Skip to content

Commit bf38a2a

Browse files
authored
Merge pull request #171 from switchifyapp/docs/agents-release-process-170
Update AGENTS release process documentation
2 parents 08a5871 + 22972c9 commit bf38a2a

1 file changed

Lines changed: 65 additions & 5 deletions

File tree

AGENTS.md

Lines changed: 65 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -78,9 +78,69 @@ For desktop input or packaging changes, also run the relevant manual smoke path:
7878

7979
## Release flow
8080

81-
Release automation is not implemented yet. Until a release issue defines the final flow:
81+
Only the maintainer should publish releases.
8282

83-
- Use semantic versions for early packages.
84-
- Do not tag releases without a dedicated release issue.
85-
- Do not publish installers without a Windows smoke test.
86-
- Do not add code signing, auto-update, WinGet, or cross-platform packaging unless an issue explicitly scopes it.
83+
Release builds are published from tags named `vX.Y.Z`, where `X.Y.Z` must match `package.json`.
84+
85+
The release workflow is `.github/workflows/release.yml`. It runs on the self-hosted Windows signing runner with the `switchify-signing` label. The runner is expected to have:
86+
87+
- Windows.
88+
- Node and npm.
89+
- GitHub CLI authentication available to the workflow.
90+
- Windows SDK signing tools available, including `signtool`.
91+
- The Certum SimplySign certificate available in `Cert:\CurrentUser\My`.
92+
- An active SimplySign session before the release job runs.
93+
94+
Production release signing uses Certum SimplySign through `signtool`. Do not document or commit the real certificate thumbprint. Use placeholders in docs and examples.
95+
96+
Required signing environment for production packaging:
97+
98+
```powershell
99+
$env:SWITCHIFY_SIGNING_MODE = "certum-simplysign"
100+
$env:SWITCHIFY_CERTUM_CERT_THUMBPRINT = "<certum-certificate-thumbprint>"
101+
$env:SWITCHIFY_CERTUM_TIMESTAMP_URL = "http://time.certum.pl"
102+
```
103+
104+
The release workflow:
105+
106+
- installs dependencies with `npm ci`
107+
- runs `npm run typecheck`
108+
- runs `npm test`
109+
- verifies the Certum signing certificate
110+
- builds native helpers
111+
- packages the Windows x64 NSIS installer with `npm run package:win`
112+
- verifies the tag matches `package.json`
113+
- uploads all top-level `dist` release assets to GitHub Releases, including the signed installer and updater metadata
114+
115+
Local packaging with `npm run package:win` creates artifacts under `dist`. It does not publish a GitHub release.
116+
117+
Before publishing a release, the maintainer should run or confirm the Windows smoke path:
118+
119+
- signed installer verifies with Authenticode
120+
- installer installs per-machine under `C:\Program Files\Switchify PC\`
121+
- `npm run package:win:verify-uiaccess` passes
122+
- app launches and stays running
123+
- tray menu works
124+
- Bluetooth pairing works
125+
- authenticated ping works
126+
- mouse, click, right-click, scroll, keyboard/text, media, and window control commands work
127+
- Settings > Updates can check, download, and show `Install update` in packaged builds
128+
- updater metadata exists in `dist\latest.yml` and packaged `resources\app-update.yml`
129+
130+
To publish a release, the maintainer may push an annotated tag:
131+
132+
```powershell
133+
git tag -a vX.Y.Z -m "Release vX.Y.Z"
134+
git push origin vX.Y.Z
135+
```
136+
137+
The workflow can also be dispatched manually by the maintainer with a `tag` input.
138+
139+
Do not:
140+
141+
- publish releases from contributor machines
142+
- tag releases without maintainer intent
143+
- hard-code a real certificate thumbprint in docs
144+
- bypass the signed Windows runner for production installers
145+
- publish unsigned production installers
146+
- change signing, updater, WinGet, or cross-platform release behavior unless a dedicated issue explicitly scopes it

0 commit comments

Comments
 (0)