feat(desktop): linux makers + ci matrix; also extend mac attestation to .dmg #650
jeevanpillay merged 3 commits into main
Conversation
Register MakerDeb + MakerRpm with explicit ["linux"] platform gating and distro metadata (maintainer, license, homepage, categories, icon) so electron-forge can produce .deb/.rpm artifacts on Linux hosts. macOS makers are unchanged; mac builds stay clean of Linux outputs because each maker's platform filter handles the routing. Phase 1 of W3 Linux makers + CI matrix (thoughts/shared/plans/2026-05-06-desktop-w3-linux-makers.md).
Expand the Desktop CI job from a single macos-14 runner to a [macos-14, ubuntu-22.04] matrix so Linux maker regressions surface on PRs. Linux leg apt-installs rpm + fakeroot (dpkg-deb is preinstalled) and fails fast via a which-check. The package step is unchanged on both legs: electron-forge defaults to host platform and the maker platform filters in forge.config.ts route the right makers per leg. Phase 2 of W3 Linux makers + CI matrix (thoughts/shared/plans/2026-05-06-desktop-w3-linux-makers.md).
Split the existing build job into build_macos (renamed, no behavior change) and build_linux (new). The Linux job runs on [ubuntu-22.04, ubuntu-22.04-arm] for x64+arm64 with a matrix include map, installs rpm + fakeroot with a which-check, stamps version/buildFlavor/buildNumber/signingMode the same way the mac leg does, runs electron-forge publish --platform=linux, and attests both .deb and .rpm via attest-build-provenance. Sentry env vars are intentionally absent on the Linux job: the mac leg already uploads sourcemaps and Sentry's debug-id pairing dedupes server-side, so a Linux upload would only race the mac one. Bundled mac-side improvement: extend the existing attestation glob from *.zip alone to *.zip + *.dmg so the DMG release artifact gets the same provenance attestation the ZIP already does. finalize.needs is updated to [prepare, build_macos, build_linux]. The update-feed generator stays mac-only — Linux Sparkle is FULL DEFER per the parent doc, so no latest-linux-*.json is emitted yet. apps/desktop/README.md gains a Linux install subsection (.deb / .rpm naming convention, apt/dnf install commands, "auto-update not wired" note) and the Release section now describes the multi-platform pipeline. Parent doc Status Tracker (§5) splits the old "Windows MSIX + Linux makers — RELEASE" row into a landed Linux row and a still-deferred Windows MSIX row tied to the EV-cert blocker. Phase 3 of W3 Linux makers + CI matrix (thoughts/shared/plans/2026-05-06-desktop-w3-linux-makers.md).
📝 Walkthrough
Desktop application build pipeline extended to support Linux packaging in addition to macOS. CI workflow now runs matrix builds on macOS and Ubuntu. Release workflow split into platform-specific jobs. Electron Forge configured with Deb and RPM makers, and documentation updated.
Changes: Linux Platform Build Support
Actionable comments posted: 1
⚠️ Outside diff range comments (3)
.github/workflows/desktop-release.yml (2)

13-16: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win
[blocker] Add `timeout-minutes` to `prepare` and `finalize` jobs
`prepare` and `finalize` lack explicit timeouts, so hangs can run indefinitely and block release lanes. As per coding guidelines, `.github/workflows/**`: Every job needs timeout-minutes to prevent runaway CI. Also applies to: 243-247

24-25: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win
[blocker] Pin all GitHub Actions to commit SHAs
All actions across jobs use mutable tags (`@v4`, `@v2`) instead of full commit SHAs. This breaks hardening policy and leaves the release pipeline exposed to tag movement, compromised registries, or supply-chain attacks. Replace with pinned commits immediately.
Affected actions: `actions/checkout`, `pnpm/action-setup`, `actions/setup-node`, `actions/attest-build-provenance` in prepare (line 24), build_macos (lines 87, 89, 91, 167), build_linux (lines 195, 197, 199, 237), and finalize (line 245).
[warning] Add timeout-minutes to prepare and finalize jobs
`prepare` and `finalize` jobs lack `timeout-minutes`, risking runaway builds. Add `timeout-minutes` to both jobs per policy.

.github/workflows/desktop-ci.yml (1)

44-53: ⚠️ Potential issue | 🔴 Critical | ⚡ Quick win
[blocker] Pin workflow actions to immutable SHAs
`actions/checkout@v4` and `actions/setup-node@v4` use mutable tags. Pinning to full commit SHAs eliminates supply-chain drift risk and blocks auto-updates that could introduce breaking changes.
Required changes:
- uses: actions/checkout@v4 # Pin to specific SHA instead of v4
- uses: actions/setup-node@v4 # Pin to specific SHA instead of v4
Inline comments (1)
In `@apps/desktop/forge.config.ts`:
- Around line 5-7: Replace direct imports of MakerDeb, MakerDMG, MakerRpm from
"@electron-forge/..." with an internal vendor abstraction: add a new module
"@vendor/forge" that re-exports the makers and any publishers (e.g., export {
MakerDeb, MakerDMG, MakerRpm } from "@electron-forge/maker-deb|dmg|rpm" or
centralize their re-exports), then change the imports in forge.config.ts to
import { MakerDeb, MakerDMG, MakerRpm } from "@vendor/forge"; alternatively, if
direct imports are intentional for build-only config files, add a documented
exemption in CLAUDE.md describing that config/build files (like forge.config.ts)
are allowed to import third-party build SDKs directly and list the rationale and
scope of the exemption.
⛔ Files ignored due to path filters (2)
- `pnpm-lock.yaml` is excluded by `!**/pnpm-lock.yaml`, `!**/pnpm-lock.yaml`
- `thoughts/shared/research/2026-04-23-codex-vs-lightfast-desktop-production-gap.md` is excluded by `!thoughts/**`
📒 Files selected for processing (5)
- `.github/workflows/desktop-ci.yml`
- `.github/workflows/desktop-release.yml`
- `apps/desktop/README.md`
- `apps/desktop/forge.config.ts`
- `apps/desktop/package.json`
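The two "outside diff" findings above (mutable action tags, jobs without `timeout-minutes`) are the kind of thing worth catching before a release workflow ships rather than in review. The script below is an added example, not code from this PR, the repository, or CodeRabbit: a small offline lint that flags every `uses:` reference whose ref is not a 40-hex commit SHA and every job under `jobs:` that declares no `timeout-minutes`, plus a helper that rewrites a `uses:` line to a SHA pin while keeping the old tag as a trailing comment. It assumes the usual 2-space indentation of GitHub workflow files and parses with regexes so it needs no PyYAML. The sample workflow it runs against is constructed for the example (it mirrors the job names from this PR but is not the real `desktop-release.yml`), and `PLACEHOLDER_SHA` is a placeholder, not a real `actions/checkout` commit.

```python
"""Offline lint for two GitHub Actions hardening rules (added example, not
project code):

Rule 1: every third-party `uses:` reference is pinned to a 40-hex commit SHA
        (a tag such as @v4 is mutable and can be re-pointed upstream).
Rule 2: every job under `jobs:` declares a job-level `timeout-minutes`.

Assumes 2-space YAML indentation; uses regexes instead of PyYAML so it runs
anywhere a Python interpreter does.
"""
import re

# "uses: owner/repo[/path]@ref". Local actions (./path) and docker:// refs never
# take the owner/repo@ref shape, so they do not match and are not reported.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([A-Za-z0-9_.-]+/[A-Za-z0-9_./-]+)@(\S+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
JOB_RE = re.compile(r"^  ([A-Za-z0-9_-]+):\s*$")        # job id: 2-space key under jobs:
TIMEOUT_RE = re.compile(r"^    timeout-minutes:\s*\S")  # job-level key: 4-space indent


def find_unpinned_actions(workflow_text):
    """Return [(line_no, action, ref)] for each uses: whose ref is not a full SHA."""
    findings = []
    for line_no, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if m and not FULL_SHA_RE.match(m.group(2)):
            findings.append((line_no, m.group(1), m.group(2)))
    return findings


def find_jobs_without_timeout(workflow_text):
    """Return the ids of jobs that carry no job-level timeout-minutes."""
    missing, in_jobs, current, has_timeout = [], False, None, False
    for line in workflow_text.splitlines():
        if line.rstrip() == "jobs:":
            in_jobs = True
            continue
        if not in_jobs:
            continue
        if line.strip() and not line.startswith(" "):
            break  # a new top-level key ends the jobs: mapping
        m = JOB_RE.match(line)
        if m:
            if current is not None and not has_timeout:
                missing.append(current)
            current, has_timeout = m.group(1), False
        elif TIMEOUT_RE.match(line):
            has_timeout = True
    if current is not None and not has_timeout:
        missing.append(current)
    return missing


def pin_action_ref(line, sha):
    """Rewrite one uses: line to a full-SHA pin, keeping the old tag as a trailing
    comment so readers (and Dependabot/Renovate) can still see which version it is."""
    m = USES_RE.match(line)
    if not m or not FULL_SHA_RE.match(sha):
        raise ValueError("expected a 'uses: owner/repo@ref' line and a 40-hex sha")
    action, ref = m.group(1), m.group(2)
    return line.replace(f"{action}@{ref}", f"{action}@{sha} # {ref}", 1)


# Constructed sample workflow, not the repository's desktop-release.yml. The SHA
# is a placeholder, not a real commit; resolve real ones from the upstream repo,
# e.g. `git ls-remote https://github.com/actions/checkout refs/tags/v4`.
PLACEHOLDER_SHA = "0123456789abcdef0123456789abcdef01234567"
SAMPLE_WORKFLOW = f"""\
name: Desktop release (constructed sample)
on:
  push:
    tags: ["v*"]
jobs:
  prepare:
    runs-on: ubuntu-22.04
    steps:
      - uses: actions/checkout@v4
      - uses: pnpm/action-setup@v2
  build_linux:
    runs-on: ubuntu-22.04
    timeout-minutes: 30
    steps:
      - uses: actions/checkout@{PLACEHOLDER_SHA} # v4
      - uses: ./.github/actions/local-setup
      - uses: actions/attest-build-provenance@v1
        with:
          subject-path: out/make/**/*.deb
"""


def lint(workflow_text):
    """Run both rules; return human-readable findings (empty list means clean)."""
    report = [f"line {n}: {a}@{r} is not pinned to a commit SHA"
              for n, a, r in find_unpinned_actions(workflow_text)]
    report += [f"job '{j}' has no timeout-minutes"
               for j in find_jobs_without_timeout(workflow_text)]
    return report


if __name__ == "__main__":
    for finding in lint(SAMPLE_WORKFLOW):
        print(finding)
```

Two caveats worth keeping in mind when acting on the lint output. A SHA pin only helps if the SHA was resolved from the upstream repository you intend to trust (and, for an annotated tag, peeled to the commit); pinning to a SHA copied from an untrusted PR defeats the purpose. And a job without `timeout-minutes` does not literally run forever on GitHub-hosted runners (the platform default is 360 minutes), but six hours of a wedged release job still blocks the lane, which is why an explicit, shorter value is the usual policy.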
Summary
- `thoughts/shared/plans/2026-05-06-desktop-w3-linux-makers.md`. Adds Linux `.deb`/`.rpm` production paths (per-arch x64 + arm64) so we can ship to Linux while macOS signing remains Apple-blocked.
- `MakerDeb` + `MakerRpm` registered in `forge.config.ts` with explicit `["linux"]` platform gating; devDeps + lockfile updated.
- `desktop-ci.yml` expands to a `[macos-14, ubuntu-22.04]` matrix so Linux maker regressions surface on PRs.
- `desktop-release.yml` splits `build` into `build_macos` (rename, no behavior change) + new `build_linux` job on `[ubuntu-22.04, ubuntu-22.04-arm]`. README + parent-doc Status Tracker updated.
- `*.zip` alone to `*.zip + *.dmg`. The DMG is a release artifact too and should carry the same provenance attestation the ZIP already does.
- `generate-update-feed.mjs` stays mac-only — Linux Sparkle is FULL DEFER per parent doc §1, and `updater.ts` returns `null` on Linux, so there is no in-app consumer for a `latest-linux-*.json` feed yet. The future Linux Sparkle PR will define the real consumer contract.

What We're NOT Doing
in the plan): Windows MSIX, Linux package signing, hosted apt/yum repository, Linux Sparkle, Linux Sentry sourcemap upload (mac leg already uploads via debug-id; server-side dedupes).

Local verification
- `pnpm install --frozen-lockfile` ✓ · `typecheck` ✓ · `test` ✓ (38 tests across 3 files) · `pnpm package` ✓ · `pnpm make --platform=darwin --arch=arm64` produced exactly `Lightfast-0.0.0-arm64.dmg` + `zip/darwin/arm64/Lightfast-darwin-arm64-0.0.0.zip` — zero Linux artifacts leaked into the mac path despite `MakerSquirrel`/`MakerDMG` lacking explicit platform filters.
- `js-yaml`.
- `build_macos.matrix` unchanged; `build_linux.matrix` uses `include:` form pairing `x64` ↔ `ubuntu-22.04` and `arm64` ↔ `ubuntu-22.04-arm`. `finalize.needs = [prepare, build_macos, build_linux]`.

Branch protection note
The `build` → `build_macos` rename changes the required-status-check name. Before merging, verify `Desktop release / build` is not currently a required check on `main` — if it is, update the rule to `Desktop release / build_macos` (and add `Desktop release / build_linux`). Memory state suggests only `Desktop CI / Typecheck + package (unsigned)` is required, so no rule update is expected, but verify.

Test plan
- `Typecheck + package (unsigned, macos-14)` and `Typecheck + package (unsigned, ubuntu-22.04)` legs go green; the Linux leg's package log shows electron-forge selecting `MakerDeb` + `MakerRpm`.
- `@lightfast/desktop@0.1.0-rc.5`; workflow goes green on `prepare`, both `build_macos` arch legs, both `build_linux` arch legs, and `finalize`.
- `lightfast_<version>_amd64.deb`, `lightfast_<version>_arm64.deb`, `lightfast-<version>.x86_64.rpm`, `lightfast-<version>.aarch64.rpm`. No `latest-linux-*.json` files (intentional).
- `gh attestation list --owner lightfastai` shows attestations for the 4 Linux binaries and (now) the 2 mac `.dmg` artifacts.
- `dpkg-deb -I lightfast_<version>_amd64.deb` shows `Maintainer: Lightfast <releases@lightfast.ai>`, `Homepage: https://lightfast.ai`. `rpm -qpi lightfast-<version>.x86_64.rpm` shows `License : MIT`, `URL : https://lightfast.ai`.
- `sudo apt install ./lightfast_<version>_amd64.deb` on Ubuntu 22.04 launches the primary window; `sudo dnf install ./lightfast-<version>.x86_64.rpm` on Fedora launches the primary window.
- `lightfast://` deep-link / PKCE callback completes on at least one Linux install; primary window flips to signed-in.

Follow-up
- `thoughts/shared/research/2026-05-06-desktop-deferred-grouping-for-worktrees.md` to "landed" (intentionally deferred from this PR per the plan).