Skip to content

Classify Sparkle security updates from release tags#105

Merged
jmcte merged 1 commit into
mainfrom
codex/issue-57-sparkle-release-metadata
Jul 12, 2026
Merged

Classify Sparkle security updates from release tags#105
jmcte merged 1 commit into
mainfrom
codex/issue-57-sparkle-release-metadata

Conversation

@jmcte

@jmcte jmcte commented Jul 12, 2026

Copy link
Copy Markdown
Contributor

Summary

  • make Sparkle archive URLs and item links resolve to the tagged GitHub release rather than generator-local paths
  • classify critical security updates through immutable annotated-tag metadata
  • require annotated tags for critical classifications and reject duplicate metadata lines
  • generate matching Security or Changes release-note sections and guard the behavior with appcast contract tests

Governing Issue

Refs #57

This advances the remaining in-app update release contract. It does not close #57: the first signed/notarized production release and live appcast still require configured Apple signing/notary credentials and Sparkle release variables.

Validation

  • bash scripts/test-prepare-sparkle-appcast.sh
  • bash scripts/ci/validate-appcast-contract.sh
  • bash -n scripts/prepare-sparkle-appcast.sh scripts/test-prepare-sparkle-appcast.sh scripts/ci/validate-appcast-contract.sh
  • ruby -e 'require "yaml"; YAML.load_file(".github/workflows/release.yml")'\n- bash scripts/ci/run-fast-checks.sh\n- git diff --check\n\n## Release use\nCreate a normal tag for an ordinary update. For a security update, create an annotated tag containing:\n\ntext\nAPW-Sparkle-Critical-Update-Version: all\n\n\nUse a concrete Sparkle version instead of all when the critical prompt should apply only through that installed version.

Pass immutable annotated-tag metadata through the release workflow to generate signed critical-update appcasts with canonical GitHub archive and release URLs. Extend the appcast contract and regression coverage. Refs #57.

@athena-omt athena-omt left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Athena review: approved.

Evidence checked:

  • Branch head 08b63f7 is based on current main 7433d2e, so this review is against a fresh head.
  • Live checks are green on the latest run: Rust test, Rust checks/lint, PR Fast CI gate, Fast Checks, and secrets validation. The cancelled PR Fast CI entries are from the superseded run, followed by successful rerun entries.
  • Auto-merge is already enabled with squash.
  • Focused local checks passed on OMT-NAS: bash scripts/test-prepare-sparkle-appcast.sh and bash scripts/ci/validate-appcast-contract.sh.

I did not find a blocking issue in the annotated-tag critical-update flow, generator argument forwarding, appcast contract checks, or release-note security-section guard.

@jmcte
jmcte merged commit d7f7b1d into main Jul 12, 2026
9 of 14 checks passed
@jmcte
jmcte deleted the codex/issue-57-sparkle-release-metadata branch July 12, 2026 19:06
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Roadmap: in-app updates for APW.app (Sparkle or equivalent)

3 participants