pear/.github/workflows/release.yml at main · AgentWorkforce/pear · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
name: Release (macOS)

# Manual trigger: Actions tab → "Release (macOS)" → Run workflow.
on:
  workflow_dispatch:

permissions:
  contents: write # needed for electron-builder to create the GitHub Release

jobs:
  release:
    runs-on: macos-latest
    timeout-minutes: 120 # backstop for the notarization retry loop below
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 0

      - name: Setup Node
        uses: actions/setup-node@v4
        with:
          node-version: 22
          cache: npm

      - name: Install dependencies
        run: npm ci

      - name: Compute date-based version
        id: version
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          YEAR="$(date +%Y)"
          # 10# forces base-10 so "08"/"09" don't fail as invalid octal, and
          # strips the leading zero so the version stays valid semver (2026.6.1,
          # not 2026.06.1 — leading zeros are not valid semver).
          MONTH="$((10#$(date +%m)))"
          # Count this month's releases (drafts included) so re-running before
          # publishing a draft doesn't reuse its version.
          COUNT="$(gh api --paginate "repos/${GITHUB_REPOSITORY}/releases" \
            --jq '.[].tag_name' | grep -Ec "^v${YEAR}\.${MONTH}\." || true)"
          N="$((COUNT + 1))"
          VERSION="${YEAR}.${MONTH}.${N}"
          echo "Release #${N} for ${YEAR}-$(date +%m) -> v${VERSION}"
          # Set transiently (not committed); electron-builder bakes this into the
          # app, latest-mac.yml, and the GitHub release tag (v${version}).
          npm version "$VERSION" --no-git-tag-version --allow-same-version
          echo "version=${VERSION}" >> "$GITHUB_OUTPUT"

      - name: Generate changelog
        id: changelog
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          VERSION="$(node -p "require('./package.json').version")"
          TAG="v${VERSION}"
          PREVIOUS_TAG="$(git tag --sort=-version:refname | grep -E '^v[0-9]' | grep -v "^${TAG}$" | head -n 1 || true)"
          NOTES_FILE="${RUNNER_TEMP}/release-notes.md"

          args=(
            -f "tag_name=${TAG}"
            -f "target_commitish=${GITHUB_SHA}"
          )
          if [ -n "${PREVIOUS_TAG}" ]; then
            args+=(-f "previous_tag_name=${PREVIOUS_TAG}")
          fi

          gh api "repos/${GITHUB_REPOSITORY}/releases/generate-notes" \
            "${args[@]}" \
            --jq ".body" > "${NOTES_FILE}"

          {
            echo "version=${VERSION}"
            echo "tag=${TAG}"
            echo "previous_tag=${PREVIOUS_TAG}"
            echo "notes_file=${NOTES_FILE}"
          } >> "${GITHUB_OUTPUT}"

      - name: Decode App Store Connect API key (.p8)
        env:
          APPLE_API_KEY_BASE64: ${{ secrets.APPLE_API_KEY_BASE64 }}
        run: |
          mkdir -p "$HOME/private_keys"
          node -e "require('fs').writeFileSync(process.argv[1], Buffer.from(process.env.APPLE_API_KEY_BASE64 || '', 'base64'))" "$HOME/private_keys/AuthKey.p8"
          echo "APPLE_API_KEY=$HOME/private_keys/AuthKey.p8" >> "$GITHUB_ENV"

      - name: Build, sign, notarize & publish
        env:
          # Code-signing certificate (Developer ID Application .p12, base64)
          CSC_LINK: ${{ secrets.CSC_LINK }}
          CSC_KEY_PASSWORD: ${{ secrets.CSC_KEY_PASSWORD }}
          # Notarization (App Store Connect API key) — APPLE_API_KEY set above
          APPLE_API_KEY_ID: ${{ secrets.APPLE_API_KEY_ID }}
          APPLE_API_ISSUER: ${{ secrets.APPLE_API_ISSUER }}
          # Publishing the GitHub Release
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        # electron-builder notarizes internally and has no per-attempt retry,
        # so Apple's transient notary drops (-1009) can fail an otherwise-good
        # build. Retry the whole build a few times; notarization runs before
        # publishing, so a failed attempt leaves nothing half-published.
        run: |
          for attempt in 1 2 3; do
            if npm run release:mac; then
              exit 0
            fi
            echo "release attempt ${attempt} failed; retrying in 60s..."
            sleep 60
          done
          echo "release failed after 3 attempts"
          exit 1

      # electron-builder uploads to a DRAFT (releaseType: draft) so all assets
      # land atomically. Set the notes/title and then flip it live in one go:
      # marking it the latest published release is what makes
      # releases/latest/download/pear-arm64.dmg (the /pear/download target) and
      # electron-updater pick it up — drafts are invisible to both.
      - name: Publish GitHub Release
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          gh release edit "${{ steps.changelog.outputs.tag }}" \
            --repo "${GITHUB_REPOSITORY}" \
            --title "${{ steps.changelog.outputs.version }}" \
            --notes-file "${{ steps.changelog.outputs.notes_file }}" \
            --draft=false \
            --latest

      - name: Upload macOS build artifacts
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: pear-macos-${{ github.run_id }}
          path: |
            dist/*.dmg
            dist/*.zip
          if-no-files-found: warn
          retention-days: 30