fix(ci): resolve macOS cargo check and Windows release build failures

- Always provide hwnd field in PlatformConfig (None on non-Windows) to
  fix missing field error on macOS cargo check
- Export RUSTUP_TOOLCHAIN and prepend ~/.cargo/bin to PATH in Windows CI
  setup to ensure nightly toolchain takes precedence over chocolatey
- Add explicit frontend build step in Windows release job to avoid
  beforeBuildCommand relative path resolution issues
- Use structured { cmd, args } signCommand format to handle spaces in
  signtool.exe path
- Update docs/builds.md to reflect CI pipeline changes

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: pythoninthegrass

.github/actions/setup-tauri-build/action.yml

@@ -58,9 +58,13 @@ runs:
         # Refresh PATH to pick up choco-installed rustup
         Import-Module $env:ChocolateyInstall\helpers\chocolateyProfile.psm1
         refreshenv
-        rustup toolchain install nightly-2026-02-09
+        # Ensure rustup-managed binaries take precedence over chocolatey
+        $cargobin = Join-Path $env:USERPROFILE '.cargo\bin'
+        echo $cargobin >> $env:GITHUB_PATH
+        # Pin nightly toolchain via env var (overrides any default)
+        echo "RUSTUP_TOOLCHAIN=nightly-2026-02-09" >> $env:GITHUB_ENV
+        rustup toolchain install nightly-2026-02-09 --no-self-update --target x86_64-pc-windows-msvc
         rustup default nightly-2026-02-09
-        rustup target add x86_64-pc-windows-msvc --toolchain nightly-2026-02-09
         rustc --version
         cargo --version
 

.github/workflows/release.yml

@@ -145,13 +145,26 @@ jobs:
           Export-PfxCertificate -Cert $cert -FilePath "${{ runner.temp }}\mt-cert.pfx" -Password $password
           echo "CERT_PATH=${{ runner.temp }}\mt-cert.pfx" >> $env:GITHUB_ENV
 
+      - name: Build frontend
+        shell: pwsh
+        working-directory: ./app/frontend
+        run: |
+          npm run build
+
       - name: Write signing config override
         shell: pwsh
         env:
           WINDOWS_CERT_PASSWORD: ${{ secrets.WINDOWS_CERT_PASSWORD }}
         run: |
-          $signCmd = "$env:SIGNTOOL_PATH sign /f $env:CERT_PATH /p $env:WINDOWS_CERT_PASSWORD /t http://timestamp.digicert.com /fd SHA256"
-          $config = @{ bundle = @{ windows = @{ signCommand = $signCmd } } } | ConvertTo-Json -Depth 5
+          # Use structured signCommand to handle spaces in signtool path
+          $signCmd = @{
+            cmd = $env:SIGNTOOL_PATH
+            args = @("sign", "/f", $env:CERT_PATH, "/p", $env:WINDOWS_CERT_PASSWORD, "/t", "http://timestamp.digicert.com", "/fd", "SHA256")
+          }
+          $config = @{
+            build = @{ beforeBuildCommand = "" }
+            bundle = @{ windows = @{ signCommand = $signCmd } }
+          } | ConvertTo-Json -Depth 5
           $configPath = "${{ runner.temp }}\sign-override.json"
           $config | Out-File -FilePath $configPath -Encoding utf8
           echo "SIGN_CONFIG_PATH=$configPath" >> $env:GITHUB_ENV

crates/mt-tauri/src/media_keys.rs

@@ -39,8 +39,12 @@ impl MediaKeyManager {
         let config = PlatformConfig {
             dbus_name: "mt_music_player",
             display_name: "mt",
-            #[cfg(target_os = "windows")]
-            hwnd,
+            hwnd: {
+                #[cfg(target_os = "windows")]
+                { hwnd }
+                #[cfg(not(target_os = "windows"))]
+                { None }
+            },
         };
 
         let mut controls = MediaControls::new(config)

docs/builds.md

@@ -442,7 +442,7 @@ The signing flow:
 1. Install Windows SDK (provides `signtool.exe`)
 2. Generate a `CodeSigningCert` with subject `CN=MT`
 3. Export to PFX with password from `WINDOWS_CERT_PASSWORD` secret
-4. Tauri calls `signtool sign` via `bundle.windows.signCommand` (passed as a `--config` override)
+4. Tauri calls `signtool.exe` via `bundle.windows.signCommand` using structured `{ cmd, args }` format to handle spaces in the signtool path (passed as a `--config` override that also disables `beforeBuildCommand`)
 5. Both the application binary and NSIS installer are signed
 6. DigiCert timestamp server ensures signatures remain valid after cert expiry
 
@@ -515,13 +515,14 @@ Runs on `ubuntu-latest`:
 
 Runs on a self-hosted `[self-hosted, Windows, X64]` runner:
 
-1. Sets up the Tauri build environment (Chocolatey installs cmake)
+1. Sets up the Tauri build environment (Chocolatey installs cmake and rustup; `RUSTUP_TOOLCHAIN=nightly-2026-02-09` is exported to `GITHUB_ENV` and `~/.cargo/bin` is prepended to `GITHUB_PATH` to ensure the nightly toolchain takes precedence)
 2. Installs Windows SDK for `signtool.exe`
 3. Generates a self-signed `CodeSigningCert` and exports to PFX
-4. Writes a config override with `bundle.windows.signCommand` pointing to signtool
-5. Builds with `tauri-action` which calls the sign command for both the binary and NSIS installer
-6. Attaches the signed `.exe` to the same draft GitHub Release
-7. Cleans up the certificate and config override (runs in `always()` step)
+4. Builds the frontend explicitly (`npm run build` in `app/frontend/`)
+5. Writes a config override that disables `beforeBuildCommand` (frontend already built) and sets `bundle.windows.signCommand` using structured `{ cmd, args }` format (handles spaces in `signtool.exe` path)
+6. Builds with `tauri-action` which calls the sign command for both the binary and NSIS installer
+7. Attaches the signed `.exe` to the same draft GitHub Release
+8. Cleans up the certificate and config override (runs in `always()` step)
 
 ## Linux System Dependencies