From 45a42475638d969aa768bc383b44e8ee07b50c69 Mon Sep 17 00:00:00 2001
From: Jason
Date: Wed, 6 May 2026 23:20:14 +0800
Subject: [PATCH] ci: harden release workflow
---
 .github/workflows/release.yml | 92 +++++++++++++++++++++++------------
 1 file changed, 62 insertions(+), 30 deletions(-)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 917a8b4..6627afa 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -28,7 +28,23 @@ jobs:
 node-version: 24
 cache: "npm"
 - name: Install Dependencies
- run: npm install
+ run: npm install --ignore-scripts
+
+ - name: Ensure mac key helpers are executable
+ shell: bash
+ run: |
+ set -euo pipefail
+ for file in \
+ resources/key/macos/universal/xkey_helper \
+ resources/key/macos/universal/image_scan_helper \
+ resources/key/macos/universal/xkey_helper_macos \
+ resources/key/macos/universal/libwx_key.dylib
+ do
+ if [ -f "$file" ]; then
+ chmod +x "$file"
+ ls -l "$file"
+ fi
+ done
 
 - name: Sync version with tag
 shell: bash
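Review bot: `run: npm install --ignore-scripts` stops lifecycle scripts, but `npm install` still resolves versions at install time and will quietly rewrite the lockfile on drift; since the preceding setup-node step uses `cache: "npm"`, which needs a lockfile to hash, the hardened line should be `run: npm ci --ignore-scripts` so the release is built from exactly the committed lockfile and fails loudly otherwise. In the new chmod loop, `resources/key/macos/universal/libwx_key.dylib` is listed next to the helper executables; a dylib is loaded rather than executed, so either drop it from the list or add a comment above the loop such as `# electron-builder's mac signing step expects +x on these bundled binaries — TODO confirm for the .dylib` so the next reader knows the bit is deliberate. With scripts disabled here and `npmRebuild` disabled in the packaging hunk, any native addon in the tree ships as whatever prebuilt binary npm fetched; presumably intended, but worth stating in a comment on the install step.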
@@ -52,9 +68,9 @@ jobs:
 set -euo pipefail
 export ELECTRON_BUILDER_BINARIES_MIRROR="https://github.com/electron-userland/electron-builder-binaries/releases/download/"
 echo "Using ELECTRON_BUILDER_BINARIES_MIRROR=$ELECTRON_BUILDER_BINARIES_MIRROR"
- if ! npx electron-builder --mac dmg zip --arm64 --publish always '--config.publish.owner=${{ github.repository_owner }}' '--config.publish.repo=${{ github.event.repository.name }}'; then
+ if ! npx electron-builder --mac dmg zip --arm64 --publish always '--config.npmRebuild=false' '--config.publish.owner=${{ github.repository_owner }}' '--config.publish.repo=${{ github.event.repository.name }}'; then
 echo "::warning::DMG packaging failed (hdiutil instability on runner). Retrying with ZIP only."
- npx electron-builder --mac zip --arm64 --publish always '--config.publish.owner=${{ github.repository_owner }}' '--config.publish.repo=${{ github.event.repository.name }}'
+ npx electron-builder --mac zip --arm64 --publish always '--config.npmRebuild=false' '--config.publish.owner=${{ github.repository_owner }}' '--config.publish.repo=${{ github.event.repository.name }}'
 fi
 
 - name: Inject minimumVersion into latest yml
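Review bot: The flag list shared by the dmg+zip attempt and the zip-only retry is duplicated verbatim on the two `npx electron-builder` lines, which is why `--config.npmRebuild=false` had to be pasted into both; the next hardening switch or publish-target change added to one line will silently miss the other path and the retry will publish with different settings. Collect the common arguments once in a bash array and expand it in both commands; the `${{ }}` expressions keep their single quotes exactly as now so the shell never re-parses them. The enclosing `run:` block starts before this hunk.
```yaml
        run: |
          # … unchanged: set -euo pipefail, ELECTRON_BUILDER_BINARIES_MIRROR export and echo …
          eb_args=(--arm64 --publish always '--config.npmRebuild=false'
                   '--config.publish.owner=${{ github.repository_owner }}'
                   '--config.publish.repo=${{ github.event.repository.name }}')
          if ! npx electron-builder --mac dmg zip "${eb_args[@]}"; then
            echo "::warning::DMG packaging failed (hdiutil instability on runner). Retrying with ZIP only."
            npx electron-builder --mac zip "${eb_args[@]}"
          fi
```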
@@ -327,33 +343,49 @@ jobs:
 retry_cmd 5 3 gh release edit "$TAG" --repo "$REPO" --notes-file release_notes.md
 
 deploy-aur:
- runs-on: ubuntu-latest
- needs: [release-linux]
- if: startsWith(github.ref, 'refs/tags/v')
- steps:
- - name: Checkout code
- uses: actions/checkout@v5
- with:
- fetch-depth: 0
+ runs-on: ubuntu-latest
+ needs: [release-linux]
+ if: startsWith(github.ref, 'refs/tags/v')
+ steps:
+ - name: Check AUR credentials
+ id: aur-credentials
+ shell: bash
+ env:
+ AUR_SSH_PRIVATE_KEY: ${{ secrets.AUR_SSH_PRIVATE_KEY }}
+ run: |
+ if [ -z "${AUR_SSH_PRIVATE_KEY}" ]; then
+ echo "::notice::AUR_SSH_PRIVATE_KEY is not configured; skipping AUR publish."
+ echo "enabled=false" >> "$GITHUB_OUTPUT"
+ else
+ echo "enabled=true" >> "$GITHUB_OUTPUT"
+ fi
 
- - name: Update PKGBUILD version
- run: |
- NEW_VER=$(echo "${{ github.ref_name }}" | sed 's/^v//')
- sed -i "s/^pkgver=.*/pkgver=${NEW_VER}/" resources/installer/linux/PKGBUILD
- sed -i "s/^pkgrel=.*/pkgrel=1/" resources/installer/linux/PKGBUILD
+ - name: Checkout code
+ if: steps.aur-credentials.outputs.enabled == 'true'
+ uses: actions/checkout@v5
+ with:
+ fetch-depth: 0
 
- - name: Publish AUR package
- uses: KSXGitHub/github-actions-deploy-aur@master
- with:
- pkgname: weflow
- pkgbuild: resources/installer/linux/PKGBUILD
- updpkgsums: true
- assets: |
- resources/installer/linux/weflow.desktop
- resources/installer/linux/icon.png
- resources/installer/linux/.gitignore
+ - name: Update PKGBUILD version
+ if: steps.aur-credentials.outputs.enabled == 'true'
+ run: |
+ NEW_VER=$(echo "${{ github.ref_name }}" | sed 's/^v//')
+ sed -i "s/^pkgver=.*/pkgver=${NEW_VER}/" resources/installer/linux/PKGBUILD
+ sed -i "s/^pkgrel=.*/pkgrel=1/" resources/installer/linux/PKGBUILD
 
- ssh_private_key: ${{ secrets.AUR_SSH_PRIVATE_KEY }}
- commit_username: H3CoF6
- commit_email: h3cof6@gmail.com
- ssh_keyscan_types: ed25519
+ - name: Publish AUR package
+ if: steps.aur-credentials.outputs.enabled == 'true'
+ uses: KSXGitHub/github-actions-deploy-aur@master
+ with:
+ pkgname: weflow
+ pkgbuild: resources/installer/linux/PKGBUILD
+ updpkgsums: true
+ assets: |
+ resources/installer/linux/weflow.desktop
+ resources/installer/linux/icon.png
+ resources/installer/linux/.gitignore
+
+ ssh_private_key: ${{ secrets.AUR_SSH_PRIVATE_KEY }}
+ commit_username: H3CoF6
+ commit_email: h3cof6@gmail.com
+ ssh_keyscan_types: ed25519
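Review bot: `uses: KSXGitHub/github-actions-deploy-aur@master` hands `secrets.AUR_SSH_PRIVATE_KEY` to whatever that branch contains at run time, so the new credential gate protects the job from a missing secret but not from a changed or compromised action; pin it to a full-length commit SHA, `uses: KSXGitHub/github-actions-deploy-aur@<full-commit-sha>  # <matching release tag>`, and let Dependabot or Renovate propose bumps. In the rewritten `Update PKGBUILD version` step, `${{ github.ref_name }}` is still expanded directly into the shell script; tag names can only be pushed by collaborators, but the recommended shape is `env: TAG_NAME: ${{ github.ref_name }}` on the step with `NEW_VER="${TAG_NAME#v}"` in the script, which also removes the `echo | sed` pipe. Both issues predate this commit but sit on lines it rewrote, and the job's `with:` block may continue past the end of the hunk.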