jsgrrchg · seifzellaban · May 28, 2026 · May 28, 2026 · May 28, 2026 · May 28, 2026
diff --git a/.github/workflows/release-desktop.yml b/.github/workflows/release-desktop.yml
@@ -86,7 +86,9 @@ jobs:
 
     build-target:
         name: Build ${{ matrix.target }}
-        needs: prepare
+        needs:
+            - prepare
+            - apt-repository-preflight
         runs-on: ${{ matrix.runner }}
         strategy:
             fail-fast: false
@@ -167,7 +169,7 @@ jobs:
                   EOF
                   fi
                   sudo apt-get update
-                  sudo apt-get install -y pkg-config libcap-dev
+                  sudo apt-get install -y pkg-config libcap-dev gnupg rpm
                   if [[ "${{ matrix.target }}" == "aarch64-unknown-linux-gnu" ]]; then
                     sudo apt-get install -y gcc-aarch64-linux-gnu libcap-dev:arm64 libssl-dev:arm64
                     echo "CARGO_TARGET_AARCH64_UNKNOWN_LINUX_GNU_LINKER=aarch64-linux-gnu-gcc" >> "$GITHUB_ENV"
@@ -346,6 +348,33 @@ jobs:
                   verify_universal "$APP_PATH/Contents/Resources/native-backend/binaries/codex-acp"
                   verify_universal "$APP_PATH/Contents/Resources/native-backend/embedded/node/bin/node"
 
+            - name: Sign Linux RPM package
+              if: matrix.platform == 'linux'
+              shell: bash
+              env:
+                  APT_REPO_GPG_PRIVATE_KEY: ${{ secrets.APT_REPO_GPG_PRIVATE_KEY }}
+                  APT_REPO_GPG_PASSPHRASE: ${{ secrets.APT_REPO_GPG_PASSPHRASE }}
+                  APT_REPO_GPG_KEY_ID: ${{ secrets.APT_REPO_GPG_KEY_ID }}
+              run: |
+                  for name in APT_REPO_GPG_PRIVATE_KEY APT_REPO_GPG_PASSPHRASE APT_REPO_GPG_KEY_ID; do
+                    if [[ -z "${!name}" ]]; then
+                      echo "Missing required GitHub Actions secret: ${name}" >&2
+                      exit 1
+                    fi
+                  done
+
+                  export GNUPGHOME
+                  GNUPGHOME="$(mktemp -d)"
+                  trap 'rm -rf "$GNUPGHOME"' EXIT
+                  chmod 700 "$GNUPGHOME"
+                  printf '%s' "$APT_REPO_GPG_PRIVATE_KEY" | gpg --batch --import
+                  gpg --batch --armor --export "$APT_REPO_GPG_KEY_ID" > "$RUNNER_TEMP/neverwrite-rpm-signing-key.asc"
+                  sudo rpm --import "$RUNNER_TEMP/neverwrite-rpm-signing-key.asc"
+
+                  node scripts/sign-rpm-packages.mjs \
+                    --rpm-dir "$RUNNER_TEMP/electron-dist" \
+                    --key-id "$APT_REPO_GPG_KEY_ID"
+
             - name: Stage release assets and target metadata
               shell: bash
               run: |
@@ -369,6 +398,16 @@ jobs:
                     --version "${{ needs.prepare.outputs.version }}" \
                     --install
 
+            - name: Validate Linux RPM package
+              if: matrix.platform == 'linux'
+              shell: bash
+              run: |
+                  node apps/desktop/scripts/validate-linux-rpm-package.mjs \
+                    --staged-assets-dir "$RUNNER_TEMP/release-assets" \
+                    --target ${{ matrix.target }} \
+                    --version "${{ needs.prepare.outputs.version }}" \
+                    --require-signature
+
             - name: Upload release asset artifact
               uses: actions/upload-artifact@v4
               with:
@@ -815,8 +854,8 @@ jobs:
                   }
                   EOF
 
-            - name: Install APT repository tools
-              run: sudo apt-get update && sudo apt-get install -y dpkg gnupg gzip
+            - name: Install Linux repository tools
+              run: sudo apt-get update && sudo apt-get install -y createrepo-c dpkg gnupg gzip rpm
 
             - name: Build APT repository
               shell: bash
@@ -831,6 +870,18 @@ jobs:
                     --suite stable \
                     --component main
 
+            - name: Build DNF repository
+              shell: bash
+              env:
+                  PAGES_DIR: ${{ runner.temp }}/gh-pages
+              run: |
+                  node scripts/build-dnf-repository.mjs \
+                    --version "${{ needs.prepare.outputs.version }}" \
+                    --tag "${{ needs.prepare.outputs.tag }}" \
+                    --release-assets-dir .artifacts/release-assets \
+                    --pages-dir "$PAGES_DIR" \
+                    --repo-slug "${{ needs.prepare.outputs.repo_slug }}"
+
             - name: Sign APT repository
               shell: bash
               env:
@@ -857,6 +908,30 @@ jobs:
                     --key-id "$APT_REPO_GPG_KEY_ID" \
                     --suite stable
 
+            - name: Sign DNF repository
+              shell: bash
+              env:
+                  APT_REPO_GPG_PRIVATE_KEY: ${{ secrets.APT_REPO_GPG_PRIVATE_KEY }}
+                  APT_REPO_GPG_PASSPHRASE: ${{ secrets.APT_REPO_GPG_PASSPHRASE }}
+                  APT_REPO_GPG_KEY_ID: ${{ secrets.APT_REPO_GPG_KEY_ID }}
+                  PAGES_DIR: ${{ runner.temp }}/gh-pages
+              run: |
+                  for name in APT_REPO_GPG_PRIVATE_KEY APT_REPO_GPG_PASSPHRASE APT_REPO_GPG_KEY_ID; do
+                    if [[ -z "${!name}" ]]; then
+                      echo "Missing required GitHub Actions secret: ${name}" >&2
+                      exit 1
+                    fi
+                  done
+
+                  export GNUPGHOME
+                  GNUPGHOME="$(mktemp -d)"
+                  trap 'rm -rf "$GNUPGHOME"' EXIT
+                  chmod 700 "$GNUPGHOME"
+                  printf '%s' "$APT_REPO_GPG_PRIVATE_KEY" | gpg --batch --import
+                  node scripts/sign-dnf-repository.mjs \
+                    --dnf-dir "$PAGES_DIR/dnf" \
+                    --key-id "$APT_REPO_GPG_KEY_ID"
+
             - name: Validate APT repository
               shell: bash
               env:
@@ -868,6 +943,15 @@ jobs:
                     --suite stable \
                     --component main
 
+            - name: Validate DNF repository
+              shell: bash
+              env:
+                  PAGES_DIR: ${{ runner.temp }}/gh-pages
+              run: |
+                  node scripts/validate-dnf-repository.mjs \
+                    --dnf-dir "$PAGES_DIR/dnf" \
+                    --version "${{ needs.prepare.outputs.version }}"
+
             - name: Validate APT repository with apt
               shell: bash
               env:
@@ -895,7 +979,31 @@ jobs:
                       apt-get install -y --download-only "neverwrite=$VERSION"
                     '
 
-            - name: Publish APT repository to gh-pages
+            - name: Validate DNF repository with dnf
+              shell: bash
+              env:
+                  PAGES_DIR: ${{ runner.temp }}/gh-pages
+                  VERSION: ${{ needs.prepare.outputs.version }}
+              run: |
+                  docker run --rm \
+                    -e VERSION="$VERSION" \
+                    -v "$PAGES_DIR/dnf:/repo:ro" \
+                    fedora:40 \
+                    bash -lc '
+                      set -euo pipefail
+                      cp /repo/neverwrite-archive-keyring.asc /etc/pki/rpm-gpg/
+                      rpm --import /repo/neverwrite-archive-keyring.asc
+                      cp /repo/neverwrite.repo.example /etc/yum.repos.d/neverwrite.repo
+                      sed -i "s|baseurl=.*|baseurl=file:///repo|" /etc/yum.repos.d/neverwrite.repo
+                      sed -i "s|gpgkey=.*|gpgkey=file:///repo/neverwrite-archive-keyring.asc|" /etc/yum.repos.d/neverwrite.repo
+                      dnf -y makecache
+                      dnf info neverwrite
+                      dnf info neverwrite | grep -F "$VERSION"
+                      dnf install -y --downloadonly neverwrite
+                      echo "DNF repository validated successfully."
+                    '
+
+            - name: Publish Linux repositories to gh-pages
               shell: bash
               env:
                   PAGES_DIR: ${{ runner.temp }}/gh-pages
@@ -904,11 +1012,11 @@ jobs:
                     cd "$PAGES_DIR"
                     git config user.name "github-actions[bot]"
                     git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
-                    git add apt .nojekyll
+                    git add apt dnf .nojekyll
                     if git diff --cached --quiet; then
-                      echo "No APT repository changes to publish."
+                      echo "No Linux repository changes to publish."
                     else
-                      git commit -m "Publish APT repository for ${{ needs.prepare.outputs.tag }}"
+                      git commit -m "Publish Linux repositories for ${{ needs.prepare.outputs.tag }}"
                       git push origin HEAD:gh-pages
                     fi
                   )
diff --git a/apps/desktop/electron-builder.config.mjs b/apps/desktop/electron-builder.config.mjs
@@ -208,7 +208,7 @@ export default {
     },
     linux: {
         icon: path.join("build", "icons", "icon.png"),
-        target: ["AppImage", "deb"],
+        target: ["AppImage", "deb", "rpm"],
         category: "Utility",
         executableName: "neverwrite",
         artifactName: "${productName}-${version}-${arch}.AppImage",
@@ -227,4 +227,10 @@ export default {
         artifactName: "${productName}-${version}-${arch}.deb",
         publish: null,
     },
+    rpm: {
+        packageName: "neverwrite",
+        maintainer: "NeverWrite Maintainers <jsgrrchg@users.noreply.github.com>",
+        artifactName: "${productName}-${version}-${arch}.rpm",
+        publish: null,
+    },
 };
diff --git a/apps/desktop/scripts/electron-builder-config.test.mjs b/apps/desktop/scripts/electron-builder-config.test.mjs
@@ -51,7 +51,7 @@ test("desktop app icons are wired for all packaged platforms", () => {
     assert.equal(config.mac.icon, "build/icons/icon.icns");
     assert.equal(config.win.icon, "build/icons/icon.ico");
     assert.equal(config.linux.icon, "build/icons/icon.png");
-    assert.deepEqual(config.linux.target, ["AppImage", "deb"]);
+    assert.deepEqual(config.linux.target, ["AppImage", "deb", "rpm"]);
     assert.equal(config.nsis.installerIcon, "build/icons/icon.ico");
     assert.equal(config.nsis.uninstallerIcon, "build/icons/icon.ico");
     assert.equal(config.nsis.installerHeaderIcon, "build/icons/icon.ico");
@@ -62,7 +62,21 @@ test("Debian package metadata is stable for Ubuntu/Debian releases", () => {
     assert.equal(config.deb.packageName, "neverwrite");
     assert.equal(config.deb.packageCategory, "utils");
     assert.equal(config.deb.priority, "optional");
+    assert.equal(
+        config.deb.maintainer,
+        "NeverWrite Maintainers <jsgrrchg@users.noreply.github.com>",
+    );
     assert.equal(config.deb.artifactName, "${productName}-${version}-${arch}.deb");
     assert.equal(config.deb.publish, null);
     assert.equal(config.deb.synopsis, "AI-powered writing workspace");
 });
+
+test("RPM package metadata is stable for Fedora/RHEL releases", () => {
+    assert.equal(config.rpm.packageName, "neverwrite");
+    assert.equal(
+        config.rpm.maintainer,
+        "NeverWrite Maintainers <jsgrrchg@users.noreply.github.com>",
+    );
+    assert.equal(config.rpm.artifactName, "${productName}-${version}-${arch}.rpm");
+    assert.equal(config.rpm.publish, null);
+});
diff --git a/apps/desktop/scripts/stage-electron-release-assets.mjs b/apps/desktop/scripts/stage-electron-release-assets.mjs
@@ -9,7 +9,9 @@ import {
     buildElectronUpdaterAssetName,
     buildGitHubReleaseAssetUrl,
     buildPublicReleaseAssetName,
+    buildRpmPackageAssetName,
     debianArchForBuildTarget,
+    describeRpmPackage,
     feedTargetForBuildTarget,
     metadataFileNameForBuildTarget,
 } from "../../../scripts/electron-release-lib.mjs";
@@ -211,17 +213,21 @@ function collectArtifacts(distDir, buildTarget, version) {
             (filePath) => path.basename(filePath) === expectedDebAssetName,
             `${debianArchForBuildTarget(buildTarget)} Debian package named ${expectedDebAssetName}`,
         );
+        const expectedRpmAssetName = buildRpmPackageAssetName(version, buildTarget);
+        const rpmPackagePath = findSingleFile(
+            distDir,
+            (filePath) => path.basename(filePath) === expectedRpmAssetName,
+            `${describeRpmPackage(buildTarget)} named ${expectedRpmAssetName}`,
+        );
 
         return {
             feedPath,
             manualAssetPath: appImagePath,
             updaterAssetPath: appImagePath,
             blockmapPath,
             additionalManualArtifacts: [
-                {
-                    kind: "deb",
-                    sourcePath: debPackagePath,
-                },
+                { kind: "deb", sourcePath: debPackagePath },
+                { kind: "rpm", sourcePath: rpmPackagePath },
             ],
         };
     }
@@ -490,7 +496,8 @@ function shouldKeepFeedArtifact(sourceValue, buildTarget) {
     if (
         buildTarget.endsWith("-unknown-linux-gnu") &&
         typeof sourceValue === "string" &&
-        sourceValue.toLowerCase().endsWith(".deb")
+        (sourceValue.toLowerCase().endsWith(".deb") ||
+         sourceValue.toLowerCase().endsWith(".rpm"))
     ) {
         return false;
     }
@@ -530,6 +537,17 @@ function stageAdditionalManualAssets({
     outputDir,
 }) {
     return artifacts.additionalManualArtifacts.map((artifact) => {
+        if (artifact.kind === "rpm") {
+            const assetName = buildRpmPackageAssetName(version, target);
+            const destinationPath = path.join(outputDir, assetName);
+            copyIfNeeded(artifact.sourcePath, destinationPath);
+            return {
+                kind: artifact.kind,
+                assetName,
+                sizeBytes: fileSizeInBytes(destinationPath),
+            };
+        }
+
         if (artifact.kind !== "deb") {
             throw new Error(
                 `Unsupported additional manual artifact kind "${artifact.kind}".`,