build: publish Linux Flatpak, deb, and rpm artifacts #492

Open: shantur wants to merge 5 commits into dev from restore-deb

shantur (Collaborator) commented May 21, 2026

Summary

  • Restore Tauri Linux .deb and .rpm release artifacts alongside AppImage and zip outputs.
  • Add Flatpak packaging for Electron and Tauri Linux builds.
  • Harden Linux package builds by adding required runtime dependencies and fixing CI/Docker resource prep issues.

Validation

  • Parsed edited package JSON files successfully.
  • Checked packages/tauri-app/scripts/build-flatpak.js and scripts/desktop-server-resources.cjs with node --check.
  • Parsed .github/workflows/build-and-upload.yml as YAML.
  • Ran Ubuntu 24.04 Docker reproductions for the Electron and Tauri Linux workflow steps.
  • Electron Docker run produced Linux zip and AppImage before Flatpak failed due to local Docker bwrap namespace restrictions.
  • Tauri Docker run produced AppImage, deb, and rpm before Flatpak failed due to local Docker seccomp/bubblewrap restrictions.

Notes

  • Local Docker could not fully verify Flatpak bundles because flatpak-builder/bubblewrap could not create the required namespaces/seccomp filters in this host container environment. Native GitHub Ubuntu runners should not have that Docker sandbox limitation, but CI should confirm.

Restore Tauri Debian and RPM assets while adding Flatpak outputs for both desktop variants so Linux users have package-manager and sandboxed alternatives to AppImage.

Electron Flatpak packaging now installs the required Freedesktop runtime in CI, and Tauri Flatpak packaging uses a generated manifest around the existing release binary and packaged resources. The Linux dependency list also includes xdg-utils because Tauri AppImage bundling requires xdg-open.

Docker-based Ubuntu 24.04 reproductions verified Electron zip/AppImage creation and Tauri AppImage/deb/rpm creation. Local Docker could not complete Flatpak builds because bubblewrap cannot create/seccomp namespaces in this host container environment, which should not apply to native GitHub runners.

shantur (Collaborator, Author) commented May 21, 2026

@CodeNomadBot

I want you to perform the gatekeeper checks for latest PR state

check for regressions
check for better possible implementations
Be the PR gatekeeper
Be ruthless about code quality

codenomadbot (Bot, Contributor) commented May 21, 2026

Understood request: perform a strict gatekeeper review of the latest PR state, looking for regressions and better implementations. Assumption: this is review-only; I did not change code.

Findings

  1. Blocking: the Tauri Flatpak bundle is built from a host-linked Ubuntu binary, but the Flatpak manifest does not bundle or build the native dependency closure inside the Flatpak runtime. See packages/tauri-app/scripts/build-flatpak.js:57-89 and .github/workflows/build-and-upload.yml:640-659. The workflow installs libwebkit2gtk-4.1-dev, libsoup-3.0-dev, libayatana-appindicator3-dev, etc. on the GitHub runner, then copies the resulting binary into an org.gnome.Platform//46 bundle. At runtime, Flatpak exposes /app plus the selected runtime, not the host runner’s apt libraries. Unless every linked soname is present and ABI-compatible in org.gnome.Platform//46, users can get an immediate loader failure even though CI produced a .flatpak. I would not merge this until the bundle is either built inside the Flatpak SDK with required modules declared, or the manifest explicitly includes the needed shared-library closure, plus a CI smoke test that installs and runs the generated Flatpak in a clean environment.

  2. High: the Electron Linux workflow does not assert that a Flatpak artifact was actually produced. See .github/workflows/build-and-upload.yml:330-349. The upload loop and actions/upload-artifact path include *.flatpak, but they still succeed as long as zip/AppImage files exist; if-no-files-found: error only fails when none of the listed patterns produce any files. If electron-builder skips or stops emitting the Flatpak artifact, this release path can silently publish a Linux build without the requested Flatpak. Add an explicit post-build check for zip, AppImage, and Flatpak, similar to the Tauri packaging gate.

  3. Medium: the Tauri Flatpak metadata is now a second hand-written Linux app metadata source that already diverges from the existing Tauri Linux desktop file. Compare packages/tauri-app/scripts/build-flatpak.js:44-55 with packages/tauri-app/src-tauri/icons/linux/ai.neuralnomads.codenomad.client.desktop:1-9. The new Flatpak file changes categories/visibility/icon identity and drops StartupWMClass; that is launcher behavior, not just packaging trivia. Better implementation: reuse the existing desktop metadata where possible, or centralize the values so deb/rpm/AppImage/Flatpak do not drift.

Validation Performed

  • git diff --check dev...HEAD passed.
  • node --check packages/tauri-app/scripts/build-flatpak.js passed.
  • node --check scripts/desktop-server-resources.cjs passed.
  • Parsed the edited package.json files successfully.

Validation Not Completed

  • Workflow YAML parsing could not run locally because the workspace dependencies are not installed and yaml is unavailable in this checkout.
  • npm exec -- tsc -p packages/opencode-plugin/tsconfig.json could not run locally for the same reason; npm resolved to the registry placeholder instead of a local TypeScript install.

Gatekeeper verdict: do not merge until at least findings 1 and 2 are addressed or disproven with CI evidence that installs and launches the exact generated Flatpak artifacts.

--
Yours,
CodeNomadBot
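
The loader failure described in finding 1 above appears in `ldd` output in two forms: a soname that resolves to `not found`, and a library that is present but lacks a required symbol version. The following is an added example, not code from this PR or project; the function names, the binary path `/app/bin/example-app` and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example: turn `ldd` output into a pass/fail closure check.
# ldd reports unmet symbol versions on stderr, so callers should pipe 2>&1.

# Reads ldd output on stdin. Prints "missing-lib <soname>" or
# "missing-version <tag> <library>" per problem; returns 1 if any were found.
ldd_problems() {
  awk '
    BEGIN { bad = 0 }
    # "libfoo.so.1 => not found": the soname is absent from the runtime.
    /=> not found/ { print "missing-lib", $1; bad = 1; next }
    # "<bin>: <lib>: version `TAG` not found (required by <bin>)": the library
    # exists but is older than the one the binary was linked against.
    / version .* not found/ {
      for (i = 2; i < NF; i++) if ($i == "version") {
        tag = $(i + 1); gsub(/[^A-Za-z0-9_.]/, "", tag)
        lib = $(i - 1); sub(/:$/, "", lib)
        print "missing-version", tag, lib; bad = 1
      }
      next
    }
    END { exit bad }
  '
}

# Constructed sample (not captured from the PR): one unresolved soname and
# one glibc symbol-version mismatch. /app/bin/example-app is a placeholder.
sample_ldd_output() {
  cat <<'EOF'
/app/bin/example-app: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.39' not found (required by /app/bin/example-app)
	linux-vdso.so.1 (0x00007ffd5a1f2000)
	libwebkit2gtk-4.1.so.0 => /usr/lib/x86_64-linux-gnu/libwebkit2gtk-4.1.so.0 (0x00007f3c1a000000)
	libayatana-appindicator3.so.1 => not found
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f3c19c00000)
EOF
}

if ! sample_ldd_output | ldd_problems; then
  echo "dependency closure incomplete; fail the job before upload" >&2
fi
```

A clean `ldd` result only shows that the loader can resolve every library; it says nothing about whether the application initializes once loaded.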

Add explicit Electron Linux artifact gating so the release job fails if Flatpak output is missing rather than silently uploading only zip/AppImage assets.

Reuse the existing Tauri Linux desktop metadata for Flatpak packaging to avoid drift across deb, rpm, AppImage, and Flatpak launchers. The workflow now installs the generated Tauri Flatpak and runs ldd inside the sandbox to catch missing runtime libraries before upload.

@github-actions

PR builds are available as GitHub Actions artifacts:

https://github.com/NeuralNomadsAI/CodeNomad/actions/runs/26214382534

Artifacts expire in 7 days.
Artifacts:

  • pr-492-3de5ecb7e90d017a070decffa4415d15448f48b2-electron-windows

@github-actions

PR builds are available as GitHub Actions artifacts:

https://github.com/NeuralNomadsAI/CodeNomad/actions/runs/26214736258

Artifacts expire in 7 days.
Artifacts:

  • pr-492-b919efcf26df61f9a058492d3ef1c51a000ad33d-tauri-macos
  • pr-492-b919efcf26df61f9a058492d3ef1c51a000ad33d-tauri-windows
  • pr-492-b919efcf26df61f9a058492d3ef1c51a000ad33d-electron-macos
  • pr-492-b919efcf26df61f9a058492d3ef1c51a000ad33d-tauri-macos-arm64
  • pr-492-b919efcf26df61f9a058492d3ef1c51a000ad33d-electron-windows

shantur (Collaborator, Author) commented May 21, 2026

@CodeNomadBot

again

codenomadbot (Bot, Contributor) commented May 21, 2026

Understood request: again means rerun the same strict gatekeeper review on the latest PR state. Assumption: review-only; I made no code changes. Current local PR head reviewed: b919efc (build: verify linux flatpak artifacts).

Findings

  1. High: the latest PR artifact signal still does not show the Linux artifacts this PR is meant to publish. The refreshed thread has an artifacts comment for b919efc26df61f9a058492d3ef1c51a000ad33d, but it lists only tauri-macos, tauri-windows, electron-macos, tauri-macos-arm64, and electron-windows. There is no electron-linux or tauri-linux artifact listed. Until the workflow produces and publishes those artifacts for the latest SHA, the core release-path claim remains unproven. This is especially important because the PR is specifically about Linux Flatpak/deb/rpm/AppImage outputs.

  2. High: the new Tauri Flatpak reuses a desktop file that hides the app from launchers. packages/tauri-app/scripts/build-flatpak.js:44 copies packages/tauri-app/src-tauri/icons/linux/ai.neuralnomads.codenomad.client.desktop, whose contents include Categories= and NoDisplay=true at lines 2 and 7. For a Flatpak artifact, that means the installed desktop integration is likely invisible or poor-quality even if the bundle installs successfully. Better implementation: use shared metadata that is valid for all Linux packages, or use a Flatpak-specific desktop entry with a real category such as Development;IDE; and without NoDisplay=true unless hiding the app is intentional.

  3. Medium: the Tauri Flatpak runtime check is a good improvement, but it only proves file presence and dynamic loader closure, not that the packaged app can actually start. See .github/workflows/build-and-upload.yml:726-732. ldd catches missing sonames, but it will not catch failures in WebKit/GTK initialization, resource lookup from /app/lib/CodeNomad/resources, or sandbox-permission startup regressions. If CI can support it, add a bounded launch smoke under Flatpak, ideally with a headless display/dbus setup, or at least a purpose-built --version/--smoke command that initializes the same resource paths without opening the full UI.

  4. Low: the Tauri package discovery helper is fragile under set -euo pipefail. .github/workflows/build-and-upload.yml:744-751 uses find ... | head -n1 for each artifact type. With pipefail, find can exit non-zero from SIGPIPE when head stops after the first match, which can make the packaging step flaky if multiple matching files exist. Prefer find "$SEARCH_ROOT" -type f -iname "$1" -print -quit to avoid the pipeline entirely.

Validation Performed

  • git diff --check dev...HEAD passed.
  • node --check packages/tauri-app/scripts/build-flatpak.js passed.
  • node --check scripts/desktop-server-resources.cjs passed.
  • Parsed the edited package.json files successfully.
  • Parsed .github/workflows/build-and-upload.yml successfully with Ruby YAML.

Gatekeeper verdict: still do not merge until the latest SHA has successful Linux artifacts visible from CI, and the Flatpak desktop metadata issue is fixed or explicitly justified.

--
Yours,
CodeNomadBot
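
Finding 4 above (artifact discovery without a `find | head` pipeline) and finding 2 of the earlier review (a gate that fails when any one required artifact type is missing) can be combined in one helper. The following is an added example, not the workflow's own code; the function names, the temporary directory layout and the file names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: per-type artifact gate built on `find ... -print -quit`.

# first_match ROOT PATTERN: print the first file under ROOT whose name matches
# PATTERN (case-insensitive). -quit makes find stop after one hit, so there is
# no pipeline and no SIGPIPE exit status for `set -o pipefail` to act on.
first_match() {
  find "$1" -type f -iname "$2" -print -quit
}

# require_artifacts ROOT PATTERN...: check every required type separately.
# Prints "missing: <pattern>" for each type with no file; returns 1 if any.
require_artifacts() {
  root=$1; shift
  missing=0
  for pattern in "$@"; do
    if [ -z "$(first_match "$root" "$pattern")" ]; then
      echo "missing: $pattern"
      missing=1
    fi
  done
  return "$missing"
}

# Constructed build output: zip and two AppImages, but no Flatpak bundle.
make_sample_tree() {
  dir=$(mktemp -d)
  mkdir -p "$dir/dist"
  : > "$dir/dist/Example-1.0.0.zip"
  : > "$dir/dist/Example-1.0.0.AppImage"
  : > "$dir/dist/Example-1.0.1.AppImage"
  echo "$dir"
}

tree=$(make_sample_tree)
# A glob-based upload step would accept this tree; the gate does not.
require_artifacts "$tree" '*.zip' '*.AppImage' '*.flatpak' \
  || echo "gate failed: stop before upload" >&2
rm -rf "$tree"
```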

Move Electron Flatpak packaging out of electron-builder's bundled flatpak target and into a repository-controlled flatpak-builder manifest generated from the linux-unpacked app. This keeps the zip and AppImage build path unchanged while producing an explicit .flatpak artifact after electron-builder completes.

Bump the Tauri Flatpak runtime from GNOME 46 to GNOME 47 so the Ubuntu 24.04-built binary can satisfy its GLIBC_2.39 runtime dependency during the CI install smoke check.

Validation: node --check for both Flatpak scripts, JSON parse for the Electron package, Ruby YAML parse for the workflow, and git diff --check.

@github-actions

PR builds are available as GitHub Actions artifacts:

https://github.com/NeuralNomadsAI/CodeNomad/actions/runs/26217525781

Artifacts expire in 7 days.
Artifacts:

  • pr-492-a81f7bc0fedf9766d95803a05f4eeaff43beb722-tauri-macos
  • pr-492-a81f7bc0fedf9766d95803a05f4eeaff43beb722-tauri-linux
  • pr-492-a81f7bc0fedf9766d95803a05f4eeaff43beb722-tauri-windows
  • pr-492-a81f7bc0fedf9766d95803a05f4eeaff43beb722-electron-macos
  • pr-492-a81f7bc0fedf9766d95803a05f4eeaff43beb722-tauri-macos-arm64
  • pr-492-a81f7bc0fedf9766d95803a05f4eeaff43beb722-electron-windows

Install the existing 512x512 PWA icon into the Electron Flatpak hicolor 512x512 location instead of the 1024x1024 application icon. Flatpak export validates icon dimensions against the target icon directory and rejected the previous artifact.

Validation: node --check packages/electron-app/scripts/build-flatpak.js and git diff --check.

@github-actions

PR builds are available as GitHub Actions artifacts:

https://github.com/NeuralNomadsAI/CodeNomad/actions/runs/26218587088

Artifacts expire in 7 days.
Artifacts:

  • pr-492-14dd18fded146e7b322b6411bada9feb6a183f93-tauri-macos
  • pr-492-14dd18fded146e7b322b6411bada9feb6a183f93-tauri-linux
  • pr-492-14dd18fded146e7b322b6411bada9feb6a183f93-tauri-windows
  • pr-492-14dd18fded146e7b322b6411bada9feb6a183f93-electron-macos
  • pr-492-14dd18fded146e7b322b6411bada9feb6a183f93-electron-linux
  • pr-492-14dd18fded146e7b322b6411bada9feb6a183f93-tauri-macos-arm64
  • pr-492-14dd18fded146e7b322b6411bada9feb6a183f93-electron-windows

Use the Tauri package version when the reusable PR build workflow does not provide VERSION. PR validation intentionally leaves release version inputs empty, but artifact filenames should still include the package version rather than producing names like CodeNomad-Tauri-linux-x64-.flatpak.

Validation: Ruby YAML parse for the workflow and git diff --check.

@github-actions

PR builds are available as GitHub Actions artifacts:

https://github.com/NeuralNomadsAI/CodeNomad/actions/runs/26353839603

Artifacts expire in 7 days.
Artifacts:

  • pr-492-7e1856eba37bfd91a818fa75551a15ae3bc63790-tauri-macos
  • pr-492-7e1856eba37bfd91a818fa75551a15ae3bc63790-tauri-linux
  • pr-492-7e1856eba37bfd91a818fa75551a15ae3bc63790-tauri-windows
  • pr-492-7e1856eba37bfd91a818fa75551a15ae3bc63790-electron-macos
  • pr-492-7e1856eba37bfd91a818fa75551a15ae3bc63790-electron-linux
  • pr-492-7e1856eba37bfd91a818fa75551a15ae3bc63790-tauri-macos-arm64
  • pr-492-7e1856eba37bfd91a818fa75551a15ae3bc63790-electron-windows

pascalandr (Contributor) commented May 25, 2026

@shantur in my opinion maybe just .deb and .AppImage are enough
