Updated both macOS packaging steps to pass BUNDLE_PREFIX with a trailing slash (.../stage/<arch>/).
Replaced cp -a with rsync -aL when staging enchant so symlinks are dereferenced into the staged tree (avoids Homebrew opt symlink pitfalls).
Adjusted osx/makebundle.sh to preserve a caller-provided trailing slash when writing the XML default prefix (instead of stripping it), matching the CI fix for malformed x86_64locale path concatenation.
Refactor macOS build workflow to support arm64 and x86_64 architectures. Add steps for staging dependencies and packaging unsigned apps for both architectures.
Updated the macOS GitHub Actions workflow to build both architectures (build-macos-arm64 + build-macos-x86_64), then package a universal app by passing both binaries into osx/makebundle.sh.
Documented the universal build invocation in osx/DEBUGGING.md so local builds can reproduce Intel + Apple Silicon compatibility packaging.
Added a Check signing secrets availability step that inspects all required Apple signing/notarization secrets and emits a ready output for downstream gating.
Added an explicit skip message step when secrets are missing, and gated all signing/notarization/artifact-upload steps behind steps.signing_secrets.outputs.ready == 'true' so the workflow remains valid while preserving intended behavior.
Implemented the build-only unsigned macOS phase on macos-latest: installs Meson/Ninja/GTK tooling via Homebrew, configures/builds with Meson, installs for bundling, generates the .app zip via the existing macOS bundle script, and uploads the unsigned artifact with retention (14 days).
Implemented the release-grade gated phase: job is gated to push on master and only runs when required Apple signing/notarization secrets are present; it downloads the unsigned artifact, imports Developer ID cert, codesigns, notarizes with Apple API key credentials, staples the ticket, and uploads a signed artifact with retention (30 days).
Added a conditional GHCR login step (docker/login-action@v3) that runs when the selected image is under ghcr.io/*, using ${{ github.actor }} and ${{ github.token }} before docker pull.
Left the existing build/pull flow intact after authentication, so behavior is unchanged except for fixing anonymous-pull denial cases.
Replaced the previous direct Meson configure/build/test/install steps with a Debian package build step using dpkg-buildpackage -us -uc -b.
Added artifact upload for generated Debian package outputs (*.deb, *.changes, *.buildinfo).
Switched hardcoded DLL names to wildcard patterns (ex: atk-1.0-0.dll → *atk-1.0-0.dll, iconv.dll → *iconv*.dll, etc.) so it correctly picks up lib* prefixed builds.
Made Enchant provider copying resilient by copying lib\enchant\*.dll instead of a single hardcoded libenchant_myspell.dll.
Added optional copy support for LuaJIT DLLs (luajit*.dll) alongside lua51.dll.
win32/installer/zoitechat.iss.tt
Updated DLL Source: entries to match real-world names from dependency bundles using wildcards (*glib-2*.dll, *gtk-3*.dll, etc.).
Added optional LuaJIT inclusion (skip if missing) and wildcarded girepository.
win32/zoitechat.props
Added env overrides so CI (and humans) can actually control paths:
ZOITECHAT_DEPS_PATH
ZOITECHAT_PYTHON3_PATH
already supported ISCC_EXE and now it actually matters.
Fixed glib-genmarshal handling to prefer glib-genmarshal.exe if present (and only use Python script path if needed).
Added library-name auto-detection for MSVC import libs (gtk-3.lib vs gtk-3.0.lib vs libgtk-3.lib, etc.) so linking doesn’t die just because the bundle names differ.
Ensured InstallerEnabled gets re-evaluated after IsccPath is resolved (GTK3 had the order wrong, so installer builds could be silently disabled).
.github/workflows/windows-build.yml
Made artifact collection and plugin validation tolerate win32 vs Win32 output directory naming, instead of assuming humans are consistent (they aren’t).
Preserved the existing Win32 alias junction logic, but now gate it on both the win32 matrix target and the presence of C:\gtk-build\gtk\x86 from the extracted archive.
