feat(release): auto-publish the prod release once all targets land

[Astro-Han]

Summary

Auto-publish the prod GitHub release once every target's installers and updater metadata have landed in the draft, then dispatch the R2 mirror — removing the manual "publish + pin tag + dispatch mirror" step at the end of every release.

• scripts/publish-when-complete.ts (new) — runs at the tail of each prod finalize/full target; the last target to complete flips the draft to published and dispatches the mirror.
• Single-source guard — per-target provenance markers, a content anchor, and a seal/re-read around the publish PATCH, so a release assembled from more than one commit is never published.
• scripts/verify-release.ts — an allowDraft seam plus provenance/parseUpdaterShaByUrl helpers.
• scripts/finalize-latest-yml.ts — refuses to overwrite the updater metadata of an already-published release.
• .github/workflows/build.yml — the tail publish step and actions: write on build-electron.

No related issue; this is a self-contained release-pipeline automation.

Why

The pipeline leaves a draft GitHub release after every build and nothing flips it to published, so mirror-release-to-r2.yml (which triggers on release: published) never fires, and an operator has to manually publish the draft, pin the tag to the build commit, and dispatch the mirror.

The hard part is that one version's assets are assembled across multiple, sometimes concurrent workflow_dispatch runs (mac arm64 + x64 finalize, win full), each with its own source commit, and installers carry only the version (not the commit) in their names. So a naive "publish when the draft looks complete" could publish a release whose mac and win halves came from different commits. The guard below is designed to fail closed against that.

Related Issue

None — self-contained automation of an existing manual release step. Rationale stated in Summary.

Human Review Status

Pending

Review Focus

1. The single-source guard in publish-when-complete.ts — whether a mixed-source publish is still reachable by the normal one-dispatch CI pipeline (vs. only by two concurrent same-version dispatches from different commits racing a single HTTP round-trip):
   • per-target marker pawwork-<os>-<arch>-<version>.commit holding {commit, sha512[]} (distinct cell per target → no claim race);
   • content anchor (every marker's recorded installer hash must still be in the current latest*.yml; empty record fails closed);
   • seal → settle → re-read → refuse-if-any-asset-URL-moved before the publish PATCH (the last write).
2. finalize-latest-yml.ts published-release guard (gh release view --jq .isDraft before the gh release upload --clobber loop).
3. GITHUB_TOKEN permissions — actions: write for the mirror workflow_dispatch; contents: write for marker upload/delete and the release PATCH.
4. Draft-release API correctness — drafts found via the list endpoint (they 404 on GET /releases/tags/{tag}), asset bytes via the asset API URL with Accept: application/octet-stream, marker upload via upload_url.

Risk Notes

• Permissions: build-electron gains actions: write (to gh workflow run the mirror) and keeps contents: write (release PATCH + marker upload/delete). The opencode build-workflow contract test was updated to assert this.
• Deletion behavior: provenance markers are delete-then-recreate on overwrite; the publish PATCH flips draft→false and pins target_commitish to the build commit.
• Platform / packaging / updater: touches the macOS (arm64 + x64) and Windows (x64) release/updater flow. Installer assets themselves are protected from a later same-version build by electron-builder (releaseType defaults to draft, so it skips an already-published release); only latest*.yml needed the finalize guard.
• Residual race: GitHub offers no cross-asset compare-and-swap, so a mixed-source publish is reachable only by two same-version builds from different commits dispatched concurrently and landing a write in the single HTTP round-trip between a check and its write — not the normal one-dispatch pipeline (each version is built once, from one commit). Documented in the script header. Eliminating it entirely would require the commit in asset filenames (breaks the updater, mirror, and site links) or one orchestrated workflow.
• dev/beta are unaffected: gated to channel == 'prod'; dev has no publish config, beta lives in a separate repo.
• No visible UI or copy changed (the UI checklist item below is intentionally left unticked for that reason).

How To Verify

desktop-electron full suite (bun test):                464 pass, 0 fail
  incl. publish-when-complete.test.ts (decision policy: commit-mismatch,
        completeness, content-anchor drift, empty-marker fail-closed),
        verify-release.test.ts (allowDraft seam, parseUpdaterShaByUrl),
        release-metadata-contract.test.ts (finalizer published-release guard),
        release-workflow-contract.test.ts
opencode workflow contract tests (bun test test/github):  46 pass, 0 fail
  incl. build-workflow.test.ts (build-electron permissions = actions:write + contents:write)
bun run typecheck:                                      clean
bun run typecheck:release:                              clean
actionlint .github/workflows/build.yml:                 no new findings (only
  pre-existing SC2086/SC2046 on unrelated Apple-key/notarize steps)

End-to-end cannot be exercised without a real prod release; the script is written fail-closed (incomplete → no-op draft, ambiguous/mixed → fail), so the worst case is "stays a draft, publish manually", never "publishes something broken".

Screenshots or Recordings

N/A — no visible UI or copy changes.

Checklist

How to use this checklist:

• Tick a box by replacing [ ] with [x]. Do not edit, add, or remove items.
• The bot-applied label items can only be honestly ticked AFTER the PR is opened and the labeler / priority-triage bots have run — return to the PR description and tick them then.
• Most items are required. The few that are conditional are explicitly marked (conditional); for those, leave unticked if they truly do not apply and explain why in Risk Notes. All other items must be ticked before requesting human review.

• Type label — this PR carries exactly one of bug, enhancement, task, documentation. Type labels are author-added; the labeler bot does NOT assign them. Add the label in the GitHub UI, then tick this.
• Routing labels — this PR carries at least one of app, ui, platform, harness, ci. The labeler bot assigns these on PR open based on changed paths. Confirm the bot's choice (or override if wrong), then tick this.
• Priority label — this PR carries exactly one of P0, P1, P2, P3. The priority-triage bot suggests one on PR open. Confirm or override, then tick this.
• Human Review Status above is set to Pending, Approved by @<reviewer>, or Not required: <reason> (default is Pending; "not required" is restricted to bot-authored low-risk PRs).
• I linked the related issue, or stated in Summary why there is no issue.
• I described the review focus and any meaningful risks.
• I replaced the example block in How To Verify with the real verification steps and the key result for each.
• I did not introduce unrelated refactors, dependencies, generated files, or file changes beyond the stated scope.
• (conditional) I manually checked visible UI or copy changes when needed, with screenshots or recordings. Leave unticked only if no visible UI or copy changed.
• (conditional) I considered macOS and Windows impact for platform, packaging, updater, signing, paths, shell, or permissions changes. Leave unticked only if no platform/packaging surface was touched.
• (conditional) I called out docs, release notes, dependencies, permissions, credentials, deletion behavior, generated content, or local file changes when relevant. Leave unticked only if none of those surfaces was touched.
• I reviewed the final diff for unrelated changes and suspicious dependency changes.
• I am targeting dev, and my PR title and commit messages use Conventional Commits in English.

[coderabbitai]

Warning

Review limit reached

@Astro-Han, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 1 minute and 4 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: 99b13e9c-85b7-4faf-9d9b-02892a99021d

📥 Commits

Reviewing files that changed from the base of the PR and between 802bcb8 and 65a6b53.

📒 Files selected for processing (8)

• .github/workflows/build.yml
• packages/desktop-electron/scripts/finalize-latest-yml.ts
• packages/desktop-electron/scripts/publish-when-complete.test.ts
• packages/desktop-electron/scripts/publish-when-complete.ts
• packages/desktop-electron/scripts/release-metadata-contract.test.ts
• packages/desktop-electron/scripts/verify-release.test.ts
• packages/desktop-electron/scripts/verify-release.ts
• packages/opencode/test/github/build-workflow.test.ts

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch claude/release-auto-publish

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

Suggested priority: P2 (includes non-doc, non-test paths outside the low-risk bucket).

P1/P0 are reserved for maintainer confirmation. Please relabel manually if this is a release blocker, security issue, data-loss risk, or updater/runtime failure.

[gemini-code-assist]

Code Review

This pull request introduces a new script publish-when-complete.ts (along with unit tests) to automatically publish a draft release once all build targets and updater metadata are uploaded, and then trigger an R2 mirror. It also updates verify-release.ts to support an allowDraft option to suppress draft validation errors during completeness checks. A critical issue was identified in fetchTagSha where fetching the tag ref returns the tag object SHA instead of the commit SHA for annotated tags, which would cause the commit verification check to fail. A suggestion was provided to resolve this by querying the /commits/{ref} endpoint instead.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.