feat(gui): in-app auto-updater via tauri-plugin-updater

.github/workflows/ci.yml

@@ -22,6 +22,8 @@ jobs:
       - uses: actions/checkout@v4
       - uses: dtolnay/rust-toolchain@stable
       - uses: Swatinem/rust-cache@v2
+        with:
+          cache-bin: "false"
       # rompatch-gui needs a built frontend dist and (on Linux) WebKit2GTK
       # system deps. We test it in the dedicated `gui` job, so exclude here.
       - run: cargo test --workspace --all-targets --exclude rompatch-gui
@@ -36,6 +38,8 @@ jobs:
         with:
           components: rustfmt, clippy
       - uses: Swatinem/rust-cache@v2
+        with:
+          cache-bin: "false"
       - run: cargo fmt --all -- --check
       - run: cargo clippy --workspace --all-targets --exclude rompatch-gui -- -D warnings
 
@@ -71,6 +75,10 @@ jobs:
       - uses: Swatinem/rust-cache@v2
         with:
           key: gui
+          # dtolnay/rust-toolchain manages ~/.cargo/bin; letting rust-cache
+          # restore a stale bin dir from a prior run clobbers the freshly
+          # installed proxies and `cargo` ends up invoking rustup-init.
+          cache-bin: "false"
       - name: install frontend deps
         run: pnpm install --frozen-lockfile
         working-directory: crates/rompatch-gui/ui
@@ -126,39 +134,78 @@ jobs:
           APPLE_ID: ${{ secrets.APPLE_ID }}
           APPLE_PASSWORD: ${{ secrets.APPLE_PASSWORD }}
           APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
+          TAURI_SIGNING_PRIVATE_KEY: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY }}
+          TAURI_SIGNING_PRIVATE_KEY_PASSWORD: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY_PASSWORD }}
         run: cargo tauri build --target universal-apple-darwin
       - name: tauri build universal .dmg (unsigned)
         if: startsWith(github.ref, 'refs/tags/') && env.APPLE_SIGNING_ENABLED != 'true'
         working-directory: crates/rompatch-gui
+        env:
+          TAURI_SIGNING_PRIVATE_KEY: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY }}
+          TAURI_SIGNING_PRIVATE_KEY_PASSWORD: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY_PASSWORD }}
         run: cargo tauri build --target universal-apple-darwin
       - name: verify notarization + signature
         if: startsWith(github.ref, 'refs/tags/') && env.APPLE_SIGNING_ENABLED == 'true'
         run: |
           DMG=$(ls target/universal-apple-darwin/release/bundle/dmg/*.dmg | head -1)
           xcrun stapler validate "$DMG"
           spctl --assess --type open --context context:primary-signature "$DMG"
+      # Build the Tauri updater manifest. The endpoint configured in
+      # tauri.conf.json resolves `releases/latest/download/latest.json` to
+      # whichever release GitHub marks as "latest", so this file just needs
+      # to ship alongside the signed .app.tar.gz.
+      - name: build latest.json updater manifest
+        if: startsWith(github.ref, 'refs/tags/')
+        run: |
+          set -euo pipefail
+          VERSION="${GITHUB_REF_NAME#v}"
+          BUNDLE_DIR="target/universal-apple-darwin/release/bundle/macos"
+          TARBALL_PATH=$(ls "$BUNDLE_DIR"/*.app.tar.gz | head -1)
+          TARBALL=$(basename "$TARBALL_PATH")
+          SIG=$(cat "$TARBALL_PATH.sig")
+          URL="https://github.com/${{ github.repository }}/releases/download/${GITHUB_REF_NAME}/${TARBALL}"
+          jq -n \
+            --arg v "$VERSION" \
+            --arg sig "$SIG" \
+            --arg url "$URL" \
+            --arg notes "See https://github.com/${{ github.repository }}/releases/tag/${GITHUB_REF_NAME} for details" \
+            '{
+              version: $v,
+              notes: $notes,
+              pub_date: (now | todate),
+              platforms: { "darwin-universal": { signature: $sig, url: $url } }
+            }' > latest.json
+          cat latest.json
       # Sigstore-backed build provenance attestation. Free, transparency-
       # logged, and verifiable by anyone with `gh attestation verify`.
-      # Runs on every tag regardless of Apple-signing state.
-      - name: attest .dmg
+      # Runs on every tag regardless of Apple-signing state. Covers both
+      # the .dmg (fresh install) and .app.tar.gz (in-app updater).
+      - name: attest release artifacts
         if: startsWith(github.ref, 'refs/tags/')
         uses: actions/attest-build-provenance@v2
         with:
-          subject-path: target/universal-apple-darwin/release/bundle/dmg/*.dmg
+          subject-path: |
+            target/universal-apple-darwin/release/bundle/dmg/*.dmg
+            target/universal-apple-darwin/release/bundle/macos/*.app.tar.gz
       - name: upload .dmg artifact
         if: startsWith(github.ref, 'refs/tags/')
         uses: actions/upload-artifact@v4
         with:
           name: rompatch-gui-macos-universal
           path: target/universal-apple-darwin/release/bundle/dmg/*.dmg
-      # Auto-create a GitHub Release with auto-generated release notes
-      # and the .dmg attached.
+      # Auto-create a GitHub Release with auto-generated release notes,
+      # the .dmg for fresh installs, and the .app.tar.gz + .sig + latest.json
+      # for the in-app updater.
       - name: create GitHub Release
         if: startsWith(github.ref, 'refs/tags/')
         uses: softprops/action-gh-release@3bb12739c298aeb8a4eeaf626c5b8d85266b0e65 # v2.6.2
         with:
           generate_release_notes: true
-          files: target/universal-apple-darwin/release/bundle/dmg/*.dmg
+          files: |
+            target/universal-apple-darwin/release/bundle/dmg/*.dmg
+            target/universal-apple-darwin/release/bundle/macos/*.app.tar.gz
+            target/universal-apple-darwin/release/bundle/macos/*.app.tar.gz.sig
+            latest.json
       - name: cleanup keychain
         if: always() && startsWith(github.ref, 'refs/tags/') && env.APPLE_SIGNING_ENABLED == 'true'
         run: |
@@ -180,6 +227,8 @@ jobs:
         with:
           components: llvm-tools-preview
       - uses: Swatinem/rust-cache@v2
+        with:
+          cache-bin: "false"
       - uses: taiki-e/install-action@cargo-llvm-cov
       - run: cargo llvm-cov --workspace --exclude rompatch-gui --lcov --output-path lcov.info
       - run: cargo llvm-cov report --summary-only
@@ -197,6 +246,7 @@ jobs:
       - uses: Swatinem/rust-cache@v2
         with:
           workspaces: fuzz -> fuzz/target
+          cache-bin: "false"
       - uses: taiki-e/install-action@v2
         with:
           tool: cargo-fuzz