feat: Command Line SDK 20.2.0-rc.1

[ChiragAgg5k]

This PR contains updates to the SDK for version 20.2.0-rc.1.

What's Changed

• Added: Code-signed Windows release binaries (appwrite-cli-win-x64.exe and appwrite-cli-win-arm64.exe) via SignPath

Notes

• Release candidate. Tag/release should be marked as pre-release; npm publish should use a dist-tag (e.g., next or rc) rather than latest so existing appwrite-cli users aren't auto-upgraded.
• Generated against the public appwrite/specs:main/specs/1.9.x/swagger2-1.9.x-console.json (info.version 1.9.3). No API surface change vs 20.1.0.

[greptile-apps]

Greptile Summary

This PR bumps the CLI SDK from 20.1.0 to 20.2.0-rc.1 and introduces Windows binary code-signing via SignPath as the primary new feature. Version strings, install scripts, and lockfiles are updated consistently across all relevant files, and several source files receive formatting-only touches.

• Windows code signing: The publish workflow now uploads unsigned .exe artifacts, submits them to SignPath for signing, replaces the originals with the signed outputs, and verifies the signatures with osslsigncode before continuing the release pipeline.
• Dependency updates: @appwrite.io/console moves from 12.0.0 to 12.1.0 (runtime), and several @typescript-eslint/* dev dependencies are bumped from 8.59.1 to 8.59.2.
• Build script: The windows-arm64 pkg invocation gains --fallback-to-source, and the pkg step now has osslsigncode available in the runner environment.

Confidence Score: 4/5

Safe to merge — the signing pipeline is well-structured with explicit error checking, and all version strings are updated consistently.

The core changes (version bump, install scripts, lockfile, formatting) are mechanical and low-risk. The new SignPath signing workflow is carefully implemented with set -euo pipefail, file-existence checks, and an osslsigncode verify gate. The two open points — the Scoop manifest lacking hash fields and the signature verification not being pinned to the specific SignPath certificate — are hardening improvements rather than blockers for this release.

scoop/appwrite.config.json (missing hash values) and .github/workflows/publish.yml (signature verification breadth) deserve a second look if stronger supply-chain guarantees are desired.

Important Files Changed

Filename	Overview
.github/workflows/publish.yml	Adds Windows binary code-signing pipeline via SignPath: uploads unsigned artifacts, submits for signing, replaces originals, and verifies signatures with osslsigncode. Also adds actions: read permission and default signing environment variables.
scoop/appwrite.config.json	URLs updated to 20.2.0-rc.1 release, but no hash fields are present for the Windows binaries — Scoop will warn and skip integrity verification.
lib/constants.ts	SDK_VERSION bumped from 20.1.0 to 20.2.0-rc.1.
package.json	Version bumped to 20.2.0-rc.1, @appwrite.io/console bumped to 12.1.0, and --fallback-to-source added to windows-arm64 pkg command.
install.sh	GITHUB_LATEST_VERSION hardcoded to 20.2.0-rc.1; routine version bump for the RC release.
install.ps1	Download URLs updated to point to 20.2.0-rc.1 release assets; routine version bump.
lib/commands/init.ts	Formatting-only change: collapsed multi-line console.log call to a single line.
lib/commands/push.ts	Formatting-only changes: collapsed ternary and function signature formatting.
lib/config.ts	Formatting-only changes: function signatures split across multiple lines for readability.
CHANGELOG.md	Added 20.2.0-rc.1 changelog entry noting code-signed Windows binaries via SignPath.
README.md	Example version output updated to 20.2.0-rc.1 in two places.
bun.lock	Lockfile updated: @appwrite.io/console 12.0.0→12.1.0, @typescript-eslint/* 8.59.1→8.59.2, and several other minor transitive bumps.
package-lock.json	Lockfile updated to match package.json version and dependency bumps.

_{Reviews (1): Last reviewed commit: "chore: update Command Line SDK to 20.2.0..." | Re-trigger Greptile}

[greptile-apps]

Missing hash fields for Scoop manifest entries

The Scoop manifest has no hash fields for either the 64-bit or arm64 download URLs. Without hashes, Scoop skips integrity verification and simply trusts HTTPS — a hash per architecture (e.g. "hash": "sha256:<hex>") lets Scoop catch a corrupted or substituted download before execution. Now that the binaries are code-signed via SignPath, computing and committing SHA-256 hashes for both appwrite-cli-win-x64.exe and appwrite-cli-win-arm64.exe would give Scoop users a second, independent integrity check.