|
| 1 | +name: Desktop testing build |
| 2 | + |
| 3 | +# Builds UNSIGNED desktop artifacts on a `0.0.0-testing-<sha>` tag and attaches |
| 4 | +# them to a GitHub prerelease, so the packaging pipeline can be exercised |
| 5 | +# end-to-end before any signing/notarization secrets exist. |
| 6 | +# |
| 7 | +# Per OS the current electron-forge makers produce: |
| 8 | +# - macOS → .zip (the .dmg maker is a follow-up) |
| 9 | +# - Windows → Setup.exe + .nupkg + RELEASES (Squirrel) |
| 10 | +# - Linux → .deb and .rpm |
| 11 | +# |
| 12 | +# Each OS builds on its own native runner because build-daemon.mjs compiles the |
| 13 | +# bundled `ao` daemon for the build host's platform; cross-OS packaging would |
| 14 | +# ship the wrong daemon (issues #235/#256). The macOS runner is arm64, so the |
| 15 | +# macOS artifact is arm64-only until per-arch builds are wired. |
| 16 | +# |
| 17 | +# Signing is intentionally OFF (no CSC_LINK / APPLE_ID / Windows cert), so these |
| 18 | +# builds do NOT pass Gatekeeper/SmartScreen. They are for pipeline validation, |
| 19 | +# not distribution. |
| 20 | + |
| 21 | +on: |
| 22 | + push: |
| 23 | + tags: |
| 24 | + - "0.0.0-testing-*" |
| 25 | + |
| 26 | +jobs: |
| 27 | + build: |
| 28 | + strategy: |
| 29 | + fail-fast: false |
| 30 | + matrix: |
| 31 | + os: [macos-latest, windows-latest, ubuntu-latest] |
| 32 | + runs-on: ${{ matrix.os }} |
| 33 | + permissions: |
| 34 | + contents: write |
| 35 | + defaults: |
| 36 | + run: |
| 37 | + working-directory: frontend |
| 38 | + steps: |
| 39 | + - uses: actions/checkout@v4 |
| 40 | + - uses: actions/setup-node@v4 |
| 41 | + with: |
| 42 | + node-version: 20 |
| 43 | + cache: npm |
| 44 | + cache-dependency-path: frontend/package-lock.json |
| 45 | + # The daemon is compiled by build-daemon.mjs during premake, so the Go |
| 46 | + # toolchain must be present and pinned on every runner. |
| 47 | + - uses: actions/setup-go@v5 |
| 48 | + with: |
| 49 | + go-version-file: backend/go.mod |
| 50 | + cache-dependency-path: backend/go.sum |
| 51 | + # The Linux rpm maker needs rpmbuild, which ubuntu-latest does not ship. |
| 52 | + - name: Install rpm tooling (Linux) |
| 53 | + if: runner.os == 'Linux' |
| 54 | + run: sudo apt-get update && sudo apt-get install -y rpm |
| 55 | + - run: npm ci |
| 56 | + - name: Build artifacts (unsigned) |
| 57 | + run: npm run make |
| 58 | + - name: Publish artifacts to the tag's GitHub release |
| 59 | + shell: bash |
| 60 | + env: |
| 61 | + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} |
| 62 | + TAG: ${{ github.ref_name }} |
| 63 | + run: | |
| 64 | + set -euo pipefail |
| 65 | + # Create the prerelease once. Parallel matrix jobs race here, so a |
| 66 | + # second job's "already exists" failure is expected and ignored. |
| 67 | + gh release create "$TAG" --prerelease --title "$TAG" \ |
| 68 | + --notes "Unsigned desktop testing build (pipeline validation only — not signed or notarized)." \ |
| 69 | + || true |
| 70 | + # Upload every maker output. NUL-delimited to survive spaces in the |
| 71 | + # app name ("Agent Orchestrator-..."); --clobber makes re-runs idempotent. |
| 72 | + find out/make -type f -print0 | while IFS= read -r -d '' f; do |
| 73 | + echo "uploading: $f" |
| 74 | + gh release upload "$TAG" "$f" --clobber |
| 75 | + done |
0 commit comments