name: Build

on:
  push:
    branches:
      - main
    # Any tag beginning with "v", or one shaped like a digit-led dotted
    # version, starts a run; the build job later turns the tag name into the
    # release version string.
    tags:
      - 'v*'
      - '[0-9]*.[0-9]*.[0-9]*'
  pull_request:
    branches:
      - main
  workflow_dispatch:

# Workflow-wide default: the job token may only read repository contents.
permissions:
  contents: read

# Runs are grouped per workflow and ref, so every branch, PR and tag has its
# own group. Only pull_request runs cancel an in-flight run of the same group;
# push, tag and manual runs are left to finish, so a re-tag does not cancel a
# running release build.
concurrency:
  group: build-${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
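jobs:
  # Verification for pull requests and pushes to main. No secrets are
  # referenced here and the token keeps the workflow-level read-only scope.
  ci:
    name: CI checks (Linux)
    if: github.event_name == 'pull_request' || (github.event_name == 'push' && github.ref == 'refs/heads/main')
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          # No step in this job runs authenticated git commands, so the token
          # is not left in the local git config for npm/cargo scripts to read.
          persist-credentials: false
      - name: Install Tauri Linux dependencies
        run: |
          sudo apt-get update
          sudo apt-get install -y \
            libwebkit2gtk-4.1-dev \
            libgtk-3-dev \
            libayatana-appindicator3-dev \
            librsvg2-dev \
            libsoup-3.0-dev
      - uses: actions/setup-node@v4
        with:
          node-version: '22'
          cache: 'npm'
      # NOTE(review): the two actions below are third-party code referenced by
      # a mutable branch/tag. Pinning each to a reviewed full-length commit SHA
      # keeps a moved ref from changing what runs in this job.
      - uses: dtolnay/rust-toolchain@stable
      - uses: Swatinem/rust-cache@v2
        with:
          workspaces: 'src-tauri'
      - run: npm ci
      - name: Type-check front-end
        run: npx tsc --noEmit
      - name: Check for hardcoded version literals in HTML
        run: npm run version:check
      - name: cargo check (lib)
        run: cargo check --manifest-path src-tauri/Cargo.toml --lib
      - name: cargo test (lib)
        run: cargo test --manifest-path src-tauri/Cargo.toml --lib

  # Produces the distributable bundles. Runs only for tag pushes and manual
  # dispatches, one matrix entry per OS/architecture.
  build:
    name: Build ${{ matrix.label }}
    if: |
      (github.event_name == 'push' && startsWith(github.ref, 'refs/tags/')) ||
      github.event_name == 'workflow_dispatch'
    strategy:
      fail-fast: false
      matrix:
        include:
          - label: macos-arm64
            os: macos-14
            target: aarch64-apple-darwin
            tauri_script: tauri:build:macos-release
            artifacts: |
              dist/*.dmg
              dist/*.pkg
          - label: macos-x64
            os: macos-15-intel
            target: x86_64-apple-darwin
            tauri_script: tauri:build:macos-release
            artifacts: |
              dist/*.dmg
              dist/*.pkg
          - label: windows-x86_64
            os: windows-latest
            target: x86_64-pc-windows-msvc
            tauri_script: tauri:build:windows
            artifacts: |
              src-tauri/target/x86_64-pc-windows-msvc/release/bundle/nsis/*.exe
          - label: linux-x86_64
            os: ubuntu-22.04
            target: x86_64-unknown-linux-gnu
            tauri_script: tauri:build:linux
            artifacts: |
              src-tauri/target/x86_64-unknown-linux-gnu/release/bundle/deb/*.deb
              src-tauri/target/x86_64-unknown-linux-gnu/release/bundle/appimage/*.AppImage
    runs-on: ${{ matrix.os }}
    steps:
      - uses: actions/checkout@v4
        with:
          # The build runs npm and cargo scripts and never pushes, so the job
          # token is not persisted into the checkout's git config.
          persist-credentials: false
      - name: Install Tauri Linux dependencies
        if: runner.os == 'Linux'
        run: |
          sudo apt-get update
          sudo apt-get install -y \
            libwebkit2gtk-4.1-dev \
            libgtk-3-dev \
            libayatana-appindicator3-dev \
            librsvg2-dev \
            libsoup-3.0-dev
      # NOTE(review): the npm cache here and the Rust cache below are restored
      # into the job that produces the shipped binaries, so a tampered cache
      # entry would flow into release artifacts. setup-go already has its cache
      # disabled; consider whether release builds should skip these caches too.
      - uses: actions/setup-node@v4
        with:
          node-version: '22'
          cache: 'npm'
      - uses: actions/setup-go@v5
        with:
          go-version: '1.22'
          cache: false
      # NOTE(review): third-party actions referenced by a mutable branch/tag;
      # pin to a reviewed full-length commit SHA for release builds.
      - uses: dtolnay/rust-toolchain@stable
        with:
          targets: ${{ matrix.target }}
      - uses: Swatinem/rust-cache@v2
        with:
          workspaces: 'src-tauri'
          key: ${{ matrix.target }}
      - name: Install npm dependencies
        run: npm ci
      - name: Prepare release version
        shell: bash
        run: |
          # Tag builds take the version from the tag name (leading "v"
          # stripped); manual runs fall back to package.json. The value is
          # only ever used quoted.
          if [[ "${GITHUB_REF}" == refs/tags/* ]]; then
            version="${GITHUB_REF_NAME#v}"
          else
            version="$(node -p "require('./package.json').version")"
          fi
          mkdir -p src-tauri/target/release
          printf '%s\n' "${version}" > src-tauri/target/release/version.md
          npm run version:set -- "${version}"
      - name: Build (${{ matrix.tauri_script }})
        shell: bash
        env:
          APPLE_SIGNING_IDENTITY_RAW: ${{ secrets.APPLE_SIGNING_IDENTITY }}
          # Passed through the environment so the script body contains no
          # ${{ }} expansion and the value reaches npm as one quoted argument.
          TAURI_SCRIPT: ${{ matrix.tauri_script }}
        run: |
          # macOS: sign the bundle so Gatekeeper doesn't reject downloads as
          # "damaged". A completely unsigned .app (the old --no-sign) is
          # refused outright on macOS Sequoia 15+ with NO "Open anyway" path;
          # an ad-hoc signature (codesign --sign -) restores the open option.
          # Use a real Developer ID when the APPLE_SIGNING_IDENTITY secret is
          # configured, otherwise fall back to ad-hoc "-". (Mirrors the
          # codex-app-transfer release.yml signing path.)
          #
          # NOTE(review): the fallback also applies to tag builds, so a release
          # can be produced with an ad-hoc signature and only a notice in the
          # log. Confirm that is intended for published releases.
          if [[ "$RUNNER_OS" == "macOS" ]]; then
            if [[ -n "$APPLE_SIGNING_IDENTITY_RAW" ]]; then
              export APPLE_SIGNING_IDENTITY="$APPLE_SIGNING_IDENTITY_RAW"
            else
              export APPLE_SIGNING_IDENTITY="-"
              echo "::notice::macOS: no APPLE_SIGNING_IDENTITY secret — using ad-hoc identity (-)"
            fi
          fi
          npm run "$TAURI_SCRIPT"
      - name: Verify macOS .app inside dmg is codesigned
        if: runner.os == 'macOS'
        shell: bash
        run: |
          # Verify the app INSIDE the dmg — the release finalize step
          # (macos:artifacts:finalize:release) removes the standalone .app and
          # keeps only the dmg/pkg, so that's what users actually download. An
          # unsigned/mismatched bundle is exactly what shows "is damaged" on
          # Sequoia. Mirrors codex-app-transfer's codesign sanity check.
          #
          # This checks that the signature is present and consistent. An
          # ad-hoc signature passes as well, so a green step does not show
          # that a Developer ID identity was used.
          dmg="$(find src-tauri/target dist -name '*.dmg' -print -quit 2>/dev/null)"
          if [[ -z "$dmg" ]]; then echo "::error::no dmg found to verify"; exit 1; fi
          echo "verifying app inside: $dmg"
          hdiutil attach "$dmg" -nobrowse -mountpoint /tmp/verify-dmg
          app="$(find /tmp/verify-dmg -maxdepth 2 -name '*.app' -print -quit)"
          rc=1
          if [[ -n "$app" ]]; then
            # `shell: bash` runs the script with -e, so a bare failing codesign
            # would abort here, skipping the detach and the error annotation.
            # Capturing the status in an || list lets the script carry on.
            rc=0
            codesign --verify --deep --strict --verbose=2 "$app" || rc=$?
          else
            echo "::error::no .app inside dmg"
          fi
          hdiutil detach /tmp/verify-dmg >/dev/null 2>&1 || true
          [[ $rc -eq 0 ]] || { echo "::error::dmg app failed codesign verify"; exit 1; }
      - name: Upload artifacts
        uses: actions/upload-artifact@v4
        with:
          name: codex-switch-${{ matrix.label }}
          path: ${{ matrix.artifacts }}
          if-no-files-found: error
          retention-days: 30

  # Collects the build outputs and attaches them to a draft release. This is
  # the only job that raises the token to contents: write, and it runs only
  # for tag pushes.
  release:
    name: Attach to GitHub Release
    needs: build
    if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/')
    runs-on: ubuntu-latest
    permissions:
      contents: write
    steps:
      - name: Download all build artifacts
        uses: actions/download-artifact@v4
        with:
          path: artifacts
      - name: List collected artifacts
        run: |
          # -maxdepth goes before -type: GNU find warns when a global option
          # follows a test.
          find artifacts -maxdepth 4 -type f | sort
      # NOTE(review): this third-party action runs with a write-scoped token
      # and is referenced by a mutable tag; pin it to a reviewed full-length
      # commit SHA. The release stays a draft, so a person still publishes it.
      # No checksum or provenance file is attached alongside the binaries.
      - name: Create draft release with artifacts
        uses: softprops/action-gh-release@v2
        with:
          draft: true
          generate_release_notes: true
          files: |
            artifacts/codex-switch-macos-arm64/**/*
            artifacts/codex-switch-macos-x64/**/*
            artifacts/codex-switch-windows-x86_64/**/*
            artifacts/codex-switch-linux-x86_64/**/*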