SubMiner/backlog/tasks/task-134 - Harden-Windows-release-signing-against-transient-SignPath-failures.md
sudacode 48f10dbb03 chore(backlog): maintain task backlog and add changelog fragments
- Move completed tasks (85, 117, 118, 155) to backlog/completed/
- Delete superseded task files (166 verification, 172 drilldown)
- Add stats dashboard milestone m-1
- Add new tasks (190, 194)
- Update task metadata across remaining backlog items
- Add changelog fragments for stats, mpv args, and subtitle filtering
2026-03-18 02:25:07 -07:00


id: TASK-134
title: Harden Windows release signing against transient SignPath failures
status: Done
assignee: codex
created_date: 2026-03-09 00:00
updated_date: 2026-03-18 05:28
labels: ci, release, windows, signing
dependencies:
references: .github/workflows/release.yml, package.json, src/release-workflow.test.ts, https://github.com/ksyasuda/SubMiner/actions/runs/22836585479
priority: high
ordinal: 52500

Description

The tag-driven Release workflow currently fails the Windows lane if the SignPath connector returns transient 502 errors during submission, and the tagged build scripts also allow electron-builder to implicitly publish unsigned artifacts before the final release job runs. Harden the workflow so transient SignPath outages get bounded retries and release packaging never auto-publishes unsigned assets.

Acceptance Criteria

  • #1 Windows release signing retries transient SignPath submission failures within the release workflow before failing the job.
  • #2 Release packaging scripts disable electron-builder implicit publish so build jobs do not upload unsigned assets on tag builds.
  • #3 Regression coverage fails if SignPath retry scaffolding or publish suppression is removed.

Implementation Plan

  1. Add a regression test for the release workflow/package script shape covering SignPath retries and --publish never.
  2. Patch the Windows release job to retry SignPath submission a bounded number of times and still fail hard if every attempt fails.
  3. Update tagged package build scripts to disable implicit electron-builder publishing during release builds.
  4. Run targeted release-workflow verification and capture any remaining manual release cleanup needed for v0.5.0.

Implementation Notes

The failed Windows signing step in GitHub Actions run 22836585479 was not caused by missing secrets or an artifact-shape mismatch. The SignPath GitHub action retried repeated 502 responses from the SignPath connector for several minutes and then failed the job.

Hardened .github/workflows/release.yml by replacing the single SignPath submission with three bounded attempts. The second and third submissions only run if the previous attempt failed, and the job now fails with an explicit rerun message only after all three attempts fail. Signed-artifact upload is keyed to the successful attempt so the release job still consumes the normal windows artifact name.

Also fixed a separate release regression exposed by the same run: electron-builder was implicitly publishing unsigned release assets during tag builds because the packaging scripts did not set --publish never and the workflow injected GH_TOKEN into build jobs. Updated the relevant package scripts to pass --publish never, removed GH_TOKEN from the packaging jobs, and made the final publish step force --draft=false when editing an existing tag release so previously created draft releases get published.
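
One way to express the publish-suppression checks described above as code. This is an added example, not the contents of the project's src/release-workflow.test.ts. The script names, job names and helper functions are hypothetical, and the workflow scan assumes 2-space YAML indentation and only sees GH_TOKEN references inside a job, not a workflow-level env block.

```typescript
type Finding = { where: string; problem: string };
type Scripts = Record<string, string>;
// package.json scripts that invoke electron-builder, as [name, command] pairs.
function packagingScripts(scripts: Scripts): [string, string][] {
  return Object.entries(scripts).filter(([, cmd]) => /\belectron-builder\b/.test(cmd));
}

// Every electron-builder invocation must pass "--publish never".
function checkScripts(scripts: Scripts): Finding[] {
  return packagingScripts(scripts)
    // Scripts can chain commands, so test each chained command on its own.
    .filter(([, cmd]) => cmd.split(/&&|\|\||;/).some(
      (part) => /\belectron-builder\b/.test(part) && !/--publish[ =]never\b/.test(part)))
    .map(([name]) => ({ where: `scripts.${name}`, problem: "electron-builder without --publish never" }));
}

// Split workflow text into jobs (assumes 2-space indentation under a top-level "jobs:").
function splitJobs(workflow: string): { name: string; body: string }[] {
  const jobs: { name: string; body: string }[] = [];
  let inJobs = false;
  for (const line of workflow.split("\n")) {
    if (/^[^\s#]/.test(line)) { inJobs = /^jobs:\s*$/.test(line); continue; }
    if (!inJobs) continue;
    const name = /^  ([\w-]+):\s*$/.exec(line)?.[1];
    const last = jobs[jobs.length - 1];
    if (name) jobs.push({ name, body: "" });
    else if (last) last.body += line + "\n";
  }
  return jobs;
}

// A job that runs a packaging script must not reference GH_TOKEN.
function checkWorkflow(workflow: string, scripts: Scripts): Finding[] {
  const names = packagingScripts(scripts).map(([name]) => name);
  return splitJobs(workflow)
    .filter((job) => /\bGH_TOKEN\b/.test(job.body) && names.some((n) => job.body.includes(`run ${n}`)))
    .map((job) => ({ where: `jobs.${job.name}`, problem: "GH_TOKEN referenced in packaging job" }));
}

// Constructed sample input with hypothetical script and job names (not the project's files).
const sampleScripts: Scripts = {
  "build:win": "bun run build && electron-builder --win --publish never",
  "build:mac": "electron-builder --mac",
};
const sampleWorkflow = [
  "jobs:", "  build-windows:", "    env:", "      GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}", "    steps:",
  "      - run: bun run build:win", "  release:", "    env:", "      GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}",
  "    steps:", "      - run: gh release edit v0.0.0 --draft=false",
].join("\n");
```

On the sample input the script check flags only build:mac, and the workflow check flags build-windows while leaving the release job, which legitimately needs the token, alone.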

Verification: bun test src/release-workflow.test.ts, bun run typecheck, and bun run test:fast all passed locally after restoring the missing local libsql install with bun install --frozen-lockfile.

Final Summary

Windows release signing is now resilient to transient SignPath connector outages. The release workflow retries the SignPath submission up to three times before failing, and only uploads the signed Windows artifact from the attempt that succeeded.

Release packaging also no longer auto-publishes unsigned assets on tag builds. The electron-builder scripts now force --publish never, the build jobs no longer pass GH_TOKEN into packaging steps, and the final GitHub release publish step explicitly clears draft state when updating an existing tag release.

Validation: bun test src/release-workflow.test.ts, bun run typecheck, bun run test:fast. Manual follow-up for the failed v0.5.0 release: rerun the Release workflow after merging/pushing this fix, then clean up the stray draft/untagged release assets created by the failed run if they remain.