From 2c668bb139016577ed2797ba4697256de33d1f8f Mon Sep 17 00:00:00 2001 From: Matt Jenkinson <75292329+mattdjenkinson@users.noreply.github.com> Date: Thu, 14 May 2026 16:27:52 +0100 Subject: [PATCH 1/5] ci(macos): resolve .app path for dSYM, Sentry, and DMG copy Dioxus may emit release/macos/*.app under target/dx with a non-Datum segment. Prefer ui/dist/Datum.app after DMG prep, fall back to find, and read CFBundleExecutable for dsymutil. Align Sentry upload with the same layout. Harden DMG copy in workflows and build-dmg.sh. Co-authored-by: Cursor --- .github/workflows/bundle.yml | 37 ++++++++++++++++++++++++---- .github/workflows/manual-release.yml | 11 +++++++-- ui/packaging/dmg/build-dmg.sh | 14 ++++++++--- 3 files changed, 52 insertions(+), 10 deletions(-) diff --git a/.github/workflows/bundle.yml b/.github/workflows/bundle.yml index e81c3ec..80ecd8c 100644 --- a/.github/workflows/bundle.yml +++ b/.github/workflows/bundle.yml @@ -167,8 +167,15 @@ jobs: APPLE_SIGNING_IDENTITY: ${{ secrets.APPLE_SIGNING_IDENTITY }} run: | mkdir -p ui/dist - if [ ! -d ui/dist/Datum.app ] && [ -d ui/target/dx/Datum/release/macos/Datum.app ]; then - cp -R ui/target/dx/Datum/release/macos/Datum.app ui/dist/ + if [ ! -d ui/dist/Datum.app ]; then + if [ -d ui/target/dx/Datum/release/macos/Datum.app ]; then + cp -R ui/target/dx/Datum/release/macos/Datum.app ui/dist/ + else + APP=$(find ui/target/dx -path '*/release/macos/*.app' -type d 2>/dev/null | head -1) + if [ -n "$APP" ]; then + cp -R "$APP" ui/dist/Datum.app + fi + fi fi test -d ui/dist/Datum.app ./ui/packaging/dmg/mk-dmg-icns-from-linux-png.sh @@ -197,11 +204,22 @@ jobs: # sentry-cli has nothing to symbolicate against on macOS, so we run # dsymutil manually and stage the result outside the .app bundle so # it doesn't get packaged into the DMG. - BIN="ui/target/dx/Datum/release/macos/Datum.app/Contents/MacOS/Datum" + APP="ui/dist/Datum.app" + if [ ! -d "$APP" ]; then + APP=$(find ui/target/dx -path '*/release/macos/*.app' -type d 2>/dev/null | head -1) + fi + if [ -z "$APP" ] || [ ! -d "$APP" ]; then + echo "macOS .app not found (expected ui/dist/Datum.app after DMG step)" >&2 + find ui/target/dx -type d -name '*.app' 2>/dev/null | head -20 >&2 || true + exit 1 + fi + EXEC=$(/usr/libexec/PlistBuddy -c 'Print :CFBundleExecutable' "$APP/Contents/Info.plist") + BIN="$APP/Contents/MacOS/$EXEC" DSYM_DIR="$RUNNER_TEMP/dsyms" mkdir -p "$DSYM_DIR" if [ ! -f "$BIN" ]; then - echo "Bundled binary not found at $BIN" >&2 + echo "Bundled binary not found at $BIN (app: $APP)" >&2 + ls -la "$APP/Contents/MacOS" >&2 || true exit 1 fi dsymutil "$BIN" -o "$DSYM_DIR/Datum.dSYM" @@ -221,9 +239,18 @@ jobs: mkdir -p "$INSTALL_DIR" export PATH="$INSTALL_DIR:$PATH" curl -sL https://sentry.io/get-cli/ | SENTRY_CLI_VERSION=3.2.3 sh + MACOS_BIN_DIR="ui/dist/Datum.app/Contents/MacOS" + if [ ! -d "$MACOS_BIN_DIR" ]; then + APP=$(find ui/target/dx -path '*/release/macos/*.app' -type d 2>/dev/null | head -1) + MACOS_BIN_DIR="${APP}/Contents/MacOS" + fi + if [ ! -d "$MACOS_BIN_DIR" ]; then + echo "Sentry: macOS Contents/MacOS not found under ui/dist or ui/target/dx" >&2 + exit 1 + fi sentry-cli debug-files upload --include-sources \ "$RUNNER_TEMP/dsyms" \ - ui/target/dx/Datum/release/macos/Datum.app/Contents/MacOS/ + "$MACOS_BIN_DIR" else echo "SENTRY_AUTH_TOKEN not set, skipping debug symbol upload" fi diff --git a/.github/workflows/manual-release.yml b/.github/workflows/manual-release.yml index dade4df..3bfe647 100644 --- a/.github/workflows/manual-release.yml +++ b/.github/workflows/manual-release.yml @@ -153,8 +153,15 @@ jobs: APPLE_SIGNING_IDENTITY: ${{ secrets.APPLE_SIGNING_IDENTITY }} run: | mkdir -p ui/dist - if [ ! -d ui/dist/Datum.app ] && [ -d ui/target/dx/Datum/release/macos/Datum.app ]; then - cp -R ui/target/dx/Datum/release/macos/Datum.app ui/dist/ + if [ ! -d ui/dist/Datum.app ]; then + if [ -d ui/target/dx/Datum/release/macos/Datum.app ]; then + cp -R ui/target/dx/Datum/release/macos/Datum.app ui/dist/ + else + APP=$(find ui/target/dx -path '*/release/macos/*.app' -type d 2>/dev/null | head -1) + if [ -n "$APP" ]; then + cp -R "$APP" ui/dist/Datum.app + fi + fi fi test -d ui/dist/Datum.app ./ui/packaging/dmg/mk-dmg-icns-from-linux-png.sh diff --git a/ui/packaging/dmg/build-dmg.sh b/ui/packaging/dmg/build-dmg.sh index 7f94021..6fcd24d 100755 --- a/ui/packaging/dmg/build-dmg.sh +++ b/ui/packaging/dmg/build-dmg.sh @@ -57,9 +57,17 @@ if [[ "$DO_BUNDLE" == true ]]; then fi mkdir -p "$UI_ROOT/dist" -if [[ ! -d "$UI_ROOT/dist/Datum.app" ]] && [[ -d "$UI_ROOT/target/dx/Datum/release/macos/Datum.app" ]]; then - echo "Copying Datum.app from target/dx → dist/" - cp -R "$UI_ROOT/target/dx/Datum/release/macos/Datum.app" "$UI_ROOT/dist/" +if [[ ! -d "$UI_ROOT/dist/Datum.app" ]]; then + if [[ -d "$UI_ROOT/target/dx/Datum/release/macos/Datum.app" ]]; then + echo "Copying Datum.app from target/dx → dist/" + cp -R "$UI_ROOT/target/dx/Datum/release/macos/Datum.app" "$UI_ROOT/dist/" + else + APP=$(find "$UI_ROOT/target/dx" -path '*/release/macos/*.app' -type d 2>/dev/null | head -1) + if [[ -n "$APP" ]]; then + echo "Copying $APP → dist/Datum.app" + cp -R "$APP" "$UI_ROOT/dist/Datum.app" + fi + fi fi if [[ ! -d "$UI_ROOT/dist/Datum.app" ]]; then From bbaa78e3bc1bfcb12650526c5c54a5d35e7bbe1f Mon Sep 17 00:00:00 2001 From: Matt Jenkinson <75292329+mattdjenkinson@users.noreply.github.com> Date: Thu, 14 May 2026 16:35:55 +0100 Subject: [PATCH 2/5] fix: remove cargo install --- .github/workflows/ci.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index f6035cb..5a1ddfd 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -18,8 +18,6 @@ jobs: - uses: dtolnay/rust-toolchain@stable - - uses: cargo-bins/cargo-binstall@main - - uses: Swatinem/rust-cache@v2 - name: Install system dependencies (Linux) From 9325367e9d1ba27fa845d54d4c24e8aab6bfca4a Mon Sep 17 00:00:00 2001 From: Matt Jenkinson <75292329+mattdjenkinson@users.noreply.github.com> Date: Thu, 14 May 2026 16:40:59 +0100 Subject: [PATCH 3/5] fix: cargo install fix --- .github/workflows/bundle.yml | 9 ++++----- .github/workflows/manual-release.yml | 9 ++++----- 2 files changed, 8 insertions(+), 10 deletions(-) diff --git a/.github/workflows/bundle.yml b/.github/workflows/bundle.yml index 80ecd8c..c23b509 100644 --- a/.github/workflows/bundle.yml +++ b/.github/workflows/bundle.yml @@ -28,8 +28,6 @@ jobs: - uses: dtolnay/rust-toolchain@stable - - uses: cargo-bins/cargo-binstall@main - - uses: Swatinem/rust-cache@v2 - name: Install system dependencies (Linux) @@ -51,9 +49,10 @@ jobs: # and the upstream fix is still open: # https://github.com/DioxusLabs/dioxus/issues/5233 # Bump in lockstep with the lib once that issue is resolved. - run: cargo binstall dioxus-cli@0.7.2 --disable-telemetry --locked --force -y - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + # + # Use `cargo install` instead of cargo-binstall: `cargo-bins/cargo-binstall@main` + # has broken `cargo` on GHA runners (invokes rustup-init for subcommands). + run: cargo install dioxus-cli --version 0.7.2 --locked - uses: actions/setup-node@v4 if: runner.os == 'macOS' diff --git a/.github/workflows/manual-release.yml b/.github/workflows/manual-release.yml index 3bfe647..c5cb9ae 100644 --- a/.github/workflows/manual-release.yml +++ b/.github/workflows/manual-release.yml @@ -32,8 +32,6 @@ jobs: - uses: dtolnay/rust-toolchain@stable - - uses: cargo-bins/cargo-binstall@main - - uses: Swatinem/rust-cache@v2 - name: Install system dependencies (Linux) @@ -55,9 +53,10 @@ jobs: # and the upstream fix is still open: # https://github.com/DioxusLabs/dioxus/issues/5233 # Bump in lockstep with the lib once that issue is resolved. - run: cargo binstall dioxus-cli@0.7.2 --disable-telemetry --locked --force -y - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + # + # Use `cargo install` instead of cargo-binstall: `cargo-bins/cargo-binstall@main` + # has broken `cargo` on GHA runners (invokes rustup-init for subcommands). + run: cargo install dioxus-cli --version 0.7.2 --locked - uses: actions/setup-node@v4 if: runner.os == 'macOS' From 06894ecb8ae3ef5ded8dc19fd2a974136ea2a006 Mon Sep 17 00:00:00 2001 From: Matt Jenkinson <75292329+mattdjenkinson@users.noreply.github.com> Date: Thu, 14 May 2026 17:08:46 +0100 Subject: [PATCH 4/5] ci: speed up bundle and CI (prebuilt dx, stable cache key, smaller PR matrix) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - Download prebuilt `dx` binary from Dioxus releases instead of building dioxus-cli from source. Saves ~5–10 min per matrix leg. - Pin Swatinem/rust-cache to a stable shared-key per OS so the in-place version bump + `cargo generate-lockfile` no longer evict the dep cache every run. Skip saving the cache on PRs to avoid pollution. - Limit PR matrix in bundle.yml to ubuntu-latest as a smoke check; full three-OS matrix still runs on main, tag pushes, and manual dispatch. - Add a `paths` filter so PRs that don't touch Cargo/UI/lib/cli skip the bundle entirely. - In ci.yml run cargo test/clippy/fmt only on Linux; cargo check still runs on all three OSes to catch platform-specific compile errors. Co-authored-by: Cursor --- .github/workflows/bundle.yml | 66 +++++++++++++++++++++++----- .github/workflows/ci.yml | 13 +++++- .github/workflows/manual-release.yml | 48 +++++++++++++++----- 3 files changed, 105 insertions(+), 22 deletions(-) diff --git a/.github/workflows/bundle.yml b/.github/workflows/bundle.yml index c23b509..8bf0d09 100644 --- a/.github/workflows/bundle.yml +++ b/.github/workflows/bundle.yml @@ -7,6 +7,15 @@ on: - "v*" pull_request: branches: [main] + # PRs only re-bundle when something that affects the output changed. + # Doc / workflow / other changes get a free pass. + paths: + - "**/Cargo.toml" + - "Cargo.lock" + - "cli/**" + - "lib/**" + - "ui/**" + - ".github/workflows/bundle.yml" workflow_dispatch: jobs: @@ -15,7 +24,8 @@ jobs: strategy: fail-fast: false matrix: - os: [macos-latest, ubuntu-latest, windows-latest] + # PRs run linux only as a smoke check; main/tag/manual runs cover all three OSes. + os: ${{ fromJSON(github.event_name == 'pull_request' && '["ubuntu-latest"]' || '["macos-latest","ubuntu-latest","windows-latest"]') }} env: BUILD_N0DES_API_SECRET: ${{ secrets.N0DES_API_SECRET }} @@ -28,7 +38,14 @@ jobs: - uses: dtolnay/rust-toolchain@stable + # Use a stable shared-key per OS instead of the default Cargo.toml/Cargo.lock hash. + # `cargo generate-lockfile` and the in-place version bump otherwise rotate the + # default cache key on every run, throwing away dep compile artefacts. + # Only save the cache from main / tag / manual runs so PRs don't pollute it. - uses: Swatinem/rust-cache@v2 + with: + shared-key: bundle-${{ matrix.os }} + save-if: ${{ github.event_name != 'pull_request' }} - name: Install system dependencies (Linux) if: runner.os == 'Linux' @@ -43,16 +60,43 @@ jobs: libfuse2 \ libxdo-dev - - name: Install Dioxus CLI - # Library deps in ui/Cargo.toml are pinned to dioxus =0.7.9, but the CLI is - # held back at 0.7.2 because dx bundle path resolution regressed in 0.7.3+ - # and the upstream fix is still open: - # https://github.com/DioxusLabs/dioxus/issues/5233 - # Bump in lockstep with the lib once that issue is resolved. - # - # Use `cargo install` instead of cargo-binstall: `cargo-bins/cargo-binstall@main` - # has broken `cargo` on GHA runners (invokes rustup-init for subcommands). - run: cargo install dioxus-cli --version 0.7.2 --locked + # Library deps in ui/Cargo.toml are pinned to dioxus =0.7.9, but the CLI is + # held back at 0.7.2 because dx bundle path resolution regressed in 0.7.3+ + # and the upstream fix is still open: + # https://github.com/DioxusLabs/dioxus/issues/5233 + # Bump in lockstep with the lib once that issue is resolved. + # + # Download the prebuilt `dx` binary from GitHub releases rather than + # `cargo install dioxus-cli`, which compiles the whole CLI from source + # (5–10 min per matrix leg, every run). + - name: Install Dioxus CLI (Unix) + if: runner.os != 'Windows' + shell: bash + run: | + set -euo pipefail + DX_VER=0.7.2 + TRIPLE=$(rustc -Vv | awk '/^host:/{print $2}') + URL="https://github.com/DioxusLabs/dioxus/releases/download/v${DX_VER}/dx-${TRIPLE}.tar.gz" + echo "Downloading $URL" + mkdir -p "$HOME/.cargo/bin" + curl -fsSL "$URL" | tar -xz -C "$HOME/.cargo/bin" + chmod +x "$HOME/.cargo/bin/dx" + "$HOME/.cargo/bin/dx" --version + + - name: Install Dioxus CLI (Windows) + if: runner.os == 'Windows' + shell: pwsh + run: | + $DX_VER = '0.7.2' + $TRIPLE = ((rustc -Vv | Select-String '^host: ').ToString() -replace '^host: ','').Trim() + $URL = "https://github.com/DioxusLabs/dioxus/releases/download/v$DX_VER/dx-$TRIPLE.zip" + Write-Host "Downloading $URL" + $tmp = Join-Path $env:RUNNER_TEMP 'dx.zip' + Invoke-WebRequest -Uri $URL -OutFile $tmp -UseBasicParsing + $dst = Join-Path $env:USERPROFILE '.cargo\bin' + New-Item -ItemType Directory -Force -Path $dst | Out-Null + Expand-Archive -Path $tmp -DestinationPath $dst -Force + & (Join-Path $dst 'dx.exe') --version - uses: actions/setup-node@v4 if: runner.os == 'macOS' diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 5a1ddfd..256b894 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -10,6 +10,7 @@ jobs: ci: runs-on: ${{ matrix.os }} strategy: + fail-fast: false matrix: os: [macos-latest, ubuntu-latest, windows-latest] @@ -19,7 +20,9 @@ jobs: - uses: dtolnay/rust-toolchain@stable - uses: Swatinem/rust-cache@v2 - + with: + shared-key: ci-${{ matrix.os }} + - name: Install system dependencies (Linux) if: runner.os == 'Linux' run: | @@ -28,16 +31,24 @@ jobs: libwebkit2gtk-4.1-dev \ libgtk-3-dev + # cargo check runs everywhere — catches OS-specific compile errors + # (objc2 on macOS, winapi on Windows, gtk on Linux). - name: Cargo check run: cargo check --locked + # The remaining steps only need one OS: lib has no OS-specific code paths, + # clippy lints are portable, and rustfmt is OS-agnostic. Running on Linux + # only saves ~5 min per CI run. - name: Cargo test + if: runner.os == 'Linux' env: RUST_LOG: warn,lib=trace,iroh_proxy_utils=trace run: cargo test -p lib --locked - name: Cargo clippy + if: runner.os == 'Linux' run: cargo clippy --workspace --all-features --all-targets --lib --bins --tests --benches --examples - name: Cargo fmt + if: runner.os == 'Linux' run: cargo fmt --check --all diff --git a/.github/workflows/manual-release.yml b/.github/workflows/manual-release.yml index c5cb9ae..a5b0134 100644 --- a/.github/workflows/manual-release.yml +++ b/.github/workflows/manual-release.yml @@ -32,7 +32,10 @@ jobs: - uses: dtolnay/rust-toolchain@stable + # Stable shared-key per OS — see bundle.yml for rationale. - uses: Swatinem/rust-cache@v2 + with: + shared-key: bundle-${{ matrix.os }} - name: Install system dependencies (Linux) if: runner.os == 'Linux' @@ -47,16 +50,41 @@ jobs: libfuse2 \ libxdo-dev - - name: Install Dioxus CLI - # Library deps in ui/Cargo.toml are pinned to dioxus =0.7.9, but the CLI is - # held back at 0.7.2 because dx bundle path resolution regressed in 0.7.3+ - # and the upstream fix is still open: - # https://github.com/DioxusLabs/dioxus/issues/5233 - # Bump in lockstep with the lib once that issue is resolved. - # - # Use `cargo install` instead of cargo-binstall: `cargo-bins/cargo-binstall@main` - # has broken `cargo` on GHA runners (invokes rustup-init for subcommands). - run: cargo install dioxus-cli --version 0.7.2 --locked + # Library deps in ui/Cargo.toml are pinned to dioxus =0.7.9, but the CLI is + # held back at 0.7.2 because dx bundle path resolution regressed in 0.7.3+ + # and the upstream fix is still open: + # https://github.com/DioxusLabs/dioxus/issues/5233 + # Bump in lockstep with the lib once that issue is resolved. + # + # Download the prebuilt `dx` binary; see bundle.yml for rationale. + - name: Install Dioxus CLI (Unix) + if: runner.os != 'Windows' + shell: bash + run: | + set -euo pipefail + DX_VER=0.7.2 + TRIPLE=$(rustc -Vv | awk '/^host:/{print $2}') + URL="https://github.com/DioxusLabs/dioxus/releases/download/v${DX_VER}/dx-${TRIPLE}.tar.gz" + echo "Downloading $URL" + mkdir -p "$HOME/.cargo/bin" + curl -fsSL "$URL" | tar -xz -C "$HOME/.cargo/bin" + chmod +x "$HOME/.cargo/bin/dx" + "$HOME/.cargo/bin/dx" --version + + - name: Install Dioxus CLI (Windows) + if: runner.os == 'Windows' + shell: pwsh + run: | + $DX_VER = '0.7.2' + $TRIPLE = ((rustc -Vv | Select-String '^host: ').ToString() -replace '^host: ','').Trim() + $URL = "https://github.com/DioxusLabs/dioxus/releases/download/v$DX_VER/dx-$TRIPLE.zip" + Write-Host "Downloading $URL" + $tmp = Join-Path $env:RUNNER_TEMP 'dx.zip' + Invoke-WebRequest -Uri $URL -OutFile $tmp -UseBasicParsing + $dst = Join-Path $env:USERPROFILE '.cargo\bin' + New-Item -ItemType Directory -Force -Path $dst | Out-Null + Expand-Archive -Path $tmp -DestinationPath $dst -Force + & (Join-Path $dst 'dx.exe') --version - uses: actions/setup-node@v4 if: runner.os == 'macOS' From 2ea89be2957388fdc4a5a959567fb913ecf71d7a Mon Sep 17 00:00:00 2001 From: Matt Jenkinson <75292329+mattdjenkinson@users.noreply.github.com> Date: Thu, 14 May 2026 17:11:35 +0100 Subject: [PATCH 5/5] ci(windows): pin to windows-2022 to dodge VS18 cmake/aws-lc-sys breakage windows-latest currently aliases to the windows-2025 image, which ships Visual Studio 2026 preview (VS18 / MSVC 14.50). cmake-rs (used by aws-lc-sys, pulled in transitively via rustls -> aws-lc-rs) can't resolve a generator for VS18, and MSVC 14.50's vcruntime_c11_stdatomic.h demands /std:c11 which the aws-lc-sys build script doesn't pass. The result is a deterministic failure at `dx bundle` on windows-latest. Pin all three workflows to windows-2022 (VS17) until the toolchain catches up. Co-authored-by: Cursor --- .github/workflows/bundle.yml | 5 ++++- .github/workflows/ci.yml | 4 +++- .github/workflows/manual-release.yml | 4 +++- 3 files changed, 10 insertions(+), 3 deletions(-) diff --git a/.github/workflows/bundle.yml b/.github/workflows/bundle.yml index 8bf0d09..16b5e94 100644 --- a/.github/workflows/bundle.yml +++ b/.github/workflows/bundle.yml @@ -25,7 +25,10 @@ jobs: fail-fast: false matrix: # PRs run linux only as a smoke check; main/tag/manual runs cover all three OSes. - os: ${{ fromJSON(github.event_name == 'pull_request' && '["ubuntu-latest"]' || '["macos-latest","ubuntu-latest","windows-latest"]') }} + # windows-2022 (not windows-latest): windows-latest aliases to VS18 preview, + # whose MSVC 14.50 headers + cmake-rs can't resolve a Visual Studio generator + # for aws-lc-sys, breaking `dx bundle`. Revisit once the ecosystem catches up. + os: ${{ fromJSON(github.event_name == 'pull_request' && '["ubuntu-latest"]' || '["macos-latest","ubuntu-latest","windows-2022"]') }} env: BUILD_N0DES_API_SECRET: ${{ secrets.N0DES_API_SECRET }} diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 256b894..5aae9f3 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -12,7 +12,9 @@ jobs: strategy: fail-fast: false matrix: - os: [macos-latest, ubuntu-latest, windows-latest] + # windows-2022 (not windows-latest) — see bundle.yml: windows-latest's VS18 + # preview breaks the aws-lc-sys cmake build via rustls. + os: [macos-latest, ubuntu-latest, windows-2022] steps: - uses: actions/checkout@v4 diff --git a/.github/workflows/manual-release.yml b/.github/workflows/manual-release.yml index a5b0134..4041e12 100644 --- a/.github/workflows/manual-release.yml +++ b/.github/workflows/manual-release.yml @@ -19,7 +19,9 @@ jobs: strategy: fail-fast: false matrix: - os: [macos-latest, ubuntu-latest, windows-latest] + # windows-2022 (not windows-latest) — see bundle.yml: windows-latest's VS18 + # preview breaks the aws-lc-sys cmake build via rustls. + os: [macos-latest, ubuntu-latest, windows-2022] env: BUILD_N0DES_API_SECRET: ${{ secrets.N0DES_API_SECRET }}