name: Release Desktop # STAGE 1 of the decoupled release pipeline: BUILD ONLY. # Builds the desktop client for macOS (arm64 + x64) and Windows (x64), mirrors # the installers to R2, and registers them in D1 as UNPUBLISHED (is_latest=0) # so the website keeps serving the previous release. It does NOT notarize # (Apple's notary service stalls this large bundle for hours) and does NOT # create a GitHub Release. # # Full flow: # 1. (this workflow) build + upload to R2 + D1 as unpublished. # 2. (local) download the mac dmgs, run desktop/build/notarize-dmg.sh to # notarize + staple + re-upload the stapled dmgs to R2. # 3. (Publish Desktop workflow) flip D1 is_latest=1 and attach GitHub # Release assets — makes the version live on the site. # # Push a tag like `v1.2.0` (or use workflow_dispatch) to run stage 1. on: push: tags: - "v*" # Manual trigger for testing the full pipeline without cutting a real tag. workflow_dispatch: inputs: version: description: "Version to stamp (e.g. 1.0.0-test). Used for package.json and R2 path." type: string default: "0.0.0-dev" publish_r2: description: "Upload installers to R2 + register in D1 (needs Cloudflare secrets)" type: boolean default: false permissions: contents: write jobs: build: name: Build ${{ matrix.name }} runs-on: ${{ matrix.os }} strategy: # Don't cancel the other platforms if one fails — we want to see all # failures in a single run. fail-fast: false matrix: include: - name: macOS arm64 os: macos-14 platform: mac arch: arm64 eb_flags: --mac --arm64 - name: macOS x64 os: macos-15-intel platform: mac arch: x64 eb_flags: --mac --x64 - name: Windows x64 os: windows-latest platform: win arch: x64 eb_flags: --win --x64 steps: - name: Checkout uses: actions/checkout@v4 - name: Derive version # Tag push: strip the leading "v" from GITHUB_REF_NAME (e.g. v1.2.0). # Manual dispatch: use the provided version input. id: ver shell: bash run: | if [ "${{ github.event_name }}" = "push" ]; then ref="${GITHUB_REF_NAME:-}" echo "version=${ref#v}" >> "$GITHUB_OUTPUT" else echo "version=${{ github.event.inputs.version }}" >> "$GITHUB_OUTPUT" fi - name: Set up Python uses: actions/setup-python@v5 with: python-version: "3.11" - name: Set up Node uses: actions/setup-node@v4 with: node-version: "20" - name: Build Python backend (PyInstaller) shell: bash run: | python -m pip install --upgrade pip pip install -r desktop/build/requirements-desktop.txt pip install pyinstaller # Run from repo root so the spec's relative datas resolve correctly. pyinstaller desktop/build/cowagent-backend.spec \ --noconfirm \ --distpath desktop/build/dist \ --workpath desktop/build/build-work - name: Install desktop deps working-directory: desktop run: npm ci - name: Write version into package.json working-directory: desktop shell: bash run: npm version "${{ steps.ver.outputs.version }}" --no-git-tag-version --allow-same-version - name: Build & publish (electron-builder) working-directory: desktop shell: bash env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Signing secrets are passed through as-is; we only export them to the # environment below when non-empty. An empty CSC_LINK would make # electron-builder try to load a bogus certificate and fail, so unset # is the correct state for unsigned builds. MAC_CSC_LINK: ${{ secrets.MAC_CSC_LINK }} MAC_CSC_KEY_PASSWORD: ${{ secrets.MAC_CSC_KEY_PASSWORD }} WIN_CSC_LINK: ${{ secrets.WIN_CSC_LINK }} WIN_CSC_KEY_PASSWORD: ${{ secrets.WIN_CSC_KEY_PASSWORD }} run: | npm run build # Only export signing vars when provided. Empty strings are NOT the # same as unset to electron-builder: an empty CSC_LINK is treated as # a (broken) certificate path and aborts the build. Leaving them # unset makes electron-builder fall back to an unsigned build. if [ -n "$MAC_CSC_LINK" ]; then export CSC_LINK="$MAC_CSC_LINK" export CSC_KEY_PASSWORD="$MAC_CSC_KEY_PASSWORD" fi if [ -z "$WIN_CSC_LINK" ]; then unset WIN_CSC_LINK WIN_CSC_KEY_PASSWORD fi # Never let electron-builder publish: our publish target is a generic # (read-only) feed served from R2/D1, which it can't upload to. We mirror # installers to R2 and register them in D1 ourselves (publish-r2 job). # `--publish never` still emits the latest*.yml files. # Use the dynamic config (electron-builder.js): it populates # mac.binaries (backend Mach-O files to sign). Notarization is NOT done # here — Apple's notary service keeps this large bundle "In Progress" # for hours, so it's decoupled into a manual local step # (desktop/build/notarize-dmg.sh) run after this build produces the # signed dmg. The dmg is signed + hardened-runtime, so it only needs a # ticket stapled later. npx electron-builder ${{ matrix.eb_flags }} --config electron-builder.js --publish never # Upload artifacts regardless of outcome, so a failed run still surfaces # the built installers (and, on success, the notarized+stapled dmg). - name: Upload artifacts if: always() uses: actions/upload-artifact@v4 with: # One bundle per platform/arch so the publish job can collect them all. name: cowagent-${{ matrix.platform }}-${{ matrix.arch }} path: | desktop/release/*.dmg desktop/release/*.exe desktop/release/*.yml desktop/release/*.blockmap if-no-files-found: ignore retention-days: 7 # Mirror the release installers to R2 (CDN-backed) and register them in D1 so # cowagent.ai/download/{platform}/latest can resolve and count downloads. # Runs only on tag pushes, and is a no-op (skips) until the Cloudflare secrets # are configured, so it never blocks unsigned/dry builds. publish-r2: name: Publish to R2 + D1 # Require every platform in the build matrix to succeed before publishing, # so a release on R2/D1 is always complete (all installers present) rather # than partial. needs: build already gates on all matrix jobs succeeding. needs: build runs-on: ubuntu-latest # Run on a tag push, or on a manual dispatch when publish_r2 is checked. if: >- (github.event_name == 'push' && startsWith(github.ref, 'refs/tags/v')) || (github.event_name == 'workflow_dispatch' && github.event.inputs.publish_r2 == 'true') steps: - name: Checkout uses: actions/checkout@v4 - name: Guard on Cloudflare secrets id: guard env: CF_TOKEN: ${{ secrets.CLOUDFLARE_API_TOKEN }} run: | if [ -n "$CF_TOKEN" ]; then echo "enabled=true" >> "$GITHUB_OUTPUT" else echo "enabled=false" >> "$GITHUB_OUTPUT" echo "::notice::CLOUDFLARE_API_TOKEN not set — skipping R2/D1 publish." fi - name: Derive version if: steps.guard.outputs.enabled == 'true' id: ver run: | if [ "${{ github.event_name }}" = "push" ]; then echo "version=${GITHUB_REF_NAME#v}" >> "$GITHUB_OUTPUT" else echo "version=${{ github.event.inputs.version }}" >> "$GITHUB_OUTPUT" fi - name: Download all build artifacts if: steps.guard.outputs.enabled == 'true' uses: actions/download-artifact@v4 with: path: artifacts - name: Stage installers if: steps.guard.outputs.enabled == 'true' id: stage run: | mkdir -p dist # Flatten installers + their .blockmap (used by electron-updater for # differential downloads) from every per-platform artifact dir. The # .yml feed is generated dynamically by the /update Function from D1, # so the yml files themselves don't need to go to R2. find artifacts -type f \( -name '*.dmg' -o -name '*.exe' -o -name '*.blockmap' \) -exec cp {} dist/ \; echo "Staged files:"; ls -la dist # When the whole matrix failed there's nothing to publish; flag it so # the R2/D1 steps skip instead of writing an empty/partial release. if [ -n "$(ls -A dist 2>/dev/null)" ]; then echo "has_files=true" >> "$GITHUB_OUTPUT" else echo "has_files=false" >> "$GITHUB_OUTPUT" echo "::warning::No installers found in any artifact — skipping R2/D1 publish." fi - name: Upload installers to R2 if: steps.guard.outputs.enabled == 'true' && steps.stage.outputs.has_files == 'true' env: CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_API_TOKEN }} CLOUDFLARE_ACCOUNT_ID: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }} VER: ${{ steps.ver.outputs.version }} run: | # Reuse the existing cow-skills bucket under a desktop/ prefix; this # is served by the cdn.cowagent.ai custom domain. for f in dist/*; do base="$(basename "$f")" key="desktop/v${VER}/${base}" echo "==> Uploading $base -> r2://cow-skills/$key" npx --yes wrangler@latest r2 object put "cow-skills/$key" \ --file "$f" --remote done - name: Register release rows in D1 if: steps.guard.outputs.enabled == 'true' && steps.stage.outputs.has_files == 'true' env: CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_API_TOKEN }} CLOUDFLARE_ACCOUNT_ID: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }} VER: ${{ steps.ver.outputs.version }} run: | # Map each installer filename to a platform id. dmg arch is in the # name (…-arm64.dmg / …-x64.dmg); .exe is the Windows installer. sql_file="$(mktemp)" # This build job ALWAYS registers rows as unpublished (is_latest=0), so # /download/
/latest keeps serving the previous release and the new # version stays invisible on the site. macOS dmgs still need to be # notarized+stapled locally (build/notarize-dmg.sh) before they're # safe to ship. Promotion to latest happens later, only after # notarization, via the separate "Publish Desktop" workflow. echo "==> Registering $VER as unpublished (is_latest=0)." # Compute sha512 (base64, the format electron-updater validates) from # the actual staged files rather than electron-builder's latest*.yml. # NOTE: for macOS the dmg is re-hashed later by the publish workflow # after stapling (stapling rewrites the dmg bytes), so the sha stored # here is a placeholder for mac and authoritative only for win. sha_for_file() { openssl dgst -sha512 -binary "$1" | openssl base64 -A; } for f in dist/*; do base="$(basename "$f")" size="$(stat -c%s "$f")" case "$base" in *arm64.dmg) platform="mac-arm64" ;; *x64.dmg) platform="mac-x64" ;; *.exe) platform="win" ;; *) echo "Skipping unrecognized artifact: $base"; continue ;; esac key="v${VER}/${base}" sha="$(sha_for_file "$f")" # SQL-escape single quotes defensively (base64 has none, but be safe). sha="${sha//\'/\'\'}" # Never mark latest here — the row is unpublished until the separate # publish workflow promotes it after notarization. echo "INSERT OR REPLACE INTO releases (version, platform, filename, size, sha512, is_latest) VALUES ('${VER}', '${platform}', '${key}', ${size}, '${sha}', 0);" >> "$sql_file" done echo "==> D1 statements:"; cat "$sql_file" npx --yes wrangler@latest d1 execute cow-desktop --remote --file "$sql_file"