fix: use Tauri bundler for NSIS — runner now under ActRunner account

Re-enable Tauri NSIS bundler (embeds frontend in exe). Runner
runs as ActRunner service account with proper user profile,
so Tauri's downloaded NSIS/tools should work. Removed manual
NSIS step and template file from workflow.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

.gitea/workflows/build-release.yml

@@ -56,28 +56,9 @@ jobs:
         shell: powershell
         run: |
           $env:Path = "$env:EXTRA_PATH;$env:Path"
-          cargo tauri build --no-bundle
+          cargo tauri build
-          Get-ChildItem src-tauri\target\release\Wraith.exe
+          Write-Host "=== Build output ==="
-
+          Get-ChildItem -Recurse src-tauri\target\release\bundle\nsis\*.exe
-      - name: Build NSIS installer
-        shell: powershell
-        run: |
-          $env:Path = "$env:EXTRA_PATH;$env:Path"
-          $ver = ("${{ github.ref_name }}" -replace '^v','')
-          $outExe = "Wraith_" + $ver + "_x64-setup.exe"
-
-          New-Item -ItemType Directory -Force -Path dist-pkg | Out-Null
-          Copy-Item src-tauri\target\release\Wraith.exe dist-pkg\
-          Copy-Item src-tauri\icons\icon.ico dist-pkg\wraith.ico -ErrorAction SilentlyContinue
-
-          $nsi = Get-Content src-tauri\installer.nsi.template -Raw
-          $nsi = $nsi.Replace("OUTFILE_PLACEHOLDER", $outExe).Replace("VER_PLACEHOLDER", $ver)
-          [System.IO.File]::WriteAllText((Join-Path (Get-Location) "dist-pkg\installer.nsi"), $nsi)
-
-          & makensis (Join-Path (Get-Location) "dist-pkg\installer.nsi")
-          Move-Item "dist-pkg\$outExe" .
-          Write-Host "=== Installer built ==="
-          Get-ChildItem $outExe
 
       - name: Download jsign
         shell: powershell
@@ -85,7 +66,6 @@ jobs:
           Invoke-WebRequest -Uri "https://github.com/ebourg/jsign/releases/download/7.0/jsign-7.0.jar" -OutFile jsign.jar
 
       - name: Get Azure token
-        id: azure-token
         shell: powershell
         run: |
           $body = @{
@@ -103,21 +83,12 @@ jobs:
         shell: powershell
         run: |
           $env:Path = "$env:EXTRA_PATH;$env:Path"
-          $ver = ("${{ github.ref_name }}" -replace '^v','')
           $token = [System.IO.File]::ReadAllText("$env:TEMP\aztoken.txt")
-          $installer = "Wraith_" + $ver + "_x64-setup.exe"
+          $binaries = Get-ChildItem -Recurse src-tauri\target\release\bundle\nsis\*.exe
-          Write-Host "Looking for installer: $installer"
+          foreach ($binary in $binaries) {
-          Write-Host "Current dir: $(Get-Location)"
+            Write-Host "Signing: $($binary.FullName)"
-          Get-ChildItem *.exe -ErrorAction SilentlyContinue
+            java -jar jsign.jar --storetype AZUREKEYVAULT --keystore "${{ secrets.AZURE_KEY_VAULT_URL }}" --storepass $token --alias "${{ secrets.AZURE_CERT_NAME }}" --tsaurl http://timestamp.digicert.com --tsmode RFC3161 $binary.FullName
-          $binaries = @("src-tauri\target\release\Wraith.exe", $installer)
+            Write-Host "Signed: $($binary.Name)"
-          foreach ($path in $binaries) {
-            if (Test-Path $path) {
-              Write-Host "Signing: $path"
-              java -jar jsign.jar --storetype AZUREKEYVAULT --keystore "${{ secrets.AZURE_KEY_VAULT_URL }}" --storepass $token --alias "${{ secrets.AZURE_CERT_NAME }}" --tsaurl http://timestamp.digicert.com --tsmode RFC3161 $path
-              Write-Host "Signed."
-            } else {
-              Write-Host "NOT FOUND: $path"
-            }
           }
           Remove-Item "$env:TEMP\aztoken.txt" -ErrorAction SilentlyContinue
 
@@ -125,19 +96,20 @@ jobs:
         shell: powershell
         run: |
           $ver = ("${{ github.ref_name }}" -replace '^v','')
-          $installer = "Wraith_" + $ver + "_x64-setup.exe"
           $giteaUrl = "https://git.command.vigilcyber.com"
           $headers = @{ Authorization = "token ${{ secrets.GIT_TOKEN }}" }
 
-          # Version JSON
+          $installers = Get-ChildItem -Recurse src-tauri\target\release\bundle\nsis\*.exe
-          $hash = (Get-FileHash $installer -Algorithm SHA256).Hash.ToLower()
+          foreach ($file in $installers) {
-          @{ version = $ver; filename = $installer; sha256 = $hash; platform = "windows"; architecture = "amd64"; released = (Get-Date -Format "yyyy-MM-ddTHH:mm:ssZ"); signed = $true } | ConvertTo-Json | Out-File version.json -Encoding utf8
+            $hash = (Get-FileHash $file.FullName -Algorithm SHA256).Hash.ToLower()
+            @{ version = $ver; filename = $file.Name; sha256 = $hash; platform = "windows"; architecture = "amd64"; released = (Get-Date -Format "yyyy-MM-ddTHH:mm:ssZ"); signed = $true } | ConvertTo-Json | Out-File version.json -Encoding utf8
 
-          Write-Host "Uploading $installer"
+            Write-Host "Uploading: $($file.Name)"
-          Invoke-RestMethod -Uri "$giteaUrl/api/packages/vstockwell/generic/wraith/$ver/$installer" -Method PUT -Headers $headers -ContentType "application/octet-stream" -InFile $installer
+            Invoke-RestMethod -Uri "$giteaUrl/api/packages/vstockwell/generic/wraith/$ver/$($file.Name)" -Method PUT -Headers $headers -ContentType "application/octet-stream" -InFile $file.FullName
 
-          Write-Host "Uploading version.json"
+            Write-Host "Uploading: version.json"
             Invoke-RestMethod -Uri "$giteaUrl/api/packages/vstockwell/generic/wraith/$ver/version.json" -Method PUT -Headers $headers -ContentType "application/octet-stream" -InFile version.json
+          }
 
           Write-Host "=== Upload complete ==="
 

src-tauri/tauri.conf.json

@@ -26,7 +26,7 @@
   },
   "bundle": {
     "active": true,
-    "targets": [],
+    "targets": ["nsis"],
     "icon": [
       "icons/32x32.png",
       "icons/128x128.png",