chore: release 26.0.19

CHANGELOG.md

@@ -7,4 +7,8 @@
 - Added verbose logging in `MainView` to trace server loading, selection, and fetch/ping activity when the list appears empty.
 - Switched `MainView` and `ServerFormView` to the version-aware API client (`APIFactory`/`APIv2_12`) for server summaries and introduced a shared `PingService`.
 - Detection now probes `meta.api_version` so future API versions are selected automatically, and the ping loop logs only failures to keep output quiet.
+- Introduced repository-wide version management via `version.json` + `scripts/sync_version.sh`, ensuring Xcode targets and release artifacts stay aligned.
+- Enhanced `scripts/build_release.sh` to timestamp/harden signatures, notarize DMGs, and optionally publish tagged releases (pre-release by default) with ZIP/DMG assets directly to Gitea when credentials are configured.
+- Integrated Sparkle (via Swift Package Manager) to handle automatic update checks, downloads, signature verification, and relaunches, replacing the previous custom updater UI. Preferences now simply surface Sparkle's check/download toggles.
+- `scripts/build_release.sh` can optionally run Sparkle’s `generate_appcast` (when signing key and download prefix env vars are set), producing a ready-to-host `appcast.xml` alongside the ZIP/DMG artifacts.
 - Further reduced MainView console noise by removing redundant refresh/onAppear logs.

NOTES.md

@@ -3,6 +3,7 @@
     dynamic Data
     static Data
 
-add a merker for "reboot required"
+add a marker for "reboot required"
-Add dmg download option for macOS
+
-Add versioning
+dummy2
+                    

README.md

@@ -8,9 +8,10 @@ iKeyMon is a native macOS app written in SwiftUI that provides live monitoring f
 - Shows CPU load, memory usage, swap usage, and disk usage
 - Periodic ping via `/api/ping` endpoint to check if a server is reachable
 - Colored status indicator for each server in the list
-- Automatic updates:
+- Automatic refreshes:
   - Ping every 10 seconds
   - Server info every 60 seconds
+- Built-in Sparkle updater (automatic checks, downloads, and relaunch once a signed release is available)
 - Organized layout using tabs: General / Resources / Services
 - Stores API keys securely in the macOS Keychain
 - Native macOS look & feel using SwiftUI
@@ -46,6 +47,60 @@ Use the helper script to produce distributables in `dist/`:
 ```
 
 It cleans previous artifacts, builds the `Release` configuration, and drops both `iKeyMon-<version>.zip` and `iKeyMon-<version>.dmg` into the `dist` folder (ignored by git). To enable codesigning + notarization, copy `signing.env.example` to `.signing.env`, fill in your Developer ID identity, Apple ID, team ID, and app-specific password. The script sources that file locally (it remains gitignored) and performs signing/notarization when the values are present.
+
+To auto-publish the artifacts as a Gitea release, extend `.signing.env` with:
+
+```
+GITEA_TOKEN="..."
+GITEA_OWNER="tracer"
+GITEA_REPO="iKeyMon"
+# optional: GITEA_API_BASE="https://git.24unix.net/api/v1"
+# optional: GITEA_TARGET_COMMIT="master"
+# optional: GITEA_PRERELEASE="false"   # defaults to true until preferences are done
+# optional Sparkle feed helpers:
+# SPARKLE_EDDSA_KEY_FILE="$HOME/.config/Sparkle/iKeyMon.key"
+# SPARKLE_DOWNLOAD_BASE_URL="https://git.24unix.net/tracer/iKeyMon/releases/download"
+# SPARKLE_DOWNLOAD_SUBDIR_TEMPLATE="v{{VERSION}}"
+# SPARKLE_APPCAST_OUTPUT="$ROOT_DIR/Sparkle/appcast.xml"  # default
+```
+
+`GITEA_TARGET_COMMIT` defaults to the current `HEAD` commit, so overriding it lets you publish from another branch if needed. Whenever those variables are set, the script will create (or reuse) tag `v<version>` and upload both ZIP and DMG as release assets automatically.
+
+If you re-run the release script for the same version, it removes any existing assets with the same filenames before uploading, so you never end up with duplicate ZIP/DMG files on the release page.
+
+### Sparkle updates
+
+iKeyMon uses [Sparkle](https://sparkle-project.org/) for macOS-safe updates.
+
+1. Generate an EdDSA key pair once (`./Packages/Sparkle/bin/generate_keys`). Store the private key on-disk (for example `~/.config/Sparkle/iKeyMon.key`, which the build script expects) and copy the public key into the `SUPublicEDKey` entry (see Info.plist notes below).
+2. `./scripts/build_release.sh` signs the ZIP with Sparkle’s `sign_update` tool and invokes `generate_appcast` automatically when the Sparkle variables are present. The generated feed is written to `Sparkle/appcast.xml`, so commit that file after every release. Set `SPARKLE_DOWNLOAD_BASE_URL` to the static portion of your release-download endpoint (e.g. `https://…/releases/download`) and `SPARKLE_DOWNLOAD_SUBDIR_TEMPLATE` to the path segment that should be inserted before each asset (default `v{{VERSION}}` mirrors how Gitea exposes assets). The feed stays inside the repo (it is not uploaded as a release asset).
+3. Set `SUFeedURL` in Info.plist (or the corresponding build setting) to the raw URL of `Sparkle/appcast.xml` inside this repo (e.g. `https://git.24unix.net/tracer/iKeyMon/raw/branch/master/Sparkle/appcast.xml`).
+
+Preferences expose Sparkle’s built-in toggles for “Automatically check” and “Automatically download”, and the toolbar button simply calls Sparkle’s “Check for Updates…” sheet.
+
+> `./scripts/build_release.sh` will call `generate_appcast` for you when `SPARKLE_EDDSA_KEY_FILE`, `SPARKLE_DOWNLOAD_BASE_URL`, and (optionally) `SPARKLE_DOWNLOAD_SUBDIR_TEMPLATE` are set. It tries to locate Sparkle’s CLI in DerivedData automatically, but you can override the path via `SPARKLE_GENERATE_APPCAST`. The resulting feed is written to `SPARKLE_APPCAST_OUTPUT` (defaults to `Sparkle/appcast.xml`).
+
+> Build settings include `INFOPLIST_KEY_SUFeedURL` and `INFOPLIST_KEY_SUPublicEDKey`. Make sure to fill both before shipping a build so Sparkle knows where to fetch updates and how to verify them.
+
+### Automated release push
+
+If you want `git push origin master` to build/sign/notarize/upload automatically, enable the provided pre-push hook:
+
+```bash
+git config core.hooksPath hooks
+```
+
+The hook (see `hooks/pre-push`) watches for pushes that include `refs/heads/master`, automatically bumps `marketing_version` (incrementing the last component), runs `scripts/build_release.sh`, stages `version.json`, `iKeyMon.xcodeproj/project.pbxproj`, and `Sparkle/appcast.xml`, then creates a commit `chore: release <version>`. It performs its own `git push` behind the scenes and cancels the original push command so you don't upload the same refs twice—once you see “Release … pushed. Original push cancelled”, you're done (Git will report the original push failed; that's expected). To skip the automation temporarily, prepend `SKIP_RELEASE=1` to your `git push` command.
+
+The bumping logic lives in `scripts/bump_version.sh` (feel free to run it manually if you need to create a release without pushing).
+
+### Versioning workflow
+
+- The canonical marketing version lives in `version.json` and follows the format `YY.major.minor` (example: `26.1.2`). Update that file manually whenever you cut a new release branch.
+- The build number is derived automatically from the git commit count on the current branch (you can override it by exporting `BUILD_NUMBER` before running the script if needed).
+- Run `./scripts/sync_version.sh` anytime after editing `version.json` (the release script already calls it). The helper updates `MARKETING_VERSION` and `CURRENT_PROJECT_VERSION` inside `iKeyMon.xcodeproj`, keeping Xcode, the app bundle, and release artifacts in sync.
+- `scripts/build_release.sh` reads the same `version.json` for naming the generated ZIP/DMG, so the artifact names, Info.plist values, and UI displays all stay aligned.
+
 ## 📦 License
 
 MIT — see [LICENSE](LICENSE) for details.

Sources/Extensions/View+Shimmer.swift

@@ -15,11 +15,10 @@ struct ShimmerModifier: ViewModifier {
                 guard active else { return }
                 animate()
             }
-            .onChange(of: active) { isActive in
+            .onChange(of: active) {
-                if isActive {
+                guard active else { return }
-                    phase = -1
+                phase = -1
-                    animate()
+                animate()
-                }
             }
     }
 

Sources/ViewModels/SparkleUpdater.swift

@@ -0,0 +1,26 @@
+import Sparkle
+import Foundation
+
+@MainActor
+final class SparkleUpdater: NSObject, ObservableObject {
+    let controller: SPUStandardUpdaterController
+
+    override init() {
+        self.controller = SPUStandardUpdaterController(startingUpdater: true, updaterDelegate: nil, userDriverDelegate: nil)
+        super.init()
+    }
+
+    var automaticallyChecksForUpdates: Bool {
+        get { controller.updater.automaticallyChecksForUpdates }
+        set { controller.updater.automaticallyChecksForUpdates = newValue }
+    }
+
+    var automaticallyDownloadsUpdates: Bool {
+        get { controller.updater.automaticallyDownloadsUpdates }
+        set { controller.updater.automaticallyDownloadsUpdates = newValue }
+    }
+
+    func checkForUpdates() {
+        controller.checkForUpdates(nil)
+    }
+}

Sources/Views/MainView.swift

@@ -12,14 +12,13 @@ struct MainView: View {
     private static let serverOrderKeyStatic = "serverOrder"
     private static let storedServersKeyStatic = "storedServers"
 
+    @EnvironmentObject private var sparkleUpdater: SparkleUpdater
     @State var showAddServerSheet: Bool = false
     @State private var serverBeingEdited: Server?
     @State private var serverToDelete: Server?
     @State private var showDeleteConfirmation = false
     @State private var isFetchingInfo: Bool = false
     @State private var refreshTimer = Timer.publish(every: 60, on: .main, in: .common).autoconnect()
-    @State private var progress: Double = 0
-    @State private var lastRefresh = Date()
     @State private var pingTimer: Timer?
     private let serverOrderKey = MainView.serverOrderKeyStatic
     private let storedServersKey = MainView.storedServersKeyStatic
@@ -30,9 +29,9 @@ struct MainView: View {
     @State private var selectedServerID: UUID?
 
     var body: some View {
-            
+        var mainContent: some View {
-        NavigationSplitView {
+            NavigationSplitView {
-            List(selection: $selectedServerID) {
+                List(selection: $selectedServerID) {
                 ForEach(servers) { server in
                     HStack {
                         Image(systemName: "dot.circle.fill")
@@ -61,6 +60,14 @@ struct MainView: View {
                     }
                     .help("Add Host")
                 }
+                ToolbarItem {
+                    Button {
+                        sparkleUpdater.checkForUpdates()
+                    } label: {
+                        Image(systemName: "square.and.arrow.down")
+                    }
+                    .help("Check for Updates")
+                }
             }
             .navigationTitle("Servers")
             .onChange(of: selectedServerID) {
@@ -76,7 +83,9 @@ struct MainView: View {
             } else {
                 ContentUnavailableView("No Server Selected", systemImage: "server.rack")
             }
+            }
         }
+        return mainContent
         .sheet(isPresented: $showAddServerSheet) {
             ServerFormView(
                 mode: .add,
@@ -130,7 +139,6 @@ struct MainView: View {
             }
         }
         .frame(minWidth: 800, minHeight: 450)
-
     }
     
     private func fetchServerInfo(for id: UUID) {
@@ -261,4 +269,5 @@ struct MainView: View {
 
 #Preview {
     MainView()
+        .environmentObject(SparkleUpdater())
 }

Sources/Views/PreferencesView.swift

@@ -2,13 +2,14 @@ import SwiftUI
 
 struct PreferencesView: View {
     private enum Tab: CaseIterable {
-        case monitor, notifications, alerts
+        case monitor, notifications, alerts, updates
 
         var title: String {
             switch self {
             case .monitor: return "Monitor"
             case .notifications: return "Notifications"
             case .alerts: return "Alerts"
+            case .updates: return "Updates"
             }
         }
 
@@ -17,9 +18,11 @@ struct PreferencesView: View {
             case .monitor: return "waveform.path.ecg"
             case .notifications: return "bell.badge"
             case .alerts: return "exclamationmark.triangle"
+            case .updates: return "square.and.arrow.down"
             }
         }
     }
+    @EnvironmentObject private var sparkleUpdater: SparkleUpdater
 
     @AppStorage("pingInterval") private var storedPingInterval: Int = 10
     @AppStorage("refreshInterval") private var storedRefreshInterval: Int = 60
@@ -77,14 +80,14 @@ struct PreferencesView: View {
                     .padding(.vertical, 8)
                     .padding(.horizontal, 10)
                     .frame(maxWidth: .infinity, alignment: .leading)
+                    .background(
+                        Capsule(style: .continuous)
+                            .fill(backgroundColor(for: tab))
+                    )
                 }
                 .buttonStyle(.plain)
                 .focusable(false)
                 .contentShape(Capsule())
-                .background(
-                    Capsule(style: .continuous)
-                        .fill(backgroundColor(for: tab))
-                )
                 .foregroundColor(selection == tab ? .white : .primary)
                 .onHover { isHovering in
                     hoveredTab = isHovering ? tab : (hoveredTab == tab ? nil : hoveredTab)
@@ -120,6 +123,9 @@ struct PreferencesView: View {
                 NotificationsPreferencesView()
             case .alerts:
                 AlertsPreferencesView()
+            case .updates:
+                UpdatesPreferencesView()
+                    .environmentObject(sparkleUpdater)
             }
         }
     }
@@ -220,6 +226,44 @@ private struct MonitorPreferencesView: View {
     }
 }
 
+private struct UpdatesPreferencesView: View {
+    @EnvironmentObject var sparkleUpdater: SparkleUpdater
+
+    private var automaticallyChecksBinding: Binding<Bool> {
+        Binding(
+            get: { sparkleUpdater.automaticallyChecksForUpdates },
+            set: { sparkleUpdater.automaticallyChecksForUpdates = $0 }
+        )
+    }
+
+    private var automaticallyDownloadsBinding: Binding<Bool> {
+        Binding(
+            get: { sparkleUpdater.automaticallyDownloadsUpdates },
+            set: { sparkleUpdater.automaticallyDownloadsUpdates = $0 }
+        )
+    }
+
+    var body: some View {
+        VStack(alignment: .leading, spacing: 18) {
+            Toggle("Automatically check for updates", isOn: automaticallyChecksBinding)
+            Toggle("Automatically download updates", isOn: automaticallyDownloadsBinding)
+
+            Button(action: sparkleUpdater.checkForUpdates) {
+                Label("Check for Updates Now", systemImage: "sparkles")
+            }
+
+            Text("Updates are delivered via Sparkle. Configure your appcast URL and public EdDSA key in Info.plist (keys `SUFeedURL` and `SUPublicEDKey`).")
+                .font(.caption)
+                .foregroundColor(.secondary)
+                .padding(.top, 4)
+
+            Spacer()
+        }
+        .toggleStyle(.switch)
+        .frame(maxWidth: .infinity, alignment: .leading)
+    }
+}
+
 private struct NotificationsPreferencesView: View {
     var body: some View {
         VStack(alignment: .leading, spacing: 12) {

Sources/Views/Tabs/GeneralView.swift

@@ -59,10 +59,11 @@ struct GeneralView: View {
                                 var description = os.label.trimmingCharacters(in: .whitespacesAndNewlines)
                                 if description.isEmpty {
                                     description = distro
-                                } else if !distro.isEmpty && distro.caseInsensitiveCompare(description) != .orderedSame {
+                                } else if !distro.isEmpty && description.range(of: distro, options: [.caseInsensitive]) == nil {
                                     description += " • \(distro)"
                                 }
-                                if !os.architecture.isEmpty {
+                                if !os.architecture.isEmpty &&
+                                    description.range(of: os.architecture, options: [.caseInsensitive]) == nil {
                                     description += " (\(os.architecture))"
                                 }
                                 if !description.isEmpty {

Sources/iKeyMonApp.swift

@@ -12,6 +12,8 @@ import AppKit
 
 @main
 struct iKeyMonApp: App {
+    @StateObject private var sparkleUpdater = SparkleUpdater()
+
     init() {
         #if os(macOS)
         if let customIcon = NSImage(named: "AppIcon") {
@@ -23,6 +25,7 @@ struct iKeyMonApp: App {
     var body: some Scene {
         WindowGroup {
             MainView()
+                .environmentObject(sparkleUpdater)
                 .onDisappear {
                     NSApp.terminate(nil)
                 }
@@ -32,6 +35,7 @@ struct iKeyMonApp: App {
         Settings {
             PreferencesView()
                 .padding()
+                .environmentObject(sparkleUpdater)
         }
     }
 }

Sparkle/appcast.xml

@@ -0,0 +1,30 @@
+<?xml version="1.0" standalone="yes"?>
+<rss xmlns:sparkle="http://www.andymatuschak.org/xml-namespaces/sparkle" version="2.0">
+    <channel>
+        <title>iKeyMon</title>
+        <item>
+            <title>26.0.16</title>
+            <pubDate>Tue, 25 Nov 2025 18:34:19 +0100</pubDate>
+            <sparkle:version>39</sparkle:version>
+            <sparkle:shortVersionString>26.0.16</sparkle:shortVersionString>
+            <sparkle:minimumSystemVersion>15.2</sparkle:minimumSystemVersion>
+            <enclosure url="https://git.24unix.net/tracer/iKeyMon/releases/download/v26.0.16/iKeyMon-26.0.16.zip" length="4801351" type="application/octet-stream" sparkle:edSignature="lbQEpxEElRxwyRdm0LQIxsnfh8o8Kt66wQlcl4PBs68lBmjkq0b/5EsVCElWQb0Nei/GCk6I/m2mSNL7mA3wBQ=="/>
+        </item>
+        <item>
+            <title>26.0.15</title>
+            <pubDate>Tue, 25 Nov 2025 18:11:17 +0100</pubDate>
+            <sparkle:version>35</sparkle:version>
+            <sparkle:shortVersionString>26.0.15</sparkle:shortVersionString>
+            <sparkle:minimumSystemVersion>15.2</sparkle:minimumSystemVersion>
+            <enclosure url="https://git.24unix.net/tracer/iKeyMon/releases/download/v26.0.15/iKeyMon-26.0.15.zip" length="4801128" type="application/octet-stream" sparkle:edSignature="T16+tX44yN2UqIUsMJeZAxydOuLC6lcQQrlRElTkJlSWPheWLy9xPjP4T45mNSOcWTax0gRCnI50ab3geL9XAA=="/>
+        </item>
+        <item>
+            <title>26.0.15</title>
+            <pubDate>Tue, 25 Nov 2025 17:42:56 +0100</pubDate>
+            <sparkle:version>34</sparkle:version>
+            <sparkle:shortVersionString>26.0.15</sparkle:shortVersionString>
+            <sparkle:minimumSystemVersion>15.2</sparkle:minimumSystemVersion>
+            <enclosure url="https://git.24unix.net/tracer/iKeyMon/releases/download/v26.0.15/iKeyMon-26.0.15.zip" length="4800821" type="application/octet-stream" sparkle:edSignature="bojJ638CY0n+34POoJX3OBrXRAiPOYPiDTfgJOS9fCslw8YGKZLviJvcExC2PKh1HDt0Raabo0FJUJrAFUMmBQ=="/>
+        </item>
+    </channel>
+</rss>

hooks/pre-push

@@ -0,0 +1,62 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+ROOT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
+REMOTE_NAME="${1:-origin}"
+
+if [[ -n "${SKIP_RELEASE:-}" ]]; then
+  echo "⚙️  SKIP_RELEASE set — skipping automated release build."
+  exit 0
+fi
+
+should_release=false
+release_local_ref=""
+release_remote_ref=""
+while read -r local_ref local_sha remote_ref remote_sha; do
+  [[ -z "${local_ref:-}" ]] && continue
+  if [[ "$local_ref" == "refs/heads/master" || "$remote_ref" == "refs/heads/master" ]]; then
+    should_release=true
+    release_local_ref="$local_ref"
+    release_remote_ref="${remote_ref:-refs/heads/master}"
+  fi
+done
+
+if [[ "$should_release" != true ]]; then
+  current_branch="$(git -C "$ROOT_DIR" symbolic-ref --short -q HEAD || true)"
+  if [[ "$current_branch" == "master" ]]; then
+    should_release=true
+    release_local_ref="refs/heads/master"
+    release_remote_ref="refs/heads/master"
+  fi
+fi
+
+if [[ "$should_release" != true ]]; then
+  exit 0
+fi
+
+echo "🚀 Detected push to master — bumping version and building release..."
+NEW_VERSION="$("$ROOT_DIR/scripts/bump_version.sh")"
+echo "🔢 marketing_version -> ${NEW_VERSION}"
+"$ROOT_DIR/scripts/sync_version.sh"
+
+git -C "$ROOT_DIR" add "$ROOT_DIR/version.json" "$ROOT_DIR/iKeyMon.xcodeproj/project.pbxproj"
+
+"$ROOT_DIR/scripts/build_release.sh"
+
+git -C "$ROOT_DIR" add "$ROOT_DIR/version.json" "$ROOT_DIR/iKeyMon.xcodeproj/project.pbxproj" "$ROOT_DIR/Sparkle/appcast.xml"
+
+if git -C "$ROOT_DIR" diff --cached --quiet; then
+  echo "⚠️ No release changes detected; skipping release commit."
+else
+  git -C "$ROOT_DIR" commit -m "chore: release ${NEW_VERSION}"
+  echo "📝 Committed release ${NEW_VERSION}."
+fi
+
+echo "📤 Pushing release commit..."
+if SKIP_RELEASE=1 git -C "$ROOT_DIR" push "$REMOTE_NAME" "${release_local_ref:-refs/heads/master}:${release_remote_ref:-refs/heads/master}"; then
+  echo "✅ Release ${NEW_VERSION} pushed. Original push cancelled (already done)."
+  exit 1
+else
+  echo "❌ Failed to push release ${NEW_VERSION}. Please resolve manually."
+  exit 1
+fi

iKeyMon-Info.plist

@@ -0,0 +1,10 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+	<key>SUFeedURL</key>
+	<string>https://git.24unix.net/tracer/iKeyMon/raw/branch/master/Sparkle/appcast.xml</string>
+	<key>SUPublicEDKey</key>
+	<string>EgJgrOGQ79L5me616jA7kDCEOgx+Rg11uYLYLLIyzTI=</string>
+</dict>
+</plist>

iKeyMon.xcodeproj/project.pbxproj

@@ -10,8 +10,22 @@
 		52A9B79F2EC8E7EE004DD4A2 /* Assets.xcassets in Resources */ = {isa = PBXBuildFile; fileRef = 52A9B7872EC8E7EE004DD4A2 /* Assets.xcassets */; };
 		52A9B8222EC8FA8A004DD4A2 /* CHANGELOG.md in Resources */ = {isa = PBXBuildFile; fileRef = 52A9B8212EC8FA8A004DD4A2 /* CHANGELOG.md */; };
 		52A9B9722ECF751C004DD4A2 /* signing.env.example in Resources */ = {isa = PBXBuildFile; fileRef = 52A9B9712ECF751C004DD4A2 /* signing.env.example */; };
+		52A9BD112ED377F7004DD4A2 /* Sparkle in Frameworks */ = {isa = PBXBuildFile; productRef = 52A9BD102ED377F7004DD4A2 /* Sparkle */; };
+		52A9BECA2ED3874F004DD4A2 /* README.md in Resources */ = {isa = PBXBuildFile; fileRef = 52A9BEC92ED3874F004DD4A2 /* README.md */; };
 /* End PBXBuildFile section */
 
+/* Begin PBXCopyFilesBuildPhase section */
+		52A9BD152ED37BD8004DD4A2 /* CopyFiles */ = {
+			isa = PBXCopyFilesBuildPhase;
+			buildActionMask = 2147483647;
+			dstPath = "";
+			dstSubfolderSpec = 6;
+			files = (
+			);
+			runOnlyForDeploymentPostprocessing = 0;
+		};
+/* End PBXCopyFilesBuildPhase section */
+
 /* Begin PBXFileReference section */
 		5203C24D2D997D2800576D4A /* iKeyMon.app */ = {isa = PBXFileReference; explicitFileType = wrapper.application; includeInIndex = 0; path = iKeyMon.app; sourceTree = BUILT_PRODUCTS_DIR; };
 		52A9B7872EC8E7EE004DD4A2 /* Assets.xcassets */ = {isa = PBXFileReference; lastKnownFileType = folder.assetcatalog; path = Assets.xcassets; sourceTree = "<group>"; };
@@ -19,6 +33,8 @@
 		52A9B8212EC8FA8A004DD4A2 /* CHANGELOG.md */ = {isa = PBXFileReference; lastKnownFileType = net.daringfireball.markdown; path = CHANGELOG.md; sourceTree = "<group>"; };
 		52A9B8BA2ECA35FB004DD4A2 /* NOTES.md */ = {isa = PBXFileReference; lastKnownFileType = net.daringfireball.markdown; path = NOTES.md; sourceTree = "<group>"; };
 		52A9B9712ECF751C004DD4A2 /* signing.env.example */ = {isa = PBXFileReference; lastKnownFileType = text; path = signing.env.example; sourceTree = "<group>"; };
+		52A9BEC92ED3874F004DD4A2 /* README.md */ = {isa = PBXFileReference; lastKnownFileType = net.daringfireball.markdown; path = README.md; sourceTree = "<group>"; };
+		52A9C38F2ED4D753004DD4A2 /* iKeyMon-Info.plist */ = {isa = PBXFileReference; lastKnownFileType = text.plist; path = "iKeyMon-Info.plist"; sourceTree = "<group>"; };
 /* End PBXFileReference section */
 
 /* Begin PBXFileSystemSynchronizedRootGroup section */
@@ -39,6 +55,7 @@
 			isa = PBXFrameworksBuildPhase;
 			buildActionMask = 2147483647;
 			files = (
+				52A9BD112ED377F7004DD4A2 /* Sparkle in Frameworks */,
 			);
 			runOnlyForDeploymentPostprocessing = 0;
 		};
@@ -48,6 +65,7 @@
 		5203C2442D997D2800576D4A = {
 			isa = PBXGroup;
 			children = (
+				52A9C38F2ED4D753004DD4A2 /* iKeyMon-Info.plist */,
 				52A9B8BE2ECB68B5004DD4A2 /* Sources */,
 				52A9B7872EC8E7EE004DD4A2 /* Assets.xcassets */,
 				52A9B7882EC8E7EE004DD4A2 /* iKeyMon.entitlements */,
@@ -56,6 +74,8 @@
 				52A9B8212EC8FA8A004DD4A2 /* CHANGELOG.md */,
 				52A9B8BA2ECA35FB004DD4A2 /* NOTES.md */,
 				52A9B9712ECF751C004DD4A2 /* signing.env.example */,
+				52A9BEC92ED3874F004DD4A2 /* README.md */,
+				52A9BD122ED37E08004DD4A2 /* Frameworks */,
 			);
 			sourceTree = "<group>";
 		};
@@ -67,6 +87,13 @@
 			name = Products;
 			sourceTree = "<group>";
 		};
+		52A9BD122ED37E08004DD4A2 /* Frameworks */ = {
+			isa = PBXGroup;
+			children = (
+			);
+			name = Frameworks;
+			sourceTree = "<group>";
+		};
 /* End PBXGroup section */
 
 /* Begin PBXNativeTarget section */
@@ -77,6 +104,7 @@
 				5203C2492D997D2800576D4A /* Sources */,
 				5203C24A2D997D2800576D4A /* Frameworks */,
 				5203C24B2D997D2800576D4A /* Resources */,
+				52A9BD152ED37BD8004DD4A2 /* CopyFiles */,
 			);
 			buildRules = (
 			);
@@ -88,6 +116,7 @@
 			);
 			name = iKeyMon;
 			packageProductDependencies = (
+				52A9BD102ED377F7004DD4A2 /* Sparkle */,
 			);
 			productName = iKeyMon;
 			productReference = 5203C24D2D997D2800576D4A /* iKeyMon.app */;
@@ -117,6 +146,9 @@
 			);
 			mainGroup = 5203C2442D997D2800576D4A;
 			minimizedProjectReferenceProxies = 1;
+			packageReferences = (
+				52A9BD0F2ED377F7004DD4A2 /* XCRemoteSwiftPackageReference "Sparkle" */,
+			);
 			preferredProjectObjectVersion = 77;
 			productRefGroup = 5203C24E2D997D2800576D4A /* Products */;
 			projectDirPath = "";
@@ -133,6 +165,7 @@
 			buildActionMask = 2147483647;
 			files = (
 				52A9B8222EC8FA8A004DD4A2 /* CHANGELOG.md in Resources */,
+				52A9BECA2ED3874F004DD4A2 /* README.md in Resources */,
 				52A9B79F2EC8E7EE004DD4A2 /* Assets.xcassets in Resources */,
 				52A9B9722ECF751C004DD4A2 /* signing.env.example in Resources */,
 			);
@@ -277,19 +310,22 @@
 				CODE_SIGN_ENTITLEMENTS = iKeyMon.entitlements;
 				CODE_SIGN_STYLE = Automatic;
 				COMBINE_HIDPI_IMAGES = YES;
-				CURRENT_PROJECT_VERSION = 1;
+				CURRENT_PROJECT_VERSION = 45;
 				DEVELOPMENT_ASSET_PATHS = "\"Preview Content\"";
 				DEVELOPMENT_TEAM = Q5486ZVAFT;
 				ENABLE_HARDENED_RUNTIME = YES;
 				ENABLE_PREVIEWS = YES;
 				GENERATE_INFOPLIST_FILE = YES;
+				INFOPLIST_FILE = "iKeyMon-Info.plist";
 				INFOPLIST_KEY_CFBundleIconName = AppIcon;
 				INFOPLIST_KEY_NSHumanReadableCopyright = "";
+				INFOPLIST_KEY_SUFeedURL = "https://git.24unix.net/tracer/iKeyMon/releases/appcast.xml";
+				INFOPLIST_KEY_SUPublicEDKey = "EgJgrOGQ79L5me616jA7kDCEOgx+Rg11uYLYLLIyzTI=";
 				LD_RUNPATH_SEARCH_PATHS = (
 					"$(inherited)",
 					"@executable_path/../Frameworks",
 				);
-				MARKETING_VERSION = 1.0;
+				MARKETING_VERSION = 26.0.19;
 				PRODUCT_BUNDLE_IDENTIFIER = net.24unix.iKeyMon;
 				PRODUCT_NAME = "$(TARGET_NAME)";
 				SWIFT_EMIT_LOC_STRINGS = YES;
@@ -305,19 +341,22 @@
 				CODE_SIGN_ENTITLEMENTS = iKeyMon.entitlements;
 				CODE_SIGN_STYLE = Automatic;
 				COMBINE_HIDPI_IMAGES = YES;
-				CURRENT_PROJECT_VERSION = 1;
+				CURRENT_PROJECT_VERSION = 45;
 				DEVELOPMENT_ASSET_PATHS = "\"Preview Content\"";
 				DEVELOPMENT_TEAM = Q5486ZVAFT;
 				ENABLE_HARDENED_RUNTIME = YES;
 				ENABLE_PREVIEWS = YES;
 				GENERATE_INFOPLIST_FILE = YES;
+				INFOPLIST_FILE = "iKeyMon-Info.plist";
 				INFOPLIST_KEY_CFBundleIconName = AppIcon;
 				INFOPLIST_KEY_NSHumanReadableCopyright = "";
+				INFOPLIST_KEY_SUFeedURL = "https://git.24unix.net/tracer/iKeyMon/releases/appcast.xml";
+				INFOPLIST_KEY_SUPublicEDKey = "EgJgrOGQ79L5me616jA7kDCEOgx+Rg11uYLYLLIyzTI=";
 				LD_RUNPATH_SEARCH_PATHS = (
 					"$(inherited)",
 					"@executable_path/../Frameworks",
 				);
-				MARKETING_VERSION = 1.0;
+				MARKETING_VERSION = 26.0.19;
 				PRODUCT_BUNDLE_IDENTIFIER = net.24unix.iKeyMon;
 				PRODUCT_NAME = "$(TARGET_NAME)";
 				SWIFT_EMIT_LOC_STRINGS = YES;
@@ -347,6 +386,25 @@
 			defaultConfigurationName = Release;
 		};
 /* End XCConfigurationList section */
+
+/* Begin XCRemoteSwiftPackageReference section */
+		52A9BD0F2ED377F7004DD4A2 /* XCRemoteSwiftPackageReference "Sparkle" */ = {
+			isa = XCRemoteSwiftPackageReference;
+			repositoryURL = "https://github.com/sparkle-project/Sparkle";
+			requirement = {
+				kind = upToNextMajorVersion;
+				minimumVersion = 2.8.1;
+			};
+		};
+/* End XCRemoteSwiftPackageReference section */
+
+/* Begin XCSwiftPackageProductDependency section */
+		52A9BD102ED377F7004DD4A2 /* Sparkle */ = {
+			isa = XCSwiftPackageProductDependency;
+			package = 52A9BD0F2ED377F7004DD4A2 /* XCRemoteSwiftPackageReference "Sparkle" */;
+			productName = Sparkle;
+		};
+/* End XCSwiftPackageProductDependency section */
 	};
 	rootObject = 5203C2452D997D2800576D4A /* Project object */;
 }

iKeyMon.xcodeproj/project.xcworkspace/xcshareddata/swiftpm/Package.resolved

@@ -0,0 +1,15 @@
+{
+  "originHash" : "e721da7f9826abdffcb6185e886155efa2514bd6234475f1afa893e29eb258d6",
+  "pins" : [
+    {
+      "identity" : "sparkle",
+      "kind" : "remoteSourceControl",
+      "location" : "https://github.com/sparkle-project/Sparkle",
+      "state" : {
+        "revision" : "5581748cef2bae787496fe6d61139aebe0a451f6",
+        "version" : "2.8.1"
+      }
+    }
+  ],
+  "version" : 3
+}

scripts/build_release.sh

@@ -7,12 +7,154 @@ ARTIFACTS_DIR="$ROOT_DIR/dist"
 SCHEME="iKeyMon"
 PROJECT="iKeyMon.xcodeproj"
 CREDENTIALS_FILE="$ROOT_DIR/.signing.env"
+VERSION_FILE="$ROOT_DIR/version.json"
+DERIVED_DATA_ROOT="${DERIVED_DATA_ROOT:-$HOME/Library/Developer/Xcode/DerivedData}"
+
+find_generate_appcast() {
+  if [[ -n "${SPARKLE_GENERATE_APPCAST:-}" && -x "${SPARKLE_GENERATE_APPCAST}" ]]; then
+    echo "$SPARKLE_GENERATE_APPCAST"
+    return
+  fi
+
+  if [[ -d "$DERIVED_DATA_ROOT" ]]; then
+    local candidate
+    candidate="$(find "$DERIVED_DATA_ROOT" -path "*/SourcePackages/artifacts/sparkle/Sparkle/bin/generate_appcast" -type f 2>/dev/null | head -n 1 || true)"
+    if [[ -n "$candidate" ]]; then
+      echo "$candidate"
+      return
+    fi
+  fi
+}
+
+generate_appcast() {
+  local generator
+  generator="$(find_generate_appcast)"
+  local download_prefix="${SPARKLE_DOWNLOAD_BASE_URL:-}"
+  local subdir_template="${SPARKLE_DOWNLOAD_SUBDIR_TEMPLATE:-}"
+
+  if [[ -z "$generator" || -z "${SPARKLE_EDDSA_KEY_FILE:-}" || -z "$download_prefix" ]]; then
+    echo "ℹ️ Skipping Sparkle appcast generation (generator/key/download prefix not configured)."
+    return
+  fi
+
+  download_prefix="${download_prefix%/}"
+  local output="$SPARKLE_APPCAST_OUTPUT"
+  mkdir -p "$(dirname "$output")"
+
+  local staging_dir
+  staging_dir="$(mktemp -d)"
+  local zip_found=false
+  shopt -s nullglob
+  for zip_path in "$ARTIFACTS_DIR"/*.zip; do
+    zip_found=true
+    local filename version_guess target_dir subdir
+    filename="$(basename "$zip_path")"
+    if [[ "$filename" =~ ([0-9]+\.[0-9]+\.[0-9]+) ]]; then
+      version_guess="${BASH_REMATCH[1]}"
+    else
+      version_guess="$VERSION"
+    fi
+
+    target_dir="$staging_dir"
+    if [[ -n "$subdir_template" ]]; then
+      subdir="$subdir_template"
+      subdir="${subdir//\{\{VERSION\}\}/$version_guess}"
+      subdir="${subdir//\{\{SHORT_VERSION\}\}/$version_guess}"
+      subdir="${subdir//\{\{TAG\}\}/v$version_guess}"
+      subdir="${subdir#/}"
+      subdir="${subdir%/}"
+      if [[ -n "$subdir" ]]; then
+        target_dir="$staging_dir/$subdir"
+        mkdir -p "$target_dir"
+      fi
+    fi
+
+    cp "$zip_path" "$target_dir/"
+  done
+  shopt -u nullglob
+
+  if [[ "$zip_found" != true ]]; then
+    echo "ℹ️ Skipping Sparkle appcast generation (no ZIP archives found)."
+    rm -rf "$staging_dir"
+    return
+  fi
+
+  echo "🧾 Generating Sparkle appcast at $output"
+  if ! "$generator" \
+    --download-url-prefix "$download_prefix" \
+    --ed-key-file "$SPARKLE_EDDSA_KEY_FILE" \
+    -o "$output" \
+    "$staging_dir"; then
+    echo "⚠️ Sparkle appcast generation failed."
+  fi
+  rm -rf "$staging_dir"
+}
+
+sign_update_artifacts() {
+  local signer
+  signer="$(find "$DERIVED_DATA_ROOT" -path "*/SourcePackages/artifacts/sparkle/Sparkle/bin/sign_update" -type f 2>/dev/null | head -n 1 || true)"
+  if [[ -z "$signer" || -z "${SPARKLE_EDDSA_KEY_FILE:-}" ]]; then
+    echo "ℹ️ Skipping Sparkle signing (sign_update or SPARKLE_EDDSA_KEY_FILE missing)."
+    return
+  fi
+  echo "🔑 Signing ${ZIP_NAME} for Sparkle feed"
+  if ! "$signer" "${ARTIFACTS_DIR}/${ZIP_NAME}" --ed-key-file "${SPARKLE_EDDSA_KEY_FILE}"; then
+    echo "⚠️ sign_update failed (continuing without signature)"
+  fi
+}
+
+submit_for_notarization() {
+  local target="$1"
+  local label="$2"
+  echo "📝 Submitting ${label} for notarization..."
+  xcrun notarytool submit "$target" \
+    --apple-id "$NOTARY_APPLE_ID" \
+    --team-id "$NOTARY_TEAM_ID" \
+    --password "$NOTARY_PASSWORD" \
+    --wait
+}
+
+notarize_app_bundle() {
+  local bundle="$1"
+  local label="$2"
+  if [[ -z "${NOTARY_APPLE_ID:-}" || -z "${NOTARY_TEAM_ID:-}" || -z "${NOTARY_PASSWORD:-}" ]]; then
+    echo "ℹ️ Skipping notarization for ${label} (NOTARY_* variables not set)."
+    return 1
+  fi
+
+  local tmp_dir
+  tmp_dir="$(mktemp -d)"
+  local archive="$tmp_dir/$(basename "$bundle").zip"
+  ditto -c -k --keepParent "$bundle" "$archive"
+
+  submit_for_notarization "$archive" "$label"
+  xcrun stapler staple "$bundle"
+  rm -rf "$tmp_dir"
+}
+
+notarize_artifact() {
+  local artifact="$1"
+  local label="$2"
+  if [[ -z "${NOTARY_APPLE_ID:-}" || -z "${NOTARY_TEAM_ID:-}" || -z "${NOTARY_PASSWORD:-}" ]]; then
+    echo "ℹ️ Skipping notarization for ${label} (NOTARY_* variables not set)."
+    return 1
+  fi
+  submit_for_notarization "$artifact" "$label"
+  xcrun stapler staple "$artifact"
+}
 
 if [[ -f "$CREDENTIALS_FILE" ]]; then
+  set -a
   # shellcheck disable=SC1090
   source "$CREDENTIALS_FILE"
+  set +a
 fi
 
+: "${SPARKLE_APPCAST_OUTPUT:=$ROOT_DIR/Sparkle/appcast.xml}"
+export SPARKLE_APPCAST_OUTPUT
+
+"$ROOT_DIR/scripts/sync_version.sh"
+
 rm -rf "$BUILD_DIR" "$ARTIFACTS_DIR"
 mkdir -p "$ARTIFACTS_DIR"
 
@@ -44,6 +186,8 @@ else
   echo "⚠️ Skipping codesign (CODESIGN_IDENTITY not set)."
 fi
 
+notarize_app_bundle "$APP_PATH" "iKeyMon.app"
+
 STAGING_DIR=$(mktemp -d)
 mkdir -p "$STAGING_DIR"
 cp -R "$APP_PATH" "$STAGING_DIR/"
@@ -51,14 +195,13 @@ ln -s /Applications "$STAGING_DIR/Applications"
 mkdir -p "$STAGING_DIR/.background"
 cp "$ROOT_DIR/Assets/dmg_background.png" "$STAGING_DIR/.background/background.png"
 
-VERSION=$(xcodebuild \
+VERSION="$(python3 - <<'PY' "$VERSION_FILE"
-  -project "$ROOT_DIR/$PROJECT" \
+import json, sys
-  -scheme "$SCHEME" \
+with open(sys.argv[1], "r", encoding="utf-8") as handle:
-  -configuration Release \
+    data = json.load(handle)
-  -showBuildSettings | awk '/MARKETING_VERSION/ {print $3; exit}')
+print(data.get("marketing_version", "dev"))
-if [[ -z "$VERSION" ]]; then
+PY
-  VERSION="dev"
+)"
-fi
 ZIP_NAME="iKeyMon-${VERSION}.zip"
 pushd "$(dirname "$APP_PATH")" >/dev/null
 zip -r "$ARTIFACTS_DIR/$ZIP_NAME" "$(basename "$APP_PATH")"
@@ -67,19 +210,23 @@ popd >/dev/null
 DMG_NAME="iKeyMon-${VERSION}.dmg"
 hdiutil create -volname "iKeyMon" -srcfolder "$STAGING_DIR" -ov -format UDZO "$ARTIFACTS_DIR/$DMG_NAME"
 
+sign_update_artifacts
+
 if [[ -n "${NOTARY_APPLE_ID:-}" && -n "${NOTARY_TEAM_ID:-}" && -n "${NOTARY_PASSWORD:-}" ]]; then
-  echo "📝 Submitting DMG for notarization..."
+  notarize_artifact "$ARTIFACTS_DIR/$DMG_NAME" "$DMG_NAME"
-  xcrun notarytool submit "$ARTIFACTS_DIR/$DMG_NAME" \
-    --apple-id "$NOTARY_APPLE_ID" \
-    --team-id "$NOTARY_TEAM_ID" \
-    --password "$NOTARY_PASSWORD" \
-    --wait
-  xcrun stapler staple "$ARTIFACTS_DIR/$DMG_NAME"
 else
-  echo "⚠️ Skipping notarization (NOTARY_* variables not set)."
+  echo "⚠️ Skipping DMG notarization (NOTARY_* variables not set)."
 fi
 rm -rf "$STAGING_DIR"
 
+generate_appcast
+
+if [[ -n "${GITEA_TOKEN:-}" && -n "${GITEA_OWNER:-}" && -n "${GITEA_REPO:-}" ]]; then
+  "$ROOT_DIR/scripts/publish_release.sh" "$VERSION" "$ARTIFACTS_DIR/$ZIP_NAME" "$ARTIFACTS_DIR/$DMG_NAME"
+else
+  echo "ℹ️ Skipping Gitea release publishing (GITEA_* variables not fully set)."
+fi
+
 echo "✅ Build complete. Artifacts:"
 echo "   - $ARTIFACTS_DIR/$ZIP_NAME"
 echo "   - $ARTIFACTS_DIR/$DMG_NAME"

scripts/bump_version.sh

@@ -0,0 +1,24 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+ROOT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
+VERSION_FILE="$ROOT_DIR/version.json"
+
+new_version="$(python3 - "$VERSION_FILE" <<'PY'
+import json, sys, pathlib
+path = pathlib.Path(sys.argv[1])
+data = json.loads(path.read_text())
+current = data.get("marketing_version")
+if not current:
+    raise SystemExit("marketing_version missing in version.json")
+parts = current.split(".")
+if len(parts) != 3 or not all(part.isdigit() for part in parts):
+    raise SystemExit(f"Invalid marketing_version format: {current}")
+parts[-1] = str(int(parts[-1]) + 1)
+data["marketing_version"] = ".".join(parts)
+path.write_text(json.dumps(data, indent=2) + "\n")
+print(data["marketing_version"])
+PY
+)"
+
+echo "$new_version"

scripts/publish_release.sh

@@ -0,0 +1,98 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+ROOT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
+VERSION="$1"
+ZIP_PATH="$2"
+DMG_PATH="$3"
+
+: "${GITEA_TOKEN:?Set GITEA_TOKEN in .signing.env}"
+: "${GITEA_OWNER:?Set GITEA_OWNER in .signing.env}"
+: "${GITEA_REPO:?Set GITEA_REPO in .signing.env}"
+
+TARGET_COMMIT="${GITEA_TARGET_COMMIT:-$(git -C "$ROOT_DIR" rev-parse HEAD)}"
+API_BASE="${GITEA_API_BASE:-https://git.24unix.net/api/v1}"
+API_BASE="${API_BASE%/}"
+RELEASE_TAG="v${VERSION}"
+API_URL="${API_BASE}/repos/${GITEA_OWNER}/${GITEA_REPO}"
+
+if ! command -v jq >/dev/null 2>&1; then
+  echo "❌ jq is required to parse Gitea responses." >&2
+  exit 1
+fi
+
+PRERELEASE_FLAG="${GITEA_PRERELEASE:-true}"
+
+create_payload="$(jq -n \
+  --arg tag "$RELEASE_TAG" \
+  --arg name "iKeyMon ${VERSION}" \
+  --arg target "$TARGET_COMMIT" \
+  --argjson prerelease "$PRERELEASE_FLAG" \
+  '{ tag_name: $tag, name: $name, target_commitish: $target, draft: false, prerelease: $prerelease }')"
+
+response_file="$(mktemp)"
+http_code=$(curl -sS -w "%{http_code}" -o "$response_file" \
+  -H "Authorization: token ${GITEA_TOKEN}" \
+  -H "Content-Type: application/json" \
+  -X POST \
+  -d "$create_payload" \
+  "${API_URL}/releases")
+
+if [[ "$http_code" == "201" ]]; then
+  echo "✅ Created release ${RELEASE_TAG}"
+elif [[ "$http_code" == "409" ]]; then
+  echo "ℹ️ Release ${RELEASE_TAG} already exists, fetching existing ID."
+else
+  echo "❌ Failed to create release (HTTP ${http_code}):"
+  cat "$response_file"
+  rm -f "$response_file"
+  exit 1
+fi
+
+if [[ "$http_code" == "409" ]]; then
+  curl -sS \
+    -H "Authorization: token ${GITEA_TOKEN}" \
+    "${API_URL}/releases/tags/${RELEASE_TAG}" >"$response_file"
+fi
+
+release_id=$(jq -r '.id' "$response_file")
+rm -f "$response_file"
+
+if [[ -z "$release_id" || "$release_id" == "null" ]]; then
+  echo "❌ Could not determine release ID for ${RELEASE_TAG}"
+  exit 1
+fi
+
+delete_existing_asset() {
+  local filename="$1"
+  local asset_id
+  asset_id="$(curl -sS \
+    -H "Authorization: token ${GITEA_TOKEN}" \
+    "${API_URL}/releases/${release_id}/assets" | jq -r --arg name "$filename" '.[] | select(.name == $name) | .id' | head -n 1)"
+  if [[ -n "$asset_id" && "$asset_id" != "null" ]]; then
+    echo "🗑️  Removing existing asset ${filename}"
+    curl -sS \
+      -H "Authorization: token ${GITEA_TOKEN}" \
+      -X DELETE \
+      "${API_URL}/releases/${release_id}/assets/${asset_id}" >/dev/null
+  fi
+}
+
+upload_asset() {
+  local file="$1"
+  local filename
+  filename="$(basename "$file")"
+
+  delete_existing_asset "$filename"
+
+  echo "⬆️  Uploading ${filename}"
+  curl -sS \
+    -H "Authorization: token ${GITEA_TOKEN}" \
+    -F "attachment=@${file}" \
+    "${API_URL}/releases/${release_id}/assets" >/dev/null
+}
+
+upload_asset "$ZIP_PATH"
+upload_asset "$DMG_PATH"
+
+echo "🎉 Release ${RELEASE_TAG} assets uploaded."

scripts/sync_version.sh

@@ -0,0 +1,56 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+ROOT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
+VERSION_FILE="$ROOT_DIR/version.json"
+PROJECT_FILE="$ROOT_DIR/iKeyMon.xcodeproj/project.pbxproj"
+
+if [[ ! -f "$VERSION_FILE" ]]; then
+  echo "❌ version.json not found at $VERSION_FILE" >&2
+  exit 1
+fi
+
+if ! command -v jq >/dev/null 2>&1; then
+  echo "❌ jq is required but not found in PATH" >&2
+  exit 1
+fi
+
+MARKETING_VERSION="$(jq -r '.marketing_version // empty' "$VERSION_FILE")"
+if [[ -z "$MARKETING_VERSION" ]]; then
+  echo "❌ marketing_version missing in $VERSION_FILE" >&2
+  exit 1
+fi
+
+if [[ ! "$MARKETING_VERSION" =~ ^[0-9]{2}\.[0-9]+\.[0-9]+$ ]]; then
+  echo "❌ marketing_version '$MARKETING_VERSION' must follow YY.major.minor (e.g. 26.1.2)" >&2
+  exit 1
+fi
+
+BUILD_NUMBER="${BUILD_NUMBER:-$(git -C "$ROOT_DIR" rev-list --count HEAD)}"
+if [[ -z "$BUILD_NUMBER" ]]; then
+  echo "❌ Unable to derive BUILD_NUMBER" >&2
+  exit 1
+fi
+
+update_setting() {
+  local key="$1"
+  local value="$2"
+  local tmp
+  tmp="$(mktemp)"
+  LC_ALL=C sed -E "s/(${key}[[:space:]]*=[[:space:]]*)[^;]+;/\\1${value};/g" "$PROJECT_FILE" >"$tmp"
+  if cmp -s "$tmp" "$PROJECT_FILE"; then
+    if ! grep -q "${key} = ${value};" "$PROJECT_FILE"; then
+      rm -f "$tmp"
+      echo "❌ Failed to update ${key} in $PROJECT_FILE" >&2
+      exit 1
+    fi
+    rm -f "$tmp"
+    return
+  fi
+  mv "$tmp" "$PROJECT_FILE"
+}
+
+update_setting "MARKETING_VERSION" "$MARKETING_VERSION"
+update_setting "CURRENT_PROJECT_VERSION" "$BUILD_NUMBER"
+
+echo "✅ Synced marketing version $MARKETING_VERSION and build $BUILD_NUMBER into Xcode project."

signing.env.example

@@ -2,3 +2,16 @@ CODESIGN_IDENTITY="Developer ID Application: Your Name (TEAMID1234)"
 NOTARY_APPLE_ID="appleid@example.com"
 NOTARY_TEAM_ID="TEAMID1234"
 NOTARY_PASSWORD="app-specific-password"
+GITEA_TOKEN="personal-access-token"
+GITEA_OWNER="tracer"
+GITEA_REPO="iKeyMon"
+# GITEA_API_BASE="https://git.24unix.net/api/v1"
+# GITEA_TARGET_COMMIT="master"
+# GITEA_PRERELEASE="false"
+
+# Sparkle appcast generation (optional)
+# SPARKLE_EDDSA_KEY_FILE="$HOME/.config/Sparkle/iKeyMon.key"
+# SPARKLE_DOWNLOAD_BASE_URL="https://git.24unix.net/tracer/iKeyMon/releases/download"
+# SPARKLE_DOWNLOAD_SUBDIR_TEMPLATE="v{{VERSION}}"
+# SPARKLE_APPCAST_OUTPUT="$ROOT_DIR/Sparkle/appcast.xml"  # defaults to this path
+# SPARKLE_GENERATE_APPCAST="/path/to/generate_appcast"  # auto-detected if unset

version.json

@@ -0,0 +1,3 @@
+{
+  "marketing_version": "26.0.19"
+}