release: v0.7.6 #26
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Build & Release | |
| on: | |
| push: | |
| tags: | |
| - 'v*.*.*' | |
| permissions: | |
| contents: write | |
| env: | |
| FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true | |
| jobs: | |
| build: | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| include: | |
| - os: macos-latest # Apple Silicon (arm64) | |
| platform: mac | |
| arch: arm64 | |
| - os: macos-13 # Intel (x64) | |
| platform: mac | |
| arch: x64 | |
| - os: windows-latest # Windows x64 | |
| platform: win | |
| - os: ubuntu-latest # Linux x64 | |
| platform: linux | |
| runs-on: ${{ matrix.os }} | |
| name: ${{ matrix.os }} ${{ matrix.arch || '' }} | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| - name: Setup Node.js | |
| uses: actions/setup-node@v4 | |
| with: | |
| node-version: 24 | |
| cache: npm | |
| # Linux — native build dependencies | |
| - name: Install Linux build deps | |
| if: matrix.platform == 'linux' | |
| run: | | |
| sudo apt-get update | |
| sudo apt-get install -y \ | |
| libudev-dev \ | |
| libusb-1.0-0-dev \ | |
| build-essential \ | |
| python3 \ | |
| libarchive-tools \ | |
| rpm \ | |
| fakeroot \ | |
| libopenjp2-tools \ | |
| libsecret-1-dev | |
| - name: Install dependencies | |
| run: npm ci | |
| # ── macOS code signing ──────────────────────────────────────────────────── | |
| # Requires repository secrets: | |
| # APPLE_CERTIFICATE — base64-encoded .p12 certificate | |
| # APPLE_CERTIFICATE_PASSWORD — password for the .p12 | |
| # APPLE_TEAM_ID — your Apple Developer Team ID | |
| # APPLE_ID — Apple ID for notarization | |
| # APPLE_APP_SPECIFIC_PASSWORD — app-specific password for notarization | |
| - name: Import macOS signing certificate | |
| if: matrix.platform == 'mac' && env.APPLE_CERTIFICATE != '' | |
| env: | |
| APPLE_CERTIFICATE: ${{ secrets.APPLE_CERTIFICATE }} | |
| APPLE_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }} | |
| run: | | |
| echo "$APPLE_CERTIFICATE" | base64 --decode > certificate.p12 | |
| security create-keychain -p "temp-keychain-password" build.keychain | |
| security import certificate.p12 -k build.keychain \ | |
| -P "$APPLE_CERTIFICATE_PASSWORD" -T /usr/bin/codesign | |
| security list-keychains -s build.keychain | |
| security default-keychain -s build.keychain | |
| security unlock-keychain -p "temp-keychain-password" build.keychain | |
| security set-key-partition-list \ | |
| -S apple-tool:,apple:,codesign: -s -k "temp-keychain-password" build.keychain | |
| rm certificate.p12 | |
| # Set Windows signing env only when the cert secret is actually configured. | |
| # Passing an empty WIN_CSC_LINK causes electron-builder to resolve it as | |
| # a relative path (the workspace root), which breaks the build. | |
| # Note: 'secrets' context cannot be used in step 'if:' expressions, | |
| # so we pass secrets as env vars and check them inside the script. | |
| - name: Configure Windows code signing | |
| if: matrix.platform == 'win' | |
| shell: pwsh | |
| env: | |
| _WIN_CSC_LINK: ${{ secrets.WIN_CSC_LINK }} | |
| _WIN_CSC_KEY_PASSWORD: ${{ secrets.WIN_CSC_KEY_PASSWORD }} | |
| run: | | |
| if (-not [string]::IsNullOrEmpty($env:_WIN_CSC_LINK)) { | |
| "WIN_CSC_LINK=$($env:_WIN_CSC_LINK)" | Out-File -FilePath $env:GITHUB_ENV -Append | |
| "WIN_CSC_KEY_PASSWORD=$($env:_WIN_CSC_KEY_PASSWORD)" | Out-File -FilePath $env:GITHUB_ENV -Append | |
| Write-Host "Windows code signing configured." | |
| } else { | |
| Write-Host "No Windows certificate found — building unsigned." | |
| } | |
| - name: Build & package | |
| env: | |
| # macOS signing (no-op if secrets absent) | |
| APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }} | |
| APPLE_ID: ${{ secrets.APPLE_ID }} | |
| APPLE_APP_SPECIFIC_PASSWORD: ${{ secrets.APPLE_APP_SPECIFIC_PASSWORD }} | |
| CSC_IDENTITY_AUTO_DISCOVERY: ${{ secrets.APPLE_CERTIFICATE != '' && 'true' || 'false' }} | |
| # GitHub token for electron-updater publish | |
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| run: npm run build:${{ matrix.platform }} | |
| - name: Upload to GitHub Release | |
| uses: softprops/action-gh-release@v2.3.2 | |
| with: | |
| draft: false | |
| prerelease: false | |
| fail_on_unmatched_files: false | |
| files: | | |
| dist/*.dmg | |
| dist/*.zip | |
| dist/*.exe | |
| dist/*.AppImage | |
| dist/*.deb | |
| dist/*.yml | |
| token: ${{ secrets.GITHUB_TOKEN }} |