AprilNEA · AprilNEA · May 31, 2026 · May 31, 2026 · May 31, 2026 · May 31, 2026
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -15,7 +15,7 @@ jobs:
     name: rustfmt
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
       - uses: dtolnay/rust-toolchain@stable
         with:
           components: rustfmt
@@ -25,7 +25,7 @@ jobs:
     name: clippy
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
       - uses: dtolnay/rust-toolchain@stable
         with:
           components: clippy
@@ -43,7 +43,7 @@ jobs:
     name: cargo check (linux)
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
       - uses: dtolnay/rust-toolchain@stable
       - uses: Swatinem/rust-cache@v2
       - run: |
@@ -64,7 +64,7 @@ jobs:
     name: tests (linux)
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
       - uses: dtolnay/rust-toolchain@stable
       - uses: Swatinem/rust-cache@v2
       - run: |
@@ -80,7 +80,7 @@ jobs:
     name: tests (macos)
     runs-on: macos-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
       - uses: dtolnay/rust-toolchain@stable
       - uses: Swatinem/rust-cache@v2
       - run: cargo test --workspace --all-targets
@@ -89,7 +89,7 @@ jobs:
     name: cargo check (windows)
     runs-on: windows-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
       - uses: dtolnay/rust-toolchain@stable
       - uses: Swatinem/rust-cache@v2
       # openlogi-gui's GPUI/Metal deps don't build on Windows yet — restrict to

diff --git a/.github/workflows/release-plz.yml b/.github/workflows/release-plz.yml
@@ -22,7 +22,7 @@ jobs:
       group: release-plz-pr-${{ github.ref }}
       cancel-in-progress: false
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
         with:
           fetch-depth: 0
           persist-credentials: false
@@ -62,7 +62,7 @@ jobs:
 
       - name: Mint GitHub App token
         id: app-token
-        uses: actions/create-github-app-token@v2
+        uses: actions/create-github-app-token@v3
         with:
           app-id: ${{ steps.load_secrets.outputs.GITHUB_APP_ID }}
           private-key: ${{ steps.app_key.outputs.pem }}
@@ -87,12 +87,40 @@ jobs:
             fi
           done
       - name: Run release-plz (release-pr)
+        id: release_pr
         uses: release-plz/action@v0.5
         with:
           command: release-pr
         env:
           GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
           CARGO_REGISTRY_TOKEN: ${{ steps.load_secrets.outputs.CARGO_REGISTRY_TOKEN }}
+      # `release-plz/action` swallows a release-pr HTTP 422 as a warning and
+      # reports no PR, which silently stalls releases (it looks identical to a
+      # quiet week of commits). Fail loudly when release-plz opened/updated no
+      # release PR, none is already open, yet release-worthy commits exist since
+      # the last tag — that combination means a swallowed failure, not a no-op.
+      - name: Guard against a silently stalled release
+        if: steps.release_pr.outputs.prs_created == 'false'
+        env:
+          GH_TOKEN: ${{ steps.app-token.outputs.token }}
+          REPO: ${{ github.repository }}
+        run: |
+          # An already-open release PR is the normal "updated, not created" path.
+          open_release_pr=$(gh pr list --repo "$REPO" --state open --json headRefName \
+            --jq '[.[] | select(.headRefName | startswith("release-plz-"))] | length')
+          if [ "$open_release_pr" != "0" ]; then
+            echo "A release PR is already open — nothing to flag."
+            exit 0
+          fi
+          last_tag=$(git describe --tags --abbrev=0 --match 'v*' 2>/dev/null || true)
+          range="${last_tag:+$last_tag..}HEAD"
+          worthy=$(git log "$range" --format='%s' \
+            | grep -cE '^(feat|fix|perf)(\(.+\))?!?:|^[a-z]+(\(.+\))?!:' || true)
+          if [ "$worthy" != "0" ]; then
+            echo "::error::release-plz opened no release PR, but $worthy release-worthy commit(s) exist since ${last_tag:-repo start} and none is open — likely a swallowed release-plz failure (see the release-pr step)."
+            exit 1
+          fi
+          echo "No release PR and no release-worthy commits since ${last_tag:-repo start}; nothing to release."
 
   # On every push to master, publishes any crate whose manifest version is not yet
   # on crates.io — i.e. a no-op until the release PR is merged, at which point it
@@ -104,7 +132,7 @@ jobs:
       contents: write
       pull-requests: read
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
         with:
           fetch-depth: 0
           persist-credentials: false
@@ -141,7 +169,7 @@ jobs:
 
       - name: Mint GitHub App token
         id: app-token
-        uses: actions/create-github-app-token@v2
+        uses: actions/create-github-app-token@v3
         with:
           app-id: ${{ steps.load_secrets.outputs.GITHUB_APP_ID }}
           private-key: ${{ steps.app_key.outputs.pem }}

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -20,7 +20,7 @@ jobs:
     env:
       OPENLOGI_BUNDLE_ASSETS: ${{ vars.OPENLOGI_BUNDLE_ASSETS }}
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
 
       - uses: dtolnay/rust-toolchain@stable
 
@@ -121,20 +121,23 @@ jobs:
           codesign --verify --verbose=2 "$dmg"
 
       - name: Notarize DMG
-        uses: lando/notarize-action@v2
-        with:
-          product-path: target/release/OpenLogi.dmg
-          appstore-connect-username: ${{ steps.load_secrets.outputs.APPLE_ID }}
-          appstore-connect-password: ${{ steps.load_secrets.outputs.APPLE_PASSWORD }}
-          appstore-connect-team-id: ${{ steps.load_secrets.outputs.APPLE_TEAM_ID }}
-          primary-bundle-id: org.openlogi.openlogi
-          tool: notarytool
-          verbose: true
+        env:
+          APPLE_ID: ${{ steps.load_secrets.outputs.APPLE_ID }}
+          APPLE_PASSWORD: ${{ steps.load_secrets.outputs.APPLE_PASSWORD }}
+          APPLE_TEAM_ID: ${{ steps.load_secrets.outputs.APPLE_TEAM_ID }}
+        run: |
+          set -euo pipefail
+          xcrun notarytool submit target/release/OpenLogi.dmg \
+            --apple-id "$APPLE_ID" \
+            --password "$APPLE_PASSWORD" \
+            --team-id "$APPLE_TEAM_ID" \
+            --wait
 
       - name: Staple DMG
-        uses: BoundfoxStudios/action-xcode-staple@v1
-        with:
-          product-path: target/release/OpenLogi.dmg
+        run: |
+          set -euo pipefail
+          xcrun stapler staple target/release/OpenLogi.dmg
+          xcrun stapler validate target/release/OpenLogi.dmg
 
       - name: Collect DMG artifact
         run: |
@@ -144,15 +147,15 @@ jobs:
           cp target/release/OpenLogi.dmg "dist/OpenLogi-${ref_name}-macos.dmg"
           shasum -a 256 dist/*.dmg > dist/SHA256SUMS
 
-      - uses: actions/upload-artifact@v4
+      - uses: actions/upload-artifact@v7
         with:
           name: OpenLogi-macos-dmg
           path: |
             dist/*.dmg
             dist/SHA256SUMS
 
       - name: Attach DMG to GitHub Release
-        uses: softprops/action-gh-release@v2
+        uses: softprops/action-gh-release@v3
         with:
           files: |
             dist/*.dmg
@@ -175,15 +178,15 @@ jobs:
 
       - name: Mint homebrew-tap token (GitHub App)
         id: tap_token
-        uses: actions/create-github-app-token@v2
+        uses: actions/create-github-app-token@v3
         with:
           app-id: ${{ steps.load_secrets.outputs.GITHUB_APP_ID }}
           private-key: ${{ steps.app_key.outputs.pem }}
           owner: AprilNEA
           repositories: homebrew-tap
 
       - name: Dispatch homebrew-tap update
-        uses: peter-evans/repository-dispatch@v3
+        uses: peter-evans/repository-dispatch@v4
         with:
           token: ${{ steps.tap_token.outputs.token }}
           repository: AprilNEA/homebrew-tap

diff --git a/crates/openlogi-gui/src/platform/mod.rs b/crates/openlogi-gui/src/platform/mod.rs
@@ -2,5 +2,7 @@
 
 pub mod launch_agent;
 pub mod single_instance;
+#[cfg(target_os = "macos")]
+mod status_item;
 pub mod tray;
 pub mod updater;