Our link checker `lychee` doesn't appear to de-duplicate requests to the
same URL which causes 429 errors with GitHub. To workaround this, we
reduce the concurrency to 1 and activate `lychee`'s cache. This cache is
just a file on disk. We don't need to actually save this in GitHub
actions' cache because all we want is for lychee to not make a request
to same URL again in the same session.
Related: https://github.com/lycheeverse/lychee-action/issues/289
The current `rust/` directory is a bit of a wild-west in terms of how
the crates are organised. Most of them are simply at the top-level when
in reality, they are all `connlib`-related. The Apple and Android FFI
crates - which are entrypoints in the Rust code are defined several
layers deep.
To improve the situation, we move around and rename several crates. The
end result is that all top-level crates / directories are:
- Either entrypoints into the Rust code, i.e. applications such as
Gateway, Relay or a Client
- Or crates shared across all those entrypoints, such as `telemetry` or
`logging`
In order to experiment with alternative GUI libraries, we extracted a
`gui-client-common` crate that would hold GUI-library agnostic code.
We've since upgraded to Tauri v2 and settled on that as the GUI
framework for the Windows and Linux Firezone Clients. Therefore this
abstraction is unnecessary and can be removed again.
This makes it easier to work on the GUI client and also allows the
compiler to flag unused code more easily.
Running `clippy` first is more useful because it provides better
feedback around compile-errors. When working with cross-platform code,
it is often the case that one needs to push to CI to ensure everything
builds. Therefore, getting fast feedback is important.
GitHub's Windows runners are very slow. In order to not prolong CI runs
too much, we set the number of _additional_ proptest cases for Windows
to 0. This means we still run all the regression seeds that we've
accumulated in `proptest-regressions/tests.txt` and simply don't
generate any new ones on top of it.
This is also a good benchmark to ensure that our regression seeds cover
all cases that we are testing further down below using the coverage
grepping.
Related: #8948
By default, proptest runs all regression cases + 256 new ones. Given
that we run the tests on 3 different operating systems in various
versions each and that on each PR, we are likely hitting enough
different cases to detect any bugs.
Related: #8948
These take a long time and there is not really any benefit. We already
run smoke-tests on both Windows and Linux runners which ensures that the
GUI and IPC service compile and start. In addition, we run clippy across
the entire Rust codebase.
The only thing that doesn't get tested in CI if we remove this is the
bundling of the applications. This however rarely changes and one can
always trigger the Tauri workflow manually for a PR to see if certain
changes are working.
Related: #8948
Instead of explicitly listing every package we want to compile, attempt
to compile the entire workspace and exclude the ones we know won't work
on Windows.
The debug build is good enough if one wants to test a particular PR on a
real device. When necessary, a release build can be trigger explicitly
for a particular branch.
Related: #8948
Our GitHub actions packages are not being updated. This may be a reason
why.
Edit: Looks like it's not applying to our composite actions in
.github/actions. Will see if this fixes it.
Bumps
[actions/download-artifact](https://github.com/actions/download-artifact)
from 4.2.1 to 4.3.0.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/actions/download-artifact/releases">actions/download-artifact's
releases</a>.</em></p>
<blockquote>
<h2>v4.3.0</h2>
<h2>What's Changed</h2>
<ul>
<li>feat: implement new <code>artifact-ids</code> input by <a
href="https://github.com/GrantBirki"><code>@GrantBirki</code></a> in <a
href="https://redirect.github.com/actions/download-artifact/pull/401">actions/download-artifact#401</a></li>
<li>Fix workflow example for downloading by artifact ID by <a
href="https://github.com/joshmgross"><code>@joshmgross</code></a> in <a
href="https://redirect.github.com/actions/download-artifact/pull/402">actions/download-artifact#402</a></li>
<li>Prep for v4.3.0 release by <a
href="https://github.com/robherley"><code>@robherley</code></a> in <a
href="https://redirect.github.com/actions/download-artifact/pull/404">actions/download-artifact#404</a></li>
</ul>
<h2>New Contributors</h2>
<ul>
<li><a
href="https://github.com/GrantBirki"><code>@GrantBirki</code></a> made
their first contribution in <a
href="https://redirect.github.com/actions/download-artifact/pull/401">actions/download-artifact#401</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/actions/download-artifact/compare/v4.2.1...v4.3.0">https://github.com/actions/download-artifact/compare/v4.2.1...v4.3.0</a></p>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="d3f86a106a"><code>d3f86a1</code></a>
Merge pull request <a
href="https://redirect.github.com/actions/download-artifact/issues/404">#404</a>
from actions/robherley/v4.3.0</li>
<li><a
href="fc02353415"><code>fc02353</code></a>
prep for v4.3.0 release</li>
<li><a
href="77454371a4"><code>7745437</code></a>
Merge pull request <a
href="https://redirect.github.com/actions/download-artifact/issues/402">#402</a>
from actions/joshmgross/download-by-id-example</li>
<li><a
href="84fc7a0a35"><code>84fc7a0</code></a>
Remove path filters from Check dist workflow</li>
<li><a
href="67f2bc382f"><code>67f2bc3</code></a>
Fix workflow example for downloading by artifact ID</li>
<li><a
href="8ea3c2c174"><code>8ea3c2c</code></a>
Merge pull request <a
href="https://redirect.github.com/actions/download-artifact/issues/401">#401</a>
from actions/download-by-id</li>
<li><a
href="d219c630f6"><code>d219c63</code></a>
add supporting unit tests for artifact downloads with ids</li>
<li><a
href="54124fbd88"><code>54124fb</code></a>
revert <code>getArtifact()</code> changes - for now we have to list and
filter by artifa...</li>
<li><a
href="b83057b90d"><code>b83057b</code></a>
bundle</li>
<li><a
href="171183c7dc"><code>171183c</code></a>
use the same <code>artifactClient.getArtifact</code> structure as seen
above in `isSingl...</li>
<li>Additional commits viewable in <a
href="95815c38cf...d3f86a106a">compare
view</a></li>
</ul>
</details>
<br />
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps
[taiki-e/install-action](https://github.com/taiki-e/install-action) from
2.49.50 to 2.50.4.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/taiki-e/install-action/releases">taiki-e/install-action's
releases</a>.</em></p>
<blockquote>
<h2>2.50.4</h2>
<ul>
<li>
<p>Update <code>typos@latest</code> to 1.31.2.</p>
</li>
<li>
<p>Update <code>osv-scanner@latest</code> to 2.0.2.</p>
</li>
<li>
<p>Update <code>cargo-nextest@latest</code> to 0.9.95.</p>
</li>
</ul>
<h2>2.50.3</h2>
<ul>
<li>Update <code>cargo-zigbuild@latest</code> to 0.20.0.</li>
</ul>
<h2>2.50.2</h2>
<ul>
<li>
<p>Update <code>cargo-lambda@latest</code> to 1.8.4.</p>
</li>
<li>
<p>Update <code>syft@latest</code> to 1.23.1.</p>
</li>
</ul>
<h2>2.50.1</h2>
<ul>
<li>
<p>Update <code>syft@latest</code> to 1.23.0.</p>
</li>
<li>
<p>Update <code>cargo-semver-checks@latest</code> to 0.41.0.</p>
</li>
</ul>
<h2>2.50.0</h2>
<ul>
<li>
<p>Support <code>taplo</code>. (<a
href="https://redirect.github.com/taiki-e/install-action/pull/944">#944</a>,
thanks <a
href="https://github.com/vivienm"><code>@vivienm</code></a>)</p>
</li>
<li>
<p>Update <code>wasmtime@latest</code> to 32.0.0.</p>
</li>
<li>
<p>Update <code>release-plz@latest</code> to 0.3.133.</p>
</li>
</ul>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/taiki-e/install-action/blob/main/CHANGELOG.md">taiki-e/install-action's
changelog</a>.</em></p>
<blockquote>
<h1>Changelog</h1>
<p>All notable changes to this project will be documented in this
file.</p>
<p>This project adheres to <a href="https://semver.org">Semantic
Versioning</a>.</p>
<!-- raw HTML omitted -->
<h2>[Unreleased]</h2>
<h2>[2.50.4] - 2025-05-01</h2>
<ul>
<li>
<p>Update <code>typos@latest</code> to 1.31.2.</p>
</li>
<li>
<p>Update <code>osv-scanner@latest</code> to 2.0.2.</p>
</li>
<li>
<p>Update <code>cargo-nextest@latest</code> to 0.9.95.</p>
</li>
</ul>
<h2>[2.50.3] - 2025-04-26</h2>
<ul>
<li>Update <code>cargo-zigbuild@latest</code> to 0.20.0.</li>
</ul>
<h2>[2.50.2] - 2025-04-26</h2>
<ul>
<li>
<p>Update <code>cargo-lambda@latest</code> to 1.8.4.</p>
</li>
<li>
<p>Update <code>syft@latest</code> to 1.23.1.</p>
</li>
</ul>
<h2>[2.50.1] - 2025-04-25</h2>
<ul>
<li>
<p>Update <code>syft@latest</code> to 1.23.0.</p>
</li>
<li>
<p>Update <code>cargo-semver-checks@latest</code> to 0.41.0.</p>
</li>
</ul>
<h2>[2.50.0] - 2025-04-21</h2>
<ul>
<li>
<p>Support <code>taplo</code>. (<a
href="https://redirect.github.com/taiki-e/install-action/pull/944">#944</a>,
thanks <a
href="https://github.com/vivienm"><code>@vivienm</code></a>)</p>
</li>
<li>
<p>Update <code>wasmtime@latest</code> to 32.0.0.</p>
</li>
<li>
<p>Update <code>release-plz@latest</code> to 0.3.133.</p>
</li>
</ul>
<h2>[2.49.50] - 2025-04-16</h2>
<ul>
<li>Update <code>grcov@latest</code> to 0.9.1.</li>
</ul>
<h2>[2.49.49] - 2025-04-13</h2>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="33734a1186"><code>33734a1</code></a>
Release 2.50.4</li>
<li><a
href="014b96a1bb"><code>014b96a</code></a>
Update <code>typos@latest</code> to 1.31.2</li>
<li><a
href="35a81c61b8"><code>35a81c6</code></a>
Update <code>osv-scanner@latest</code> to 2.0.2</li>
<li><a
href="f3c9944420"><code>f3c9944</code></a>
Update <code>cargo-nextest@latest</code> to 0.9.95</li>
<li><a
href="ab3728c7ba"><code>ab3728c</code></a>
Release 2.50.3</li>
<li><a
href="6d5ef845d7"><code>6d5ef84</code></a>
Update <code>cargo-zigbuild@latest</code> to 0.20.0</li>
<li><a
href="52d0e7adc5"><code>52d0e7a</code></a>
Release 2.50.2</li>
<li><a
href="a69f86f003"><code>a69f86f</code></a>
Update <code>cargo-lambda@latest</code> to 1.8.4</li>
<li><a
href="b790d400b3"><code>b790d40</code></a>
Update <code>syft@latest</code> to 1.23.1</li>
<li><a
href="067268f3aa"><code>067268f</code></a>
Release 2.50.1</li>
<li>Additional commits viewable in <a
href="09dc018eee...33734a1186">compare
view</a></li>
</ul>
</details>
<br />
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
This tunnel throughput benchmark isn't a very useful benchmark and it is
very flaky. Remove it entirely until we can replace it with something
more robust and useful.
Resolves: #8172
Firezone's control plane is a realtime, distributed system that relies
on a broadcast/subscribe system to function. In many cases, these events
are broadcasted whenever relevant data in the DB changes, such as an
actor losing access to a policy, a membership being deleted, and so
forth.
Today, this is handled in the application layer, typically happening at
the place where the relevant DB call is made (i.e. in an
`after_commit`). While this approach has worked thus far, it has several
issues:
1. We have no guarantee that the DB change will issue a broadcast. If
the application is deployed or the process crashes after the DB changes
are made but before the broadcast happens, we will have potentially
failed to update any connected clients or gateways with the changes.
2. We have no guarantee that the order of DB updates will be maintained
in order for broadcasts. In other words, app server A could win its DB
operation against app server B, but then proceed to lose being the first
to broadcast.
3. If the cluster is in a bad state where broadcasts may return an error
(i.e. https://github.com/firezone/firezone/issues/8660), we will never
retry the broadcast.
To fix the above issues, we introduce a WAL logical decoder that process
the event stream one message at a time and performs any needed work.
Serializability is guaranteed since we only process the WAL in a single,
cluster-global process, `ReplicationConnection`. Durability is also
guaranteed since we only ACK WAL segments after we've successfully
ingested the event.
This means we will only advance the position of our WAL stream after
successfully broadcasting the event.
This PR only introduces the WAL stream processing system but does not
introduce any changes to our current broadcasting behavior - that's
saved for another PR.
When working on the Rust code of Firezone from a MacOS computer, it is
useful to have pretty much all of the code at least compile to ensure
detect problems early. Eventually, once we target features like a
headless MacOS client, some of these stubs will actually be filled in an
be functional.
Turns out that the standard `pgoutput` plugin shipped with Postgres will
do everything we need it to, and there are good examples of prior art
decoding its binary output in Elixir (in production).
So to avoid adding a dependency on `wal2json` here, we'll go with that.
In order to develop and test WAL replication, we need the wal2json
module installed in our dev postgres image. The module itself builds
very quickly, but I thought it would be better to have this
automatically built and pushed as part of a nightly job so that CI and
developers can make use of it.
In #8795 we added an additional path to the artifact upload which
appeared to have broken it. The action cannot seem to handle multiple
direct paths that lead to files. It tries to but fails:
```
Multiple search paths detected. Calculating the least common ancestor of all paths
The least common ancestor is /Users/runner/work/firezone/firezone/"/Users/runner/work/_temp. This will be the root directory of the artifact
Warning: No files were found with the provided path: "/Users/runner/work/_temp/firezone-macos-client-1.4.12.dmg"
"/Users/runner/work/_temp/firezone-macos-client-1.4.12.pkg". No artifacts will be uploaded.
```
Source:
https://github.com/firezone/firezone/actions/runs/14571295945/job/40868936348#step:7:31
Splitting this step into two and creating one artifact each fixes this
as can be seen in the following job (which I triggered for this PR):
https://github.com/firezone/firezone/actions/runs/14572176039/job/40871304453
Bumps
[taiki-e/install-action](https://github.com/taiki-e/install-action) from
2.49.46 to 2.49.50.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/taiki-e/install-action/releases">taiki-e/install-action's
releases</a>.</em></p>
<blockquote>
<h2>2.49.50</h2>
<ul>
<li>Update <code>grcov@latest</code> to 0.9.1.</li>
</ul>
<h2>2.49.49</h2>
<ul>
<li>Update <code>release-plz@latest</code> to 0.3.132.</li>
</ul>
<h2>2.49.48</h2>
<ul>
<li>
<p>Update <code>release-plz@latest</code> to 0.3.131.</p>
</li>
<li>
<p>Update <code>cargo-nextest@latest</code> to 0.9.94.</p>
</li>
<li>
<p>Update <code>cargo-lambda@latest</code> to 1.8.3.</p>
</li>
</ul>
<h2>2.49.47</h2>
<ul>
<li>Update <code>grcov@latest</code> to 0.9.0.</li>
</ul>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/taiki-e/install-action/blob/main/CHANGELOG.md">taiki-e/install-action's
changelog</a>.</em></p>
<blockquote>
<h1>Changelog</h1>
<p>All notable changes to this project will be documented in this
file.</p>
<p>This project adheres to <a href="https://semver.org">Semantic
Versioning</a>.</p>
<!-- raw HTML omitted -->
<h2>[Unreleased]</h2>
<ul>
<li>Update <code>release-plz@latest</code> to 0.3.133.</li>
</ul>
<h2>[2.49.50] - 2025-04-16</h2>
<ul>
<li>Update <code>grcov@latest</code> to 0.9.1.</li>
</ul>
<h2>[2.49.49] - 2025-04-13</h2>
<ul>
<li>Update <code>release-plz@latest</code> to 0.3.132.</li>
</ul>
<h2>[2.49.48] - 2025-04-11</h2>
<ul>
<li>
<p>Update <code>release-plz@latest</code> to 0.3.131.</p>
</li>
<li>
<p>Update <code>cargo-nextest@latest</code> to 0.9.94.</p>
</li>
<li>
<p>Update <code>cargo-lambda@latest</code> to 1.8.3.</p>
</li>
</ul>
<h2>[2.49.47] - 2025-04-09</h2>
<ul>
<li>Update <code>grcov@latest</code> to 0.9.0.</li>
</ul>
<h2>[2.49.46] - 2025-04-08</h2>
<ul>
<li>
<p>Update <code>espup@latest</code> to 0.15.0.</p>
</li>
<li>
<p>Update <code>trunk@latest</code> to 0.21.13.</p>
</li>
</ul>
<h2>[2.49.45] - 2025-04-06</h2>
<ul>
<li>
<p>Update <code>knope@latest</code> to 0.19.2.</p>
</li>
<li>
<p>Update <code>cargo-binstall@latest</code> to 1.12.3.</p>
</li>
</ul>
<h2>[2.49.44] - 2025-04-03</h2>
<ul>
<li>Update <code>grcov@latest</code> to 0.8.24.</li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="09dc018eee"><code>09dc018</code></a>
Release 2.49.50</li>
<li><a
href="2cd02413f6"><code>2cd0241</code></a>
Update <code>grcov@latest</code> to 0.9.1</li>
<li><a
href="be7c31b674"><code>be7c31b</code></a>
Release 2.49.49</li>
<li><a
href="a5bc3ba681"><code>a5bc3ba</code></a>
Update <code>release-plz@latest</code> to 0.3.132</li>
<li><a
href="5e434d4644"><code>5e434d4</code></a>
Release 2.49.48</li>
<li><a
href="e4c4a414ab"><code>e4c4a41</code></a>
Update <code>release-plz@latest</code> to 0.3.131</li>
<li><a
href="80a9f78f16"><code>80a9f78</code></a>
Update <code>cargo-nextest@latest</code> to 0.9.94</li>
<li><a
href="7722c176d5"><code>7722c17</code></a>
Update <code>cargo-lambda@latest</code> to 1.8.3</li>
<li><a
href="a48a50298f"><code>a48a502</code></a>
Release 2.49.47</li>
<li><a
href="63533c4988"><code>63533c4</code></a>
Update <code>grcov@latest</code> to 0.9.0</li>
<li>See full diff in <a
href="2db346588e...09dc018eee">compare
view</a></li>
</ul>
</details>
<br />
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Microsoft Intune's DMG provisioner currently fails unexpectedly when
trying to provision our published DMG file with the error:
> The DMG file couldn't be mounted for installation. Check the DMG file
if the error persists. (0x87D30139)
I ran the following verification commands locally, which all passed:
```
hdiutil verify -verbose <dmg>
hdiutil imageinfo -verbose <dmg>
hdiutil hfsanalyze -verbose <dmg>
hdiutil checksum -type SHA256 -verbose <dmg>
hdiutil info -verbose
hdiutil pmap -verbose <dmg>
```
So the issue appears to be most likely that Intune doens't like the
`/Applications` shortcut in the DMG. This is a UX feature to make it
easy to drag the application the /Applications folder upon opening the
DMG.
So we're publishing an PKG in addition to the DMG, which should be a
more reliable artifact for MDMs to use.
---------
Signed-off-by: Jamil <jamilbk@users.noreply.github.com>
When testing certain PRs, it's helpful to have signed release builds for
various platforms.
These can be built by manually triggering their respective workflow from
the GitHub UI. In these cases, we want to upload the artifacts to the
workflow run, but _not_ upload the artifacts to the release.
We only want to upload artifacts to the release if the `github.ref_name`
is `main`.
