
feat(release): Windows MSIX + App Installer auto-update — pipeline (ADR 0034, 1/2)#92

Merged
Kyle-Falconer merged 2 commits into main from feat/windows-msix-autoupdate on Jun 25, 2026
Conversation

@Kyle-Falconer

Member

Slice 1 of 2 of the Windows auto-update work (ADR 0034): the MSIX packaging pipeline. Pivots the Windows artifact from cargo-packager NSIS .exe to an MSIX that auto-updates via Windows' built-in App Installer, signed by the existing Azure Trusted Signing cert — no second/minisign key.

⚠️ This PR also carries the ADR 0034 commit (d83ae94), which was committed to main locally but never pushed. Basing this branch on it means the ADR lands via this review rather than a separate main push (which was deferred to you). Review/merge brings both to origin/main together.

What's in it

  • .github/workflows/release.yml: windows job rewritten: build exe → assemble pack layout → makeappx pack → Trusted-Sign the .msix (filter msix) → upload .msix + .appinstaller. The verify-version gate, WINDOWS_SIGNING_ENABLED skip-gate, OIDC federation, draft-Release flow, and every Linux/macOS job are untouched.
  • janitor-gui/msix/AppxManifest.xml + Janitor.appinstaller (new) — full-trust win32 MSIX. Publisher hardcoded to the Trusted Signing cert Subject (load-bearing — must match exactly or signing rejects). Version templated @VERSION@ → X.Y.Z.0 in CI. The .appinstaller omits all automatic UpdateSettings: manual-only, zero background egress (ADR 0034 Decisions 3 + 6).
  • janitor-gui/Cargo.toml — drop [package.metadata.packager.nsis] (superseded on Windows).
  • docs/RELEASING.md / docs/THREAT-MODEL.md — the MSIX update model, the 0.1.3-NSIS bootstrap gap (users must open the .appinstaller, not the bare .msix, or updates never wire up), and the new manual-only network-update / remote-code-install surface.
  • .gitignore: dist/.

Verification

  • makeappx pack run locally against the real Publisher CN + the real release binary → schema-validates the manifest (element ordering, namespaces, logo/exe references, Publisher DN). Exit 0.
  • ✅ TOML / YAML / XML parse; @VERSION@ substitution renders valid XML (0.1.3 → 0.1.3.0).
  • ⚠️ Not yet exercised in CI — the windows job is if: WINDOWS_SIGNING_ENABLED == 'true', so workflow_dispatch skips it until the Azure vars + gate are set. The first gated run is the first CI exercise of the sign step.
  • ⚠️ End-to-end auto-update is unproven — only provable by publishing two real signed MSIX releases and upgrading on a Windows box (ADR 0034 live checklist).
  • No Rust source touched; no tests changed.

To turn it on (maintainer)

Set the AZURE_* repo Variables + WINDOWS_SIGNING_ENABLED=true (see docs/RELEASING.md). The cert Subject is already baked into the manifests.

Not in this PR

Slice 2/2 — the in-app "Check for updates" button (the sole manual update trigger, a #[cfg(windows)] WinRT wrapper + Slint control) — follows as a separate PR.

🤖 Generated with Claude Code

Kyle-Falconer and others added 2 commits June 25, 2026 15:23
…no phone-home)

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
… 0034)

Pivot the Windows artifact from cargo-packager NSIS .exe to an MSIX that
auto-updates via Windows App Installer, signed by the existing Azure Trusted
Signing cert (no second key). Slice (a) of two: the packaging pipeline. The
in-app "Check for updates" button (the sole, manual-only update trigger) is
slice (b), a follow-up PR.

- release.yml: rewrite the `windows` job - build exe, assemble the pack layout,
  `makeappx pack`, Trusted-Sign the .msix, upload .msix + .appinstaller. The
  verify-version gate, WINDOWS_SIGNING_ENABLED skip-gate, OIDC federation,
  draft-Release flow, and all Linux/macOS jobs are unchanged.
- janitor-gui/msix/AppxManifest.xml + Janitor.appinstaller: new. Publisher
  hardcoded to the Trusted Signing cert Subject (load-bearing); version
  templated @Version@ -> X.Y.Z.0 in CI. The .appinstaller omits all automatic
  UpdateSettings - manual-only, zero background egress (ADR 0034 Decisions 3+6).
- janitor-gui/Cargo.toml: drop [package.metadata.packager.nsis].
- docs/RELEASING.md, docs/THREAT-MODEL.md: document the MSIX update model, the
  0.1.3-NSIS bootstrap gap (open the .appinstaller), and the new manual-only
  network update / remote-code-install surface.
- .gitignore: dist/.

Locally validated: makeappx pack succeeds against the real Publisher + built
exe (schema-validates the manifest). Not yet exercised in CI (the windows job is
skip-gated) and end-to-end update is unproven pending two live signed releases.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
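The three invariants that both the PR description and the commit message above rely on (the manifest Publisher equals the signing cert Subject exactly, @VERSION@ renders to a four-part X.Y.Z.0 quad, and the .appinstaller carries no automatic UpdateSettings so updates stay manual-only) can be checked before makeappx and the sign step run. The script below is an added example written for this page, not the project's own code or its real manifests: the certificate Subject, package name, URIs and XML bodies are constructed samples, while the two namespace URIs are the real MSIX manifest and App Installer schema namespaces.

```python
"""Pre-pack lint for an MSIX AppxManifest.xml and its companion .appinstaller.

Added example (not the project's code). Checks, before makeappx/signtool run:
  * Identity/@Publisher equals the signing certificate Subject exactly
  * Identity/@Version is a valid Major.Minor.Build.Revision quad after
    @VERSION@ substitution (0.1.3 -> 0.1.3.0)
  * the .appinstaller's MainPackage agrees with the manifest identity
  * the .appinstaller has no automatic UpdateSettings (manual-only updates)
"""
import re
import xml.etree.ElementTree as ET

# Real schema namespaces for the two document types.
APPX_NS = "http://schemas.microsoft.com/appx/manifest/foundation/windows10"
APPINSTALLER_NS = "http://schemas.microsoft.com/appx/appinstaller/2018"

# Child elements of <UpdateSettings> that turn on automatic update checks.
AUTO_UPDATE_ELEMENTS = ("OnLaunch", "AutomaticBackgroundTask")

VERSION_QUAD = re.compile(r"^(\d{1,5})\.(\d{1,5})\.(\d{1,5})\.(\d{1,5})$")


def render_version(template: str, semver: str) -> str:
    """Replace @VERSION@ with the MSIX quad X.Y.Z.0 derived from a Cargo X.Y.Z."""
    if not re.fullmatch(r"\d+\.\d+\.\d+", semver):
        raise ValueError(f"expected X.Y.Z semver, got {semver!r}")
    return template.replace("@VERSION@", f"{semver}.0")


def check_manifest(manifest_xml: str, cert_subject: str) -> dict:
    """Return the identity triple plus a list of findings for AppxManifest.xml."""
    findings = []
    root = ET.fromstring(manifest_xml)
    identity = root.find(f"{{{APPX_NS}}}Identity")
    if identity is None:
        return {"identity": None, "findings": ["missing <Identity> element"]}
    name = identity.get("Name", "")
    publisher = identity.get("Publisher", "")
    version = identity.get("Version", "")
    # Signing rejects the package unless Publisher equals the cert Subject, so compare verbatim.
    if publisher != cert_subject:
        findings.append(f"Publisher {publisher!r} != signing cert Subject {cert_subject!r}")
    m = VERSION_QUAD.match(version)
    if not m or any(int(p) > 65535 for p in m.groups()):
        findings.append(f"Version {version!r} is not a valid Major.Minor.Build.Revision quad")
    if "@VERSION@" in manifest_xml:
        findings.append("unrendered @VERSION@ placeholder left in manifest")
    return {"identity": {"Name": name, "Publisher": publisher, "Version": version},
            "findings": findings}


def check_appinstaller(appinstaller_xml: str, identity: dict) -> list:
    """Findings for the .appinstaller: identity agreement and manual-only updates."""
    findings = []
    root = ET.fromstring(appinstaller_xml)
    ns = f"{{{APPINSTALLER_NS}}}"
    main = root.find(f"{ns}MainPackage")
    if main is None:
        return ["missing <MainPackage> element"]
    for attr in ("Name", "Publisher", "Version"):
        if main.get(attr) != identity[attr]:
            findings.append(f"MainPackage {attr}={main.get(attr)!r} disagrees with "
                            f"manifest {identity[attr]!r}")
    settings = root.find(f"{ns}UpdateSettings")
    if settings is not None:
        for child in settings:
            local = child.tag.split("}")[-1]
            if local in AUTO_UPDATE_ELEMENTS:
                findings.append(f"<UpdateSettings> contains <{local}>; "
                                "updates would no longer be manual-only")
    return findings


def lint(manifest_template: str, semver: str, cert_subject: str, appinstaller_xml: str) -> list:
    """Render the manifest and run both checks; an empty list means all invariants hold."""
    report = check_manifest(render_version(manifest_template, semver), cert_subject)
    findings = list(report["findings"])
    if report["identity"] is not None:
        findings += check_appinstaller(appinstaller_xml, report["identity"])
    return findings


# Constructed sample inputs (hypothetical publisher, package name and URIs).
CERT_SUBJECT = "CN=Example Publisher, O=Example Publisher, L=Springfield, S=Washington, C=US"

MANIFEST_TEMPLATE = f"""<Package xmlns="{APPX_NS}">
  <Identity Name="Example.Janitor" Publisher="{CERT_SUBJECT}" Version="@VERSION@" />
</Package>"""

MANUAL_ONLY_APPINSTALLER = f"""<AppInstaller xmlns="{APPINSTALLER_NS}" Version="0.1.3.0"
  Uri="https://example.invalid/releases/Janitor.appinstaller">
  <MainPackage Name="Example.Janitor" Publisher="{CERT_SUBJECT}" Version="0.1.3.0"
    Uri="https://example.invalid/releases/Janitor-0.1.3.0.msix" />
</AppInstaller>"""

# Same file with an automatic on-launch check added: the lint must flag it.
AUTO_UPDATE_APPINSTALLER = MANUAL_ONLY_APPINSTALLER.replace(
    "</AppInstaller>",
    '  <UpdateSettings><OnLaunch HoursBetweenUpdateChecks="0" /></UpdateSettings>\n</AppInstaller>')

if __name__ == "__main__":
    for label, doc in (("manual-only", MANUAL_ONLY_APPINSTALLER),
                       ("automatic", AUTO_UPDATE_APPINSTALLER)):
        problems = lint(MANIFEST_TEMPLATE, "0.1.3", CERT_SUBJECT, doc)
        print(f"{label}: {'OK' if not problems else problems}")
```

To use it on real files, read the templated AppxManifest.xml and the .appinstaller from disk and pass the certificate Subject that CI supplies. The Publisher comparison deliberately does no distinguished-name normalization, because the PR states that the match has to be exact for signing to succeed; a lint that tolerated reordering or whitespace would pass manifests the sign step then rejects.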
Kyle-Falconer merged commit eaf4199 into main on Jun 25, 2026
1 check passed