Skip to content

docs: replace readme image with updated design capture #13

docs: replace readme image with updated design capture

docs: replace readme image with updated design capture #13

Workflow file for this run

name: Release

Check failure on line 1 in .github/workflows/release.yml

View workflow run for this annotation

GitHub Actions / .github/workflows/release.yml

Invalid workflow file

(Line: 9, Col: 5): Unexpected value ''
on:
workflow_dispatch:
push:
tags:
- "v*"
env:
permissions:
contents: read
concurrency:
group: release-${{ github.ref }}
cancel-in-progress: false
jobs:
build-macos:
runs-on: macos-latest
timeout-minutes: 90
steps:
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.2.2
- name: Use Node.js 22
uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
with:
node-version: 22
cache: npm
- name: Install dependencies
run: npm ci
- name: Audit dependencies (prod-only, release gate)
run: npm audit --omit=dev --audit-level=moderate
# Moderate+ vulnerabilities fail the build (per AGENTS.md "npm audit --omit=dev --audit-level=moderate is a release gate").
# High-only would be too permissive for a security-sensitive third-party client.
- name: Verify generated icon
run: npm run verify:icon
- name: Verify release packaging hardening (VERIFY-052)
run: npm run verify:release-packaging-hardening
- name: Lint (zero warnings)
run: npm run lint:eslint
# Mirrors the CI workflow gate so a release cannot ship with an ESLint
# warning that the regular PR pipeline would have caught.
- name: Typecheck
run: npm run typecheck
- name: Test
run: npm test
- name: Build
run: npm run build
- name: Warn if macOS signing credentials are absent
if: startsWith(github.ref, 'refs/tags/v')
run: |
if [[ -z "${{ secrets.CSC_LINK }}" || -z "${{ secrets.CSC_KEY_PASSWORD }}" || -z "${{ secrets.APPLE_ID }}" || -z "${{ secrets.APPLE_APP_SPECIFIC_PASSWORD }}" || -z "${{ secrets.APPLE_TEAM_ID }}" ]]; then
echo "::warning::macOS signing/notarization credentials not configured — release will be unsigned."
fi
- name: Package macOS artifacts (Development)
if: ${{ !startsWith(github.ref, 'refs/tags/v') }}
run: npm run dist:mac
env:
CSC_IDENTITY_AUTO_DISCOVERY: "false"
- name: Package macOS artifacts (Release)
if: startsWith(github.ref, 'refs/tags/v')
run: npm run dist:mac
env:
CSC_LINK: ${{ secrets.CSC_LINK }}
CSC_KEY_PASSWORD: ${{ secrets.CSC_KEY_PASSWORD }}
APPLE_ID: ${{ secrets.APPLE_ID }}
APPLE_APP_SPECIFIC_PASSWORD: ${{ secrets.APPLE_APP_SPECIFIC_PASSWORD }}
APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
- name: Generate SHA-256 checksums
run: npm run checksum:release
- name: Verify release artifacts
run: npm run verify:dist:mac
- name: Verify archive hygiene (no tracked contaminants)
run: node scripts/verify-archive-clean.cjs
- name: Upload macOS artifacts
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
with:
name: venice-forge-macos-${{ github.ref_name }}
path: |
release/*
if-no-files-found: error
build-windows:
runs-on: windows-latest
timeout-minutes: 90
steps:
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.2.2
- name: Use Node.js 22
uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
with:
node-version: 22
cache: npm
- name: Install dependencies
run: npm ci
- name: Audit dependencies (prod-only, release gate)
run: npm audit --omit=dev --audit-level=moderate
# Moderate+ vulnerabilities fail the build (per AGENTS.md "npm audit --omit=dev --audit-level=moderate is a release gate").
# High-only would be too permissive for a security-sensitive third-party client.
- name: Verify generated icon
run: npm run verify:icon
- name: Verify release packaging hardening (VERIFY-052)
run: npm run verify:release-packaging-hardening
- name: Lint (zero warnings)
run: npm run lint:eslint
# Mirrors the CI workflow gate so a release cannot ship with an ESLint
# warning that the regular PR pipeline would have caught.
- name: Typecheck
run: npm run typecheck
- name: Test
run: npm test
- name: Build
run: npm run build
- name: Warn if Windows signing credentials are absent
if: startsWith(github.ref, 'refs/tags/v')
shell: bash
run: |
if [[ -z "${{ secrets.WIN_CSC_LINK }}" || -z "${{ secrets.WIN_CSC_KEY_PASSWORD }}" ]]; then
echo "::warning::Windows signing credentials not configured — release will be unsigned."
fi
- name: Package Windows artifacts (Development)
if: ${{ !startsWith(github.ref, 'refs/tags/v') }}
run: npm run dist:win
env:
CSC_IDENTITY_AUTO_DISCOVERY: "false"
- name: Package Windows artifacts (Release)
if: startsWith(github.ref, 'refs/tags/v')
run: npm run dist:win
env:
CSC_IDENTITY_AUTO_DISCOVERY: "false"
WIN_CSC_LINK: ${{ secrets.WIN_CSC_LINK }}
WIN_CSC_KEY_PASSWORD: ${{ secrets.WIN_CSC_KEY_PASSWORD }}
- name: Generate SHA-256 checksums
run: npm run checksum:release
- name: Verify release artifacts
run: npm run verify:dist:win
- name: Verify archive hygiene (no tracked contaminants)
run: node scripts/verify-archive-clean.cjs
- name: Upload Windows artifacts
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
with:
name: venice-forge-windows-${{ github.ref_name }}
path: |
release/*
if-no-files-found: error
build-linux:
runs-on: ubuntu-latest
timeout-minutes: 90
steps:
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.2.2
- name: Use Node.js 22
uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
with:
node-version: 22
cache: npm
- name: Install dependencies
run: npm ci
- name: Audit dependencies (prod-only, release gate)
run: npm audit --omit=dev --audit-level=moderate
- name: Verify generated icon
run: npm run verify:icon
- name: Verify release packaging hardening (VERIFY-052)
run: npm run verify:release-packaging-hardening
- name: Lint (zero warnings)
run: npm run lint:eslint
# Mirrors the CI workflow gate so a release cannot ship with an ESLint
# warning that the regular PR pipeline would have caught.
- name: Typecheck
run: npm run typecheck
- name: Test
run: npm test
- name: Build
run: npm run build
- name: Package Linux artifacts
run: npm run dist:linux
- name: Generate SHA-256 checksums
run: npm run checksum:release
- name: Verify Linux release artifacts
run: npm run verify:dist:linux
- name: Verify archive hygiene (no tracked contaminants)
run: node scripts/verify-archive-clean.cjs
- name: Upload Linux artifacts
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
with:
name: venice-forge-linux-${{ github.ref_name }}
path: |
release/*
if-no-files-found: error
publish:
runs-on: ubuntu-latest
needs: [build-macos, build-windows, build-linux]
if: startsWith(github.ref, 'refs/tags/v')
timeout-minutes: 30
permissions:
contents: write
steps:
- name: Download macOS artifacts
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
with:
name: venice-forge-macos-${{ github.ref_name }}
path: release/
- name: Download Windows artifacts
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
with:
name: venice-forge-windows-${{ github.ref_name }}
path: release/
- name: Download Linux artifacts
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
with:
name: venice-forge-linux-${{ github.ref_name }}
path: release/
- name: Publish to GitHub Releases
uses: softprops/action-gh-release@b4309332981a82ec1c5618f44dd2e27cc8bfbfda # v3.0.0
with:
files: release/*
draft: false
prerelease: false