chore: sync main into develop (0.7.0 + CI fixes)

.github/workflows/ci.yml

@@ -37,7 +37,7 @@ jobs:
     runs-on: ubuntu-latest
     if: github.event_name == 'pull_request'
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
         with:
           fetch-depth: 0
           ref: ${{ github.event.pull_request.head.sha }}
@@ -67,12 +67,25 @@ jobs:
 
           echo "OK: no dependabot commits authored by non-bot users."
 
+  tauri-devtools-guard:
+    name: Guard tauri devtools feature
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+      - name: Guard against `devtools` Cargo feature on tauri
+        run: |
+          if grep -E 'tauri\s*=\s*\{[^}]*features\s*=\s*\[[^]]*devtools[^]]*\]' app/src-tauri/Cargo.toml; then
+            echo "::error::tauri crate has 'devtools' feature enabled — release builds would ship devtools."
+            exit 1
+          fi
+          echo "OK: devtools feature not enabled."
+
   typecheck:
     name: Typecheck
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-node@v4
+      - uses: actions/checkout@v6
+      - uses: actions/setup-node@v6
         with:
           node-version-file: .nvmrc
           cache: yarn
@@ -83,8 +96,8 @@ jobs:
     name: Lint
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-node@v4
+      - uses: actions/checkout@v6
+      - uses: actions/setup-node@v6
         with:
           node-version-file: .nvmrc
           cache: yarn
@@ -95,8 +108,8 @@ jobs:
     name: Prettier
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-node@v4
+      - uses: actions/checkout@v6
+      - uses: actions/setup-node@v6
         with:
           node-version-file: .nvmrc
           cache: yarn
@@ -107,8 +120,8 @@ jobs:
     name: Unit tests
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-node@v4
+      - uses: actions/checkout@v6
+      - uses: actions/setup-node@v6
         with:
           node-version-file: .nvmrc
           cache: yarn
@@ -117,11 +130,15 @@ jobs:
 
   e2e:
     name: Playwright E2E (optional)
-    runs-on: ubuntu-22.04
+    # Ubuntu 24.04 is required: Playwright 1.59 ships a WebKit build that
+    # links against libgtk-4, libavif.so.13, libmanette, libhyphen — none of
+    # which are available on the 22.04 image, so `browserType.launch` dies
+    # with "Host system is missing dependencies" before a single test runs.
+    runs-on: ubuntu-24.04
     continue-on-error: true
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-node@v4
+      - uses: actions/checkout@v6
+      - uses: actions/setup-node@v6
         with:
           node-version-file: .nvmrc
           cache: yarn
@@ -138,12 +155,19 @@ jobs:
           VITE_IMPRINT_PHONE="+49 30 0000000"
           VITE_IMPRINT_RESPONSIBLE_PERSON="Max Mustermann"
           EOF
+      # Split install-deps from browser install: in Playwright 1.59 the
+      # `--with-deps` flag silently skips the apt-get step when the workspace
+      # is invoked via `yarn workspace`, leaving WebKit without its GTK-4 /
+      # flite / hyphen / manette bundle. Running install-deps directly under
+      # sudo fixes it for real.
+      - name: Install Playwright system deps
+        run: sudo yarn workspace @recrest/tests exec playwright install-deps
       - name: Install Playwright browsers
-        run: yarn workspace @recrest/tests exec playwright install --with-deps
+        run: yarn workspace @recrest/tests exec playwright install
       - run: yarn test:e2e
       - name: Upload Playwright report on failure
         if: failure()
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v7
         with:
           name: playwright-report
           path: tests/playwright-report
@@ -153,8 +177,8 @@ jobs:
     name: Storybook build
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-node@v4
+      - uses: actions/checkout@v6
+      - uses: actions/setup-node@v6
         with:
           node-version-file: .nvmrc
           cache: yarn
@@ -165,8 +189,8 @@ jobs:
     name: Web production build
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-node@v4
+      - uses: actions/checkout@v6
+      - uses: actions/setup-node@v6
         with:
           node-version-file: .nvmrc
           cache: yarn
@@ -178,8 +202,8 @@ jobs:
     name: Landingpage production build
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-node@v4
+      - uses: actions/checkout@v6
+      - uses: actions/setup-node@v6
         with:
           node-version-file: .nvmrc
           cache: yarn
@@ -195,6 +219,7 @@ jobs:
       [
         branch-name,
         dependabot-type,
+        tauri-devtools-guard,
         typecheck,
         lint,
         format,

.github/workflows/deploy-landingpage.yml

@@ -23,8 +23,8 @@ jobs:
     name: Build
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-node@v4
+      - uses: actions/checkout@v6
+      - uses: actions/setup-node@v6
         with:
           node-version-file: .nvmrc
           cache: yarn
@@ -41,8 +41,8 @@ jobs:
           VITE_IMPRINT_EMAIL: ${{ secrets.VITE_IMPRINT_EMAIL }}
           VITE_IMPRINT_PHONE: ${{ secrets.VITE_IMPRINT_PHONE }}
           VITE_IMPRINT_RESPONSIBLE_PERSON: ${{ secrets.VITE_IMPRINT_RESPONSIBLE_PERSON }}
-      - uses: actions/configure-pages@v5
-      - uses: actions/upload-pages-artifact@v3
+      - uses: actions/configure-pages@v6
+      - uses: actions/upload-pages-artifact@v5
         with:
           path: landingpage/dist
 
@@ -55,4 +55,4 @@ jobs:
       url: ${{ steps.deployment.outputs.page_url }}
     steps:
       - id: deployment
-        uses: actions/deploy-pages@v4
+        uses: actions/deploy-pages@v5

.github/workflows/release-tauri-beta.yml

@@ -24,16 +24,16 @@ jobs:
     name: Generate installer assets
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
         with:
           ref: ${{ inputs.ref }}
-      - uses: actions/setup-node@v4
+      - uses: actions/setup-node@v6
         with:
           node-version-file: .nvmrc
           cache: yarn
       - uses: ./.github/actions/install-deps
       - run: yarn workspace @recrest/app gen:installer-assets
-      - uses: actions/upload-artifact@v4
+      - uses: actions/upload-artifact@v7
         with:
           name: installer-assets-build
           path: app/src-tauri/installer-assets/build/
@@ -58,11 +58,11 @@ jobs:
     runs-on: ${{ matrix.platform }}
     continue-on-error: true
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
         with:
           ref: ${{ inputs.ref }}
 
-      - uses: actions/setup-node@v4
+      - uses: actions/setup-node@v6
         with:
           node-version-file: .nvmrc
           cache: yarn
@@ -89,36 +89,63 @@ jobs:
       - uses: ./.github/actions/install-deps
 
       - name: Download installer-asset bitmaps
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@v8
         with:
           name: installer-assets-build
           path: app/src-tauri/installer-assets/build/
 
-      - name: Build Tauri app (unsigned)
-        if: ${{ env.TAURI_SIGNING_PRIVATE_KEY == '' }}
-        uses: tauri-apps/tauri-action@v0
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          TAURI_SIGNING_PRIVATE_KEY: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY }}
-          SENTRY_DSN: ${{ secrets.SENTRY_DSN }}
-        with:
-          args: ${{ matrix.args }}
-          projectPath: ./app
-
-      - name: Build Tauri app (signed)
-        if: ${{ env.TAURI_SIGNING_PRIVATE_KEY != '' }}
-        uses: tauri-apps/tauri-action@v0
+      # Forward signing secrets only when populated. Tauri's bundler reads the
+      # signing env vars via `std::env::var`, which returns `Ok("")` for set-
+      # but-empty — not `Err(NotPresent)`. Piping `${{ secrets.FOO }}` directly
+      # into `env:` therefore triggers sign/notarize paths even when FOO is
+      # unset in the repo, failing e.g. `security import` with an empty .p12.
+      # This step writes each secret to $GITHUB_ENV only if non-empty, so
+      # missing secrets stay genuinely unset and Tauri skips the feature.
+      - name: Forward signing secrets (when configured)
+        shell: bash
         env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          TAURI_SIGNING_PRIVATE_KEY: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY }}
-          TAURI_SIGNING_PRIVATE_KEY_PASSWORD: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY_PASSWORD }}
-          SENTRY_DSN: ${{ secrets.SENTRY_DSN }}
           APPLE_CERTIFICATE: ${{ secrets.APPLE_CERTIFICATE }}
           APPLE_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
           APPLE_SIGNING_IDENTITY: ${{ secrets.APPLE_SIGNING_IDENTITY }}
           APPLE_ID: ${{ secrets.APPLE_ID }}
           APPLE_PASSWORD: ${{ secrets.APPLE_PASSWORD }}
           APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
+          WINDOWS_CERTIFICATE: ${{ secrets.WINDOWS_CERTIFICATE }}
+          WINDOWS_CERTIFICATE_PASSWORD: ${{ secrets.WINDOWS_CERTIFICATE_PASSWORD }}
+          TAURI_SIGNING_PRIVATE_KEY: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY }}
+          TAURI_SIGNING_PRIVATE_KEY_PASSWORD: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY_PASSWORD }}
+        run: |
+          set -eu
+          forward() {
+            local name="$1"
+            local val="${!name-}"
+            if [ -n "$val" ]; then
+              {
+                printf '%s<<__RECREST_EOF__\n' "$name"
+                printf '%s\n' "$val"
+                printf '__RECREST_EOF__\n'
+              } >> "$GITHUB_ENV"
+              echo "forwarded: $name"
+            else
+              echo "skipped (empty): $name"
+            fi
+          }
+          forward APPLE_CERTIFICATE
+          forward APPLE_CERTIFICATE_PASSWORD
+          forward APPLE_SIGNING_IDENTITY
+          forward APPLE_ID
+          forward APPLE_PASSWORD
+          forward APPLE_TEAM_ID
+          forward WINDOWS_CERTIFICATE
+          forward WINDOWS_CERTIFICATE_PASSWORD
+          forward TAURI_SIGNING_PRIVATE_KEY
+          forward TAURI_SIGNING_PRIVATE_KEY_PASSWORD
+
+      - name: Build Tauri app
+        uses: tauri-apps/tauri-action@v0
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          SENTRY_DSN: ${{ secrets.SENTRY_DSN }}
         with:
           args: ${{ matrix.args }}
           projectPath: ./app
@@ -140,7 +167,7 @@ jobs:
           ls -la "stage/${{ matrix.os }}" || true
 
       - name: Upload staging artifact (${{ matrix.os }})
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v7
         with:
           name: recrest-beta-staging-${{ matrix.os }}
           path: stage/
@@ -154,7 +181,7 @@ jobs:
     if: ${{ always() && needs.build.result != 'cancelled' }}
     steps:
       - name: Download all staging artifacts
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@v8
         with:
           pattern: recrest-beta-staging-*
           path: merged/
@@ -164,7 +191,7 @@ jobs:
         run: ls -R merged || true
 
       - name: Upload consolidated artifact
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v7
         with:
           name: recrest-beta-${{ github.sha }}
           path: merged/