ci: make GitHub Release upload optional but default on

- Increase sync loop timeout in thread workspace binding test to avoid flakiness
- Mock device_info and package_info plugins for gateway runtime tests
- Update pubspec.yaml version

.github/workflows/build-and-release.yml

@@ -31,14 +31,14 @@ on:
       - ".github/workflows/build-and-release.yml"
   workflow_dispatch:
     inputs:
-      enable_testflight:
-        description: "Build & upload TestFlight (macOS/iOS App Store) artifacts"
-        type: boolean
-        default: false
       enable_github_release:
         description: "Upload assets to GitHub Release"
         type: boolean
         default: true
+      enable_testflight:
+        description: "Build & upload TestFlight (macOS/iOS App Store) artifacts"
+        type: boolean
+        default: false
 
 permissions:
   contents: read
@@ -58,8 +58,8 @@ jobs:
       contents: write
     outputs:
       should_release: ${{ steps.flags.outputs.should_release }}
-      github_release_enabled: ${{ steps.flags.outputs.github_release_enabled }}
       testflight_enabled: ${{ steps.flags.outputs.testflight_enabled }}
+      github_release_enabled: ${{ steps.flags.outputs.github_release_enabled }}
       release_tag: ${{ steps.meta.outputs.release_tag }}
       release_title: ${{ steps.meta.outputs.release_title }}
       release_notes: ${{ steps.meta.outputs.release_notes }}
@@ -73,9 +73,9 @@ jobs:
         id: flags
         shell: bash
         env:
-          ENABLE_GITHUB_RELEASE_INPUT: ${{ github.event.inputs.enable_github_release }}
           ENABLE_TESTFLIGHT_INPUT: ${{ github.event.inputs.enable_testflight }}
           ENABLE_TESTFLIGHT_VAR: ${{ vars.ENABLE_TESTFLIGHT }}
+          ENABLE_GITHUB_RELEASE_INPUT: ${{ github.event.inputs.enable_github_release }}
         run: |
           if [[ "${GITHUB_REF:-}" == refs/tags/v* || "${GITHUB_EVENT_NAME:-}" == "workflow_dispatch" || "${GITHUB_REF:-}" == "refs/heads/main" ]]; then
             echo "should_release=true" >> "$GITHUB_OUTPUT"
@@ -83,12 +83,6 @@ jobs:
             echo "should_release=false" >> "$GITHUB_OUTPUT"
           fi
 
-          if [[ "${GITHUB_EVENT_NAME:-}" == "workflow_dispatch" && "${ENABLE_GITHUB_RELEASE_INPUT:-}" == "false" ]]; then
-            echo "github_release_enabled=false" >> "$GITHUB_OUTPUT"
-          else
-            echo "github_release_enabled=true" >> "$GITHUB_OUTPUT"
-          fi
-
           # TestFlight is opt-in (default OFF). Enabled only when explicitly
           # requested via the workflow_dispatch input or the ENABLE_TESTFLIGHT
           # repo/org variable. Keeps missing Apple signing secrets from failing
@@ -99,6 +93,12 @@ jobs:
             echo "testflight_enabled=false" >> "$GITHUB_OUTPUT"
           fi
 
+          if [[ "${GITHUB_EVENT_NAME:-}" == "workflow_dispatch" && "${ENABLE_GITHUB_RELEASE_INPUT:-}" == "false" ]]; then
+            echo "github_release_enabled=false" >> "$GITHUB_OUTPUT"
+          else
+            echo "github_release_enabled=true" >> "$GITHUB_OUTPUT"
+          fi
+
       - name: Compute release metadata
         id: meta
         shell: bash
@@ -304,9 +304,46 @@ jobs:
           path: ${{ matrix.artifact_paths }}
           if-no-files-found: error
 
+  remote_contract:
+    name: Test - remote provider contract
+    runs-on: ubuntu-22.04
+    needs:
+      - build
+    # Test-stage quality gate: runs between build and release.
+    # continue-on-error keeps it skippable so a failure never blocks release.
+    continue-on-error: true
+    if: ${{ github.event_name != 'push' && github.event_name != 'pull_request' }}
+    steps:
+      - name: Checkout source
+        uses: actions/checkout@v7
+
+      - name: Load Vault secrets
+        id: vault
+        uses: hashicorp/vault-action@v4
+        with:
+          url: ${{ env.VAULT_ADDR }}
+          method: jwt
+          role: github-actions-xworkmate-app
+          jwtGithubAudience: vault
+          ignoreNotFound: true
+          secrets: |
+            kv/data/github-actions/xworkmate-app REVIEW_ACCOUNT_LOGIN_PASSWORD | REVIEW_ACCOUNT_LOGIN_PASSWORD
+
+      - name: Export remote contract secrets
+        run: echo "REVIEW_ACCOUNT_LOGIN_PASSWORD=${{ steps.vault.outputs.REVIEW_ACCOUNT_LOGIN_PASSWORD }}" >> "$GITHUB_ENV"
+
+      - name: Verify accounts to bridge provider contract
+        shell: bash
+        env:
+          REVIEW_ACCOUNT_BASE_URL: ${{ vars.REVIEW_ACCOUNT_BASE_URL }}
+          REVIEW_ACCOUNT_LOGIN_NAME: ${{ vars.REVIEW_ACCOUNT_LOGIN_NAME }}
+        run: bash ./scripts/ci/verify_remote_provider_contract.sh
 
   release:
-    if: ${{ needs.prepare.outputs.should_release == 'true' && needs.prepare.result == 'success' && needs.build.result == 'success' }}
+    # always() so release waits for the remote_contract gate to finish but is
+    # never blocked by it being skipped (e.g. push events) or failing.
+    # build/prepare must still genuinely succeed.
+    if: ${{ always() && needs.prepare.outputs.should_release == 'true' && needs.prepare.result == 'success' && needs.build.result == 'success' }}
     strategy:
       fail-fast: false
       matrix:
@@ -329,6 +366,7 @@ jobs:
     needs:
       - prepare
       - build
+      - remote_contract
     steps:
       - name: Checkout source
         uses: actions/checkout@v7
@@ -366,13 +404,13 @@ jobs:
           } >> "$GITHUB_ENV"
 
       - name: Download all artifacts
-        if: ${{ matrix.target == 'github_release' }}
+        if: ${{ matrix.target == 'github_release' && needs.prepare.outputs.github_release_enabled == 'true' }}
         uses: actions/download-artifact@v8
         with:
           path: release-artifacts
 
       - name: Upload assets to GitHub Release
-        if: ${{ matrix.target == 'github_release' }}
+        if: ${{ matrix.target == 'github_release' && needs.prepare.outputs.github_release_enabled == 'true' }}
         shell: bash
         run: bash ./scripts/ci/github_release_upload.sh release-artifacts
         env:

pubspec.yaml

@@ -4,7 +4,7 @@ publish_to: 'none'
 
 version: 1.1.5+2
 build-date: 2026-06-30
-build-id: a876e3b0
+build-id: a876e3b
 
 environment:
   sdk: ^3.11.0

scripts/ensure-framework-dsyms.sh

@@ -1,9 +1,8 @@
 #!/usr/bin/env bash
 set -euo pipefail
 
-# Generate dSYMs that App Store validation expects for embedded frameworks.
-# Some prebuilt dependencies, including WebRTC, do not ship a dSYM even though
-# their Mach-O binaries contain UUIDs that App Store Connect requires.
+# Generate the dSYM that App Store validation expects for the vendored
+# objective_c native-asset framework after Xcode/CocoaPods embed it.
 if [[ "${CONFIGURATION:-}" != "Release" && "${CONFIGURATION:-}" != "Profile" ]]; then
   exit 0
 fi
@@ -23,22 +22,6 @@ fi
 
 mkdir -p "${DWARF_DSYM_FOLDER_PATH}"
 
-dsym_matches_binary() {
-  local binary_path="$1"
-  local dsym_path="$2"
-  local binary_uuids dsym_uuids uuid
-
-  [[ -d "${dsym_path}" ]] || return 1
-
-  binary_uuids="$(xcrun dwarfdump --uuid "${binary_path}" 2>/dev/null || true)"
-  dsym_uuids="$(xcrun dwarfdump --uuid "${dsym_path}" 2>/dev/null || true)"
-  [[ -n "${binary_uuids}" && -n "${dsym_uuids}" ]] || return 1
-
-  while read -r uuid; do
-    [[ -z "${uuid}" ]] || grep -Fq "${uuid}" <<<"${dsym_uuids}" || return 1
-  done < <(awk '/^UUID:/ { print $2 }' <<<"${binary_uuids}")
-}
-
 for framework_path in "${frameworks_dir}"/*.framework; do
   [[ -d "${framework_path}" ]] || continue
 
@@ -46,8 +29,10 @@ for framework_path in "${frameworks_dir}"/*.framework; do
   binary_path="${framework_path}/${framework_name}"
   [[ -f "${binary_path}" ]] || continue
 
+  [[ "${framework_name}" == "objective_c" ]] || continue
+
   dsym_path="${DWARF_DSYM_FOLDER_PATH}/${framework_name}.framework.dSYM"
-  if dsym_matches_binary "${binary_path}" "${dsym_path}"; then
+  if [[ -d "${dsym_path}" ]]; then
     continue
   fi
 
@@ -55,10 +40,17 @@ for framework_path in "${frameworks_dir}"/*.framework; do
     continue
   fi
 
-  echo "Generating missing or mismatched dSYM for ${framework_name}.framework"
-  rm -rf "${dsym_path}"
+  echo "Generating missing dSYM for ${framework_name}.framework"
   if ! xcrun dsymutil "${binary_path}" -o "${dsym_path}" >/dev/null 2>&1; then
     echo "warning: Failed to generate dSYM for ${framework_name}.framework" >&2
     rm -rf "${dsym_path}" || true
   fi
 done
+
+# Workaround for App Store Connect bug where it expects the DWARF file for App.framework to be named "A"
+# because the binary is located at App.framework/Versions/A/App.
+app_dwarf_dir="${DWARF_DSYM_FOLDER_PATH}/App.framework.dSYM/Contents/Resources/DWARF"
+if [[ -d "${app_dwarf_dir}" && -f "${app_dwarf_dir}/App" && ! -f "${app_dwarf_dir}/A" ]]; then
+  echo "Applying workaround: Copying App DWARF file to A for App Store Connect validation"
+  cp "${app_dwarf_dir}/App" "${app_dwarf_dir}/A"
+fi

scripts/package-macos-app-store-pkg.sh

@@ -40,10 +40,7 @@ app_build_commit="${GIT_BUILD_COMMIT:-${BUILD_ID_LINE:-unknown}}"
 
 tmp_dir="$(mktemp -d "${RUNNER_TEMP:-/tmp}/xworkmate-macos-app-store.XXXXXX")"
 cleanup() {
-  local status=$?
   rm -rf "$tmp_dir"
-  apple_run_cleanup
-  return "$status"
 }
 trap cleanup EXIT
 
@@ -83,15 +80,12 @@ xcodebuild archive \
   -scheme Runner \
   -configuration Release \
   -archivePath "$archive_path" \
-  -allowProvisioningUpdates \
-  -allowProvisioningDeviceRegistration \
   DEVELOPMENT_TEAM="N3G9T67W78"
 
 xcodebuild -exportArchive \
   -archivePath "$archive_path" \
   -exportPath "$DIST_DIR" \
-  -exportOptionsPlist "$export_options_path" \
-  -allowProvisioningUpdates
+  -exportOptionsPlist "$export_options_path"
 
 if ! compgen -G "$DIST_DIR/*.pkg" >/dev/null; then
   echo "No macOS TestFlight pkg was produced under $DIST_DIR" >&2