build(flatpak): add CI build job, update metainfo, fix JVM heap for runners

[nitheeshdr]

Summary

Closes #208.

The Flatpak packaging infrastructure (packaging/flatpak/) is already on main. This PR wires it into CI and fixes two issues that blocked a working build:

• CI job (build-flatpak): runs flatpak/flatpak-github-actions/flatpak-builder@v6 on every push to generate-installers, produces GitHub-Store-x86_64.flatpak, and uploads it as the linux-flatpak artifact. The bundle is staged and included in the draft release alongside .deb, .rpm, AppImage, and Arch packages.
• JVM heap reduction: the Flatpak manifest had -Xmx6g -XX:MaxMetaspaceSize=2g. GitHub Actions ubuntu-latest runners have 7 GB total RAM, leaving no headroom for the OS and flatpak-builder itself. Reduced to -Xmx4g -XX:MaxMetaspaceSize=1g, matching the project's standard GRADLE_OPTS.
• Metainfo releases: zed.rainxch.githubstore.metainfo.xml previously only listed release 1.6.2. Added entries for 1.7.0, 1.8.0, 1.8.1, and 1.8.2 with dates and brief descriptions so the Flathub listing will show an accurate history once the app is submitted.

Test plan

• Push to generate-installers branch and verify the build-flatpak job passes
• Confirm GitHub-Store-x86_64.flatpak appears in the draft release assets
• Run flatpak-builder-lint manifest packaging/flatpak/zed.rainxch.githubstore.yml locally (no errors expected)
• Run appstreamcli validate packaging/flatpak/zed.rainxch.githubstore.metainfo.xml to verify new release entries are valid

Summary by CodeRabbit

• New Features

  • Linux Flatpak installer now available for streamlined installation on Flatpak-compatible systems.

• Chores

  • Updated application release history and AppStream metadata.
  • Adjusted build environment memory settings to improve packaging reliability.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 702c1eb8-ad5d-4485-925a-6732c59aacbb

📥 Commits

Reviewing files that changed from the base of the PR and between 7abfda4 and 7845c54.

📒 Files selected for processing (1)

• .github/workflows/build-desktop-platforms.yml

---

Walkthrough

This PR adds official Flatpak build and release support: a new GitHub Actions job builds a Linux Flatpak artifact, the release staging copies and counts staged .flatpak files and enforces completeness, and Flatpak manifest and AppStream release metadata are updated.

Changes

Flatpak Build Pipeline and Configuration

Layer / File(s)	Summary
Flatpak Build Job and Release Artifact Handling .github/workflows/build-desktop-platforms.yml	New build-flatpak job builds the Linux Flatpak installer; release job waits for it. Release staging script initializes a Flatpak artifact counter, copies .flatpak files into release-files/, outputs the count, and enforces that Flatpak bundles must be present to publish.
Flatpak Manifest and Release Metadata packaging/flatpak/zed.rainxch.githubstore.yml, packaging/flatpak/zed.rainxch.githubstore.metainfo.xml	Gradle JVM heap and metaspace JVM args adjusted in the Flatpak manifest; AppStream metainfo gains four new <release> entries (1.8.2, 1.8.1, 1.8.0, 1.7.0) with dates and descriptions.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

• OpenHub-Store/GitHub-Store#336: Modifies Flatpak packaging assets and related manifest settings.
• OpenHub-Store/GitHub-Store#339: Previously updated the Flatpak manifest (finish-args and Gradle args).
• OpenHub-Store/GitHub-Store#474: Related changes to release aggregation and artifact completeness guarding logic.

Poem

🐰 A little rabbit hops with glee and cheer,
Building Flatpaks so all Linux friends draw near.
JARs wrapped snug in bundles tight,
Staged and counted through the night—
Hooray, the Store for every distro's near!

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately summarizes the primary changes: adding a Flatpak CI build job, updating metainfo release entries, and fixing JVM heap settings for GitHub Actions runners.
Linked Issues check	✅ Passed	The PR directly implements Flatpak packaging support requested in #208 by adding CI automation, updating release metadata, and fixing build issues to enable Flathub distribution.
Out of Scope Changes check	✅ Passed	All changes are directly related to implementing Flatpak support: CI workflow integration, manifest JVM configuration, and release metadata—all within scope of #208.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[greptile-apps]

Greptile Summary

This PR wires the existing Flatpak packaging manifest into CI and fixes two pre-existing issues that blocked a working build.

• Adds a build-flatpak CI job using flatpak/flatpak-github-actions/flatpak-builder@v6, with a content-addressed cache key (hashFiles of flatpak-sources.json + manifest), manual artifact upload with if-no-files-found: error, and proper inclusion in the release job's needs list and completeness guard.
• Reduces the Gradle JVM heap in the Flatpak manifest from -Xmx6g -XX:MaxMetaspaceSize=2g to -Xmx4g -XX:MaxMetaspaceSize=1g to leave headroom on 7 GB GitHub Actions runners.
• Backfills four missing release entries (1.7.0 – 1.8.2) in metainfo.xml in correct newest-first AppStream order.

Confidence Score: 5/5

Safe to merge — all three changed files make straightforward, well-scoped additions with no logic regressions.

The CI job is correctly structured: content-addressed cache key, explicit artifact guard (if-no-files-found: error), proper needs wiring, and a matching completeness check in the release script. The JVM heap reduction is conservative and well-justified. The metainfo XML additions are valid AppStream format in the correct order.

No files require special attention.

Important Files Changed

Filename	Overview
.github/workflows/build-desktop-platforms.yml	Adds build-flatpak CI job wired into the release pipeline; cache key, artifact upload, and completeness guard are all correctly implemented.
packaging/flatpak/zed.rainxch.githubstore.yml	JVM heap reduced from -Xmx6g/-XX:MaxMetaspaceSize=2g to -Xmx4g/-XX:MaxMetaspaceSize=1g to fit GitHub Actions runner constraints.
packaging/flatpak/zed.rainxch.githubstore.metainfo.xml	Four missing release entries (1.7.0 – 1.8.2) added in correct newest-first order with proper AppStream format.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[push to generate-installers] --> B[build-windows]
    A --> C[build-macos x64]
    A --> D[build-macos arm64]
    A --> E[build-linux]
    A --> F[build-flatpak]

    B --> G[sign-windows]
    C --> H[merge-macos-artifacts]
    D --> H

    G --> R[release: Draft release]
    H --> R
    E --> R
    F --> R

    R --> S[Stage all artifacts]
    S --> T{Completeness guard}
    T -- all groups present --> U[Create/update draft release]
    T -- any group missing --> V[Fail: list missing groups]

    style F fill:#90EE90,stroke:#333
    style U fill:#90EE90,stroke:#333

Loading

_{Reviews (3): Last reviewed commit: "fix(flatpak): add permissions block and ..." | Re-trigger Greptile}

[coderabbitai]

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/build-desktop-platforms.yml:
- Around line 513-514: The checkout step "Checkout code" using
actions/checkout@v4 should explicitly disable persisting GitHub credentials: add
the key persist-credentials: false under that step (the step that has name
"Checkout code" and uses "actions/checkout@v4") so credentials are not written
into .git/config and cannot be leaked into build artifacts.
- Around line 509-532: The build-flatpak job currently inherits workflow-level
permissions; add an explicit permissions block on the build-flatpak job to
follow least-privilege practices by restricting access to only what the job
needs (e.g., set permissions: contents: read) so the job can read the repository
and still upload artifacts via the existing actions/upload-artifact step; update
the job named build-flatpak to include this permissions block.
- Line 514: Replace the mutable action tags with immutable commit SHAs: locate
the three uses entries referencing actions/checkout@v4,
flatpak/flatpak-github-actions/flatpak-builder@v6, and
actions/upload-artifact@v4 and update each to the corresponding commit SHA (the
full 40-char commit hash) instead of the tag; follow the same pattern used for
the SignPath action (which is pinned to a commit SHA) to ensure supply-chain
security and reproducibility.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 8057a21a-4c73-48f9-bfe3-23663cb567cf

📥 Commits

Reviewing files that changed from the base of the PR and between c6022cf and 7abfda4.

📒 Files selected for processing (3)

• .github/workflows/build-desktop-platforms.yml
• packaging/flatpak/zed.rainxch.githubstore.metainfo.xml
• packaging/flatpak/zed.rainxch.githubstore.yml

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚖️ Poor tradeoff

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Fetch commit SHAs for action version tags

echo "=== actions/checkout@v4 ==="
gh api repos/actions/checkout/git/refs/tags/v4 --jq '.object.sha'

echo "=== flatpak/flatpak-github-actions/flatpak-builder@v6 ==="
gh api repos/flatpak/flatpak-github-actions/git/refs/tags/flatpak-builder/v6 --jq '.object.sha' 2>/dev/null || \
  echo "Note: flatpak-builder may use a different ref structure; check manually"

echo "=== actions/upload-artifact@v4 ==="
gh api repos/actions/upload-artifact/git/refs/tags/v4 --jq '.object.sha'

Repository: OpenHub-Store/GitHub-Store

Length of output: 506

---

🏁 Script executed:

# Examine the workflow file around the mentioned lines
cat -n .github/workflows/build-desktop-platforms.yml | sed -n '125,135p'
cat -n .github/workflows/build-desktop-platforms.yml | sed -n '510,530p'

Repository: OpenHub-Store/GitHub-Store

Length of output: 1638

---

Pin action references to commit SHAs for supply chain security.

Actions at lines 514, 517, and 526 are referenced by mutable tags (@v4, @v6) instead of immutable commit SHAs. A compromised or force-pushed tag could inject malicious code. Pin to specific commit hashes as demonstrated by the SignPath action at line 131.

Update:

• Line 514: actions/checkout@v4 → pin to specific commit SHA
• Line 517: flatpak/flatpak-github-actions/flatpak-builder@v6 → pin to specific commit SHA
• Line 526: actions/upload-artifact@v4 → pin to specific commit SHA

🧰 Tools

🪛 zizmor (1.25.2)

[warning] 513-514: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)

---

[error] 514-514: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/build-desktop-platforms.yml at line 514, Replace the
mutable action tags with immutable commit SHAs: locate the three uses entries
referencing actions/checkout@v4,
flatpak/flatpak-github-actions/flatpak-builder@v6, and
actions/upload-artifact@v4 and update each to the corresponding commit SHA (the
full 40-char commit hash) instead of the tag; follow the same pattern used for
the SignPath action (which is pinned to a commit SHA) to ensure supply-chain
security and reproducibility.

[greptile-apps]

Want your agent to iterate on Greptile's feedback? Try greploops.