Windows port PR 1: compile + launch + unsigned CI #517
Three minimum-viable changes to unblock building Maple on Windows. Atomic migration, keyring storage, signing, TTS DLL shipping, and the CI matrix job are deferred to follow-up epics.

tauri.conf.json (MPLR-uyqowcnn / 1a):
- bundle.targets switched from "all" to an explicit list excluding "msi". Tauri's WiX template hard-codes HKLM + perMachine install, which would shadow the HKCU keys we rely on for cloud.opensecret.maple deep links.
- bundle.windows.nsis.installMode = "currentUser" so the NSIS installer is per-user (no UAC) and writes deep-link registration under HKCU.
- bundle.windows.webviewInstallMode.type = "downloadBootstrapper" set explicitly to avoid surprise behavior if the Tauri default changes.

capabilities/default.json (MPLR-zivybmgl / 1b):
- Dropped $HOME/.config/maple/** scope entries from every fs:allow-* permission. The path tokens don't resolve to anything meaningful on Windows, no JS code touches them via the Tauri fs plugin, and proxy.rs writes via raw std::fs which bypasses the capability system entirely. $APPCONFIG/** entries are kept.

src/proxy.rs (MPLR-oshibkah / 1c):
- get_config_path now takes &AppHandle and resolves to %APPDATA%\cloud.opensecret.maple\ on Windows via Tauri's path resolver. macOS and Linux behavior is byte-identical (still ~/.config/maple/).
- AppHandle is plumbed through save_proxy_config, load_saved_proxy_config, start_proxy, load_proxy_config, save_proxy_settings, and the auto-start initializer. Frontend invoke() calls are unchanged — Tauri auto-injects AppHandle on commands.
- USERPROFILE fallback removed; Windows now uses the proper Tauri path.

cargo check + cargo clippy -D warnings + cargo fmt --check all pass.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Mirrors the existing macOS/Linux unsigned PR build jobs in desktop-build.yml. Produces an x64 Windows NSIS installer on every PR and push to master.

What the job does:
- Runs on windows-latest (x64 Windows Server 2022 — note this differs from ARM64 Windows VMs that some developers use locally; matches the artifact most users will install).
- Installs Rust stable (default target x86_64-pc-windows-msvc on the runner).
- Installs sccache via choco and caches it across runs keyed on Cargo.lock.
- Provides ONNX Runtime by downloading the prebuilt Windows x64 zip from Microsoft and pointing ORT_LIB_LOCATION + ORT_SKIP_DOWNLOAD at it, mirroring the Linux job's pattern. This keeps the ort crate from re-downloading and works around any flaky download-binaries paths.
- Sets up Bun for the frontend bundle (Bun has Windows-x64 builds; only the ARM64 Windows local dev path lacks a native Bun and must fall back to npm).
- Runs tauri-action with --bundles nsis. The tauri.conf.json bundle.targets array set in subtask 1a already excludes msi, so NSIS is the only Windows bundler invoked.
- Provides TAURI_SIGNING_PRIVATE_KEY (existing repo secret) so the minisign updater artifact step succeeds. Authenticode signing of the .exe itself is out of scope here — that's Epic 6 (PR 7).
- Uploads the NSIS .exe as workflow artifact maple-windows-x64.

Same env vars as the macOS/Linux jobs (VITE_OPEN_SECRET_API_URL switches on pull_request vs push, VITE_MAPLE_BILLING_API_URL same pattern, VITE_CLIENT_ID constant).

Out of scope (deferred to later epics):
- release.yml integration (Epic 6 / PR 7)
- Code signing secrets and signCommand (Epic 6 / PR 7)
- latest.json windows-x86_64 entry for auto-updater (Epic 6 / PR 7)
- MSI bundler (deferred indefinitely; WiX template shadows the HKCU deep-link keys we rely on)

Closes MPLR-hzehaxpp (1e).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@AnthonyRonning Looks like I'll need workflow approval here. Keeping as draft for now since I'm expecting some iteration getting the CI correct
Match the pattern landing in OpenSecretCloud#519 for the macOS and Linux jobs: detect when TAURI_SIGNING_PRIVATE_KEY is absent (fork PR) and pass an unsigned config overlay so tauri-action does not attempt updater artifact signing after producing the NSIS installer. Without this, the windows job goes red on fork PRs the same way the existing Linux job did.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Superseded by #520 (same branch pushed to upstream now that I have org write access — gets us proper CI with secrets available).
Summary

First of several PRs porting Maple to Windows. Lands the minimum needed to compile and launch on a clean Windows host plus a windows-latest CI job that produces an unsigned NSIS installer on every PR.

Why these changes

- tauri.conf.json — explicit bundle.targets, NSIS per-user, WebView2 bootstrapper. Tauri's WiX/msi template hard-codes HKLM + per-machine install, which would shadow the HKCU keys we rely on for cloud.opensecret.maple:// deep-link handlers. Switching bundle.targets from "all" to an explicit list excludes msi from future Windows builds without affecting mac/linux output. installMode: "currentUser" keeps the installer UAC-free and consistent with HKCU registration. webviewInstallMode: "downloadBootstrapper" pins behavior so a future Tauri default change doesn't surprise users.
- capabilities/default.json — drop dead $HOME/.config/maple/** entries. Those scope tokens don't resolve to anything meaningful on Windows and aren't used anywhere today — the JS never invokes the Tauri fs plugin and proxy.rs writes via raw std::fs, which bypasses capabilities entirely. Removing them everywhere is cleaner than gating per-OS.
- proxy.rs — Windows path arm via Tauri's path resolver. The old code hardcoded $USERPROFILE/.config/maple/proxy_config.json on Windows, which is the wrong path convention. Plumbing &AppHandle through the helpers lets us use app_config_dir() for the canonical %APPDATA%\cloud.opensecret.maple\. macOS/Linux behavior is byte-identical — atomic migration + keyring storage is deliberately deferred to keep this PR small.
- desktop-build.yml — windows-latest job. Mirrors the existing Linux job: pre-fetches ONNX Runtime so the ort crate skips its own download, runs tauri-action with --bundles nsis, uploads the .exe. Authenticode signing is deliberately out of scope here — adding it would block on certificate provisioning. Updater minisigning uses the existing repo secret so the build doesn't error out after producing the installer.

Manual smoke

Built and launched natively on a Parallels Win11 ARM64 VM (not the CI x64 artifact, but proves the same milestone). Installer ran per-user, no UAC. App launched, login screen rendered.

One gotcha worth flagging for future contributors: a missing frontend/.env.local produces a silent white-screen because Vite bakes env vars into the bundle at build time. Captured for a follow-up.

Out of scope (later PRs)

Code signing, proxy keyring + atomic config migration, TTS DLL bundling, deep-link install-mode hardening, UI/downloads copy, release.yml + auto-updater Windows entry, full acceptance test pass.

Test plan

- build-windows job uploads NSIS artifact
- proxy.rs AppHandle plumbing or bundle.targets change)

🤖 Generated with Claude Code
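
A regression check for the settings described in this PR, as an added example that is not part of the PR or the Maple repository: it flags a tauri.conf.json that would bring the msi bundler back or change the NSIS and WebView2 install modes, and any fs:allow-* scope still pointing at $HOME/.config/maple. The function names, the sample objects and the target list are assumptions made for illustration.

```javascript
// Added example; the sample configs are constructed, not copied from the Maple repo.
// Returns a list of violations for a parsed tauri.conf.json.
function lintTauriConf(conf) {
  const problems = [];
  const bundle = conf.bundle ?? {};
  const targets = bundle.targets;
  if (!Array.isArray(targets)) {
    // A non-list value such as "all" does not exclude the msi bundler.
    problems.push(`bundle.targets must be an explicit list, got ${JSON.stringify(targets)}`);
  } else if (targets.includes("msi")) {
    problems.push("bundle.targets includes msi (WiX template: HKLM, per-machine)");
  }
  const win = bundle.windows ?? {};
  if (win.nsis?.installMode !== "currentUser")
    problems.push("bundle.windows.nsis.installMode must be currentUser");
  if (win.webviewInstallMode?.type !== "downloadBootstrapper")
    problems.push("bundle.windows.webviewInstallMode.type must be downloadBootstrapper");
  return problems;
}

// Returns "identifier: path" for each fs:allow-* scope entry under $HOME/.config/maple.
function findDeadFsScopes(capability) {
  const hits = [];
  for (const perm of capability.permissions ?? []) {
    if (typeof perm === "string" || !perm.identifier?.startsWith("fs:allow-")) continue;
    for (const entry of perm.allow ?? []) {
      const path = typeof entry === "string" ? entry : entry.path;
      if (path?.startsWith("$HOME/.config/maple")) hits.push(`${perm.identifier}: ${path}`);
    }
  }
  return hits;
}

// Constructed inputs: `before` is the pre-PR shape the page describes.
const before = { bundle: { targets: "all" } };
const after = { bundle: {
  targets: ["nsis", "dmg", "app", "appimage", "deb"], // assumed list; the page gives none
  windows: { nsis: { installMode: "currentUser" },
             webviewInstallMode: { type: "downloadBootstrapper" } },
} };
const capability = { permissions: [
  "core:default",
  { identifier: "fs:allow-read-file",
    allow: [{ path: "$APPCONFIG/**" }, { path: "$HOME/.config/maple/**" }] },
] };

console.log(lintTauriConf(before), lintTauriConf(after), findDeadFsScopes(capability));
```

The checks cover only the config files; proxy.rs writes through std::fs, which the PR notes bypasses the capability system, so its paths need review in the Rust code itself.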