ci(updater): minisign release artifact signing #723

Merged: fernandotonon merged 3 commits into master from feat/auto-updater-ci-signing on Jun 16, 2026

Conversation

@fernandotonon (Owner) commented Jun 16, 2026

Summary

  • Adds sign-release-artifacts job to deploy.yml (runs on release: published after platform builds finish).
  • Downloads release zip/dmg/deb, writes SHA256SUMS, signs each file + manifest with minisign, smoke-verifies with packaging/updater/minisign.pub, uploads *.minisig + SHA256SUMS + pubkey.
  • Updates docs/AUTO_UPDATER_DESIGN.md to document the live CI path.

Follow-up to #722 / spike #440. Requires MINISIGN_SECRET_KEY (+ MINISIGN_PASSWORD for encrypted keys) — already configured.

Test plan

  • Merge and verify on next GitHub Release publish
  • Confirm release assets include .minisig, SHA256SUMS, SHA256SUMS.minisig, minisign.pub
  • minisign -Vm <asset> -x <asset>.minisig -P <pubkey> succeeds locally

Made with Cursor

Summary by CodeRabbit

  • New Features

    • Release artifacts are now cryptographically signed, enabling users to verify authenticity and integrity of downloads.
    • SHA256 checksums are automatically generated and signed for each release.
  • Documentation

    • Updated design documentation to reflect the implemented release signing workflow and verification process.

Add sign-release-artifacts job: download zip/dmg/deb from the GitHub Release,
emit SHA256SUMS, sign each artifact + manifest, verify with packaging pubkey,
and upload *.minisig + SHA256SUMS + minisign.pub. Follow-up to spike #440.

Co-authored-by: Cursor <cursoragent@cursor.com>
coderabbitai (bot) commented Jun 16, 2026

Warning: Review limit reached

@fernandotonon, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 44 minutes and 47 seconds.


ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 0d77414e-86b0-4de2-a5db-0b54ff10acf5

📥 Commits

Reviewing files that changed from the base of the PR and between 6cf49db and 9e71844.

📒 Files selected for processing (1)
  • .github/workflows/deploy.yml
Walkthrough

A new sign-release-artifacts GitHub Actions job is added to deploy.yml. It triggers on release.published, depends on the platform build jobs, polls for required release assets, downloads them, signs each with minisign (using a base64-decoded secret key), generates and signs SHA256SUMS, verifies all signatures, and uploads the results back to the release. Documentation in AUTO_UPDATER_DESIGN.md is updated to reflect the feature as implemented.

Changes

Release Artifact Signing

  • Job definition and asset polling (.github/workflows/deploy.yml): Declares the sign-release-artifacts job with release.published trigger, dependencies on Windows/Linux/macOS build jobs, minisign installation, and a retry loop (10 attempts, 30 s backoff) polling gh release view until all required assets appear.
  • Download, sign, verify, and upload (.github/workflows/deploy.yml): Downloads required artifacts into release-assets/, base64-decodes MINISIGN_SECRET_KEY to a restricted-permission temp file, signs each artifact and the generated sorted SHA256SUMS (with optional MINISIGN_PASSWORD), runs smoke-test verification against packaging/updater/minisign.pub, then uploads all .minisig files, SHA256SUMS, and minisign.pub to the release with --clobber.
  • Docs: CI signing implemented (docs/AUTO_UPDATER_DESIGN.md): Replaces the "planned — follow-up PR" signing section with an implemented-in-deploy.yml specification covering the job's asset wait, download, sign, verify, and upload steps along with the required secrets and public key location.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

  • fernandotonon/QtMeshEditor#722: Directly related — that PR planned the minisign CI signing workflow and drafted the same docs/AUTO_UPDATER_DESIGN.md section that this PR implements and marks as complete.

Poem

🐇 Hop hop, the bunny signs with flair,
A minisign key decoded from thin air.
SHA256SUMS line up in a row,
Each .minisig gleams with a cryptographic glow.
The release is sealed — the artifacts are true,
No tampering slips past this fluffy review! ✨

Pre-merge checks: 4 passed, 1 inconclusive

  • Description check: Inconclusive. The description covers the key technical changes and includes a test plan, but does not follow the provided template structure (Summary, Technical Details, PS1 runtime rip sections). Resolution: Align the description with the repository template by reorganizing into Summary, Technical Details, and other required sections to maintain consistency with other PRs.
  • Title check: Passed. The title accurately describes the main change: adding minisign-based signing of release artifacts in the CI pipeline.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: Passed. Check skipped because no linked issues were found for this pull request.

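The job that the PR description and the walkthrough above outline (wait for the release assets, write SHA256SUMS, sign each file and the manifest with minisign, verify against the committed public key, upload) written out as standalone bash functions. This is an added example, not the project's deploy.yml or any code from the PR. It assumes that the expected asset names are passed in explicitly, that in CI the asset lister is `gh release view "$RELEASE_TAG" --json assets --jq '.assets[].name'`, and that minisign accepts an encrypted key's password on stdin; the asset names in the demonstration are constructed. Unlike a bare count of visible assets, the wait loop gates on exact filenames and fails the job when one never appears, which is the point the Codex review below raises.

```shell
#!/usr/bin/env bash
# Added example, not the project's deploy.yml or any code from the PR.
# Assumptions: expected asset names are passed in explicitly; in CI the lister
# command is `gh release view "$RELEASE_TAG" --json assets --jq '.assets[].name'`;
# minisign reads an encrypted key's password from stdin. Asset names used in
# the demonstration at the bottom are constructed.
set -eu

# Read the visible asset names from stdin and print each expected name (the
# arguments) that is absent, one per line. Exit 0 only when nothing is missing.
missing_assets() {
  local visible name status=0
  visible=$(cat)
  for name in "$@"; do
    if ! printf '%s\n' "$visible" | grep -qxF -- "$name"; then
      printf '%s\n' "$name"
      status=1
    fi
  done
  return "$status"
}

# Poll a lister command ($1) up to $2 times, sleeping $3 seconds in between,
# until every remaining argument appears in its output. Mirrors the PR's
# 10 x 30 s loop but gates on exact filenames, not on a bare asset count.
wait_for_assets() {
  local lister=$1 attempts=$2 delay=$3 i=1 missing
  shift 3
  while [ "$i" -le "$attempts" ]; do
    if missing=$("$lister" | missing_assets "$@"); then
      return 0
    fi
    echo "attempt $i/$attempts, still missing: $(printf '%s' "$missing" | tr '\n' ' ')" >&2
    sleep "$delay"
    i=$((i + 1))
  done
  echo "required release assets never appeared: $*" >&2
  return 1
}

# Write a deterministic SHA256SUMS for the artifacts in $1, skipping any earlier
# manifest or .minisig files, and print the manifest path.
write_sha256sums() {
  local dir=$1 out="$1/SHA256SUMS"
  (
    cd "$dir"
    export LC_ALL=C
    for f in *; do
      [ -f "$f" ] || continue
      case $f in SHA256SUMS*|*.minisig) continue ;; esac
      sha256sum -- "$f"
    done
  ) > "$out"
  printf '%s\n' "$out"
}

# Sign every artifact plus the manifest with minisign, then verify each
# signature against the public key committed in the repo before uploading.
# The secret key is base64-decoded from MINISIGN_SECRET_KEY into a 0600 file.
sign_and_verify() {
  local dir=$1 pubkey=$2 keyfile f
  keyfile=$(mktemp)
  chmod 600 "$keyfile"
  trap "rm -f '$keyfile'" EXIT
  printf '%s' "$MINISIGN_SECRET_KEY" | base64 -d > "$keyfile"
  for f in "$dir"/*; do
    case $f in *.minisig) continue ;; esac
    printf '%s\n' "${MINISIGN_PASSWORD:-}" |
      minisign -S -s "$keyfile" -m "$f" -x "$f.minisig" -t "$(basename "$f")"
    minisign -V -q -p "$pubkey" -m "$f" -x "$f.minisig"
  done
  rm -f "$keyfile"
}

# Attach signatures, manifest and public key to the release (CI only).
upload_signatures() {
  local tag=$1 dir=$2 pubkey=$3
  gh release upload "$tag" "$dir"/*.minisig "$dir/SHA256SUMS" "$pubkey" --clobber
}

# Offline demonstration with constructed files; neither gh nor minisign needed.
demo=$(mktemp -d)
for name in QtMeshEditor-demo.zip QtMeshEditor-demo.deb QtMeshEditor-demo.dmg; do
  printf 'constructed content of %s\n' "$name" > "$demo/$name"
done
list_demo_assets() { ls "$demo"; }   # stand-in for gh release view
wait_for_assets list_demo_assets 10 30 \
  QtMeshEditor-demo.zip QtMeshEditor-demo.deb QtMeshEditor-demo.dmg
manifest=$(write_sha256sums "$demo")
(cd "$demo" && sha256sum -c --quiet SHA256SUMS) && echo "manifest OK: $manifest"
if command -v minisign >/dev/null 2>&1 && [ -n "${MINISIGN_SECRET_KEY:-}" ]; then
  sign_and_verify "$demo" packaging/updater/minisign.pub
fi
```

The manifest is written before signing so that SHA256SUMS itself is one of the files minisign signs, and verification runs against the public key checked into the repository rather than one derived from the secret, so a mismatch between the CI secret and the key shipped to updater clients fails the job before anything is uploaded.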

chatgpt-codex-connector (bot) left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 6f2da25db5


Comment thread on .github/workflows/deploy.yml (outdated), lines 2057 to 2058:
if [ "$COUNT" -ge 3 ]; then
exit 0
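Review bot: the success gate at lines 2057-2058 is a count, `[ "$COUNT" -ge 3 ]`, not a check for the specific assets the signing step needs, so the poll returns success as soon as any three assets are attached to the release, and a SHA256SUMS produced in that state silently omits whatever is attached afterwards. Compare the visible asset names against an explicit expected list and only `exit 0` when every expected filename is present; and make sure the path taken when the attempts are exhausted fails the job rather than falling through to download and upload.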


P2: Wait for each release asset before signing

On release runs this exits as soon as any three assets are visible, but this workflow publishes more than that: the Windows zip and setup exe, the Linux .deb, and the macOS .dmg. If one required artifact is still not visible through the release API (for example the DMG), gh release download can still match the other QtMeshEditor-* assets plus the deb, so the signing step completes and uploads SHA256SUMS without ever signing the missing artifact. Please wait for the exact expected filenames, or fail after download if any are absent, before signing.


Address review: poll for exact zip/setup/deb/dmg filenames instead of any
three assets, and fail if any required file is missing after download.

Co-authored-by: Cursor <cursoragent@cursor.com>

coderabbitai (bot) left a comment

Actionable comments posted: 2

Inline comments:
In @.github/workflows/deploy.yml:
- Line 2044: The `actions/checkout@v4` action at line 2044 uses a floating tag
instead of a pinned commit SHA, which creates supply-chain security risk.
Additionally, the job downloads and signs release artifacts without requiring
git credentials, so persisted credentials are unnecessary. Replace the floating
tag `@v4` with a specific commit SHA and add `with: persist-credentials: false`
to the checkout action configuration to harden against supply-chain drift and
reduce the credential exposure surface.
- Line 2054: Move the `github.ref_name` template expression to an environment
variable to prevent shell injection vulnerabilities. In the
`sign-release-artifacts` job, define an environment variable that captures
`github.ref_name` before any bash commands execute, then replace all direct
interpolations of `${{ github.ref_name }}` with references to this environment
variable throughout the job. Apply the same fix to the `update-homebrew-cask`
job, defining the environment variable once and using it instead of direct
template interpolation in all subsequent bash commands. This ensures that
crafted release tags cannot inject shell syntax and execute arbitrary commands.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: fd3400ec-3611-4066-a5bb-8b9e846c50e0

📥 Commits

Reviewing files that changed from the base of the PR and between 29accd8 and 6cf49db.

📒 Files selected for processing (2)
  • .github/workflows/deploy.yml
  • docs/AUTO_UPDATER_DESIGN.md
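The two CodeRabbit findings above as a workflow fragment, with the weak form beside the hardened one. This is an added illustration, not the PR's deploy.yml; the job name, the release.published trigger and the RELEASE_TAG name come from the PR, while `<commit-sha-of-actions-checkout-v4>` is a placeholder for the full commit SHA that the actions/checkout `v4` tag resolves to (take it from the action's own repository). The template expression `${{ github.ref_name }}` is substituted into the script text before bash ever parses it, which is why a tag name is only safe once it reaches the shell as an environment variable.

```yaml
# Added illustration (not the PR's deploy.yml). Placeholder: replace
# <commit-sha-of-actions-checkout-v4> with the full commit SHA that the v4 tag
# of actions/checkout resolves to.

# Weak form: floating tag, persisted token, and a template expression expanded
# straight into the script. GitHub substitutes the expression as text, so the
# tag name becomes part of the bash source rather than a quoted argument.
sign-release-artifacts-weak:
  if: github.event_name == 'release' && github.event.action == 'published'
  runs-on: ubuntu-latest
  steps:
    - uses: actions/checkout@v4
    - run: |
        gh release view ${{ github.ref_name }} --json assets --jq '.assets[].name'
      env:
        GH_TOKEN: ${{ github.token }}

# Hardened form: pinned SHA with a version comment, no persisted credentials,
# and the tag handed to bash through the environment, where it is data and is
# quoted like any other variable.
sign-release-artifacts:
  if: github.event_name == 'release' && github.event.action == 'published'
  runs-on: ubuntu-latest
  env:
    RELEASE_TAG: ${{ github.ref_name }}
  steps:
    - uses: actions/checkout@<commit-sha-of-actions-checkout-v4> # v4
      with:
        persist-credentials: false
    - run: |
        gh release view "$RELEASE_TAG" --json assets --jq '.assets[].name'
      env:
        GH_TOKEN: ${{ github.token }}
```

Declaring `RELEASE_TAG` once at job level covers every `run:` step in the job, which is the "define the environment variable once" shape the review asks for; the same pattern applies to the `update-homebrew-cask` job it mentions.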

Pin actions/checkout to the v4 commit SHA, disable persisted credentials,
and route release tag through RELEASE_TAG env to avoid shell injection.

Co-authored-by: Cursor <cursoragent@cursor.com>

@fernandotonon fernandotonon merged commit a639d88 into master Jun 16, 2026
21 checks passed
@fernandotonon fernandotonon deleted the feat/auto-updater-ci-signing branch June 16, 2026 20:16