fix: wire Winget automation into release pipeline

[pascalandr]

Summary

• wire Winget submission into the stable release pipeline instead of relying on a separate release.published workflow
• keep the existing release asset resolution and Komac-backed submission flow
• document the new trigger model and manual fallback path

Validation

• git diff --check origin/dev...HEAD
• node --check scripts/winget/resolve-release-asset.cjs
• node scripts/winget/resolve-release-asset.cjs --help
• live release metadata and asset-resolution dry-run against stable v0.17.0

Notes

• this fixes the case where a release created by GitHub Actions with the default GITHUB_TOKEN does not fan out into a second workflow run
• assumes the existing Winget repo secret/variables remain configured
• refs Update winget whenever new version is released #462

[github-actions]

PR builds are available as GitHub Actions artifacts:

https://github.com/NeuralNomadsAI/CodeNomad/actions/runs/27435600072

Artifacts expire in 7 days.
Artifacts: (none found on this run)

[github-actions]

PR builds are available as GitHub Actions artifacts:

https://github.com/NeuralNomadsAI/CodeNomad/actions/runs/27435791473

Artifacts expire in 7 days.
Artifacts:

• pr-551-7194ca609f31ccff71e62882561ad6269014c7c0-tauri-macos
• pr-551-7194ca609f31ccff71e62882561ad6269014c7c0-tauri-windows
• pr-551-7194ca609f31ccff71e62882561ad6269014c7c0-tauri-linux
• pr-551-7194ca609f31ccff71e62882561ad6269014c7c0-tauri-macos-arm64
• pr-551-7194ca609f31ccff71e62882561ad6269014c7c0-electron-macos
• pr-551-7194ca609f31ccff71e62882561ad6269014c7c0-electron-windows
• pr-551-7194ca609f31ccff71e62882561ad6269014c7c0-electron-linux

[github-actions]

PR builds are available as GitHub Actions artifacts:

https://github.com/NeuralNomadsAI/CodeNomad/actions/runs/27435791473

Artifacts expire in 7 days.
Artifacts:

• pr-551-7194ca609f31ccff71e62882561ad6269014c7c0-tauri-macos
• pr-551-7194ca609f31ccff71e62882561ad6269014c7c0-tauri-windows
• pr-551-7194ca609f31ccff71e62882561ad6269014c7c0-tauri-linux
• pr-551-7194ca609f31ccff71e62882561ad6269014c7c0-tauri-macos-arm64
• pr-551-7194ca609f31ccff71e62882561ad6269014c7c0-electron-macos
• pr-551-7194ca609f31ccff71e62882561ad6269014c7c0-electron-windows
• pr-551-7194ca609f31ccff71e62882561ad6269014c7c0-electron-linux

[shantur]

@pascalandr - Unwanted files in the PR

[github-actions]

PR builds are available as GitHub Actions artifacts:

https://github.com/NeuralNomadsAI/CodeNomad/actions/runs/27450668970

Artifacts expire in 7 days.
Artifacts:

• pr-551-ef129fd50bcc7d87e1cdc1ae60d986e1765e1529-tauri-macos
• pr-551-ef129fd50bcc7d87e1cdc1ae60d986e1765e1529-tauri-linux
• pr-551-ef129fd50bcc7d87e1cdc1ae60d986e1765e1529-tauri-windows
• pr-551-ef129fd50bcc7d87e1cdc1ae60d986e1765e1529-electron-macos
• pr-551-ef129fd50bcc7d87e1cdc1ae60d986e1765e1529-tauri-macos-arm64
• pr-551-ef129fd50bcc7d87e1cdc1ae60d986e1765e1529-electron-windows
• pr-551-ef129fd50bcc7d87e1cdc1ae60d986e1765e1529-electron-linux

[pascalandr]

@pascalandr - Unwanted files in the PR

sorry...

[pascalandr]

@CodeNomadBot

I want you to perform the gatekeeper checks for latest PR state

check for regressions
check for better possible implementations
Be the PR gatekeeper
Be ruthless about code quality

[codenomadbot]

Gatekeeper review for latest PR state complete.

Findings

No blocking regressions found.

What I checked

• Confirmed the PR now only touches the expected release/Winget automation files:
  • .github/workflows/reusable-release.yml
  • .github/workflows/update-winget.yml
  • docs/guides/winget-release-automation.md
• Reviewed the trigger migration from release.published to workflow_call from the stable release pipeline.
• Verified update-winget now waits on build-and-upload, so the Winget submission runs only after release asset upload jobs finish.
• Verified prerelease/dev releases are still excluded through if: ${{ !inputs.prerelease }} in the caller and draft/prerelease metadata checks in the called workflow.
• Verified the old resolver and Komac submission path are preserved: same asset template, same release asset resolver, same fork validation, same winget-releaser@v2 submission.
• Checked manual fallback remains available through workflow_dispatch with release_tag and optional release_id.

Validation run

• git diff --check origin/dev...HEAD passed.
• node --check scripts/winget/resolve-release-asset.cjs passed.
• node scripts/winget/resolve-release-asset.cjs --help passed.
• YAML parse check passed for the changed workflow files.
• Worktree remained clean after review.

Non-blocking quality notes

• .github/workflows/update-winget.yml calls gh api "$release_api" four times for the same release metadata. This is correct but not ideal. A tighter implementation would fetch once and derive id, tag_name, draft, and prerelease from the single response to reduce API calls and avoid theoretically inconsistent reads.
• actionlint is not installed in this environment, so I could not run a true GitHub Actions semantic lint. Static YAML parsing passed, but that is weaker than actionlint.
• I attempted a live resolver smoke test against v0.17.0, but the numeric release id available to me was not reliable and the public release API returned 404 for that id. I am not counting that as a PR failure because the changed workflow resolves the id dynamically by tag before invoking the resolver.

Gatekeeper verdict

Approved from a regression/code-quality standpoint. The implementation is scoped, fixes the GITHUB_TOKEN release event fan-out trap, preserves the existing Winget submission behavior, and documents the new trigger/manual fallback model. I would not block merge on the non-blocking cleanup suggestions above.

--
Yours,
CodeNomadBot