Files
Lumotia/.github/workflows/build.yml
Jake 3770815fbf
Some checks failed
check / cargo check (macos-latest) (push) Has been cancelled
check / cargo check (ubuntu-22.04) (push) Has been cancelled
check / cargo check (windows-latest) (push) Has been cancelled
check / svelte build + lint (push) Has been cancelled
agent: lumotia — v0.1 release-completion run
Closes the code-side v0.1 ship gate. All quality gates green:
cargo fmt/clippy/test (~327 tests), npm check (0/0), vitest 13/13,
scripts/dogfood-rebrand-drill.sh 8/8.

Phase F — first-run onboarding promoted to v0.1
- FirstRunPage with skip-to-main + failure recovery + event recording
- Six onboarding commands (record/list/has-completed + lumotia_events)
- Storage migration v17 (onboarding_events + lumotia_events tables)

UI hardening (in-scope items from v0.1-ui-hardening.md)
- StatusPill + PostCaptureCard components, 21st preview entry
- Sidebar recording-as-sacred-state (opacity + aria-disabled, reduced-motion)
- Settings 6-section regroup + Help section + Activation log + Privacy toggle
- Error-state copy sweep (DictationPage + SettingsPage, plain-language)
- Global :focus-visible rule, textarea outlines restored
- Ctrl+K / Ctrl+, / Escape bindings in +layout

LLM resilience
- rule_based_extract_tasks (regex-free imperative-verb extractor) +
  extract_tasks_with_fallback wrapper — task extraction never returns zero
- tokio::time::timeout(120s) wraps cleanup/tags/tasks commands

Release artefacts
- LICENSE (canonical AGPL-3.0), CHANGELOG (Keep-a-Changelog format)
- v0.1-release-notes, privacy-and-ai-use, install-warnings,
  tester-onboarding-kit, tester-acceptance-runbook, code-signing-setup,
  apple-silicon-rb08-runbook, virtual-audio-setup, v0.1-contrast-audit
- Workspace versioning + AGPL spdx; npm exact-pin (10 ranges removed)
- AppImage SHA-256 sidecar in build.yml
- README v0.1 section + Reporting-issues; canonical repo slug

Closure pass — items moved from human-required to code-complete
- KI-02 Linux idle inhibit: zbus 5 → org.freedesktop.login1.Manager.Inhibit
- KI-03 Windows sleep prevention: SetThreadExecutionState(ES_CONTINUOUS|...)
- acquire/release_idle_inhibit Tauri commands, wired in DictationPage
- Diagnostic-bundle frontend wire-up (Settings → Help button)
- WCAG-AA contrast fix via .btn-filled-text utility (no token changes)
- 8 destructive-action sites wrapped in plain-language confirm() guards
- KNOWN-ISSUES.md + v0.1-known-limitations.md updated (KI-02/03 fixed)

Scripts
- pre-tag-verify.sh, tag-day.sh, smoke-linux + driver
- parse-diagnostic-bundle.sh, parse-activation-log.py

Per-item audit trail: docs/release/v0.1-completion-status.md
Remaining: W-01…W-08 (signing certs, hardware probes, smoke matrix,
tester recruitment) — see docs/release/v0.1-known-limitations.md.
2026-05-15 06:59:08 +01:00

202 lines
7.9 KiB
YAML

# Cross-platform release build. Produces installer artifacts for
# Linux (.AppImage + .deb), Windows (.msi + .exe), macOS (.dmg + .app).
#
# Triggers:
# - Manual: any branch via "Run workflow" in the GitHub Actions UI.
# Use this to build a Windows binary on demand to dual-boot test.
# - Tag push (v*): builds + drafts a GitHub Release with all artifacts
# attached. Tag a release with `git tag v0.2.0 && git push --tags`.
#
# Artifacts:
# - workflow_dispatch builds: uploaded as Action artifacts
# (visible in the run page, downloadable for 30 days).
# - tag builds: attached to a draft GitHub Release named after the tag.
# Promote the draft to a release when ready.
#
# Signing:
# - macOS: signing + notarisation activate automatically when the
# APPLE_* secrets are set in the repo. Builds unsigned if absent.
# See docs/release/code-signing-setup.md for the cert walkthrough.
# - Windows: signing activates automatically when WINDOWS_CERTIFICATE
# + WINDOWS_CERTIFICATE_PASSWORD are set. Builds unsigned if absent.
# See docs/release/code-signing-setup.md for the cert walkthrough.
name: build
on:
push:
tags: ['v*']
workflow_dispatch:
inputs:
tag_name:
description: 'Optional tag name to attach the build to (leave blank for plain artifacts)'
required: false
concurrency:
group: build-${{ github.ref }}
cancel-in-progress: false # let release builds finish even on tag re-pushes
jobs:
build:
name: build (${{ matrix.os }})
permissions:
contents: write # needed to create draft releases on tag pushes
strategy:
fail-fast: false
matrix:
include:
- os: ubuntu-22.04
artifact_glob: |
src-tauri/target/release/bundle/appimage/*.AppImage
src-tauri/target/release/bundle/appimage/*.AppImage.sha256
src-tauri/target/release/bundle/deb/*.deb
- os: windows-latest
artifact_glob: |
src-tauri/target/release/bundle/msi/*.msi
src-tauri/target/release/bundle/nsis/*.exe
- os: macos-latest
artifact_glob: |
src-tauri/target/release/bundle/dmg/*.dmg
src-tauri/target/release/bundle/macos/*.app
runs-on: ${{ matrix.os }}
timeout-minutes: 60
steps:
- uses: actions/checkout@v4
# System packages — same as check.yml but locked to release-build needs.
# See check.yml for the per-package rationale (bindgen → libclang,
# llama-cpp-sys-2 vulkan feature → libvulkan / VULKAN_SDK).
- name: Install Linux deps
if: matrix.os == 'ubuntu-22.04'
run: |
sudo apt-get update
sudo apt-get install -y --no-install-recommends \
libwebkit2gtk-4.1-dev \
libappindicator3-dev \
librsvg2-dev \
libasound2-dev \
libudev-dev \
patchelf \
cmake \
build-essential \
libclang-dev \
clang \
libvulkan-dev \
glslang-tools \
spirv-tools
LIBCLANG_CANDIDATE=$(ls -d /usr/lib/llvm-*/lib 2>/dev/null | sort -V | tail -n1)
if [ -z "$LIBCLANG_CANDIDATE" ]; then
LIBCLANG_CANDIDATE=/usr/lib/x86_64-linux-gnu
fi
echo "LIBCLANG_PATH=$LIBCLANG_CANDIDATE" >> "$GITHUB_ENV"
- name: Install macOS deps
if: matrix.os == 'macos-latest'
run: |
brew list cmake >/dev/null 2>&1 || brew install cmake
brew list llvm >/dev/null 2>&1 || brew install llvm
brew install vulkan-headers vulkan-loader molten-vk shaderc
echo "LIBCLANG_PATH=$(brew --prefix llvm)/lib" >> "$GITHUB_ENV"
BREW_PREFIX=$(brew --prefix)
echo "VULKAN_SDK=$BREW_PREFIX" >> "$GITHUB_ENV"
echo "CMAKE_PREFIX_PATH=$BREW_PREFIX" >> "$GITHUB_ENV"
- name: Install Windows deps
if: matrix.os == 'windows-latest'
shell: pwsh
run: |
cmake --version
choco install -y llvm --no-progress
choco install -y vulkan-sdk --no-progress
$sdkRoot = Get-ChildItem -Directory "C:\VulkanSDK" | Sort-Object Name -Descending | Select-Object -First 1
if (-not $sdkRoot) {
Write-Error "VulkanSDK directory not found under C:\VulkanSDK after choco install"
exit 1
}
echo "VULKAN_SDK=$($sdkRoot.FullName)" >> $env:GITHUB_ENV
echo "LIBCLANG_PATH=C:\Program Files\LLVM\bin" >> $env:GITHUB_ENV
- name: Install Node
uses: actions/setup-node@v4
with:
node-version: 20
cache: npm
- name: Install Rust
uses: dtolnay/rust-toolchain@stable
# Workspace is at the repo root; target dir is ./target (not
# src-tauri/target). See note in check.yml for details.
- name: Cache Rust
uses: Swatinem/rust-cache@v2
with:
workspaces: .
shared-key: magnotia-build-${{ matrix.os }}
- name: Install JS deps
run: npm ci
# tauri-action handles `tauri build` plus, on tag pushes, attaches
# artifacts to a GitHub draft release. Empty tagName disables the
# release-creation behaviour for manual workflow_dispatch runs.
- name: Build (release)
uses: tauri-apps/tauri-action@v0
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
# macOS code-signing + notarisation. Builds unsigned if these secrets aren't set.
# Set via: gh secret set APPLE_SIGNING_IDENTITY --body "..." (etc.)
# See docs/release/code-signing-setup.md for the cert procurement walkthrough.
APPLE_SIGNING_IDENTITY: ${{ secrets.APPLE_SIGNING_IDENTITY }}
APPLE_CERTIFICATE: ${{ secrets.APPLE_CERTIFICATE }}
APPLE_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
APPLE_ID: ${{ secrets.APPLE_ID }}
APPLE_PASSWORD: ${{ secrets.APPLE_PASSWORD }}
APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
# Windows code-signing. Builds unsigned if these secrets aren't set.
# Set via: gh secret set WINDOWS_CERTIFICATE --body "..." (etc.)
# See docs/release/code-signing-setup.md for the cert procurement walkthrough.
WINDOWS_CERTIFICATE: ${{ secrets.WINDOWS_CERTIFICATE }}
WINDOWS_CERTIFICATE_PASSWORD: ${{ secrets.WINDOWS_CERTIFICATE_PASSWORD }}
with:
# If pushed as a tag, use the tag name; otherwise leave empty
# so tauri-action builds artifacts but does not touch releases.
tagName: ${{ github.ref_type == 'tag' && github.ref_name || (inputs.tag_name || '') }}
releaseName: ${{ github.ref_type == 'tag' && github.ref_name || (inputs.tag_name || '') }}
releaseDraft: true
prerelease: false
# Build all bundle types the OS supports.
args: ''
- name: Compute AppImage SHA-256
if: runner.os == 'Linux'
shell: bash
run: |
set -euo pipefail
cd src-tauri/target/release/bundle/appimage
for img in *.AppImage; do
sha256sum "$img" > "$img.sha256"
echo "Generated: $img.sha256"
cat "$img.sha256"
done
# Always upload as an Actions artifact too — accessible from the
# workflow run page even if the release-creation step was skipped.
- name: Upload artifacts
if: always()
uses: actions/upload-artifact@v4
with:
name: magnotia-${{ matrix.os }}-${{ github.sha }}
path: ${{ matrix.artifact_glob }}
retention-days: 30
if-no-files-found: warn
- name: Report artifact sizes
if: always()
shell: bash
run: |
if [ -d src-tauri/target/release/bundle ]; then
find src-tauri/target/release/bundle -type f \
\( -name '*.AppImage' -o -name '*.deb' -o -name '*.msi' -o -name '*.exe' -o -name '*.dmg' -o -name '*.app' \) \
-exec du -h {} + | sort -h
fi