From 191642ca9f317013a2d7052c6fbfae70f6c0868b Mon Sep 17 00:00:00 2001 From: Wes Date: Sat, 13 Jun 2026 21:56:27 -0700 Subject: [PATCH] fix(release): publish manifest from successful platforms Allow the release manifest assembly job to run after a platform job fails, then include only the successful platform outputs in latest.json. This keeps ARM macOS, Linux, and Windows updates publishing while Intel macOS codesigning is broken, and automatically restores Intel updates once that job succeeds again. Co-authored-by: Pinky <44b8e82baa6e0e254e0208d68f335c283c94e7b78dd1fa10d5a49d3f13dd0435@sprout-oss.stage.blox.sqprod.co> Signed-off-by: Wes --- .github/workflows/release.yml | 88 ++++++++++++++++++++++++++++------- 1 file changed, 72 insertions(+), 16 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index c8a50c523..f45890ccc 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -716,7 +716,10 @@ jobs: name: Assemble multi-platform latest.json # Only tag-backed releases assemble latest.json. Branch workflow_dispatch # runs skip rolling-release uploads, so their archive URLs never exist. - if: github.event_name == 'push' || (github.event_name == 'workflow_dispatch' && inputs.ref == format('v{0}', inputs.version)) + if: | + always() && + needs.setup.result == 'success' && + (github.event_name == 'push' || (github.event_name == 'workflow_dispatch' && inputs.ref == format('v{0}', inputs.version))) runs-on: ubuntu-latest needs: [setup, release, release-macos-x64, release-linux, release-windows] timeout-minutes: 10 @@ -733,27 +736,60 @@ jobs: - name: Write signature files env: + RESULT_ARM64: ${{ needs.release.result }} + RESULT_X64: ${{ needs.release-macos-x64.result }} + RESULT_LINUX: ${{ needs.release-linux.result }} + RESULT_WIN: ${{ needs.release-windows.result }} SIG_ARM64: ${{ needs.release.outputs.sig }} SIG_X64: ${{ needs.release-macos-x64.outputs.sig }} SIG_LINUX: ${{ needs.release-linux.outputs.sig }} SIG_WIN: ${{ needs.release-windows.outputs.sig }} run: | + set -euo pipefail mkdir -p /tmp/sigs - echo "$SIG_ARM64" > /tmp/sigs/darwin-aarch64.sig - echo "$SIG_X64" > /tmp/sigs/darwin-x86_64.sig - echo "$SIG_LINUX" > /tmp/sigs/linux-x86_64.sig - echo "$SIG_WIN" > /tmp/sigs/windows-x86_64.sig + + write_sig() { + local result="$1" platform="$2" sig="$3" + if [[ "$result" == "success" ]]; then + [[ -n "$sig" ]] || { echo "::error::Missing signature for successful platform: $platform"; exit 1; } + printf '%s' "$sig" > "/tmp/sigs/${platform}.sig" + fi + } + + write_sig "$RESULT_ARM64" darwin-aarch64 "$SIG_ARM64" + write_sig "$RESULT_X64" darwin-x86_64 "$SIG_X64" + write_sig "$RESULT_LINUX" linux-x86_64 "$SIG_LINUX" + write_sig "$RESULT_WIN" windows-x86_64 "$SIG_WIN" - name: Verify archive URLs are accessible + env: + RESULT_ARM64: ${{ needs.release.result }} + RESULT_X64: ${{ needs.release-macos-x64.result }} + RESULT_LINUX: ${{ needs.release-linux.result }} + RESULT_WIN: ${{ needs.release-windows.result }} + ARCHIVE_ARM64: ${{ needs.release.outputs.archive_name }} + ARCHIVE_X64: ${{ needs.release-macos-x64.outputs.archive_name }} + ARCHIVE_LINUX: ${{ needs.release-linux.outputs.archive_name }} + ARCHIVE_WIN: ${{ needs.release-windows.outputs.archive_name }} run: | set -euo pipefail BASE="https://github.com/block/buzz/releases/download/buzz-desktop-latest" + ARCHIVES=() + + add_archive() { + local result="$1" platform="$2" archive="$3" + if [[ "$result" == "success" ]]; then + [[ -n "$archive" ]] || { echo "::error::Missing archive name for successful platform: $platform"; exit 1; } + ARCHIVES+=("$archive") + fi + } - for name in \ - "${{ needs.release.outputs.archive_name }}" \ - "${{ needs.release-macos-x64.outputs.archive_name }}" \ - "${{ needs.release-linux.outputs.archive_name }}" \ - "${{ needs.release-windows.outputs.archive_name }}"; do + add_archive "$RESULT_ARM64" darwin-aarch64 "$ARCHIVE_ARM64" + add_archive "$RESULT_X64" darwin-x86_64 "$ARCHIVE_X64" + add_archive "$RESULT_LINUX" linux-x86_64 "$ARCHIVE_LINUX" + add_archive "$RESULT_WIN" windows-x86_64 "$ARCHIVE_WIN" + + for name in "${ARCHIVES[@]}"; do echo "Checking $BASE/$name ..." success=false for attempt in 1 2 3; do @@ -772,15 +808,35 @@ jobs: echo "All archive URLs verified." - name: Generate unified latest.json + env: + RESULT_ARM64: ${{ needs.release.result }} + RESULT_X64: ${{ needs.release-macos-x64.result }} + RESULT_LINUX: ${{ needs.release-linux.result }} + RESULT_WIN: ${{ needs.release-windows.result }} + ARCHIVE_ARM64: ${{ needs.release.outputs.archive_name }} + ARCHIVE_X64: ${{ needs.release-macos-x64.outputs.archive_name }} + ARCHIVE_LINUX: ${{ needs.release-linux.outputs.archive_name }} + ARCHIVE_WIN: ${{ needs.release-windows.outputs.archive_name }} run: | + set -euo pipefail BASE="https://github.com/block/buzz/releases/download/buzz-desktop-latest" + TRIPLES=() + + add_triple() { + local result="$1" platform="$2" archive="$3" + if [[ "$result" == "success" ]]; then + [[ -n "$archive" ]] || { echo "::error::Missing archive name for successful platform: $platform"; exit 1; } + TRIPLES+=("${platform}:/tmp/sigs/${platform}.sig:${BASE}/${archive}") + fi + } + + add_triple "$RESULT_ARM64" darwin-aarch64 "$ARCHIVE_ARM64" + add_triple "$RESULT_X64" darwin-x86_64 "$ARCHIVE_X64" + add_triple "$RESULT_LINUX" linux-x86_64 "$ARCHIVE_LINUX" + add_triple "$RESULT_WIN" windows-x86_64 "$ARCHIVE_WIN" - bash desktop/scripts/generate-oss-latest-json.sh "$VERSION" \ - "darwin-aarch64:/tmp/sigs/darwin-aarch64.sig:${BASE}/${{ needs.release.outputs.archive_name }}" \ - "darwin-x86_64:/tmp/sigs/darwin-x86_64.sig:${BASE}/${{ needs.release-macos-x64.outputs.archive_name }}" \ - "linux-x86_64:/tmp/sigs/linux-x86_64.sig:${BASE}/${{ needs.release-linux.outputs.archive_name }}" \ - "windows-x86_64:/tmp/sigs/windows-x86_64.sig:${BASE}/${{ needs.release-windows.outputs.archive_name }}" \ - > latest.json + [ "${#TRIPLES[@]}" -ge 3 ] || { echo "::error::too few platforms (${#TRIPLES[@]})"; exit 1; } + bash desktop/scripts/generate-oss-latest-json.sh "$VERSION" "${TRIPLES[@]}" > latest.json cat latest.json - name: Upload latest.json to rolling release