chenchaoyi
diff --git a/‎.github/workflows/release.yml‎
Lines changed: 96 additions & 34 deletions b/‎.github/workflows/release.yml‎
Lines changed: 96 additions & 34 deletions
diff --git a/‎CHANGELOG.md‎
Lines changed: 44 additions & 8 deletions b/‎CHANGELOG.md‎
Lines changed: 44 additions & 8 deletions
diff --git a/‎docs/RELEASE.md‎
Lines changed: 28 additions & 14 deletions b/‎docs/RELEASE.md‎
Lines changed: 28 additions & 14 deletions
@@ -8,6 +8,16 @@ name: release
 #   - push of a tag matching `v*` (the release flow)
 #   - manual workflow_dispatch (dry-run; uploads to a draft release
 #     so we can inspect the artefact before cutting a real tag)
+#
+# Architecture strategy (since v1.0.8):
+#   All builds run on macos-14 (arm64). The Swift helper is built
+#   universal2 (single binary with both arm64 + x86_64 slices) and
+#   shipped in both per-arch release tarballs. The PyInstaller-frozen
+#   Python binary IS arch-specific, so we build it twice — once
+#   natively on the arm64 host, once under Rosetta 2 (`arch -x86_64`)
+#   for the Intel slice. Avoids the macos-13 runner queue, which
+#   was starving so badly that the Intel tarball was effectively
+#   never landing.
 
 on:
   push:
@@ -20,29 +30,17 @@ on:
         required: false
         default: ""
 
-# Block concurrent runs on the same ref so two tag pushes in
-# quick succession can't produce a racy double-upload.
 concurrency:
   group: release-${{ github.ref }}
   cancel-in-progress: false
 
 permissions:
-  # gh release upload needs to write to the release.
   contents: write
 
 jobs:
   build:
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - os: macos-14   # M1 hosted runner → arm64
-            arch: arm64
-          - os: macos-13   # x86_64 hosted runner → x86_64
-            arch: x86_64
-
-    runs-on: ${{ matrix.os }}
-
+    # Both arches build from this single arm64 runner.
+    runs-on: macos-14
     steps:
       - uses: actions/checkout@v4
 
@@ -58,49 +56,113 @@ jobs:
           echo "version=$VERSION" >> "$GITHUB_OUTPUT"
           echo "num_version=${VERSION#v}" >> "$GITHUB_OUTPUT"
 
+      - name: Ensure Rosetta 2 is installed
+        # GitHub macos-14 runners normally have Rosetta installed,
+        # but `softwareupdate --install-rosetta --agree-to-license`
+        # is the official idempotent way to be sure. The flag is a
+        # no-op if Rosetta is already there.
+        run: softwareupdate --install-rosetta --agree-to-license || true
+
       - name: Install uv
         uses: astral-sh/setup-uv@v5
         with:
           enable-cache: true
 
-      - name: Set up Python 3.11
+      # ---- Swift helper: build once, universal2, used by both
+      # tarballs. The helper bundle is signed ad-hoc which produces
+      # a stable cdhash across both arches — same cdhash means the
+      # TCC grants the user accumulates carry across arm64 / x86_64
+      # installs of the same release.
+      - name: Build Swift helper (universal2)
+        env:
+          DITING_HELPER_UNIVERSAL: "1"
+        run: ( cd helper && ./build.sh )
+
+      # ---- arm64 build (native) -----------------------------------
+      - name: Set up Python 3.11 (arm64 native)
         run: uv python install 3.11
 
-      - name: Sync release dependencies
-        # PyInstaller lives in the [release] group. --all-groups
-        # also pulls dev tools we don't need; --group release keeps
-        # the build env lean.
+      - name: Sync release deps (arm64)
         run: uv sync --group release --python 3.11
 
-      - name: Build Swift helper
-        run: ( cd helper && ./build.sh )
-
-      - name: Run package_release.sh
-        env:
-          # Stage everything under the workspace so the upload step
-          # can find the tarball + sha256 by glob.
-          DITING_RELEASE_VERSION: ${{ steps.ver.outputs.num_version }}
+      - name: Package arm64 tarball
         run: |
           uv run --python 3.11 \
             bash scripts/package_release.sh "${{ steps.ver.outputs.num_version }}"
 
-      - name: Upload tarball to release
+      - name: Stash arm64 tarball + sha256
+        run: |
+          mkdir -p stash
+          mv dist/diting-${{ steps.ver.outputs.num_version }}-darwin-arm64.tar.gz        stash/
+          mv dist/diting-${{ steps.ver.outputs.num_version }}-darwin-arm64.tar.gz.sha256 stash/
+
+      # ---- x86_64 build (Rosetta) ---------------------------------
+      # PyInstaller takes the arch of the currently-running Python.
+      # uv can install an x86_64 Python build on an arm64 host via
+      # the --python-platform flag; we then create a separate venv
+      # for it. All subsequent commands wrapped in `arch -x86_64`
+      # so uv, python, and any subprocess they invoke run as x86_64
+      # under Rosetta.
+      - name: Set up Python 3.11 (x86_64 via Rosetta)
+        run: |
+          arch -x86_64 /bin/bash -c '
+            curl -fsSL https://astral.sh/uv/install.sh | sh
+          '
+          # The Rosetta-installed uv lives under
+          # ~/.local/bin/uv. Use a separate cache dir so it does not
+          # collide with the arm64 uv's state.
+          echo "ROSETTA_UV=$HOME/.local/bin/uv" >> $GITHUB_ENV
+
+      - name: Install x86_64 Python via Rosetta uv
+        run: |
+          arch -x86_64 "$ROSETTA_UV" python install 3.11
+
+      - name: Wipe arm64 venv before x86_64 sync
+        # `uv sync` reuses .venv/ if present. The arm64 build above
+        # populated it with arm64 wheels (pyobjc et al.); we need a
+        # clean slate for the x86_64 install so the right wheels get
+        # pulled.
+        run: rm -rf .venv
+
+      - name: Sync release deps (x86_64)
+        run: |
+          arch -x86_64 "$ROSETTA_UV" sync --group release --python 3.11
+
+      - name: Clean previous build artefacts
+        # PyInstaller and the staging dir from the arm64 run.
+        run: rm -rf build dist
+
+      - name: Package x86_64 tarball
+        run: |
+          arch -x86_64 "$ROSETTA_UV" run --python 3.11 \
+            bash scripts/package_release.sh "${{ steps.ver.outputs.num_version }}"
+
+      - name: Restore arm64 tarball alongside x86_64
+        run: |
+          mv stash/* dist/
+
+      # ---- Upload both tarballs -----------------------------------
+      - name: Upload tarballs to release
         uses: softprops/action-gh-release@v2
         if: github.event_name == 'push'
         with:
           tag_name: ${{ steps.ver.outputs.version }}
           files: |
-            dist/diting-${{ steps.ver.outputs.num_version }}-darwin-${{ matrix.arch }}.tar.gz
-            dist/diting-${{ steps.ver.outputs.num_version }}-darwin-${{ matrix.arch }}.tar.gz.sha256
+            dist/diting-${{ steps.ver.outputs.num_version }}-darwin-arm64.tar.gz
+            dist/diting-${{ steps.ver.outputs.num_version }}-darwin-arm64.tar.gz.sha256
+            dist/diting-${{ steps.ver.outputs.num_version }}-darwin-x86_64.tar.gz
+            dist/diting-${{ steps.ver.outputs.num_version }}-darwin-x86_64.tar.gz.sha256
 
-      - name: Upload tarball as workflow artifact (dispatch dry-runs)
+      - name: Upload tarballs as workflow artifacts (dispatch dry-runs)
         if: github.event_name == 'workflow_dispatch'
         uses: actions/upload-artifact@v4
         with:
-          name: diting-${{ steps.ver.outputs.num_version }}-darwin-${{ matrix.arch }}
+          name: diting-${{ steps.ver.outputs.num_version }}-darwin
           path: |
-            dist/diting-${{ steps.ver.outputs.num_version }}-darwin-${{ matrix.arch }}.tar.gz
-            dist/diting-${{ steps.ver.outputs.num_version }}-darwin-${{ matrix.arch }}.tar.gz.sha256
+            dist/diting-${{ steps.ver.outputs.num_version }}-darwin-arm64.tar.gz
+            dist/diting-${{ steps.ver.outputs.num_version }}-darwin-arm64.tar.gz.sha256
+            dist/diting-${{ steps.ver.outputs.num_version }}-darwin-x86_64.tar.gz
+            dist/diting-${{ steps.ver.outputs.num_version }}-darwin-x86_64.tar.gz.sha256
           retention-days: 14
 
   shasums:
 
@@ -9,14 +9,14 @@ the project follows [Semantic Versioning](https://semver.org/) where
 practical. The leading `v0.x` line is allowed to break minor
 behaviours between releases.
 
-## [Unreleased]
+## [1.0.8] — 2026-05-14
 
-The install-time UX got loud — three windows in two languages on
-top of each other, with one of the prompts showing the raw
-bundle filename. This release re-shapes the helper bundle around
-a single ordered flow and gives diting its own icon end-to-end.
+Two parallel pushes land together: the helper bundle gets its own
+icon and a single ordered install flow (no more chaotic three-window
+stack on first launch), and the release workflow finally ships
+x86_64 tarballs reliably again.
 
-### Added
+### Added (helper bundle / install UX)
 - **Helper bundle ships the diting logo as its AppIcon.**
   Pre-rendered PNGs at every macOS iconset size live under
   `helper/Resources/AppIcon.iconset/` (regenerated by
@@ -34,7 +34,7 @@ a single ordered flow and gives diting its own icon end-to-end.
   and Bluetooth, so the watchdog can fire alerts without
   triggering a surprise prompt months later.
 
-### Changed
+### Changed (helper bundle / install UX)
 - **Install-time permission flow is now a single ordered wizard.**
   `HelperAppDelegate` requests Location → Bluetooth → Notifications
   in sequence; each step fires only after the previous step's auth
@@ -65,12 +65,48 @@ a single ordered flow and gives diting its own icon end-to-end.
   Eliminates the AppleScript scroll icon that used to appear in
   every alert.
 
-### Migration note
+### Changed (release flow)
+Intel (x86_64) releases land on every tag again. Prior tags
+(v1.0.0 – v1.0.7) shipped the x86_64 tarball only when the
+`macos-13` runner happened to be available — which during 2026 has
+been "almost never", since GitHub Actions has been winding down the
+Intel hosted-runner pool. v1.0.7's release sat with the Intel job
+queued for hours before the user manually unblocked arm64 by
+uploading just the arm64 SHASUMS entry.
+
+- **Release workflow now builds both arches from a single `macos-14`
+  (arm64) runner**:
+  - Swift helper is built once as **universal2** (`swift build
+    --arch arm64 --arch x86_64`) — a single .app whose binary
+    contains both arch slices. Gated by env var
+    `DITING_HELPER_UNIVERSAL=1` so local dev defaults to a
+    fast native-only build.
+  - PyInstaller's frozen Python is arch-specific (takes the running
+    Python's arch), so we build it twice: once natively on the
+    arm64 host, once under **Rosetta 2** via `arch -x86_64`. The
+    Rosetta path uses a separate `uv` install (also under Rosetta)
+    that pulls x86_64 pyobjc / ifaddr / zeroconf wheels.
+  - Both tarballs are uploaded to the release; the `shasums` job
+    aggregates as before. The release surface is unchanged from
+    v1.0.7's perspective — install.sh keeps fetching
+    `diting-<v>-darwin-<arch>.tar.gz` per `uname -m`.
+- **Local dev unchanged**: `helper/build.sh` defaults to native
+  build. Set `DITING_HELPER_UNIVERSAL=1` to test the universal2 path.
+
+### Migration note (breaking)
 The new `CFBundleIconFile` plist entry changes the bundle's cdhash.
 Users upgrading from v1.0.x will re-grant Location + Bluetooth once
 on the next install (and grant Notifications for the first time).
 Future installs at the same path retain grants.
 
+### Caveats
+- Rosetta-emulated PyInstaller is ~2× slower than native on the same
+  host — the release workflow's total wall-clock grows by ~3-5 min
+  per release. Acceptable.
+- The x86_64 frozen binary is built on an arm64 host under
+  emulation; the result has not been smoke-tested on a real Intel
+  Mac in this change. Volunteer testers welcome.
+
 ## [1.0.7] — 2026-05-13
 
 The macOS 26 install hang that survived v1.0.3 → v1.0.5 had a deeper
 
@@ -7,16 +7,26 @@ How to cut a new version that the curl-bash one-liner installs.
 
 ## What gets released
 
-Each tagged version produces three release assets on GitHub:
+Each tagged version produces these release assets on GitHub:
 
 | Asset | Built by | Consumed by |
 |---|---|---|
-| `diting-X.Y.Z-darwin-arm64.tar.gz` | matrix job `macos-14` | install.sh on Apple Silicon |
-| `diting-X.Y.Z-darwin-x86_64.tar.gz` | matrix job `macos-13` | install.sh on Intel |
-| `SHASUMS256.txt` | `shasums` job after both matrix builds | install.sh SHA verification |
+| `diting-X.Y.Z-darwin-arm64.tar.gz` | `macos-14` runner (native) | install.sh on Apple Silicon |
+| `diting-X.Y.Z-darwin-x86_64.tar.gz` | `macos-14` runner under Rosetta 2 | install.sh on Intel |
+| `<arch>.tar.gz.sha256` (×2) | `package_release.sh` (one per arch) | sidecar, aggregated by `shasums` job |
+| `SHASUMS256.txt` | `shasums` job after both arch builds | install.sh SHA verification |
+
+Both arches are built from the **same** `macos-14` (arm64) runner.
+The Swift helper is built once as a universal2 binary (one Mach-O
+with both arm64 and x86_64 slices) and shipped inside both
+tarballs. The PyInstaller-frozen Python is arch-specific and gets
+built twice: natively for arm64, under Rosetta 2 (`arch -x86_64`)
+for x86_64. See the `build` job in `.github/workflows/release.yml`
+for the full sequence.
 
 Each tarball contains a PyInstaller-frozen `diting` binary plus a
-copy of the Swift helper bundle (`diting-tianer.app`). Layout:
+copy of the universal2 Swift helper bundle (`diting-tianer.app`).
+Layout:
 
 ```
 diting-X.Y.Z/
@@ -41,11 +51,12 @@ diting-X.Y.Z/
    ```
    The tag push triggers `.github/workflows/release.yml`.
 
-3. **Watch the workflow.** Both matrix jobs (`macos-14` and
-   `macos-13`) build the helper, freeze the Python binary, run
-   `scripts/package_release.sh`, and upload the tarball + `.sha256`
-   sidecar to the release. The `shasums` job runs after both, pulls
-   the tarballs back down via `gh release download`, computes
+3. **Watch the workflow.** The single `build` job on `macos-14`
+   produces both arches: builds the universal2 helper once,
+   PyInstaller-freezes Python natively for arm64, then again under
+   Rosetta 2 for x86_64. Both tarballs + their `.sha256` sidecars
+   are uploaded to the release. The `shasums` job runs after,
+   pulls the tarballs back down via `gh release download`, computes
    `SHASUMS256.txt`, and uploads it as a sibling asset.
 
 4. **Smoke-test the install.** On a clean macOS account (or a Mac
@@ -95,10 +106,13 @@ bash scripts/package_release.sh 0.10.0-rc1
   notarization. Until then the warning fires only once per
   cdhash — re-installing the same release doesn't re-trigger it.
 
-- **`macos-13` runner deprecation.** GitHub will eventually retire
-  the Intel hosted runners. When that happens we either move
-  x86_64 builds to whatever the latest x86_64 runner is, or drop
-  x86_64 (Apple Silicon adoption is >70% of new Macs as of 2026).
+- **`macos-13` runner queue.** As of v1.0.8 (2026-05-13) the
+  workflow no longer uses `macos-13` at all. Both arches build on a
+  single `macos-14` (arm64) runner; the helper goes universal2 and
+  the frozen Python is built twice (native + Rosetta). If GitHub
+  ever retires the arm64 hosted runners too, point the workflow at
+  the current `macos-N` arm64 tier; the Rosetta 2 step keeps
+  working as long as Apple ships Rosetta.
 
 - **Upgrade users get re-prompted for Location and Bluetooth after a
   release.** Expected when the helper bundle's cdhash changes —