BUI-249 Tauri auto-update

.github/workflows/release.yml

@@ -59,8 +59,8 @@ jobs:
       - name: Setup Node.js
         uses: actions/setup-node@v4
         with:
-          node-version: '22'
-          cache: 'npm'
+          node-version: "22"
+          cache: "npm"
 
       - name: Setup Rust
         uses: dtolnay/rust-toolchain@stable
@@ -154,7 +154,6 @@ jobs:
       - name: Build Tauri app
         uses: tauri-apps/tauri-action@v0
         env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           VITE_PRIVY_APP_ID: ${{ secrets.VITE_PRIVY_APP_ID }}
           VITE_PRIVY_CLIENT_ID: ${{ secrets.VITE_PRIVY_CLIENT_ID }}
           VITE_SESSION_RELAY_URL: ${{ secrets.VITE_SESSION_RELAY_URL }}
@@ -166,11 +165,6 @@ jobs:
           APPLE_API_KEY: ${{ secrets.APPLE_ASC_API_KEY_ID }}
           APPLE_API_ISSUER: ${{ secrets.APPLE_ASC_API_KEY_ISSUER_UUID }}
         with:
-          tagName: ${{ github.ref_name }}
-          releaseName: 'DataConnect v__VERSION__'
-          releaseBody: 'See the assets to download this version and install.'
-          releaseDraft: false
-          prerelease: false
           args: --target ${{ matrix.target }}
 
       - name: Free disk space before finalization
@@ -182,22 +176,27 @@ jobs:
           rm -rf src-tauri/target/${{ matrix.target }}/release/build
           rm -rf src-tauri/target/${{ matrix.target }}/release/.fingerprint
           rm -rf src-tauri/target/${{ matrix.target }}/release/incremental
-          # Remove npm caches no longer needed
-          rm -rf node_modules
+          # Keep root node_modules until finalization completes because the
+          # custom macOS updater artifact signer uses the repo-pinned Tauri CLI.
+          # Removing it here breaks updater tarball signing in Finalize bundles.
           rm -rf playwright-runner/node_modules
           rm -rf ~/.cargo/registry/cache
           echo "=== Disk usage after cleanup ==="
           df -h / || true
         shell: bash
 
-      - name: Copy native modules and finalize bundles
+      - name: Finalize bundles
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          TAURI_SIGNING_PRIVATE_KEY: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY }}
+          TAURI_SIGNING_PRIVATE_KEY_PASSWORD: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY_PASSWORD }}
         run: |
-          set -x  # Enable verbose debugging
+          set -euo pipefail
 
-          # Copy node_modules into macOS .app bundles (preserving directory structure)
+          # Re-sign the completed macOS app and recreate the DMG from the final app.
+          # personal-server/dist/node_modules is already bundled by Tauri resources.
           if [ "${{ matrix.platform }}" = "macos-latest" ]; then
+            echo "=== Finalizing macOS bundles for ${{ matrix.target }} ==="
             # Debug: Show what's in personal-server/dist
             echo "=== Contents of personal-server/dist ==="
             ls -la personal-server/dist/ || echo "dist not found"
@@ -214,34 +213,23 @@ jobs:
                 "$node_binary"
             done
 
-            for app in src-tauri/target/${{ matrix.target }}/release/bundle/macos/*.app; do
-              [ -e "$app" ] || { echo "No .app found at $app"; continue; }
-              echo "=== Processing $app ==="
-
-              # Show current state
-              echo "Before copy - Resources contents:"
-              ls -la "$app/Contents/Resources/personal-server/dist/" || echo "personal-server/dist not in Resources"
-
-              dest="$app/Contents/Resources/personal-server/dist/node_modules"
-              mkdir -p "$dest"
-
-              # Copy with verbose output
-              if [ -d "personal-server/dist/node_modules" ]; then
-                cp -Rv personal-server/dist/node_modules/* "$dest/"
-                echo "=== After copy - node_modules contents ==="
-                ls -la "$dest/" || echo "copy failed"
-              else
-                echo "ERROR: personal-server/dist/node_modules does not exist!"
-                exit 1
-              fi
-
-              echo "Copied node_modules to $dest"
-            done
-
             # Re-sign nested binaries with their entitlements, then re-sign the .app
             for app in src-tauri/target/${{ matrix.target }}/release/bundle/macos/*.app; do
               [ -e "$app" ] || continue
 
+              echo "=== Processing $app ==="
+              app_name=$(basename "$app" .app)
+              version=$(grep '"version"' src-tauri/tauri.conf.json | head -1 | sed 's/.*: "\(.*\)".*/\1/')
+              arch=$(echo "${{ matrix.target }}" | cut -d- -f1)
+              public_arch="$arch"
+              if [ "$public_arch" = "x86_64" ]; then
+                public_arch="x64"
+              fi
+              updater_name="${app_name}_${version}_${public_arch}.app.tar.gz"
+              echo "Bundled resource contents:"
+              ls -la "$app/Contents/Resources/personal-server/dist/" || echo "personal-server/dist not in Resources"
+              ls -la "$app/Contents/Resources/personal-server/dist/node_modules/" || { echo "ERROR: node_modules NOT in app bundle!"; exit 1; }
+
               # Sign personal-server binary with JIT entitlements (--deep would strip them)
               ps_bin="$app/Contents/Resources/personal-server/dist/${{ matrix.ps_binary_name }}"
               if [ -f "$ps_bin" ]; then
@@ -264,6 +252,44 @@ jobs:
                 --sign "Developer ID Application: Corsali, Inc (${{ secrets.APPLE_TEAM_ID }})" \
                 "$app"
               echo "Re-signed $app"
+
+              # Notarize/staple the finalized .app before packaging the updater tarball.
+              APPLE_NOTARY_KEY_PATH="$APPLE_API_KEY_PATH" \
+              APPLE_NOTARY_KEY_ID="${{ secrets.APPLE_ASC_API_KEY_ID }}" \
+              APPLE_NOTARY_ISSUER="${{ secrets.APPLE_ASC_API_KEY_ISSUER_UUID }}" \
+              node scripts/notarize-macos-app.mjs \
+                --app "$app" \
+                --output-dir "src-tauri/target/${{ matrix.target }}/release/bundle/macos"
+
+              # tauri-action still leaves behind a raw archless updater tarball
+              # for the pre-finalization .app. Remove those artifacts so the
+              # release only publishes the finalized, versioned updater payloads.
+              raw_updater_name="$(basename "$app").tar.gz"
+              raw_updater_sig_name="${raw_updater_name}.sig"
+              rm -f \
+                "src-tauri/target/${{ matrix.target }}/release/bundle/macos/$raw_updater_name" \
+                "src-tauri/target/${{ matrix.target }}/release/bundle/macos/$raw_updater_sig_name"
+
+              # Create updater artifacts from the finalized notarized .app, not the pre-finalization Tauri output.
+              if [ -n "$TAURI_SIGNING_PRIVATE_KEY" ] || [ -n "$TAURI_SIGNING_PRIVATE_KEY_PATH" ]; then
+                node scripts/build-macos-updater-artifacts.mjs \
+                  --app "$app" \
+                  --output-dir "src-tauri/target/${{ matrix.target }}/release/bundle/macos" \
+                  --artifact-name "$updater_name"
+
+                # Smoke-check the updater payload after tar packaging. This must stay a hard gate.
+                updater_smoke_dir="/tmp/updater_smoke_${arch}"
+                rm -rf "$updater_smoke_dir"
+                mkdir -p "$updater_smoke_dir"
+                tar -xzf "src-tauri/target/${{ matrix.target }}/release/bundle/macos/$updater_name" -C "$updater_smoke_dir"
+                extracted_app="$updater_smoke_dir/$(basename "$app")"
+                xcrun stapler validate "$extracted_app"
+                spctl --assess -vv "$extracted_app"
+                codesign --verify --strict "$extracted_app"
+                rm -rf "$updater_smoke_dir"
+              else
+                echo "::notice::Skipping finalized macOS updater artifact generation because no Tauri updater signing key is configured"
+              fi
             done
 
             # Recreate DMG with updated .app (including Applications symlink)
@@ -272,7 +298,11 @@ jobs:
               app_name=$(basename "$app" .app)
               version=$(grep '"version"' src-tauri/tauri.conf.json | head -1 | sed 's/.*: "\(.*\)".*/\1/')
               arch=$(echo "${{ matrix.target }}" | cut -d- -f1)
-              dmg_name="${app_name}_${version}_${arch}.dmg"
+              public_arch="$arch"
+              if [ "$public_arch" = "x86_64" ]; then
+                public_arch="x64"
+              fi
+              dmg_name="${app_name}_${version}_${public_arch}.dmg"
               dmg_path="src-tauri/target/${{ matrix.target }}/release/bundle/dmg/${dmg_name}"
 
               # Create temp folder with app and Applications symlink
@@ -314,7 +344,7 @@ jobs:
               # Notarize the DMG using App Store Connect API key
               echo "=== Notarizing $dmg_path ==="
               if xcrun notarytool submit "$dmg_path" \
-                --key "${{ env.APPLE_API_KEY_PATH }}" \
+                --key "$APPLE_API_KEY_PATH" \
                 --key-id "${{ secrets.APPLE_ASC_API_KEY_ID }}" \
                 --issuer "${{ secrets.APPLE_ASC_API_KEY_ISSUER_UUID }}" \
                 --wait 2>&1 | tee /tmp/notarize_${arch}.log; then
@@ -328,7 +358,7 @@ jobs:
                 if [ -n "$submission_id" ]; then
                   echo "=== Fetching notarization log for $submission_id ==="
                   xcrun notarytool log "$submission_id" \
-                    --key "${{ env.APPLE_API_KEY_PATH }}" \
+                    --key "$APPLE_API_KEY_PATH" \
                     --key-id "${{ secrets.APPLE_ASC_API_KEY_ID }}" \
                     --issuer "${{ secrets.APPLE_ASC_API_KEY_ISSUER_UUID }}" || true
                 fi
@@ -378,6 +408,13 @@ jobs:
                 echo "Uploaded $(basename "$f")"
               fi
             done
+            for f in src-tauri/target/${{ matrix.target }}/release/bundle/macos/*.app.tar.gz \
+                     src-tauri/target/${{ matrix.target }}/release/bundle/macos/*.app.tar.gz.sig; do
+              if [ -f "$f" ]; then
+                gh release upload "${{ github.ref_name }}" "$f" --clobber
+                echo "Uploaded $(basename "$f")"
+              fi
+            done
           fi
 
           # Upload Linux artifacts
@@ -407,3 +444,46 @@ jobs:
         if: matrix.platform == 'macos-latest' && always()
         run: |
           security delete-keychain $RUNNER_TEMP/app-signing.keychain-db || true
+
+  publish_updater_manifest:
+    needs: build
+    runs-on: ubuntu-22.04
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: "22"
+
+      - name: Build latest.json
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          set -euo pipefail
+
+          manifest_dir="/tmp/dataconnect-updater-manifest"
+          signatures_dir="$manifest_dir/signatures"
+          release_json="$manifest_dir/release.json"
+          output_path="$manifest_dir/latest.json"
+
+          rm -rf "$manifest_dir"
+          mkdir -p "$signatures_dir"
+
+          gh api "repos/${{ github.repository }}/releases/tags/${{ github.ref_name }}" > "$release_json"
+          gh release download "${{ github.ref_name }}" \
+            --pattern "*.app.tar.gz.sig" \
+            --dir "$signatures_dir"
+
+          node scripts/build-updater-manifest.mjs \
+            --release-json "$release_json" \
+            --signature-dir "$signatures_dir" \
+            --output "$output_path"
+
+      - name: Upload latest.json
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          gh release upload "${{ github.ref_name }}" /tmp/dataconnect-updater-manifest/latest.json --clobber