feat: restructure accounts and prep release flow #1
Workflow file for this run
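# Release workflow: on a pushed `v*` tag, build the frontend once, build and
# package the desktop app for macOS, Windows and Linux, then publish a GitHub
# Release with the installers, updater archives and a checksum file.
#
# NOTE(review): every `uses:` below references a mutable tag (@v4, @v5, @v2).
# This pipeline handles code-signing material and publishes releases, so
# consider pinning each action to a full commit SHA
# (owner/action@<FULL_COMMIT_SHA>  # vX.Y.Z) and updating via Dependabot.
name: Release

on:
  push:
    tags:
      - 'v*'

# Least privilege by default. Only the `release` job, which creates the
# GitHub Release, is granted `contents: write` (see its job-level override).
permissions:
  contents: read

jobs:
  # ── Build frontend once, share across platform jobs ──────────────────────
  build-frontend:
    name: Build H5
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          # Do not leave the job token in .git/config where npm lifecycle
          # scripts from dependencies could read it.
          persist-credentials: false
      - uses: actions/setup-node@v4
        with:
          node-version: '20'
          cache: npm
          cache-dependency-path: frontend/package-lock.json
      - run: npm ci
        working-directory: frontend
      - run: npm run build
        env:
          # Passed through the environment, not interpolated into the script.
          VITE_VERSION: ${{ github.ref_name }}
        working-directory: frontend
      - uses: actions/upload-artifact@v4
        with:
          name: frontend-dist
          path: frontend/dist/

  # ── Platform matrix ──────────────────────────────────────────────────────
  build:
    name: Build ${{ matrix.os-name }}
    needs: build-frontend
    runs-on: ${{ matrix.runner }}
    # Signing identifiers are populated only on the macOS leg; the Windows and
    # Linux legs (and the other jobs) no longer receive them. They stay
    # job-wide on macOS because the signing/notarization scripts that consume
    # them are not part of this file.
    env:
      MACOS_SIGNING_IDENTITY: ${{ matrix.goos == 'darwin' && secrets.MACOS_SIGNING_IDENTITY || '' }}
      MACOS_NOTARY_KEY_ID: ${{ matrix.goos == 'darwin' && secrets.MACOS_NOTARY_KEY_ID || '' }}
      MACOS_NOTARY_ISSUER_ID: ${{ matrix.goos == 'darwin' && secrets.MACOS_NOTARY_ISSUER_ID || '' }}
    strategy:
      fail-fast: false
      matrix:
        include:
          - runner: macos-latest
            os-name: macOS
            goos: darwin
            goarch: universal
            wails-platform: darwin/universal
            package-ext: dmg
            asset-name: GetTokens_darwin_universal.dmg
            updater-asset-name: GetTokens_darwin_universal.tar.gz
          - runner: windows-latest
            os-name: Windows
            goos: windows
            goarch: amd64
            wails-platform: windows/amd64
            wails-extra: -nsis
            package-ext: exe
            asset-name: GetTokens_windows_amd64_installer.exe
            updater-asset-name: GetTokens_windows_amd64.tar.gz
          - runner: ubuntu-latest
            os-name: Linux
            goos: linux
            goarch: amd64
            wails-platform: linux/amd64
            package-ext: AppImage
            asset-name: GetTokens_linux_amd64.AppImage
            updater-asset-name: GetTokens_linux_amd64.tar.gz
    steps:
      - uses: actions/checkout@v4
        with:
          # Build tooling fetched below runs in this workspace; keep the job
          # token out of .git/config.
          persist-credentials: false

      # ── Go ───────────────────────────────────────────────────────────────
      - uses: actions/setup-go@v5
        with:
          go-version: '1.23'

      # ── Node ─────────────────────────────────────────────────────────────
      - uses: actions/setup-node@v4
        with:
          node-version: '20'

      # ── Restore built frontend ───────────────────────────────────────────
      - uses: actions/download-artifact@v4
        with:
          name: frontend-dist
          path: frontend/dist/

      # ── Wails ────────────────────────────────────────────────────────────
      # NOTE(review): `@latest` makes the release build non-reproducible and
      # runs whatever version is newest at build time in a job that later
      # holds signing keys. Pin to the Wails version the project's go.mod
      # requires (wails@<PINNED_VERSION>).
      - name: Install Wails
        run: go install github.com/wailsapp/wails/v2/cmd/wails@latest

      # ── Fetch sidecar binary ─────────────────────────────────────────────
      # NOTE(review): the sidecar is requested as `latest` and ends up inside
      # the signed release. fetch-sidecar.sh is not shown here; confirm it
      # verifies a checksum or signature, and prefer a pinned sidecar version.
      - name: Fetch CLIProxyAPI sidecar (macOS/Linux)
        if: runner.os != 'Windows'
        run: |
          chmod +x scripts/fetch-sidecar.sh
          ./scripts/fetch-sidecar.sh ${{ matrix.goos }} ${{ matrix.goarch == 'universal' && 'arm64' || matrix.goarch }} latest build/bin
          # For darwin/universal also fetch amd64
          if [ "${{ matrix.goos }}" = "darwin" ]; then
            ./scripts/fetch-sidecar.sh darwin amd64 latest build/bin/amd64
          fi
      - name: Fetch CLIProxyAPI sidecar (Windows)
        if: runner.os == 'Windows'
        shell: bash
        run: |
          chmod +x scripts/fetch-sidecar.sh
          ./scripts/fetch-sidecar.sh windows amd64 latest build/bin

      # ── Platform-specific dependencies ───────────────────────────────────
      - name: Install macOS packaging tools
        if: runner.os == 'macOS'
        run: brew install create-dmg

      # Decodes the Developer ID certificate and notary API key from secrets
      # into RUNNER_TEMP and imports the certificate into a throwaway keychain.
      # The private material is scoped to this step's env only.
      - name: Prepare macOS signing materials
        if: runner.os == 'macOS'
        env:
          MACOS_DEVELOPER_ID_P12_BASE64: ${{ secrets.MACOS_DEVELOPER_ID_P12_BASE64 }}
          MACOS_DEVELOPER_ID_P12_PASSWORD: ${{ secrets.MACOS_DEVELOPER_ID_P12_PASSWORD }}
          MACOS_NOTARY_API_KEY_BASE64: ${{ secrets.MACOS_NOTARY_API_KEY_BASE64 }}
        run: |
          # Fail fast if any required secret is missing (the shell runs with -e).
          test -n "$MACOS_SIGNING_IDENTITY"
          test -n "$MACOS_NOTARY_KEY_ID"
          test -n "$MACOS_NOTARY_ISSUER_ID"
          test -n "$MACOS_DEVELOPER_ID_P12_BASE64"
          test -n "$MACOS_DEVELOPER_ID_P12_PASSWORD"
          test -n "$MACOS_NOTARY_API_KEY_BASE64"
          # Key files written below must not be group/world readable.
          umask 077
          export CI_KEYCHAIN_PATH="$RUNNER_TEMP/gettokens-signing.keychain-db"
          export CI_KEYCHAIN_PASSWORD="$(uuidgen)"
          # The keychain password is exported to later steps via GITHUB_ENV;
          # mask it so it cannot appear in step logs.
          echo "::add-mask::$CI_KEYCHAIN_PASSWORD"
          export MACOS_NOTARY_KEY_PATH="$RUNNER_TEMP/AuthKey_${MACOS_NOTARY_KEY_ID}.p8"
          python3 -c 'import base64, os, pathlib; pathlib.Path(os.environ["RUNNER_TEMP"], "developer-id.p12").write_bytes(base64.b64decode(os.environ["MACOS_DEVELOPER_ID_P12_BASE64"]))'
          python3 -c 'import base64, os, pathlib; pathlib.Path(os.environ["MACOS_NOTARY_KEY_PATH"]).write_bytes(base64.b64decode(os.environ["MACOS_NOTARY_API_KEY_BASE64"]))'
          security create-keychain -p "$CI_KEYCHAIN_PASSWORD" "$CI_KEYCHAIN_PATH"
          security set-keychain-settings -lut 21600 "$CI_KEYCHAIN_PATH"
          security unlock-keychain -p "$CI_KEYCHAIN_PASSWORD" "$CI_KEYCHAIN_PATH"
          security import "$RUNNER_TEMP/developer-id.p12" \
            -k "$CI_KEYCHAIN_PATH" \
            -P "$MACOS_DEVELOPER_ID_P12_PASSWORD" \
            -T /usr/bin/codesign \
            -T /usr/bin/security
          security list-keychains -d user -s "$CI_KEYCHAIN_PATH"
          security default-keychain -d user -s "$CI_KEYCHAIN_PATH"
          security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$CI_KEYCHAIN_PASSWORD" "$CI_KEYCHAIN_PATH"
          echo "CI_KEYCHAIN_PATH=$CI_KEYCHAIN_PATH" >> "$GITHUB_ENV"
          echo "CI_KEYCHAIN_PASSWORD=$CI_KEYCHAIN_PASSWORD" >> "$GITHUB_ENV"
          echo "MACOS_NOTARY_KEY_PATH=$MACOS_NOTARY_KEY_PATH" >> "$GITHUB_ENV"

      # NOTE(review): verify libwebkit2gtk-4.0-dev is still available on the
      # image that `ubuntu-latest` currently resolves to.
      - name: Install Linux dependencies
        if: runner.os == 'Linux'
        run: |
          sudo apt-get update -y
          sudo apt-get install -y libgtk-3-dev libwebkit2gtk-4.0-dev

      - name: Compute release label
        shell: bash
        run: |
          echo "RELEASE_LABEL=$(TZ=Asia/Shanghai date +'%Y.%m.%d.%H')" >> "$GITHUB_ENV"

      # ── Build ────────────────────────────────────────────────────────────
      - name: Wails build
        # The script uses bash line continuations and ${VAR} expansion; the
        # Windows runner's default shell is PowerShell, so select bash
        # explicitly as the other cross-platform steps do.
        shell: bash
        env:
          # The tag name is attacker-influenced text as far as the shell is
          # concerned; pass it as data instead of splicing it into the script.
          VERSION: ${{ github.ref_name }}
        run: |
          wails build \
            -platform ${{ matrix.wails-platform }} \
            ${{ matrix.wails-extra || '' }} \
            -ldflags "-X main.Version=${VERSION} -X main.ReleaseLabel=${RELEASE_LABEL}"

      - name: Package updater asset
        if: runner.os != 'macOS'
        shell: bash
        run: |
          chmod +x scripts/package-updater-asset.sh
          ./scripts/package-updater-asset.sh ${{ matrix.goos }} ${{ matrix.goarch }}

      # ── Package ──────────────────────────────────────────────────────────
      - name: Sign and notarize macOS app
        if: runner.os == 'macOS'
        run: |
          chmod +x scripts/sign-notarize-macos-release.sh scripts/package-updater-asset.sh
          scripts/sign-notarize-macos-release.sh app "build/bin/GetTokens.app"
      - name: Package DMG (macOS)
        if: runner.os == 'macOS'
        run: |
          mkdir -p dist/release
          create-dmg \
            --volname "GetTokens" \
            --window-size 660 400 \
            --icon-size 100 \
            "dist/release/${{ matrix.asset-name }}" \
            "build/bin/GetTokens.app"
      # The macOS updater archive is packaged only after signing/notarization.
      - name: Sign and notarize macOS DMG
        if: runner.os == 'macOS'
        run: |
          chmod +x scripts/sign-notarize-macos-release.sh scripts/package-updater-asset.sh
          scripts/sign-notarize-macos-release.sh dmg "dist/release/${{ matrix.asset-name }}"
          scripts/package-updater-asset.sh ${{ matrix.goos }} ${{ matrix.goarch }}
      - name: Copy Windows installer
        if: runner.os == 'Windows'
        shell: bash
        run: |
          mkdir -p dist/release
          cp build/bin/GetTokens-*-installer.exe "dist/release/${{ matrix.asset-name }}"
      - name: Package AppImage (Linux)
        if: runner.os == 'Linux'
        run: |
          mkdir -p dist/release
          # Minimal AppImage packaging — replace with appimagetool for production
          cp build/bin/GetTokens "dist/release/${{ matrix.asset-name }}"

      # ── Upload artifact ──────────────────────────────────────────────────
      - uses: actions/upload-artifact@v4
        with:
          name: release-${{ matrix.goos }}
          path: |
            dist/release/${{ matrix.asset-name }}
            dist/release/${{ matrix.updater-asset-name }}

      # Runs even when an earlier step failed, so the keychain and decoded key
      # files never outlive the job.
      - name: Cleanup macOS signing materials
        if: runner.os == 'macOS' && always()
        run: |
          if [[ -n "${CI_KEYCHAIN_PATH:-}" ]]; then
            security delete-keychain "$CI_KEYCHAIN_PATH" || true
          fi
          rm -f "$RUNNER_TEMP/developer-id.p12" "${MACOS_NOTARY_KEY_PATH:-}"

  # ── Publish GitHub Release ───────────────────────────────────────────────
  release:
    name: Publish Release
    needs: build
    runs-on: ubuntu-latest
    # The only job that needs to write to the repository (creates the release).
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - uses: actions/download-artifact@v4
        with:
          # Only the per-platform release artifacts; without a pattern the
          # frontend-dist artifact would be merged into dist/release/ as well.
          pattern: release-*
          path: dist/release/
          merge-multiple: true
      - name: Generate checksums
        run: |
          chmod +x scripts/gen-checksums.sh
          ./scripts/gen-checksums.sh dist/release
      # NOTE(review): third-party action running with contents: write; pin it
      # to a full commit SHA (softprops/action-gh-release@<FULL_COMMIT_SHA>).
      - name: Create GitHub Release
        uses: softprops/action-gh-release@v2
        with:
          files: |
            dist/release/GetTokens_darwin_universal.dmg
            dist/release/GetTokens_darwin_universal.tar.gz
            dist/release/GetTokens_windows_amd64_installer.exe
            dist/release/GetTokens_windows_amd64.tar.gz
            dist/release/GetTokens_linux_amd64.AppImage
            dist/release/GetTokens_linux_amd64.tar.gz
            dist/release/checksums.txt
          generate_release_notes: true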