refactor(ci): Global refactoring of pipeline workflows while addressing current technical debt #40
📝 Walkthrough
The PR splits Discord automation into separate workflows and scripts, adds a shared Node setup action used by CI and build jobs, updates release and package publication workflows, and expands the workflow documentation.
Estimated code review effort: 🎯 4 (Complex) | ⏱️ ~75 minutes
Actionable comments posted: 10
🧹 Nitpick comments (1)
.github/scripts/discord-roadmap-sync.mjs (1)
27-34: 🎯 Functional Correctness | 🔵 Trivial | ⚡ Quick win
Migrate the Discord pins calls to the new API
`GET /channels/{channelId}/pins` and `PUT /channels/{channelId}/pins/{messageId}` are the deprecated endpoints. The new API returns `{ items, has_more }` from `GET /channels/{channelId}/messages/pins`, so this lookup should read `items[].message` and the pin call should move under `/messages/pins/{messageId}`.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/scripts/discord-roadmap-sync.mjs around lines 27 - 34, Update the Discord pin handling in discord-roadmap-sync.mjs to use the new pins API instead of the deprecated channel pins endpoints. In the logic around the pin lookup and pinning flow (including the fetch that reads pins and the later pin request), switch the GET request to /channels/{channelId}/messages/pins, read the returned items list and inspect each item.message for the roadmap embed title, and move the pin operation to /channels/{channelId}/messages/pins/{messageId}. Keep the existing ROADMAP_EMBED_TITLE matching and existingMessageId flow intact while adapting it to the new response shape.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/scripts/discord-pr-sync.mjs:
- Around line 195-199: The thread ID handling in discord-pr-sync.mjs is trusting
attacker-controlled PR body content from extractThreadId(body), which can
redirect bot actions to arbitrary Discord threads. Update the logic around
shouldCreateThread and the subsequent patchDiscordThread/discordPost flow to
treat any marker from pr.body as untrusted unless it can be validated against
the expected forum/channel via the Discord API or confirmed as previously
written by the bot. Ensure the bot only mutates a thread when the resolved
thread ID is verified to belong to the intended parent channel, and otherwise
ignore the marker and create/use a safe thread path.
- Line 226: The applied_tags list can exceed Discord’s 5-tag limit when
combining the status tag with mapped label tags. Update the appliedTags
construction in discord-pr-sync.mjs to cap the final array at 5 while always
keeping statusTag first when present, and apply the same clamping logic in the
other appliedTags usages in the sync flow so create/patch calls never send too
many tags.
In @.github/scripts/discord-weekly-leaderboard.mjs:
- Around line 19-34: The leaderboard logic in the search/query flow is only
reading the first page of results, so counts and totalMerged are incomplete when
there are more than 100 merged PRs. Update the search handling around
octokit.rest.search.issuesAndPullRequests and the counter/totalMerged
calculation to paginate through all result pages, accumulate every item before
ranking, and compute totalMerged from the full merged set rather than just
search.data.items.
In @.github/workflows/aur-publish.yml:
- Around line 37-44: The AUR secret check only stops the “Check AUR secrets”
step, so the later publish steps still run without a key and fail; add the same
missing-key condition as an if guard on the SSH/clone/push steps in the AUR
publish workflow. Reuse the existing AUR_SSH_PRIVATE_KEY check around the
publish-related steps so they are skipped entirely when the secret is absent,
rather than relying on exit 0 inside the first step.
- Around line 117-121: The AUR publish workflow can commit a stale .SRCINFO
because the fallback in the .SRCINFO generation step only warns when makepkg is
unavailable. Update the aur-publish job so the step using makepkg --printsrcinfo
either installs the needed Arch tooling first or fails the workflow when makepkg
cannot run, and ensure the publish path does not continue with an unchanged
.SRCINFO. Use the existing .SRCINFO generation block in the aur-publish.yml job
to locate and adjust this behavior.
- Around line 86-94: The AUR SSH setup in the workflow currently uses
ssh-keyscan, which trusts a live host response and weakens host verification.
Update the SSH config setup in the workflow to write a pinned aur.archlinux.org
known_hosts entry from a repository secret/variable instead of calling
ssh-keyscan, and keep the existing Host/IdentityFile config for the AUR
connection.
In @.github/workflows/build-native-mac.yml:
- Around line 1-23: The macOS native helper workflow is currently unreachable
because build-native-mac is only defined as a reusable workflow and nothing
calls it. Update the macOS build flow to invoke this workflow from the existing
build jobs that duplicate the native build step, referencing build-native-mac
and the macOS job definitions in build.yml and diagnostic-artifact.yml; if you
do not want to reuse it, remove the unused workflow file instead.
In @.github/workflows/build.yml:
- Around line 310-320: The macOS artifact download steps in publish-release
always fetch both architectures, which breaks single-arch workflow_dispatch
releases when one artifact is missing. Update the download steps for
openscreen-mac-arm64 and openscreen-mac-x64 so they are conditional on the built
architecture or otherwise tolerate absent artifacts, using the existing
publish-release job and actions/download-artifact invocations as the place to
adjust.
In @.github/workflows/update-homebrew-cask.yml:
- Around line 53-55: The readiness check in the release polling logic is too
broad because it counts any two DMG files instead of waiting for the specific
architecture assets. Update the asset check in the workflow step that uses gh
release view, ASSETS, and COUNT so it verifies the expected arm64 and x64 DMG
names emitted by the producer, and only proceeds when both matching assets are
present.
In `@docs/github-actions-workflows.md`:
- Line 5: The workflow inventory count in the overview is inconsistent with the
rest of the document. Update the summary in the github-actions-workflows
overview to match the actual number of workflow files shown in the graph and
section headers, or add the missing workflow entry so the count is accurate. Use
the document’s workflow inventory section and tier headers as the source of
truth when reconciling the total.
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro Plus
Run ID: caaf367a-fe73-4ae7-bfc1-e8c0f1f6fa54
⛔ Files ignored due to path filters (1)
- package-lock.json is excluded by `!**/package-lock.json`
📒 Files selected for processing (16)
- .github/actions/setup/action.yml
- .github/scripts/discord-pr-sync.mjs
- .github/scripts/discord-roadmap-sync.mjs
- .github/scripts/discord-weekly-leaderboard.mjs
- .github/workflows/aur-publish.yml
- .github/workflows/build-native-mac.yml
- .github/workflows/build.yml
- .github/workflows/ci.yml
- .github/workflows/diagnostic-artifact.yml
- .github/workflows/discord-pr-notify.yml
- .github/workflows/discord-roadmap-sync.yml
- .github/workflows/discord-weekly-leaderboard.yml
- .github/workflows/discord.yaml
- .github/workflows/update-homebrew-cask.yml
- docs/github-actions-workflows.md
- package.json
💤 Files with no reviewable changes (1)
- .github/workflows/discord.yaml
- discord-pr-sync: validate thread channel via Discord API before acting on body-extracted threadId to prevent attacker-controlled redirects; cap appliedTags at 5 to match Discord forum limit
- discord-weekly-leaderboard: paginate search results via octokit.paginate; catch API errors gracefully instead of crashing
- aur-publish: gate all publish steps on key-check output; replace ssh-keyscan with pinned known_hosts from repo variable; install arch-install-scripts for makepkg on ubuntu-latest
- build.yml: tolerate missing per-arch macOS downloads via continue-on-error for single-arch workflow_dispatch
- update-homebrew-cask: match exact DMG asset names in poll instead of counting any two .dmg files
- discord-roadmap-sync: migrate from deprecated /pins to /messages/pins endpoints with new response shape
- docs: correct workflow count from 13 to 12
- build-native-mac.yml: remove unused reusable workflow (single npm run does not justify a separate job with artifact orchestration)
Actionable comments posted: 2
♻️ Duplicate comments (1)
.github/workflows/build.yml (1)
310-322: 🩺 Stability & Availability | 🟡 Minor | ⚡ Quick win
`continue-on-error` resolves single-arch dispatch but can silently ship a release missing macOS DMGs.
Adding `continue-on-error: true` makes the macOS downloads tolerant of absent artifacts, which addresses the prior single-arch `workflow_dispatch` concern. However, it also suppresses transient download failures on a full tag release: if a macOS artifact build succeeded but the download step fails, the job proceeds and the "Publish release assets" step only aborts when all downloads are empty (Line 336). The net effect is a published release silently missing macOS installers.
Consider scoping the tolerance to the dispatch path (or asserting expected assets are present for tag pushes) so genuine failures on a full release still fail loudly.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/build.yml around lines 310 - 322, The macOS artifact download steps in the release workflow are too permissive and can let tag releases publish without DMGs; update the download logic in the build job so the tolerance only applies to the single-arch workflow_dispatch path, while tag/release runs still fail if expected artifacts are missing. Use the existing download steps for openscreen-mac-arm64 and openscreen-mac-x64 as the place to gate this behavior, and ensure the downstream release-asset publishing path only proceeds when the expected macOS artifacts are present.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/scripts/discord-pr-sync.mjs:
- Around line 54-76: Treat PR-body thread markers as untrusted: the current
validateThreadChannel flow still returns true when botToken or forumChannelId is
missing and only verifies parent_id, which can let a forged marker pass. Update
validateThreadChannel in discord-pr-sync.mjs to fail closed unless a bot-owned
lookup can fully verify the thread, and avoid trusting marker-provided thread
data; if thread names are not reliable, use a bot-side lookup path that is
independent of the PR body before suppressing notifications or resolving the
target thread.
In @.github/workflows/aur-publish.yml:
- Around line 115-124: The fallback install step does not ensure makepkg is
actually available before the later makepkg --printsrcinfo call. Update the
Install makepkg step to explicitly install the package that provides makepkg (or
add a command -v makepkg verification) in the fallback path, and keep the
existing logic in the aur publish workflow block that checks
steps.aur_secret.outputs.configured.
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro Plus
Run ID: 3c0e0feb-8a07-4c5b-a175-88377992dc5e
📒 Files selected for processing (8)
- .github/scripts/discord-pr-sync.mjs
- .github/scripts/discord-roadmap-sync.mjs
- .github/scripts/discord-weekly-leaderboard.mjs
- .github/workflows/aur-publish.yml
- .github/workflows/build.yml
- .github/workflows/discord-pr-notify.yml
- .github/workflows/update-homebrew-cask.yml
- docs/github-actions-workflows.md
✅ Files skipped from review due to trivial changes (1)
- docs/github-actions-workflows.md
🚧 Files skipped from review as they are similar to previous changes (4)
- .github/workflows/update-homebrew-cask.yml
- .github/workflows/discord-pr-notify.yml
- .github/scripts/discord-weekly-leaderboard.mjs
- .github/scripts/discord-roadmap-sync.mjs
CodeRabbit identified two remaining weaknesses:
- Validation failed open when DISCORD_BOT_TOKEN was unset (returned true, trusting any marker)
- Parent-ID-only check allowed forged markers pointing to any thread in the same forum
Changes:
- Fail closed: return false when botToken is missing so markers are never trusted without the ability to validate
- Verify thread name matches the bot's deterministic naming convention (PR # - *) so only threads the bot itself created for this specific PR pass validation
- Forum channel ID check is now optional (thread name alone is a sufficient identity when parent cannot be verified)
EtienneLescot left a comment
Thanks for the cleanup — splitting the god file, dropping the inline JS into linted .mjs, the runner.os cache-key fix, and the explicit download-artifact name: calls are all real wins. The thread-marker injection is properly closed now: validateThreadChannel fails closed without DISCORD_BOT_TOKEN and requires both parent_id === forumChannelId and channel.name.startsWith("PR #N - "). The only residual (attacker-owned thread in the same forum named PR #N - …) is bounded by who can open PRs and the data is public anyway, so I'm not blocking on it.
Left a few small items inline. This is an automatic review pass; feel free to push back on any of them.
- discord-weekly-leaderboard: replace setFailed with warning for non-critical Discord webhook failure; drop unused import
- docs: remove stale build-native-mac.yml node and edges from mermaid graph; delete orphaned Tier 2 subsection
- discord-pr-sync: extract validateThreadChannel into standalone module (discord-thread-validator.mjs) with dependency injection for botToken/forumChannelId so it is independently testable
- test: add unit tests for validateThreadChannel covering: fail-closed without token, wrong parent rejection, sibling PR name mismatch, valid thread acceptance, API errors, and network failures
- vitest.config: add .github/ to test include pattern
I'm running out of ideas for commit names :d
Actionable comments posted: 1
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (2)
.github/scripts/discord-weekly-leaderboard.mjs (2)
66-75: 🩺 Stability & Availability | 🟠 Major | ⚡ Quick win
Catch rejected webhook requests too.
This only downgrades HTTP error responses. A network/TLS/DNS failure still makes `fetch(...)` reject, which will red-fail the weekly cron even though this flow is supposed to warn and continue on non-critical webhook problems.
Suggested fix
- const res = await fetch(`${spotlightWebhook}?wait=true`, { - method: "POST", - headers: { "Content-Type": "application/json" }, - body: JSON.stringify(payload), - }); - - if (!res.ok) { - const txt = await res.text(); - warning(`Leaderboard post failed ${res.status}: ${txt}`); - } + try { + const res = await fetch(`${spotlightWebhook}?wait=true`, { + method: "POST", + headers: { "Content-Type": "application/json" }, + body: JSON.stringify(payload), + }); + + if (!res.ok) { + const txt = await res.text(); + warning(`Leaderboard post failed ${res.status}: ${txt}`); + } + } catch (err) { + warning(`Leaderboard post failed: ${err instanceof Error ? err.message : String(err)}`); + }🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/scripts/discord-weekly-leaderboard.mjs around lines 66 - 75, The webhook send in fetch for the weekly leaderboard only handles non-2xx responses, so network/TLS/DNS failures still reject and break the cron. Update the request flow in discord-weekly-leaderboard.mjs around the fetch/payload send to catch rejected fetch calls as well, log a warning with the error details, and continue execution instead of letting the job fail.
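Review bot: the options object passed to `fetch` in the added `try` block still carries only `method`, `headers` and `body`, with no `signal`, so a connection that stalls without erroring never rejects and the new `catch` branch is never reached; the step then waits on the job timeout instead of warning and continuing. Consider adding `signal: AbortSignal.timeout(...)` with a short limit next to `body` so a hang becomes the same "Leaderboard post failed" warning as any other network failure.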
15-19: 🎯 Functional Correctness | 🟡 Minor | ⚡ Quick win
Pass the full ISO timestamp to `merged:`
`.substring(0, 10)` broadens the search to the whole UTC day, so “Last 7 days” can include extra PRs; GitHub search accepts full `merged:>=YYYY-MM-DDTHH:MM:SSZ` timestamps.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/scripts/discord-weekly-leaderboard.mjs around lines 15 - 19, The weekly leaderboard search in discord-weekly-leaderboard.mjs is truncating the `since` value when building `q`, which broadens the `merged:` filter to the whole day. Update the query construction to pass the full ISO timestamp from `since` directly into the `merged:>=...` qualifier, keeping the `owner`/`repo` and `q` logic otherwise unchanged.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/scripts/discord-thread-validator.mjs:
- Around line 10-13: The Discord thread validation fetch can hang indefinitely
on a stalled network path, so add an abort timeout around the request in
discord-thread-validator.mjs. Update the fetch call inside the try block to use
an AbortController (or equivalent timeout mechanism) and ensure the request is
cancelled after a short limit so the workflow can continue promptly even if
Discord is unresponsive. Keep the change localized to the validation logic that
uses fetch and threadId/botToken.
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro Plus
Run ID: 844b8bcb-6584-4653-9f67-db3023ffe262
📒 Files selected for processing (6)
- .github/scripts/discord-pr-sync.mjs
- .github/scripts/discord-thread-validator.mjs
- .github/scripts/discord-thread-validator.test.mjs
- .github/scripts/discord-weekly-leaderboard.mjs
- docs/github-actions-workflows.md
- vitest.config.ts
💤 Files with no reviewable changes (1)
- docs/github-actions-workflows.md
Without a timeout, a stalled network path during the best-effort validation step can hang the job indefinitely. continue-on-error only helps after the request completes or the job-level timeout (360 min default) fires. Add a 5-second AbortController abort so the workflow moves on quickly when Discord is unreachable.
- Fetch call now passes an AbortSignal with 5s timeout
- Test verifies the signal is wired into fetch arguments
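The validation that the review comments and commits above converge on (fail closed without a bot token, require the forum parent and the `PR #N - ` name prefix, abort a stalled lookup after 5 seconds), written out as an added example; it is not the project's `discord-thread-validator.mjs`. The function signatures, the injected `fetchImpl`, the ID-format check, the `resolveThreadId` helper and the requirement that `forumChannelId` be set are assumptions.

```javascript
// Added example, not the project's code. Names and limits below are assumptions.
const DISCORD_API = "https://discord.com/api/v10";
// Assumed bound: Discord IDs are decimal snowflakes. Digits only, so a value
// lifted from the PR body can never add path segments to the request URL.
const SNOWFLAKE = /^\d{15,21}$/;

// Pure decision: is this channel object the bot's own thread for this PR?
function threadMatchesPr(channel, forumChannelId, prNumber) {
  if (!channel || typeof channel !== "object") return false;
  if (typeof channel.name !== "string") return false;
  if (channel.parent_id !== forumChannelId) return false;
  // The trailing " - " stops PR #4 from matching a thread named "PR #40 - ...".
  return channel.name.startsWith(`PR #${prNumber} - `);
}

// Returns true only when a bot-authenticated lookup confirms the thread.
// Every other outcome (missing config, bad ID, HTTP error, timeout) is false.
async function validateThreadChannel(threadId, prNumber, deps) {
  const { botToken, forumChannelId, fetchImpl = fetch, timeoutMs = 5000 } = deps;
  if (!botToken || !forumChannelId) return false; // fail closed: cannot verify
  if (typeof threadId !== "string" || !SNOWFLAKE.test(threadId)) return false;
  if (!Number.isInteger(prNumber) || prNumber <= 0) return false;

  const controller = new AbortController();
  const timer = setTimeout(() => controller.abort(), timeoutMs);
  try {
    const res = await fetchImpl(`${DISCORD_API}/channels/${threadId}`, {
      headers: { Authorization: `Bot ${botToken}` },
      signal: controller.signal,
    });
    if (!res.ok) return false;
    return threadMatchesPr(await res.json(), forumChannelId, prNumber);
  } catch {
    return false; // network error or abort: treat the marker as unverified
  } finally {
    clearTimeout(timer);
  }
}

// Caller side: an unverified marker is dropped, so the sync creates or looks
// up a thread through its own path instead of acting on the PR body's value.
async function resolveThreadId(markerThreadId, prNumber, deps) {
  if (!markerThreadId) return null;
  const trusted = await validateThreadChannel(markerThreadId, prNumber, deps);
  return trusted ? markerThreadId : null;
}
```
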
arch-install-scripts only provides pacstrap/arch-chroot/genfstab; it does NOT ship the makepkg binary. If pacman-package-manager failed to install and arch-install-scripts succeeded, the step exited 0 and the later makepkg --printsrcinfo call failed downstream with 'command not found'.
- Try makepkg package directly in the fallback chain (the explicit provider per packages.ubuntu.com).
- Verify with command -v makepkg after install so a silent failure fails the job instead of leaking past the 'Install makepkg' step.
Addresses CodeRabbit comment r3484700062.
Summary
Comprehensive refactor of the GitHub Actions workflows: splitting a monolithic god file, eliminating duplication, fixing a cross-platform cache collision, and adding AUR package publishing.
Type of change
Motivation
1. The `discord.yaml` god file
One workflow file contained three entirely unrelated jobs -- PR-to-forum sync, ROADMAP.md-to-Discord pin, and weekly contributor leaderboard -- sharing no secrets, no webhooks, no logic, and only the word "Discord" in common. At 769 lines with over 700 lines of inline JavaScript inside `actions/github-script@v7`, the file was untestable locally, exempt from Biome linting and `tsc` type-checking, and a single failure in one job could be misread as affecting the others.
Solution: Split into three independent workflow files, each with its own triggers and permissions. Extracted all inline JavaScript into standalone `.mjs` scripts under `.github/scripts/`, invoked via `node`. The scripts now import `@actions/core` and `@actions/github` (added to `devDependencies`) and are covered by CI lint and type-check.
2. Duplicated Node.js setup across 12 jobs
The `actions/setup-node@v4` + `npm ci` pattern appeared verbatim 12 times across `ci.yml` (x4), `build.yml` (x3), `diagnostic-artifact.yml` (x2), and the three new Discord workflows (x3). Any Node.js version bump required editing every occurrence and hoping none were missed.
Solution: Created a composite action at `.github/actions/setup/action.yml`. All jobs now use `uses: ./.github/actions/setup`. The version is defined in one file.
3. Cross-platform caption-assets cache collision
The cache key `caption-assets-${{ hashFiles('scripts/fetch-caption-model.mjs') }}` was identical across Windows, macOS, and Linux runners. While the Whisper ONNX models and ONNX Runtime WASM files are nominally architecture-independent, `@xenova/transformers` installs platform-specific npm packages, and the wasm files in `node_modules` can differ per platform. A cache hit from a different OS would restore incorrect binaries silently.
Solution: Added `${{ runner.os }}` to the cache key so each platform gets its own cache slot.
4. Implicit artifact names in `publish-release`
The `publish-release` job used a single `actions/download-artifact@v4` call with no `name` parameter, downloading all artifacts into one directory and then running `find artifacts -type f | sort`. If any upstream job renamed its artifact, the release would silently omit it rather than failing.
Solution: Replaced with four explicit `download-artifact` calls, each specifying the exact `name:` matching the corresponding `upload-artifact`. A rename mismatch now fails loudly before the release is touched.
5. Duplicated native macOS helper build
Both `build.yml` (release packaging) and `diagnostic-artifact.yml` (diagnostic bundles) contained identical steps for `npm run build:native:mac` with `OPENSCREEN_MAC_HELPER_ARCHS`. Changes to the native build invocation needed to be mirrored in two places.
Solution: Created a reusable workflow `build-native-mac.yml` with `workflow_call` trigger, accepting `arch` as an input. Both workflows call it instead of duplicating the build step.
6. Race condition in Homebrew cask publishing
`update-homebrew-cask.yml` attempted to download and hash DMGs immediately upon `release: published`, before Apple notarization completed (which takes up to 15 minutes). The SHA-256 was computed against a DMG that could still be unsigned or mid-notarization.
Solution: Added a polling loop before the asset-finding step that waits up to 12 minutes for both DMG files to appear in the release, retrying every 30 seconds.
7. Missing AUR package
The project already builds `.pacman` packages via `electron-builder --linux pacman` in `build-linux`, and publishes to Homebrew, WinGet, and Nix -- but had no AUR workflow for Arch Linux users.
Solution: Added `aur-publish.yml`. On release publish, it finds the `.pacman` asset, computes its SHA-256, updates `PKGBUILD` and `.SRCINFO` in the AUR git repository via SSH, and pushes. Conditional on `vars.AUR_PACKAGE_NAME` and `secrets.AUR_SSH_PRIVATE_KEY`.
Don't forget to add the `secrets.AUR_SSH_PRIVATE_KEY` before the next release!
Files changed
- .github/actions/setup/action.yml
- .github/workflows/ci.yml
- .github/workflows/build.yml: `download-artifact`, cache key fix
- .github/workflows/diagnostic-artifact.yml
- .github/workflows/discord.yaml
- .github/workflows/discord-pr-notify.yml
- .github/workflows/discord-roadmap-sync.yml
- .github/workflows/discord-weekly-leaderboard.yml
- .github/scripts/discord-pr-sync.mjs: `actions/github-script` inline JS
- .github/scripts/discord-roadmap-sync.mjs: `actions/github-script` inline JS
- .github/scripts/discord-weekly-leaderboard.mjs: `actions/github-script` inline JS
- .github/workflows/update-homebrew-cask.yml
- .github/workflows/build-native-mac.yml
- .github/workflows/aur-publish.yml
- package.json / package-lock.json: `@actions/core` and `@actions/github` as devDependencies
- docs/github-actions-workflows.md
Testing
- `actionlint` -- clean on all 13 workflow files
- `biome check` -- clean on all 3 new `.mjs` scripts
- `tsc --noEmit` -- clean (scripts are covered by the project tsconfig)
Summary by CodeRabbit
.github/.