Skip to content

Add a Prod build and a QC build#14

Merged
ndenny merged 12 commits into
developfrom
add-prod-build
Jun 15, 2026
Merged

Add a Prod build and a QC build#14
ndenny merged 12 commits into
developfrom
add-prod-build

Conversation

@ndenny

@ndenny ndenny commented Jun 12, 2026

Copy link
Copy Markdown
Member

Add configuration files for production and QC environments; update main.go to reference them

@ndenny ndenny marked this pull request as ready for review June 12, 2026 21:46
ndenny and others added 2 commits June 12, 2026 14:56
This branch replaced the auto-discovered root .goreleaser.yml with two
env-specific configs but placed them under dist/, which is gitignored,
so they never reached CI — the release job failed with
"open dist/config.yaml: no such file or directory". (goreleaser's
--clean also wipes dist/ at startup, so committing them there would not
work either.) Relocate both to a tracked .goreleaser/ directory and
point the release and develop workflows at the new paths.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@ndenny ndenny enabled auto-merge June 12, 2026 22:22
ndenny and others added 5 commits June 12, 2026 15:44
- ServeHTTP now HTML-escapes the error/error_description query params
  before interpolating them into the error page, preventing reflected
  XSS via the localhost redirect URL.
- The release tag guard fetches origin/main* explicitly before
  git branch --contains, since tag pushes don't populate remote-tracking
  refs and the check would otherwise fail on legitimate main tags.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Snapshot (--snapshot) dispatches now build with config-qc.yaml so they
produce QC binaries, and the resulting dist artifacts are uploaded to the
workflow run as qc-snapshot-artifacts for download. Previously snapshot
runs used the prod config and uploaded nothing.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Snapshot runs previously bundled every artifact under a single
qc-snapshot-artifacts entry, which GitHub serves as one combined zip.
Upload each platform archive (and checksums.txt) as its own artifact so
the Actions run lists them individually. Non-snapshot release runs keep
the combined release-artifacts bundle the macOS job depends on.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Previously the release-macos job was gated off entirely for snapshot
(QC) builds, so snapshot darwin archives were never signed and only the
unsigned placeholders from the build job were available.

Now the macOS job runs for snapshot dispatches too: it pulls the
individually-uploaded QC artifacts, signs/notarizes the darwin archives,
and re-uploads the signed archives (and updated checksums.txt) as
individual assets, overwriting the unsigned placeholders. The tag-release
path is unchanged — it still downloads the combined release-artifacts
bundle and produces macos-signed-artifacts. The artifacts.json checksum
patch is skipped when that file is absent (snapshot builds).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Merges to develop run develop.yml on every push, so notarizing the macOS
builds each time wastes time and Apple notary quota — those are internal
QC artifacts, not externally distributed. Drop the notarytool submit step
and the now-unused APPLE_ID/APPLE_ID_PASSWORD/APPLE_TEAM_ID env vars,
keeping codesign + verify. Notarization is retained for snapshot
dispatches and tagged releases in release.yml.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@ndenny ndenny merged commit bd5247b into develop Jun 15, 2026
1 check passed
@ndenny ndenny deleted the add-prod-build branch June 15, 2026 09:12
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants