release: harden v0.24.0 rollout

Author: BunsDev

.github/workflows/release.yml

@@ -10,11 +10,6 @@ on:
         description: "Release version (for example 1.2.3 or v1.2.3)"
         required: true
         type: string
-      publish_cli:
-        description: "Publish the okcodes CLI to npm after the desktop release finalizes"
-        required: false
-        default: false
-        type: boolean
 
 permissions:
   contents: write
@@ -228,6 +223,9 @@ jobs:
               "$AZURE_TRUSTED_SIGNING_CERTIFICATE_PROFILE_NAME" \
               "$AZURE_TRUSTED_SIGNING_PUBLISHER_NAME"; then
               args+=(--signed --require-signed)
+            elif [[ "${{ needs.preflight.outputs.is_prerelease }}" == "false" ]]; then
+              echo "Missing Azure Trusted Signing secrets for a stable Windows release." >&2
+              exit 1
             else
               echo "Azure Trusted Signing secrets not configured; building unsigned Windows artifact." >&2
             fi
@@ -288,12 +286,8 @@ jobs:
     name: iOS signing preflight
     needs: [preflight]
     runs-on: ubuntu-24.04
-    outputs:
-      enabled: ${{ steps.check.outputs.enabled }}
-      missing: ${{ steps.check.outputs.missing }}
     steps:
-      - id: check
-        name: Check iOS signing secrets
+      - name: Check iOS signing secrets
         shell: bash
         env:
           IOS_CERTIFICATE_P12: ${{ secrets.IOS_CERTIFICATE_P12 }}
@@ -325,21 +319,17 @@ jobs:
             fi
           done
 
-          if (( ${#missing[@]} == 0 )); then
-            echo "enabled=true" >> "$GITHUB_OUTPUT"
-            echo "missing=" >> "$GITHUB_OUTPUT"
-            echo "All required iOS signing secrets are configured."
-          else
+          if (( ${#missing[@]} > 0 )); then
             missing_csv="$(IFS=,; echo "${missing[*]}")"
-            echo "enabled=false" >> "$GITHUB_OUTPUT"
-            echo "missing=$missing_csv" >> "$GITHUB_OUTPUT"
-            echo "Skipping iOS TestFlight because the following required secrets are missing: $missing_csv"
+            echo "Missing required iOS signing secrets: $missing_csv" >&2
+            exit 1
           fi
 
+          echo "All required iOS signing secrets are configured."
+
   ios_testflight:
     name: iOS TestFlight
     needs: [preflight, ios_signing_preflight]
-    if: ${{ needs.ios_signing_preflight.outputs.enabled == 'true' }}
     runs-on: macos-14
     env:
       RELEASE_VERSION: ${{ needs.preflight.outputs.version }}
@@ -525,20 +515,19 @@ jobs:
 
   publish_cli:
     name: Publish CLI
-    needs: [preflight, finalize]
-    if: ${{ !cancelled() && needs.finalize.result == 'success' && github.event_name == 'workflow_dispatch' && inputs.publish_cli }}
-    continue-on-error: true
+    needs: [preflight, desktop_build, ios_signing_preflight, ios_testflight]
+    if: ${{ !cancelled() && needs.preflight.result == 'success' && needs.desktop_build.result == 'success' && needs.ios_signing_preflight.result == 'success' && needs.ios_testflight.result == 'success' }}
     runs-on: ubuntu-24.04
     env:
       NODE_AUTH_TOKEN: ${{ secrets.NODE_AUTH_TOKEN }}
       OKCODE_COMMIT_HASH: ${{ github.sha }}
       OKCODE_BUILD_TIMESTAMP: ${{ needs.preflight.outputs.build_timestamp }}
       OKCODE_RELEASE_CHANNEL: ${{ needs.preflight.outputs.release_channel }}
     steps:
-      - name: Checkout finalized main
+      - name: Checkout release commit
         uses: actions/checkout@v6
         with:
-          ref: main
+          ref: ${{ needs.preflight.outputs.ref }}
           fetch-depth: 0
 
       - name: Setup Bun
@@ -555,29 +544,14 @@ jobs:
       - name: Install dependencies
         run: bun install --frozen-lockfile
 
-      - name: Assert package versions match stated release version
-        env:
-          RELEASE_VERSION: ${{ needs.preflight.outputs.version }}
+      - name: Validate npm publish token
+        shell: bash
         run: |
-          node <<'NODE'
-          const fs = require('fs');
-          const files = [
-            'apps/server/package.json',
-            'apps/desktop/package.json',
-            'apps/web/package.json',
-            'apps/mobile/package.json',
-            'packages/contracts/package.json',
-          ];
-          const expected = process.env.RELEASE_VERSION;
-          const mismatches = files.filter((file) => {
-            const version = JSON.parse(fs.readFileSync(file, 'utf8')).version;
-            return version !== expected;
-          });
-          if (mismatches.length > 0) {
-            console.error(`Package version mismatch for release ${expected}: ${mismatches.join(', ')}`);
-            process.exit(1);
-          }
-          NODE
+          set -euo pipefail
+          [[ -n "$NODE_AUTH_TOKEN" ]] || { echo "Missing secret NODE_AUTH_TOKEN" >&2; exit 1; }
+
+      - name: Align package versions to release version
+        run: node scripts/update-release-package-versions.ts "${{ needs.preflight.outputs.version }}"
 
       - name: Build CLI package
         run: bun run build --filter=@okcode/web --filter=okcodes
@@ -607,8 +581,8 @@ jobs:
 
   release:
     name: Publish GitHub Release
-    needs: [preflight, desktop_build, ios_signing_preflight, ios_testflight]
-    if: ${{ always() && !cancelled() && needs.preflight.result == 'success' && needs.desktop_build.result == 'success' && needs.ios_signing_preflight.result == 'success' && (needs.ios_testflight.result == 'success' || needs.ios_testflight.result == 'skipped') }}
+    needs: [preflight, desktop_build, ios_signing_preflight, ios_testflight, publish_cli]
+    if: ${{ always() && !cancelled() && needs.preflight.result == 'success' && needs.desktop_build.result == 'success' && needs.ios_signing_preflight.result == 'success' && needs.ios_testflight.result == 'success' && needs.publish_cli.result == 'success' }}
     runs-on: ubuntu-24.04
     steps:
       - name: Checkout
@@ -643,6 +617,9 @@ jobs:
           cp "$notes" release-assets/okcode-RELEASE-NOTES.md
           cp "$manifest" release-assets/okcode-ASSETS-MANIFEST.md
 
+      - name: Validate release asset completeness
+        run: node scripts/validate-release-assets.ts release-assets
+
       - name: Publish release
         uses: softprops/action-gh-release@v2
         with:

docs/releases/v0.24.0.md

@@ -21,7 +21,7 @@ Theme presets, markdown rendering unification, project icon support, and active-
 
 ## Upgrade and install
 
-- **CLI:** `npm install -g okcodes@0.24.0` (after the package is published to npm manually).
+- **CLI:** `npm install -g okcodes@0.24.0` once the coordinated release workflow finishes.
 - **Desktop:** Download from [GitHub Releases](https://github.com/OpenKnots/okcode/releases/tag/v0.24.0). Filenames are listed in [assets.md](v0.24.0/assets.md).
 - **iOS:** Available via TestFlight (uploaded automatically by the Release iOS workflow).
 

docs/releases/v0.24.0/assets.md

@@ -1,6 +1,6 @@
 # v0.24.0 — Release assets (manifest)
 
-Binaries are **not** stored in this git repository; they are attached to the [GitHub Release for `v0.24.0`](https://github.com/OpenKnots/okcode/releases/tag/v0.24.0) by the [Release Desktop workflow](../../.github/workflows/release.yml).
+Binaries are **not** stored in this git repository; they are attached to the [GitHub Release for `v0.24.0`](https://github.com/OpenKnots/okcode/releases/tag/v0.24.0) by the [Release workflow](../../.github/workflows/release.yml).
 
 The GitHub Release also includes **documentation attachments** (same content as in-repo, stable filenames for download):
 

docs/releases/v0.24.0/rollout-checklist.md

@@ -35,7 +35,7 @@ Step-by-step playbook for the v0.24.0 release. Each phase must complete before a
 - [ ] Push the release-prep commit to `main`.
 - [ ] Create and push tag `v0.24.0`.
 - [ ] Verify the coordinated `release.yml` workflow starts.
-- [ ] Monitor the pipeline through Preflight, Desktop builds, iOS signing preflight, optional iOS TestFlight, Publish GitHub Release, Finalize release, and optional CLI publish if started through manual dispatch.
+- [ ] Monitor the pipeline through Preflight, Desktop builds, iOS signing preflight, iOS TestFlight, Publish CLI, Publish GitHub Release, and Finalize release.
 
 ### Asset verification
 

scripts/prepare-release.ts

@@ -263,7 +263,7 @@ ${highlights || "- See changelog for detailed changes."}
 
 ## Upgrade and install
 
-- **CLI:** \`npm install -g okcodes@${version}\` (after the package is published to npm manually).
+- **CLI:** \`npm install -g okcodes@${version}\` once the coordinated release workflow finishes.
 - **Desktop:** Download from [GitHub Releases](${REPO_URL}/releases/tag/v${version}). Filenames are listed in [assets.md](v${version}/assets.md).
 - **iOS:** Available via TestFlight (uploaded automatically by the Release iOS workflow).
 
@@ -282,7 +282,7 @@ OK Code remains early work in progress. Expect rough edges around session recove
 function generateAssetManifest(version: string): string {
   return `# v${version} — Release assets (manifest)
 
-Binaries are **not** stored in this git repository; they are attached to the [GitHub Release for \`v${version}\`](${REPO_URL}/releases/tag/v${version}) by the [Release Desktop workflow](../../.github/workflows/release.yml).
+Binaries are **not** stored in this git repository; they are attached to the [GitHub Release for \`v${version}\`](${REPO_URL}/releases/tag/v${version}) by the [Release workflow](../../.github/workflows/release.yml).
 
 The GitHub Release also includes **documentation attachments** (same content as in-repo, stable filenames for download):
 
@@ -378,7 +378,7 @@ Step-by-step playbook for the v${version} release. Each phase must complete befo
 - [ ] Push the release-prep commit to \`main\`.
 - [ ] Create and push tag \`v${version}\`.
 - [ ] Verify the coordinated \`release.yml\` workflow starts.
-- [ ] Monitor the pipeline through Preflight, Desktop builds, iOS signing preflight, optional iOS TestFlight, Publish GitHub Release, Finalize release, and optional CLI publish if started through manual dispatch.
+- [ ] Monitor the pipeline through Preflight, Desktop builds, iOS signing preflight, iOS TestFlight, Publish CLI, Publish GitHub Release, and Finalize release.
 
 ### Asset verification
 
@@ -885,12 +885,6 @@ async function main(): Promise<void> {
       log("--", "Would commit release documentation.");
       log("--", `Would create tag: ${tag}`);
       log("--", `Would push tag: ${tag}`);
-      if (fullMatrix) {
-        log(
-          "--",
-          `Would optionally publish the CLI after release via: gh workflow run release.yml -f version=${version} -f publish_cli=true`,
-        );
-      }
     } else {
       log("--", "Skipping commit/tag/push (--skip-commit).");
     }
@@ -934,11 +928,7 @@ async function main(): Promise<void> {
     if (fullMatrix) {
       log(
         "!!",
-        "The current release workflow already runs the full platform matrix on tag push. Use workflow_dispatch with publish_cli=true only if you need the optional CLI publish lane.",
-      );
-      log(
-        "!!",
-        `Optional CLI publish dispatch: gh workflow run release.yml -f version=${version} -f publish_cli=true`,
+        "The current release workflow already runs the full platform matrix on tag push. The --full-matrix flag is deprecated and no longer changes release behavior.",
       );
     }
   }
@@ -971,11 +961,6 @@ async function main(): Promise<void> {
     console.log(`    3. git commit -m "release: prepare v${version}"`);
     console.log(`    4. git push origin main`);
     console.log(`    5. git tag ${tag} && git push origin ${tag}`);
-    if (fullMatrix) {
-      console.log(
-        `    6. Optional CLI publish dispatch: gh workflow run release.yml -f version=${version} -f publish_cli=true`,
-      );
-    }
     console.log("");
   }
 }

scripts/release-smoke.ts

@@ -70,6 +70,27 @@ releaseDate: '2026-03-08T10:36:07.540Z'
   return { arm64Path, x64Path };
 }
 
+function writeReleaseAssetFixtures(targetRoot: string): void {
+  const assetDirectory = resolve(targetRoot, "release-assets");
+  mkdirSync(assetDirectory, { recursive: true });
+
+  for (const assetName of [
+    "OK-Code-9.9.9-smoke.0-arm64.dmg",
+    "OK-Code-9.9.9-smoke.0-arm64.zip",
+    "OK-Code-9.9.9-smoke.0-arm64.zip.blockmap",
+    "OK-Code-9.9.9-smoke.0.AppImage",
+    "OK-Code-9.9.9-smoke.0.exe",
+    "OK-Code-9.9.9-smoke.0.exe.blockmap",
+    "latest-linux.yml",
+    "latest.yml",
+    "okcode-CHANGELOG.md",
+    "okcode-RELEASE-NOTES.md",
+    "okcode-ASSETS-MANIFEST.md",
+  ]) {
+    writeFileSync(resolve(assetDirectory, assetName), `${assetName}\n`);
+  }
+}
+
 function assertContains(haystack: string, needle: string, message: string): void {
   if (!haystack.includes(needle)) {
     throw new Error(message);
@@ -108,6 +129,7 @@ try {
   );
 
   const { arm64Path, x64Path } = writeMacManifestFixtures(tempRoot);
+  writeReleaseAssetFixtures(tempRoot);
   execFileSync(
     process.execPath,
     [resolve(repoRoot, "scripts/merge-mac-update-manifests.ts"), arm64Path, x64Path],
@@ -129,6 +151,15 @@ try {
     "Merged manifest is missing the x64 asset.",
   );
 
+  execFileSync(
+    process.execPath,
+    [resolve(repoRoot, "scripts/validate-release-assets.ts"), resolve(tempRoot, "release-assets")],
+    {
+      cwd: repoRoot,
+      stdio: "inherit",
+    },
+  );
+
   console.log("Release smoke checks passed.");
 } finally {
   rmSync(tempRoot, { recursive: true, force: true });

scripts/validate-release-assets.test.ts

@@ -0,0 +1,41 @@
+import { assert, describe, it } from "@effect/vitest";
+
+import { validateReleaseAssets } from "./validate-release-assets.ts";
+
+describe("validateReleaseAssets", () => {
+  const completeAssetSet = [
+    "OK-Code-0.24.0-arm64.dmg",
+    "OK-Code-0.24.0-arm64.zip",
+    "OK-Code-0.24.0-arm64.zip.blockmap",
+    "OK-Code-0.24.0.AppImage",
+    "OK-Code-0.24.0.exe",
+    "OK-Code-0.24.0.exe.blockmap",
+    "latest-mac.yml",
+    "latest-linux.yml",
+    "latest.yml",
+    "okcode-CHANGELOG.md",
+    "okcode-RELEASE-NOTES.md",
+    "okcode-ASSETS-MANIFEST.md",
+  ];
+
+  it("accepts a complete coordinated release asset set", () => {
+    assert.doesNotThrow(() => validateReleaseAssets(completeAssetSet));
+  });
+
+  it("rejects releases that are missing a required desktop asset class", () => {
+    assert.throws(
+      () => validateReleaseAssets(completeAssetSet.filter((asset) => asset !== "latest-linux.yml")),
+      /Missing required release assets: linux updater manifest/,
+    );
+  });
+
+  it("rejects releases that are missing required documentation attachments", () => {
+    assert.throws(
+      () =>
+        validateReleaseAssets(
+          completeAssetSet.filter((asset) => asset !== "okcode-ASSETS-MANIFEST.md"),
+        ),
+      /Missing required release assets: asset manifest attachment/,
+    );
+  });
+});