Skip to content

[pull] trunk from cli:trunk#185

Merged
pull[bot] merged 37 commits into
arc675:trunkfrom
cli:trunk
Jul 13, 2026
Merged

[pull] trunk from cli:trunk#185
pull[bot] merged 37 commits into
arc675:trunkfrom
cli:trunk

Conversation

@pull

@pull pull Bot commented Jul 13, 2026

Copy link
Copy Markdown

See Commits and Changes for more details.


Created by pull[bot] (v2.0.0-alpha.4)

Can you help keep this open source service alive? 💖 Please sponsor : )

williammartin and others added 30 commits May 22, 2026 18:52
The release workflow currently checks out github/cli.github.com using
a personal access token (SITE_DEPLOY_PAT) owned by an individual
maintainer to push generated docs, the index.html version stamp, and
RPM/DEB package metadata.

Replace that with a short-lived installation token minted at runtime
from the new gh-cli-site-deployer GitHub App, owned by the github
org and installed only on github/cli.github.com with Contents:write
permission. The App's credentials live in the production environment
as SITE_DEPLOY_APP_CLIENT_ID and SITE_DEPLOY_APP_PRIVATE_KEY,
federated from the github-cli Vault.

The token mint step is guarded on inputs.environment == 'production'
because non-production environments don't have the App credentials
and don't push to the site anyway (the Publish site step is already
gated on DO_PUBLISH which requires production). github/cli.github.com
is public, so the checkout in non-production falls back to
GITHUB_TOKEN for anonymous read access, matching existing behavior.

Also update docs/release-process-deep-dive.md to reflect the new
flow.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Fix workflow inputs for actions/create-github-app-token by replacing the incorrect app-id key with client-id in multiple deploy job steps. This corrects the parameter name (four occurrences) so the Action receives the expected secret (DEPLOY_APP_ID) and can generate deployment tokens successfully. No other changes to the workflow or action version were made.
Update .github/workflows/deployment.yml to rename the deploy secret from DEPLOY_APP_ID to DEPLOY_APP_CLIENT_ID and adjust all create-github-app-token steps to use the new secret (client-id: ${{ secrets.DEPLOY_APP_CLIENT_ID }}). This clarifies that the secret is the GitHub App Client ID used to generate deploy tokens and keeps the workflow consistent across multiple deploy-token job invocations.
Set `timeout-minutes: 20` for the Linux, macOS, and Windows deployment jobs in the deployment workflow to prevent stalled runs from hanging indefinitely.
Gate signing in sign.ps1 on a new DO_PUBLISH env var, set in the
deployment workflow to true only for production. This avoids attempting
code signing in non-production environments, consistent with the
existing DO_PUBLISH gating used elsewhere in the workflow.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Introduce a dry_run input (default true) to the deployment workflow so
artifacts are built and signed but no GitHub Release is created and no
site is published. Rename DO_PUBLISH to DO_SIGN_ARTIFACTS for the
Windows signing path so signing remains driven solely by environment,
independent of publish gating, and set it on the MSI signing step.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Rework the macOS deployment signing to use App Store Connect API key
based notarization and a Developer ID certificate identifier.

- Use a single consistent keychain (build.keychain) for signing and
  notarization; the notarization credentials previously targeted a
  keychain that was never created.
- Gate the App Store Connect API key and notarization credential steps
  on the production environment so non-production builds (with empty
  secrets) no longer fail.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Convert the deployment workflow from reusable `workflow_call` to manual `workflow_dispatch`, removing the extra `repository` input and forwarded secret declarations. Drop per-job deploy app token generation and custom checkout token/repository overrides, relying on the default checkout context instead. Update release publishing to use `secrets.GITHUB_TOKEN` for GH CLI authentication.
Helps debug 'no identity found' failures by printing the codesigning
identities available in the build keychain, so DEVELOPER_ID_CERT_IDENTIFIER
can be verified against the actual imported certificate.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Reflects the reworked macOS code-signing/notarization flow (dedicated
build.keychain, App Store Connect API key, notarytool keychain profile,
DEVELOPER_ID_CERT_IDENTIFIER/MAC_APP_SIGNING_IDENTITY), documents the new
dry_run input and its publishing gates, the ref input and per-job
timeouts, the Windows DO_SIGN_ARTIFACTS flag, and the GitHub App site
deploy token replacing SITE_DEPLOY_PAT.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
The deployment workflow's dry_run input defaults to true so manual UI
dispatches are safe by default. script/release, however, is used to
initiate real releases, so it now passes -f dry_run=false and exposes an
opt-in --dry-run flag. Without this, releases triggered via script/release
silently became no-ops (no attestation, no GitHub Release, no site push).

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
The ref input was added in anticipation of calling this workflow via
workflow_call from another repo. Since it remains a workflow_dispatch
workflow, drop the input and let actions/checkout default to the ref that
triggered the dispatch (the --ref passed to gh workflow run). This also
fixes script/release --branch, which previously selected the workflow file
ref but still built trunk because inputs.ref defaulted to trunk.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Interpolating ${{ secrets.* }} directly into the run: script meant a
certificate password containing a single quote (or other shell
metacharacters) would break quoting and could inject commands. Map the
cert and password into the step env and reference them as quoted shell
variables instead, and remove the temporary .p12 after import.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Mirror the Windows job: script/sign now skips codesign/notarization unless
DO_SIGN_ARTIFACTS is set to a non-false value, and the macOS Build and
Notarize steps set it to production-only. Previously, staging macOS builds
would run codesign against a keychain that was never provisioned (the
cert-install step is production-only) whenever MAC_APP_SIGNING_IDENTITY was
defined at repository scope, breaking non-production builds.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Append a '(dry run)' suffix to run-name when inputs.dry_run is true so dry
runs are distinguishable from real deployments in the Actions UI.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
niik and others added 7 commits July 3, 2026 08:39
The workflow was reverted to source APPLE_DEVELOPER_INSTALLER_ID from
vars.APPLE_DEVELOPER_INSTALLER_ID, but the docs snippet still showed
vars.MAC_APP_SIGNING_IDENTITY.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
The note claimed the step now passes vars.MAC_APP_SIGNING_IDENTITY, but
the workflow still passes the (unset) vars.APPLE_DEVELOPER_INSTALLER_ID.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Prevents word-splitting/globbing if the keychain path ever contains
spaces or glob characters.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Babak K. Shandiz <babakks@github.com>
Bring the release deep-dive in line with the final branch state:
site steps gated on production, createrepo/reprepro gate on
environment instead of GPG_SIGN, dropped github.token fallback,
quoted keychain paths, and documented the script/release --dry-run
default. Also restore the reprepro env: key that was dropped when
GPG_SIGN was removed, which had left the workflow YAML invalid.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Harden deployment workflow
@pull pull Bot locked and limited conversation to collaborators Jul 13, 2026
@pull pull Bot added the ⤵️ pull label Jul 13, 2026
@pull pull Bot merged commit c14cbaa into arc675:trunk Jul 13, 2026
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants