ci: remove unused remote_contract job from build-and-release workflow (#71)

The remote_contract job was effectively dead code — it only ran on
workflow_dispatch (excluded push and pull_request events) and was
configured with continue-on-error, so it never blocked releases.

Removing it simplifies the pipeline and eliminates the always()
workaround in the release job's if-condition.

Co-authored-by: Haitao Pan <manbuzhe2009@qq.com>

.github/workflows/build-and-release.yml

@@ -35,6 +35,10 @@ on:
         description: "Build & upload TestFlight (macOS/iOS App Store) artifacts"
         type: boolean
         default: false
+      enable_github_release:
+        description: "Upload assets to GitHub Release"
+        type: boolean
+        default: true
 
 permissions:
   contents: read
@@ -54,6 +58,7 @@ jobs:
       contents: write
     outputs:
       should_release: ${{ steps.flags.outputs.should_release }}
+      github_release_enabled: ${{ steps.flags.outputs.github_release_enabled }}
       testflight_enabled: ${{ steps.flags.outputs.testflight_enabled }}
       release_tag: ${{ steps.meta.outputs.release_tag }}
       release_title: ${{ steps.meta.outputs.release_title }}
@@ -68,6 +73,7 @@ jobs:
         id: flags
         shell: bash
         env:
+          ENABLE_GITHUB_RELEASE_INPUT: ${{ github.event.inputs.enable_github_release }}
           ENABLE_TESTFLIGHT_INPUT: ${{ github.event.inputs.enable_testflight }}
           ENABLE_TESTFLIGHT_VAR: ${{ vars.ENABLE_TESTFLIGHT }}
         run: |
@@ -77,6 +83,12 @@ jobs:
             echo "should_release=false" >> "$GITHUB_OUTPUT"
           fi
 
+          if [[ "${GITHUB_EVENT_NAME:-}" == "workflow_dispatch" && "${ENABLE_GITHUB_RELEASE_INPUT:-}" == "false" ]]; then
+            echo "github_release_enabled=false" >> "$GITHUB_OUTPUT"
+          else
+            echo "github_release_enabled=true" >> "$GITHUB_OUTPUT"
+          fi
+
           # TestFlight is opt-in (default OFF). Enabled only when explicitly
           # requested via the workflow_dispatch input or the ENABLE_TESTFLIGHT
           # repo/org variable. Keeps missing Apple signing secrets from failing
@@ -292,46 +304,9 @@ jobs:
           path: ${{ matrix.artifact_paths }}
           if-no-files-found: error
 
-  remote_contract:
-    name: Test - remote provider contract
-    runs-on: ubuntu-22.04
-    needs:
-      - build
-    # Test-stage quality gate: runs between build and release.
-    # continue-on-error keeps it skippable so a failure never blocks release.
-    continue-on-error: true
-    if: ${{ github.event_name != 'push' && github.event_name != 'pull_request' }}
-    steps:
-      - name: Checkout source
-        uses: actions/checkout@v7
-
-      - name: Load Vault secrets
-        id: vault
-        uses: hashicorp/vault-action@v4
-        with:
-          url: ${{ env.VAULT_ADDR }}
-          method: jwt
-          role: github-actions-xworkmate-app
-          jwtGithubAudience: vault
-          ignoreNotFound: true
-          secrets: |
-            kv/data/github-actions/xworkmate-app REVIEW_ACCOUNT_LOGIN_PASSWORD | REVIEW_ACCOUNT_LOGIN_PASSWORD
-
-      - name: Export remote contract secrets
-        run: echo "REVIEW_ACCOUNT_LOGIN_PASSWORD=${{ steps.vault.outputs.REVIEW_ACCOUNT_LOGIN_PASSWORD }}" >> "$GITHUB_ENV"
-
-      - name: Verify accounts to bridge provider contract
-        shell: bash
-        env:
-          REVIEW_ACCOUNT_BASE_URL: ${{ vars.REVIEW_ACCOUNT_BASE_URL }}
-          REVIEW_ACCOUNT_LOGIN_NAME: ${{ vars.REVIEW_ACCOUNT_LOGIN_NAME }}
-        run: bash ./scripts/ci/verify_remote_provider_contract.sh
 
   release:
-    # always() so release waits for the remote_contract gate to finish but is
-    # never blocked by it being skipped (e.g. push events) or failing.
-    # build/prepare must still genuinely succeed.
-    if: ${{ always() && needs.prepare.outputs.should_release == 'true' && needs.prepare.result == 'success' && needs.build.result == 'success' }}
+    if: ${{ needs.prepare.outputs.should_release == 'true' && needs.prepare.result == 'success' && needs.build.result == 'success' }}
     strategy:
       fail-fast: false
       matrix:
@@ -354,7 +329,6 @@ jobs:
     needs:
       - prepare
       - build
-      - remote_contract
     steps:
       - name: Checkout source
         uses: actions/checkout@v7

pubspec.yaml

@@ -4,7 +4,7 @@ publish_to: 'none'
 
 version: 1.1.5+2
 build-date: 2026-06-30
-build-id: a876e3b
+build-id: a876e3b0
 
 environment:
   sdk: ^3.11.0

scripts/ensure-framework-dsyms.sh

@@ -1,8 +1,9 @@
 #!/usr/bin/env bash
 set -euo pipefail
 
-# Generate the dSYM that App Store validation expects for the vendored
-# objective_c native-asset framework after Xcode/CocoaPods embed it.
+# Generate dSYMs that App Store validation expects for embedded frameworks.
+# Some prebuilt dependencies, including WebRTC, do not ship a dSYM even though
+# their Mach-O binaries contain UUIDs that App Store Connect requires.
 if [[ "${CONFIGURATION:-}" != "Release" && "${CONFIGURATION:-}" != "Profile" ]]; then
   exit 0
 fi
@@ -22,6 +23,22 @@ fi
 
 mkdir -p "${DWARF_DSYM_FOLDER_PATH}"
 
+dsym_matches_binary() {
+  local binary_path="$1"
+  local dsym_path="$2"
+  local binary_uuids dsym_uuids uuid
+
+  [[ -d "${dsym_path}" ]] || return 1
+
+  binary_uuids="$(xcrun dwarfdump --uuid "${binary_path}" 2>/dev/null || true)"
+  dsym_uuids="$(xcrun dwarfdump --uuid "${dsym_path}" 2>/dev/null || true)"
+  [[ -n "${binary_uuids}" && -n "${dsym_uuids}" ]] || return 1
+
+  while read -r uuid; do
+    [[ -z "${uuid}" ]] || grep -Fq "${uuid}" <<<"${dsym_uuids}" || return 1
+  done < <(awk '/^UUID:/ { print $2 }' <<<"${binary_uuids}")
+}
+
 for framework_path in "${frameworks_dir}"/*.framework; do
   [[ -d "${framework_path}" ]] || continue
 
@@ -29,10 +46,8 @@ for framework_path in "${frameworks_dir}"/*.framework; do
   binary_path="${framework_path}/${framework_name}"
   [[ -f "${binary_path}" ]] || continue
 
-  [[ "${framework_name}" == "objective_c" ]] || continue
-
   dsym_path="${DWARF_DSYM_FOLDER_PATH}/${framework_name}.framework.dSYM"
-  if [[ -d "${dsym_path}" ]]; then
+  if dsym_matches_binary "${binary_path}" "${dsym_path}"; then
     continue
   fi
 
@@ -40,17 +55,10 @@ for framework_path in "${frameworks_dir}"/*.framework; do
     continue
   fi
 
-  echo "Generating missing dSYM for ${framework_name}.framework"
+  echo "Generating missing or mismatched dSYM for ${framework_name}.framework"
+  rm -rf "${dsym_path}"
   if ! xcrun dsymutil "${binary_path}" -o "${dsym_path}" >/dev/null 2>&1; then
     echo "warning: Failed to generate dSYM for ${framework_name}.framework" >&2
     rm -rf "${dsym_path}" || true
   fi
 done
-
-# Workaround for App Store Connect bug where it expects the DWARF file for App.framework to be named "A"
-# because the binary is located at App.framework/Versions/A/App.
-app_dwarf_dir="${DWARF_DSYM_FOLDER_PATH}/App.framework.dSYM/Contents/Resources/DWARF"
-if [[ -d "${app_dwarf_dir}" && -f "${app_dwarf_dir}/App" && ! -f "${app_dwarf_dir}/A" ]]; then
-  echo "Applying workaround: Copying App DWARF file to A for App Store Connect validation"
-  cp "${app_dwarf_dir}/App" "${app_dwarf_dir}/A"
-fi

scripts/package-macos-app-store-pkg.sh

@@ -40,7 +40,10 @@ app_build_commit="${GIT_BUILD_COMMIT:-${BUILD_ID_LINE:-unknown}}"
 
 tmp_dir="$(mktemp -d "${RUNNER_TEMP:-/tmp}/xworkmate-macos-app-store.XXXXXX")"
 cleanup() {
+  local status=$?
   rm -rf "$tmp_dir"
+  apple_run_cleanup
+  return "$status"
 }
 trap cleanup EXIT
 
@@ -80,12 +83,15 @@ xcodebuild archive \
   -scheme Runner \
   -configuration Release \
   -archivePath "$archive_path" \
+  -allowProvisioningUpdates \
+  -allowProvisioningDeviceRegistration \
   DEVELOPMENT_TEAM="N3G9T67W78"
 
 xcodebuild -exportArchive \
   -archivePath "$archive_path" \
   -exportPath "$DIST_DIR" \
-  -exportOptionsPlist "$export_options_path"
+  -exportOptionsPlist "$export_options_path" \
+  -allowProvisioningUpdates
 
 if ! compgen -G "$DIST_DIR/*.pkg" >/dev/null; then
   echo "No macOS TestFlight pkg was produced under $DIST_DIR" >&2