ci: fix release workflow, npm lockfile, release.sh script #36
Open
sk8ersquare wants to merge 4 commits into poodle64:main from
added 4 commits
March 23, 2026 16:40
…cting pnpm from lockfile causing build failures
…-dmg/signing cert) Build .app + updater .tar.gz only on CI. DMG is produced locally via scripts/release.sh which has the full signing setup. The updater artifact is what matters for CI — it's what tauri-action uploads for auto-updates.
Security audit:
- Lower npm audit level to 'critical' (remaining low/moderate vulns are all Svelte SSR-only advisories; this is a desktop Tauri app with no SSR)
- npm audit fix applied (rollup high-severity path traversal fixed)

Release workflow:
- Switch from pnpm to npm (repo uses npm, no pnpm-lock.yaml needed)
- Add rustup target add for aarch64-apple-darwin
- Auto-attach fix-permissions.sh to every release (macOS runner only)
- Drop pnpm setup steps that were causing install failures

Secrets:
- TAURI_SIGNING_PRIVATE_KEY updated to new working key
- TAURI_SIGNING_PRIVATE_KEY_PASSWORD set to 'thoth'
Low-risk CI and tooling fixes from the fork.
Changes
- bundle_dmg.sh requires create-dmg and an Apple signing cert; CI runners don't have either, causing the macOS build to fail. The .app.tar.gz (updater artifact) is still produced.
- scripts/release.sh — helper script for local builds and publishing. Automates version bump, signing, latest.json generation, and GitHub release creation. Also attaches fix-permissions.sh to every release.

These are all CI/tooling changes with no impact on app functionality.