Add automated release CI pipeline and update project scripts

[utkarsh232005]

…project repository link

Summary by CodeRabbit

• New Features

  • Added automated release pipeline with prebuilt binaries for multiple platforms and architectures.
  • Distribution packages now available (APT, RPM, Homebrew).

• Chores

  • Updated repository reference in the application UI.

[coderabbitai]

Warning

Review limit reached

@utkarsh232005, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 45 minutes and 31 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: 9c0c07aa-5397-43e3-938f-405cee7ddb2d

📥 Commits

Reviewing files that changed from the base of the PR and between 85cc541 and 757f6db.

⛔ Files ignored due to path filters (1)

• scripts/package.sh is excluded by none and included by none

📒 Files selected for processing (1)

• .github/workflows/release.yml

📝 Walkthrough

Walkthrough

This PR introduces a complete release automation pipeline via GitHub Actions, building kdc binaries for multiple OS/architecture targets, packaging them as archives, generating distribution packages (APT/RPM) and a Homebrew formula, and synchronizing the Homebrew tap. It also updates the repository URL displayed in the dashboard UI from a personal fork reference to the organization repository.

Changes

Release Workflow Automation

Layer / File(s)	Summary
Workflow trigger and build matrix .github/workflows/release.yml	Workflow is manually triggered with contents: write permission. build-binaries job compiles kdc release binaries for Linux (amd64/arm64), macOS (amd64/arm64), and Windows (msvc) using Rust toolchain per target and conditional cross installation for non-native builds.
Release creation and archiving .github/workflows/release.yml	create-release job downloads all build artifacts, constructs version/tag from workflow input, packages binaries into versioned .zip archives (Windows) and .tar.gz archives (Unix) with preserved executable permissions, generates SHA-256 checksums, and uploads archives to the GitHub Release with checksum file.
Package generation and distribution .github/workflows/release.yml	generate-packages job runs scripts/package.sh to produce .deb and .rpm packages; generates a Homebrew formula by extracting SHA-256 values from the checksum file and deriving download URLs; uploads distribution packages and formula to the release body. update-tap job optionally clones and updates the external Homebrew tap repository using authenticated git, replacing the formula file and committing only when content has changed.

Dashboard Repository Link Update

Layer / File(s)	Summary
Dashboard GitHub link src/ui/dashboard.rs	The repository URL displayed in the welcome subtitle is updated to point to KDM-cli/kdc-cli.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Poem

🚀 From source to shelves, the binaries flow,
Across platforms and architectures they go,
Release pipelines dance with precision and care,
Now homebrew taps breathe the fresh mountain air! 📦

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately captures the main changes: adding an automated release CI pipeline (.github/workflows/release.yml) and updating project repository links in documentation and code.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

[coderabbitai]

Actionable comments posted: 6

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/release.yml:
- Line 50: Replace floating action refs like "uses: actions/checkout@v4" with
their corresponding full 40-character commit SHAs across the release workflow;
locate every "uses:" entry mentioned (e.g., actions/checkout@v4 and the other
floating refs at the listed lines) and update each to the exact commit SHA for
that action version so the workflow is pinned to immutable commits.
- Around line 3-9: Add a top-level GitHub Actions concurrency block to serialize
runs per the provided inputs.tag_name so two workflow_dispatch runs with the
same tag don't race; add a top-level "concurrency:" mapping with "group: ${{
github.workflow }}-${{ github.event.inputs.tag_name }}" and "cancel-in-progress:
false" (or true if you prefer cancelling previous runs) to the release workflow
so runs are queued/serialized by tag_name.
- Around line 93-100: The get_version step currently injects inputs.tag_name
directly into shell which is unsafe and also assumes a leading "v"; change the
step (id get_version) to receive the tag via environment (use env: TAG_NAME: ${{
inputs.tag_name }}), validate TAG_NAME against a strict regex like
^v[0-9]+\.[0-9]+\.[0-9]+(?:[-+].*)?$ and fail (non-zero exit) if it doesn't
match, then set VERSION by stripping the leading "v" from TAG_NAME and write
both "version=${VERSION}" and "tag_name=${TAG_NAME}" to GITHUB_OUTPUT so
downstream Homebrew URLs use the validated TAG_NAME (with the v) while the
VERSION remains semver without the v; ensure TAG_NAME and VERSION are not
interpolated from untrusted shell variables elsewhere.
- Around line 11-12: The workflow currently sets workflow-level permissions
"contents: write" making all jobs (e.g., the build-binaries matrix) able to
write via GITHUB_TOKEN; remove or change the top-level permissions so "contents"
is not globally set to write, then add a job-level permissions block granting
"contents: write" only for the release-related jobs (create-release and
generate-packages) so those two jobs retain write access while build-binaries
and others keep default/read-only permissions.
- Around line 168-176: The RPM copy in scripts/package.sh uses cp
"$RPM_BUILD_DIR"/RPMS/**/*.rpm "$OUT_DIR/" but the script never enables bash
globstar so ** is not recursive and is ambiguous; update scripts/package.sh to
either enable bash globstar (shopt -s globstar) before the cp, or replace the
pattern with an explicit safe pattern like "$RPM_BUILD_DIR"/RPMS/*/*.rpm, or use
find (find "$RPM_BUILD_DIR"/RPMS -name '*.rpm' -exec cp {} "$OUT_DIR/" \;) to
reliably collect RPMs; ensure you reference the RPM_BUILD_DIR and OUT_DIR
variables and adjust the cp invocation accordingly.
- Around line 49-50: Update each actions/checkout@v4 step in the release
workflow to disable credential persistence: locate the three checkout steps
(each named "Checkout repository" using actions/checkout@v4) and add the with:
persist-credentials: false option so the checkout doesn't retain GITHUB_TOKEN
credentials across subsequent clones (the Homebrew TAP update uses TAP_TOKEN
instead).

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: 1e4f7b63-706c-45f5-b681-ff8f47dd2739

📥 Commits

Reviewing files that changed from the base of the PR and between 60b6257 and 85cc541.

⛔ Files ignored due to path filters (1)

• scripts/package.sh is excluded by none and included by none

📒 Files selected for processing (2)

• .github/workflows/release.yml
• src/ui/dashboard.rs

[codescene-delta-analysis]

Our agent can fix these. Install it.

Gates Passed
3 Quality Gates Passed

Quality Gate Profile: The Bare Minimum
Install CodeScene MCP: safeguard and uplift AI-generated code. Catch issues early with our IDE extension and CLI tool.