Publish #40

Merged: newbe36524 merged 5 commits into main from publish on May 24, 2026
Conversation

@newbe36524 newbe36524 commented May 24, 2026

Summary by CodeRabbit

  • Chores
    • Improved internal build and release infrastructure with centralized release metadata management.
    • Enhanced Windows artifact signing and verification processes for improved security and reliability.
    • Refined production preview release channel tracking and versioning logic.
    • Streamlined cross-platform build pipeline dependencies for more efficient artifact generation and deployment.

coderabbitai Bot commented May 24, 2026

Caution

Review failed

Pull request was closed or merged during review

Walkthrough

This PR refactors two GitHub Actions workflows to centralize release metadata and enhance the production preview channel. build.yml introduces a prepare-release job that computes version, channel, and release metadata once, then wires all downstream build, publish, and sync jobs to use those outputs. publish-dev.yml transitions from dev to production preview builds, adds explicit Artifact Signing validation with catalog-based signature verification, and simplifies orchestration to check only build results rather than publish-shard jobs.

Changes

Release Metadata Centralization (build.yml)

Layer / File(s) Summary
Prepare-release job setup
.github/workflows/build.yml
The prepare-release job is added/updated to compute and export release metadata (version, release_tag, release_name, channel, channel_source, version_source, is_tag_release), and the build-windows job is wired to depend on prepare-release.
Windows build integration with prepared metadata
.github/workflows/build.yml
The Windows build job wires RELEASE_CHANNEL from prepare-release outputs, adds a step to sync package.json to the prepared version, refines Azure login conditions to exclude appx targets, and updates build summaries and Feishu notifications to report the prepared version and release_tag.
Cross-platform build integration
.github/workflows/build.yml
The build-platform-artifacts job wires prepare-release as a dependency, sets RELEASE_CHANNEL from prepare-release outputs, replaces local version-sync logic with prepared version, and updates Linux/macOS packaging summaries to include prepared version and channel.
Publishing jobs gating and release metadata
.github/workflows/build.yml
The publish-windows-release and publish-platform-release jobs are updated to gate on is_tag_release from prepare-release and to set GitHub Release tag_name from prepare-release.outputs.release_tag (instead of github.ref_name) for all platforms.
Build-summary and Azure-sync integration
.github/workflows/build.yml
The build-summary job now depends on prepare-release, exposes channel from prepare-release outputs, uses is_tag_release for determining tag-vs-non-tag behavior, includes Windows AppX in the platform list conditionally, and publishes prepared metadata. The sync-azure-upload job is rewired to depend on prepare-release and build-summary, uses prepare-release release_tag instead of github.ref_name, and gates on build-summary outputs.

Publish-dev Workflow: Production Preview Channel and Signing (publish-dev.yml)

Layer / File(s) Summary
Workflow name and release-prep logic
.github/workflows/publish-dev.yml
The workflow display name changes to "Publish Production Preview Build", permissions/concurrency/environment are updated for the stable preview channel, and the release-preparation job is reworked to compute the next stable preview version by querying GitHub releases (preferring highest draft stable semver tag) or deriving from git tags or package.json version.
Windows signing policy and validation
.github/workflows/publish-dev.yml
Windows job permissions are set, a signing-policy step determines whether Artifact Signing is required based on environment, and a validation step fails early with a step-summary message when required Azure signing configuration secrets are missing.
Windows artifact collection and catalog generation
.github/workflows/publish-dev.yml
The Windows build step is renamed, artifact collection logic is extended to track a windows-signable catalog file path, the catalog file is generated by collecting artifact paths relative to the package dir (normalized, sorted, uniqued), and a catalog_path output is exposed for downstream steps.
ZIP payload staging and signature verification
.github/workflows/publish-dev.yml
ZIP payload preparation inputs are extended to pass the catalog path into the staging script, additional signable file lists are built, exactly one root desktop executable is enforced in the ZIP payload, an updated catalog of resolved paths (including signable inputs and root EXE) is created, Azure login and artifact-signing-action conditionally run for signing root EXEs and unpacked ZIP roots, and signature verification runs in strict mode using the generated catalog.
Windows summary, artifact upload, and failure notifications
.github/workflows/publish-dev.yml
A dedicated "Summarize Windows package build" step is added, Windows preview bundles are uploaded with 30-day retention, and a Feishu webhook notification step is introduced to post signing failure notifications.
Platform artifact builds and orchestration
.github/workflows/publish-dev.yml
The non-Windows build matrix is aligned so macOS targets rely on artifact_glob; platform build steps use the linux platform flag for Linux targets; artifact summaries are updated with version and target details; preview bundles are uploaded with new naming and 30-day retention; a "Publish Preview Summary" job is added; and the final orchestration status is simplified to check only build results.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

Possibly related PRs

  • HagiCode-org/desktop#39: This PR substantially rewrites the prepare-release/version/channel logic and platform orchestration in publish-dev.yml that were introduced in PR #39.
  • HagiCode-org/desktop#7: Both PRs modify the Azure sync GitHub Actions wiring in build.yml, including how release_tag is passed downstream.

Poem

🐰 A rabbit hops through workflows, organizing with care,
Release metadata gathered, then shared everywhere—
From Windows to Linux, from preview to tag,
Each job now knows its version before they all flag.
Signing's on duty, with catalogs tight,
Building production previews—a rabbit's delight! 🎉

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 inconclusive)

| Check name | Status | Explanation | Resolution |
| --- | --- | --- | --- |
| Title check | ❓ Inconclusive | The title 'Publish' is vague and non-descriptive, failing to convey meaningful information about the significant workflow changes that reorganize release metadata handling and publishing logic. | Consider a more specific title such as 'Refactor release workflow to centralize metadata preparation' or 'Centralize release metadata in GitHub Actions workflow'. |

✅ Passed checks (4 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |

@newbe36524 newbe36524 merged commit ae72849 into main May 24, 2026
13 of 15 checks passed
@newbe36524 newbe36524 deleted the publish branch May 24, 2026 11:34
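
The catalog handling that the walkthrough describes for publish-dev.yml (artifact paths made relative to the package dir, normalized, sorted and uniqued; exactly one root executable; strict verification against the catalog) can be pictured with the following added example, which is not the repository's workflow code. The function names, the set of signable extensions, the meaning given to "strict" and the `isSigned` callback that stands in for the real signature check are all assumptions.

```javascript
// Added example, not the project's workflow code. Function names are hypothetical.
const fs = require("node:fs");
const os = require("node:os");
const path = require("node:path");

const SIGNABLE = new Set([".exe", ".dll", ".node"]); // assumed set of signable extensions

// Collect signable files under packageDir plus extraPaths as package-relative,
// forward-slash paths, de-duplicated and sorted. Paths outside packageDir are rejected.
function buildCatalog(packageDir, extraPaths = []) {
  const root = fs.realpathSync(packageDir);
  const found = [];
  const walk = (dir) => {
    for (const entry of fs.readdirSync(dir, { withFileTypes: true })) {
      const full = path.join(dir, entry.name);
      if (entry.isDirectory()) walk(full); // symlinks report as neither, so they are skipped
      else if (entry.isFile() && SIGNABLE.has(path.extname(entry.name).toLowerCase())) found.push(full);
    }
  };
  walk(root);
  const rel = [...found, ...extraPaths.map((p) => path.resolve(root, p))].map((abs) => {
    const r = path.relative(root, abs);
    if (r === "" || r === ".." || r.startsWith(".." + path.sep) || path.isAbsolute(r)) {
      throw new Error(`catalog entry escapes package dir: ${abs}`);
    }
    return r.split(path.sep).join("/");
  });
  return [...new Set(rel)].sort();
}

// Exactly one .exe may sit at the payload root; zero or several aborts the build.
function requireSingleRootExe(catalog) {
  const rootExes = catalog.filter((p) => !p.includes("/") && p.toLowerCase().endsWith(".exe"));
  if (rootExes.length !== 1) throw new Error(`expected 1 root .exe, found ${rootExes.length}`);
  return rootExes[0];
}

// Strict verification (assumed meaning): any catalog entry that fails the check fails the run.
// isSigned stands in for the real signature check, which this example does not perform.
function verifyStrict(catalog, isSigned) {
  const bad = catalog.filter((p) => !isSigned(p));
  if (bad.length > 0) throw new Error(`unsigned or invalid: ${bad.join(", ")}`);
  return catalog.length;
}

// Constructed sample package layout, for demonstration only.
function makeSamplePackage() {
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), "pkg-"));
  fs.mkdirSync(path.join(dir, "resources"));
  for (const f of ["App.exe", "resources/helper.dll", "resources/readme.txt"]) fs.writeFileSync(path.join(dir, f), "");
  return dir;
}
```

Driving verification from a catalog built this way means a file that was packaged but never signed fails the run instead of being silently left out of the check.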