qwen-code/.github/workflows/desktop-release.yml
Salman Chishti df6be035e1
Upgrade GitHub Actions for Node 24 compatibility (#5157)
* Upgrade GitHub Actions for Node 24 compatibility

Signed-off-by: Salman Muin Kayser Chishti <13schishti@gmail.com>

* ci: update remaining checkout pins

---------

Signed-off-by: Salman Muin Kayser Chishti <13schishti@gmail.com>
Co-authored-by: qwen-code-dev-bot <qwen-code-dev-bot@users.noreply.github.com>
Co-authored-by: 易良 <1204183885@qq.com>
Co-authored-by: yiliang114 <effortyiliang@gmail.com>
2026-07-07 12:17:22 +00:00

740 lines
27 KiB
YAML

name: 'Desktop Release'
run-name: 'Desktop release ${{ inputs.version }}'
on:
workflow_dispatch:
inputs:
version:
description: 'Desktop app version to release, for example 0.0.2 or v0.0.2'
required: true
type: 'string'
release_name:
description: 'Release title. Defaults to the tag.'
required: false
type: 'string'
qwen_code_source:
description: 'Qwen Code runtime source to vendor into the desktop app.'
required: true
default: 'source_branch'
type: 'choice'
options:
- 'npm_latest'
- 'source_branch'
qwen_code_ref:
description: 'Current repository branch, tag, or commit when qwen_code_source is source_branch.'
required: false
default: 'main'
type: 'string'
dry_run:
description: 'Build installers only. Do not create or update a GitHub Release.'
required: true
default: true
type: 'boolean'
draft:
description: 'Create a draft release.'
required: true
default: true
type: 'boolean'
prerelease:
description: 'Mark the release as a prerelease.'
required: true
default: false
type: 'boolean'
clobber:
description: 'Replace same-named assets when uploading to an existing release.'
required: true
default: false
type: 'boolean'
permissions:
contents: 'read'
concurrency:
group: 'desktop-release-${{ inputs.version }}'
cancel-in-progress: false
env:
BUN_VERSION: '1.3.9'
CRAFT_BRAND: 'qwen-code'
DESKTOP_UPDATE_FEED_TAG: 'desktop-latest'
jobs:
release_metadata:
name: 'Prepare Release Source'
runs-on: 'ubuntu-latest'
timeout-minutes: 10
permissions:
contents: 'write'
outputs:
qwen_code_ref: '${{ steps.qwen-code-ref.outputs.ref }}'
qwen_code_sha: '${{ steps.qwen-code-ref.outputs.sha }}'
release_branch: '${{ steps.release-branch.outputs.branch }}'
release_ref: '${{ steps.release-branch.outputs.ref }}'
tag: '${{ steps.release-tag.outputs.tag }}'
version: '${{ steps.release-version.outputs.version }}'
steps:
- name: 'Check out source'
uses: 'actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10' # v6.0.3
with:
fetch-depth: 0
- name: 'Set up Node'
uses: 'actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e' # v6.4.0
with:
node-version-file: '.nvmrc'
- name: 'Set up Bun'
uses: 'oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6' # v2
with:
bun-version: '${{ env.BUN_VERSION }}'
- name: 'Install dependencies'
working-directory: 'packages/desktop'
run: 'bun install --frozen-lockfile'
- name: 'Configure Git user'
run: |
git config user.name "github-actions[bot]"
git config user.email "github-actions[bot]@users.noreply.github.com"
- name: 'Require main for publishing'
if: '${{ inputs.dry_run == false }}'
env:
SOURCE_REF: '${{ github.ref_name }}'
run: |
set -euo pipefail
if [ "$SOURCE_REF" != "main" ]; then
echo "::error::Desktop releases with dry_run=false must be run from main. Current ref: $SOURCE_REF"
exit 1
fi
- name: 'Resolve Qwen Code source ref'
id: 'qwen-code-ref'
shell: 'bash'
env:
IS_DRY_RUN: '${{ inputs.dry_run }}'
QWEN_CODE_REF_INPUT: '${{ inputs.qwen_code_ref }}'
QWEN_CODE_SOURCE_INPUT: '${{ inputs.qwen_code_source }}'
run: |
set -euo pipefail
if [ "$QWEN_CODE_SOURCE_INPUT" != "source_branch" ]; then
echo "ref=" >> "$GITHUB_OUTPUT"
echo "sha=" >> "$GITHUB_OUTPUT"
exit 0
fi
if [ -z "$QWEN_CODE_REF_INPUT" ]; then
echo "::error::qwen_code_ref is required when qwen_code_source is source_branch."
exit 1
fi
if [ "$IS_DRY_RUN" = "false" ] && [[ "$QWEN_CODE_REF_INPUT" == refs/pull/* ]]; then
echo "::error::Published desktop releases cannot vendor refs/pull/*."
exit 1
fi
if ! git fetch origin "$QWEN_CODE_REF_INPUT"; then
if ! git fetch origin "refs/heads/$QWEN_CODE_REF_INPUT"; then
git fetch origin "refs/tags/$QWEN_CODE_REF_INPUT"
fi
fi
sha="$(git rev-parse FETCH_HEAD)"
if [ "$IS_DRY_RUN" = "false" ]; then
git fetch origin main:refs/remotes/origin/main
if ! git merge-base --is-ancestor "$sha" refs/remotes/origin/main; then
echo "::error::Published desktop releases can only vendor commits reachable from main."
exit 1
fi
fi
echo "ref=$QWEN_CODE_REF_INPUT" >> "$GITHUB_OUTPUT"
echo "sha=$sha" >> "$GITHUB_OUTPUT"
echo "Resolved Qwen Code ref $QWEN_CODE_REF_INPUT to $sha"
- name: 'Bump desktop version'
working-directory: 'packages/desktop'
env:
INPUT_VERSION: '${{ inputs.version }}'
run: 'bun run bump-desktop-version "$INPUT_VERSION"'
- name: 'Validate release version'
working-directory: 'packages/desktop'
id: 'release-version'
env:
INPUT_VERSION: '${{ inputs.version }}'
run: 'bun run check-release-version --version "$INPUT_VERSION"'
- name: 'Prepare desktop release tag'
id: 'release-tag'
env:
RELEASE_TAG: '${{ steps.release-version.outputs.tag }}'
run: 'echo "tag=desktop-${RELEASE_TAG}" >> "$GITHUB_OUTPUT"'
- name: 'Create release branch'
working-directory: 'packages/desktop'
id: 'release-branch'
env:
IS_DRY_RUN: '${{ inputs.dry_run }}'
RELEASE_TAG: '${{ steps.release-tag.outputs.tag }}'
run: |
set -euo pipefail
branch="release/${RELEASE_TAG}"
git switch -C "$branch"
git add package.json apps/electron/package.json packages/shared/package.json
if git diff --staged --quiet; then
echo "No desktop version changes to commit."
else
git commit -m "chore(release): desktop ${RELEASE_TAG}"
fi
echo "branch=$branch" >> "$GITHUB_OUTPUT"
if [ "$IS_DRY_RUN" = "false" ]; then
remote_sha="$(git ls-remote --heads origin "$branch" | awk '{print $1}')"
if [ -n "$remote_sha" ]; then
git push --force-with-lease="refs/heads/$branch:$remote_sha" origin "HEAD:refs/heads/$branch"
else
git push origin "HEAD:refs/heads/$branch"
fi
echo "ref=$branch" >> "$GITHUB_OUTPUT"
else
echo "Dry run enabled. Skipping release branch push."
echo "ref=$GITHUB_SHA" >> "$GITHUB_OUTPUT"
fi
build:
name: 'Build ${{ matrix.name }}'
runs-on: '${{ matrix.os }}'
timeout-minutes: 90
needs: 'release_metadata'
env:
RELEASE_TAG: '${{ needs.release_metadata.outputs.tag }}'
RELEASE_VERSION: '${{ needs.release_metadata.outputs.version }}'
strategy:
fail-fast: false
matrix:
include:
- name: 'macOS'
os: 'macos-latest'
command: 'bun run dist:mac:no-publish'
- name: 'Windows'
os: 'windows-latest'
command: 'bun run dist:win:no-publish'
- name: 'Linux'
os: 'ubuntu-22.04'
command: 'bun run dist:linux:no-publish'
steps:
- name: 'Check out source'
uses: 'actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10' # v6.0.3
with:
ref: '${{ needs.release_metadata.outputs.release_ref }}'
- name: 'Set up Node'
uses: 'actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e' # v6.4.0
with:
node-version-file: '.nvmrc'
- name: 'Check out Qwen Code source'
if: "${{ inputs.qwen_code_source == 'source_branch' }}"
shell: 'bash'
env:
QWEN_CODE_REF_INPUT: '${{ needs.release_metadata.outputs.qwen_code_ref }}'
QWEN_CODE_SHA: '${{ needs.release_metadata.outputs.qwen_code_sha }}'
QWEN_CODE_SOURCE_ROOT: '${{ runner.temp }}/qwen-code-source'
run: |
set -euo pipefail
if [ -z "$QWEN_CODE_SHA" ]; then
echo "::error::Resolved Qwen Code source SHA is missing."
exit 1
fi
rm -rf "$QWEN_CODE_SOURCE_ROOT"
git init "$QWEN_CODE_SOURCE_ROOT"
git -C "$QWEN_CODE_SOURCE_ROOT" remote add origin "${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git"
if ! git -C "$QWEN_CODE_SOURCE_ROOT" fetch --depth=1 origin "$QWEN_CODE_SHA"; then
if ! git -C "$QWEN_CODE_SOURCE_ROOT" fetch --depth=1 origin "$QWEN_CODE_REF_INPUT"; then
if ! git -C "$QWEN_CODE_SOURCE_ROOT" fetch --depth=1 origin "refs/heads/$QWEN_CODE_REF_INPUT"; then
git -C "$QWEN_CODE_SOURCE_ROOT" fetch --depth=1 origin "refs/tags/$QWEN_CODE_REF_INPUT"
fi
fi
fi
actual_sha="$(git -C "$QWEN_CODE_SOURCE_ROOT" rev-parse FETCH_HEAD)"
if [ "$actual_sha" != "$QWEN_CODE_SHA" ]; then
echo "::error::Qwen Code ref $QWEN_CODE_REF_INPUT resolved to $actual_sha, expected $QWEN_CODE_SHA."
exit 1
fi
git -C "$QWEN_CODE_SOURCE_ROOT" checkout --detach "$QWEN_CODE_SHA"
git config --global --add safe.directory "$QWEN_CODE_SOURCE_ROOT"
- name: 'Set up Bun'
uses: 'oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6' # v2
with:
bun-version: '${{ env.BUN_VERSION }}'
- name: 'Install Linux packaging dependencies'
if: "runner.os == 'Linux'"
run: |
sudo apt-get update
sudo apt-get install -y libfuse2
- name: 'Install dependencies'
working-directory: 'packages/desktop'
run: 'bun install --frozen-lockfile'
- name: 'Install Qwen Code source dependencies'
if: "${{ inputs.qwen_code_source == 'source_branch' }}"
working-directory: '${{ runner.temp }}/qwen-code-source'
run: 'npm ci'
- name: 'Bump desktop version'
working-directory: 'packages/desktop'
run: 'bun run bump-desktop-version "${{ needs.release_metadata.outputs.version }}"'
- name: 'Confirm release version'
working-directory: 'packages/desktop'
run: 'bun run check-release-version --version "${{ needs.release_metadata.outputs.version }}"'
- name: 'Configure Qwen Code runtime source'
shell: 'bash'
env:
QWEN_CODE_REF_INPUT: '${{ needs.release_metadata.outputs.qwen_code_ref }}'
QWEN_CODE_SHA: '${{ needs.release_metadata.outputs.qwen_code_sha }}'
QWEN_CODE_SOURCE_INPUT: '${{ inputs.qwen_code_source }}'
QWEN_CODE_SOURCE_ROOT: '${{ runner.temp }}/qwen-code-source'
run: |
set -euo pipefail
case "$QWEN_CODE_SOURCE_INPUT" in
npm_latest)
echo "QWEN_CODE_VERSION=latest" >> "$GITHUB_ENV"
echo "Using Qwen Code runtime from npm dist-tag: latest"
;;
source_branch)
if [ -z "$QWEN_CODE_REF_INPUT" ]; then
echo "::error::qwen_code_ref is required when qwen_code_source is source_branch."
exit 1
fi
echo "QWEN_CODE_ROOT=$QWEN_CODE_SOURCE_ROOT" >> "$GITHUB_ENV"
echo "Using Qwen Code runtime from ${GITHUB_REPOSITORY} ref: $QWEN_CODE_REF_INPUT ($QWEN_CODE_SHA)"
;;
*)
echo "::error::Unknown qwen_code_source: $QWEN_CODE_SOURCE_INPUT"
exit 1
;;
esac
- name: 'Verify desktop update feed target'
working-directory: 'packages/desktop'
shell: 'bash'
env:
EXPECTED_UPDATE_URL: 'https://github.com/${{ github.repository }}/releases/download/${{ env.DESKTOP_UPDATE_FEED_TAG }}'
run: |
set -euo pipefail
bun run electron:builder-config
actual_update_url="$(node <<'NODE'
const fs = require('node:fs');
const yaml = require('js-yaml');
const config = yaml.load(
fs.readFileSync('apps/electron/electron-builder.generated.yml', 'utf8'),
);
const publish = config?.publish;
if (!publish || typeof publish.provider !== 'string') {
process.exit(1);
}
if (publish.provider === 'github') {
if (!publish.owner || !publish.repo) process.exit(1);
console.log(`https://github.com/${publish.owner}/${publish.repo}/releases`);
} else if (publish.provider === 'generic') {
if (!publish.url) process.exit(1);
console.log(publish.url);
} else {
process.exit(1);
}
NODE
)"
if [ "$actual_update_url" != "$EXPECTED_UPDATE_URL" ]; then
echo "::error::Desktop update feed points to $actual_update_url, expected $EXPECTED_UPDATE_URL."
exit 1
fi
echo "Desktop update feed: ${actual_update_url}"
- name: 'Configure optional signing secrets'
shell: 'bash'
env:
IS_DRY_RUN: '${{ inputs.dry_run }}'
APPLE_NOTARY_API_KEY_P8_BASE64_SECRET: '${{ secrets.APPLE_NOTARY_API_KEY_P8_BASE64 }}'
APPLE_NOTARY_KEY_ID_SECRET: '${{ secrets.APPLE_NOTARY_KEY_ID }}'
APPLE_NOTARY_ISSUER_ID_SECRET: '${{ secrets.APPLE_NOTARY_ISSUER_ID }}'
APPLE_TEAM_ID_SECRET: '${{ secrets.APPLE_TEAM_ID }}'
MAC_CSC_KEY_PASSWORD_SECRET: '${{ secrets.MAC_CSC_KEY_PASSWORD }}'
MAC_CSC_LINK_SECRET: '${{ secrets.MAC_CSC_LINK }}'
CSC_KEY_PASSWORD_SECRET: '${{ secrets.CSC_KEY_PASSWORD }}'
CSC_LINK_SECRET: '${{ secrets.CSC_LINK }}'
WIN_CSC_KEY_PASSWORD_SECRET: '${{ secrets.WIN_CSC_KEY_PASSWORD }}'
WIN_CSC_LINK_SECRET: '${{ secrets.WIN_CSC_LINK }}'
SENTRY_ELECTRON_INGEST_URL_SECRET: '${{ secrets.SENTRY_ELECTRON_INGEST_URL }}'
run: |
set -euo pipefail
append_env() {
local name="$1"
local value="$2"
if [ -z "$value" ]; then
return
fi
{
echo "$name<<__${name}__"
printf '%s\n' "$value"
echo "__${name}__"
} >> "$GITHUB_ENV"
}
mac_csc_link="${MAC_CSC_LINK_SECRET:-$CSC_LINK_SECRET}"
mac_csc_key_password="${MAC_CSC_KEY_PASSWORD_SECRET:-$CSC_KEY_PASSWORD_SECRET}"
allow_unsigned_artifacts() {
if [ "$IS_DRY_RUN" = "true" ]; then
return 0
fi
return 1
}
if [ "$RUNNER_OS" = "macOS" ]; then
if [ -n "$mac_csc_link" ]; then
if [ -z "$mac_csc_key_password" ]; then
echo "::error::MAC_CSC_LINK/CSC_LINK is configured, but MAC_CSC_KEY_PASSWORD/CSC_KEY_PASSWORD is missing."
exit 1
fi
if [ "$IS_DRY_RUN" = "false" ]; then
if [ -z "$APPLE_NOTARY_API_KEY_P8_BASE64_SECRET" ] || [ -z "$APPLE_NOTARY_KEY_ID_SECRET" ] || [ -z "$APPLE_NOTARY_ISSUER_ID_SECRET" ] || [ -z "$APPLE_TEAM_ID_SECRET" ]; then
echo "::error::Published macOS desktop releases require APPLE_NOTARY_API_KEY_P8_BASE64, APPLE_NOTARY_KEY_ID, APPLE_NOTARY_ISSUER_ID, and APPLE_TEAM_ID for notarization."
exit 1
fi
fi
# Materialize the App Store Connect API key (.p8) so electron-builder
# (>=24) notarizes via notarytool. It reads APPLE_API_KEY (a path to
# the .p8 file), APPLE_API_KEY_ID, and APPLE_API_ISSUER from the env.
if [ -n "$APPLE_NOTARY_API_KEY_P8_BASE64_SECRET" ] && [ -n "$APPLE_NOTARY_KEY_ID_SECRET" ] && [ -n "$APPLE_NOTARY_ISSUER_ID_SECRET" ]; then
api_key_path="${RUNNER_TEMP}/apple-notary-key.p8"
printf '%s' "$APPLE_NOTARY_API_KEY_P8_BASE64_SECRET" | base64 --decode > "$api_key_path"
append_env "APPLE_API_KEY" "$api_key_path"
append_env "APPLE_API_KEY_ID" "$APPLE_NOTARY_KEY_ID_SECRET"
append_env "APPLE_API_ISSUER" "$APPLE_NOTARY_ISSUER_ID_SECRET"
fi
append_env "CSC_LINK" "$mac_csc_link"
append_env "CSC_KEY_PASSWORD" "$mac_csc_key_password"
append_env "APPLE_TEAM_ID" "$APPLE_TEAM_ID_SECRET"
echo "CSC_IDENTITY_AUTO_DISCOVERY=true" >> "$GITHUB_ENV"
else
if ! allow_unsigned_artifacts; then
echo "::error::Published macOS desktop releases require MAC_CSC_LINK/CSC_LINK and MAC_CSC_KEY_PASSWORD/CSC_KEY_PASSWORD so auto-update signature validation can pass."
exit 1
fi
echo "CSC_IDENTITY_AUTO_DISCOVERY=false" >> "$GITHUB_ENV"
fi
elif [ "$RUNNER_OS" = "Windows" ]; then
if [ -n "$WIN_CSC_LINK_SECRET" ]; then
if [ -z "$WIN_CSC_KEY_PASSWORD_SECRET" ]; then
echo "::error::WIN_CSC_LINK is configured, but WIN_CSC_KEY_PASSWORD is missing."
exit 1
fi
append_env "WIN_CSC_LINK" "$WIN_CSC_LINK_SECRET"
append_env "WIN_CSC_KEY_PASSWORD" "$WIN_CSC_KEY_PASSWORD_SECRET"
else
if [ "$IS_DRY_RUN" = "true" ]; then
echo "Windows signing certificate is not configured; Windows dry-run artifacts will be unsigned."
else
echo "::warning::Windows signing certificate is not configured; published Windows desktop releases will be unsigned."
fi
fi
else
if [ "$RUNNER_OS" != "Linux" ] && [ -n "$CSC_LINK_SECRET" ]; then
echo "::warning::CSC_LINK is configured but not used on $RUNNER_OS."
fi
fi
append_env "SENTRY_ELECTRON_INGEST_URL" "$SENTRY_ELECTRON_INGEST_URL_SECRET"
- name: 'Build desktop installer'
working-directory: 'packages/desktop'
# Build jobs only produce artifacts. The publish job below owns GitHub
# Release creation/upload so dry-run, draft, prerelease, and replace
# behavior stays centralized.
run: '${{ matrix.command }}'
- name: 'Upload installer artifacts'
uses: 'actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a' # v7.0.1
with:
name: 'desktop-${{ matrix.name }}'
if-no-files-found: 'error'
retention-days: 14
path: |
packages/desktop/apps/electron/release/*.AppImage
packages/desktop/apps/electron/release/*.blockmap
packages/desktop/apps/electron/release/*.dmg
packages/desktop/apps/electron/release/*.exe
packages/desktop/apps/electron/release/*.yml
packages/desktop/apps/electron/release/*.zip
publish:
name: 'Publish GitHub Release'
runs-on: 'ubuntu-latest'
timeout-minutes: 20
needs:
- 'build'
- 'release_metadata'
if: '${{ inputs.dry_run == false }}'
permissions:
contents: 'write'
env:
RELEASE_TAG: '${{ needs.release_metadata.outputs.tag }}'
RELEASE_VERSION: '${{ needs.release_metadata.outputs.version }}'
steps:
- name: 'Download installer artifacts'
uses: 'actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c' # v8.0.1
with:
path: 'release-assets'
merge-multiple: true
- name: 'Publish release assets'
env:
GH_REPO: '${{ github.repository }}'
GH_TOKEN: '${{ github.token }}'
RELEASE_DRAFT: '${{ inputs.draft }}'
RELEASE_NAME: '${{ inputs.release_name }}'
RELEASE_PRERELEASE: '${{ inputs.prerelease }}'
RELEASE_TARGET: '${{ needs.release_metadata.outputs.release_ref }}'
UPDATE_FEED_TAG: '${{ env.DESKTOP_UPDATE_FEED_TAG }}'
UPLOAD_CLOBBER: '${{ inputs.clobber }}'
run: |
set -euo pipefail
if [[ "$RELEASE_TAG" != desktop-v* ]]; then
echo "::error::Desktop releases must use a desktop-v* tag. Got: $RELEASE_TAG"
exit 1
fi
assets=()
while IFS= read -r -d '' file; do
assets+=("$file")
done < <(find release-assets -type f -print0 | sort -z)
if [ "${#assets[@]}" -eq 0 ]; then
echo "No release assets were downloaded."
exit 1
fi
printf 'Release assets:\n'
printf ' %s\n' "${assets[@]}"
title="${RELEASE_NAME:-$RELEASE_TAG}"
if gh release view "$RELEASE_TAG" >/dev/null 2>&1; then
upload_args=("$RELEASE_TAG" "${assets[@]}")
if [ "$UPLOAD_CLOBBER" = "true" ]; then
upload_args+=(--clobber)
fi
gh release upload "${upload_args[@]}"
else
previous_tag="$(
gh release list \
--repo "$GH_REPO" \
--limit 100 \
--json tagName,isDraft,isPrerelease \
--jq '.[] | select(.isDraft == false and .isPrerelease == false and (.tagName | startswith("desktop-v"))) | .tagName' \
| grep -vxF "$RELEASE_TAG" \
| head -n 1 \
|| true
)"
create_args=(
"$RELEASE_TAG"
"${assets[@]}"
--generate-notes
--target "$RELEASE_TARGET"
--title "$title"
)
if [ -n "$previous_tag" ]; then
echo "Using $previous_tag as the release notes start tag."
create_args+=(--notes-start-tag "$previous_tag")
else
echo "No previous published stable release found for release notes."
fi
if [ "$RELEASE_DRAFT" = "true" ]; then
create_args+=(--draft)
fi
if [ "$RELEASE_PRERELEASE" = "true" ]; then
create_args+=(--prerelease)
fi
create_args+=(--latest=false)
gh release create "${create_args[@]}"
fi
if [ "$RELEASE_DRAFT" = "true" ] || [ "$RELEASE_PRERELEASE" = "true" ]; then
echo "Skipping $UPDATE_FEED_TAG update for draft or prerelease desktop release."
else
feed_title="Qwen Code Desktop latest"
feed_notes="Auto-update feed for ${RELEASE_TAG}. See https://github.com/${GH_REPO}/releases/tag/${RELEASE_TAG}."
feed_upload_args=("$UPDATE_FEED_TAG" "${assets[@]}" --clobber)
if gh release view "$UPDATE_FEED_TAG" >/dev/null 2>&1; then
gh release edit "$UPDATE_FEED_TAG" \
--draft=false \
--prerelease=false \
--latest=false \
--target "$RELEASE_TARGET" \
--title "$feed_title" \
--notes "$feed_notes"
gh release upload "${feed_upload_args[@]}"
else
gh release create "$UPDATE_FEED_TAG" "${assets[@]}" \
--latest=false \
--target "$RELEASE_TARGET" \
--title "$feed_title" \
--notes "$feed_notes"
fi
fi
sync-version:
name: 'Sync Release Version to Main'
runs-on: 'ubuntu-latest'
timeout-minutes: 10
needs:
- 'publish'
- 'release_metadata'
if: '${{ inputs.dry_run == false && inputs.draft == false && inputs.prerelease == false }}'
permissions:
contents: 'write'
pull-requests: 'write'
steps:
- name: 'Require CI bot token'
env:
CI_BOT_PAT_SECRET: '${{ secrets.CI_BOT_PAT }}'
run: |
set -euo pipefail
if [ -z "$CI_BOT_PAT_SECRET" ]; then
echo "::error::CI_BOT_PAT is required because GITHUB_TOKEN-created PRs do not trigger pull_request workflows."
exit 1
fi
- name: 'Create version sync PR'
id: 'version-pr'
env:
GH_TOKEN: '${{ secrets.CI_BOT_PAT }}'
RELEASE_BRANCH: '${{ needs.release_metadata.outputs.release_branch }}'
RELEASE_TAG: '${{ needs.release_metadata.outputs.tag }}'
run: |
set -euo pipefail
pr_url="$(gh pr list \
--repo "$GITHUB_REPOSITORY" \
--head "$RELEASE_BRANCH" \
--base main \
--json url \
--jq '.[0].url')"
if [ -z "$pr_url" ]; then
pr_url="$(gh pr create \
--repo "$GITHUB_REPOSITORY" \
--base main \
--head "$RELEASE_BRANCH" \
--label 'skip-changelog' \
--title "chore(release): desktop ${RELEASE_TAG}" \
--body "Automated desktop release PR for ${RELEASE_TAG}. Syncs desktop package versions on main.")"
fi
echo "url=$pr_url" >> "$GITHUB_OUTPUT"
- name: 'Enable auto-merge'
env:
GH_TOKEN: '${{ secrets.CI_BOT_PAT }}'
PR_URL: '${{ steps.version-pr.outputs.url }}'
RELEASE_TAG: '${{ needs.release_metadata.outputs.tag }}'
run: |
set -euo pipefail
# No --delete-branch: main has a merge queue and gh rejects the flag
# when one is enabled (the queue owns the merge; head-branch deletion
# follows the repo's "Automatically delete head branches" setting).
gh pr merge "$PR_URL" \
--squash \
--auto \
--subject "chore(release): desktop ${RELEASE_TAG} [skip ci]"
dry-run-summary:
name: 'Dry Run Summary'
runs-on: 'ubuntu-latest'
timeout-minutes: 10
needs:
- 'build'
- 'release_metadata'
if: '${{ inputs.dry_run }}'
env:
RELEASE_TAG: '${{ needs.release_metadata.outputs.tag }}'
RELEASE_VERSION: '${{ needs.release_metadata.outputs.version }}'
steps:
- name: 'Download installer artifacts'
uses: 'actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c' # v8.0.1
with:
path: 'release-assets'
merge-multiple: true
- name: 'List release assets'
run: |
set -euo pipefail
assets=()
while IFS= read -r -d '' file; do
assets+=("$file")
done < <(find release-assets -type f -print0 | sort -z)
if [ "${#assets[@]}" -eq 0 ]; then
echo "No release assets were downloaded."
exit 1
fi
{
echo "## Desktop release dry run"
echo
echo "Version: $RELEASE_VERSION"
echo "Release tag: $RELEASE_TAG"
echo
echo "Built ${#assets[@]} asset(s). No GitHub Release was created or updated."
echo
echo "| Asset | Size |"
echo "| --- | ---: |"
for file in "${assets[@]}"; do
size=$(du -h "$file" | cut -f1)
echo "| $(basename "$file") | $size |"
done
} >> "$GITHUB_STEP_SUMMARY"