Walkthrough: Adds a new GitHub Actions workflow. Estimated code review effort: 2 (Simple), ~10 minutes. Pre-merge checks: 3 passed.
Actionable comments posted: 5
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In @.github/workflows/update-desktop.yml:
- Line 20: Replace the overly broad git config command "git config --global
safe.directory '*'" with a command that only trusts the specific workspace/repo
paths; e.g. add the workspace or repo path(s) explicitly using "git config
--global --add safe.directory <path>" (use $GITHUB_WORKSPACE or the checked-out
repo path) so you only mark the intended directory safe rather than all
directories.
- Around line 72-85: Before committing and creating the PR, check whether there
are any staged or unstaged changes and skip the commit/push and gh pr create
steps if there are none; update the "Commit and push" step (the block that runs
git config / git stage / git commit / git push) to detect no-op (e.g., use git
diff --cached --quiet or git status --porcelain) and only run git commit/git
push when changes exist, and update the following "Create pull request" step
(the block that writes pr_body.md and calls gh pr create) to be conditional on
the commit/push having actually happened (or on the same no-op check) so you
don't attempt to create a PR when params.yaml was unchanged.
- Around line 88-89: The "Slack Notification" step's condition uses if:
github.event_name == 'release', which never matches because this workflow is
triggered by repository_dispatch; update the condition on the "Slack
Notification" step (referenced as the job/step name "Slack Notification" and the
current if: github.event_name == 'release') to check the correct event (e.g.,
github.event_name == 'repository_dispatch') or remove the if entirely if you
always want the notification to run; ensure any branch or action-specific
filters (like github.event.action or github.event.client_payload keys) are used
if you only want notifications for specific repository_dispatch payloads.
- Around line 19-21: Replace the fragile git checkout -b
"feature/desktop-${DESKTOP_VERSION}" step with a replay-safe create-or-reset and
add version validation: validate DESKTOP_VERSION against a strict regex (e.g.,
semantic version like ^\d+\.\d+\.\d+$ or your agreed format) and exit with error
if it doesn't match, sanitize DESKTOP_VERSION into a safe branch segment
(replace/strip unsafe chars), then create/switch using a safe command such as
git switch -C "feature/desktop-${SAFE_VERSION}" (or test for existence with git
rev-parse --verify and git switch to it) so repeated dispatches won’t fail;
refer to DESKTOP_VERSION and the current git checkout -b line to locate where to
change this.
- Around line 45-56: The workflow currently always sets
.releases.${key}.checksum using RELEASE_DIGEST even when digest is empty,
producing an invalid checksum; modify the script so the checksum field is only
written when digest is non-empty/non-null (e.g., check the shell variable digest
or RELEASE_DIGEST before calling yq or construct the yq expression to include
the checksum assignment conditionally). Locate the block that computes
RELEASE_DIGEST="${digest#sha256:}" and the yq update that sets
.releases.${key}.checksum and ensure you skip adding the checksum assignment
when digest is empty or "null", leaving the checksum field untouched in
params.yaml in that case.
.github/workflows/update-desktop.yml
| run: | | ||
| git config --global safe.directory '*' | ||
| git checkout -b "feature/desktop-${DESKTOP_VERSION}" |
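Review bot: The `safe.directory '*'` setting on the first line of this step turns off git's repository ownership check for every path on the runner, not just this checkout. Add only the checked-out path instead, for example `git config --global --add safe.directory "$GITHUB_WORKSPACE"`.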
Make branch creation replay-safe and validate the version format.
A repeated dispatch for the same version will fail on git checkout -b, and malformed versions can produce invalid branch names.
🔧 Suggested fix
- name: Create new branch
run: |
- git config --global safe.directory '*'
- git checkout -b "feature/desktop-${DESKTOP_VERSION}"
+ [[ "$DESKTOP_VERSION" =~ ^[0-9]+\.[0-9]+\.[0-9]+([.-][0-9A-Za-z]+)*$ ]] || {
+ echo "Invalid DESKTOP_VERSION: $DESKTOP_VERSION" >&2
+ exit 1
+ }
+ git checkout -B "feature/desktop-${DESKTOP_VERSION}"📝 Committable suggestion
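Review bot: `git checkout -B` on the last added line only resets a local branch, so it does not cover the rerun failure the PR description names, which happens when pushing or creating the pull request for a branch that was already pushed; the push and `gh pr create` steps need their own handling for an existing remote branch. The added pattern also accepts a value such as `1.19.0.lock`, which git rejects as a ref name, so following the regex with `git check-ref-format --branch "feature/desktop-${DESKTOP_VERSION}"` would catch what the pattern misses. The hunk also deletes the `safe.directory` line without putting a scoped entry in its place.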
| run: | | |
| git config --global safe.directory '*' | |
| git checkout -b "feature/desktop-${DESKTOP_VERSION}" | |
| run: | | |
| [[ "$DESKTOP_VERSION" =~ ^[0-9]+\.[0-9]+\.[0-9]+([.-][0-9A-Za-z]+)*$ ]] || { | |
| echo "Invalid DESKTOP_VERSION: $DESKTOP_VERSION" >&2 | |
| exit 1 | |
| } | |
| git checkout -B "feature/desktop-${DESKTOP_VERSION}" |
This PR adds a new workflow to the repository to update the desktop download information automatically.
The workflow is triggered by a repository_dispatch event (basically a POST request). The event payload is expected to contain a version and the GitHub release object:

```
{
  "version": "1.19.0 or other version",
  "release": {
    "name": "1.19.0 Hotfix",
    "assets": [],
    ...more
  }
}
```

The information is parsed with jq and then params.yaml is updated with yq.

Afterwards, the changes are committed in a new branch and a pull request is created.
Note: If the branch is pushed, reruns of the workflow will fail when pushing/creating the pull request.
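The input checks the review asks for (a strict version format, and no checksum write when the digest is empty or `null`), as an added example that is not the workflow's or the reviewer's own code. It uses portable `case` and `grep -E` in place of `[[ =~ ]]`; the function names `validate_version`, `normalize_digest` and `plan_update` and the sample digest are assumptions.

```shell
#!/bin/sh
# Added example (not the workflow's code). Function names and the sample
# digest are constructed for illustration.
LC_ALL=C; export LC_ALL   # make the [0-9A-Za-z] ranges byte-exact

# Accept only the shape of the suggested regex, minus names git refuses.
validate_version() {
  v=$1
  # Allow-list characters first: this also rejects embedded newlines,
  # which a line-oriented grep would otherwise test one line at a time.
  case $v in
    ''|*[!0-9A-Za-z.-]*) return 1 ;;
  esac
  printf '%s\n' "$v" |
    grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+([.-][0-9A-Za-z]+)*$' || return 1
  # The pattern still admits a trailing ".lock", which is not a valid ref.
  case $v in *.lock) return 1 ;; esac
  return 0
}

# Print the bare 64-character hex digest, or fail when the payload had
# none (an empty string, or the literal "null" that jq -r emits).
normalize_digest() {
  d=${1#sha256:}
  [ "${#d}" -eq 64 ] || return 1
  case $d in *[!0-9A-Fa-f]*) return 1 ;; esac
  printf '%s\n' "$d"
}

# Decide what one dispatch is allowed to write.
plan_update() {
  validate_version "$1" || { echo "reject: invalid version" >&2; return 1; }
  echo "branch=feature/desktop-$1"
  if sum=$(normalize_digest "$2"); then
    echo "checksum=$sum"
  else
    echo "checksum=unchanged"   # leave the existing params.yaml value alone
  fi
}

# Constructed sample: SHA-256 of empty input.
SAMPLE_HEX=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
plan_update "1.19.0" "sha256:$SAMPLE_HEX"
plan_update "1.19.0" "null"
plan_update "1.19.0.lock" "" || true
```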