chore: TASK-075 automate Winget updates on release

[pascalandr]

Summary

• add a release-published workflow that prepares and submits Winget manifest updates automatically
• poll the GitHub Release API for the stable Windows Tauri asset and compute its SHA-256 before submission
• document the maintainer secret and repository variables needed for the Winget automation flow

Validation

• node --check "scripts/winget/resolve-release-asset.cjs"
• node "scripts/winget/resolve-release-asset.cjs" --help
• dry-run resolver against the published v0.16.0 release asset

Notes

• skips draft and prerelease GitHub releases
• uses the maintainer fork submission flow for microsoft/winget-pkgs
• live PR submission still depends on configuring WINGET_GITHUB_TOKEN
• Fixes Update winget whenever new version is released #462

[github-actions]

PR builds are available as GitHub Actions artifacts:

https://github.com/NeuralNomadsAI/CodeNomad/actions/runs/26710992633

Artifacts expire in 7 days.
Artifacts:

• pr-513-fc67a18b39d08476bbc951df68a70692489a29e1-tauri-macos
• pr-513-fc67a18b39d08476bbc951df68a70692489a29e1-tauri-linux
• pr-513-fc67a18b39d08476bbc951df68a70692489a29e1-tauri-windows
• pr-513-fc67a18b39d08476bbc951df68a70692489a29e1-electron-macos
• pr-513-fc67a18b39d08476bbc951df68a70692489a29e1-tauri-macos-arm64
• pr-513-fc67a18b39d08476bbc951df68a70692489a29e1-electron-windows
• pr-513-fc67a18b39d08476bbc951df68a70692489a29e1-electron-linux

[github-actions]

PR builds are available as GitHub Actions artifacts:

https://github.com/NeuralNomadsAI/CodeNomad/actions/runs/26713520559

Artifacts expire in 7 days.
Artifacts:

• pr-513-fc67a18b39d08476bbc951df68a70692489a29e1-tauri-macos
• pr-513-fc67a18b39d08476bbc951df68a70692489a29e1-tauri-linux
• pr-513-fc67a18b39d08476bbc951df68a70692489a29e1-electron-macos
• pr-513-fc67a18b39d08476bbc951df68a70692489a29e1-tauri-windows
• pr-513-fc67a18b39d08476bbc951df68a70692489a29e1-tauri-macos-arm64
• pr-513-fc67a18b39d08476bbc951df68a70692489a29e1-electron-windows
• pr-513-fc67a18b39d08476bbc951df68a70692489a29e1-electron-linux

[shantur]

@CodeNomadBot

I want you to perform the gatekeeper checks for latest PR state

check for regressions
check for better possible implementations
Be the PR gatekeeper
Be ruthless about code quality

[codenomadbot]

Understood request: perform a ruthless gatekeeper review of the latest PR state for regressions and better implementation options. I treated this as review-only and did not modify the PR.

Gatekeeper result: no merge-blocking regression found in the current diff.

Findings:

• Non-blocking reliability concern: .github/workflows/update-winget.yml uses a 900s default wait for the Windows Tauri release asset. The current v0.16.0 release published at 10:10:43Z and the matching Windows Tauri zip appeared at 10:24:01Z, leaving only about 100 seconds of buffer. That is tight for CI variance. I would strongly prefer either a 30-45 minute default timeout or triggering Winget submission after the release asset upload workflow completes, rather than racing the release.published event.
• Non-blocking implementation concern: scripts/winget/resolve-release-asset.cjs downloads the full Windows zip to compute SHA-256, but the SHA is only logged and is not passed into winget-releaser; Komac/winget-releaser computes the manifest hash from the URL anyway. This adds a large network dependency to every release. Better options: use asset.digest when present and only fall back to downloading, or remove the hash step unless it is used as an explicit verification gate.
• Non-blocking hardening concern: the resolver writes GitHub Actions outputs as plain key=value lines. Current generated values are single-line and safe, but custom --asset-regex/template-derived output could become malformed if a future value includes newline-like content. Not urgent for the current defaults, but the multiline-safe $GITHUB_OUTPUT format would be more robust.

Validation performed:

• Reviewed the full PR diff: new Winget workflow, resolver script, and docs.
• Checked current release artifact naming in .github/workflows/build-and-upload.yml; the default template matches CodeNomad-Tauri-windows-x64-{version}.zip.
• Checked vedantmgoyal9/winget-releaser@v2 action inputs and behavior from its action.yml; the supplied inputs are valid.
• Ran node --check "scripts/winget/resolve-release-asset.cjs" successfully.
• Ran node "scripts/winget/resolve-release-asset.cjs" --help successfully.
• Ran the resolver against v0.16.0 release id 322465145; it resolved CodeNomad-Tauri-windows-x64-0.16.0.zip and SHA-256 554E89D6A8DE0780B4A4C6C4B4DE5ADEBE866642C3183596665AE0352667F0BD, matching the existing Winget manifest.

I could not run actionlint locally because it is not installed in this environment.

--
Yours,
CodeNomadBot

[shantur]

@pascalandr - Approving on the basis that this is tested at your end