A vX.Y tag may point at a commit behind the main tip; --depth=1 only fetched
the tip, so git checkout of the tag commit failed (unable to read tree).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

- Extract the relevant CHANGELOG.md section as the release body instead of the
static "Auto-built from SHA": on a vX.Y tag take that version's section, else
the latest released version section.
- Publish step is now tag-aware: a vX.Y tag push builds, signs and publishes a
named non-prerelease (keeping the git tag); main/dispatch keep the rolling
'latest' prerelease. Body built with jq for safe escaping.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

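The tag-aware release selection and CHANGELOG extraction described in the commit above, as an added example that is not the project's workflow code. The function names, the `## [X.Y] - date` heading layout and the sample changelog are assumptions. The step fails when the tagged version has no section, so a release is never published with an empty body.

```shell
# Added example: function names and the CHANGELOG layout are assumptions.
# Constructed sample, assuming "## [X.Y] - date" headings.
sample_changelog() {
cat <<'EOF'
# Changelog

## [Unreleased]
- work in progress

## [1.3] - 2025-01-10
- Sign xetup.exe in CI

## [1.2] - 2024-12-01
- Bundle Atera MSI
EOF
}

# Print one version's section body from stdin; with an empty version, print
# the first section that is not "Unreleased" (the latest released version).
changelog_section() {
    awk -v want="$1" '
        /^## \[/ {
            if (printing) exit            # the next heading ends the section
            ver = $0
            sub(/^## \[/, "", ver); sub(/\].*$/, "", ver)
            if ((want != "" && ver == want) || (want == "" && ver != "Unreleased"))
                printing = 1
            next
        }
        printing && NF { print }
    '
}

# Map a git ref to "release-name|prerelease|changelog-version".
release_meta() {
    case "$1" in
        refs/tags/v[0-9]*) v=${1#refs/tags/v}; echo "v$v|false|$v" ;;
        *)                 echo "latest|true|" ;;
    esac
}

# Release notes for a ref, read from CHANGELOG text on stdin; fail hard
# when the tagged version has no section.
release_body() {
    want=$(release_meta "$1" | cut -d'|' -f3)
    body=$(changelog_section "$want")
    [ -n "$body" ] || { echo "no CHANGELOG section for $1" >&2; return 1; }
    printf '%s\n' "$body"
}
```
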
The step uses `docker exec xetup-web`, which needs the docker socket in the
job container (runner container.docker_host is "-", so it is absent). It runs
after the signed release is published and only refreshes a cosmetic "last
build" indicator, so its failure must not fail the build.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

Lets the release workflow be re-run on demand (e.g. after rotating the
Trusted Signing secret) in addition to push-triggered builds.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

Add a signing step after the build that authenticates the Entra service
principal (client_credentials), fetches a Trusted Signing access token, and
signs xetup.exe with jsign using the X9.cz s.r.o. certificate profile plus an
RFC3161 timestamp (timestamp.acs.microsoft.com). jsign is pinned by version
and sha256. Trusted Signing certs are short-lived (~3 days); the timestamp
keeps the signature valid past expiry, so timestamping must succeed and the
step fails hard otherwise.
Only AZURE_CLIENT_SECRET needs to be set as a Forgejo Actions secret; the
non-secret identifiers are inlined in the workflow.
gitignore the local manual-signing helpers (sign*.sh) and the *.unsigned
build backup.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

Adds docker-cli to build container (docker socket passed through by runner)
and writes sha + timestamp to xetup-web container after successful release.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Atera agent: download URL requires MFA in browser session, so
Invoke-WebRequest gets HTML instead of MSI. Changed to bundled
MSI from assets/Atera/ - download once from dashboard, no network
dependency. Graceful skip with log message when MSI not present.
Removed unused --resume argument from X9-Resume scheduled task
registration. Resume is detected via state file, not CLI flag.
CI pipeline: added mingw-w64-gcc and CGO_ENABLED=1 for Walk
cross-compilation (required since Walk migration from Fyne).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Walk uses Win32 controls directly — works on VMware ESXi, Hyper-V and any VM
without GPU. No CGo, no MinGW needed.
- internal/gui/gui.go: 3-phase Walk declarative GUI (form → live run → summary)
- cmd/xetup/app.manifest: UAC requireAdministrator + ComCtl32 v6 + DPI awareness
- CI: remove MinGW, add rsrc generation step, simplified build