ci: GitHub Actions for CI checks and cross-platform releases

[proofofprints]

Summary

Adds two GitHub Actions workflows so every PR gets type-checked and every release tag automatically builds installers for Windows, macOS (ARM + Intel), and Linux. Also updates the README installation section to list all platforms.

This PR is independent of PRs #4 and #5 — merge order doesn't matter.

Workflows

ci.yml — PR checks

• Triggers on every pull request to main
• Runs npx tsc --noEmit + cargo check on windows-latest
• Once your branch ruleset is active (after repo goes public), you can add this as a required status check

release.yml — Cross-platform release builds

• Triggers on push of any v* tag (e.g. git tag v1.0.0 && git push --tags)
• Builds on 4 targets in parallel:

Platform	Runner	Output
Windows x64	windows-latest	.msi installer
macOS Apple Silicon	macos-latest	.dmg (aarch64)
macOS Intel	macos-latest	.dmg (x64)
Linux x64	ubuntu-22.04	.deb + .AppImage

• Uses tauri-apps/tauri-action@v0 which handles:
  • Building the Tauri app for each platform
  • Signing update artifacts with TAURI_SIGNING_PRIVATE_KEY
  • Creating a draft GitHub release with all platform artifacts attached
  • Generating and attaching latest.json for the in-app updater
• Release is created as a draft so you can review the artifacts before publishing
• Release body includes an installation table and first-launch notes for Windows (SmartScreen, firewall)

Linux build dependencies

Ubuntu 22.04 runner installs webkit2gtk-4.1-dev, libsoup-3.0-dev, libjavascriptcoregtk-4.1-dev, and related libraries required by Tauri 2.

Required GitHub secrets

Before pushing the first v* tag, set these in Settings → Secrets and variables → Actions → Repository secrets:

Secret	Value
TAURI_SIGNING_PRIVATE_KEY	Your Tauri updater signing private key (generated with `npm run tauri signer generate`)
TAURI_SIGNING_PRIVATE_KEY_PASSWORD	Password for the key (use an empty string if no password was set)

`GITHUB_TOKEN` is provided automatically by GitHub Actions — no manual setup needed.

If you've lost the private key, you can regenerate with `npm run tauri signer generate` and update the `pubkey` in `tauri.conf.json` to match. Existing installed copies won't be able to verify updates signed with the new key, but v1.0.0 is the first public release so there's no installed base to worry about.

README update

Installation section replaced the Windows-only instructions with a platform table:

Platform	Format	Notes
Windows (x64)	`.msi`	Fully tested
macOS (Apple Silicon)	`.dmg` (aarch64)	Community-tested
macOS (Intel)	`.dmg` (x64)	Community-tested
Linux (x64)	`.deb` / `.AppImage`	Community-tested

Includes a note that Windows is the primary platform and macOS/Linux should work but haven't been as extensively tested.

Release process after merge

1. Merge this PR (and PRs v1 release prep: docs, zero-state, error handling, defaults #4, release: bump version to 1.0.0 #5 if not already merged)
2. Set the two GitHub secrets listed above
3. Flip repo to public
4. Tag and push: `git tag v1.0.0 && git push --tags`
5. Wait ~15 minutes for all 4 builds to complete
6. Go to Releases → find the draft → review artifacts → publish
7. The in-app updater will automatically find the `latest.json` from that point on

Files changed

```
.github/workflows/ci.yml | 26 +++ NEW
.github/workflows/release.yml | 96 +++ NEW
README.md | +4/-4
3 files changed, 126 insertions(+), 4 deletions(-)
```