teamsiso/docs/RELEASING.md

# Releasing TeamsISO

The release workflow at `.forgejo/workflows/release.yml` runs on **annotated tag pushes
matching `v*.*.*`**. It builds, tests, publishes, packages an MSI, and uploads the
MSI as a release asset.

## Prerequisites

- A **Windows runner** registered to this Forgejo instance. WiX MSI builds require
  Windows; the existing CI runs on Linux for unit tests, but releases need a
  separate Windows runner. Register one with `forgejo-runner register` against a
  Windows host that has the .NET 8 SDK + WiX SDK access (the WiX SDK pulls itself
  via NuGet at build time, so no separate install).
- The repository's **Create release on tag push** setting on (default), or skip it —
  the workflow will create the release if one doesn't exist.

## Cutting a release

```sh
# Bump the version in Directory.Build.props if you haven't already.
git tag -a v1.0.0 -m "TeamsISO 1.0.0"
git push origin v1.0.0
```

The workflow will:

1. Restore + build `TeamsISO.Windows.slnf` in Release with the tag's version.
2. Run unit tests (the `requires=ndi` integration tier is skipped — it needs a
   real NDI runtime which a CI runner won't have).
3. Publish `TeamsISO.App` and `TeamsISO.Console` for `win-x64`,
   framework-dependent (.NET 8 Desktop runtime is the user's responsibility).
4. Build `installer/TeamsISO.Installer.wixproj`, producing
   `TeamsISO-Setup-<version>.msi`.
5. Upload the MSI as a workflow artifact (downloadable from the run page).
6. Attach the MSI to the GitHub-style Release for the tag, creating the release
   first if it doesn't exist. Pre-release flag is set automatically when the
   tag contains `-alpha`, `-beta`, or `-rc`.

## Code signing (TODO)

The `wixproj` has a `SignOutput` property hook but no actual cert wiring. For a
v1.0 release, sign the MSI with an EV cert before publishing:

1. Add a `SIGNING_CERT_BASE64` and `SIGNING_CERT_PASSWORD` to repo Secrets.
2. Decode the cert into the runner's cert store at the start of the workflow.
3. Set `/p:SignOutput=true` on the `dotnet build` of the wixproj and configure
   `signtool` invocation (the installer project will need a custom target).

Until that lands, downstream users will see the standard Windows SmartScreen
warning on first launch — annoying but not blocking for early adopters.
ci(forgejo): release workflow on tag push -> MSI artifact + release asset .forgejo/workflows/release.yml triggers on annotated tag pushes matching v..*. The workflow runs on a Windows runner (required for WiX MSI), restores and builds the Windows solution filter, runs unit tests (skipping the requires=ndi tier — CI runners don't have NDI), publishes TeamsISO.App + TeamsISO.Console for win-x64 framework-dependent, builds the WiX MSI scaffold, and uploads the MSI both as a workflow artifact (downloadable from the run page) and as an asset on the auto-created Release for the tag. Tag version is parsed from refs/tags/vX.Y.Z and threaded into /p:Version on every dotnet build invocation so the publish output, the assembly metadata, and the MSI ProductVersion all agree. Release-asset upload uses the Forgejo REST API directly via curl + Invoke-RestMethod rather than depending on a third-party action; if the auto-create-release-on-tag-push setting is off, the workflow creates the release itself. Pre-release flag is set when the tag contains -alpha/-beta/-rc. docs/RELEASING.md walks through cutting a release and flags the code-signing TODO (SignOutput property is wired but no cert; SmartScreen will warn on first launch until that lands). 2026-05-08 00:48:57 -04:00			`# Releasing TeamsISO`

			The release workflow at `.forgejo/workflows/release.yml` runs on **annotated tag pushes
			matching `v..`*. It builds, tests, publishes, packages an MSI, and uploads the
			`MSI as a release asset.`

			`## Prerequisites`

			`- A Windows runner registered to this Forgejo instance. WiX MSI builds require`
			`Windows; the existing CI runs on Linux for unit tests, but releases need a`
			separate Windows runner. Register one with `forgejo-runner register` against a
			`Windows host that has the .NET 8 SDK + WiX SDK access (the WiX SDK pulls itself`
			`via NuGet at build time, so no separate install).`
			`- The repository's Create release on tag push setting on (default), or skip it —`
			`the workflow will create the release if one doesn't exist.`

			`## Cutting a release`

			```sh
			`# Bump the version in Directory.Build.props if you haven't already.`
			`git tag -a v1.0.0 -m "TeamsISO 1.0.0"`
			`git push origin v1.0.0`
			```

			`The workflow will:`

			1. Restore + build `TeamsISO.Windows.slnf` in Release with the tag's version.
			2. Run unit tests (the `requires=ndi` integration tier is skipped — it needs a
			`real NDI runtime which a CI runner won't have).`
			3. Publish `TeamsISO.App` and `TeamsISO.Console` for `win-x64`,
			`framework-dependent (.NET 8 Desktop runtime is the user's responsibility).`
			4. Build `installer/TeamsISO.Installer.wixproj`, producing
			`TeamsISO-Setup-<version>.msi`.
			`5. Upload the MSI as a workflow artifact (downloadable from the run page).`
			`6. Attach the MSI to the GitHub-style Release for the tag, creating the release`
			`first if it doesn't exist. Pre-release flag is set automatically when the`
			tag contains `-alpha`, `-beta`, or `-rc`.

			`## Code signing (TODO)`

			The `wixproj` has a `SignOutput` property hook but no actual cert wiring. For a
			`v1.0 release, sign the MSI with an EV cert before publishing:`

			1. Add a `SIGNING_CERT_BASE64` and `SIGNING_CERT_PASSWORD` to repo Secrets.
			`2. Decode the cert into the runner's cert store at the start of the workflow.`
			3. Set `/p:SignOutput=true` on the `dotnet build` of the wixproj and configure
			`signtool` invocation (the installer project will need a custom target).

			`Until that lands, downstream users will see the standard Windows SmartScreen`
			`warning on first launch — annoying but not blocking for early adopters.`