Merged
12 changes: 7 additions & 5 deletions docs/specs/deploy.md
Expand Up @@ -58,7 +58,7 @@ Stage 2: Local (sign-and-deploy.sh)

## Stage 1: CI workflow

Triggered by tag push `v*`. Three parallel jobs:
Triggered by tag push `v*`. Three jobs run in parallel — `build-standalone`, `build-vscode`, and `security-audit` — and `publish-vscode` runs after all three succeed:

The workflow defaults `GITHUB_TOKEN` to read-only repository access with:

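Review bot: the rewritten intro sentence still ends with a colon, as the old "Three parallel jobs:" did, but it now also names every job and states the `publish-vscode` gating inline, so whatever list follows it will repeat the job names; either end the sentence with a period and let the list carry the job names, or keep the colon and trim the sentence back to the parallelism claim. It would also help to state the gating in the workflow's own terms, i.e. that `publish-vscode` declares `needs: [build-standalone, build-vscode, security-audit]`, so a reader can check the doc against the YAML.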
Expand Down Expand Up @@ -120,18 +120,20 @@ Runs on `ubuntu-latest`:
7. Publish a GitHub artifact attestation for the manifest
8. Upload the manifest plus `.vsix` as artifact

### Job: `security-audit`

Calls the reusable `security-audit.yaml` workflow, which audits the repo against `SECURITY.md` (the same audit that runs nightly via schedule). `publish-vscode` is gated on it, so a failing security audit blocks the VS Code Marketplace publish.

### Job: `publish-vscode`

Runs after `build-vscode` succeeds:
Runs after `build-standalone`, `build-vscode`, and `security-audit` succeed:
1. Enter the `vscode-extension-publish` GitHub environment
2. Download `.vsix` artifact
3. `pnpm exec vsce publish --packagePath *.vsix --no-dependencies`
4. `pnpm exec ovsx publish --packagePath *.vsix --no-dependencies`

This runs in CI because VSCode Marketplace publishing uses PAT tokens (no hardware key needed). The `vscode-extension-publish` environment must require reviewer approval and allow deployments only from `v*` tags. Store `VSCE_PAT` and `OVSX_PAT` as environment secrets there, not broad repository secrets.

**Migration note:** This replaces the existing `.github/workflows/publish-vscode.yml`, which was triggered by `vscode-ext/v*` tags and has never been run. That workflow should be deleted when the unified release workflow is created. Fixes from the old workflow: use `ubuntu-latest` instead of `macos-latest`, upgrade to Node 22, and unify under the `v*` tag convention.

## Stage 2: Local script

`scripts/sign-and-deploy.sh` is the source of truth for the local pipeline (download, sign, notarize, package, release). Run with no args or `--help` to see subcommands.
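Review bot: the new `publish-vscode` prerequisite list adds `build-standalone`, but the job's steps (lines 1-4 of that section) only download and publish the `.vsix` artifact and never consume anything `build-standalone` produces; state the reason for the dependency (presumably: do not publish the extension for a tag whose standalone build failed, so the Marketplace never gets ahead of the desktop release) so the next editor does not "simplify" it away. For the new `security-audit` section, document how the reusable `security-audit.yaml` is referenced from the release workflow (same-repo path vs. a pinned ref) and what "failing" means for it, since a gate that can be skipped or called from a floating ref is weaker than the sentence "a failing security audit blocks the VS Code Marketplace publish" implies.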
Expand All @@ -156,7 +158,7 @@ The local script must also select release artifacts by strict expected paths ins

Release upload likewise uses only the three stable output filenames (`Dormouse-macos-aarch64.tar.gz`, `Dormouse-windows-x64-setup.exe`, `Dormouse-linux-x86_64.AppImage`) and fails if `release-signed/release-assets` contains any other files.

When rebuilding the Windows installer locally, the script patches the Tauri-generated NSIS `ADDITIONALPLUGINSPATH` and `OUTFILE` values to the expected local plugin directory and installer path before running `makensis`.
When rebuilding the Windows installer locally, the script rewrites the absolute CI-runner paths baked into the Tauri-generated NSIS `.nsi` script (via `scripts/patch-nsis-paths.pl`) and patches the `ADDITIONALPLUGINSPATH` and `OUTFILE` defines to the expected local plugin directory and installer path before running `makensis`.

### One-time setup

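Review bot: the rest of this section is written fail-closed (strict expected paths, and the upload "fails if `release-signed/release-assets` contains any other files"), but the new sentence about `scripts/patch-nsis-paths.pl` only says the absolute CI-runner paths are rewritten; say what happens when the `.nsi` still contains an absolute runner path after patching, or when the `ADDITIONALPLUGINSPATH` or `OUTFILE` define is not found, so a reader knows whether `makensis` can run against a half-patched script. The sentence is also long enough to split: one for the runner-path rewrite via the Perl script, one for the two define patches.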