phpantom_lsp/.github/workflows/release.yml at 10252dbf957b3d58504d1de483546fb7e4a01436 · PHPantom-dev/phpantom_lsp · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
name: Release

on:
  release:
    types: [created]

permissions:
  contents: write

env:
  CARGO_TERM_COLOR: always

jobs:
  build:
    name: Build ${{ matrix.target }}
    runs-on: ${{ matrix.os }}
    strategy:
      fail-fast: false
      matrix:
        include:
          - target: x86_64-unknown-linux-gnu
            os: ubuntu-latest
            archive: tar.gz
          - target: aarch64-unknown-linux-gnu
            os: ubuntu-latest
            archive: tar.gz
          - target: x86_64-apple-darwin
            os: macos-latest
            archive: tar.gz
            macos_sign: true
          - target: aarch64-apple-darwin
            os: macos-latest
            archive: tar.gz
            macos_sign: true
          - target: x86_64-pc-windows-msvc
            os: windows-latest
            archive: zip
          - target: aarch64-pc-windows-msvc
            os: windows-latest
            archive: zip

    steps:
      - uses: actions/checkout@v4

      - uses: dtolnay/rust-toolchain@stable
        with:
          targets: ${{ matrix.target }}

      - name: Install cross-compilation tools
        if: matrix.target == 'aarch64-unknown-linux-gnu'
        run: |
          sudo apt-get update
          sudo apt-get install -y gcc-aarch64-linux-gnu
          echo "CARGO_TARGET_AARCH64_UNKNOWN_LINUX_GNU_LINKER=aarch64-linux-gnu-gcc" >> $GITHUB_ENV

      - uses: Swatinem/rust-cache@v2
        with:
          key: ${{ matrix.target }}

      - name: Build
        run: cargo build --release --target ${{ matrix.target }}

      # --- macOS: import certificate and sign the binary ---

      - name: Import Apple Developer ID certificate
        if: matrix.macos_sign
        env:
          APPLE_CERTIFICATE: ${{ secrets.APPLE_CERTIFICATE }}
          APPLE_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
        run: |
          # Write the .p12 to disk
          echo "$APPLE_CERTIFICATE" | base64 --decode > certificate.p12

          # Create a temporary keychain so we don't touch the login keychain
          security create-keychain -p actions-keychain phpantom.keychain
          security set-keychain-settings -lut 21600 phpantom.keychain
          security unlock-keychain -p actions-keychain phpantom.keychain

          # Import the certificate + private key
          security import certificate.p12 \
            -k phpantom.keychain \
            -P "$APPLE_CERTIFICATE_PASSWORD" \
            -T /usr/bin/codesign
          security list-keychain -d user -s phpantom.keychain

          # Allow codesign to use the key without a UI prompt
          security set-key-partition-list \
            -S apple-tool:,apple: \
            -k actions-keychain \
            phpantom.keychain

          rm certificate.p12

      - name: Sign binary (macOS)
        if: matrix.macos_sign
        env:
          APPLE_SIGNING_IDENTITY: ${{ secrets.APPLE_SIGNING_IDENTITY }}
        run: |
          codesign \
            --keychain phpantom.keychain \
            --sign "$APPLE_SIGNING_IDENTITY" \
            --options runtime \
            --timestamp \
            --force \
            target/${{ matrix.target }}/release/phpantom_lsp

      - name: Notarize binary (macOS)
        if: matrix.macos_sign
        env:
          APPLE_ID: ${{ secrets.APPLE_ID }}
          APPLE_ID_PASSWORD: ${{ secrets.APPLE_ID_PASSWORD }}
          APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
        run: |
          # Zip just for submission — notarytool requires an archive
          ditto -c -k --keepParent \
            target/${{ matrix.target }}/release/phpantom_lsp \
            phpantom_lsp-notarize.zip

          xcrun notarytool submit phpantom_lsp-notarize.zip \
            --apple-id "$APPLE_ID" \
            --password "$APPLE_ID_PASSWORD" \
            --team-id "$APPLE_TEAM_ID" \
            --wait

          rm phpantom_lsp-notarize.zip

          # Staple the notarization ticket onto the binary itself
          xcrun stapler staple target/${{ matrix.target }}/release/phpantom_lsp

      - name: Delete temporary keychain
        if: matrix.macos_sign && always()
        run: |
          security delete-keychain phpantom.keychain || true

      # --- Package ---

      - name: Package (unix)
        if: matrix.archive == 'tar.gz'
        run: |
          cd target/${{ matrix.target }}/release
          tar czf ../../../phpantom_lsp-${{ matrix.target }}.tar.gz phpantom_lsp
          cd ../../..

      - name: Package (windows)
        if: matrix.archive == 'zip'
        shell: pwsh
        run: |
          Compress-Archive `
            -Path "target/${{ matrix.target }}/release/phpantom_lsp.exe" `
            -DestinationPath "phpantom_lsp-${{ matrix.target }}.zip"

      - name: Upload artifact
        uses: actions/upload-artifact@v4
        with:
          name: phpantom_lsp-${{ matrix.target }}
          path: phpantom_lsp-${{ matrix.target }}.${{ matrix.archive }}

  release:
    name: Create Release
    needs: build
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Download all artifacts
        uses: actions/download-artifact@v4
        with:
          path: artifacts
          merge-multiple: true

      - name: Upload assets to release
        env:
          GH_TOKEN: ${{ github.token }}
        run: |
          for file in artifacts/*; do
            gh release upload "${{ github.event.release.tag_name }}" "$file" --clobber
          done