will/flynn
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
3f6232d1fbdb48136f256fadbc8b157f2f682389
flynn/docs/operations/COMPANION_RELEASE_BUNDLE.md
T
William Valentin 30cf5c5ea6 ci(companion): add bundle build-verify-upload workflow
2026-02-26 19:40:53 -08:00

132 lines
3.2 KiB
Markdown
Raw Blame History

# Companion Release Bundle Runbook
This runbook covers generating, verifying, and launching Flynn companion shell bundles.
## Generate Bundle
From a Flynn host:
```bash
flynn companion \
--platform macos \
--node-id companion-macbook \
--app-version 1.0.0 \
--export-release-bundle ./dist/companion-macos
```
Generated files:
- `companion.bootstrap.json`
- `run-companion.sh`
- `README.md`
- `CHECKSUMS.sha256`
- `RELEASE_MANIFEST.json`
Optional signed export:
```bash
flynn companion \
--platform macos \
--node-id companion-macbook \
--export-release-bundle ./dist/companion-macos \
--signing-key ./keys/release-private.pem \
--signing-key-id team-k1
```
Additional file:
- `CHECKSUMS.sha256.sig`
One-command automation:
```bash
pnpm companion:bundle -- \
--output ./dist/companion-macos \
--platform macos \
--signing-key ./keys/release-private.pem \
--signing-key-id team-k1
```
This script builds the bundle and immediately verifies checksums/signatures before returning success.
Reference app starters can be regenerated in-repo with:
```bash
pnpm companion:reference-apps -- --output ./apps/companion
```
CI automation:
- `.github/workflows/companion-release-bundle.yml` provides a manual-dispatch workflow that generates an ephemeral signing key, builds/verifies a bundle with `pnpm companion:bundle`, and uploads artifacts.
## Generate Platform Starter Shell Template
For native app bootstrapping (without launcher/checksum artifacts), export a platform template:
```bash
flynn companion \
--platform ios \
--node-id companion-ios \
--export-shell-template ./dist/companion-ios-template
```
Generated files:
- `companion.bootstrap.json`
- platform starter file (`CompanionBootstrap.swift`, `CompanionBootstrap.kt`, or `MenuBarCompanion.swift`)
- `README.md`
## Verify Bundle Integrity
On the target host (before launch), verify checksums:
```bash
cd ./dist/companion-macos
sha256sum --check CHECKSUMS.sha256
```
Expected result:
- all bundle files report `OK`
If signature is present, verify `CHECKSUMS.sha256.sig` with your org signing key policy before launch.
Automated CLI verification mode:
```bash
flynn companion \
--verify-release-bundle ./dist/companion-macos \
--verify-signing-key ./keys/release-public.pem \
--verify-signing-key-id team-k1 \
--require-signature
```
## Launch
```bash
./run-companion.sh
```
Launcher behavior:
- verifies `CHECKSUMS.sha256` before invoking `flynn companion`
- aborts launch on checksum mismatch or missing checksum tooling
Optional handoff smoke test:
```bash
./run-companion.sh --handoff "status check"
```
## Platform Notes
- `ios` and `macos` default push provider to `apns` when `--push-token` is set.
- `android` defaults push provider to `fcm` when `--push-token` is set.
- For `linux`, `windows`, or `unknown` platforms, specify `--push-provider` explicitly when using `--push-token`.
## Distribution Guidance
- Treat `companion.bootstrap.json` as sensitive if it includes gateway tokens or push tokens.
- Remove or rotate secrets before sharing bundles externally.
- For signed releases, sign the bundle directory or tarball with your standard org release-signing process after checksum verification.
Reference in New Issue View Git Blame Copy Permalink