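# Release pipeline: a pushed version tag (v*.*.*) creates a GitHub Release,
# then one build job per OS packages the app with electron-builder and
# uploads the artifacts to that release.
name: Build & Release

on:
  push:
    tags:
      - 'v*.*.*'

# Least-privilege default: any job added later starts read-only. The two jobs
# below opt in to `contents: write` because they create the release and
# upload assets to it.
permissions:
  contents: read

jobs:
  # Create the GitHub Release first so build jobs don't race each other
  create-release:
    runs-on: ubuntu-latest
    permissions:
      contents: write
    steps:
      - name: Create GitHub Release
        # NOTE(review): third-party action referenced by a mutable tag while
        # the job token can write to the repository. Pinning to a full commit
        # SHA (with the tag kept in a trailing comment) means a moved tag
        # cannot change what runs here.
        uses: softprops/action-gh-release@v3
        with:
          draft: false
          prerelease: false
          token: ${{ secrets.GITHUB_TOKEN }}

  build:
    needs: create-release
    permissions:
      contents: write
    strategy:
      # One platform failing must not cancel the other platforms' builds.
      fail-fast: false
      matrix:
        include:
          - os: macos-latest
            platform: mac
            build_cmd: npm run build && npx electron-builder --mac --x64 --arm64 --publish always
          - os: windows-latest
            platform: win
            build_cmd: npm run build && npx electron-builder --win --publish always
          - os: ubuntu-latest
            platform: linux
            build_cmd: npm run build && npx electron-builder --linux --publish always
    runs-on: ${{ matrix.os }}
    name: ${{ matrix.os }}
    steps:
      - name: Checkout
        uses: actions/checkout@v6
        with:
          # No step in this job runs git against the remote; publishing goes
          # through GH_TOKEN in the final step. Keep the write-scoped token
          # out of .git/config so install and build scripts cannot read it
          # from disk.
          persist-credentials: false

      - name: Setup Node.js
        uses: actions/setup-node@v6
        with:
          # Quoted so the version is always read as a string.
          node-version: '24'
          cache: npm

      # Linux — native build dependencies
      - name: Install Linux build deps
        if: matrix.platform == 'linux'
        run: |
          sudo apt-get update
          sudo apt-get install -y \
            libudev-dev \
            libusb-1.0-0-dev \
            build-essential \
            python3 \
            libarchive-tools \
            rpm \
            fakeroot \
            libopenjp2-tools \
            libsecret-1-dev

      # Dependencies are installed before any signing secret is placed in the
      # job environment, so package install scripts run without access to
      # them. Keep this step ahead of the signing steps.
      - name: Install dependencies
        run: npm ci

      # ── macOS code signing ────────────────────────────────────────────────────
      # Requires repository secrets:
      #   APPLE_CERTIFICATE           — base64-encoded .p12 certificate
      #   APPLE_CERTIFICATE_PASSWORD  — password for the .p12
      #   APPLE_TEAM_ID               — your Apple Developer Team ID
      #   APPLE_ID                    — Apple ID for notarization
      #   APPLE_APP_SPECIFIC_PASSWORD — app-specific password for notarization
      - name: Import macOS signing certificate
        if: matrix.platform == 'mac'
        shell: bash
        env:
          _APPLE_CERTIFICATE: ${{ secrets.APPLE_CERTIFICATE }}
          _APPLE_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
        run: |
          if [ -n "$_APPLE_CERTIFICATE" ]; then
            # Decode outside the workspace so the .p12 can never be picked up
            # by packaging, and remove it on every exit path: `shell: bash`
            # runs with -e, so a failed import would otherwise skip cleanup.
            CERT_PATH="$RUNNER_TEMP/certificate.p12"
            trap 'rm -f "$CERT_PATH"' EXIT
            umask 077
            echo "$_APPLE_CERTIFICATE" | base64 --decode > "$CERT_PATH"

            # Per-run random keychain password instead of a constant that is
            # readable in the repository; it is only needed inside this step.
            KEYCHAIN_PASSWORD="$(openssl rand -base64 32)"

            security create-keychain -p "$KEYCHAIN_PASSWORD" build.keychain
            security import "$CERT_PATH" -k build.keychain \
              -P "$_APPLE_CERTIFICATE_PASSWORD" -T /usr/bin/codesign
            security list-keychains -s build.keychain
            security default-keychain -s build.keychain
            security unlock-keychain -p "$KEYCHAIN_PASSWORD" build.keychain
            # Allow Apple's signing tools to use the key without a UI prompt.
            security set-key-partition-list \
              -S apple-tool:,apple:,codesign: -s -k "$KEYCHAIN_PASSWORD" build.keychain
            echo "CSC_IDENTITY_AUTO_DISCOVERY=true" >> "$GITHUB_ENV"
            echo "✓ Developer ID certificate imported — full signing enabled."
          else
            echo "CSC_IDENTITY=-" >> "$GITHUB_ENV"
            echo "CSC_IDENTITY_AUTO_DISCOVERY=false" >> "$GITHUB_ENV"
            echo "✓ No certificate — using ad-hoc signing."
          fi

      # Set Windows signing env only when the cert secret is actually configured.
      # Passing an empty WIN_CSC_LINK causes electron-builder to resolve it as
      # a relative path (the workspace root), which breaks the build.
      # Note: 'secrets' context cannot be used in step 'if:' expressions,
      # so we pass secrets as env vars and check them inside the script.
      #
      # NOTE(review): values appended to GITHUB_ENV are exported to every
      # later step of this job, not only the build step. Keep this the last
      # step before the build, and do not insert third-party actions between
      # here and the end of the job.
      - name: Configure Windows code signing
        if: matrix.platform == 'win'
        shell: pwsh
        env:
          _WIN_CSC_LINK: ${{ secrets.WIN_CSC_LINK }}
          _WIN_CSC_KEY_PASSWORD: ${{ secrets.WIN_CSC_KEY_PASSWORD }}
        run: |
          if (-not [string]::IsNullOrEmpty($env:_WIN_CSC_LINK)) {
            "WIN_CSC_LINK=$($env:_WIN_CSC_LINK)" | Out-File -FilePath $env:GITHUB_ENV -Append
            "WIN_CSC_KEY_PASSWORD=$($env:_WIN_CSC_KEY_PASSWORD)" | Out-File -FilePath $env:GITHUB_ENV -Append
            Write-Host "Windows code signing configured."
          } else {
            Write-Host "No Windows certificate found — building unsigned."
          }

      # The command is expanded from the static matrix above, never from
      # event data, so templating it straight into `run:` is safe here. Keep
      # build_cmd free of any value derived from github.event or the ref name.
      - name: Build, package & publish
        env:
          APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
          APPLE_ID: ${{ secrets.APPLE_ID }}
          APPLE_APP_SPECIFIC_PASSWORD: ${{ secrets.APPLE_APP_SPECIFIC_PASSWORD }}
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: ${{ matrix.build_cmd }}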