Summary
The v0.2.83 release is half-complete and stuck. crates.io publish, the git tag, and the draft GitHub release all succeeded, but the macOS DMG notarization failed with an Apple account agreement error (HTTP 403), which hard-blocks the attach-to-release job. As a result the GitHub release is still a draft with 0 assets, and the downstream cascade (gateway-update, release-announce) never fired. Gateways remain on 0.2.82.
This requires a manual account action by the Apple Developer account holder (@sanity) — no code/CI change can fix it.
What succeeded
What failed
cross-compile.yml run 28194173535, job "Build Freenet.dmg (universal, signed + notarized)", step "Build signed + notarized Freenet.dmg":
>> Notarizing Freenet.app
Conducting pre-submission checks ... initiating connection to the Apple notary service...
Error: HTTP status code: 403. A required agreement is missing or has expired.
This request requires an in-effect agreement that has not been signed or has expired.
Ensure your team has signed the necessary legal agreements and that they are not expired.
The signing cert imported fine and the app signed fine — only the notary submission was rejected. This is an Apple Developer Program legal-agreement expiry on the account (team R55ZESJCXG, Ian CLARKE).
Because attach-to-release has needs: [...all builds..., build-macos-dmg] and hard-downloads the DMG artifact, the DMG failure skipped the attach + --draft=false undraft, so the release.published cascade (gateway-update.yml, release-announce.yml) never ran.
Current state
- GitHub release v0.2.83: draft, 0 assets
- nova + vega gateways: still 0.2.82
- gateway-update.yml / release-announce.yml for 0.2.83: 0 runs
Recovery (after the agreement is signed)
- @sanity: sign in to https://developer.apple.com/account and accept the updated Apple Developer Program License Agreement (and any pending App Store Connect agreements). The 403 clears once the in-effect agreement is signed.
- Re-run only the failed DMG + attach jobs:
gh run rerun --failed 28194173535 --repo freenet/freenet-core. The attach job will then download all artifacts, upload them, and undraft the release.
- If the build-artifacts have expired by then, re-trigger the whole tag build:
gh workflow run cross-compile.yml --repo freenet/freenet-core --ref v0.2.83 (it runs on tag refs).
- On undraft,
gateway-update.yml + release-announce.yml should auto-fire (RELEASE_PAT is configured). If they don't:
gh workflow run gateway-update.yml --repo freenet/freenet-core --field version=0.2.83 --field gateways=allgh workflow run release-announce.yml --repo freenet/freenet-core --field version=0.2.83
- Verify: release published with the full asset set (musl Linux x2, macOS x2 tarballs, Windows, DMG, fdev variants, SHA256SUMS), nova + vega report 0.2.83, Matrix + River announcements posted.
Follow-up hardening (optional)
Consider making the DMG a non-blocking part of the release: let attach-to-release proceed with the non-macOS-DMG assets if the DMG job fails (it already iterates over whatever *.dmg files exist), so an Apple-side agreement lapse can't strand an otherwise-complete release in draft with the network unable to auto-update. The macOS DMG could attach in a follow-up step. (Tradeoff: macOS DMG users wouldn't get the release until the DMG lands.)
crates.io is already published at 0.2.83, so the version is consumed — recovery must complete this release, not bump to 0.2.84.
[AI-assisted - Claude]
Summary
The v0.2.83 release is half-complete and stuck. crates.io publish, the git tag, and the draft GitHub release all succeeded, but the macOS DMG notarization failed with an Apple account agreement error (HTTP 403), which hard-blocks the
attach-to-releasejob. As a result the GitHub release is still a draft with 0 assets, and the downstream cascade (gateway-update, release-announce) never fired. Gateways remain on 0.2.82.This requires a manual account action by the Apple Developer account holder (@sanity) — no code/CI change can fix it.
What succeeded
release.ymlrun 28065786747: success (after re-running the failedwait_for_prstep — the original run timed out at the merge wait; bump PR build: release 0.2.83 #4569 had since merged).f341830d(current main HEAD, includes refactor(hosted): zeroize the per-user token in memory #4578 + fix(hosted): dark-mode + dismiss account popover on outside click #4579).What failed
cross-compile.ymlrun 28194173535, job "Build Freenet.dmg (universal, signed + notarized)", step "Build signed + notarized Freenet.dmg":The signing cert imported fine and the app signed fine — only the notary submission was rejected. This is an Apple Developer Program legal-agreement expiry on the account (team
R55ZESJCXG, Ian CLARKE).Because
attach-to-releasehasneeds: [...all builds..., build-macos-dmg]and hard-downloads the DMG artifact, the DMG failure skipped the attach +--draft=falseundraft, so therelease.publishedcascade (gateway-update.yml, release-announce.yml) never ran.Current state
Recovery (after the agreement is signed)
gh run rerun --failed 28194173535 --repo freenet/freenet-core. The attach job will then download all artifacts, upload them, and undraft the release.gh workflow run cross-compile.yml --repo freenet/freenet-core --ref v0.2.83(it runs on tag refs).gateway-update.yml+release-announce.ymlshould auto-fire (RELEASE_PAT is configured). If they don't:gh workflow run gateway-update.yml --repo freenet/freenet-core --field version=0.2.83 --field gateways=allgh workflow run release-announce.yml --repo freenet/freenet-core --field version=0.2.83Follow-up hardening (optional)
Consider making the DMG a non-blocking part of the release: let
attach-to-releaseproceed with the non-macOS-DMG assets if the DMG job fails (it already iterates over whatever*.dmgfiles exist), so an Apple-side agreement lapse can't strand an otherwise-complete release in draft with the network unable to auto-update. The macOS DMG could attach in a follow-up step. (Tradeoff: macOS DMG users wouldn't get the release until the DMG lands.)crates.io is already published at 0.2.83, so the version is consumed — recovery must complete this release, not bump to 0.2.84.
[AI-assisted - Claude]