Win-CodexBar CI/CD

May 24, 2026 ยท View on GitHub

Win-CodexBar release builds use CircleCI hosted Windows first. Buildkite is kept ready for a future non-AWS self-hosted Windows runner. Cloudflare R2 mirrors the release artifacts after the Windows smoke test passes.

Current Model

  • Primary release CI: CircleCI hosted Windows.
  • Artifact mirror: Cloudflare R2.
  • Future self-hosted CI: Buildkite queue windows-release.
  • Not used for automated release builds: GitHub Actions, AWS EC2, or an always-on FSOS runner.

The canonical Windows build path remains:

powershell.exe -File scripts\release-doctor.ps1 -SkipGitHub
powershell.exe -File scripts\windows-release-build.ps1 -Ref v0.30.0 -SmokeInstall

CI wrappers must call those scripts instead of duplicating the release logic.

CircleCI

CircleCI builds tagged releases with the Windows executor from .circleci/config.yml. The tag workflow runs for tags matching v*.

Manual release checks can be started from CircleCI with pipeline parameters:

  • run_windows_release=true
  • upload_cloudflare=false for dry/manual validation
  • upload_cloudflare=true only when Cloudflare R2 secrets are configured

Required CircleCI project environment variables for Cloudflare upload:

  • CLOUDFLARE_ACCOUNT_ID
  • CLOUDFLARE_R2_BUCKET
  • CLOUDFLARE_R2_ACCESS_KEY_ID
  • CLOUDFLARE_R2_SECRET_ACCESS_KEY

GITHUB_TOKEN is not required by default. CircleCI should not upload to GitHub Releases unless that behavior is explicitly added and reviewed later.

Cloudflare R2

Cloudflare R2 is a mirror/proof layer, not the source of truth for publishing. The upload script uses R2's S3-compatible API directly:

powershell.exe -File scripts\ci\upload-cloudflare-r2.ps1 -Version 0.30.0 -DryRun
powershell.exe -File scripts\ci\upload-cloudflare-r2.ps1 -Version 0.30.0

Object layout:

releases/v0.30.0/CodexBar-0.30.0-Setup.exe
releases/v0.30.0/CodexBar-0.30.0-Setup.exe.sha256
releases/v0.30.0/CodexBar-0.30.0-portable.exe
releases/v0.30.0/CodexBar-0.30.0-portable.exe.sha256
releases/v0.30.0/release-manifest.json
releases/v0.30.0/smoke-test-log.txt

smoke-test-log.txt is uploaded only when the Windows smoke test produced it.

Buildkite

.buildkite/pipeline.yml is a future-runner skeleton. It requires a Windows agent attached to the windows-release queue and does not start, stop, or manage AWS instances.

The Buildkite release path requires BUILDKITE_TAG and runs:

powershell.exe -File scripts\ci\buildkite-release.ps1

Do not make Buildkite mandatory until a non-AWS Windows host is attached.

Release Flow

  1. Tag the release, for example v0.30.0.
  2. CircleCI hosted Windows builds the installer and portable exe.
  3. scripts\windows-smoke-install.ps1 installs, verifies, and uninstalls the app.
  4. CircleCI stores release assets and SHA-256 sidecars.
  5. Cloudflare R2 mirrors the assets when secrets are configured.
  6. Publish or update the GitHub release with the verified assets.
  7. Submit the Winget manifest update after the GitHub installer URL is stable.