docs: add release checklist

[Astro-Han]

Summary

Add a tracked release checklist and a post-release verification helper for PawWork desktop releases.

Why

The v0.2.5 release exposed process gaps around release notes timing, manual release command handling, and updater metadata verification. This PR documents the intended release flow and adds a script that verifies user-facing installers plus updater metadata before release issues are closed.

Related Issue

Closes #120

How To Verify

cd packages/desktop-electron && bun test scripts/verify-release.test.ts
cd packages/desktop-electron && bun run typecheck
cd packages/desktop-electron && bun test
git diff --check
bun packages/desktop-electron/scripts/verify-release.ts v0.2.5

Expected result for the final command: it fails on v0.2.5 because that release's current latest-mac.yml does not include pawwork-mac-arm64.zip. That is the historical release gap this checklist/helper is meant to catch for future releases.

Screenshots or Recordings

Not included. This is a release process and verification script change with no visible UI.

Checklist

• I linked the related issue, or stated why there is no issue
• This PR has type, scope, and priority labels, or I requested maintainer labeling
• I listed the relevant verification steps, including tests when behavior changed
• I manually checked visible UI or copy changes when needed, with screenshots or recordings
• I considered macOS and Windows impact for desktop, packaging, updater, signing, paths, shell, or permissions changes
• I called out docs, release notes, dependencies, permissions, credentials, deletion behavior, or generated/local file changes when relevant
• I am targeting dev, and my PR title and commit messages use Conventional Commits in English

Summary by CodeRabbit

• Documentation

  • Added a stable release checklist documenting end-to-end desktop release steps (preflight, build, notarization, publish, and post-release verification), with English and Chinese release-note guidance.

• Tests

  • Added comprehensive tests covering release verification logic and many failure scenarios to ensure artifact and metadata integrity.

• Chores

  • Added a release verification utility to validate release state, required installers/sidecars, updater pointers, and tag formatting before publishing.

[coderabbitai]

Warning

Rate limit exceeded

@Astro-Han has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 6 minutes and 50 seconds before requesting another review.

Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 6 minutes and 50 seconds.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: e57f2a75-5858-4e35-aaf2-3fab7a11194d

📥 Commits

Reviewing files that changed from the base of the PR and between ddbb4df and 6851af9.

📒 Files selected for processing (3)

• .github/RELEASE_CHECKLIST.md
• packages/desktop-electron/scripts/verify-release.test.ts
• packages/desktop-electron/scripts/verify-release.ts

📝 Walkthrough

Walkthrough

Adds a tracked release runbook at .github/RELEASE_CHECKLIST.md, a TypeScript post-release verification script packages/desktop-electron/scripts/verify-release.ts, and a Bun test suite validating verification logic and updater/asset consistency.

Changes

Cohort / File(s)	Summary
Release Checklist .github/RELEASE_CHECKLIST.md	New documented end-to-end desktop release runbook: preflight PR checks, version bump/tag validations, GitHub Release drafting (English first, then Chinese), build/publish steps (macOS notarization workflows and Windows build), publish gating, and post-release verification + issue closeout.
Release Verification Script packages/desktop-electron/scripts/verify-release.ts	New TypeScript CLI that defines GithubAsset/GithubRelease types, normalizeTag, parseUpdaterFileUrls, and verifyReleasePayload. Fetches release by tag (optional GH_TOKEN), downloads latest.yml/latest-mac.yml, ensures no draft/prerelease, checks required installer/sidecar assets exist, and validates updater YAML references.
Verification Tests packages/desktop-electron/scripts/verify-release.test.ts	New Bun test suite covering normalizeTag, parseUpdaterFileUrls, successful payload verification, and multiple failure scenarios (missing assets, malformed updater YAML, draft/prerelease detection, and missing updater entries).

Sequence Diagram(s)

sequenceDiagram
  participant Runner as Release Runner
  participant Script as verify-release.ts
  participant GitHub as GitHub API
  participant Assets as Release Assets (downloads)

  Runner->>Script: invoke with tag (and optional owner/repo)
  Script->>GitHub: GET release by tag
  GitHub-->>Script: release JSON (assets list, draft/prerelease flags)
  Script->>Assets: download `latest.yml` and `latest-mac.yml` (if present)
  Script-->>Script: parse updater YAML -> extract URLs
  Script->>Assets: verify referenced asset names exist in release assets
  Script-->>Runner: success or list of verification failures (exit codes)

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Poem

🐰 I hopped through tags and YAML streams,

Checked downloads, not just dreams,
DMGs and EXEs in sight,
Updater links all set just right,
Hooray — releases snug and bright! 🎉

🚥 Pre-merge checks | ✅ 3 | ❌ 2

❌ Failed checks (2 warnings)

Check name	Status	Explanation	Resolution
Title check	⚠️ Warning	The title 'docs: add release checklist' is partially related but misleading—the PR adds three files (checklist, test file, and verification script) where the verification script is a substantial tool, not purely documentation.	Revise the title to reflect the primary change; consider 'feat: add release checklist and verification script' or similar to better represent the full scope.
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description check	✅ Passed	The PR description comprehensively covers all required template sections: summary, why, related issue, how to verify with explicit commands, and a completed checklist addressing all items.
Linked Issues check	✅ Passed	The PR successfully implements all acceptance criteria from issue #120: tracked RELEASE_CHECKLIST.md with release flow documentation, post-release verification script covering all required checks, and workflow command documentation.
Out of Scope Changes check	✅ Passed	All three files directly support the release hardening objectives: RELEASE_CHECKLIST.md documents the flow, verify-release.ts implements verification, and verify-release.test.ts tests the verification utility comprehensively.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch docs/release-process-hardening

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[gemini-code-assist]

Code Review

This pull request introduces a comprehensive release checklist and a new verification script to automate the validation of GitHub release assets and updater metadata for the PawWork desktop application. The script is accompanied by a suite of unit tests. Review feedback highlights several areas for improving the script's robustness, including more resilient YAML parsing to handle quoted strings, better error handling for missing assets to ensure all failures are reported at once, and implementing try-catch blocks to handle network or API exceptions gracefully.

[Astro-Han]

@coderabbitai review

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[coderabbitai]

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@packages/desktop-electron/scripts/verify-release.test.ts`:
- Around line 54-65: Add a regression test that ensures parseUpdaterFileUrls
correctly parses quoted YAML scalar values and ignores inline comments: update
the test suite (the test that currently checks unquoted values in
verify-release.test.ts) to include a new case where url and path entries are
quoted (e.g. "pawwork-mac-arm64.zip") and include optional inline comments on
those lines; assert the returned array matches the expected filenames so
parseUpdaterFileUrls handles quoted scalars and comments as in real updater YAML
variants.

In `@packages/desktop-electron/scripts/verify-release.ts`:
- Around line 34-46: The parseUpdaterFileUrls extractor currently returns values
with surrounding quotes and inline comments which breaks matching; update
parseUpdaterFileUrls to post-process each captured value (from fileMatch[1] and
pathMatch[1]) by trimming whitespace, stripping matching surrounding single or
double quotes, and removing any trailing inline comment (e.g., split/remove
content after an unescaped '#' or simply remove ' #...' and following). Ensure
this normalization is applied before pushing into urls so entries like url:
"foo.zip" # comment or path: 'bar' are normalized to foo.zip and bar.
- Around line 148-150: Wrap the top-level invocation of main() in an explicit
try/catch so any thrown error is caught and produces deterministic CLI output
and a non-zero exit code: when import.meta.main is true, call await main()
inside a try block and in catch log a concise failure message including the
error (e.g., error.message) to stderr (console.error or process.stderr.write)
and call process.exit(1); reference the existing top-level invocation of main()
to locate where to add the try/catch.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: 5f217168-18d8-48e3-9f4b-e28ed397c593

📥 Commits

Reviewing files that changed from the base of the PR and between 935ab33 and b3dc15b.

📒 Files selected for processing (3)

• .github/RELEASE_CHECKLIST.md
• packages/desktop-electron/scripts/verify-release.test.ts
• packages/desktop-electron/scripts/verify-release.ts

[Astro-Han]

@coderabbitai review

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[Astro-Han]

@coderabbitai review

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[Astro-Han]

@coderabbitai review

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/RELEASE_CHECKLIST.md:
- Around line 109-112: Update the publish command string "gh release edit vX.Y.Z
--repo Astro-Han/pawwork --draft=false --latest" to explicitly clear prerelease
by adding --prerelease=false so the command becomes "gh release edit vX.Y.Z
--repo Astro-Han/pawwork --draft=false --latest --prerelease=false".

In `@packages/desktop-electron/scripts/verify-release.ts`:
- Around line 138-147: The fetchText and fetchJson helpers currently use the
default fetch with no timeout; add a bounded timeout by creating an
AbortController, passing controller.signal into fetch(...) in both fetchText and
fetchJson, and scheduling a setTimeout to call controller.abort() after a
configurable timeout (e.g. constant DEFAULT_FETCH_TIMEOUT_MS); clear the timeout
when the response arrives and ensure abort errors are surfaced (wrap or rethrow
so formatFetchError still applies) so stalled GitHub API/asset requests fail
fast instead of hanging the verifier.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: 24f79f8a-1955-4caa-8767-2d1920b8b631

📥 Commits

Reviewing files that changed from the base of the PR and between b3dc15b and ddbb4df.

📒 Files selected for processing (3)

• .github/RELEASE_CHECKLIST.md
• packages/desktop-electron/scripts/verify-release.test.ts
• packages/desktop-electron/scripts/verify-release.ts