ci: reuse tauri config prep and relax updater mismatch strictness

zouyonghe · zouyonghe · commit 466c411108e9 · 2026-02-25T11:35:54.000+09:00
diff --git a/.github/actions/prepare-tauri-build-config/action.yml b/.github/actions/prepare-tauri-build-config/action.yml
@@ -0,0 +1,29 @@
+name: Prepare Tauri Build Config
+description: Render temporary Tauri build config and export ASTRBOT_TAURI_CONFIG_PATH.
+
+inputs:
+  updater-endpoint:
+    description: Updater latest.json endpoint URL override.
+    required: false
+    default: ''
+  updater-pubkey:
+    description: Updater public key override.
+    required: false
+    default: ''
+  output-path:
+    description: Generated Tauri build config path.
+    required: false
+    default: src-tauri/tauri.build.config.json
+
+runs:
+  using: composite
+  steps:
+    - name: Render config
+      shell: bash
+      run: |
+        set -euo pipefail
+        python3 scripts/ci/render-tauri-build-config.py \
+          --output "${{ inputs.output-path }}" \
+          --updater-endpoint "${{ inputs.updater-endpoint }}" \
+          --updater-pubkey "${{ inputs.updater-pubkey }}"
+        echo "ASTRBOT_TAURI_CONFIG_PATH=${{ inputs.output-path }}" >> "${GITHUB_ENV}"
diff --git a/.github/workflows/build-desktop-tauri.yml b/.github/workflows/build-desktop-tauri.yml
@@ -50,6 +50,8 @@ env:
   # Optional override. When empty, scripts/ci/render-tauri-build-config.py applies the centralized default endpoint.
   ASTRBOT_UPDATER_ENDPOINT: ${{ vars.ASTRBOT_UPDATER_ENDPOINT || '' }}
   ASTRBOT_UPDATER_PUBKEY: ${{ vars.ASTRBOT_UPDATER_PUBKEY || '' }}
+  # Strict mode for updater manifest generation on version mismatches.
+  ASTRBOT_UPDATER_MANIFEST_STRICT_VERSION_MATCH: ${{ vars.ASTRBOT_UPDATER_MANIFEST_STRICT_VERSION_MATCH || '0' }}
 
 jobs:
   resolve_build_context:
@@ -203,19 +205,11 @@ jobs:
         with:
           astrbot_version: ${{ steps.desktop_version.outputs.normalized }}
 
-      - name: Prepare Tauri build config (Linux)
-        env:
-          ASTRBOT_UPDATER_ENDPOINT: ${{ env.ASTRBOT_UPDATER_ENDPOINT }}
-          ASTRBOT_UPDATER_PUBKEY: ${{ env.ASTRBOT_UPDATER_PUBKEY }}
-        shell: bash
-        run: |
-          set -euo pipefail
-          config_path="src-tauri/tauri.build.config.json"
-          python3 scripts/ci/render-tauri-build-config.py \
-            --output "${config_path}" \
-            --updater-endpoint "${ASTRBOT_UPDATER_ENDPOINT}" \
-            --updater-pubkey "${ASTRBOT_UPDATER_PUBKEY}"
-          echo "ASTRBOT_TAURI_CONFIG_PATH=${config_path}" >> "${GITHUB_ENV}"
+      - name: Prepare Tauri build config
+        uses: ./.github/actions/prepare-tauri-build-config
+        with:
+          updater-endpoint: ${{ env.ASTRBOT_UPDATER_ENDPOINT }}
+          updater-pubkey: ${{ env.ASTRBOT_UPDATER_PUBKEY }}
 
       - name: Build desktop installers (Linux)
         env:
@@ -315,19 +309,11 @@ jobs:
             --override-source "env:ASTRBOT_MACOS_APP_BUNDLE_NAME" \
             --github-output "${GITHUB_OUTPUT}"
 
-      - name: Prepare Tauri build config (macOS)
-        env:
-          ASTRBOT_UPDATER_ENDPOINT: ${{ env.ASTRBOT_UPDATER_ENDPOINT }}
-          ASTRBOT_UPDATER_PUBKEY: ${{ env.ASTRBOT_UPDATER_PUBKEY }}
-        shell: bash
-        run: |
-          set -euo pipefail
-          config_path="src-tauri/tauri.build.config.json"
-          python3 scripts/ci/render-tauri-build-config.py \
-            --output "${config_path}" \
-            --updater-endpoint "${ASTRBOT_UPDATER_ENDPOINT}" \
-            --updater-pubkey "${ASTRBOT_UPDATER_PUBKEY}"
-          echo "ASTRBOT_TAURI_CONFIG_PATH=${config_path}" >> "${GITHUB_ENV}"
+      - name: Prepare Tauri build config
+        uses: ./.github/actions/prepare-tauri-build-config
+        with:
+          updater-endpoint: ${{ env.ASTRBOT_UPDATER_ENDPOINT }}
+          updater-pubkey: ${{ env.ASTRBOT_UPDATER_PUBKEY }}
 
       - name: Build desktop app bundle (macOS)
         env:
@@ -491,19 +477,11 @@ jobs:
         with:
           astrbot_version: ${{ steps.desktop_version.outputs.normalized }}
 
-      - name: Prepare Tauri build config (Windows)
-        env:
-          ASTRBOT_UPDATER_ENDPOINT: ${{ env.ASTRBOT_UPDATER_ENDPOINT }}
-          ASTRBOT_UPDATER_PUBKEY: ${{ env.ASTRBOT_UPDATER_PUBKEY }}
-        shell: bash
-        run: |
-          set -euo pipefail
-          config_path="src-tauri/tauri.build.config.json"
-          python3 scripts/ci/render-tauri-build-config.py \
-            --output "${config_path}" \
-            --updater-endpoint "${ASTRBOT_UPDATER_ENDPOINT}" \
-            --updater-pubkey "${ASTRBOT_UPDATER_PUBKEY}"
-          echo "ASTRBOT_TAURI_CONFIG_PATH=${config_path}" >> "${GITHUB_ENV}"
+      - name: Prepare Tauri build config
+        uses: ./.github/actions/prepare-tauri-build-config
+        with:
+          updater-endpoint: ${{ env.ASTRBOT_UPDATER_ENDPOINT }}
+          updater-pubkey: ${{ env.ASTRBOT_UPDATER_PUBKEY }}
 
       - name: Build desktop installers (Windows)
         env:
@@ -615,15 +593,25 @@ jobs:
         env:
           RELEASE_TAG: ${{ needs.resolve_build_context.outputs.release_tag }}
           RELEASE_VERSION: ${{ needs.resolve_build_context.outputs.astrbot_version }}
+          ASTRBOT_UPDATER_MANIFEST_STRICT_VERSION_MATCH: ${{ env.ASTRBOT_UPDATER_MANIFEST_STRICT_VERSION_MATCH }}
         shell: bash
         run: |
           set -euo pipefail
-          python3 scripts/ci/generate-updater-manifest.py \
-            --root release-artifacts \
-            --repository "${GITHUB_REPOSITORY}" \
-            --release-tag "${RELEASE_TAG}" \
-            --version "${RELEASE_VERSION}" \
+          manifest_args=(
+            --root release-artifacts
+            --repository "${GITHUB_REPOSITORY}"
+            --release-tag "${RELEASE_TAG}"
+            --version "${RELEASE_VERSION}"
             --output release-artifacts/latest.json
+          )
+          strict_flag="$(printf '%s' "${ASTRBOT_UPDATER_MANIFEST_STRICT_VERSION_MATCH}" | tr '[:upper:]' '[:lower:]')"
+          case "${strict_flag}" in
+            1|true|yes|on)
+              manifest_args+=(--strict-version-match)
+              ;;
+          esac
+          python3 scripts/ci/generate-updater-manifest.py \
+            "${manifest_args[@]}"
 
       - name: Remove existing assets from target release
         env:
diff --git a/README.md b/README.md
@@ -121,25 +121,30 @@ make signing-key
 
 export TAURI_SIGNING_PRIVATE_KEY_PATH="$HOME/.tauri/astrbot.key"
 export TAURI_SIGNING_PRIVATE_KEY_PASSWORD='你的密码'
+export ASTRBOT_UPDATER_PUBKEY_FILE="$HOME/.tauri/astrbot.key.pub"
+export ASTRBOT_TAURI_BUNDLES="deb,rpm,appimage"
 
-make build-signed \
-  ASTRBOT_UPDATER_PUBKEY_FILE="$HOME/.tauri/astrbot.key.pub" \
-  ASTRBOT_TAURI_BUNDLES="deb,rpm,appimage"
+make build-signed
 ```
 
 说明：
 
+- 私钥可用路径变量 `TAURI_SIGNING_PRIVATE_KEY_PATH`，公钥可用路径变量 `ASTRBOT_UPDATER_PUBKEY_FILE`。
+- 也支持直接传内容：`TAURI_SIGNING_PRIVATE_KEY`（私钥内容）和 `ASTRBOT_UPDATER_PUBKEY`（公钥内容）。
 - `make build-signed` 会自动生成临时覆盖配置 `src-tauri/tauri.build.config.json`，并用 `cargo tauri build --config ...` 构建。
 - 默认 updater endpoint 由 `scripts/ci/render-tauri-build-config.py` 统一定义（上游地址）。
 - 临时覆盖配置已在 `.gitignore` 中，不会误提交。
 
 ### 本地切换到 fork 更新源（测试用）
 
 ```bash
-make build-signed \
-  ASTRBOT_UPDATER_PUBKEY_FILE="$HOME/.tauri/astrbot.key.pub" \
-  ASTRBOT_UPDATER_ENDPOINT="https://github.com/<your-name>/AstrBot-desktop/releases/latest/download/latest.json" \
-  ASTRBOT_TAURI_BUNDLES="deb,rpm,appimage"
+export TAURI_SIGNING_PRIVATE_KEY_PATH="$HOME/.tauri/astrbot.key"
+export TAURI_SIGNING_PRIVATE_KEY_PASSWORD='你的密码'
+export ASTRBOT_UPDATER_PUBKEY_FILE="$HOME/.tauri/astrbot.key.pub"
+export ASTRBOT_UPDATER_ENDPOINT="https://github.com/<your-name>/AstrBot-desktop/releases/latest/download/latest.json"
+export ASTRBOT_TAURI_BUNDLES="deb,rpm,appimage"
+
+make build-signed
 ```
 
 注意：`ASTRBOT_UPDATER_ENDPOINT` 对应的发布资产，必须使用与 `ASTRBOT_UPDATER_PUBKEY` 匹配的私钥签名。
diff --git a/scripts/ci/generate-updater-manifest.py b/scripts/ci/generate-updater-manifest.py
@@ -49,6 +49,11 @@ def parse_args() -> argparse.Namespace:
         required=True,
         help="Updater manifest version (SemVer or v-prefixed SemVer).",
     )
+    parser.add_argument(
+        "--strict-version-match",
+        action="store_true",
+        help="Fail when updater artifact version does not match --version.",
+    )
     parser.add_argument("--output", required=True, help="Output latest.json path.")
     return parser.parse_args()
 
@@ -118,12 +123,14 @@ def main() -> int:
 
     if mismatched_versions:
         for asset_name, raw_version in mismatched_versions:
+            level = "::error::" if args.strict_version_match else "::warning::"
             print(
-                "::error::[updater-manifest] "
+                f"{level}[updater-manifest] "
                 f"artifact version mismatch: {asset_name} has version {raw_version!r}, "
-                f"expected {args.version!r}"
+                f"expected {args.version!r} (normalized: {expected_version!r})"
             )
-        return 1
+        if args.strict_version_match:
+            return 1
 
     if not platforms:
         print("[updater-manifest] no updater assets found; skip latest.json generation")
