chore: improve updater build flow and docs

zouyonghe · zouyonghe · commit e62bcbbbb62b · 2026-02-25T10:45:11.000+09:00
diff --git a/.github/workflows/build-desktop-tauri.yml b/.github/workflows/build-desktop-tauri.yml
@@ -47,6 +47,9 @@ env:
   # build outputs will include signed updater bundles and *.sig files.
   TAURI_SIGNING_PRIVATE_KEY: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY || '' }}
   TAURI_SIGNING_PRIVATE_KEY_PASSWORD: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY_PASSWORD || '' }}
+  # Default updater source points to upstream release latest.json; can be overridden per repo/fork.
+  ASTRBOT_UPDATER_ENDPOINT: ${{ vars.ASTRBOT_UPDATER_ENDPOINT || 'https://github.com/AstrBotDevs/AstrBot-desktop/releases/latest/download/latest.json' }}
+  ASTRBOT_UPDATER_PUBKEY: ${{ vars.ASTRBOT_UPDATER_PUBKEY || '' }}
 
 jobs:
   resolve_build_context:
@@ -200,6 +203,20 @@ jobs:
         with:
           astrbot_version: ${{ steps.desktop_version.outputs.normalized }}
 
+      - name: Prepare Tauri build config (Linux)
+        env:
+          ASTRBOT_UPDATER_ENDPOINT: ${{ env.ASTRBOT_UPDATER_ENDPOINT }}
+          ASTRBOT_UPDATER_PUBKEY: ${{ env.ASTRBOT_UPDATER_PUBKEY }}
+        shell: bash
+        run: |
+          set -euo pipefail
+          config_path="src-tauri/tauri.build.config.json"
+          python3 scripts/ci/render-tauri-build-config.py \
+            --output "${config_path}" \
+            --updater-endpoint "${ASTRBOT_UPDATER_ENDPOINT}" \
+            --updater-pubkey "${ASTRBOT_UPDATER_PUBKEY}"
+          echo "ASTRBOT_TAURI_CONFIG_PATH=${config_path}" >> "${GITHUB_ENV}"
+
       - name: Build desktop installers (Linux)
         env:
           ASTRBOT_SOURCE_GIT_URL: ${{ needs.resolve_build_context.outputs.source_git_url }}
@@ -208,7 +225,7 @@ jobs:
           ASTRBOT_LINUX_BUNDLES: ${{ env.ASTRBOT_LINUX_BUNDLES }}
           GITHUB_TOKEN: ${{ github.token }}
           GH_TOKEN: ${{ github.token }}
-        run: cargo tauri build --bundles "${ASTRBOT_LINUX_BUNDLES}"
+        run: cargo tauri build --config "${ASTRBOT_TAURI_CONFIG_PATH}" --bundles "${ASTRBOT_LINUX_BUNDLES}"
 
       - name: Collect Linux updater artifacts (if any)
         env:
@@ -298,6 +315,20 @@ jobs:
             --override-source "env:ASTRBOT_MACOS_APP_BUNDLE_NAME" \
             --github-output "${GITHUB_OUTPUT}"
 
+      - name: Prepare Tauri build config (macOS)
+        env:
+          ASTRBOT_UPDATER_ENDPOINT: ${{ env.ASTRBOT_UPDATER_ENDPOINT }}
+          ASTRBOT_UPDATER_PUBKEY: ${{ env.ASTRBOT_UPDATER_PUBKEY }}
+        shell: bash
+        run: |
+          set -euo pipefail
+          config_path="src-tauri/tauri.build.config.json"
+          python3 scripts/ci/render-tauri-build-config.py \
+            --output "${config_path}" \
+            --updater-endpoint "${ASTRBOT_UPDATER_ENDPOINT}" \
+            --updater-pubkey "${ASTRBOT_UPDATER_PUBKEY}"
+          echo "ASTRBOT_TAURI_CONFIG_PATH=${config_path}" >> "${GITHUB_ENV}"
+
       - name: Build desktop app bundle (macOS)
         env:
           ASTRBOT_SOURCE_GIT_URL: ${{ needs.resolve_build_context.outputs.source_git_url }}
@@ -341,7 +372,7 @@ jobs:
 
           for attempt in $(seq 1 "${max_attempts}"); do
             build_log="$(mktemp -t tauri-macos-build.XXXXXX.log)"
-            if cargo tauri build --verbose --target ${{ matrix.target }} --bundles app 2>&1 | tee "${build_log}"; then
+            if cargo tauri build --verbose --config "${ASTRBOT_TAURI_CONFIG_PATH}" --target ${{ matrix.target }} --bundles app 2>&1 | tee "${build_log}"; then
               rm -f "${build_log}" || true
               break
             fi
@@ -460,6 +491,20 @@ jobs:
         with:
           astrbot_version: ${{ steps.desktop_version.outputs.normalized }}
 
+      - name: Prepare Tauri build config (Windows)
+        env:
+          ASTRBOT_UPDATER_ENDPOINT: ${{ env.ASTRBOT_UPDATER_ENDPOINT }}
+          ASTRBOT_UPDATER_PUBKEY: ${{ env.ASTRBOT_UPDATER_PUBKEY }}
+        shell: bash
+        run: |
+          set -euo pipefail
+          config_path="src-tauri/tauri.build.config.json"
+          python3 scripts/ci/render-tauri-build-config.py \
+            --output "${config_path}" \
+            --updater-endpoint "${ASTRBOT_UPDATER_ENDPOINT}" \
+            --updater-pubkey "${ASTRBOT_UPDATER_PUBKEY}"
+          echo "ASTRBOT_TAURI_CONFIG_PATH=${config_path}" >> "${GITHUB_ENV}"
+
       - name: Build desktop installers (Windows)
         env:
           ASTRBOT_SOURCE_GIT_URL: ${{ needs.resolve_build_context.outputs.source_git_url }}
diff --git a/.gitignore b/.gitignore
@@ -14,6 +14,7 @@ resources/webui/
 # rust/tauri build outputs
 src-tauri/target/
 src-tauri/gen/
+src-tauri/tauri.build.config.json
 
 # logs
 *.log
diff --git a/Makefile b/Makefile
@@ -15,13 +15,21 @@ RUST_MANIFEST ?= src-tauri/Cargo.toml
 NODE_MODULES_DIR ?= node_modules
 PNPM_STORE_DIR ?= .pnpm-store
 TAURI_TARGET_DIR ?= src-tauri/target
+TAURI_BUILD_CONFIG ?= src-tauri/tauri.build.config.json
+TAURI_SIGNING_PRIVATE_KEY_OUT ?= $(HOME)/.tauri/astrbot.key
+ASTRBOT_UPDATER_ENDPOINT ?= https://github.com/AstrBotDevs/AstrBot-desktop/releases/latest/download/latest.json
+ASTRBOT_UPDATER_PUBKEY ?=
+ASTRBOT_UPDATER_PUBKEY_FILE ?=
+ASTRBOT_ENABLE_UPDATER_ARTIFACTS ?= 1
+ASTRBOT_TAURI_BUNDLES ?=
 # Single source of env keys managed by `make clean-env`.
 # If build/resource scripts start consuming a new persistent env var, add it here.
-ASTRBOT_ENV_KEYS := ASTRBOT_SOURCE_DIR ASTRBOT_SOURCE_GIT_URL ASTRBOT_SOURCE_GIT_REF ASTRBOT_DESKTOP_VERSION ASTRBOT_BUILD_SOURCE_DIR
+ASTRBOT_ENV_KEYS := ASTRBOT_SOURCE_DIR ASTRBOT_SOURCE_GIT_URL ASTRBOT_SOURCE_GIT_REF ASTRBOT_DESKTOP_VERSION ASTRBOT_BUILD_SOURCE_DIR ASTRBOT_UPDATER_ENDPOINT ASTRBOT_UPDATER_PUBKEY ASTRBOT_UPDATER_PUBKEY_FILE ASTRBOT_ENABLE_UPDATER_ARTIFACTS ASTRBOT_TAURI_BUNDLES TAURI_SIGNING_PRIVATE_KEY TAURI_SIGNING_PRIVATE_KEY_PATH TAURI_SIGNING_PRIVATE_KEY_PASSWORD
 # Hash of ASTRBOT_ENV_KEYS for stale reset-script detection in `make clean-env`.
 ASTRBOT_ENV_KEYS_HASH := $(shell (printf '%s\n' "$(ASTRBOT_ENV_KEYS)" | shasum -a 256 2>/dev/null || printf '%s\n' "$(ASTRBOT_ENV_KEYS)" | sha256sum 2>/dev/null || printf '%s\n' "$(ASTRBOT_ENV_KEYS)" | cksum 2>/dev/null) | awk '{print $$1}' | head -n 1)
 
 .PHONY: help deps sync-version update prepare-webui prepare-backend prepare-resources dev build \
+	signing-key render-tauri-config build-signed \
 	prepare rebuild lint test doctor prune size clean clean-rust clean-resources \
 	clean-vendor-local clean-vendor clean-node clean-env clean-all
 
@@ -38,6 +46,12 @@ help:
 	@echo "  make dev                Run Tauri dev"
 	@echo "  make build              Run Tauri build"
 	@echo "                          (set ASTRBOT_SOURCE_DIR=... or ASTRBOT_BUILD_SOURCE_DIR=...)"
+	@echo "  make signing-key        Generate updater signing key pair"
+	@echo "                          (TAURI_SIGNING_PRIVATE_KEY_OUT=$(TAURI_SIGNING_PRIVATE_KEY_OUT))"
+	@echo "  make render-tauri-config Generate temporary tauri build override config"
+	@echo "                          (ASTRBOT_UPDATER_ENDPOINT / ASTRBOT_UPDATER_PUBKEY / ASTRBOT_UPDATER_PUBKEY_FILE)"
+	@echo "  make build-signed       Build with --config $(TAURI_BUILD_CONFIG)"
+	@echo "                          (optional ASTRBOT_TAURI_BUNDLES=deb,rpm,appimage)"
 	@echo "  make rebuild            Clean and build"
 	@echo "  make lint               Run formatting and clippy checks"
 	@echo "  make test               Run Rust + script behavior tests"
@@ -104,6 +118,51 @@ build:
 	fi; \
 	pnpm run build
 
+signing-key:
+	cargo tauri signer generate -w "$(TAURI_SIGNING_PRIVATE_KEY_OUT)"
+
+render-tauri-config:
+	@set -e; \
+	updater_pubkey="$(ASTRBOT_UPDATER_PUBKEY)"; \
+	if [ -z "$$updater_pubkey" ] && [ -n "$(ASTRBOT_UPDATER_PUBKEY_FILE)" ]; then \
+		updater_pubkey="$$(cat "$(ASTRBOT_UPDATER_PUBKEY_FILE)")"; \
+	fi; \
+	disable_flag=""; \
+	case "$(ASTRBOT_ENABLE_UPDATER_ARTIFACTS)" in \
+		0|false|False|FALSE|no|No|NO|off|Off|OFF) disable_flag="--disable-updater-artifacts" ;; \
+	esac; \
+	python3 scripts/ci/render-tauri-build-config.py \
+		--output "$(TAURI_BUILD_CONFIG)" \
+		--updater-endpoint "$(ASTRBOT_UPDATER_ENDPOINT)" \
+		--updater-pubkey "$$updater_pubkey" \
+		$$disable_flag
+
+build-signed: render-tauri-config
+	@set -e; \
+	build_version="$(ASTRBOT_DESKTOP_VERSION)"; \
+	build_source_dir="$(ASTRBOT_BUILD_SOURCE_DIR)"; \
+	if [ -z "$$build_source_dir" ]; then \
+		build_source_dir="$(ASTRBOT_SOURCE_DIR)"; \
+	fi; \
+	if [ -z "$$build_version" ]; then \
+		build_version="$$(node -e "console.log(require('./package.json').version)")"; \
+	fi; \
+	if [ -n "$$build_source_dir" ]; then \
+		echo "Using build source dir: $$build_source_dir"; \
+	fi; \
+	echo "Build resource source dir: $${build_source_dir:-<auto vendor from git ref>}"; \
+	export ASTRBOT_SOURCE_GIT_URL="$(ASTRBOT_SOURCE_GIT_URL)"; \
+	export ASTRBOT_SOURCE_GIT_REF="$(ASTRBOT_SOURCE_GIT_REF)"; \
+	export ASTRBOT_DESKTOP_VERSION="$$build_version"; \
+	if [ -n "$$build_source_dir" ]; then \
+		export ASTRBOT_SOURCE_DIR="$$build_source_dir"; \
+	fi; \
+	build_cmd="cargo tauri build --config $(TAURI_BUILD_CONFIG)"; \
+	if [ -n "$(ASTRBOT_TAURI_BUNDLES)" ]; then \
+		build_cmd="$$build_cmd --bundles \"$(ASTRBOT_TAURI_BUNDLES)\""; \
+	fi; \
+	eval "$$build_cmd"
+
 rebuild: clean build
 
 lint:
diff --git a/README.md b/README.md
@@ -110,72 +110,54 @@ source .astrbot-reset-env.sh
 
 ## 应用内升级（Updater）与签名构建
 
-当前 CI 已支持上传 updater 产物并生成 `latest.json`，但要真正启用应用内升级，还需要完成以下配置。
+推荐使用 `make`，避免手动拼接长命令。
 
-### 1. 配置 GitHub Actions（远程构建）
+### 本地从头构建（推荐）
 
-在仓库 `Settings -> Secrets and variables -> Actions` 配置：
+```bash
+make deps
+make prepare
+make signing-key
 
-- `TAURI_SIGNING_PRIVATE_KEY`：Tauri updater 私钥内容（多行文本）
-- `TAURI_SIGNING_PRIVATE_KEY_PASSWORD`：私钥密码
-- `ASTRBOT_LINUX_BUNDLES`（可选）：Linux 打包目标，建议 `deb,rpm,appimage`（需要 Linux updater 时）
-
-### 2. 配置 Tauri updater（仓库文件）
-
-在 `src-tauri/tauri.conf.json` 中启用 updater 配置（示例）：
-
-```json
-{
-  "bundle": {
-    "createUpdaterArtifacts": true
-  },
-  "plugins": {
-    "updater": {
-      "active": true,
-      "endpoints": [
-        "https://github.com/AstrBotDevs/AstrBot-desktop/releases/latest/download/latest.json"
-      ],
-      "pubkey": "<tauri signer 生成的公钥>"
-    }
-  }
-}
+export TAURI_SIGNING_PRIVATE_KEY_PATH="$HOME/.tauri/astrbot.key"
+export TAURI_SIGNING_PRIVATE_KEY_PASSWORD='你的密码'
+
+make build-signed \
+  ASTRBOT_UPDATER_PUBKEY_FILE="$HOME/.tauri/astrbot.key.pub" \
+  ASTRBOT_TAURI_BUNDLES="deb,rpm,appimage"
 ```
 
 说明：
 
-- `pubkey` 必须与签名私钥配对，否则客户端会校验失败。
-- `latest.json` 会在 release 阶段由 CI 自动生成并上传。
+- `make build-signed` 会自动生成临时覆盖配置 `src-tauri/tauri.build.config.json`，并用 `cargo tauri build --config ...` 构建。
+- 默认 updater endpoint 指向上游：
+  `https://github.com/AstrBotDevs/AstrBot-desktop/releases/latest/download/latest.json`
+- 临时覆盖配置已在 `.gitignore` 中，不会误提交。
 
-### 3. 本地生成密钥与签名构建
-
-生成私钥/公钥：
+### 本地切换到 fork 更新源（测试用）
 
 ```bash
-cargo tauri signer generate -w ~/.tauri/astrbot.key
+make build-signed \
+  ASTRBOT_UPDATER_PUBKEY_FILE="$HOME/.tauri/astrbot.key.pub" \
+  ASTRBOT_UPDATER_ENDPOINT="https://github.com/<your-name>/AstrBot-desktop/releases/latest/download/latest.json" \
+  ASTRBOT_TAURI_BUNDLES="deb,rpm,appimage"
 ```
 
-设置签名环境变量（二选一）：
+注意：`ASTRBOT_UPDATER_ENDPOINT` 对应的发布资产，必须使用与 `ASTRBOT_UPDATER_PUBKEY` 匹配的私钥签名。
 
-```bash
-# 方式 A：直接传私钥内容
-export TAURI_SIGNING_PRIVATE_KEY="$(cat ~/.tauri/astrbot.key)"
-export TAURI_SIGNING_PRIVATE_KEY_PASSWORD='你的密码'
-```
+### CI（GitHub Actions）需要配置
 
-```bash
-# 方式 B：传私钥路径
-export TAURI_SIGNING_PRIVATE_KEY_PATH="$HOME/.tauri/astrbot.key"
-export TAURI_SIGNING_PRIVATE_KEY_PASSWORD='你的密码'
-```
+在仓库 `Settings -> Secrets and variables -> Actions` 配置：
 
-执行构建：
+- `TAURI_SIGNING_PRIVATE_KEY`：Tauri updater 私钥内容（多行）
+- `TAURI_SIGNING_PRIVATE_KEY_PASSWORD`：私钥密码
+- `ASTRBOT_UPDATER_PUBKEY`：与私钥配对的公钥
+- `ASTRBOT_UPDATER_ENDPOINT`（可选）：覆盖更新源（默认上游）
+- `ASTRBOT_LINUX_BUNDLES`（可选）：建议 `deb,rpm,appimage`
 
-```bash
-# Linux（包含 updater 常用目标）
-cargo tauri build --bundles "deb,rpm,appimage"
-```
+CI 在发布阶段会自动生成并上传 `latest.json` 与 updater 产物（含 `.sig`）。
 
-可用以下命令检查是否生成 updater 产物与签名文件：
+### 产物检查
 
 ```bash
 find src-tauri/target/release/bundle -type f | rg 'updater|\.sig$|AppImage\.tar\.gz|\.app\.tar\.gz|nsis\.zip'
diff --git a/scripts/ci/build-windows-installers.sh b/scripts/ci/build-windows-installers.sh
@@ -24,8 +24,14 @@ if [ -z "${bundles}" ]; then
   exit 1
 fi
 
+tauri_config_path="${ASTRBOT_TAURI_CONFIG_PATH:-}"
+tauri_build_args=(--bundles "${bundles}")
+if [ -n "${tauri_config_path}" ]; then
+  tauri_build_args=(--config "${tauri_config_path}" "${tauri_build_args[@]}")
+fi
+
 echo "Building Windows installers with bundles: ${bundles}"
 (
   cd "${root_dir}"
-  cargo tauri build --bundles "${bundles}"
+  cargo tauri build "${tauri_build_args[@]}"
 )
diff --git a/scripts/ci/render-tauri-build-config.py b/scripts/ci/render-tauri-build-config.py
@@ -0,0 +1,71 @@
+#!/usr/bin/env python3
+
+from __future__ import annotations
+
+import argparse
+import json
+import pathlib
+
+DEFAULT_UPDATER_ENDPOINT = (
+    "https://github.com/AstrBotDevs/AstrBot-desktop/releases/latest/download/latest.json"
+)
+
+
+def parse_args() -> argparse.Namespace:
+    parser = argparse.ArgumentParser(
+        description="Render a temporary Tauri config override for CI/local builds."
+    )
+    parser.add_argument("--output", required=True, help="Path to output JSON config file.")
+    parser.add_argument(
+        "--updater-endpoint",
+        default=DEFAULT_UPDATER_ENDPOINT,
+        help="Updater latest.json endpoint URL.",
+    )
+    parser.add_argument(
+        "--updater-pubkey",
+        default="",
+        help="Updater public key. If empty, plugins.updater override is skipped.",
+    )
+    parser.add_argument(
+        "--disable-updater-artifacts",
+        action="store_true",
+        help="Disable bundle.createUpdaterArtifacts override.",
+    )
+    return parser.parse_args()
+
+
+def main() -> int:
+    args = parse_args()
+    output_path = pathlib.Path(args.output)
+    updater_endpoint = args.updater_endpoint.strip()
+    updater_pubkey = args.updater_pubkey.strip()
+
+    config: dict[str, object] = {}
+    if not args.disable_updater_artifacts:
+        config["bundle"] = {"createUpdaterArtifacts": True}
+
+    if updater_endpoint and updater_pubkey:
+        config["plugins"] = {
+            "updater": {
+                "active": True,
+                "endpoints": [updater_endpoint],
+                "pubkey": updater_pubkey,
+            }
+        }
+    elif updater_endpoint and not updater_pubkey:
+        print(
+            "::warning::[tauri-build-config] "
+            "ASTRBOT_UPDATER_PUBKEY is empty; skip plugins.updater override."
+        )
+
+    output_path.parent.mkdir(parents=True, exist_ok=True)
+    output_path.write_text(
+        json.dumps(config, ensure_ascii=False, indent=2) + "\n",
+        encoding="utf-8",
+    )
+    print(f"[tauri-build-config] generated: {output_path}")
+    return 0
+
+
+if __name__ == "__main__":
+    raise SystemExit(main())
diff --git a/src-tauri/src/desktop_bridge_commands.rs b/src-tauri/src/desktop_bridge_commands.rs
@@ -247,7 +247,11 @@ pub(crate) async fn desktop_bridge_install_desktop_app_update(
     append_desktop_log(&format!(
         "desktop app update installed to version {target_version}; restarting app"
     ));
-    app_handle.restart();
+    app_handle.request_restart();
+    BackendBridgeResult {
+        ok: true,
+        reason: None,
+    }
 }
 
 #[tauri::command]
