@yujonglee yujonglee commented Nov 29, 2025

Summary

Adds SHA256 checksum generation for desktop release artifacts. Each release will now include .sha256 files alongside the binaries (DMG and AppImage files) in GitHub Releases.

Changes:

  • New reusable action .github/actions/generate_checksums that generates SHA256 checksums for a list of files
  • Updated desktop_cd.yaml publish job to generate checksums after downloading artifacts from R2 and include them in the release

Updates since last revision

  • Added required name and description metadata fields to the composite action (per CodeRabbit review)

Review & Testing Checklist for Human

  • Verify the conditional expressions in lines 311-314 produce the expected file list when builds succeed/fail (the ternary operators output empty strings for failed builds, which the action skips)
  • Confirm the action's error handling is appropriate - it will fail the release if any expected file is missing
  • Test by running a nightly release and verifying .sha256 files appear in the GitHub Release assets

Notes

This PR only covers the CI/workflow side. The changelog page (apps/web/src/routes/_view/changelog/$slug.tsx) will need a separate update to display checksum links to users (similar to Docker Desktop's UI).

The action uses sha256sum which is available on the Linux runner (depot-ubuntu-24.04-8) used by the publish job.


Link to Devin run: https://app.devin.ai/sessions/737f0cd7c8fb4b14b08f5ee7061e0f69
Requested by: yujonglee (@yujonglee)

- Create reusable generate_checksums action in .github/actions
- Update desktop_cd.yaml publish job to generate checksums for all artifacts
- Checksums are uploaded to GitHub Releases alongside binaries

Co-Authored-By: yujonglee <yujonglee.dev@gmail.com>
@devin-ai-integration

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

  • Address comments on this PR that start with 'DevinAI' or '@devin'.
  • Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.


@netlify

netlify bot commented Nov 29, 2025

Deploy Preview for hyprnote-storybook ready!

Name Link
🔨 Latest commit 05f5025
🔍 Latest deploy log https://app.netlify.com/projects/hyprnote-storybook/deploys/692ad92625e523000858a650
😎 Deploy Preview https://deploy-preview-1994--hyprnote-storybook.netlify.app

@netlify

netlify bot commented Nov 29, 2025

Deploy Preview for hyprnote ready!

Name Link
🔨 Latest commit 05f5025
🔍 Latest deploy log https://app.netlify.com/projects/hyprnote/deploys/692ad92685bd6f00085b102d
😎 Deploy Preview https://deploy-preview-1994--hyprnote.netlify.app

@coderabbitai

coderabbitai bot commented Nov 29, 2025

Walkthrough

Adds a new GitHub composite action that generates SHA-256 checksum files for provided artifacts and integrates that action into the desktop CD workflow to conditionally include generated checksum files in the aggregated release artifacts.

Changes

Cohort / File(s): Summary

Checksum generation action (.github/actions/generate_checksums/action.yaml): New composite action with required files input: reads newline-separated file list, skips empty lines, validates existence, generates <filename>.sha256 using sha256sum, accumulates a comma-separated checksum_files output written to $GITHUB_OUTPUT, uses bash with set -euo pipefail.

Release workflow integration (.github/workflows/desktop_cd.yaml): Adds a checksums step invoking the new action for macOS DMG and Linux AppImage artifacts; conditionally appends the action's checksum_files output to the workflow-level ARTIFACTS aggregation so checksum files are included in the release when present.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

  • Review attention: .github/actions/generate_checksums/action.yaml (shell script correctness, edge-case handling, $GITHUB_OUTPUT formatting), and .github/workflows/desktop_cd.yaml (step inputs, conditional expressions, proper propagation/appending of checksum_files to ARTIFACTS).

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)
Check name Status Explanation
Title check ✅ Passed The title clearly and accurately summarizes the main change: adding SHA256 checksum generation to release builds, which directly matches the PR's core objective.
Description check ✅ Passed The description is comprehensive and directly related to the changeset, explaining the purpose, implementation details, testing checklist, and noting future work on the changelog UI.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

📜 Recent review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between c9e8a6b and 05f5025.

📒 Files selected for processing (1)
  • .github/actions/generate_checksums/action.yaml (1 hunks)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (4)
  • GitHub Check: Redirect rules - hyprnote
  • GitHub Check: Header rules - hyprnote
  • GitHub Check: Pages changed - hyprnote
  • GitHub Check: fmt
🔇 Additional comments (4)
.github/actions/generate_checksums/action.yaml (4)

1-2: Metadata fields now properly defined.

The previously flagged critical issue about missing name and description fields has been addressed. These are now correctly present and will allow the action to validate properly with GitHub Actions.


4-12: Input and output schema is well-structured.

The action properly defines required input (files as newline-separated strings) and outputs (checksum_files as comma-separated paths) with clear descriptions. The output value correctly references the step ID and output key.


19-43: Shell script logic is sound with proper error handling and quoting.

The implementation correctly:

  • Uses strict error handling (set -euo pipefail) for reliability
  • Validates file existence and exits with status 1 on missing files (lines 29–32)
  • Skips empty lines in the input (lines 25–27)
  • Properly quotes variable expansions to handle filenames with spaces (lines 34, 37–39)
  • Accumulates comma-separated output without leading commas (lines 36–40)
  • Writes output in correct GitHub Actions format (line 43)

The here-string syntax on line 41 correctly passes the newline-separated input to the while loop.


24-43: Verify sha256sum availability in workflow runtime.

The action depends on the sha256sum command being available in the runner environment. Per the PR description, this is deployed on depot-ubuntu-24.04-8, where sha256sum is standard. However, confirm that the desktop_cd.yaml workflow uses a compatible runner before merge.


@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🧹 Nitpick comments (1)
.github/workflows/desktop_cd.yaml (1)

308-314: Consider simplifying the input format using conditional flow.

The current approach uses ternary expressions (${{ condition && 'file' || '' }}) that produce empty lines, which the downstream action must skip. While this works, a clearer pattern would be to conditionally output file names only when needed.

Consider refactoring to explicitly build the input list:

- id: checksums
  uses: ./.github/actions/generate_checksums
  with:
    files: |
      ${{ needs.build-macos.result == 'success' && format('hyprnote-macos-aarch64.dmg{0}hyprnote-macos-x86_64.dmg', char(10)) || '' }}
      ${{ needs.build-linux.result == 'success' && 'hyprnote-linux-x86_64.AppImage' || '' }}

Alternatively, construct the input dynamically in a preceding script step to avoid empty lines entirely.

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between c5e5c38 and c9e8a6b.

📒 Files selected for processing (2)
  • .github/actions/generate_checksums/action.yaml (1 hunks)
  • .github/workflows/desktop_cd.yaml (2 hunks)
🧰 Additional context used
🪛 actionlint (1.7.9)
.github/workflows/desktop_cd.yaml

309-309: description is required in metadata of "" action at "/home/jailuser/git/.github/actions/generate_checksums/action.yaml"

(action)


309-309: name is required in action metadata "/home/jailuser/git/.github/actions/generate_checksums/action.yaml"

(action)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (4)
  • GitHub Check: Redirect rules - hyprnote
  • GitHub Check: Header rules - hyprnote
  • GitHub Check: Pages changed - hyprnote
  • GitHub Check: fmt
🔇 Additional comments (2)
.github/workflows/desktop_cd.yaml (1)

332-334: Artifact integration logic is sound.

The conditional appending of checksums to the artifacts list is correct. The check for non-empty checksum_files output ensures checksums are only included when available, and the comma-separated format matches the expected artifacts list structure.

.github/actions/generate_checksums/action.yaml (1)

11-40: Bash implementation is well-structured with solid error handling.

The script correctly uses strict mode (set -euo pipefail), validates file existence before processing, properly skips empty lines, and generates checksums with correct output formatting. The comma-separated list construction for multiple files is accurate.

Co-Authored-By: yujonglee <yujonglee.dev@gmail.com>
@yujonglee yujonglee merged commit 8ed691b into main Nov 29, 2025
10 checks passed
@yujonglee yujonglee deleted the devin/1764415353-add-checksums branch November 29, 2025 11:42
@coderabbitai coderabbitai bot mentioned this pull request Dec 3, 2025
4 tasks
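
The behaviour described in this thread (newline-separated input, empty lines skipped, hard failure on a missing file, comma-separated output) together with the matching consumer-side check, as an added example that is not the project's action.yaml. The function names and demo file names are assumptions, and it feeds the loop from a heredoc where the review mentions a here-string.

```bash
#!/usr/bin/env bash
# Added example: mirrors the behaviour described in this PR, not the project's action.yaml.
set -eu

# Producer side. $1 is a newline-separated file list; blank lines (what the
# workflow's ternaries emit for failed builds) are skipped. Writes
# <file>.sha256 beside each file and prints the comma-separated list.
generate_checksums() {
  local files="$1" out="" file dir base
  while IFS= read -r file; do
    [ -n "$file" ] || continue
    if [ ! -f "$file" ]; then
      echo "error: expected artifact not found: $file" >&2
      return 1                      # fail the release rather than ship a gap
    fi
    dir=$(dirname -- "$file")
    base=$(basename -- "$file")
    # Hash from inside the directory so the .sha256 records a bare filename
    # and still verifies after a user downloads both files elsewhere.
    (cd "$dir" && sha256sum -- "$base" > "$base.sha256") || return 1
    out="${out:+$out,}$file.sha256"
  done <<EOF
$files
EOF
  printf '%s\n' "$out"
}

# Consumer side: succeeds only if the file still matches its .sha256.
verify_checksum() {
  local dir base
  dir=$(dirname -- "$1")
  base=$(basename -- "$1")
  (cd "$dir" && sha256sum -c -- "$base.sha256" >/dev/null 2>&1)
}

# Constructed demo: two stand-in artifacts and one empty line (a failed build).
demo() {
  local tmp list
  tmp=$(mktemp -d)
  printf 'dmg bytes' > "$tmp/app-macos.dmg"
  printf 'appimage bytes' > "$tmp/app-linux.AppImage"
  list=$(generate_checksums "$tmp/app-macos.dmg

$tmp/app-linux.AppImage")
  echo "checksum_files=$list"
  verify_checksum "$tmp/app-macos.dmg" && echo "verified"
  rm -rf "$tmp"
}
demo
```

A .sha256 published in the same release as the binary catches truncated or corrupted downloads; it does not authenticate the release, since anyone able to replace the asset can replace its checksum too.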