parallel-code/.github/workflows/release.yml at main · johannesjo/parallel-code · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
name: Release

on:
  push:
    tags:
      - 'v*'

permissions:
  contents: write

jobs:
  create-release:
    runs-on: ubuntu-latest
    outputs:
      release_id: ${{ steps.create.outputs.id }}
    steps:
      - uses: actions/checkout@v4

      - name: Create draft release
        id: create
        uses: softprops/action-gh-release@v2
        with:
          draft: true
          generate_release_notes: true

  build-linux:
    needs: create-release
    runs-on: ubuntu-22.04
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-node@v4
        with:
          node-version: 'lts/*'
          cache: npm

      - run: npm ci
      - run: npm run build -- --publish never

      - name: Upload artifacts
        uses: softprops/action-gh-release@v2
        with:
          tag_name: ${{ github.ref_name }}
          files: |
            release/*.AppImage
            release/*.deb
          draft: true

  build-macos:
    needs: create-release
    runs-on: macos-latest
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-node@v4
        with:
          node-version: 'lts/*'
          cache: npm

      - name: Import code signing certificate
        env:
          DMG_CERT: ${{ secrets.DMG_CERT }}
          DMG_CERT_PWD: ${{ secrets.DMG_CERT_PWD }}
        run: |
          CERTIFICATE_PATH="$RUNNER_TEMP/build_certificate.p12"
          KEYCHAIN_PATH="$RUNNER_TEMP/app-signing.keychain-db"
          KEYCHAIN_PWD=$(openssl rand -base64 32)

          echo -n "$DMG_CERT" | base64 --decode -o "$CERTIFICATE_PATH"

          security create-keychain -p "$KEYCHAIN_PWD" "$KEYCHAIN_PATH"
          security set-keychain-settings -lut 3600 "$KEYCHAIN_PATH"
          security unlock-keychain -p "$KEYCHAIN_PWD" "$KEYCHAIN_PATH"

          security import "$CERTIFICATE_PATH" -P "$DMG_CERT_PWD" \
            -A -t cert -f pkcs12 -k "$KEYCHAIN_PATH"

          security set-key-partition-list -S apple-tool:,apple:,codesign: \
            -s -k "$KEYCHAIN_PWD" "$KEYCHAIN_PATH"

          security list-keychains -d user -s "$KEYCHAIN_PATH"

      - name: Prepare API key for notarization
        env:
          APPLE_API_KEY_B64: ${{ secrets.APPLE_API_KEY }}
        run: |
          mkdir -p "$RUNNER_TEMP/private_keys"
          echo -n "$APPLE_API_KEY_B64" | base64 --decode > "$RUNNER_TEMP/private_keys/AuthKey.p8"

      - run: npm ci

      - name: Build and sign
        env:
          NODE_OPTIONS: '--max-old-space-size=4096'
          APPLE_API_KEY: ${{ runner.temp }}/private_keys/AuthKey.p8
          APPLE_API_KEY_ID: ${{ secrets.APPLE_API_KEY_ID }}
          APPLE_API_ISSUER: ${{ secrets.APPLE_API_ISSUER }}
        run: npm run build -- --universal --publish never

      - name: Upload artifacts
        uses: softprops/action-gh-release@v2
        with:
          tag_name: ${{ github.ref_name }}
          files: release/*.dmg
          draft: true

      - name: Cleanup signing artifacts
        if: always()
        run: |
          security delete-keychain "$RUNNER_TEMP/app-signing.keychain-db" 2>/dev/null || true
          rm -f "$RUNNER_TEMP/private_keys/AuthKey.p8" 2>/dev/null || true
          rm -f "$RUNNER_TEMP/build_certificate.p12" 2>/dev/null || true