deployment
CSV Anonymizer releases are Tauri desktop packages built from the Vite frontend and Rust workspace. The detailed source process is docs/releasing.md; this page summarizes the repo-local release and packaging model.
Active contributors: Douwe de Vries
Release metadata must stay synchronized across:
- package.json
- frontend/package.json
- frontend/package-lock.json
- Cargo.toml
- src-tauri/tauri.conf.json
- CHANGELOG.md
- build/linux/io.github.ddv1982.csv-data-anonymizer.metainfo.xml
Validate the metadata before tagging:
node scripts/check-release-metadata.mjs --expected-tag v1.0.0
The metadata check also validates the Tauri bundle identifier, Linux desktop identity, required icon list, changelog date, metainfo date, visible desktop name, and absence of tracked Local AI model/runtime artifacts.
Release artifacts are staged under dist/rust/artifacts.
| Platform | Artifacts |
|---|---|
| macOS | Signed and notarized .dmg installers for Apple Silicon and Intel architectures |
| Linux direct downloads | .deb, .rpm, AppImage, .sha256 checksum sidecars, and .sha256.asc detached signatures |
| Linux APT | Signed APT repository under dist/rust/apt-pages/apt, archive keyring, repository setup package, setup checksum, setup signature, and install-apt-repo.sh |
The GitHub Release publishes user-facing installers, checksum/signature files, APT bootstrap files, and the public archive keyring. The APT repository is published to GitHub Pages.
Use the full gate before public release work:
npm run fmt
npm run lint
npm run test
npm run typecheck
npm run deadcode:required
npm run docs:check
npm run release:check
npm run tauri:prebuilt:check
npm run frontend:e2e
npm run frontend:a11y
npm run frontend:audit
npm run cargo:audit:required
node scripts/rust-smoke.mjs
Run benchmarks when performance-sensitive Rust paths changed:
cargo bench -p csv-anonymizer-core --bench csv_streaming
cargo bench -p csv-anonymizer-core --bench detector_matrix -- --sample-size 10
src-tauri/tauri.conf.json uses:
- build.beforeBuildCommand: scripts/build_frontend_for_tauri.sh
- build.frontendDist: ../frontend/dist
- build.devUrl: http://localhost:5173
When CSV_ANONYMIZER_USE_PREBUILT_FRONTEND=1, scripts/build_frontend_for_tauri.sh requires an existing frontend/dist/index.html plus non-empty built CSS assets. npm run tauri:prebuilt:check verifies that missing frontend/dist and missing CSS fail as expected.
The release workflow in .github/workflows/release.yml:
- Builds the frontend.
- Installs the pinned Tauri CLI from TAURI_CLI_VERSION.
- Builds the .app bundle with CSV_ANONYMIZER_USE_PREBUILT_FRONTEND=1.
- Signs, notarizes, staples, and verifies the .app.
- Builds the .dmg through scripts/package-rust-macos.mjs.
- Signs, notarizes, staples, and verifies the .dmg.
- Validates artifacts with scripts/check-rust-artifacts.mjs.
- Uploads .dmg assets to the draft GitHub Release.
Signing and notarization values are GitHub Actions secrets. Do not store their values in the repo.
Linux packaging uses scripts/package-tauri-linux.mjs and the Tauri Linux config in src-tauri/tauri.linux.conf.json.
Local or CI package validation:
node scripts/package-tauri-linux.mjs
python3 scripts/validate_linux_package_metadata.py "dist/rust/artifacts/*.deb" "dist/rust/artifacts/*.rpm"
node scripts/check-apt-repository.mjs
node scripts/check-apt-installer.mjs
scripts/validate_linux_package_metadata.py extracts .deb and .rpm files and checks installed desktop files, AppStream metadata, license files, launchable IDs, binary names, release versions, and icon paths.
scripts/build_apt_repository.py builds the static APT repository from .deb artifacts. The release workflow:
- Imports the Linux signing key into a temporary GPG home.
- Builds dist/rust/apt-pages/apt.
- Exports csv-anonymizer-archive-keyring.pgp.
- Builds csv-anonymizer-repository-setup_1.0_all.deb.
- Signs repository metadata and setup-package checksum files.
- Renders install-apt-repo.sh with the expected signing key fingerprint.
- Publishes the APT Pages artifact only after package validation passes.
The installer script itself does not have a detached signature. It authenticates the repository setup package through the pinned key and signed checksum.
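The pinned-key and signed-checksum chain described above, sketched as an added example for a downloaded artifact with its .sha256 and .sha256.asc files (this is not the project's install-apt-repo.sh). It assumes the sidecar uses `sha256sum` output format and that the detached signature covers the sidecar; the function names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: verify a download via signed checksum and pinned fingerprint.
# Order matters: trust the sidecar only after its signature and signer check out.

# Reads gpgv --status-fd output on stdin. Succeeds only if a VALIDSIG line
# names the pinned primary-key fingerprint (the last field of VALIDSIG).
signer_is_pinned() {
  pinned=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
  awk -v want="$pinned" '
    $1 == "[GNUPG:]" && $2 == "VALIDSIG" && toupper($NF) == want { ok = 1 }
    END { exit !ok }'
}

# Succeeds only if the first field of the sidecar equals the file's SHA-256.
# Assumption: sidecar is in sha256sum format ("<hex digest>  <name>").
checksum_matches() {
  want=$(awk 'NR == 1 { print tolower($1) }' "$2")
  got=$(sha256sum "$1" | awk '{ print $1 }')
  [ -n "$want" ] && [ "$want" = "$got" ]
}

# verify_artifact <artifact> <keyring-path> <pinned-fingerprint>
# The keyring path must contain a slash, otherwise gpgv looks in its home dir.
verify_artifact() {
  artifact=$1 keyring=$2 pinned_fpr=$3
  # 1. The signature over the checksum sidecar must verify against the keyring.
  status=$(gpgv --keyring "$keyring" --status-fd 1 \
      "$artifact.sha256.asc" "$artifact.sha256" 2>/dev/null) || return 1
  # 2. The signing key must be the pinned one, not just any key in the keyring.
  printf '%s\n' "$status" | signer_is_pinned "$pinned_fpr" || return 1
  # 3. Only now is the sidecar trusted enough to compare against the artifact.
  checksum_matches "$artifact" "$artifact.sha256"
}
```

A call would look like `verify_artifact ./package.deb ./csv-anonymizer-archive-keyring.pgp "<PINNED-FINGERPRINT>"`, where the artifact name and fingerprint are placeholders to be taken from the release.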
Pushing a v* tag triggers .github/workflows/release.yml. The workflow validates the release first, creates or refreshes a draft GitHub Release, builds macOS and Linux assets, publishes the APT repository to GitHub Pages, then publishes the GitHub Release only after all platform and APT jobs succeed.
Related pages: Testing, Tooling, Security, and Configuration.