tftsr-devops_investigation/.gitea/workflows/release-beta.yml

name: Release Beta

# Runs on every merge to beta — creates a v{CARGO_VERSION}-beta.N pre-release tag,
# builds all four platforms, and uploads artifacts.  Wiki sync is intentionally
# omitted here; it only runs from master via auto-tag.yml.

on:
  push:
    branches:
      - beta
  workflow_dispatch:

concurrency:
  group: auto-tag-beta
  cancel-in-progress: false

jobs:
  autotag:
    runs-on: linux-amd64
    container:
      image: alpine:latest
    outputs:
      release_tag: ${{ steps.bump.outputs.release_tag }}
    steps:
      - name: Create beta tag
        id: bump
        env:
          RELEASE_TOKEN: ${{ secrets.RELEASE_TOKEN }}
        run: |
          set -eu
          apk add --no-cache curl jq git

          API="http://172.0.0.29:3000/api/v1/repos/$GITHUB_REPOSITORY"

          git init
          git remote add origin "http://oauth2:${RELEASE_TOKEN}@172.0.0.29:3000/${GITHUB_REPOSITORY}.git"
          git fetch --depth=1 origin "$GITHUB_SHA"
          git checkout FETCH_HEAD
          git config user.name "gitea-actions[bot]"
          git config user.email "gitea-actions@local"

          CARGO_VERSION=$(grep '^version' src-tauri/Cargo.toml | head -1 | sed 's/version = "//;s/"//')
          echo "Cargo.toml declares: $CARGO_VERSION"

          # Find the highest existing beta.N for this Cargo version
          LATEST_BETA=$(curl -s "$API/tags?limit=100" \
            -H "Authorization: token $RELEASE_TOKEN" | \
            jq -r '.[].name' | \
            grep -E "^v${CARGO_VERSION}-beta\.[0-9]+$" | \
            sort -t. -k4 -n | tail -1 || true)
          echo "Latest beta tag: ${LATEST_BETA:-none}"

          if [ -z "$LATEST_BETA" ]; then
            NEXT="v${CARGO_VERSION}-beta.1"
          else
            N=$(echo "$LATEST_BETA" | sed "s/v${CARGO_VERSION}-beta\\.//")
            NEXT="v${CARGO_VERSION}-beta.$((N + 1))"
          fi

          echo "Next beta tag: $NEXT"

          if git ls-remote --exit-code --tags origin "refs/tags/$NEXT" >/dev/null 2>&1; then
            echo "Tag $NEXT already exists; builds will target this tag."
          else
            git tag -a "$NEXT" -m "Pre-release $NEXT"
            git push origin "refs/tags/$NEXT"
            echo "Tag $NEXT pushed successfully"
          fi

          echo "release_tag=$NEXT" >> "$GITHUB_OUTPUT"          

  changelog:
    needs: autotag
    runs-on: linux-amd64
    container:
      image: alpine:latest
    steps:
      - name: Install dependencies
        run: apk add --no-cache git curl jq

      - name: Checkout (full history + all tags)
        env:
          RELEASE_TOKEN: ${{ secrets.RELEASE_TOKEN }}
        run: |
          set -eu
          git init
          git remote add origin \
            "http://oauth2:${RELEASE_TOKEN}@172.0.0.29:3000/${GITHUB_REPOSITORY}.git"
          git fetch --unshallow origin || git fetch --depth=2147483647 origin || true
          git fetch --tags origin
          git checkout "$GITHUB_SHA" 2>/dev/null || git checkout FETCH_HEAD
          git config user.name "gitea-actions[bot]"
          git config user.email "gitea-actions@local"          

      - name: Install git-cliff
        run: |
          set -eu
          CLIFF_VER="2.7.0"
          curl -fsSL \
            "https://github.com/orhun/git-cliff/releases/download/v${CLIFF_VER}/git-cliff-${CLIFF_VER}-x86_64-unknown-linux-musl.tar.gz" \
            | tar -xz --strip-components=1 -C /usr/local/bin \
              "git-cliff-${CLIFF_VER}/git-cliff"          

      - name: Generate changelog
        env:
          RELEASE_TAG: ${{ needs.autotag.outputs.release_tag }}
        run: |
          set -eu
          CURRENT_TAG="${RELEASE_TAG}"
          echo "Building changelog for $CURRENT_TAG"

          if ! git rev-parse "refs/tags/${CURRENT_TAG}" >/dev/null 2>&1; then
            echo "ERROR: tag ${CURRENT_TAG} not found locally after fetch"
            exit 1
          fi

          # Include all tag types (stable + beta) for a proper diff range
          PREV_TAG=$(git tag --sort=-version:refname | grep -v "^${CURRENT_TAG}$" | head -1 || echo "")
          if [ -n "$PREV_TAG" ]; then
            git-cliff --config cliff.toml "${PREV_TAG}..${CURRENT_TAG}" > /tmp/release_body.md || true
          else
            git log --pretty=format:"- %s" > /tmp/release_body.md || true
          fi
          echo "=== Release body preview ==="
          cat /tmp/release_body.md          

      - name: Create or update Gitea pre-release
        env:
          RELEASE_TOKEN: ${{ secrets.RELEASE_TOKEN }}
          RELEASE_TAG: ${{ needs.autotag.outputs.release_tag }}
        run: |
          set -eu
          TAG="${RELEASE_TAG}"
          API="http://172.0.0.29:3000/api/v1/repos/$GITHUB_REPOSITORY"

          RELEASE_ID=$(curl -s "$API/releases/tags/$TAG" \
            -H "Authorization: token $RELEASE_TOKEN" | jq -r '.id // empty')

          if [ -z "$RELEASE_ID" ]; then
            echo "Creating pre-release $TAG..."
            RELEASE_ID=$(jq -n \
              --arg tag "$TAG" \
              --arg name "TFTSR $TAG" \
              --rawfile body /tmp/release_body.md \
              '{tag_name: $tag, name: $name, body: $body, draft: true, prerelease: true}' \
              | curl -sf -X POST "$API/releases" \
                  -H "Authorization: token $RELEASE_TOKEN" \
                  -H "Content-Type: application/json" \
                  --data @- \
              | jq -r '.id')
            echo "✓ Pre-release created (id=$RELEASE_ID)"
          else
            echo "Updating existing release $TAG (id=$RELEASE_ID)..."
            jq -n --rawfile body /tmp/release_body.md '{body: $body}' \
              | curl -sf -X PATCH "$API/releases/$RELEASE_ID" \
                  -H "Authorization: token $RELEASE_TOKEN" \
                  -H "Content-Type: application/json" \
                  --data @-
            echo "✓ Release body updated"
          fi

          if [ -z "$RELEASE_ID" ] || [ "$RELEASE_ID" = "null" ]; then
            echo "ERROR: Failed to create or locate release for $TAG"
            exit 1
          fi          

      - name: Upload CHANGELOG.md as release asset
        env:
          RELEASE_TOKEN: ${{ secrets.RELEASE_TOKEN }}
          RELEASE_TAG: ${{ needs.autotag.outputs.release_tag }}
        run: |
          set -eu
          TAG="${RELEASE_TAG}"
          API="http://172.0.0.29:3000/api/v1/repos/$GITHUB_REPOSITORY"
          RELEASE_ID=$(curl -sf "$API/releases/tags/$TAG" \
            -H "Authorization: token $RELEASE_TOKEN" | jq -r '.id')
          if [ -z "$RELEASE_ID" ] || [ "$RELEASE_ID" = "null" ]; then
            echo "ERROR: Could not find release for tag $TAG"
            exit 1
          fi
          # Generate a minimal changelog file for the asset
          git log --pretty=format:"- %s" -20 > CHANGELOG.md || true
          EXISTING_ID=$(curl -sf "$API/releases/$RELEASE_ID" \
            -H "Authorization: token $RELEASE_TOKEN" \
            | jq -r '.assets[]? | select(.name == "CHANGELOG.md") | .id')
          if [ -n "$EXISTING_ID" ]; then
            curl -sf -X DELETE "$API/releases/$RELEASE_ID/assets/$EXISTING_ID" \
              -H "Authorization: token $RELEASE_TOKEN"
          fi
          curl -sf -X POST "$API/releases/$RELEASE_ID/assets" \
            -H "Authorization: token $RELEASE_TOKEN" \
            -F "attachment=@CHANGELOG.md;filename=CHANGELOG.md"
          echo "✓ CHANGELOG.md uploaded"          

  build-linux-amd64:
    needs: autotag
    runs-on: linux-amd64
    container:
      image: 172.0.0.29:3000/sarman/tftsr-linux-amd64:rust1.88-node22
    steps:
      - name: Checkout
        run: |
          git init
          git remote add origin http://172.0.0.29:3000/sarman/tftsr-devops_investigation.git
          git fetch --depth=1 origin "$GITHUB_SHA"
          git checkout FETCH_HEAD          
      - name: Cache cargo registry
        uses: actions/cache@v4
        with:
          path: |
            ~/.cargo/registry/index
            ~/.cargo/registry/cache
            ~/.cargo/git/db            
          key: ${{ runner.os }}-cargo-linux-amd64-${{ hashFiles('**/Cargo.lock') }}
          restore-keys: |
            ${{ runner.os }}-cargo-linux-amd64-            
      - name: Cache npm
        uses: actions/cache@v4
        with:
          path: ~/.npm
          key: ${{ runner.os }}-npm-${{ hashFiles('**/package-lock.json') }}
          restore-keys: |
            ${{ runner.os }}-npm-            
      - name: Build
        env:
          APPIMAGE_EXTRACT_AND_RUN: "1"
        run: |
          npm ci --legacy-peer-deps
          CI=true npx tauri build --target x86_64-unknown-linux-gnu          
      - name: Upload artifacts
        env:
          RELEASE_TOKEN: ${{ secrets.RELEASE_TOKEN }}
          RELEASE_TAG: ${{ needs.autotag.outputs.release_tag }}
        run: |
          set -eu
          API="http://172.0.0.29:3000/api/v1/repos/$GITHUB_REPOSITORY"
          TAG="${RELEASE_TAG}"
          echo "Uploading artifacts for $TAG..."
          curl -sf -X POST "$API/releases" \
            -H "Authorization: token $RELEASE_TOKEN" \
            -H "Content-Type: application/json" \
            -d "{\"tag_name\":\"$TAG\",\"name\":\"TFTSR $TAG\",\"body\":\"Pre-release $TAG\",\"draft\":false,\"prerelease\":true}" || true
          RELEASE_ID=$(curl -sf "$API/releases/tags/$TAG" \
            -H "Authorization: token $RELEASE_TOKEN" | jq -r '.id')
          if [ -z "$RELEASE_ID" ] || [ "$RELEASE_ID" = "null" ]; then
            echo "ERROR: Failed to get release ID for $TAG"
            exit 1
          fi
          echo "Release ID: $RELEASE_ID"
          ARTIFACTS=$(find src-tauri/target/x86_64-unknown-linux-gnu/release/bundle -type f \
            \( -name "*.deb" -o -name "*.rpm" \))
          if [ -z "$ARTIFACTS" ]; then
            echo "ERROR: No Linux amd64 artifacts were found to upload."
            exit 1
          fi
          printf '%s\n' "$ARTIFACTS" | while IFS= read -r f; do
            NAME=$(basename "$f")
            UPLOAD_NAME="linux-amd64-$NAME"
            echo "Uploading $UPLOAD_NAME..."
            EXISTING_IDS=$(curl -sf "$API/releases/$RELEASE_ID" \
              -H "Authorization: token $RELEASE_TOKEN" \
              | jq -r --arg name "$UPLOAD_NAME" '.assets[]? | select(.name == $name) | .id')
            if [ -n "$EXISTING_IDS" ]; then
              printf '%s\n' "$EXISTING_IDS" | while IFS= read -r id; do
                [ -n "$id" ] || continue
                curl -sf -X DELETE "$API/releases/$RELEASE_ID/assets/$id" \
                  -H "Authorization: token $RELEASE_TOKEN"
              done
            fi
            RESP_FILE=$(mktemp)
            HTTP_CODE=$(curl -sS -o "$RESP_FILE" -w "%{http_code}" -X POST "$API/releases/$RELEASE_ID/assets" \
              -H "Authorization: token $RELEASE_TOKEN" \
              -F "attachment=@$f;filename=$UPLOAD_NAME")
            if [ "$HTTP_CODE" -ge 200 ] && [ "$HTTP_CODE" -lt 300 ]; then
              echo "✓ Uploaded $UPLOAD_NAME"
            else
              echo "✗ Upload failed for $UPLOAD_NAME (HTTP $HTTP_CODE)"
              python -c 'import pathlib,sys;print(pathlib.Path(sys.argv[1]).read_text(errors="replace")[:2000])' "$RESP_FILE"
              exit 1
            fi
          done          

  build-windows-amd64:
    needs: autotag
    runs-on: linux-amd64
    container:
      image: 172.0.0.29:3000/sarman/tftsr-windows-cross:rust1.88-node22
    steps:
      - name: Checkout
        run: |
          git init
          git remote add origin http://172.0.0.29:3000/sarman/tftsr-devops_investigation.git
          git fetch --depth=1 origin "$GITHUB_SHA"
          git checkout FETCH_HEAD          
      - name: Cache cargo registry
        uses: actions/cache@v4
        with:
          path: |
            ~/.cargo/registry/index
            ~/.cargo/registry/cache
            ~/.cargo/git/db            
          key: ${{ runner.os }}-cargo-windows-${{ hashFiles('**/Cargo.lock') }}
          restore-keys: |
            ${{ runner.os }}-cargo-windows-            
      - name: Cache npm
        uses: actions/cache@v4
        with:
          path: ~/.npm
          key: ${{ runner.os }}-npm-${{ hashFiles('**/package-lock.json') }}
          restore-keys: |
            ${{ runner.os }}-npm-            
      - name: Build
        env:
          CC_x86_64_pc_windows_gnu: x86_64-w64-mingw32-gcc
          CXX_x86_64_pc_windows_gnu: x86_64-w64-mingw32-g++
          AR_x86_64_pc_windows_gnu: x86_64-w64-mingw32-ar
          CARGO_TARGET_X86_64_PC_WINDOWS_GNU_LINKER: x86_64-w64-mingw32-gcc
          OPENSSL_NO_VENDOR: "0"
          OPENSSL_STATIC: "1"
          SODIUM_LIB_DIR: /usr/x86_64-w64-mingw32/lib
          SODIUM_STATIC: "1"
          SODIUM_USE_PKG_CONFIG: "no"
        run: |
          npm ci --legacy-peer-deps
          CI=true npx tauri build --target x86_64-pc-windows-gnu          
      - name: Upload artifacts
        env:
          RELEASE_TOKEN: ${{ secrets.RELEASE_TOKEN }}
          RELEASE_TAG: ${{ needs.autotag.outputs.release_tag }}
        run: |
          set -eu
          API="http://172.0.0.29:3000/api/v1/repos/$GITHUB_REPOSITORY"
          TAG="${RELEASE_TAG}"
          echo "Uploading artifacts for $TAG..."
          curl -sf -X POST "$API/releases" \
            -H "Authorization: token $RELEASE_TOKEN" \
            -H "Content-Type: application/json" \
            -d "{\"tag_name\":\"$TAG\",\"name\":\"TFTSR $TAG\",\"body\":\"Pre-release $TAG\",\"draft\":false,\"prerelease\":true}" || true
          RELEASE_ID=$(curl -sf "$API/releases/tags/$TAG" \
            -H "Authorization: token $RELEASE_TOKEN" | jq -r '.id')
          if [ -z "$RELEASE_ID" ] || [ "$RELEASE_ID" = "null" ]; then
            echo "ERROR: Failed to get release ID for $TAG"
            exit 1
          fi
          echo "Release ID: $RELEASE_ID"
          ARTIFACTS=$(find src-tauri/target/x86_64-pc-windows-gnu/release/bundle -type f \
            \( -name "*.exe" -o -name "*.msi" \) 2>/dev/null)
          if [ -z "$ARTIFACTS" ]; then
            echo "ERROR: No Windows amd64 artifacts were found to upload."
            exit 1
          fi
          printf '%s\n' "$ARTIFACTS" | while IFS= read -r f; do
            NAME=$(basename "$f")
            echo "Uploading $NAME..."
            EXISTING_IDS=$(curl -sf "$API/releases/$RELEASE_ID" \
              -H "Authorization: token $RELEASE_TOKEN" \
              | jq -r --arg name "$NAME" '.assets[]? | select(.name == $name) | .id')
            if [ -n "$EXISTING_IDS" ]; then
              printf '%s\n' "$EXISTING_IDS" | while IFS= read -r id; do
                [ -n "$id" ] || continue
                curl -sf -X DELETE "$API/releases/$RELEASE_ID/assets/$id" \
                  -H "Authorization: token $RELEASE_TOKEN"
              done
            fi
            RESP_FILE=$(mktemp)
            HTTP_CODE=$(curl -sS -o "$RESP_FILE" -w "%{http_code}" -X POST "$API/releases/$RELEASE_ID/assets" \
              -H "Authorization: token $RELEASE_TOKEN" \
              -F "attachment=@$f;filename=$NAME")
            if [ "$HTTP_CODE" -ge 200 ] && [ "$HTTP_CODE" -lt 300 ]; then
              echo "✓ Uploaded $NAME"
            else
              echo "✗ Upload failed for $NAME (HTTP $HTTP_CODE)"
              python -c 'import pathlib,sys;print(pathlib.Path(sys.argv[1]).read_text(errors="replace")[:2000])' "$RESP_FILE"
              exit 1
            fi
          done          

  build-macos-arm64:
    needs: autotag
    runs-on: macos-arm64
    steps:
      - name: Checkout
        run: |
          git init
          git remote add origin http://172.0.0.29:3000/sarman/tftsr-devops_investigation.git
          git fetch --depth=1 origin "$GITHUB_SHA"
          git checkout FETCH_HEAD          
      - name: Build
        env:
          MACOSX_DEPLOYMENT_TARGET: "11.0"
        run: |
          npm ci --legacy-peer-deps
          rustup target add aarch64-apple-darwin
          CI=true npx tauri build --target aarch64-apple-darwin --bundles app
          APP=$(find src-tauri/target/aarch64-apple-darwin/release/bundle/macos -maxdepth 1 -type d -name "*.app" | head -n 1)
          if [ -z "$APP" ]; then
            echo "ERROR: Could not find macOS app bundle"
            exit 1
          fi
          APP_NAME=$(basename "$APP" .app)
          codesign --deep --force --sign - "$APP"
          mkdir -p src-tauri/target/aarch64-apple-darwin/release/bundle/dmg
          DMG=src-tauri/target/aarch64-apple-darwin/release/bundle/dmg/${APP_NAME}.dmg
          hdiutil create -volname "$APP_NAME" -srcfolder "$APP" -ov -format UDZO "$DMG"          
      - name: Upload artifacts
        env:
          RELEASE_TOKEN: ${{ secrets.RELEASE_TOKEN }}
          RELEASE_TAG: ${{ needs.autotag.outputs.release_tag }}
        run: |
          set -eu
          API="http://172.0.0.29:3000/api/v1/repos/$GITHUB_REPOSITORY"
          TAG="${RELEASE_TAG}"
          echo "Uploading artifacts for $TAG..."
          curl -sf -X POST "$API/releases" \
            -H "Authorization: token $RELEASE_TOKEN" \
            -H "Content-Type: application/json" \
            -d "{\"tag_name\":\"$TAG\",\"name\":\"TFTSR $TAG\",\"body\":\"Pre-release $TAG\",\"draft\":false,\"prerelease\":true}" || true
          RELEASE_ID=$(curl -sf "$API/releases/tags/$TAG" \
            -H "Authorization: token $RELEASE_TOKEN" | jq -r '.id')
          if [ -z "$RELEASE_ID" ] || [ "$RELEASE_ID" = "null" ]; then
            echo "ERROR: Failed to get release ID for $TAG"
            exit 1
          fi
          echo "Release ID: $RELEASE_ID"
          ARTIFACTS=$(find src-tauri/target/aarch64-apple-darwin/release/bundle -type f -name "*.dmg")
          if [ -z "$ARTIFACTS" ]; then
            echo "ERROR: No macOS arm64 DMG artifacts were found to upload."
            exit 1
          fi
          printf '%s\n' "$ARTIFACTS" | while IFS= read -r f; do
            NAME=$(basename "$f")
            echo "Uploading $NAME..."
            EXISTING_IDS=$(curl -sf "$API/releases/$RELEASE_ID" \
              -H "Authorization: token $RELEASE_TOKEN" \
              | jq -r --arg name "$NAME" '.assets[]? | select(.name == $name) | .id')
            if [ -n "$EXISTING_IDS" ]; then
              printf '%s\n' "$EXISTING_IDS" | while IFS= read -r id; do
                [ -n "$id" ] || continue
                curl -sf -X DELETE "$API/releases/$RELEASE_ID/assets/$id" \
                  -H "Authorization: token $RELEASE_TOKEN"
              done
            fi
            RESP_FILE=$(mktemp)
            HTTP_CODE=$(curl -sS -o "$RESP_FILE" -w "%{http_code}" -X POST "$API/releases/$RELEASE_ID/assets" \
              -H "Authorization: token $RELEASE_TOKEN" \
              -F "attachment=@$f;filename=$NAME")
            if [ "$HTTP_CODE" -ge 200 ] && [ "$HTTP_CODE" -lt 300 ]; then
              echo "✓ Uploaded $NAME"
            else
              echo "✗ Upload failed for $NAME (HTTP $HTTP_CODE)"
              python -c 'import pathlib,sys;print(pathlib.Path(sys.argv[1]).read_text(errors="replace")[:2000])' "$RESP_FILE"
              exit 1
            fi
          done          

  build-linux-arm64:
    needs: autotag
    runs-on: linux-amd64
    container:
      image: 172.0.0.29:3000/sarman/tftsr-linux-arm64:rust1.88-node22
    steps:
      - name: Checkout
        run: |
          git init
          git remote add origin http://172.0.0.29:3000/sarman/tftsr-devops_investigation.git
          git fetch --depth=1 origin "$GITHUB_SHA"
          git checkout FETCH_HEAD          
      - name: Cache cargo registry
        uses: actions/cache@v4
        with:
          path: |
            ~/.cargo/registry/index
            ~/.cargo/registry/cache
            ~/.cargo/git/db            
          key: ${{ runner.os }}-cargo-arm64-${{ hashFiles('**/Cargo.lock') }}
          restore-keys: |
            ${{ runner.os }}-cargo-arm64-            
      - name: Cache npm
        uses: actions/cache@v4
        with:
          path: ~/.npm
          key: ${{ runner.os }}-npm-${{ hashFiles('**/package-lock.json') }}
          restore-keys: |
            ${{ runner.os }}-npm-            
      - name: Build
        env:
          CC_aarch64_unknown_linux_gnu: aarch64-linux-gnu-gcc
          CXX_aarch64_unknown_linux_gnu: aarch64-linux-gnu-g++
          AR_aarch64_unknown_linux_gnu: aarch64-linux-gnu-ar
          CARGO_TARGET_AARCH64_UNKNOWN_LINUX_GNU_LINKER: aarch64-linux-gnu-gcc
          PKG_CONFIG_SYSROOT_DIR: /usr/aarch64-linux-gnu
          PKG_CONFIG_PATH: /usr/lib/aarch64-linux-gnu/pkgconfig:/usr/aarch64-linux-gnu/lib/pkgconfig
          PKG_CONFIG_ALLOW_CROSS: "1"
          OPENSSL_NO_VENDOR: "0"
          OPENSSL_STATIC: "1"
          APPIMAGE_EXTRACT_AND_RUN: "1"
        run: |
          npm ci --legacy-peer-deps
          CI=true npx tauri build --target aarch64-unknown-linux-gnu --bundles deb,rpm          
      - name: Upload artifacts
        env:
          RELEASE_TOKEN: ${{ secrets.RELEASE_TOKEN }}
          RELEASE_TAG: ${{ needs.autotag.outputs.release_tag }}
        run: |
          set -eu
          API="http://172.0.0.29:3000/api/v1/repos/$GITHUB_REPOSITORY"
          TAG="${RELEASE_TAG}"
          echo "Uploading artifacts for $TAG..."
          curl -sf -X POST "$API/releases" \
            -H "Authorization: token $RELEASE_TOKEN" \
            -H "Content-Type: application/json" \
            -d "{\"tag_name\":\"$TAG\",\"name\":\"TFTSR $TAG\",\"body\":\"Pre-release $TAG\",\"draft\":false,\"prerelease\":true}" || true
          RELEASE_ID=$(curl -sf "$API/releases/tags/$TAG" \
            -H "Authorization: token $RELEASE_TOKEN" | jq -r '.id')
          if [ -z "$RELEASE_ID" ] || [ "$RELEASE_ID" = "null" ]; then
            echo "ERROR: Failed to get release ID for $TAG"
            exit 1
          fi
          echo "Release ID: $RELEASE_ID"
          ARTIFACTS=$(find src-tauri/target/aarch64-unknown-linux-gnu/release/bundle -type f \
            \( -name "*.deb" -o -name "*.rpm" -o -name "*.AppImage" \))
          if [ -z "$ARTIFACTS" ]; then
            echo "ERROR: No Linux arm64 artifacts were found to upload."
            exit 1
          fi
          printf '%s\n' "$ARTIFACTS" | while IFS= read -r f; do
            NAME=$(basename "$f")
            UPLOAD_NAME="linux-arm64-$NAME"
            echo "Uploading $UPLOAD_NAME..."
            EXISTING_IDS=$(curl -sf "$API/releases/$RELEASE_ID" \
              -H "Authorization: token $RELEASE_TOKEN" \
              | jq -r --arg name "$UPLOAD_NAME" '.assets[]? | select(.name == $name) | .id')
            if [ -n "$EXISTING_IDS" ]; then
              printf '%s\n' "$EXISTING_IDS" | while IFS= read -r id; do
                [ -n "$id" ] || continue
                curl -sf -X DELETE "$API/releases/$RELEASE_ID/assets/$id" \
                  -H "Authorization: token $RELEASE_TOKEN"
              done
            fi
            RESP_FILE=$(mktemp)
            HTTP_CODE=$(curl -sS -o "$RESP_FILE" -w "%{http_code}" -X POST "$API/releases/$RELEASE_ID/assets" \
              -H "Authorization: token $RELEASE_TOKEN" \
              -F "attachment=@$f;filename=$UPLOAD_NAME")
            if [ "$HTTP_CODE" -ge 200 ] && [ "$HTTP_CODE" -lt 300 ]; then
              echo "✓ Uploaded $UPLOAD_NAME"
            else
              echo "✗ Upload failed for $UPLOAD_NAME (HTTP $HTTP_CODE)"
              python -c 'import pathlib,sys;print(pathlib.Path(sys.argv[1]).read_text(errors="replace")[:2000])' "$RESP_FILE"
              exit 1
            fi
          done