chaitin
diff --git a/‎.github/workflows/build.yml‎
Lines changed: 12 additions & 7 deletions b/‎.github/workflows/build.yml‎
Lines changed: 12 additions & 7 deletions
diff --git a/‎.github/workflows/electron-release.yml‎
Lines changed: 176 additions & 2 deletions b/‎.github/workflows/electron-release.yml‎
Lines changed: 176 additions & 2 deletions
@@ -1,14 +1,9 @@
-name: Build and Push
+name: Service Images
 
 on:
   push:
     branches:
       - main
-      - dev
-  pull_request:
-    branches:
-      - main
-      - dev
 
 env:
   NODE_VERSION: "20"
@@ -58,7 +53,6 @@ jobs:
   docker:
     needs: build
     runs-on: ubuntu-latest
-    if: github.event_name == 'push' && (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/dev')
     steps:
       - uses: actions/checkout@v4
 
@@ -100,3 +94,14 @@ jobs:
             ghcr.io/${{ github.repository_owner }}/monkeycode-frontend:${{ github.sha }}
             ghcr.io/${{ github.repository_owner }}/monkeycode-frontend:latest
           platforms: linux/amd64
+
+      - name: Build and push backend image
+        uses: docker/build-push-action@v6
+        with:
+          context: backend
+          file: backend/build/Dockerfile
+          push: true
+          tags: |
+            ghcr.io/${{ github.repository_owner }}/monkeycode-backend:${{ github.sha }}
+            ghcr.io/${{ github.repository_owner }}/monkeycode-backend:latest
+          platforms: linux/amd64
@@ -3,7 +3,7 @@
 # Android 产物为 release APK，需在仓库 Secrets 配置签名密钥：
 #   ANDROID_KEYSTORE_BASE64 / ANDROID_KEY_ALIAS / ANDROID_KEY_PASSWORD / ANDROID_STORE_PASSWORD
 
-name: Desktop & Android Release
+name: Client Release
 
 on:
   push:
@@ -22,7 +22,9 @@ concurrency:
 
 env:
   NODE_VERSION: "20"
+  RUBY_VERSION: "3.3"
   CSC_IDENTITY_AUTO_DISCOVERY: false
+  IOS_BUNDLE_ID: "com.monkeycode.mobile"
 
 jobs:
   electron-windows:
@@ -248,8 +250,128 @@ jobs:
           path: mobile/release-apk/*.apk
           if-no-files-found: error
 
+  capacitor-ios:
+    runs-on: macos-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: pnpm/action-setup@v4
+        with:
+          version: 9
+
+      - uses: actions/setup-node@v4
+        with:
+          node-version: ${{ env.NODE_VERSION }}
+          cache: pnpm
+          cache-dependency-path: |
+            frontend/pnpm-lock.yaml
+            mobile/pnpm-lock.yaml
+
+      - uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: ${{ env.RUBY_VERSION }}
+
+      - name: Install fastlane gems
+        working-directory: mobile/ios
+        run: bundle install --jobs 4 --retry 3
+
+      - name: Set versions (tag / CI)
+        shell: bash
+        run: |
+          set -euo pipefail
+          if [[ "${{ github.ref }}" == refs/tags/v* ]]; then
+            V="${GITHUB_REF_NAME#v}"
+          else
+            V="0.0.0-ci.${{ github.run_number }}"
+          fi
+          if [[ "$V" =~ ^[0-9]+\.[0-9]+$ ]]; then
+            V="${V}.0"
+          fi
+          BUILD_NUMBER="${{ github.run_number }}"
+          echo "APP_VERSION=$V" >> "$GITHUB_ENV"
+          echo "BUILD_NUMBER=$BUILD_NUMBER" >> "$GITHUB_ENV"
+          echo "IPA_NAME=MonkeyCode-${V}-ios-release.ipa" >> "$GITHUB_ENV"
+          node -e "const fs=require('fs');const p='mobile/package.json';const j=JSON.parse(fs.readFileSync(p,'utf8'));j.version=process.argv[1];fs.writeFileSync(p,JSON.stringify(j,null,2)+'\n');" "$V"
+          perl -0pi -e "s/MARKETING_VERSION = [^;]+;/MARKETING_VERSION = ${V};/g; s/CURRENT_PROJECT_VERSION = [^;]+;/CURRENT_PROJECT_VERSION = ${BUILD_NUMBER};/g" mobile/ios/App/App.xcodeproj/project.pbxproj
+
+      - name: Install frontend deps
+        working-directory: frontend
+        run: pnpm install --frozen-lockfile
+
+      - name: Install mobile deps
+        working-directory: mobile
+        run: pnpm install --frozen-lockfile
+
+      - name: Build frontend
+        working-directory: frontend
+        run: pnpm run build
+
+      - name: Capacitor sync iOS
+        working-directory: mobile
+        run: pnpm exec cap sync ios
+
+      - name: Install signing assets
+        shell: bash
+        env:
+          IOS_CERTIFICATE_BASE64: ${{ secrets.IOS_CERTIFICATE_BASE64 }}
+          IOS_CERTIFICATE_PASSWORD: ${{ secrets.IOS_CERTIFICATE_PASSWORD }}
+          IOS_PROVISIONING_PROFILE_BASE64: ${{ secrets.IOS_PROVISIONING_PROFILE_BASE64 }}
+        run: |
+          set -euo pipefail
+          : "${IOS_CERTIFICATE_BASE64:?Missing IOS_CERTIFICATE_BASE64}"
+          : "${IOS_CERTIFICATE_PASSWORD:?Missing IOS_CERTIFICATE_PASSWORD}"
+          : "${IOS_PROVISIONING_PROFILE_BASE64:?Missing IOS_PROVISIONING_PROFILE_BASE64}"
+          CERT_PATH="$RUNNER_TEMP/build_certificate.p12"
+          PROFILE_PATH="$RUNNER_TEMP/build_profile.mobileprovision"
+          KEYCHAIN_PATH="$RUNNER_TEMP/app-signing.keychain-db"
+          KEYCHAIN_PASSWORD="$(openssl rand -base64 24)"
+          echo "$IOS_CERTIFICATE_BASE64" | base64 -D > "$CERT_PATH"
+          echo "$IOS_PROVISIONING_PROFILE_BASE64" | base64 -D > "$PROFILE_PATH"
+          security create-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
+          security set-keychain-settings -lut 21600 "$KEYCHAIN_PATH"
+          security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
+          security import "$CERT_PATH" -P "$IOS_CERTIFICATE_PASSWORD" -A -t cert -f pkcs12 -k "$KEYCHAIN_PATH"
+          security list-keychains -d user -s "$KEYCHAIN_PATH"
+          security default-keychain -s "$KEYCHAIN_PATH"
+          security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
+          mkdir -p "$HOME/Library/MobileDevice/Provisioning Profiles"
+          security cms -D -i "$PROFILE_PATH" > "$RUNNER_TEMP/profile.plist"
+          PROFILE_UUID=$(/usr/libexec/PlistBuddy -c "Print UUID" "$RUNNER_TEMP/profile.plist")
+          PROFILE_NAME=$(/usr/libexec/PlistBuddy -c "Print Name" "$RUNNER_TEMP/profile.plist")
+          cp "$PROFILE_PATH" "$HOME/Library/MobileDevice/Provisioning Profiles/$PROFILE_UUID.mobileprovision"
+          echo "IOS_KEYCHAIN_PATH=$KEYCHAIN_PATH" >> "$GITHUB_ENV"
+          echo "IOS_PROFILE_NAME=$PROFILE_NAME" >> "$GITHUB_ENV"
+
+      - name: Build iOS IPA
+        working-directory: mobile/ios
+        env:
+          IOS_TEAM_ID: ${{ secrets.IOS_TEAM_ID }}
+          IOS_BUNDLE_ID: ${{ env.IOS_BUNDLE_ID }}
+          IOS_PROFILE_NAME: ${{ env.IOS_PROFILE_NAME }}
+          IOS_OUTPUT_NAME: ${{ env.IPA_NAME }}
+        run: bundle exec fastlane ios build_release
+
+      - name: Stage IPA for artifact / release
+        shell: bash
+        run: |
+          test -f "mobile/ios/App/output/${IPA_NAME}"
+          mkdir -p mobile/release-ios
+          cp "mobile/ios/App/output/${IPA_NAME}" "mobile/release-ios/${IPA_NAME}"
+
+      - uses: actions/upload-artifact@v4
+        with:
+          name: capacitor-ios-ipa
+          path: mobile/release-ios/*.ipa
+          if-no-files-found: error
+
+      - name: Cleanup signing keychain
+        if: always() && env.IOS_KEYCHAIN_PATH != ''
+        shell: bash
+        run: |
+          security delete-keychain "$IOS_KEYCHAIN_PATH" || true
+
   publish-release:
-    needs: [electron-windows, electron-macos, capacitor-android]
+    needs: [electron-windows, electron-macos, capacitor-android, capacitor-ios]
     if: startsWith(github.ref, 'refs/tags/v')
     runs-on: ubuntu-latest
     steps:
@@ -268,6 +390,11 @@ jobs:
           name: capacitor-android-apk
           path: release-assets/android
 
+      - uses: actions/download-artifact@v4
+        with:
+          name: capacitor-ios-ipa
+          path: release-assets/ios
+
       - name: List release files
         run: find release-assets -type f -exec ls -lh {} \;
 
@@ -281,5 +408,52 @@ jobs:
             release-assets/windows/*
             release-assets/macos/*
             release-assets/android/*
+            release-assets/ios/*
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+  ios-distribute:
+    needs: [capacitor-ios, publish-release]
+    if: startsWith(github.ref, 'refs/tags/v')
+    runs-on: macos-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: ${{ env.RUBY_VERSION }}
+
+      - name: Install fastlane gems
+        working-directory: mobile/ios
+        run: bundle install --jobs 4 --retry 3
+
+      - uses: actions/download-artifact@v4
+        with:
+          name: capacitor-ios-ipa
+          path: mobile/release-ios
+
+      - name: Resolve IPA path
+        shell: bash
+        run: |
+          set -euo pipefail
+          IPA_PATH="$(find mobile/release-ios -name '*.ipa' | head -1)"
+          test -n "$IPA_PATH"
+          echo "IOS_IPA_PATH=$IPA_PATH" >> "$GITHUB_ENV"
+
+      - name: Upload to TestFlight
+        working-directory: mobile/ios
+        env:
+          IOS_IPA_PATH: ${{ env.IOS_IPA_PATH }}
+          APP_STORE_CONNECT_KEY_ID: ${{ secrets.APP_STORE_CONNECT_KEY_ID }}
+          APP_STORE_CONNECT_ISSUER_ID: ${{ secrets.APP_STORE_CONNECT_ISSUER_ID }}
+          APP_STORE_CONNECT_PRIVATE_KEY_BASE64: ${{ secrets.APP_STORE_CONNECT_PRIVATE_KEY_BASE64 }}
+        run: bundle exec fastlane ios upload_testflight ipa:"$IOS_IPA_PATH"
+
+      - name: Submit to App Store
+        working-directory: mobile/ios
+        env:
+          IOS_IPA_PATH: ${{ env.IOS_IPA_PATH }}
+          APP_STORE_CONNECT_KEY_ID: ${{ secrets.APP_STORE_CONNECT_KEY_ID }}
+          APP_STORE_CONNECT_ISSUER_ID: ${{ secrets.APP_STORE_CONNECT_ISSUER_ID }}
+          APP_STORE_CONNECT_PRIVATE_KEY_BASE64: ${{ secrets.APP_STORE_CONNECT_PRIVATE_KEY_BASE64 }}
+        run: bundle exec fastlane ios submit_app_store ipa:"$IOS_IPA_PATH"