feat(desktop): ship-readiness metadata & CI scaffolding (#5255)

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
2026-05-12 00:28:20 -04:00 · 2026-04-27 15:23:44 -05:00
parent a751a0a728
commit ff3b77748b
8 changed files with 120 additions and 24 deletions
--- a/.github/release.yml
+++ b/.github/release.yml
@@ -26,6 +26,9 @@ changelog:
      labels:
        - enhancement
        - feature
+    - title: 🖥️ Desktop
+      labels:
+        - desktop
    - title: 🛠️ Fixes
      labels:
        - bug
--- a/.github/workflows/pr_enforce_labels.yml
+++ b/.github/workflows/pr_enforce_labels.yml
@@ -29,7 +29,7 @@ jobs:
          script: |
            // Extract labels from the payload directly to avoid extra API calls
            const latestLabels = context.payload.pull_request.labels.map(label => label.name);
-            const requiredLabels = ['bugfix', 'enhancement', 'automation', 'dependencies', 'repo', 'release', 'refactor', 'chore', 'ci', 'build', 'testing', 'documentation'];
+            const requiredLabels = ['bugfix', 'enhancement', 'automation', 'dependencies', 'repo', 'release', 'refactor', 'desktop', 'chore', 'ci', 'build', 'testing', 'documentation'];
            console.log('Labels from payload:', latestLabels);
            const hasRequiredLabel = latestLabels.some(label => requiredLabels.includes(label));
            if (!hasRequiredLabel) {
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -53,6 +53,14 @@ on:
        required: false
      INTERNAL_BUILDS_HOST_PAT:
        required: false
+      APPLE_SIGNING_IDENTITY:
+        required: false
+      APPLE_ID:
+        required: false
+      APPLE_APP_SPECIFIC_PASSWORD:
+        required: false
+      APPLE_TEAM_ID:
+        required: false

 concurrency:
  group: ${{ github.workflow }}-${{ inputs.tag_name }}
@@ -284,7 +292,13 @@ jobs:
      - name: Package Native Distributions
        env:
          ORG_GRADLE_PROJECT_appVersionName: ${{ needs.prepare-build-info.outputs.APP_VERSION_NAME }}
+          VERSION_CODE: ${{ needs.prepare-build-info.outputs.APP_VERSION_CODE }}
          APPIMAGE_EXTRACT_AND_RUN: 1
+          SIGN_MACOS: ${{ runner.os == 'macOS' && 'true' || 'false' }}
+          APPLE_SIGNING_IDENTITY: ${{ secrets.APPLE_SIGNING_IDENTITY }}
+          APPLE_ID: ${{ secrets.APPLE_ID }}
+          APPLE_APP_SPECIFIC_PASSWORD: ${{ secrets.APPLE_APP_SPECIFIC_PASSWORD }}
+          APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
        # Quote the -P flag: PowerShell on Windows interprets the dot in
        # `-PaboutLibraries.release=true` as member access on `-PaboutLibraries`,
        # splitting the token and feeding `.release=true` to Gradle as a task name.
@@ -309,6 +323,18 @@ jobs:
          retention-days: 1
          if-no-files-found: ignore

+      - name: Attest Desktop artifact provenance
+        if: success()
+        uses: actions/attest-build-provenance@v4
+        with:
+          subject-path: |
+            desktop/build/compose/binaries/main-release/*/*.dmg
+            desktop/build/compose/binaries/main-release/*/*.msi
+            desktop/build/compose/binaries/main-release/*/*.exe
+            desktop/build/compose/binaries/main-release/*/*.deb
+            desktop/build/compose/binaries/main-release/*/*.rpm
+            desktop/build/compose/binaries/main-release/*/*.AppImage
+
  github-release:
    if: ${{ !cancelled() && !failure() }}
    runs-on: ubuntu-24.04-arm