refactor: extract release workflow scripts into modular files #175

Merged
senamakel merged 2 commits into tinyhumansai:main from senamakel:feat/brew-scripts on Apr 1, 2026

@senamakel senamakel commented Apr 1, 2026

Summary

  • Extracted all inline bash from release.yml and release-packages.yml into 10 standalone scripts under scripts/release/
  • Each script is self-contained with usage docs, runnable manually for debugging
  • Scripts support DRY_RUN=true where applicable (homebrew, apt, npm)
  • Reduced workflow YAML by ~535 lines of inline bash, replaced with single-line script calls

New scripts

| Script | Purpose |
|---|---|
| bump-version.js | Version bump across package.json, tauri.conf.json, Cargo.toml |
| stage-sidecar.sh | Stage + verify sidecar binary for Tauri bundler |
| sign-and-notarize-macos.sh | macOS code signing, notarization, stapling |
| repackage-dmg.sh | Re-create and notarize DMG after .app signing |
| upload-macos-artifacts.sh | Re-upload notarized artifacts to GitHub release |
| package-cli-tarball.sh | Package CLI binary into release tarball + sha256 |
| build-linux-arm64.sh | Build Linux arm64 CLI tarball |
| update-homebrew.sh | Render Homebrew formula and commit to tap repo |
| build-apt-packages.sh | Build .deb packages, apt repo, deploy to gh-pages |
| publish-npm.sh | Stamp version and publish to npm |

Test plan

  • All scripts exit with usage message when called without arguments
  • bump-version.js patch — bumps version correctly across all 3 files
  • package-cli-tarball.sh — creates valid tarball + sha256 from dummy binary
  • stage-sidecar.sh — stages and verifies binary correctly
  • sign-and-notarize-macos.sh — validates required env vars before proceeding
  • publish-npm.sh — runs with DRY_RUN mode
  • update-homebrew.sh — fixed bash 3.2 compatibility (no declare -A)
  • Full CI validation on next release

🤖 Generated with Claude Code

Summary by CodeRabbit

  • New Features
    • Releases now publish notarized macOS apps, Linux arm64 CLI tarballs, apt packages, Homebrew formula updates, and npm packages consistently.
  • Chores
    • Release automation consolidated into reusable scripts for more reliable, repeatable multi-platform publishing and version bumping.

Split monolithic inline bash from release.yml and release-packages.yml
into standalone scripts under scripts/release/ for easier debugging
and manual execution.

New scripts:
- bump-version.js: version bumping across package.json/tauri/Cargo
- stage-sidecar.sh: stage + verify sidecar binary for Tauri bundler
- sign-and-notarize-macos.sh: macOS code signing and notarization
- repackage-dmg.sh: re-create and notarize DMG post-signing
- upload-macos-artifacts.sh: re-upload notarized artifacts to release
- package-cli-tarball.sh: package CLI binary into release tarball
- build-linux-arm64.sh: build Linux arm64 CLI tarball
- update-homebrew.sh: render and commit Homebrew formula to tap
- build-apt-packages.sh: build .deb packages and apt repository
- publish-npm.sh: stamp version and publish npm package

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
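
The tarball-plus-sha256 step and the DRY_RUN switch named in the test plan above, sketched as an added example; this is not the PR's scripts/release/package-cli-tarball.sh, and the function names, file naming and messages are assumptions. It shows the publish step refusing an artifact whose digest no longer matches its checksum file.

```shell
#!/usr/bin/env bash
# Added illustration; NOT the PR's scripts/release/package-cli-tarball.sh.
# Function names, file naming and messages are assumptions.
set -eu

# Portable SHA-256: sha256sum on Linux, shasum on macOS.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# package_cli_tarball <binary> <name> <out_dir>
# Writes <name>.tar.gz plus <name>.tar.gz.sha256 and prints the tarball path.
package_cli_tarball() {
  local bin="$1" name="$2" out="$3"
  [ -f "$bin" ] && [ -x "$bin" ] || { echo "not an executable file: $bin" >&2; return 1; }
  mkdir -p "$out"
  tar -czf "$out/$name.tar.gz" -C "$(dirname "$bin")" "$(basename "$bin")"
  printf '%s  %s\n' "$(sha256_of "$out/$name.tar.gz")" "$name.tar.gz" > "$out/$name.tar.gz.sha256"
  printf '%s\n' "$out/$name.tar.gz"
}

# verify_tarball <tarball>: recompute the digest and compare with the .sha256 file.
verify_tarball() {
  local tarball="$1" expected actual
  [ -f "$tarball.sha256" ] || { echo "missing checksum file: $tarball.sha256" >&2; return 1; }
  expected="$(awk '{print $1}' "$tarball.sha256")"
  actual="$(sha256_of "$tarball")"
  [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# publish_tarball <tarball>: refuse unverified artifacts; honor DRY_RUN=true.
publish_tarball() {
  local tarball="$1"
  verify_tarball "$tarball" || { echo "checksum mismatch: $tarball" >&2; return 1; }
  if [ "${DRY_RUN:-false}" = "true" ]; then
    echo "DRY_RUN: would upload $tarball and $tarball.sha256"
    return 0
  fi
  echo "real upload is out of scope for this illustration" >&2
  return 2
}
```
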
coderabbitai Bot commented Apr 1, 2026

Caution

Review failed

The pull request is closed.

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: abfe8f4d-775b-434c-96da-d32adf83bcf0

📥 Commits

Reviewing files that changed from the base of the PR and between 8982f23 and 62029c9.

📒 Files selected for processing (1)
  • .github/workflows/release.yml

Walkthrough

Workflows moved inline release/build/sign/publish logic into new executable scripts under scripts/release/ (and a bump-version Node script). GitHub Actions now invoke these scripts with arguments and environment variables to perform versioning, packaging, macOS signing/notarization, Homebrew updates, apt package building/deployment, and npm publishing.

Changes

| Cohort | File(s) | Summary |
|---|---|---|
| Workflows | .github/workflows/release.yml, .github/workflows/release-packages.yml | Replaced large inline release steps with calls to dedicated scripts; workflows now pass args/env into script entrypoints. |
| Versioning | scripts/release/bump-version.js | New Node.js CLI to compute next SemVer from release type and write version into app/package.json, app/src-tauri/tauri.conf.json, and app/src-tauri/Cargo.toml; emits version and tag. |
| CLI Packaging & Build | scripts/release/package-cli-tarball.sh, scripts/release/build-linux-arm64.sh | New scripts to build (arm64 via cargo), stage, tarball CLI binaries, generate SHA256 checksums, and optionally upload to GitHub releases. |
| macOS signing/notarization & upload | scripts/release/sign-and-notarize-macos.sh, scripts/release/repackage-dmg.sh, scripts/release/upload-macos-artifacts.sh | New scripts to import certs, sign executables and sidecars, notarize/staple zips/DMGs, repackage DMGs, and re-upload macOS artifacts to GitHub releases. |
| Sidecar staging | scripts/release/stage-sidecar.sh | New script to copy/build artifacts into app/src-tauri/binaries/*, ensure presence and executability for bundling. |
| Homebrew | scripts/release/update-homebrew.sh | New script to download release tarballs, compute SHAs, render formula from template, commit and optionally push changes to tap. |
| APT / Debian | scripts/release/build-apt-packages.sh, scripts/build-apt-repo.sh* | New script to download release tarballs, build architecture-specific .deb packages, assemble apt repo, and optionally deploy to gh-pages. (scripts/build-apt-repo.sh invoked; not shown here). |
| npm publish | scripts/release/publish-npm.sh | New script to stamp npm package version and run npm publish with SKIP_OPENHUMAN_BINARY_DOWNLOAD=1, supporting dry-run. |

Sequence Diagram(s)

sequenceDiagram
  autonumber
  participant GH_Workflow as GitHub Actions
  participant Release_Scripts as scripts/release/*
  participant GH_Release as GitHub Release (gh)
  participant Apple as Apple Notary
  participant Homebrew as Homebrew Tap Repo
  participant Apt_GH_Pages as gh-pages apt repo
  rect rgba(135,206,235,0.5)
    GH_Workflow->>Release_Scripts: invoke bump-version / build / sign / package / publish (args + env)
  end
  Release_Scripts->>GH_Release: gh release download / upload assets
  Release_Scripts->>Apple: submit notarization (xcrun notarytool)
  Apple-->>Release_Scripts: notarization result + staple
  Release_Scripts->>Homebrew: compute SHAs and push updated Formula
  Release_Scripts->>Apt_GH_Pages: build .deb, assemble apt repo, commit/push to gh-pages
  Release_Scripts->>GH_Release: upload final artifacts (tarballs, checksums, DMG)

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

Poem

🐰 I hopped through workflows, scripts in tow,
Bumped the version, built the tar and tar.gz so;
I signed the Mac, and stapled what I could,
Pushed Homebrew, apt and npm — tidy and good.
Cheers! 🥕

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title 'refactor: extract release workflow scripts into modular files' accurately summarizes the main change: extracting ~535 lines of inline bash from workflow YAML into 10 standalone scripts under scripts/release/. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
