Commit d9dde92

ci: build unsigned desktop artifacts on 0.0.0-testing-* tags (#347)
Add a tag-triggered workflow that builds the Electron desktop app (with the bundled Go daemon) on macOS, Windows, and Linux runners and attaches the unsigned artifacts to a GitHub prerelease for end-to-end pipeline validation. Signing/notarization is intentionally off until the certs and secrets exist, so these builds are for validating packaging, not distribution.

Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
1 parent 83091ce commit d9dde92

1 file changed

Lines changed: 75 additions & 0 deletions

@@ -0,0 +1,75 @@
1+
name: Desktop testing build
2+
3+
# Builds UNSIGNED desktop artifacts on a `0.0.0-testing-<sha>` tag and attaches
4+
# them to a GitHub prerelease, so the packaging pipeline can be exercised
5+
# end-to-end before any signing/notarization secrets exist.
6+
#
7+
# Per OS the current electron-forge makers produce:
8+
# - macOS → .zip (the .dmg maker is a follow-up)
9+
# - Windows → Setup.exe + .nupkg + RELEASES (Squirrel)
10+
# - Linux → .deb and .rpm
11+
#
12+
# Each OS builds on its own native runner because build-daemon.mjs compiles the
13+
# bundled `ao` daemon for the build host's platform; cross-OS packaging would
14+
# ship the wrong daemon (issues #235/#256). The macOS runner is arm64, so the
15+
# macOS artifact is arm64-only until per-arch builds are wired.
16+
#
17+
# Signing is intentionally OFF (no CSC_LINK / APPLE_ID / Windows cert), so these
18+
# builds do NOT pass Gatekeeper/SmartScreen. They are for pipeline validation,
19+
# not distribution.
20+
21+
on:
22+
push:
23+
tags:
24+
- "0.0.0-testing-*"
25+
26+
jobs:
27+
build:
28+
strategy:
29+
fail-fast: false
30+
matrix:
31+
os: [macos-latest, windows-latest, ubuntu-latest]
32+
runs-on: ${{ matrix.os }}
33+
permissions:
34+
contents: write
35+
defaults:
36+
run:
37+
working-directory: frontend
38+
steps:
39+
- uses: actions/checkout@v4
40+
- uses: actions/setup-node@v4
41+
with:
42+
node-version: 20
43+
cache: npm
44+
cache-dependency-path: frontend/package-lock.json
45+
# The daemon is compiled by build-daemon.mjs during premake, so the Go
46+
# toolchain must be present and pinned on every runner.
47+
- uses: actions/setup-go@v5
48+
with:
49+
go-version-file: backend/go.mod
50+
cache-dependency-path: backend/go.sum
51+
# The Linux rpm maker needs rpmbuild, which ubuntu-latest does not ship.
52+
- name: Install rpm tooling (Linux)
53+
if: runner.os == 'Linux'
54+
run: sudo apt-get update && sudo apt-get install -y rpm
55+
- run: npm ci
56+
- name: Build artifacts (unsigned)
57+
run: npm run make
58+
- name: Publish artifacts to the tag's GitHub release
59+
shell: bash
60+
env:
61+
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
62+
TAG: ${{ github.ref_name }}
63+
run: |
64+
set -euo pipefail
65+
# Create the prerelease once. Parallel matrix jobs race here, so a
66+
# second job's "already exists" failure is expected and ignored.
67+
gh release create "$TAG" --prerelease --title "$TAG" \
68+
--notes "Unsigned desktop testing build (pipeline validation only — not signed or notarized)." \
69+
|| true
70+
# Upload every maker output. NUL-delimited to survive spaces in the
71+
# app name ("Agent Orchestrator-..."); --clobber makes re-runs idempotent.
72+
find out/make -type f -print0 | while IFS= read -r -d '' f; do
73+
echo "uploading: $f"
74+
gh release upload "$TAG" "$f" --clobber
75+
done
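Review bot: `permissions: contents: write` is granted at job level (new lines 33-34), so the write-scoped token is in play for the whole job, including `npm ci` (line 55) and `npm run make` (line 57), where dependency install and build scripts run; `actions/checkout@v4` (line 39) also persists that token in the local git config by default. Since these artifacts are unsigned, the integrity of the release rests entirely on this pipeline, so I would split it: a build job with `contents: read` that hands `out/make` over via an artifact upload, and a small publish job that alone holds `contents: write` and runs the `gh release` commands. At minimum, set `persist-credentials: false` on the checkout step. Two smaller points in the same hunk: the `|| true` after `gh release create` (line 69) hides every failure, not only "already exists", so a `gh release view "$TAG"` check before creating would keep real errors visible; and `actions/checkout@v4`, `actions/setup-node@v4` and `actions/setup-go@v5` are referenced by mutable tag, where pinning to a full commit SHA would fix what code runs with the release token.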
