release: v0.7.17 #36
Workflow file for this run
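# Release pipeline: on a pushed version tag, create the GitHub Release, then
# build, sign (when certificates are configured) and publish the Electron
# packages for macOS, Windows and Linux.
name: Build & Release

on:
  push:
    tags:
      - 'v*.*.*'

# Both jobs upload to the release, so both need write access to contents.
# No other token scope is granted.
permissions:
  contents: write

jobs:
  # Create the GitHub Release first so build jobs don't race each other
  create-release:
    runs-on: ubuntu-latest
    steps:
      - name: Create GitHub Release
        # NOTE(review): third-party action referenced by a mutable tag while
        # holding a write token. Pin it to a full commit SHA
        # (`@<full-commit-sha>  # v3`) so a moved tag cannot change what runs.
        uses: softprops/action-gh-release@v3
        with:
          draft: false
          prerelease: false
          token: ${{ secrets.GITHUB_TOKEN }}

  build:
    needs: create-release
    strategy:
      # Let the other platforms finish even if one of them fails.
      fail-fast: false
      matrix:
        include:
          - os: macos-latest
            platform: mac
            build_cmd: npm run build && npx electron-builder --mac --x64 --arm64 --publish always
          - os: windows-latest
            platform: win
            build_cmd: npm run build && npx electron-builder --win --publish always
          - os: ubuntu-latest
            platform: linux
            build_cmd: npm run build && npx electron-builder --linux --publish always
    runs-on: ${{ matrix.os }}
    name: ${{ matrix.os }}
    steps:
      - name: Checkout
        # NOTE(review): same pinning advice as above applies to the
        # tag-referenced actions in this job.
        uses: actions/checkout@v6
        with:
          # Publishing uses GH_TOKEN in the last step, so the checkout token
          # does not need to stay in .git/config where npm scripts can read it.
          persist-credentials: false

      - name: Setup Node.js
        uses: actions/setup-node@v6
        with:
          node-version: 24
          # NOTE(review): release artifacts are built from a restored cache;
          # consider disabling it here if cache integrity is a concern.
          cache: npm

      # Linux — native build dependencies
      - name: Install Linux build deps
        if: matrix.platform == 'linux'
        run: |
          sudo apt-get update
          sudo apt-get install -y \
            libudev-dev \
            libusb-1.0-0-dev \
            build-essential \
            python3 \
            libarchive-tools \
            rpm \
            fakeroot \
            libopenjp2-tools \
            libsecret-1-dev

      # Runs before any signing secret is placed in the environment.
      - name: Install dependencies
        run: npm ci

      # ── macOS code signing ────────────────────────────────────────────────────
      # Requires repository secrets:
      # APPLE_CERTIFICATE — base64-encoded .p12 certificate
      # APPLE_CERTIFICATE_PASSWORD — password for the .p12
      # APPLE_TEAM_ID — your Apple Developer Team ID
      # APPLE_ID — Apple ID for notarization
      # APPLE_APP_SPECIFIC_PASSWORD — app-specific password for notarization
      - name: Import macOS signing certificate
        if: matrix.platform == 'mac'
        shell: bash
        env:
          _APPLE_CERTIFICATE: ${{ secrets.APPLE_CERTIFICATE }}
          _APPLE_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
        run: |
          if [ -n "$_APPLE_CERTIFICATE" ]; then
            # Keep the decoded key out of the workspace that gets packaged,
            # and delete it even when a later command in this step fails.
            CERT_PATH="$RUNNER_TEMP/certificate.p12"
            trap 'rm -f "$CERT_PATH"' EXIT
            # Per-run random keychain password instead of a fixed literal.
            KEYCHAIN_PASSWORD="$(openssl rand -base64 32)"
            echo "$_APPLE_CERTIFICATE" | base64 --decode > "$CERT_PATH"
            security create-keychain -p "$KEYCHAIN_PASSWORD" build.keychain
            security import "$CERT_PATH" -k build.keychain \
              -P "$_APPLE_CERTIFICATE_PASSWORD" -T /usr/bin/codesign
            security list-keychains -s build.keychain
            security default-keychain -s build.keychain
            security unlock-keychain -p "$KEYCHAIN_PASSWORD" build.keychain
            security set-key-partition-list \
              -S apple-tool:,apple:,codesign: -s -k "$KEYCHAIN_PASSWORD" build.keychain
            echo "CSC_IDENTITY_AUTO_DISCOVERY=true" >> "$GITHUB_ENV"
            echo "✓ Developer ID certificate imported — full signing enabled."
          else
            echo "CSC_IDENTITY=-" >> "$GITHUB_ENV"
            echo "CSC_IDENTITY_AUTO_DISCOVERY=false" >> "$GITHUB_ENV"
            echo "✓ No certificate — using ad-hoc signing."
          fi

      # Set Windows signing env only when the cert secret is actually configured.
      # Passing an empty WIN_CSC_LINK causes electron-builder to resolve it as
      # a relative path (the workspace root), which breaks the build.
      # Note: 'secrets' context cannot be used in step 'if:' expressions,
      # so we pass secrets as env vars and check them inside the script.
      # Values written to GITHUB_ENV are visible to every later step of this
      # job; keep this step directly ahead of the build step.
      - name: Configure Windows code signing
        if: matrix.platform == 'win'
        shell: pwsh
        env:
          _WIN_CSC_LINK: ${{ secrets.WIN_CSC_LINK }}
          _WIN_CSC_KEY_PASSWORD: ${{ secrets.WIN_CSC_KEY_PASSWORD }}
        run: |
          if (-not [string]::IsNullOrEmpty($env:_WIN_CSC_LINK)) {
            "WIN_CSC_LINK=$($env:_WIN_CSC_LINK)" | Out-File -FilePath $env:GITHUB_ENV -Append
            "WIN_CSC_KEY_PASSWORD=$($env:_WIN_CSC_KEY_PASSWORD)" | Out-File -FilePath $env:GITHUB_ENV -Append
            Write-Host "Windows code signing configured."
          } else {
            Write-Host "No Windows certificate found — building unsigned."
          }

      - name: Build, package & publish
        env:
          # Notarization credentials are only handed to the macOS runner; the
          # Windows and Linux builds get empty values.
          APPLE_TEAM_ID: ${{ matrix.platform == 'mac' && secrets.APPLE_TEAM_ID || '' }}
          APPLE_ID: ${{ matrix.platform == 'mac' && secrets.APPLE_ID || '' }}
          APPLE_APP_SPECIFIC_PASSWORD: ${{ matrix.platform == 'mac' && secrets.APPLE_APP_SPECIFIC_PASSWORD || '' }}
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: ${{ matrix.build_cmd }}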