
Douwe de Vries edited this page Jul 1, 2026 · 1 revision

Deployment

CSV Anonymizer releases are Tauri desktop packages built from the Vite frontend and the Rust workspace. The authoritative, step-by-step process is docs/releasing.md in the source tree; this page summarizes the repo-local release and packaging model.

Active contributors: Douwe de Vries

Release inputs

Release metadata must stay synchronized across:

  • package.json
  • frontend/package.json
  • frontend/package-lock.json
  • Cargo.toml
  • src-tauri/tauri.conf.json
  • CHANGELOG.md
  • build/linux/io.github.ddv1982.csv-data-anonymizer.metainfo.xml

Validate the metadata before tagging:

node scripts/check-release-metadata.mjs --expected-tag v1.0.0

The metadata check also validates the Tauri bundle identifier, Linux desktop identity, required icon list, changelog date, metainfo date, visible desktop name, and absence of tracked Local AI model/runtime artifacts.
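The kind of cross-file consistency the check enforces, as an added example in Python (this is not the project's scripts/check-release-metadata.mjs). Assumed rather than taken from the page: the Tauri v2 layout of tauri.conf.json (top-level "version" and "identifier"), a keep-a-changelog heading format, and the model-artifact file suffixes; the expected bundle identifier is read off the metainfo file name listed above. The sample inputs are constructed.

```python
"""Release-metadata consistency check (added example, not the project's script)."""
import json
import re
import xml.etree.ElementTree as ET

EXPECTED_IDENTIFIER = "io.github.ddv1982.csv-data-anonymizer"  # from the metainfo file name
METAINFO_PATH = f"build/linux/{EXPECTED_IDENTIFIER}.metainfo.xml"
MODEL_SUFFIXES = (".gguf", ".onnx", ".safetensors")  # assumed; adjust to the real runtime


def version_from_tag(tag):
    if not re.fullmatch(r"v\d+\.\d+\.\d+", tag):
        raise ValueError(f"expected a vX.Y.Z tag, got {tag!r}")
    return tag[1:]


def cargo_package_version(text):
    # Only the [package] table counts; a "version" key in another table is ignored.
    in_package = False
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("["):
            in_package = s == "[package]"
        elif in_package:
            m = re.fullmatch(r'version\s*=\s*"([^"]+)"', s)
            if m:
                return m.group(1)
    return None


def changelog_date(text, version):
    # Assumed keep-a-changelog style heading: "## [1.0.0] - 2026-07-01"
    pattern = rf"^## \[{re.escape(version)}\] - (\d{{4}}-\d{{2}}-\d{{2}})\s*$"
    m = re.search(pattern, text, re.M)
    return m.group(1) if m else None


def metainfo_latest_release(text):
    # AppStream lists the newest <release> first.
    rel = ET.fromstring(text).find("./releases/release")
    return (rel.get("version"), rel.get("date")) if rel is not None else (None, None)


def check_release_metadata(expected_tag, files, tracked_paths=()):
    """files maps repo path -> file text. Returns a list of problems; [] means consistent."""
    version = version_from_tag(expected_tag)
    problems = []

    def expect(label, actual):
        if actual != version:
            problems.append(f"{label}: expected {version}, found {actual}")

    expect("package.json", json.loads(files["package.json"]).get("version"))
    expect("frontend/package.json", json.loads(files["frontend/package.json"]).get("version"))
    lock = json.loads(files["frontend/package-lock.json"])
    expect("frontend/package-lock.json", lock.get("version"))
    expect("frontend/package-lock.json packages['']",
           lock.get("packages", {}).get("", {}).get("version"))
    expect("Cargo.toml", cargo_package_version(files["Cargo.toml"]))
    tauri = json.loads(files["src-tauri/tauri.conf.json"])
    expect("src-tauri/tauri.conf.json", tauri.get("version"))
    if tauri.get("identifier") != EXPECTED_IDENTIFIER:
        problems.append(f"tauri.conf.json identifier: expected {EXPECTED_IDENTIFIER}, "
                        f"found {tauri.get('identifier')}")
    cl_date = changelog_date(files["CHANGELOG.md"], version)
    if cl_date is None:
        problems.append(f"CHANGELOG.md: no '## [{version}] - YYYY-MM-DD' entry")
    meta_version, meta_date = metainfo_latest_release(files[METAINFO_PATH])
    expect(METAINFO_PATH, meta_version)
    if cl_date and meta_date and cl_date != meta_date:
        problems.append(f"release date mismatch: CHANGELOG.md {cl_date} vs metainfo {meta_date}")
    for path in tracked_paths:  # git-tracked paths; model/runtime blobs must not be among them
        if path.lower().endswith(MODEL_SUFFIXES):
            problems.append(f"tracked Local AI model/runtime artifact: {path}")
    return problems


# Constructed sample inputs for a consistent v1.0.0 release.
SAMPLE_FILES = {
    "package.json": '{"name": "csv-anonymizer", "version": "1.0.0"}',
    "frontend/package.json": '{"name": "frontend", "version": "1.0.0"}',
    "frontend/package-lock.json":
        '{"name": "frontend", "version": "1.0.0", "packages": {"": {"version": "1.0.0"}}}',
    "Cargo.toml": '[workspace]\nmembers = ["crates/*"]\n\n[package]\n'
                  'name = "csv-anonymizer"\nversion = "1.0.0"\n',
    "src-tauri/tauri.conf.json": json.dumps(
        {"productName": "CSV Anonymizer", "version": "1.0.0", "identifier": EXPECTED_IDENTIFIER}),
    "CHANGELOG.md": "# Changelog\n\n## [1.0.0] - 2026-07-01\n\n- Initial release.\n",
    METAINFO_PATH: ('<component type="desktop-application"><id>' + EXPECTED_IDENTIFIER + '</id>'
                    '<releases><release version="1.0.0" date="2026-07-01"/></releases></component>'),
}

if __name__ == "__main__":
    print(check_release_metadata("v1.0.0", SAMPLE_FILES) or "metadata consistent")
```

Run it against the real files by reading each path in the list above into the dict and passing the output of git ls-files as tracked_paths; any non-empty result should block tagging.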

Artifact model

Release artifacts are staged under dist/rust/artifacts.

Artifacts per platform:

  • macOS: signed and notarized .dmg installers for Apple Silicon and Intel.
  • Linux direct downloads: .deb, .rpm, and AppImage packages, each with a .sha256 checksum sidecar and a .sha256.asc detached signature over that sidecar.
  • Linux APT: signed APT repository under dist/rust/apt-pages/apt, the archive keyring, the repository setup package with its setup checksum and setup signature, and install-apt-repo.sh.

The GitHub Release publishes user-facing installers, checksum/signature files, APT bootstrap files, and the public archive keyring. The APT repository is published to GitHub Pages.

Local validation before a tag

Use the full gate before public release work:

npm run fmt
npm run lint
npm run test
npm run typecheck
npm run deadcode:required
npm run docs:check
npm run release:check
npm run tauri:prebuilt:check
npm run frontend:e2e
npm run frontend:a11y
npm run frontend:audit
npm run cargo:audit:required
node scripts/rust-smoke.mjs

Run benchmarks when performance-sensitive Rust paths changed:

cargo bench -p csv-anonymizer-core --bench csv_streaming
cargo bench -p csv-anonymizer-core --bench detector_matrix -- --sample-size 10

Tauri frontend packaging contract

src-tauri/tauri.conf.json uses:

  • build.beforeBuildCommand: scripts/build_frontend_for_tauri.sh
  • build.frontendDist: ../frontend/dist
  • build.devUrl: http://localhost:5173

When CSV_ANONYMIZER_USE_PREBUILT_FRONTEND=1 is set, scripts/build_frontend_for_tauri.sh does not rebuild the frontend: it requires an existing frontend/dist/index.html plus non-empty built CSS assets and fails the Tauri build otherwise, so a stale or partial dist cannot be bundled silently. npm run tauri:prebuilt:check verifies that a missing frontend/dist and missing CSS both fail as expected.
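The gate that contract describes, as an added Python example (not the project's scripts/build_frontend_for_tauri.sh, which is a shell script). It assumes Vite's default output layout with built CSS somewhere under frontend/dist/, and its self_check reproduces the two negative cases that tauri:prebuilt:check asserts, plus an empty-CSS case, in a temporary directory.

```python
"""Prebuilt-frontend gate (added example; not the project's build script)."""
import os
import tempfile
from pathlib import Path


def check_prebuilt_frontend(dist_dir):
    """Return None when dist_dir is usable as build.frontendDist, else the reason it is not."""
    dist = Path(dist_dir)
    if not (dist / "index.html").is_file():
        return "frontend/dist/index.html is missing; run the frontend build first"
    css = [p for p in dist.rglob("*.css") if p.is_file()]  # assumed: Vite emits *.css under dist
    if not css:
        return "no built CSS asset found; an HTML-only dist usually means a failed Vite build"
    empty = [p for p in css if p.stat().st_size == 0]
    if empty:
        return "empty CSS asset(s): " + ", ".join(p.name for p in empty)
    return None


def self_check():
    """Exercise the gate the way tauri:prebuilt:check does, on a constructed dist tree."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        dist = Path(tmp) / "dist"
        results["missing_dist"] = check_prebuilt_frontend(dist)
        (dist / "assets").mkdir(parents=True)
        (dist / "index.html").write_text("<!doctype html><html></html>")
        results["missing_css"] = check_prebuilt_frontend(dist)
        (dist / "assets" / "index-abc123.css").write_text("")
        results["empty_css"] = check_prebuilt_frontend(dist)
        (dist / "assets" / "index-abc123.css").write_text("body{margin:0}")
        results["ok"] = check_prebuilt_frontend(dist)
    return results


if __name__ == "__main__":
    if os.environ.get("CSV_ANONYMIZER_USE_PREBUILT_FRONTEND") == "1":
        reason = check_prebuilt_frontend("frontend/dist")
        raise SystemExit(f"refusing to package: {reason}" if reason else 0)
    print(self_check())
```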

macOS package flow

The release workflow in .github/workflows/release.yml:

  1. Builds the frontend.
  2. Installs the pinned Tauri CLI from TAURI_CLI_VERSION.
  3. Builds the .app bundle with CSV_ANONYMIZER_USE_PREBUILT_FRONTEND=1.
  4. Signs, notarizes, staples, and verifies the .app.
  5. Builds the .dmg through scripts/package-rust-macos.mjs.
  6. Signs, notarizes, staples, and verifies the .dmg.
  7. Validates artifacts with scripts/check-rust-artifacts.mjs.
  8. Uploads .dmg assets to the draft GitHub Release.

Signing identities and notarization credentials are supplied as GitHub Actions secrets. Never store their values in the repo.

Linux package flow

Linux packaging uses scripts/package-tauri-linux.mjs and the Tauri Linux config in src-tauri/tauri.linux.conf.json.

Local or CI package validation:

node scripts/package-tauri-linux.mjs
python3 scripts/validate_linux_package_metadata.py "dist/rust/artifacts/*.deb" "dist/rust/artifacts/*.rpm"
node scripts/check-apt-repository.mjs
node scripts/check-apt-installer.mjs

scripts/validate_linux_package_metadata.py extracts .deb and .rpm files and checks installed desktop files, AppStream metadata, license files, launchable IDs, binary names, release versions, and icon paths.

APT repository flow

scripts/build_apt_repository.py builds the static APT repository from .deb artifacts. The release workflow:

  1. Imports the Linux signing key into a temporary GPG home.
  2. Builds dist/rust/apt-pages/apt.
  3. Exports csv-anonymizer-archive-keyring.pgp.
  4. Builds csv-anonymizer-repository-setup_1.0_all.deb.
  5. Signs repository metadata and setup-package checksum files.
  6. Renders install-apt-repo.sh with the expected signing key fingerprint.
  7. Publishes the APT Pages artifact only after package validation passes.

The installer script itself carries no detached signature, so its integrity rests on fetching it over HTTPS from the GitHub Release. What the script authenticates is the repository setup package: it verifies the archive key against the fingerprint pinned at render time and checks the signed setup-package checksum before installing, so a substituted setup package is rejected even though the script is unsigned.
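The hash chain underneath the signatures, covering both the direct-download artifacts (checksum sidecars from the artifact model above) and the APT repository index, as an added Python example that is not the project's scripts/check-apt-repository.mjs or check-rust-artifacts.mjs. Assumed formats: sha256sum-style sidecars ("<hex>  <filename>") and the standard APT Release layout with a "SHA256:" block of " <hex> <size> <path>" lines. OpenPGP verification of Release.gpg and the .sha256.asc files is done by gpg and apt with the archive keyring and is not reimplemented here; the sample repository is constructed inline.

```python
"""Checksum-sidecar and APT Release index verification (added example)."""
import gzip
import hashlib
import re


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def parse_sha256_sidecar(text):
    """Parse one sha256sum-style line into (hexdigest, filename); '*' marks binary mode."""
    m = re.fullmatch(r"([0-9a-fA-F]{64})\s+\*?(\S.*)", text.strip())
    if not m:
        raise ValueError("malformed .sha256 sidecar")
    return m.group(1).lower(), m.group(2)


def verify_sidecar(artifact_name, artifact_bytes, sidecar_text):
    """True only if the sidecar names this artifact and the digest matches.
    Checking the name stops a genuine sidecar for some other file being accepted."""
    digest, named = parse_sha256_sidecar(sidecar_text)
    return named == artifact_name and digest == sha256_hex(artifact_bytes)


def parse_release_sha256(release_text):
    """Return {path: (size, hexdigest)} from the SHA256: block of an APT Release file."""
    entries, in_block = {}, False
    for line in release_text.splitlines():
        if not line.startswith(" "):  # a new field header; only SHA256: opens the block we want
            in_block = line.strip() == "SHA256:"
            continue
        if in_block:
            digest, size, path = line.split()
            entries[path] = (int(size), digest.lower())
    return entries


def verify_repository_index(release_text, index_files):
    """index_files maps relative path -> bytes for every index file in the dist tree.
    Returns a list of problems; [] means every index is covered by the (signed) Release."""
    listed = parse_release_sha256(release_text)
    problems = []
    for path, data in index_files.items():
        if path not in listed:
            problems.append(f"{path}: present on disk but not listed in Release (unauthenticated)")
            continue
        size, digest = listed[path]
        if len(data) != size:
            problems.append(f"{path}: size {len(data)} != Release size {size}")
        if sha256_hex(data) != digest:
            problems.append(f"{path}: sha256 mismatch")
    for path in listed:
        if path not in index_files:
            problems.append(f"{path}: listed in Release but missing on disk")
    return problems


def build_sample_repo():
    """Constructed sample: one Packages index (plain and gzip) and a Release covering both."""
    packages = (b"Package: csv-anonymizer\nVersion: 1.0.0\nArchitecture: amd64\n"
                b"Filename: pool/main/csv-anonymizer_1.0.0_amd64.deb\n\n")
    files = {
        "main/binary-amd64/Packages": packages,
        "main/binary-amd64/Packages.gz": gzip.compress(packages, mtime=0),
    }
    lines = ["Origin: CSV Anonymizer", "Suite: stable", "Codename: stable",
             "Architectures: amd64", "Components: main", "SHA256:"]
    lines += [f" {sha256_hex(d)} {len(d)} {p}" for p, d in files.items()]
    return "\n".join(lines) + "\n", files


if __name__ == "__main__":
    release, files = build_sample_repo()
    print(verify_repository_index(release, files) or "repository index consistent")
```

The "not listed in Release" case matters most: an index file that apt can fetch but that the signed Release does not mention is not protected by the repository signature at all, which is exactly the gap a repository build script can introduce by emitting an extra compression variant.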

Tag-triggered release behavior

Pushing a v* tag triggers .github/workflows/release.yml. The workflow validates the release first, creates or refreshes a draft GitHub Release, builds macOS and Linux assets, publishes the APT repository to GitHub Pages, then publishes the GitHub Release only after all platform and APT jobs succeed.

Related pages: Testing, Tooling, Security, and Configuration.
