Packaging & Releases
Kangentic uses electron-builder to create platform-specific installers. Configuration lives in electron-builder.yml at the project root.
Platform Targets
| Platform | Format | Installer Type |
|---|---|---|
| Windows | .exe | NSIS (Nullsoft Scriptable Install System) |
| macOS | .dmg | Disk image with drag-to-install |
| Linux | .deb, .rpm | Native package manager formats |
Native Module Handling
Several native modules require special handling during packaging:
| Module | Strategy |
|---|---|
| better-sqlite3 | Rebuilt for the target Electron version via electron-builder rebuild |
| node-pty | Uses prebuilt binaries; falls back to rebuild if prebuilds unavailable |
| Bridge script | Selectively unpacked from ASAR to allow process spawning |
ASAR Packaging
The app is packaged as an ASAR archive for faster loading and to prevent casual modification. Selective unpacking is configured for:
- Native .node modules that require filesystem access
- The bridge script used for process spawning
Security Fuses
Production builds set Electron security fuses to harden the application:
| Fuse | Setting | Purpose |
|---|---|---|
| RunAsNode | Disabled | Prevents ELECTRON_RUN_AS_NODE environment variable |
| NodeOptions | Disabled | Prevents NODE_OPTIONS injection |
| Inspection | Disabled | Prevents --inspect debugging in production |
| Cookie Encryption | Enabled | Encrypts cookies at rest |
| ASAR Integrity | Enabled | Validates ASAR archive integrity on load |
Code Signing
Windows
Windows builds are signed using Azure Trusted Signing. The CI pipeline authenticates with Azure credentials and signs the NSIS installer during the build step.
macOS
macOS builds use:
- Hardened runtime — required for notarization
- Apple notarization — the DMG is submitted to Apple’s notary service and stapled before release
Release Workflow
Releases follow a structured process:
- Trigger: Run `/release patch|minor|major` in the repo — this bumps the version and pushes a git tag
- CI Build: The tag push triggers GitHub Actions, which builds on all three platforms (ubuntu, windows, macos)
- Draft Release: CI creates a draft GitHub Release with all platform artifacts attached
- Manual Review: A maintainer reviews the draft release and the build artifacts
- Publish: The maintainer publishes the release — this makes it visible to the auto-updater
- npm Publish: The launcher package is published to npm so `npx kangentic` downloads the new version
Environment Protection
The release workflow uses GitHub environment protection rules:
- Required reviewers must approve the deployment
- The `production` environment is protected with branch restrictions
CI Build Matrix
| Runner | Platform | Artifact |
|---|---|---|
| ubuntu-latest | Linux | .deb, .rpm |
| windows-latest | Windows | NSIS .exe |
| macos-latest | macOS | .dmg |
Local Testing
```sh
# Build the app without creating an installer
npm run package

# Create distributable installers locally
npm run make

# Test the full publish pipeline (dry run)
npm run publish -- --dry-run
```