chore: release 26.0.19

NOTES.md

@@ -4,3 +4,6 @@
     static Data
 
 add a marker for "reboot required"
+
+dummy2
+                    

README.md

@@ -59,26 +59,41 @@ GITEA_REPO="iKeyMon"
 # optional: GITEA_PRERELEASE="false"   # defaults to true until preferences are done
 # optional Sparkle feed helpers:
 # SPARKLE_EDDSA_KEY_FILE="$HOME/.config/Sparkle/iKeyMon.key"
-# SPARKLE_DOWNLOAD_BASE_TEMPLATE="https://git.24unix.net/tracer/iKeyMon/releases/download/v{{VERSION}}"
+# SPARKLE_DOWNLOAD_BASE_URL="https://git.24unix.net/tracer/iKeyMon/releases/download"
+# SPARKLE_DOWNLOAD_SUBDIR_TEMPLATE="v{{VERSION}}"
 # SPARKLE_APPCAST_OUTPUT="$ROOT_DIR/Sparkle/appcast.xml"  # default
 ```
 
 `GITEA_TARGET_COMMIT` defaults to the current `HEAD` commit, so overriding it lets you publish from another branch if needed. Whenever those variables are set, the script will create (or reuse) tag `v<version>` and upload both ZIP and DMG as release assets automatically.
 
+If you re-run the release script for the same version, it removes any existing assets with the same filenames before uploading, so you never end up with duplicate ZIP/DMG files on the release page.
+
 ### Sparkle updates
 
 iKeyMon uses [Sparkle](https://sparkle-project.org/) for macOS-safe updates.
 
 1. Generate an EdDSA key pair once (`./Packages/Sparkle/bin/generate_keys`). Store the private key on-disk (for example `~/.config/Sparkle/iKeyMon.key`, which the build script expects) and copy the public key into the `SUPublicEDKey` entry (see Info.plist notes below).
-2. `./scripts/build_release.sh` signs the ZIP with Sparkle’s `sign_update` tool and invokes `generate_appcast` automatically when the Sparkle variables are present. The generated feed is written to `Sparkle/appcast.xml`, so commit that file after every release. Point `SPARKLE_DOWNLOAD_BASE_TEMPLATE` at your release download prefix to ensure the feed URLs resolve correctly.
+2. `./scripts/build_release.sh` signs the ZIP with Sparkle’s `sign_update` tool and invokes `generate_appcast` automatically when the Sparkle variables are present. The generated feed is written to `Sparkle/appcast.xml`, so commit that file after every release. Set `SPARKLE_DOWNLOAD_BASE_URL` to the static portion of your release-download endpoint (e.g. `https://…/releases/download`) and `SPARKLE_DOWNLOAD_SUBDIR_TEMPLATE` to the path segment that should be inserted before each asset (default `v{{VERSION}}` mirrors how Gitea exposes assets). The feed stays inside the repo (it is not uploaded as a release asset).
 3. Set `SUFeedURL` in Info.plist (or the corresponding build setting) to the raw URL of `Sparkle/appcast.xml` inside this repo (e.g. `https://git.24unix.net/tracer/iKeyMon/raw/branch/master/Sparkle/appcast.xml`).
 
 Preferences expose Sparkle’s built-in toggles for “Automatically check” and “Automatically download”, and the toolbar button simply calls Sparkle’s “Check for Updates…” sheet.
 
-> `./scripts/build_release.sh` will call `generate_appcast` for you when `SPARKLE_EDDSA_KEY_FILE` and either `SPARKLE_DOWNLOAD_BASE_TEMPLATE` (with `{{VERSION}}` placeholder) or `SPARKLE_DOWNLOAD_BASE_URL` are set. It tries to locate Sparkle’s CLI in DerivedData automatically, but you can override the path via `SPARKLE_GENERATE_APPCAST`. The resulting feed is written to `SPARKLE_APPCAST_OUTPUT` (defaults to `Sparkle/appcast.xml`).
+> `./scripts/build_release.sh` will call `generate_appcast` for you when `SPARKLE_EDDSA_KEY_FILE`, `SPARKLE_DOWNLOAD_BASE_URL`, and (optionally) `SPARKLE_DOWNLOAD_SUBDIR_TEMPLATE` are set. It tries to locate Sparkle’s CLI in DerivedData automatically, but you can override the path via `SPARKLE_GENERATE_APPCAST`. The resulting feed is written to `SPARKLE_APPCAST_OUTPUT` (defaults to `Sparkle/appcast.xml`).
 
 > Build settings include `INFOPLIST_KEY_SUFeedURL` and `INFOPLIST_KEY_SUPublicEDKey`. Make sure to fill both before shipping a build so Sparkle knows where to fetch updates and how to verify them.
 
+### Automated release push
+
+If you want `git push origin master` to build/sign/notarize/upload automatically, enable the provided pre-push hook:
+
+```bash
+git config core.hooksPath hooks
+```
+
+The hook (see `hooks/pre-push`) watches for pushes that include `refs/heads/master`, automatically bumps `marketing_version` (incrementing the last component), runs `scripts/build_release.sh`, stages `version.json`, `iKeyMon.xcodeproj/project.pbxproj`, and `Sparkle/appcast.xml`, then creates a commit `chore: release <version>`. It performs its own `git push` behind the scenes and cancels the original push command so you don't upload the same refs twice—once you see “Release … pushed. Original push cancelled”, you're done (Git will report the original push failed; that's expected). To skip the automation temporarily, prepend `SKIP_RELEASE=1` to your `git push` command.
+
+The bumping logic lives in `scripts/bump_version.sh` (feel free to run it manually if you need to create a release without pushing).
+
 ### Versioning workflow
 
 - The canonical marketing version lives in `version.json` and follows the format `YY.major.minor` (example: `26.1.2`). Update that file manually whenever you cut a new release branch.

Sparkle/appcast.xml

@@ -3,12 +3,28 @@
     <channel>
         <title>iKeyMon</title>
         <item>
-            <title>26.0.13</title>
-            <pubDate>Tue, 25 Nov 2025 00:05:46 +0100</pubDate>
-            <sparkle:version>32</sparkle:version>
-            <sparkle:shortVersionString>26.0.13</sparkle:shortVersionString>
+            <title>26.0.16</title>
+            <pubDate>Tue, 25 Nov 2025 18:34:19 +0100</pubDate>
+            <sparkle:version>39</sparkle:version>
+            <sparkle:shortVersionString>26.0.16</sparkle:shortVersionString>
             <sparkle:minimumSystemVersion>15.2</sparkle:minimumSystemVersion>
-            <enclosure url="https://git.24unix.net/tracer/iKeyMon/releases/download/v26.0.13/iKeyMon-26.0.13.zip" length="4800781" type="application/octet-stream" sparkle:edSignature="KIGsFaFftWzENTEOHnpPEtk/WaUicS0xK9yMh7e98OKBxlsBkxfghoTu2xU8ZKlEqM6Ndhr5UQwZJE4uBsELAA=="/>
+            <enclosure url="https://git.24unix.net/tracer/iKeyMon/releases/download/v26.0.16/iKeyMon-26.0.16.zip" length="4801351" type="application/octet-stream" sparkle:edSignature="lbQEpxEElRxwyRdm0LQIxsnfh8o8Kt66wQlcl4PBs68lBmjkq0b/5EsVCElWQb0Nei/GCk6I/m2mSNL7mA3wBQ=="/>
+        </item>
+        <item>
+            <title>26.0.15</title>
+            <pubDate>Tue, 25 Nov 2025 18:11:17 +0100</pubDate>
+            <sparkle:version>35</sparkle:version>
+            <sparkle:shortVersionString>26.0.15</sparkle:shortVersionString>
+            <sparkle:minimumSystemVersion>15.2</sparkle:minimumSystemVersion>
+            <enclosure url="https://git.24unix.net/tracer/iKeyMon/releases/download/v26.0.15/iKeyMon-26.0.15.zip" length="4801128" type="application/octet-stream" sparkle:edSignature="T16+tX44yN2UqIUsMJeZAxydOuLC6lcQQrlRElTkJlSWPheWLy9xPjP4T45mNSOcWTax0gRCnI50ab3geL9XAA=="/>
+        </item>
+        <item>
+            <title>26.0.15</title>
+            <pubDate>Tue, 25 Nov 2025 17:42:56 +0100</pubDate>
+            <sparkle:version>34</sparkle:version>
+            <sparkle:shortVersionString>26.0.15</sparkle:shortVersionString>
+            <sparkle:minimumSystemVersion>15.2</sparkle:minimumSystemVersion>
+            <enclosure url="https://git.24unix.net/tracer/iKeyMon/releases/download/v26.0.15/iKeyMon-26.0.15.zip" length="4800821" type="application/octet-stream" sparkle:edSignature="bojJ638CY0n+34POoJX3OBrXRAiPOYPiDTfgJOS9fCslw8YGKZLviJvcExC2PKh1HDt0Raabo0FJUJrAFUMmBQ=="/>
         </item>
     </channel>
 </rss>

hooks/pre-push

@@ -0,0 +1,62 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+ROOT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
+REMOTE_NAME="${1:-origin}"
+
+if [[ -n "${SKIP_RELEASE:-}" ]]; then
+  echo "⚙️  SKIP_RELEASE set — skipping automated release build."
+  exit 0
+fi
+
+should_release=false
+release_local_ref=""
+release_remote_ref=""
+while read -r local_ref local_sha remote_ref remote_sha; do
+  [[ -z "${local_ref:-}" ]] && continue
+  if [[ "$local_ref" == "refs/heads/master" || "$remote_ref" == "refs/heads/master" ]]; then
+    should_release=true
+    release_local_ref="$local_ref"
+    release_remote_ref="${remote_ref:-refs/heads/master}"
+  fi
+done
+
+if [[ "$should_release" != true ]]; then
+  current_branch="$(git -C "$ROOT_DIR" symbolic-ref --short -q HEAD || true)"
+  if [[ "$current_branch" == "master" ]]; then
+    should_release=true
+    release_local_ref="refs/heads/master"
+    release_remote_ref="refs/heads/master"
+  fi
+fi
+
+if [[ "$should_release" != true ]]; then
+  exit 0
+fi
+
+echo "🚀 Detected push to master — bumping version and building release..."
+NEW_VERSION="$("$ROOT_DIR/scripts/bump_version.sh")"
+echo "🔢 marketing_version -> ${NEW_VERSION}"
+"$ROOT_DIR/scripts/sync_version.sh"
+
+git -C "$ROOT_DIR" add "$ROOT_DIR/version.json" "$ROOT_DIR/iKeyMon.xcodeproj/project.pbxproj"
+
+"$ROOT_DIR/scripts/build_release.sh"
+
+git -C "$ROOT_DIR" add "$ROOT_DIR/version.json" "$ROOT_DIR/iKeyMon.xcodeproj/project.pbxproj" "$ROOT_DIR/Sparkle/appcast.xml"
+
+if git -C "$ROOT_DIR" diff --cached --quiet; then
+  echo "⚠️ No release changes detected; skipping release commit."
+else
+  git -C "$ROOT_DIR" commit -m "chore: release ${NEW_VERSION}"
+  echo "📝 Committed release ${NEW_VERSION}."
+fi
+
+echo "📤 Pushing release commit..."
+if SKIP_RELEASE=1 git -C "$ROOT_DIR" push "$REMOTE_NAME" "${release_local_ref:-refs/heads/master}:${release_remote_ref:-refs/heads/master}"; then
+  echo "✅ Release ${NEW_VERSION} pushed. Original push cancelled (already done)."
+  exit 1
+else
+  echo "❌ Failed to push release ${NEW_VERSION}. Please resolve manually."
+  exit 1
+fi

iKeyMon.xcodeproj/project.pbxproj

@@ -310,7 +310,7 @@
 				CODE_SIGN_ENTITLEMENTS = iKeyMon.entitlements;
 				CODE_SIGN_STYLE = Automatic;
 				COMBINE_HIDPI_IMAGES = YES;
-				CURRENT_PROJECT_VERSION = 32;
+				CURRENT_PROJECT_VERSION = 45;
 				DEVELOPMENT_ASSET_PATHS = "\"Preview Content\"";
 				DEVELOPMENT_TEAM = Q5486ZVAFT;
 				ENABLE_HARDENED_RUNTIME = YES;
@@ -325,7 +325,7 @@
 					"$(inherited)",
 					"@executable_path/../Frameworks",
 				);
-				MARKETING_VERSION = 26.0.13;
+				MARKETING_VERSION = 26.0.19;
 				PRODUCT_BUNDLE_IDENTIFIER = net.24unix.iKeyMon;
 				PRODUCT_NAME = "$(TARGET_NAME)";
 				SWIFT_EMIT_LOC_STRINGS = YES;
@@ -341,7 +341,7 @@
 				CODE_SIGN_ENTITLEMENTS = iKeyMon.entitlements;
 				CODE_SIGN_STYLE = Automatic;
 				COMBINE_HIDPI_IMAGES = YES;
-				CURRENT_PROJECT_VERSION = 32;
+				CURRENT_PROJECT_VERSION = 45;
 				DEVELOPMENT_ASSET_PATHS = "\"Preview Content\"";
 				DEVELOPMENT_TEAM = Q5486ZVAFT;
 				ENABLE_HARDENED_RUNTIME = YES;
@@ -356,7 +356,7 @@
 					"$(inherited)",
 					"@executable_path/../Frameworks",
 				);
-				MARKETING_VERSION = 26.0.13;
+				MARKETING_VERSION = 26.0.19;
 				PRODUCT_BUNDLE_IDENTIFIER = net.24unix.iKeyMon;
 				PRODUCT_NAME = "$(TARGET_NAME)";
 				SWIFT_EMIT_LOC_STRINGS = YES;

scripts/build_release.sh

@@ -29,23 +29,56 @@ find_generate_appcast() {
 generate_appcast() {
   local generator
   generator="$(find_generate_appcast)"
-  local download_prefix=""
-  if [[ -n "${SPARKLE_DOWNLOAD_BASE_TEMPLATE:-}" ]]; then
-    download_prefix="${SPARKLE_DOWNLOAD_BASE_TEMPLATE//\{\{VERSION\}\}/$VERSION}"
-  else
-    download_prefix="${SPARKLE_DOWNLOAD_BASE_URL:-}"
-  fi
+  local download_prefix="${SPARKLE_DOWNLOAD_BASE_URL:-}"
+  local subdir_template="${SPARKLE_DOWNLOAD_SUBDIR_TEMPLATE:-}"
 
   if [[ -z "$generator" || -z "${SPARKLE_EDDSA_KEY_FILE:-}" || -z "$download_prefix" ]]; then
     echo "ℹ️ Skipping Sparkle appcast generation (generator/key/download prefix not configured)."
     return
   fi
 
+  download_prefix="${download_prefix%/}"
   local output="$SPARKLE_APPCAST_OUTPUT"
   mkdir -p "$(dirname "$output")"
+
   local staging_dir
   staging_dir="$(mktemp -d)"
-  cp "$ARTIFACTS_DIR"/*.zip "$staging_dir"/ 2>/dev/null || true
+  local zip_found=false
+  shopt -s nullglob
+  for zip_path in "$ARTIFACTS_DIR"/*.zip; do
+    zip_found=true
+    local filename version_guess target_dir subdir
+    filename="$(basename "$zip_path")"
+    if [[ "$filename" =~ ([0-9]+\.[0-9]+\.[0-9]+) ]]; then
+      version_guess="${BASH_REMATCH[1]}"
+    else
+      version_guess="$VERSION"
+    fi
+
+    target_dir="$staging_dir"
+    if [[ -n "$subdir_template" ]]; then
+      subdir="$subdir_template"
+      subdir="${subdir//\{\{VERSION\}\}/$version_guess}"
+      subdir="${subdir//\{\{SHORT_VERSION\}\}/$version_guess}"
+      subdir="${subdir//\{\{TAG\}\}/v$version_guess}"
+      subdir="${subdir#/}"
+      subdir="${subdir%/}"
+      if [[ -n "$subdir" ]]; then
+        target_dir="$staging_dir/$subdir"
+        mkdir -p "$target_dir"
+      fi
+    fi
+
+    cp "$zip_path" "$target_dir/"
+  done
+  shopt -u nullglob
+
+  if [[ "$zip_found" != true ]]; then
+    echo "ℹ️ Skipping Sparkle appcast generation (no ZIP archives found)."
+    rm -rf "$staging_dir"
+    return
+  fi
+
   echo "🧾 Generating Sparkle appcast at $output"
   if ! "$generator" \
     --download-url-prefix "$download_prefix" \
@@ -70,6 +103,46 @@ sign_update_artifacts() {
   fi
 }
 
+submit_for_notarization() {
+  local target="$1"
+  local label="$2"
+  echo "📝 Submitting ${label} for notarization..."
+  xcrun notarytool submit "$target" \
+    --apple-id "$NOTARY_APPLE_ID" \
+    --team-id "$NOTARY_TEAM_ID" \
+    --password "$NOTARY_PASSWORD" \
+    --wait
+}
+
+notarize_app_bundle() {
+  local bundle="$1"
+  local label="$2"
+  if [[ -z "${NOTARY_APPLE_ID:-}" || -z "${NOTARY_TEAM_ID:-}" || -z "${NOTARY_PASSWORD:-}" ]]; then
+    echo "ℹ️ Skipping notarization for ${label} (NOTARY_* variables not set)."
+    return 1
+  fi
+
+  local tmp_dir
+  tmp_dir="$(mktemp -d)"
+  local archive="$tmp_dir/$(basename "$bundle").zip"
+  ditto -c -k --keepParent "$bundle" "$archive"
+
+  submit_for_notarization "$archive" "$label"
+  xcrun stapler staple "$bundle"
+  rm -rf "$tmp_dir"
+}
+
+notarize_artifact() {
+  local artifact="$1"
+  local label="$2"
+  if [[ -z "${NOTARY_APPLE_ID:-}" || -z "${NOTARY_TEAM_ID:-}" || -z "${NOTARY_PASSWORD:-}" ]]; then
+    echo "ℹ️ Skipping notarization for ${label} (NOTARY_* variables not set)."
+    return 1
+  fi
+  submit_for_notarization "$artifact" "$label"
+  xcrun stapler staple "$artifact"
+}
+
 if [[ -f "$CREDENTIALS_FILE" ]]; then
   set -a
   # shellcheck disable=SC1090
@@ -113,6 +186,8 @@ else
   echo "⚠️ Skipping codesign (CODESIGN_IDENTITY not set)."
 fi
 
+notarize_app_bundle "$APP_PATH" "iKeyMon.app"
+
 STAGING_DIR=$(mktemp -d)
 mkdir -p "$STAGING_DIR"
 cp -R "$APP_PATH" "$STAGING_DIR/"
@@ -138,15 +213,9 @@ hdiutil create -volname "iKeyMon" -srcfolder "$STAGING_DIR" -ov -format UDZO "$A
 sign_update_artifacts
 
 if [[ -n "${NOTARY_APPLE_ID:-}" && -n "${NOTARY_TEAM_ID:-}" && -n "${NOTARY_PASSWORD:-}" ]]; then
-  echo "📝 Submitting DMG for notarization..."
-  xcrun notarytool submit "$ARTIFACTS_DIR/$DMG_NAME" \
-    --apple-id "$NOTARY_APPLE_ID" \
-    --team-id "$NOTARY_TEAM_ID" \
-    --password "$NOTARY_PASSWORD" \
-    --wait
-  xcrun stapler staple "$ARTIFACTS_DIR/$DMG_NAME"
+  notarize_artifact "$ARTIFACTS_DIR/$DMG_NAME" "$DMG_NAME"
 else
-  echo "⚠️ Skipping notarization (NOTARY_* variables not set)."
+  echo "⚠️ Skipping DMG notarization (NOTARY_* variables not set)."
 fi
 rm -rf "$STAGING_DIR"
 

scripts/bump_version.sh

@@ -0,0 +1,24 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+ROOT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
+VERSION_FILE="$ROOT_DIR/version.json"
+
+new_version="$(python3 - "$VERSION_FILE" <<'PY'
+import json, sys, pathlib
+path = pathlib.Path(sys.argv[1])
+data = json.loads(path.read_text())
+current = data.get("marketing_version")
+if not current:
+    raise SystemExit("marketing_version missing in version.json")
+parts = current.split(".")
+if len(parts) != 3 or not all(part.isdigit() for part in parts):
+    raise SystemExit(f"Invalid marketing_version format: {current}")
+parts[-1] = str(int(parts[-1]) + 1)
+data["marketing_version"] = ".".join(parts)
+path.write_text(json.dumps(data, indent=2) + "\n")
+print(data["marketing_version"])
+PY
+)"
+
+echo "$new_version"

scripts/publish_release.sh

@@ -63,11 +63,28 @@ if [[ -z "$release_id" || "$release_id" == "null" ]]; then
   exit 1
 fi
 
+delete_existing_asset() {
+  local filename="$1"
+  local asset_id
+  asset_id="$(curl -sS \
+    -H "Authorization: token ${GITEA_TOKEN}" \
+    "${API_URL}/releases/${release_id}/assets" | jq -r --arg name "$filename" '.[] | select(.name == $name) | .id' | head -n 1)"
+  if [[ -n "$asset_id" && "$asset_id" != "null" ]]; then
+    echo "🗑️  Removing existing asset ${filename}"
+    curl -sS \
+      -H "Authorization: token ${GITEA_TOKEN}" \
+      -X DELETE \
+      "${API_URL}/releases/${release_id}/assets/${asset_id}" >/dev/null
+  fi
+}
+
 upload_asset() {
   local file="$1"
   local filename
   filename="$(basename "$file")"
 
+  delete_existing_asset "$filename"
+
   echo "⬆️  Uploading ${filename}"
   curl -sS \
     -H "Authorization: token ${GITEA_TOKEN}" \
@@ -78,8 +95,4 @@ upload_asset() {
 upload_asset "$ZIP_PATH"
 upload_asset "$DMG_PATH"
 
-if [[ -n "${SPARKLE_APPCAST_OUTPUT:-}" && -f "${SPARKLE_APPCAST_OUTPUT}" ]]; then
-  upload_asset "$SPARKLE_APPCAST_OUTPUT"
-fi
-
 echo "🎉 Release ${RELEASE_TAG} assets uploaded."

signing.env.example

@@ -11,6 +11,7 @@ GITEA_REPO="iKeyMon"
 
 # Sparkle appcast generation (optional)
 # SPARKLE_EDDSA_KEY_FILE="$HOME/.config/Sparkle/iKeyMon.key"
-# SPARKLE_DOWNLOAD_BASE_TEMPLATE="https://git.24unix.net/tracer/iKeyMon/releases/download/v{{VERSION}}"
+# SPARKLE_DOWNLOAD_BASE_URL="https://git.24unix.net/tracer/iKeyMon/releases/download"
+# SPARKLE_DOWNLOAD_SUBDIR_TEMPLATE="v{{VERSION}}"
 # SPARKLE_APPCAST_OUTPUT="$ROOT_DIR/Sparkle/appcast.xml"  # defaults to this path
 # SPARKLE_GENERATE_APPCAST="/path/to/generate_appcast"  # auto-detected if unset

version.json

@@ -1,3 +1,3 @@
 {
-  "marketing_version": "26.0.13"
+  "marketing_version": "26.0.19"
 }