yazses 0.4.1__tar.gz

yazses-0.4.1/.github/workflows/apt-repo.yml

@@ -0,0 +1,91 @@
+name: APT Repository
+
+on:
+  workflow_run:
+    workflows: ["Release"]
+    types: [completed]
+  workflow_dispatch:
+    inputs:
+      run_id:
+        description: "Release workflow run ID (optional, uses latest if empty)"
+        required: false
+        default: ""
+
+env:
+  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
+
+concurrency:
+  group: apt-repo-${{ github.repository }}
+  cancel-in-progress: false
+
+jobs:
+  update-apt-repo:
+    runs-on: ubuntu-latest
+    timeout-minutes: 15
+    if: ${{ github.event_name == 'workflow_dispatch' || github.event.workflow_run.conclusion == 'success' }}
+    permissions:
+      contents: write
+      actions: read
+
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Determine release run ID
+        id: run_id
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          MANUAL_ID="${{ github.event.inputs.run_id }}"
+          EVENT_ID="${{ github.event.workflow_run.id }}"
+          if [ -n "$MANUAL_ID" ]; then
+            echo "id=$MANUAL_ID" >> $GITHUB_OUTPUT
+          elif [ -n "$EVENT_ID" ]; then
+            echo "id=$EVENT_ID" >> $GITHUB_OUTPUT
+          else
+            # Auto-detect: find latest successful Release run that has a deb-package artifact
+            RUN_ID=$(gh api "repos/$GITHUB_REPOSITORY/actions/workflows/release.yml/runs?status=completed&per_page=10" \
+              --jq '.workflow_runs[] | select(.conclusion=="success" or .conclusion=="failure") | .id' \
+              | head -1)
+            echo "id=$RUN_ID" >> $GITHUB_OUTPUT
+            echo "Auto-detected release run ID: $RUN_ID"
+          fi
+
+      - name: Download .deb artifact from release workflow
+        uses: actions/download-artifact@v4
+        with:
+          name: deb-package
+          path: /tmp/debs
+          run-id: ${{ steps.run_id.outputs.id }}
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Import GPG signing key
+        env:
+          GPG_PRIVATE_KEY: ${{ secrets.APT_REPO_GPG_PRIVATE_KEY }}
+          GPG_KEY_ID: ${{ secrets.APT_REPO_GPG_KEY_ID }}
+        run: |
+          set -euo pipefail
+
+          test -n "$GPG_PRIVATE_KEY" || { echo "::error::APT_REPO_GPG_PRIVATE_KEY secret is empty or missing"; exit 1; }
+          test -n "$GPG_KEY_ID"      || { echo "::error::APT_REPO_GPG_KEY_ID secret is empty or missing"; exit 1; }
+
+          mkdir -p ~/.gnupg
+          chmod 700 ~/.gnupg
+          printf 'allow-loopback-pinentry\n' > ~/.gnupg/gpg-agent.conf
+          gpgconf --kill gpg-agent || true
+
+          printf '%s\n' "$GPG_PRIVATE_KEY" | gpg --batch --yes --import
+          echo "$GPG_KEY_ID:6:" | gpg --import-ownertrust
+          gpg --list-secret-keys "$GPG_KEY_ID"
+
+          echo "" > /tmp/gpg-passphrase
+
+      - name: Update apt repository
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GPG_KEY_ID: ${{ secrets.APT_REPO_GPG_KEY_ID }}
+        run: |
+          debs=(/tmp/debs/*.deb)
+          [[ ${#debs[@]} -eq 1 ]] || { echo "Expected 1 .deb, got ${#debs[@]}"; exit 1; }
+          bash scripts/update-apt-repo.sh "${debs[0]}" "$GPG_KEY_ID"

yazses-0.4.1/.github/workflows/build-macos.yml

@@ -0,0 +1,160 @@
+name: build-macos
+
+on:
+  push:
+    tags: ['v*']
+  pull_request:
+    paths:
+      - 'src/yazses/platform/macos/**'
+      - 'src/yazses/__main__.py'
+      - 'src/yazses/tray/**'
+      - 'packaging/macos/**'
+      - 'scripts/build-macos.sh'
+      - '.github/workflows/build-macos.yml'
+      - 'pyproject.toml'
+  workflow_dispatch:
+
+permissions:
+  contents: write   # needed by softprops/action-gh-release to attach .dmg to the Release
+
+jobs:
+  build:
+    runs-on: macos-latest
+    timeout-minutes: 30
+
+    env:
+      # Apple Developer Program signing + notarisation. All four secrets must
+      # be set for the signing path to fire. Otherwise the workflow ships an
+      # unsigned dev preview (the v0 default).
+      #   MACOS_CERTIFICATE        — base64 of the Developer ID .p12 keystore
+      #   MACOS_CERTIFICATE_PWD    — password for the .p12
+      #   MACOS_NOTARY_APPLE_ID    — Apple ID email used for notarytool
+      #   MACOS_NOTARY_PASSWORD    — app-specific password from appleid.apple.com
+      #   MACOS_NOTARY_TEAM_ID     — 10-char team ID (Apple Developer Membership)
+      #   MACOS_SIGNING_IDENTITY   — exact "Developer ID Application: <Name> (<Team>)" string
+      MACOS_CERTIFICATE: ${{ secrets.MACOS_CERTIFICATE }}
+      MACOS_CERTIFICATE_PWD: ${{ secrets.MACOS_CERTIFICATE_PWD }}
+      MACOS_NOTARY_APPLE_ID: ${{ secrets.MACOS_NOTARY_APPLE_ID }}
+      MACOS_NOTARY_PASSWORD: ${{ secrets.MACOS_NOTARY_PASSWORD }}
+      MACOS_NOTARY_TEAM_ID: ${{ secrets.MACOS_NOTARY_TEAM_ID }}
+      MACOS_SIGNING_IDENTITY: ${{ secrets.MACOS_SIGNING_IDENTITY }}
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up uv
+        uses: astral-sh/setup-uv@v5
+        with:
+          version: '0.5.x'
+
+      - name: Set up Python
+        run: uv python install 3.12
+
+      - name: Install create-dmg
+        run: brew install create-dmg
+
+      - name: Detect signing presence
+        id: sign
+        shell: bash
+        run: |
+          if [[ -n "${MACOS_CERTIFICATE}" \
+              && -n "${MACOS_CERTIFICATE_PWD}" \
+              && -n "${MACOS_NOTARY_APPLE_ID}" \
+              && -n "${MACOS_NOTARY_PASSWORD}" \
+              && -n "${MACOS_NOTARY_TEAM_ID}" \
+              && -n "${MACOS_SIGNING_IDENTITY}" ]]; then
+            echo "sign=true" >> "${GITHUB_OUTPUT}"
+            echo "Signing + notarisation will run."
+          else
+            echo "sign=false" >> "${GITHUB_OUTPUT}"
+            echo "Signing secrets not all present; producing unsigned dev preview."
+          fi
+
+      - name: Import signing certificate into keychain
+        if: steps.sign.outputs.sign == 'true'
+        shell: bash
+        run: |
+          KEYCHAIN=yazses-build.keychain-db
+          KEYCHAIN_PWD=$(uuidgen)
+          security create-keychain -p "${KEYCHAIN_PWD}" "${KEYCHAIN}"
+          security set-keychain-settings -lut 21600 "${KEYCHAIN}"
+          security unlock-keychain -p "${KEYCHAIN_PWD}" "${KEYCHAIN}"
+
+          # Decode the base64-encoded .p12 and import it.
+          echo -n "${MACOS_CERTIFICATE}" | base64 --decode > /tmp/cert.p12
+          security import /tmp/cert.p12 \
+              -k "${KEYCHAIN}" \
+              -P "${MACOS_CERTIFICATE_PWD}" \
+              -T /usr/bin/codesign \
+              -T /usr/bin/security
+          rm -f /tmp/cert.p12
+
+          # Allow codesign to use the imported key without a UI prompt.
+          security set-key-partition-list \
+              -S apple-tool:,apple:,codesign: \
+              -s -k "${KEYCHAIN_PWD}" "${KEYCHAIN}" >/dev/null
+          security list-keychains -d user -s "${KEYCHAIN}" $(security list-keychains -d user | tr -d '"' | xargs)
+          echo "KEYCHAIN_PWD=${KEYCHAIN_PWD}" >> "${GITHUB_ENV}"
+          echo "Keychain ready."
+
+      - name: Build .dmg
+        run: ./scripts/build-macos.sh
+
+      - name: Codesign .app and .dmg (Developer ID)
+        if: steps.sign.outputs.sign == 'true'
+        shell: bash
+        run: |
+          set -euo pipefail
+          APP="dist/YazSes.app"
+          DMG=$(ls dist/YazSes-*.dmg | head -1)
+          ENTITLEMENTS=packaging/macos/entitlements.plist
+
+          echo "==> codesign --deep on the app bundle"
+          /usr/bin/codesign \
+              --force --deep --options runtime \
+              --timestamp \
+              --entitlements "${ENTITLEMENTS}" \
+              --sign "${MACOS_SIGNING_IDENTITY}" \
+              "${APP}"
+
+          echo "==> codesign on the .dmg itself"
+          /usr/bin/codesign \
+              --force --timestamp \
+              --sign "${MACOS_SIGNING_IDENTITY}" \
+              "${DMG}"
+
+          echo "==> verify"
+          /usr/bin/codesign --verify --deep --strict --verbose=2 "${APP}"
+          /usr/bin/codesign --verify --verbose=2 "${DMG}"
+
+      - name: Notarise .dmg with Apple
+        if: steps.sign.outputs.sign == 'true'
+        shell: bash
+        run: |
+          set -euo pipefail
+          DMG=$(ls dist/YazSes-*.dmg | head -1)
+          xcrun notarytool submit "${DMG}" \
+              --apple-id "${MACOS_NOTARY_APPLE_ID}" \
+              --password "${MACOS_NOTARY_PASSWORD}" \
+              --team-id "${MACOS_NOTARY_TEAM_ID}" \
+              --wait
+          xcrun stapler staple "${DMG}"
+          xcrun stapler validate "${DMG}"
+
+      - name: Show build artefacts
+        run: ls -lh dist/
+
+      - name: Upload .dmg (signed if applicable)
+        uses: actions/upload-artifact@v4
+        with:
+          name: yazses-macos-${{ steps.sign.outputs.sign == 'true' && 'signed' || 'unsigned' }}-${{ github.sha }}
+          path: dist/YazSes-*.dmg
+          if-no-files-found: error
+          retention-days: 14
+
+      - name: Attach to release (tag builds only)
+        if: startsWith(github.ref, 'refs/tags/v')
+        uses: softprops/action-gh-release@v2
+        with:
+          files: dist/YazSes-*.dmg
+          fail_on_unmatched_files: true

yazses-0.4.1/.github/workflows/build-windows.yml

@@ -0,0 +1,141 @@
+name: build-windows
+
+on:
+  push:
+    tags: ['v*']
+  pull_request:
+    paths:
+      - 'src/yazses/platform/windows/**'
+      - 'src/yazses/__main__.py'
+      - 'src/yazses/tray/**'
+      - 'packaging/windows/**'
+      - 'scripts/build-windows.ps1'
+      - '.github/workflows/build-windows.yml'
+      - 'pyproject.toml'
+  workflow_dispatch:
+
+permissions:
+  id-token: write   # needed by SignPath's OIDC-based authentication
+  contents: write   # needed by softprops/action-gh-release to attach .exe
+
+jobs:
+  build:
+    runs-on: windows-latest
+    timeout-minutes: 30
+
+    env:
+      # SignPath.io signing (free for OSS). All four must be set for the
+      # sign step to fire; otherwise the workflow ships an unsigned dev
+      # preview (the v0 default).
+      #   SIGNPATH_API_TOKEN          — API token from SignPath account
+      #   SIGNPATH_ORGANIZATION_ID    — UUID of your SignPath organisation
+      #   SIGNPATH_PROJECT_SLUG       — e.g. "yazses"
+      #   SIGNPATH_SIGNING_POLICY     — e.g. "release-signing"
+      SIGNPATH_API_TOKEN: ${{ secrets.SIGNPATH_API_TOKEN }}
+      SIGNPATH_ORGANIZATION_ID: ${{ secrets.SIGNPATH_ORGANIZATION_ID }}
+      SIGNPATH_PROJECT_SLUG: ${{ secrets.SIGNPATH_PROJECT_SLUG }}
+      SIGNPATH_SIGNING_POLICY: ${{ secrets.SIGNPATH_SIGNING_POLICY }}
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up uv
+        uses: astral-sh/setup-uv@v5
+        with:
+          version: '0.5.x'
+
+      - name: Set up Python
+        run: uv python install 3.12
+
+      - name: Confirm Inno Setup is available
+        shell: pwsh
+        run: |
+          $cands = @(
+            "${env:ProgramFiles(x86)}\Inno Setup 6\ISCC.exe",
+            "${env:ProgramFiles}\Inno Setup 6\ISCC.exe"
+          )
+          $iscc = $cands | Where-Object { Test-Path $_ } | Select-Object -First 1
+          if (-not $iscc) {
+            Write-Host "Inno Setup not preinstalled; installing via choco"
+            choco install innosetup -y --no-progress
+          } else {
+            Write-Host "Found Inno Setup at $iscc"
+          }
+
+      - name: Detect signing presence
+        id: sign
+        shell: pwsh
+        run: |
+          if ($env:SIGNPATH_API_TOKEN -and $env:SIGNPATH_ORGANIZATION_ID -and $env:SIGNPATH_PROJECT_SLUG -and $env:SIGNPATH_SIGNING_POLICY) {
+            Write-Host "Signing via SignPath will run."
+            echo "sign=true" >> $env:GITHUB_OUTPUT
+          } else {
+            Write-Host "SignPath secrets not all present; producing unsigned dev preview."
+            echo "sign=false" >> $env:GITHUB_OUTPUT
+          }
+
+      - name: Build installer
+        shell: pwsh
+        run: ./scripts/build-windows.ps1
+
+      - name: Locate .exe
+        id: locate
+        shell: pwsh
+        run: |
+          $exe = Get-ChildItem "dist\YazSes-*-windows-x64.exe" | Select-Object -First 1
+          if (-not $exe) { throw "No installer produced" }
+          echo "path=$($exe.FullName)" >> $env:GITHUB_OUTPUT
+          echo "name=$($exe.Name)" >> $env:GITHUB_OUTPUT
+
+      # Upload the unsigned .exe to SignPath, which signs it and returns the
+      # signed binary as a separate artefact named "$name.signed".
+      - name: Upload to SignPath for signing
+        if: steps.sign.outputs.sign == 'true'
+        uses: actions/upload-artifact@v4
+        with:
+          name: unsigned-installer
+          path: ${{ steps.locate.outputs.path }}
+          if-no-files-found: error
+
+      - name: Sign with SignPath
+        if: steps.sign.outputs.sign == 'true'
+        uses: signpath/github-action-submit-signing-request@v1
+        with:
+          api-token: ${{ env.SIGNPATH_API_TOKEN }}
+          organization-id: ${{ env.SIGNPATH_ORGANIZATION_ID }}
+          project-slug: ${{ env.SIGNPATH_PROJECT_SLUG }}
+          signing-policy-slug: ${{ env.SIGNPATH_SIGNING_POLICY }}
+          github-artifact-id: ${{ github.run_id }}
+          wait-for-completion: true
+          output-artifact-directory: dist-signed
+          parameters: |
+            Version: ${{ github.ref_name }}
+
+      - name: Replace unsigned installer with signed one
+        if: steps.sign.outputs.sign == 'true'
+        shell: pwsh
+        run: |
+          $signed = Get-ChildItem "dist-signed\*.exe" | Select-Object -First 1
+          if (-not $signed) { throw "SignPath returned no signed exe" }
+          Copy-Item -Force $signed.FullName "${{ steps.locate.outputs.path }}"
+          Write-Host "Replaced unsigned installer with signed version: $($signed.Name)"
+          Get-AuthenticodeSignature "${{ steps.locate.outputs.path }}" | Format-List
+
+      - name: Show build artefacts
+        shell: pwsh
+        run: Get-ChildItem dist | Format-Table Name, Length, LastWriteTime
+
+      - name: Upload installer (signed if applicable)
+        uses: actions/upload-artifact@v4
+        with:
+          name: yazses-windows-${{ steps.sign.outputs.sign == 'true' && 'signed' || 'unsigned' }}-${{ github.sha }}
+          path: dist/YazSes-*-windows-x64.exe
+          if-no-files-found: error
+          retention-days: 14
+
+      - name: Attach to release (tag builds only)
+        if: startsWith(github.ref, 'refs/tags/v')
+        uses: softprops/action-gh-release@v2
+        with:
+          files: dist/YazSes-*-windows-x64.exe
+          fail_on_unmatched_files: true

yazses-0.4.1/.github/workflows/ppa.yml

@@ -0,0 +1,51 @@
+name: Launchpad PPA
+
+on:
+  push:
+    tags:
+      - "v*"
+
+env:
+  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
+
+jobs:
+  upload-ppa:
+    runs-on: ubuntu-latest
+    timeout-minutes: 15
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Install Debian packaging tools
+        run: |
+          sudo apt-get install -y -q devscripts debhelper dput gpg
+
+      - name: Import GPG key
+        uses: crazy-max/ghaction-import-gpg@v6
+        with:
+          gpg_private_key: ${{ secrets.PPA_GPG_PRIVATE_KEY }}
+          passphrase: ""
+          git_user_signingkey: true
+
+      - name: Configure dput
+        run: |
+          cat > ~/.dput.cf <<'EOF'
+          [yazses-ppa]
+          fqdn = ppa.launchpad.net
+          method = ftp
+          incoming = ~novafabric/ubuntu/yazses/
+          login = anonymous
+          allow_unsigned_uploads = 0
+          EOF
+
+      - name: Upload to PPA
+        env:
+          DEBEMAIL: mohsen.seyedkazemi@gmail.com
+          DEBFULLNAME: Mohsen Seyedkazemi Moghadam
+          GPG_KEY_ID: ${{ secrets.PPA_GPG_KEY_ID }}
+        run: |
+          VERSION=${GITHUB_REF_NAME#v}
+          chmod +x scripts/upload-ppa.sh
+          bash scripts/upload-ppa.sh \
+            "$VERSION" \
+            "$GPG_KEY_ID" \
+            "yazses-ppa"

yazses-0.4.1/.github/workflows/release.yml

@@ -0,0 +1,148 @@
+name: Release
+
+on:
+  push:
+    tags:
+      - "v*"
+
+permissions:
+  contents: write
+
+env:
+  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Install system dependencies
+        run: sudo apt-get install -y libportaudio2
+
+      - uses: astral-sh/setup-uv@v5
+        with:
+          version: "latest"
+          python-version: "3.12"
+
+      - run: uv sync
+
+      - run: uv run pytest tests/ -v
+
+  publish-pypi:
+    runs-on: ubuntu-latest
+    needs: test
+    environment: pypi
+    permissions:
+      id-token: write  # required for OIDC trusted publishing
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: astral-sh/setup-uv@v5
+        with:
+          version: "latest"
+          python-version: "3.12"
+
+      - name: Build wheel and sdist
+        run: uv build
+
+      - name: Publish to PyPI
+        uses: pypa/gh-action-pypi-publish@release/v1
+
+  release-linux:
+    # Builds the .deb, creates the GitHub Release, and uploads the artifact
+    # so the APT repo workflow can download it.
+    runs-on: ubuntu-latest
+    needs: test
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Install build tools
+        run: sudo apt-get install -y dpkg-dev
+
+      - name: Build .deb
+        run: |
+          chmod +x scripts/build-deb.sh
+          bash scripts/build-deb.sh
+
+      - name: Upload .deb artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: deb-package
+          path: "*.deb"
+          if-no-files-found: error
+
+      - name: Create GitHub Release
+        uses: softprops/action-gh-release@v2
+        with:
+          files: "*.deb"
+          generate_release_notes: true
+          body: |
+            Local, offline voice dictation. **Hold a key, speak, release.** No cloud, no GPU.
+
+            ## macOS
+
+            Download `YazSes-<version>.dmg` from the Assets below, open it, drag
+            **YazSes.app** into **Applications**.
+
+            On first launch, **right-click → Open** (the v0 build is unsigned;
+            signing is coming). Grant **Accessibility** + **Microphone** when prompted.
+            Default hotkey: **Right Option**. Full guide: `docs/macos-install.md`.
+
+            ## Windows
+
+            Download `YazSes-<version>-windows-x64.exe` from the Assets and run it.
+
+            SmartScreen may say *"unrecognized app"* — click **More info → Run anyway**
+            (the v0 build is unsigned; signing is coming). Default hotkey: **Right
+            Ctrl**. Full guide: `docs/windows-install.md`.
+
+            ## Linux
+
+            **One-line installer (Debian/Ubuntu):**
+            ```bash
+            bash <(curl -fsSL https://raw.githubusercontent.com/novafabric/yazses/main/install.sh)
+            ```
+
+            **APT repository:**
+            ```bash
+            curl -fsSL https://novafabric.github.io/yazses/apt/KEY.gpg \
+              | sudo gpg --dearmor --yes -o /usr/share/keyrings/yazses.gpg
+            echo "deb [signed-by=/usr/share/keyrings/yazses.gpg] https://novafabric.github.io/yazses/apt ./" \
+              | sudo tee /etc/apt/sources.list.d/yazses.list
+            sudo apt update && sudo apt install yazses
+            sudo usermod -aG input $USER && logout
+            systemctl --user enable --now yazses.service
+            ```
+
+            **Launchpad PPA (Ubuntu):**
+            ```bash
+            sudo add-apt-repository ppa:novafabric/yazses
+            sudo apt update && sudo apt install yazses
+            sudo usermod -aG input $USER && logout
+            systemctl --user enable --now yazses.service
+            ```
+
+            **Snap:**
+            ```bash
+            sudo snap install yazses --classic
+            sudo usermod -aG input $USER && logout
+            ```
+
+            **pipx (any Linux):**
+            ```bash
+            sudo apt install pipx libportaudio2 xdotool xclip
+            sudo usermod -aG input $USER && logout
+            pipx install yazses && pipx ensurepath
+            systemctl --user enable --now yazses.service
+            ```
+
+            **.deb package:**
+            ```bash
+            sudo apt install ./yazses_*.deb
+            sudo usermod -aG input $USER && logout
+            systemctl --user enable --now yazses.service
+            ```
+
+            Default hotkey on Linux: **Space** (configurable). Default config lives
+            at `~/.config/yazses/config.toml`.

yazses-0.4.1/.github/workflows/snap.yml

@@ -0,0 +1,74 @@
+name: Snap
+
+on:
+  push:
+    tags:
+      - "v*"
+  workflow_dispatch:
+    inputs:
+      version:
+        description: "Version to build (without 'v' prefix). Defaults to current snapcraft.yaml value."
+        required: false
+        type: string
+
+env:
+  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
+
+jobs:
+  snap:
+    runs-on: ubuntu-latest
+    timeout-minutes: 30
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set version
+        run: |
+          if [[ "${{ github.event_name }}" == "workflow_dispatch" && -n "${{ inputs.version }}" ]]; then
+            VERSION="${{ inputs.version }}"
+          elif [[ "${GITHUB_REF}" == refs/tags/v* ]]; then
+            VERSION=${GITHUB_REF_NAME#v}
+          else
+            VERSION=$(grep -E '^version:' snap/snapcraft.yaml | head -1 | sed -E 's/version:\s*"([^"]+)".*/\1/')
+          fi
+          sed -i "s/^version:.*/version: \"$VERSION\"/" snap/snapcraft.yaml
+          echo "Building snap version $VERSION"
+
+      - name: Build snap
+        uses: snapcore/action-build@v1
+        id: snap-build
+        # Default mode uses an LXD container, which has root and can refresh
+        # the apt cache. --destructive-mode runs as the runner user without
+        # root, which leaves the package list stale and triggers 404s when
+        # Ubuntu rolls forward.
+
+      - name: Show built artefact
+        run: ls -lh "${{ steps.snap-build.outputs.snap }}"
+
+      - name: Upload .snap as workflow artefact
+        uses: actions/upload-artifact@v4
+        with:
+          name: yazses-snap-${{ github.sha }}
+          path: ${{ steps.snap-build.outputs.snap }}
+          if-no-files-found: error
+          retention-days: 14
+
+      - name: Check Snap Store credentials presence
+        id: check-snap-creds
+        env:
+          CREDS: ${{ secrets.SNAPCRAFT_STORE_CREDENTIALS }}
+        run: |
+          if [[ -z "${CREDS}" ]]; then
+            echo "Snap Store credentials not configured; skipping publish."
+            echo "have_creds=false" >> "${GITHUB_OUTPUT}"
+          else
+            echo "have_creds=true" >> "${GITHUB_OUTPUT}"
+          fi
+
+      - name: Publish to Snap Store
+        if: steps.check-snap-creds.outputs.have_creds == 'true'
+        uses: snapcore/action-publish@v1
+        env:
+          SNAPCRAFT_STORE_CREDENTIALS: ${{ secrets.SNAPCRAFT_STORE_CREDENTIALS }}
+        with:
+          snap: ${{ steps.snap-build.outputs.snap }}
+          release: stable