-
Notifications
You must be signed in to change notification settings - Fork 0
372 lines (322 loc) · 14.6 KB
/
Copy pathbuild.yml
File metadata and controls
372 lines (322 loc) · 14.6 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
name: Build & Release
on:
push:
branches: [main]
tags:
- 'v*'
workflow_dispatch:
jobs:
# The nightly release is a rolling "latest main" build, but uploads only
# ever ADDED assets — versioned filenames never collided across pushes,
# so artifacts from every old version accumulated forever (and a second
# push on the same version failed with already_exists). Wipe the release
# and its tag before building so tauri-action recreates both fresh at
# the current commit. Runs as a no-op gate on tag pushes so `needs:`
# stays simple.
reset-nightly:
runs-on: ubuntu-latest
permissions:
contents: write
steps:
- name: Delete previous nightly release and tag
if: github.ref_type != 'tag'
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
gh release delete nightly --repo "${{ github.repository }}" --cleanup-tag --yes || echo "no nightly release to delete"
# Fast fail gate: runs the Rust + JS test/lint suites on a cheap Linux
# runner in parallel with the reset-nightly gate, and the build matrix
# waits on it so a formatting slip, clippy warning, or failing test
# blocks the release artifacts rather than being discovered mid-build.
lint:
needs: reset-nightly
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v5
# Tauri's Linux backend (tao/wry -> gtk/webkit2gtk/gobject) needs
# system headers + pkg-config files to compile even for clippy/test.
# The Windows/macOS build jobs use native backends and don't need
# these; the ubuntu lint job does. This is Tauri's documented set.
- name: Install Tauri Linux system dependencies
run: |
sudo apt-get update
sudo apt-get install -y libwebkit2gtk-4.1-dev libgtk-3-dev libayatana-appindicator3-dev librsvg2-dev libglib2.0-dev libssl-dev
- name: Install Rust stable (with fmt + clippy)
uses: dtolnay/rust-toolchain@stable
with:
components: rustfmt, clippy
- name: Rust cache
uses: swatinem/rust-cache@v2
with:
workspaces: src-tauri -> target
- name: cargo fmt --check
working-directory: src-tauri
run: cargo fmt --check
- name: cargo clippy (-D warnings)
working-directory: src-tauri
run: cargo clippy --all-targets -- -D warnings
- name: cargo test
working-directory: src-tauri
run: cargo test
- name: Install Node.js
uses: actions/setup-node@v5
with:
node-version: 22
- name: node --test (JS url helpers)
run: node --test "js/**/*.test.mjs"
build:
needs: [reset-nightly, lint]
permissions:
contents: write
strategy:
fail-fast: false
matrix:
include:
- platform: windows-latest
args: ''
- platform: macos-latest
args: '--target universal-apple-darwin'
runs-on: ${{ matrix.platform }}
steps:
- name: Checkout
uses: actions/checkout@v5
- name: Install Rust stable
uses: dtolnay/rust-toolchain@stable
- name: Install macOS Rust targets
if: matrix.platform == 'macos-latest'
run: rustup target add aarch64-apple-darwin x86_64-apple-darwin
- name: Rust cache
uses: swatinem/rust-cache@v2
with:
workspaces: src-tauri -> target
- name: Install Node.js
uses: actions/setup-node@v5
with:
node-version: 22
- name: Install npm dependencies
run: npm ci
- name: Import Apple certificate
if: matrix.platform == 'macos-latest'
env:
APPLE_CERTIFICATE: ${{ secrets.APPLE_CERTIFICATE }}
APPLE_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
run: |
CERTIFICATE_PATH=$RUNNER_TEMP/certificate.p12
KEYCHAIN_PATH=$RUNNER_TEMP/app-signing.keychain-db
KEYCHAIN_PASSWORD=$(openssl rand -base64 32)
# Decode certificate
echo "$APPLE_CERTIFICATE" | base64 --decode > "$CERTIFICATE_PATH"
# Create temporary keychain
security create-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
security set-keychain-settings -lut 21600 "$KEYCHAIN_PATH"
security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
# Import certificate
security import "$CERTIFICATE_PATH" -P "$APPLE_CERTIFICATE_PASSWORD" \
-A -t cert -f pkcs12 -k "$KEYCHAIN_PATH"
security set-key-partition-list -S apple-tool:,apple: \
-k "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
# Add to search list
security list-keychain -d user -s "$KEYCHAIN_PATH"
- name: Verify network connectivity (macOS notarization needs it)
if: matrix.platform == 'macos-latest'
run: curl -sf --max-time 10 https://appstoreconnect.apple.com > /dev/null
- name: Build Tauri app
id: tauri-build
timeout-minutes: 30
uses: tauri-apps/tauri-action@v0
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
TAURI_SIGNING_PRIVATE_KEY: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY }}
TAURI_SIGNING_PRIVATE_KEY_PASSWORD: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY_PASSWORD }}
APPLE_SIGNING_IDENTITY: ${{ secrets.APPLE_SIGNING_IDENTITY }}
with:
tagName: ${{ github.ref_type == 'tag' && github.ref_name || 'nightly' }}
releaseName: ${{ github.ref_type == 'tag' && format('FloatView {0}', github.ref_name) || 'FloatView Nightly' }}
releaseBody: |
${{ github.ref_type == 'tag' && 'Download the installer for your platform below.' || 'Rolling nightly build from the latest commit on main. This pre-release is overwritten on every push.' }}
**Windows:** `.msi` installer or portable `.exe`. Requires Windows 10 or 11. WebView2 Runtime is installed automatically if missing.
**macOS:** `.dmg` universal binary (Apple Silicon + Intel).
releaseDraft: false
prerelease: ${{ github.ref_type != 'tag' }}
includeUpdaterJson: true
args: ${{ matrix.args }}
- name: Notarize macOS app
if: matrix.platform == 'macos-latest'
timeout-minutes: 360
env:
APPLE_ID: ${{ secrets.APPLE_ID }}
APPLE_PASSWORD: ${{ secrets.APPLE_PASSWORD }}
APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
TAURI_SIGNING_PRIVATE_KEY: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY }}
TAURI_SIGNING_PRIVATE_KEY_PASSWORD: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY_PASSWORD }}
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
set -euo pipefail
TAG="${{ github.ref_type == 'tag' && github.ref_name || 'nightly' }}"
BUNDLE="src-tauri/target/universal-apple-darwin/release/bundle"
APP="$BUNDLE/macos/FloatView.app"
# Submit for notarization, poll for status, fetch log on failure
notarize() {
local FILE="$1" LABEL="$2"
echo "Submitting $LABEL for notarization..."
local SUB_ID
SUB_ID=$(xcrun notarytool submit "$FILE" \
--apple-id "$APPLE_ID" --password "$APPLE_PASSWORD" --team-id "$APPLE_TEAM_ID" \
--output-format json | jq -r '.id')
echo "$LABEL submission ID: $SUB_ID"
local STATUS="In Progress"
for i in $(seq 1 360); do
sleep 30
STATUS=$(xcrun notarytool info "$SUB_ID" \
--apple-id "$APPLE_ID" --password "$APPLE_PASSWORD" --team-id "$APPLE_TEAM_ID" \
--output-format json 2>/dev/null | jq -r '.status' 2>/dev/null) || STATUS="polling-error"
echo " [$LABEL] Poll $i/360 ($((i / 2))m$((i % 2 * 30))s): $STATUS"
case "$STATUS" in
Accepted) echo "$LABEL notarized successfully!"; return 0 ;;
Invalid)
echo "::error::$LABEL notarization rejected by Apple"
echo "--- Notarization Log ---"
xcrun notarytool log "$SUB_ID" \
--apple-id "$APPLE_ID" --password "$APPLE_PASSWORD" --team-id "$APPLE_TEAM_ID" 2>&1 || true
return 1 ;;
*) ;; # In Progress, polling-error, or anything else: keep waiting
esac
done
echo "::error::$LABEL notarization timed out after 3 hours (last status: $STATUS)"
echo "Submission ID: $SUB_ID"
echo "--- Notarization Log ---"
xcrun notarytool log "$SUB_ID" \
--apple-id "$APPLE_ID" --password "$APPLE_PASSWORD" --team-id "$APPLE_TEAM_ID" 2>&1 || true
return 1
}
echo "::group::Notarize .app"
ditto -c -k --keepParent "$APP" /tmp/FloatView.zip
notarize /tmp/FloatView.zip ".app"
echo "::endgroup::"
echo "::group::Staple .app"
xcrun stapler staple "$APP"
echo "::endgroup::"
echo "::group::Re-package .app.tar.gz"
tar czf "$BUNDLE/macos/FloatView.app.tar.gz" -C "$BUNDLE/macos" FloatView.app
echo "::endgroup::"
echo "::group::Re-sign for updater"
npx tauri signer sign "$BUNDLE/macos/FloatView.app.tar.gz"
echo "::endgroup::"
echo "::group::Notarize .dmg"
DMG=$(ls "$BUNDLE/dmg/"*.dmg)
notarize "$DMG" ".dmg"
xcrun stapler staple "$DMG"
echo "::endgroup::"
echo "::group::Upload notarized artifacts"
gh release upload "$TAG" \
"$BUNDLE/macos/FloatView.app.tar.gz" \
"$BUNDLE/macos/FloatView.app.tar.gz.sig" \
"$DMG" \
--clobber
echo "::endgroup::"
- name: Rename Windows portable exe
if: matrix.platform == 'windows-latest'
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
TAG="${{ github.ref_type == 'tag' && github.ref_name || 'nightly' }}"
OLD_NAME=$(gh release view "$TAG" --json assets --jq '.assets[].name' | grep 'x64-setup\.exe$' || true)
if [ -n "$OLD_NAME" ]; then
NEW_NAME="${OLD_NAME/x64-setup/x64-portable}"
# Rename the exe
gh release download "$TAG" --pattern "$OLD_NAME" --dir /tmp
mv "/tmp/$OLD_NAME" "/tmp/$NEW_NAME"
gh release delete-asset "$TAG" "$OLD_NAME" --yes
gh release upload "$TAG" "/tmp/$NEW_NAME" --clobber
# Rename the .sig file if it exists
OLD_SIG="${OLD_NAME}.sig"
NEW_SIG="${NEW_NAME}.sig"
if gh release download "$TAG" --pattern "$OLD_SIG" --dir /tmp 2>/dev/null; then
mv "/tmp/$OLD_SIG" "/tmp/$NEW_SIG"
gh release delete-asset "$TAG" "$OLD_SIG" --yes
gh release upload "$TAG" "/tmp/$NEW_SIG" --clobber
fi
# Update latest.json URLs to use the new filename
if gh release download "$TAG" --pattern "latest.json" --dir /tmp 2>/dev/null; then
sed -i "s/x64-setup\.exe/x64-portable.exe/g" /tmp/latest.json
gh release delete-asset "$TAG" "latest.json" --yes
gh release upload "$TAG" "/tmp/latest.json" --clobber
fi
fi
shell: bash
- name: Clean up Apple certificate
if: matrix.platform == 'macos-latest' && always()
run: |
security delete-keychain $RUNNER_TEMP/app-signing.keychain-db 2>/dev/null || true
rm -f $RUNNER_TEMP/certificate.p12
updater:
needs: build
runs-on: ubuntu-latest
if: github.ref_type == 'tag'
permissions:
contents: write
steps:
- name: Generate updater JSON if missing
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
TAG="${{ github.ref_name }}"
VERSION="${TAG#v}"
REPO="${{ github.repository }}"
# Check if latest.json already exists
if gh release download "$TAG" --pattern "latest.json" --dir /tmp --repo "$REPO" 2>/dev/null; then
echo "latest.json already exists, skipping generation"
exit 0
fi
echo "latest.json not found, generating manually..."
# Download signature files from release
mkdir -p /tmp/sigs
gh release download "$TAG" --pattern "*.sig" --dir /tmp/sigs --repo "$REPO" 2>/dev/null || true
ls -la /tmp/sigs/
# Read Windows exe signature
WIN_SIG=""
WIN_SIG_FILE=$(ls /tmp/sigs/*portable.exe.sig /tmp/sigs/*setup.exe.sig 2>/dev/null | head -1)
if [ -n "$WIN_SIG_FILE" ]; then
WIN_SIG=$(cat "$WIN_SIG_FILE")
fi
# Read macOS signature
MAC_SIG=""
MAC_SIG_FILE=$(ls /tmp/sigs/*.app.tar.gz.sig 2>/dev/null | head -1)
if [ -n "$MAC_SIG_FILE" ]; then
MAC_SIG=$(cat "$MAC_SIG_FILE")
fi
# Windows: find the exe (portable or setup)
WIN_EXE=$(gh release view "$TAG" --repo "$REPO" --json assets --jq '.assets[].name' | grep 'x64-portable\.exe$' || true)
if [ -z "$WIN_EXE" ]; then
WIN_EXE=$(gh release view "$TAG" --repo "$REPO" --json assets --jq '.assets[].name' | grep 'x64-setup\.exe$' || true)
fi
WIN_URL="https://github.com/${REPO}/releases/download/${TAG}/${WIN_EXE}"
# macOS: find the .app.tar.gz
MAC_TAR=$(gh release view "$TAG" --repo "$REPO" --json assets --jq '.assets[].name' | grep '\.app\.tar\.gz$' || true)
MAC_URL="https://github.com/${REPO}/releases/download/${TAG}/${MAC_TAR}"
PUB_DATE=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
# Build latest.json using jq for proper JSON encoding
jq -n \
--arg version "$VERSION" \
--arg notes "FloatView ${TAG}" \
--arg pub_date "$PUB_DATE" \
--arg win_sig "$WIN_SIG" \
--arg win_url "$WIN_URL" \
--arg mac_sig "$MAC_SIG" \
--arg mac_url "$MAC_URL" \
'{
version: $version,
notes: $notes,
pub_date: $pub_date,
platforms: {
"windows-x86_64": { signature: $win_sig, url: $win_url },
"darwin-universal": { signature: $mac_sig, url: $mac_url },
"darwin-x86_64": { signature: $mac_sig, url: $mac_url },
"darwin-aarch64": { signature: $mac_sig, url: $mac_url }
}
}' > /tmp/latest.json
echo "Generated latest.json:"
cat /tmp/latest.json
gh release upload "$TAG" /tmp/latest.json --repo "$REPO" --clobber
echo "Uploaded latest.json to release ${TAG}"