release.yml
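# Release workflow: builds and signs the macOS (aarch64) Tauri bundle, then
# publishes the bundle, its updater signature and latest.json to a GitHub
# release. Runs on pushes of "v*" tags and on manual dispatch.
name: Release

on:
  push:
    tags:
      - "v*"
  workflow_dispatch:

# contents: write is what lets the gh CLI create the release and upload assets.
permissions:
  contents: write

# One release run per ref at a time; a run in progress is never cancelled.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: false

jobs:
  release:
    runs-on: macos-latest
    steps:
      # NOTE(review): every `uses:` below references a mutable tag or branch.
      # This job holds signing secrets and a contents: write token, so consider
      # pinning each action to a full commit SHA the maintainers have reviewed.
      - uses: actions/checkout@v4
        with:
          # The job talks to GitHub only through `gh` with GH_TOKEN, so the
          # token does not need to stay in .git/config while dependency and
          # build scripts run.
          persist-credentials: false

      - name: Resolve release version
        id: release_meta
        run: |
          version="$(node -e "console.log(JSON.parse(require('fs').readFileSync('package.json', 'utf8')).version)")"
          echo "version=$version" >> "$GITHUB_OUTPUT"
          # Tag pushes release under the pushed tag; manual runs derive it
          # from the package.json version.
          if [ "${GITHUB_REF_TYPE}" = "tag" ]; then
            echo "tag=${GITHUB_REF_NAME}" >> "$GITHUB_OUTPUT"
          else
            echo "tag=v$version" >> "$GITHUB_OUTPUT"
          fi

      - name: Setup Bun
        uses: oven-sh/setup-bun@v2
        with:
          bun-version: "1.3.9"

      - name: Setup Rust
        uses: dtolnay/rust-toolchain@stable
        with:
          targets: aarch64-apple-darwin

      - name: Rust cache
        uses: swatinem/rust-cache@v2
        with:
          workspaces: src-tauri -> target

      - name: Install dependencies
        # --frozen-lockfile fails the install instead of updating the lockfile.
        run: bun install --frozen-lockfile

      - name: Import Apple certificate
        env:
          APPLE_CERTIFICATE: ${{ secrets.APPLE_CERTIFICATE }}
          APPLE_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
          KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }}
        run: |
          # Decode the certificate outside the checkout (so it cannot be
          # picked up by the bundle or an upload glob) and create it 0600.
          python3 - <<'PY'
          import base64
          import os

          certificate = os.environ["APPLE_CERTIFICATE"]
          target = os.path.join(os.environ["RUNNER_TEMP"], "certificate.p12")
          fd = os.open(target, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
          with os.fdopen(fd, "wb") as handle:
              handle.write(base64.b64decode(certificate))
          PY
          security create-keychain -p "$KEYCHAIN_PASSWORD" build.keychain
          security default-keychain -s build.keychain
          security unlock-keychain -p "$KEYCHAIN_PASSWORD" build.keychain
          # Auto-lock the keychain after 3600 seconds.
          security set-keychain-settings -t 3600 -u build.keychain
          security import "$RUNNER_TEMP/certificate.p12" -k build.keychain -P "$APPLE_CERTIFICATE_PASSWORD" -T /usr/bin/codesign
          # The key now lives in the keychain; the decoded file is not needed.
          rm -f "$RUNNER_TEMP/certificate.p12"
          # Let codesign use the imported key without an interactive prompt.
          security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$KEYCHAIN_PASSWORD" build.keychain
          security find-identity -v -p codesigning build.keychain

      - name: Resolve signing identity
        id: signing_identity
        run: |
          # Prefer a "Developer ID Application" identity and fall back to
          # "Apple Development"; fail the job when neither is present.
          cert_info="$(
            security find-identity -v -p codesigning build.keychain | grep "Developer ID Application" | head -n 1
          )"
          if [ -z "$cert_info" ]; then
            cert_info="$(
              security find-identity -v -p codesigning build.keychain | grep "Apple Development" | head -n 1
            )"
          fi
          if [ -z "$cert_info" ]; then
            echo "No signing identity found in build.keychain" >&2
            exit 1
          fi
          # The identity name is the double-quoted field of the matched line.
          cert_id="$(echo "$cert_info" | awk -F'"' '{print $2}')"
          echo "identity=$cert_id" >> "$GITHUB_OUTPUT"

      - name: Reset SwiftPM artifacts
        run: |
          rm -rf "$HOME/Library/Caches/org.swift.swiftpm/artifacts"
          rm -rf src-tauri/swift-permissions/.build

      - name: Build signed release bundles
        env:
          APPLE_ID: ${{ secrets.APPLE_ID }}
          APPLE_PASSWORD: ${{ secrets.APPLE_PASSWORD || secrets.APPLE_ID_PASSWORD }}
          APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
          # NOTE(review): the certificate, its password and the keychain
          # password are exported to the build even though the identity was
          # already imported into build.keychain; confirm the build needs
          # them, and drop them if not, so fewer secrets reach build scripts.
          APPLE_CERTIFICATE: ${{ secrets.APPLE_CERTIFICATE }}
          APPLE_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
          APPLE_SIGNING_IDENTITY: ${{ steps.signing_identity.outputs.identity }}
          KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }}
          TAURI_SIGNING_PRIVATE_KEY_SECRET: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY }}
          TAURI_SIGNING_PRIVATE_KEY_PASSWORD_SECRET: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY_PASSWORD }}
        run: |
          # Write the updater key outside the checkout with owner-only
          # permissions. The umask is confined to a subshell so the build
          # output keeps its normal file modes.
          (umask 077; printf '%s' "$TAURI_SIGNING_PRIVATE_KEY_SECRET" > "$RUNNER_TEMP/updater.key")
          export TAURI_SIGNING_PRIVATE_KEY="$RUNNER_TEMP/updater.key"
          export TAURI_SIGNING_PRIVATE_KEY_PASSWORD="$TAURI_SIGNING_PRIVATE_KEY_PASSWORD_SECRET"
          bun run tauri build --target aarch64-apple-darwin

      - name: Ensure GitHub release exists
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          # Step outputs reach the script as environment variables instead of
          # being expanded into the script text, so a tag or version string
          # containing shell syntax is treated as data, not as commands.
          RELEASE_TAG: ${{ steps.release_meta.outputs.tag }}
          RELEASE_VERSION: ${{ steps.release_meta.outputs.version }}
        run: |
          gh release view "$RELEASE_TAG" >/dev/null 2>&1 || \
            gh release create "$RELEASE_TAG" \
              --title "unsigned Char v$RELEASE_VERSION" \
              --notes-file release-notes.md

      - name: Generate updater manifest
        env:
          GITHUB_REPOSITORY: ${{ github.repository }}
          RELEASE_VERSION: ${{ steps.release_meta.outputs.version }}
        run: node scripts/build-updater-manifest.mjs "$RELEASE_VERSION"

      - name: Upload updater assets and manifest
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          RELEASE_TAG: ${{ steps.release_meta.outputs.tag }}
        run: |
          dmg="$(find src-tauri/target/aarch64-apple-darwin/release/bundle/dmg -maxdepth 1 -name '*.dmg' | head -n 1)"
          archive="$(find src-tauri/target/aarch64-apple-darwin/release/bundle/macos -maxdepth 1 -name '*.app.tar.gz' | head -n 1)"
          # Stop with a clear message rather than a cp error on an empty path.
          if [ -z "$dmg" ] || [ -z "$archive" ]; then
            echo "Expected .dmg and .app.tar.gz bundles were not produced" >&2
            exit 1
          fi
          signature="${archive}.sig"
          # Never publish an updater archive without its signature.
          if [ ! -f "$signature" ]; then
            echo "Updater signature not found: $signature" >&2
            exit 1
          fi
          cp "$dmg" unsigned-char-aarch64.dmg
          cp "$archive" unsigned-char-aarch64.app.tar.gz
          cp "$signature" unsigned-char-aarch64.app.tar.gz.sig
          gh release upload "$RELEASE_TAG" \
            unsigned-char-aarch64.dmg \
            unsigned-char-aarch64.app.tar.gz \
            unsigned-char-aarch64.app.tar.gz.sig \
            latest.json \
            --clobber

      - name: Remove signing material
        # Runs even when an earlier step failed, so key files and the build
        # keychain are not left behind on the runner.
        if: always()
        run: |
          rm -f "$RUNNER_TEMP/certificate.p12" "$RUNNER_TEMP/updater.key"
          security delete-keychain build.keychain || true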