fix: include mac updater config in signed app#168

Merged: Astro-Han merged 2 commits into dev from codex/fix-i165-app-update-yml on Apr 22, 2026

Astro-Han (Owner) commented Apr 22, 2026

Summary

  • Write Electron updater local config into macOS app resources from afterPack, before signing.
  • Reuse the same beta/prod GitHub publish config for app-update.yml to avoid repo drift.
  • Verify final notarized zip and dmg artifacts include the updater config and keep strict codesign checks.

Why

Clicking Check for Updates in packaged PawWork can fail with ENOENT when Contents/Resources/app-update.yml is missing. The release flow signs the .app before the finalize packaging step, so the updater config must be present before signing rather than added later.

Related Issue

Fixes #165

How To Verify

cd packages/desktop-electron
bun test electron-builder-app-update.test.ts scripts/write-app-update-config.test.ts scripts/release-workflow-contract.test.ts
bun run typecheck:release
bun run typecheck
cd ../..
bun turbo typecheck
bun turbo test:ci

Screenshots or Recordings

N/A, packaging and release workflow change only.

Checklist

  • I linked the related issue, or stated why there is no issue
  • This PR has type, scope, and priority labels, or I requested maintainer labeling
  • I listed the relevant verification steps, including tests when behavior changed
  • I manually checked visible UI or copy changes when needed, with screenshots or recordings
  • I considered macOS and Windows impact for desktop, packaging, updater, signing, paths, shell, or permissions changes
  • I called out docs, release notes, dependencies, permissions, credentials, deletion behavior, or generated/local file changes when relevant
  • I am targeting dev, and my PR title and commit messages use Conventional Commits in English

Summary by CodeRabbit

  • New Features

    • Enhanced app update configuration validation with channel-to-repository mapping for dev, beta, and production releases.
    • Stricter code signing verification for macOS builds.
  • Chores

    • Added release-specific TypeScript configuration and validation checks.
    • Improved build configuration and release workflow reliability.

Astro-Han added labels Apr 22, 2026: bug (Something isn't working), P1 (High priority), platform (Electron shell, OS integration, packaging, updater, signing, paths, and permissions)

coderabbitai Bot (Contributor) commented Apr 22, 2026

No actionable comments were generated in the recent review. 🎉


📥 Commits

Reviewing files that changed from the base of the PR and between 359de32 and 3084358.

📒 Files selected for processing (8)
  • .github/workflows/build.yml
  • packages/desktop-electron/electron-builder-app-update.test.ts
  • packages/desktop-electron/electron-builder.config.ts
  • packages/desktop-electron/package.json
  • packages/desktop-electron/scripts/release-workflow-contract.test.ts
  • packages/desktop-electron/scripts/write-app-update-config.test.ts
  • packages/desktop-electron/scripts/write-app-update-config.ts
  • packages/desktop-electron/tsconfig.release.json

📝 Walkthrough

These changes implement app-update.yml generation and verification for macOS builds. A new script writes channel-specific configuration to the app bundle during the build process, the Electron Builder configuration integrates this via afterPack hooks, comprehensive tests validate the generation logic, and CI workflow changes extend verification to ensure the file exists in packaged artifacts before signing.

Changes

| Cohort / File(s) | Summary |
| --- | --- |
| App Update Configuration: packages/desktop-electron/scripts/write-app-update-config.ts, packages/desktop-electron/scripts/write-app-update-config.test.ts | New module for serializing and writing app-update.yml to macOS app bundles with GitHub provider config; includes tests validating YAML output and file writing behavior for different channel configurations. |
| Electron Builder Integration: packages/desktop-electron/electron-builder.config.ts, packages/desktop-electron/electron-builder-app-update.test.ts | Refactored config to use parameterized createConfig(), introduces getPublishConfig() utility, wraps afterPack hook to invoke app-update.yml writing on macOS; tests verify publish config mapping and afterPack hook integration. |
| CI Workflow & Verification: .github/workflows/build.yml, packages/desktop-electron/scripts/release-workflow-contract.test.ts | Extended build workflow with verify_app_update_config() validation of app-update.yml contents and stricter codesign verification; new test suite asserts workflow contains expected verification steps and repository matching logic. |
| Build Configuration: packages/desktop-electron/package.json, packages/desktop-electron/tsconfig.release.json | Added typecheck:release script and corresponding TypeScript config scoped to release-critical files. |

Sequence Diagram

sequenceDiagram
    participant Build as Build System
    participant AfterPack as afterPack Hook
    participant FileSystem as File System
    participant AppBundle as App Bundle
    participant CI as CI Workflow
    participant Verify as verify_app_update_config()

    Build->>Build: createConfig() with channel
    Build->>Build: getPublishConfig(channel)
    Build->>Build: attach publish + afterPack
    Build->>AfterPack: Execute on macOS
    AfterPack->>AfterPack: Check if publish exists
    AfterPack->>FileSystem: serializeAppUpdateConfig()
    FileSystem->>FileSystem: Format YAML (owner, repo, channel)
    AfterPack->>FileSystem: writeAppUpdateConfig(resourcesDir)
    FileSystem->>AppBundle: Write app-update.yml<br/>to Contents/Resources/
    Build->>AppBundle: Sign & Notarize
    AppBundle->>CI: Upload to Release
    CI->>Verify: Run verification
    Verify->>AppBundle: Check app-update.yml exists
    Verify->>AppBundle: Validate provider, owner, repo, channel
    Verify->>AppBundle: codesign --verify --deep --strict
    Verify->>CI: Verification Result

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Suggested labels

ci

Poem

🐰 A fluffy path to app updates bright,
Config files written in the dead of night,
Verify deep, codesign with care,
Your macOS bundles, beyond compare!
hops happily

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
| --- | --- | --- | --- |
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (4 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Title check | ✅ Passed | The title 'fix: include mac updater config in signed app' accurately summarizes the main change—writing the updater config into the macOS app before signing. |
| Description check | ✅ Passed | The description covers all required template sections: summary, why, related issue, how to verify, and a completed checklist matching the repository template. |
| Linked Issues check | ✅ Passed | All code changes directly address issue #165: app-update.yml is written to Resources before signing [write-app-update-config.ts, electron-builder.config.ts], tests validate the behavior [electron-builder-app-update.test.ts, write-app-update-config.test.ts], and release verification confirms presence in final artifacts [build.yml, release-workflow-contract.test.ts]. |
| Out of Scope Changes check | ✅ Passed | All changes are scoped to app-update.yml integration: new script module, config updates, tests, build workflow verification, and TypeScript release config—no unrelated modifications. |


gemini-code-assist Bot left a comment

Code Review

This pull request introduces a mechanism to automatically generate and write the app-update.yml configuration file for macOS builds during the Electron packaging process. Key changes include the addition of a writeAppUpdateConfig utility, a new afterPack hook in the Electron builder configuration, and several test files to verify the configuration logic and CI/CD workflow integration. Feedback was provided to improve the robustness of the afterPack hook by preventing the overwriting of existing hooks, using packager-provided metadata for the product name, and ensuring the publish configuration is defined before use.

Comment thread packages/desktop-electron/electron-builder.config.ts
Astro-Han force-pushed the codex/fix-i165-app-update-yml branch from 1d6504c to 3084358 on April 22, 2026 20:13
Astro-Han merged commit c2cb152 into dev on Apr 22, 2026 (25 checks passed)
Astro-Han deleted the codex/fix-i165-app-update-yml branch on April 22, 2026 20:23
Astro-Han mentioned this pull request Apr 22, 2026 (7 tasks)
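
The release-side check this pull request describes (app-update.yml present in the signed bundle with the expected provider, owner, repo and channel, then `codesign --verify --deep --strict`), as an added shell example. It is not the project's `verify_app_update_config()` from build.yml; the function names, argument order and placeholder owner/repo values are assumptions.

```shell
# Added example, not the project's build.yml. Function names, argument order
# and the placeholder owner/repo values are assumptions.

# Read one top-level "key: value" scalar from a flat YAML file, dropping quotes/CR.
yaml_value() {
  sed -n "s/^$2:[[:space:]]*//p" "$1" | head -n 1 | tr -d "\"'\r"
}

# check_app_update_config APP PROVIDER OWNER REPO CHANNEL
# Returns 0 only if Contents/Resources/app-update.yml exists and all fields match.
check_app_update_config() {
  local cfg="$1/Contents/Resources/app-update.yml" rc=0 pair key want got
  if [ ! -f "$cfg" ]; then
    echo "missing: $cfg (the updater would fail with ENOENT)" >&2
    return 1
  fi
  for pair in "provider=$2" "owner=$3" "repo=$4" "channel=$5"; do
    key=${pair%%=*}
    want=${pair#*=}
    got=$(yaml_value "$cfg" "$key")
    if [ "$got" != "$want" ]; then
      echo "mismatch: $key is '$got', expected '$want'" >&2
      rc=1
    fi
  done
  return "$rc"
}

# verify_release_bundle APP PROVIDER OWNER REPO CHANNEL
# Config check first, then the strict signature check (macOS hosts only).
# A resource added or edited after signing no longer matches the bundle's
# sealed resources, so codesign verification rejects it.
verify_release_bundle() {
  check_app_update_config "$@" || return 1
  if command -v codesign >/dev/null 2>&1; then
    codesign --verify --deep --strict "$1" || return 1
  else
    echo "codesign not found; signature check skipped" >&2
  fi
}

# Constructed sample input: a throwaway bundle skeleton with placeholder values.
make_sample_bundle() {
  local app="$(mktemp -d)/Sample.app"
  mkdir -p "$app/Contents/Resources"
  printf 'provider: github\nowner: example-owner\nrepo: example-app\nchannel: beta\n' \
    > "$app/Contents/Resources/app-update.yml"
  echo "$app"
}
```

Run `verify_release_bundle` against the app extracted from the final zip and mounted dmg, not only the build directory, so the gate covers what users actually download.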
Development

Successfully merging this pull request may close these issues.

[Bug] Packaged macOS app is missing app-update.yml