docs: replace readme image with updated design capture #13
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Release | ||
| on: | ||
| workflow_dispatch: | ||
| push: | ||
| tags: | ||
| - "v*" | ||
| env: | ||
| permissions: | ||
| contents: read | ||
| concurrency: | ||
| group: release-${{ github.ref }} | ||
| cancel-in-progress: false | ||
| jobs: | ||
| build-macos: | ||
| runs-on: macos-latest | ||
| timeout-minutes: 90 | ||
| steps: | ||
| - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.2.2 | ||
| - name: Use Node.js 22 | ||
| uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 | ||
| with: | ||
| node-version: 22 | ||
| cache: npm | ||
| - name: Install dependencies | ||
| run: npm ci | ||
| - name: Audit dependencies (prod-only, release gate) | ||
| run: npm audit --omit=dev --audit-level=moderate | ||
| # Moderate+ vulnerabilities fail the build (per AGENTS.md "npm audit --omit=dev --audit-level=moderate is a release gate"). | ||
| # High-only would be too permissive for a security-sensitive third-party client. | ||
| - name: Verify generated icon | ||
| run: npm run verify:icon | ||
| - name: Verify release packaging hardening (VERIFY-052) | ||
| run: npm run verify:release-packaging-hardening | ||
| - name: Lint (zero warnings) | ||
| run: npm run lint:eslint | ||
| # Mirrors the CI workflow gate so a release cannot ship with an ESLint | ||
| # warning that the regular PR pipeline would have caught. | ||
| - name: Typecheck | ||
| run: npm run typecheck | ||
| - name: Test | ||
| run: npm test | ||
| - name: Build | ||
| run: npm run build | ||
| - name: Warn if macOS signing credentials are absent | ||
| if: startsWith(github.ref, 'refs/tags/v') | ||
| run: | | ||
| if [[ -z "${{ secrets.CSC_LINK }}" || -z "${{ secrets.CSC_KEY_PASSWORD }}" || -z "${{ secrets.APPLE_ID }}" || -z "${{ secrets.APPLE_APP_SPECIFIC_PASSWORD }}" || -z "${{ secrets.APPLE_TEAM_ID }}" ]]; then | ||
| echo "::warning::macOS signing/notarization credentials not configured — release will be unsigned." | ||
| fi | ||
| - name: Package macOS artifacts (Development) | ||
| if: ${{ !startsWith(github.ref, 'refs/tags/v') }} | ||
| run: npm run dist:mac | ||
| env: | ||
| CSC_IDENTITY_AUTO_DISCOVERY: "false" | ||
| - name: Package macOS artifacts (Release) | ||
| if: startsWith(github.ref, 'refs/tags/v') | ||
| run: npm run dist:mac | ||
| env: | ||
| CSC_LINK: ${{ secrets.CSC_LINK }} | ||
| CSC_KEY_PASSWORD: ${{ secrets.CSC_KEY_PASSWORD }} | ||
| APPLE_ID: ${{ secrets.APPLE_ID }} | ||
| APPLE_APP_SPECIFIC_PASSWORD: ${{ secrets.APPLE_APP_SPECIFIC_PASSWORD }} | ||
| APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }} | ||
| - name: Generate SHA-256 checksums | ||
| run: npm run checksum:release | ||
| - name: Verify release artifacts | ||
| run: npm run verify:dist:mac | ||
| - name: Verify archive hygiene (no tracked contaminants) | ||
| run: node scripts/verify-archive-clean.cjs | ||
| - name: Upload macOS artifacts | ||
| uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 | ||
| with: | ||
| name: venice-forge-macos-${{ github.ref_name }} | ||
| path: | | ||
| release/* | ||
| if-no-files-found: error | ||
| build-windows: | ||
| runs-on: windows-latest | ||
| timeout-minutes: 90 | ||
| steps: | ||
| - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.2.2 | ||
| - name: Use Node.js 22 | ||
| uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 | ||
| with: | ||
| node-version: 22 | ||
| cache: npm | ||
| - name: Install dependencies | ||
| run: npm ci | ||
| - name: Audit dependencies (prod-only, release gate) | ||
| run: npm audit --omit=dev --audit-level=moderate | ||
| # Moderate+ vulnerabilities fail the build (per AGENTS.md "npm audit --omit=dev --audit-level=moderate is a release gate"). | ||
| # High-only would be too permissive for a security-sensitive third-party client. | ||
| - name: Verify generated icon | ||
| run: npm run verify:icon | ||
| - name: Verify release packaging hardening (VERIFY-052) | ||
| run: npm run verify:release-packaging-hardening | ||
| - name: Lint (zero warnings) | ||
| run: npm run lint:eslint | ||
| # Mirrors the CI workflow gate so a release cannot ship with an ESLint | ||
| # warning that the regular PR pipeline would have caught. | ||
| - name: Typecheck | ||
| run: npm run typecheck | ||
| - name: Test | ||
| run: npm test | ||
| - name: Build | ||
| run: npm run build | ||
| - name: Warn if Windows signing credentials are absent | ||
| if: startsWith(github.ref, 'refs/tags/v') | ||
| shell: bash | ||
| run: | | ||
| if [[ -z "${{ secrets.WIN_CSC_LINK }}" || -z "${{ secrets.WIN_CSC_KEY_PASSWORD }}" ]]; then | ||
| echo "::warning::Windows signing credentials not configured — release will be unsigned." | ||
| fi | ||
| - name: Package Windows artifacts (Development) | ||
| if: ${{ !startsWith(github.ref, 'refs/tags/v') }} | ||
| run: npm run dist:win | ||
| env: | ||
| CSC_IDENTITY_AUTO_DISCOVERY: "false" | ||
| - name: Package Windows artifacts (Release) | ||
| if: startsWith(github.ref, 'refs/tags/v') | ||
| run: npm run dist:win | ||
| env: | ||
| CSC_IDENTITY_AUTO_DISCOVERY: "false" | ||
| WIN_CSC_LINK: ${{ secrets.WIN_CSC_LINK }} | ||
| WIN_CSC_KEY_PASSWORD: ${{ secrets.WIN_CSC_KEY_PASSWORD }} | ||
| - name: Generate SHA-256 checksums | ||
| run: npm run checksum:release | ||
| - name: Verify release artifacts | ||
| run: npm run verify:dist:win | ||
| - name: Verify archive hygiene (no tracked contaminants) | ||
| run: node scripts/verify-archive-clean.cjs | ||
| - name: Upload Windows artifacts | ||
| uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 | ||
| with: | ||
| name: venice-forge-windows-${{ github.ref_name }} | ||
| path: | | ||
| release/* | ||
| if-no-files-found: error | ||
| build-linux: | ||
| runs-on: ubuntu-latest | ||
| timeout-minutes: 90 | ||
| steps: | ||
| - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.2.2 | ||
| - name: Use Node.js 22 | ||
| uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 | ||
| with: | ||
| node-version: 22 | ||
| cache: npm | ||
| - name: Install dependencies | ||
| run: npm ci | ||
| - name: Audit dependencies (prod-only, release gate) | ||
| run: npm audit --omit=dev --audit-level=moderate | ||
| - name: Verify generated icon | ||
| run: npm run verify:icon | ||
| - name: Verify release packaging hardening (VERIFY-052) | ||
| run: npm run verify:release-packaging-hardening | ||
| - name: Lint (zero warnings) | ||
| run: npm run lint:eslint | ||
| # Mirrors the CI workflow gate so a release cannot ship with an ESLint | ||
| # warning that the regular PR pipeline would have caught. | ||
| - name: Typecheck | ||
| run: npm run typecheck | ||
| - name: Test | ||
| run: npm test | ||
| - name: Build | ||
| run: npm run build | ||
| - name: Package Linux artifacts | ||
| run: npm run dist:linux | ||
| - name: Generate SHA-256 checksums | ||
| run: npm run checksum:release | ||
| - name: Verify Linux release artifacts | ||
| run: npm run verify:dist:linux | ||
| - name: Verify archive hygiene (no tracked contaminants) | ||
| run: node scripts/verify-archive-clean.cjs | ||
| - name: Upload Linux artifacts | ||
| uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 | ||
| with: | ||
| name: venice-forge-linux-${{ github.ref_name }} | ||
| path: | | ||
| release/* | ||
| if-no-files-found: error | ||
| publish: | ||
| runs-on: ubuntu-latest | ||
| needs: [build-macos, build-windows, build-linux] | ||
| if: startsWith(github.ref, 'refs/tags/v') | ||
| timeout-minutes: 30 | ||
| permissions: | ||
| contents: write | ||
| steps: | ||
| - name: Download macOS artifacts | ||
| uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 | ||
| with: | ||
| name: venice-forge-macos-${{ github.ref_name }} | ||
| path: release/ | ||
| - name: Download Windows artifacts | ||
| uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 | ||
| with: | ||
| name: venice-forge-windows-${{ github.ref_name }} | ||
| path: release/ | ||
| - name: Download Linux artifacts | ||
| uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 | ||
| with: | ||
| name: venice-forge-linux-${{ github.ref_name }} | ||
| path: release/ | ||
| - name: Publish to GitHub Releases | ||
| uses: softprops/action-gh-release@b4309332981a82ec1c5618f44dd2e27cc8bfbfda # v3.0.0 | ||
| with: | ||
| files: release/* | ||
| draft: false | ||
| prerelease: false | ||