Wire Forge-native release infrastructure
Some checks failed
Cache: Publish Nix / Publish Nix Cache (push) Waiting to run
Build Rust / Cargo Test (push) Successful in 4m14s
Build Site / Next.js Build (push) Failing after 6s
Infra: OpenTofu / OpenTofu (grafana) (push) Successful in 5s
Lint Governance / BEP Metadata (push) Successful in 0s
Build: Android / Android Rust Core Stub (push) Failing after 23s

This commit is contained in:
Conrad Kramer 2026-06-07 05:51:12 -07:00
parent 97c569fb35
commit 002bd382e9
199 changed files with 14268 additions and 185 deletions

View file

@ -0,0 +1,22 @@
# Android Store Metadata
This directory is the repo-owned home for Android distribution metadata.
Current state:
- Kotlin app shell exists under `Android/app`.
- Rust core FFI exists under `crates/burrow-mobile-ffi`.
- full VPN support is not enabled yet.
Before Play Store upload:
- implement Android `VpnService`
- complete the Play VPN service declaration
- complete data-safety review
- wire signing through the release signing lane
Before F-Droid upload:
- add reproducible metadata
- keep a source-built flavor without proprietary Play dependencies
- document Rust core build inputs and target ABIs

View file

@ -0,0 +1,18 @@
# App Store Connect Metadata
This directory is the repo-owned home for Burrow App Store Connect metadata.
The release upload lane expects dedicated App Store Connect API credentials
sealed with agenix:
- `secrets/apple/appstore-connect.env.age`
That single secret contains the key ID, issuer ID, and base64-encoded `.p8`.
CI decrypts it into a temporary App Store Connect key file, syncs provisioning
profiles from App Store Connect, and then uploads `.ipa`/`.pkg` artifacts.
Forgejo secrets should only provide the runner age identity fallback, not the
App Store key itself.
The initial release pipeline can upload `.ipa` and `.pkg` artifacts once the
Apple build lane produces signed outputs. TestFlight external distribution must
remain explicit until review metadata, groups, and tester policy are complete.

View file

@ -0,0 +1 @@
Burrow is a VPN client for infrastructure operated by the Burrow project.

View file

@ -0,0 +1 @@
contact@burrow.net

View file

@ -0,0 +1 @@
contact@burrow.net

View file

@ -0,0 +1 @@
Operator

View file

@ -0,0 +1 @@
Use the dedicated Burrow test account supplied out of band for review. The app talks to the local Burrow daemon over its gRPC boundary.

View file

@ -0,0 +1,8 @@
# Flatpak Metadata
Flatpak is a desktop GUI distribution lane for Burrow.
The Flatpak package should not be considered a complete VPN backend unless a
host daemon or privileged helper is installed and verified. The GUI can manage
configuration and status through a constrained local API, while TUN, routes,
DNS, and firewall state remain outside the sandbox.

View file

@ -0,0 +1,30 @@
# Sparkle Release Channel
Burrow stages Sparkle files under `dist/builds/<build>/sparkle/<channel>/` and
publishes them through `.forgejo/workflows/publish-store-uploads.yml`.
The current implementation prepares the channel and public pointer layout:
- `sparkle/<channel>/appcast.xml`
- `sparkle/appcast.xml`
- `sparkle/default/`
- `sparkle/main-channel.txt`
Sparkle enclosure signatures can be produced with the non-exportable
`sparkle-ed25519` Google KMS key:
```sh
Scripts/sparkle/sign-appcast-kms.py \
--appcast dist/builds/<build>/sparkle/<channel>/appcast.xml \
--artifact-dir dist/builds/<build>/sparkle/<channel>
```
The public EdDSA key embedded in macOS release builds is:
```text
Myv9ZNZT6YGKMtMezh52ra4WqaeEKc4VlvVU0evhJeI=
```
The build lane only signs appcasts when `BURROW_SPARKLE_SIGN_WITH_KMS=true`.
The live Google KMS key uses `EC_SIGN_ED25519` with software protection because
Google KMS rejects Ed25519 for HSM protection level.