From 55c19d31afc7ba82dc2ae6c9d5737561172900fe Mon Sep 17 00:00:00 2001
From: Ivan <ivan@quad4.io>
Date: Thu, 2 Apr 2026 13:14:22 -0500
Subject: [PATCH] feat(ci): introduce new GitHub Actions workflow for tagged
 releases, enabling builds for Windows and macOS with artifact uploads

---
 .github/workflows/build-release.yml | 108 ++++++++++++++++++++++++++
 .github/workflows/build.yml         | 113 +++++-----------------------
 scripts/ci/github-run-tests.sh      |  14 ----
 3 files changed, 127 insertions(+), 108 deletions(-)
 create mode 100644 .github/workflows/build-release.yml
 delete mode 100755 scripts/ci/github-run-tests.sh

diff --git a/.github/workflows/build-release.yml b/.github/workflows/build-release.yml
new file mode 100644
index 0000000..652ef26
--- /dev/null
+++ b/.github/workflows/build-release.yml
@@ -0,0 +1,108 @@
+# Tagged releases from master: Windows + macOS builds and upload dist/ artifacts (for Gitea or other fetch).
+#
+# Pinned first-party actions (bump tag and SHA together when upgrading):
+#   actions/checkout@v4.2.2            11bd71901bbe5b1630ceea73d27597364c9af683
+#   actions/setup-python@v5.6.0        a26af69be951a213d495a4c3e4e4022e16d87065
+#   actions/setup-node@v4.4.0          49933ea5288caeca8642d1e84afbd3f7d6820020
+#   actions/upload-artifact@v4.6.2     ea165f8d65b6e75b540449e92b4886f43607fa02
+
+name: Build release
+
+on:
+  push:
+    tags:
+      - "*"
+  workflow_dispatch:
+
+permissions:
+  contents: read
+  actions: write
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+env:
+  NODE_OPTIONS: --max-old-space-size=8192
+  PYTHON_VERSION: "3.13"
+  NODE_VERSION: "24"
+  POETRY_VERSION: "2.1.1"
+  PNPM_VERSION: "10.32.1"
+
+jobs:
+  verify-master:
+    name: Verify tag on master
+    runs-on: ubuntu-latest
+    if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/')
+    steps:
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+        with:
+          fetch-depth: 0
+
+      - name: Ensure tagged commit is on master
+        run: |
+          set -euo pipefail
+          git fetch origin master
+          if ! git merge-base --is-ancestor "${GITHUB_SHA}" origin/master; then
+            echo "Tagged commit is not an ancestor of origin/master; release tags must be cut from master." >&2
+            exit 1
+          fi
+
+  build-release:
+    name: Build release (${{ matrix.label }})
+    needs: verify-master
+    if: always() && (needs.verify-master.result == 'success' || needs.verify-master.result == 'skipped')
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - os: windows-latest
+            label: windows
+            timeout: 120
+            build_script: scripts/ci/github-build-windows.sh
+            artifact_prefix: meshchatx-windows
+          - os: macos-latest
+            label: macos
+            timeout: 180
+            build_script: scripts/ci/github-build-macos.sh
+            artifact_prefix: meshchatx-macos
+    runs-on: ${{ matrix.os }}
+    timeout-minutes: ${{ matrix.timeout }}
+    defaults:
+      run:
+        shell: bash
+    steps:
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+
+      - name: Set up Python
+        uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065
+        with:
+          python-version: ${{ env.PYTHON_VERSION }}
+
+      - name: Install Poetry (PyPI pin)
+        env:
+          POETRY_VERSION: ${{ env.POETRY_VERSION }}
+        run: bash scripts/ci/github-install-poetry.sh
+
+      - name: Set up Node
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020
+        with:
+          node-version: ${{ env.NODE_VERSION }}
+
+      - name: Enable pnpm (corepack)
+        run: corepack enable && corepack prepare "pnpm@${PNPM_VERSION}" --activate
+
+      - name: Install dependencies
+        run: bash scripts/ci/github-install-deps.sh
+
+      - name: Build distributables
+        run: bash "${{ matrix.build_script }}"
+
+      - name: Upload dist artifacts
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02
+        with:
+          name: ${{ matrix.artifact_prefix }}-${{ github.ref_name }}-${{ github.run_id }}
+          path: dist/
+          if-no-files-found: warn
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 5e8ae1d..508e1f5 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -1,13 +1,11 @@
-# Windows and macOS distributables on GitHub-hosted runners; Linux stays on Gitea.
+# Native build verification (Windows + macOS), no artifacts. Lint/tests run on Gitea.
 #
-# - dev branch: lint, tests, then native builds + artifact upload (similar to .gitea/workflows/build-test.yml).
-# - Any tag push (release, -rc, -dev, etc.): same tests, then builds + artifact upload only (no GitHub Release; Gitea can fetch artifacts later).
+# - dev branch / PRs to dev / workflow_dispatch: build-test only.
 #
 # Pinned first-party actions (bump tag and SHA together when upgrading):
 #   actions/checkout@v4.2.2            11bd71901bbe5b1630ceea73d27597364c9af683
 #   actions/setup-python@v5.6.0        a26af69be951a213d495a4c3e4e4022e16d87065
 #   actions/setup-node@v4.4.0          49933ea5288caeca8642d1e84afbd3f7d6820020
-#   actions/upload-artifact@v4.6.2     ea165f8d65b6e75b540449e92b4886f43607fa02
 
 name: Build
 
@@ -15,8 +13,6 @@ on:
   push:
     branches:
       - dev
-    tags:
-      - "*"
   pull_request:
     branches:
       - dev
@@ -24,7 +20,6 @@ on:
 
 permissions:
   contents: read
-  actions: write
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
@@ -38,44 +33,22 @@ env:
   PNPM_VERSION: "10.32.1"
 
 jobs:
-  test:
-    name: Lint and test
-    runs-on: ubuntu-latest
-    timeout-minutes: 45
-    steps:
-      - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
-
-      - name: Set up Python
-        uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065
-        with:
-          python-version: ${{ env.PYTHON_VERSION }}
-
-      - name: Install Poetry (PyPI pin)
-        env:
-          POETRY_VERSION: ${{ env.POETRY_VERSION }}
-        run: bash scripts/ci/github-install-poetry.sh
-
-      - name: Set up Node
-        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020
-        with:
-          node-version: ${{ env.NODE_VERSION }}
-
-      - name: Enable pnpm (corepack)
-        run: corepack enable && corepack prepare "pnpm@${PNPM_VERSION}" --activate
-
-      - name: Install dependencies
-        run: bash scripts/ci/github-install-deps.sh
-
-      - name: Lint and test
-        run: bash scripts/ci/github-run-tests.sh
-
-  windows:
-    name: Windows (portable + NSIS)
-    needs: test
-    if: github.event_name != 'pull_request'
-    runs-on: windows-latest
-    timeout-minutes: 120
+  build-test:
+    name: Build test (${{ matrix.label }})
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - os: windows-latest
+            label: windows
+            timeout: 120
+            build_script: scripts/ci/github-build-windows.sh
+          - os: macos-latest
+            label: macos
+            timeout: 180
+            build_script: scripts/ci/github-build-macos.sh
+    runs-on: ${{ matrix.os }}
+    timeout-minutes: ${{ matrix.timeout }}
     defaults:
       run:
         shell: bash
@@ -105,52 +78,4 @@ jobs:
         run: bash scripts/ci/github-install-deps.sh
 
       - name: Build distributables
-        run: bash scripts/ci/github-build-windows.sh
-
-      - name: Upload dist artifacts
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02
-        with:
-          name: meshchatx-windows-${{ github.ref_name }}-${{ github.run_id }}
-          path: dist/
-          if-no-files-found: warn
-
-  macos:
-    name: macOS (universal DMG)
-    needs: test
-    if: github.event_name != 'pull_request'
-    runs-on: macos-latest
-    timeout-minutes: 180
-    steps:
-      - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
-
-      - name: Set up Python
-        uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065
-        with:
-          python-version: ${{ env.PYTHON_VERSION }}
-
-      - name: Install Poetry (PyPI pin)
-        env:
-          POETRY_VERSION: ${{ env.POETRY_VERSION }}
-        run: bash scripts/ci/github-install-poetry.sh
-
-      - name: Set up Node
-        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020
-        with:
-          node-version: ${{ env.NODE_VERSION }}
-
-      - name: Enable pnpm (corepack)
-        run: corepack enable && corepack prepare "pnpm@${PNPM_VERSION}" --activate
-
-      - name: Install dependencies
-        run: bash scripts/ci/github-install-deps.sh
-
-      - name: Build distributables
-        run: bash scripts/ci/github-build-macos.sh
-
-      - name: Upload dist artifacts
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02
-        with:
-          name: meshchatx-macos-${{ github.ref_name }}-${{ github.run_id }}
-          path: dist/
-          if-no-files-found: warn
+        run: bash "${{ matrix.build_script }}"
diff --git a/scripts/ci/github-run-tests.sh b/scripts/ci/github-run-tests.sh
deleted file mode 100755
index 939e479..0000000
--- a/scripts/ci/github-run-tests.sh
+++ /dev/null
@@ -1,14 +0,0 @@
-#!/usr/bin/env bash
-# Lint and test (parity with: task lint && task test:all). Used by GitHub Actions.
-set -euo pipefail
-
-ROOT="$(cd "$(dirname "$0")/../.." && pwd)"
-cd "$ROOT"
-
-poetry run ruff check .
-poetry run ruff format --check .
-pnpm run lint
-poetry run pytest tests/backend --cov=meshchatx/src/backend -q --tb=short
-pnpm run test -- --exclude tests/frontend/i18n.test.js
-pnpm run test tests/frontend/i18n.test.js
-poetry run pytest tests/backend/test_translator_handler.py