ci: release pipeline (tag → draft GitHub release) + CI checks + protocol-bump guard

yyq1025 · claude · yyq1025 · commit ef442bf332f2 · 2026-06-10T22:38:39.000-05:00
- release-menubar.yml: tag push → macos-15 arm64 → version assertion (tag must equal menubar package.json) → typecheck/tests → sign + notarize (CSC_LINK / ASC API key secrets) → electron-builder publishes dmg/zip/blockmap/latest-mac.yml to a DRAFT release → commit log since the previous tag becomes the release body. Draft-first is the safety gate: electron-updater only sees published releases. - ci.yml: push/PR — biome ci, workspace typecheck, app tsc (not covered by `pnpm -r`), vitest; plus the protocol-version guard from #7 (protocol src changed without a package version bump fails; [skip-proto-bump] escape hatch for wire-neutral changes). - electron-builder.cjs: publish switches from the placeholder R2 generic provider to GitHub Releases (releaseType: draft); SIDECODE_UPDATE_URL stays as the local static-feed override for updater testing. - updater.ts: comment sync (feed = GitHub Releases, published only). Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -0,0 +1,89 @@
+name: CI
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+
+jobs:
+  checks:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: pnpm/action-setup@v4 # version from root package.json `packageManager`
+
+      - uses: actions/setup-node@v4
+        with:
+          node-version: 24
+          cache: pnpm
+
+      - run: pnpm install --frozen-lockfile
+
+      - name: biome
+        run: pnpm exec biome ci .
+
+      - name: Typecheck (workspace)
+        run: pnpm -r typecheck
+
+      # The app package has no typecheck script (`pnpm -r` skips it) — run
+      # tsc directly so daemon-client / UI changes are covered too.
+      - name: Typecheck (app)
+        working-directory: packages/app
+        run: npx tsc --noEmit
+
+      - name: Tests
+        run: pnpm test
+
+  # Guard for sidecodeapp/sidecode#7: the wire contract's version IS
+  # packages/protocol/package.json `version` (PROTOCOL_VERSION reads it at
+  # module load). A schema change without a bump means two ends running
+  # different wire shapes still pass the handshake and break in opaque ways.
+  # This enforces the cheap invariant: protocol src changed → version changed.
+  # (Judging patch-vs-minor correctness stays a human call — see the bump
+  # policy comment in packages/protocol/src/index.ts; closed z.enum case-adds
+  # are the documented trap.)
+  protocol-version-guard:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Protocol src changed → version must be bumped
+        run: |
+          if [ "$GITHUB_EVENT_NAME" = "pull_request" ]; then
+            BASE="origin/$GITHUB_BASE_REF"
+            git fetch --quiet origin "$GITHUB_BASE_REF"
+            RANGE="$(git merge-base "$BASE" HEAD)..HEAD"
+          else
+            BEFORE="${{ github.event.before }}"
+            # Zero SHA = branch creation / force-push without a usable base;
+            # nothing meaningful to diff against.
+            if [ "$BEFORE" = "0000000000000000000000000000000000000000" ] || ! git cat-file -e "$BEFORE" 2>/dev/null; then
+              echo "no usable base commit — skipping"
+              exit 0
+            fi
+            RANGE="$BEFORE..HEAD"
+          fi
+
+          if ! git diff --name-only "$RANGE" -- 'packages/protocol/src/**' | grep -q .; then
+            echo "protocol src untouched — ok"
+            exit 0
+          fi
+
+          # Escape hatch for comment-only / pure-refactor changes that don't
+          # alter the wire shape: put [skip-proto-bump] in any commit message
+          # in the range.
+          if git log --format=%B "$RANGE" | grep -qF "[skip-proto-bump]"; then
+            echo "[skip-proto-bump] present — skipping"
+            exit 0
+          fi
+
+          if git diff "$RANGE" -- packages/protocol/package.json | grep -q '^[-+]  "version"'; then
+            echo "protocol src changed and version bumped — ok"
+            exit 0
+          fi
+
+          echo "::error::packages/protocol/src changed but packages/protocol/package.json version was not bumped. Bump it (patch = additive, minor = breaking during 0.x — see the bump policy in packages/protocol/src/index.ts), or add [skip-proto-bump] to the commit message for wire-neutral changes."
+          exit 1
diff --git a/.github/workflows/release-menubar.yml b/.github/workflows/release-menubar.yml
@@ -0,0 +1,105 @@
+name: Release menubar
+
+# Tag-driven release of the Mac menu bar app, draft-first:
+#
+#   git tag v0.0.2 && git push origin v0.0.2
+#     → this workflow builds, signs, notarizes, and uploads
+#       dmg + zip + blockmap + latest-mac.yml to a DRAFT GitHub release
+#     → smoke-test the draft's dmg locally, then click "Publish release"
+#
+# electron-updater only sees PUBLISHED releases, so the draft is the safety
+# gate: installed apps' periodic checks (electron/updater.ts, 6h) start
+# picking the version up only at the moment of manual publish. A bad build
+# never reaches users — delete the draft and re-tag.
+#
+# Required repo secrets (Settings → Secrets and variables → Actions):
+#   CSC_LINK           base64 of the Developer ID Application .p12 export
+#   CSC_KEY_PASSWORD   password chosen at .p12 export
+#   APPLE_API_KEY_P8   base64 of the App Store Connect API .p8 key
+#   APPLE_API_KEY_ID   the key's ID
+#   APPLE_API_ISSUER   the ASC issuer UUID
+# (electron-builder imports the cert into a temp keychain via CSC_LINK and
+# notarizes via notarytool with the API key — same env contract as the local
+# `package:mac:notarize` script's .env.local.)
+
+on:
+  push:
+    tags: ["v*"]
+
+permissions:
+  contents: write # create the draft release + upload assets
+
+jobs:
+  release:
+    runs-on: macos-15 # Apple Silicon — we ship arm64-only (V0)
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0 # full history + tags for the commit-log release notes
+
+      - uses: pnpm/action-setup@v4 # version from root package.json `packageManager`
+
+      - uses: actions/setup-node@v4
+        with:
+          node-version: 24
+          cache: pnpm
+
+      - run: pnpm install --frozen-lockfile
+
+      # The feed (latest-mac.yml) advertises the package.json version; if the
+      # tag disagrees, installed apps would update to something other than
+      # what the tag claims. Fail fast instead.
+      - name: Assert tag matches menubar package version
+        run: |
+          TAG_VERSION="${GITHUB_REF_NAME#v}"
+          PKG_VERSION=$(node -p "require('./packages/menubar/package.json').version")
+          if [ "$TAG_VERSION" != "$PKG_VERSION" ]; then
+            echo "::error::tag $GITHUB_REF_NAME but packages/menubar/package.json is $PKG_VERSION — bump the package version (or re-tag) so the update feed stays truthful"
+            exit 1
+          fi
+
+      - name: Typecheck + tests
+        run: |
+          pnpm -r typecheck
+          pnpm test
+
+      - name: Write App Store Connect API key
+        env:
+          APPLE_API_KEY_P8: ${{ secrets.APPLE_API_KEY_P8 }}
+        run: |
+          echo "$APPLE_API_KEY_P8" | base64 --decode > "$RUNNER_TEMP/asc-api-key.p8"
+          echo "APPLE_API_KEY=$RUNNER_TEMP/asc-api-key.p8" >> "$GITHUB_ENV"
+
+      - name: Build, sign, notarize, upload to draft release
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          CSC_LINK: ${{ secrets.CSC_LINK }}
+          CSC_KEY_PASSWORD: ${{ secrets.CSC_KEY_PASSWORD }}
+          # APPLE_API_KEY exported by the previous step; its presence flips
+          # electron-builder.cjs's `notarize` gate on.
+          APPLE_API_KEY_ID: ${{ secrets.APPLE_API_KEY_ID }}
+          APPLE_API_ISSUER: ${{ secrets.APPLE_API_ISSUER }}
+        run: |
+          pnpm --filter '@sidecodeapp/menubar...' run build
+          pnpm --filter @sidecodeapp/menubar exec electron-builder --mac --arm64 --publish always
+
+      # electron-builder creates the draft with an empty body; fill it with the
+      # commit log since the previous tag. Direct-to-main workflow means GitHub's
+      # PR-based auto-notes would be empty — the commit subjects ARE the
+      # changelog here. Hand-write a short "What's new" above the list before
+      # publishing.
+      - name: Attach commit log to the draft release
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          TAG="$GITHUB_REF_NAME"
+          PREV=$(git describe --tags --abbrev=0 "$TAG^" 2>/dev/null || true)
+          RANGE="${PREV:+$PREV..}$TAG"
+          {
+            echo "<!-- Add a short user-facing What's New above the commit list before publishing. -->"
+            echo ""
+            echo "## Commits${PREV:+ since $PREV}"
+            echo ""
+            git log --no-merges --pretty='- %s' "$RANGE"
+          } > "$RUNNER_TEMP/notes.md"
+          gh release edit "$TAG" --draft=true --notes-file "$RUNNER_TEMP/notes.md"
diff --git a/packages/menubar/electron-builder.cjs b/packages/menubar/electron-builder.cjs
@@ -53,15 +53,25 @@ module.exports = {
     // (Squirrel.Mac) requires a signed AND notarized build to install.
     notarize,
   },
-  // electron-updater feed. Generic = any static host; generating this makes the
-  // build emit latest-mac.yml + .blockmap (differential updates). The packaged
-  // app's embedded app-update.yml bakes in whatever url is set at BUILD time.
-  // SIDECODE_UPDATE_URL overrides the feed at build time (e.g. point a test
-  // build at a local static server); otherwise the real R2 host (TODO).
-  publish: {
-    provider: "generic",
-    url:
-      process.env.SIDECODE_UPDATE_URL || "https://REPLACE_WITH_R2_PUBLIC_URL",
-    channel: "latest",
-  },
+  // electron-updater feed. The packaged app's embedded app-update.yml bakes in
+  // whatever is set at BUILD time:
+  //  - default: GitHub Releases (latest-mac.yml + .blockmap published as release
+  //    assets; electron-updater polls the latest PUBLISHED release anonymously —
+  //    this is why drafts are the release pipeline's safety gate).
+  //  - SIDECODE_UPDATE_URL: generic-provider override for pointing a local test
+  //    build at a static server (e.g. `npx serve release/`).
+  // `releaseType: "draft"` means CI's `--publish always` creates a DRAFT release;
+  // installed apps only see it once it's manually published.
+  publish: process.env.SIDECODE_UPDATE_URL
+    ? {
+        provider: "generic",
+        url: process.env.SIDECODE_UPDATE_URL,
+        channel: "latest",
+      }
+    : {
+        provider: "github",
+        owner: "sidecodeapp",
+        repo: "sidecode",
+        releaseType: "draft",
+      },
 };
diff --git a/packages/menubar/electron/updater.ts b/packages/menubar/electron/updater.ts
@@ -33,8 +33,9 @@ export function getUpdateState(): UpdateState {
 export function initUpdater(opts: { onStateChange: () => void }): void {
   // Auto-update only runs in packaged builds — Squirrel.Mac needs the installed
   // .app, and the feed is the embedded app-update.yml (from electron-builder.cjs
-  // publish.url). In dev it's inert; test via a packaged build pointed at a feed
-  // with SIDECODE_UPDATE_URL.
+  // `publish`: GitHub Releases by default, latest PUBLISHED release only). In dev
+  // it's inert; test via a packaged build pointed at a static feed with
+  // SIDECODE_UPDATE_URL.
   if (!app.isPackaged) return;
   onChange = opts.onStateChange;
   autoUpdater.autoDownload = true;
