.bundle/": "sidecar/"
     },
diff --git a/docs/releases.md b/docs/releases.md
@@ -0,0 +1,47 @@
+# Desktop Releases
+
+OpenGoat desktop releases are versioned from the root [`VERSION`](../VERSION) file.
+
+## What ships
+
+The desktop release workflow publishes:
+
+- macOS desktop bundles for Apple Silicon as `.app` and `.dmg`
+- Windows desktop installers as `.msi` and NSIS `.exe`
+
+The workflow is defined in [`/.github/workflows/desktop-release.yml`](../.github/workflows/desktop-release.yml).
+
+## How to cut a desktop release
+
+Use GitHub Actions and run the `Desktop Release` workflow manually.
+
+Inputs:
+
+- `version`: release version without the `v` prefix, for example `2026.4.7`
+- `prerelease`: set to `true` when publishing a prerelease
+
+The workflow will:
+
+1. Synchronize the repository version metadata to the requested release version
+2. Commit the version bump as `chore(release): cut vX.Y.Z`
+3. Create and push the `vX.Y.Z` tag
+4. Create the GitHub release if it does not already exist
+5. Build macOS and Windows desktop bundles
+6. Upload the generated installers to that release
+
+The workflow also runs automatically on `v*` tag pushes. That makes it compatible with the existing Changesets-based npm release flow: once the npm release workflow tags a version, desktop artifacts are attached to the same GitHub release.
+
+## Repository prerequisites
+
+- GitHub Actions must have `Read and write permissions` so the workflow can push the release commit and tag with `GITHUB_TOKEN`
+- If your default branch is protected, GitHub Actions must be allowed to push the automated `chore(release): cut vX.Y.Z` commit, or you should cut releases from an unprotected release branch
+- Hosted runners must stay enabled for both `macos-latest` and `windows-latest`
+
+## Signing
+
+Local and CI macOS builds use Tauri's ad-hoc signing identity (`-`) by default. That is suitable for internal testing only.
+
+For broader production distribution, add platform signing credentials before relying on these artifacts:
+
+- macOS: Developer ID Application certificate and notarization credentials
+- Windows: code-signing certificate
diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@opengoat/opengoat-monorepo",
-  "version": "0.1.0",
+  "version": "2026.2.23",
   "private": true,
   "description": "OpenGoat monorepo workspace",
   "type": "module",
@@ -14,6 +14,7 @@
     "desktop:dev": "pnpm --filter @opengoat/desktop tauri dev",
     "desktop:frontend:build": "pnpm --filter @opengoat/desktop build",
     "desktop:frontend:dev": "pnpm --filter @opengoat/desktop dev",
+    "desktop:frontend:release-build": "pnpm --filter @opengoat/desktop exec vite build",
     "sidecar:bundle": "pnpm --filter @opengoat/sidecar bundle:prepare",
     "sidecar:build": "pnpm --filter @opengoat/sidecar build",
     "sidecar:dev": "pnpm --filter @opengoat/sidecar dev",
@@ -26,6 +27,8 @@
     "test:watch": "vitest",
     "typecheck": "pnpm --filter @opengoat/contracts build && pnpm --filter @opengoat/core typecheck && pnpm --filter opengoat typecheck",
     "changeset": "changeset",
+    "release:check-version": "node scripts/sync-version.mjs --check",
+    "release:sync-version": "node scripts/sync-version.mjs",
     "version-packages": "node scripts/release.mjs",
     "release": "node scripts/release.mjs",
     "prepare": "husky",
diff --git a/packages/sidecar/package.json b/packages/sidecar/package.json
@@ -1,7 +1,7 @@
 {
   "name": "@opengoat/sidecar",
   "private": true,
-  "version": "0.1.0",
+  "version": "2026.2.23",
   "type": "module",
   "exports": {
     ".": {
diff --git a/scripts/release.mjs b/scripts/release.mjs
diff --git a/scripts/sync-version.mjs b/scripts/sync-version.mjs

Original file line number	Diff line number	Diff line change
`@@ -1,7 +1,7 @@`
`1`	`1`	`{`
`2`	`2`	`"name": "@opengoat/desktop",`
`3`	`3`	`"private": true,`
`4`		`- "version": "0.1.0",`
	`4`	`+ "version": "2026.2.23",`
`5`	`5`	`"type": "module",`
`6`	`6`	`"scripts": {`
`7`	`7`	`"dev": "vite",`