-
Notifications
You must be signed in to change notification settings - Fork 0
578 lines (512 loc) · 26.3 KB
/
Copy pathrelease.yml
File metadata and controls
578 lines (512 loc) · 26.3 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
name: Release
on:
push:
tags:
- 'v[0-9]*'
permissions:
contents: write
jobs:
release:
name: Build & Release
runs-on: macos-26
steps:
- name: Checkout
uses: actions/checkout@v6
with:
# Persist this token for the later `git push` of the version bump +
# appcast.xml back to main. When `main` is protected by a branch
# ruleset, the default GITHUB_TOKEN (github-actions[bot]) cannot push
# to it, so set a RELEASE_PAT secret — a fine-grained PAT owned by a
# repo admin with Contents: write — and the push bypasses as that
# admin. Falls back to GITHUB_TOKEN when no PAT is set (e.g. an
# unprotected fork), so nothing breaks without it.
token: ${{ secrets.RELEASE_PAT || secrets.GITHUB_TOKEN }}
fetch-depth: 0
- name: Set version from tag
run: |
VERSION="${GITHUB_REF_NAME#v}"
IFS='.' read -r _MAJOR _MINOR _PATCH <<< "$VERSION"
BUILD=$(( _MAJOR * 1000 + _MINOR * 100 + _PATCH ))
echo "VERSION=${VERSION}" >> $GITHUB_ENV
echo "BUILD=${BUILD}" >> $GITHUB_ENV
echo "TAG=${GITHUB_REF_NAME}" >> $GITHUB_ENV
- name: Select Xcode
run: |
if [ -d /Applications/Xcode.app ]; then
sudo xcode-select -s /Applications/Xcode.app
else
XCODE_PATH=$(ls -d /Applications/Xcode*.app 2>/dev/null | sort -V | tail -1)
echo "Using Xcode at: ${XCODE_PATH}"
sudo xcode-select -s "${XCODE_PATH}"
fi
xcodebuild -version
- name: Update version in project
run: |
/usr/libexec/PlistBuddy -c "Set :CFBundleShortVersionString ${{ env.VERSION }}" DoomCoder/Info.plist
/usr/libexec/PlistBuddy -c "Set :CFBundleVersion ${{ env.BUILD }}" DoomCoder/Info.plist
sed -i '' "s/MARKETING_VERSION = [^;]*/MARKETING_VERSION = ${{ env.VERSION }}/g" DoomCoder.xcodeproj/project.pbxproj
sed -i '' "s/CURRENT_PROJECT_VERSION = [^;]*/CURRENT_PROJECT_VERSION = ${{ env.BUILD }}/g" DoomCoder.xcodeproj/project.pbxproj
sed -i '' "s/MARKETING_VERSION = [^;]*/MARKETING_VERSION = ${{ env.VERSION }}/g" DoomCoderCompanion/DoomCoderCompanion.xcodeproj/project.pbxproj
sed -i '' "s/MARKETING_VERSION: \"[^\"]*\"/MARKETING_VERSION: \"${{ env.VERSION }}\"/" DoomCoderCompanion/project.yml
- name: Import Developer ID certificate
env:
APPLE_CERTIFICATE: ${{ secrets.APPLE_CERTIFICATE }}
APPLE_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }}
run: |
echo "${APPLE_CERTIFICATE}" | base64 --decode > certificate.p12
security create-keychain -p "${KEYCHAIN_PASSWORD}" build.keychain
security default-keychain -s build.keychain
security unlock-keychain -p "${KEYCHAIN_PASSWORD}" build.keychain
security set-keychain-settings -t 7200 -u build.keychain
# Import cert — allow codesign, xcodebuild, and security to use it
security import certificate.p12 \
-k build.keychain \
-P "${APPLE_CERTIFICATE_PASSWORD}" \
-T /usr/bin/codesign \
-T /usr/bin/xcodebuild \
-T /usr/bin/security
# Allow all Apple tools to use the key without prompts
security set-key-partition-list \
-S apple-tool:,apple:,codesign: \
-s -k "${KEYCHAIN_PASSWORD}" build.keychain
# Add build.keychain to the search list (default-keychain ≠ search list)
security list-keychains -d user -s \
build.keychain \
~/Library/Keychains/login.keychain-db
security find-identity -v -p codesigning build.keychain
- name: Install Mac Developer ID provisioning profile
env:
MAC_PROFILE: ${{ secrets.MAC_PROVISIONING_PROFILE }}
run: |
if [ -z "${MAC_PROFILE:-}" ]; then
echo "::error::MAC_PROVISIONING_PROFILE secret is empty"
exit 1
fi
mkdir -p ~/Library/MobileDevice/Provisioning\ Profiles
PROFILE_PATH="$HOME/Library/MobileDevice/Provisioning Profiles/DoomCoder_Mac_DevID.provisionprofile"
printf '%s' "$MAC_PROFILE" | base64 -D > "$PROFILE_PATH"
# Save the path so later steps can embed it
echo "MAC_PROFILE_PATH=$PROFILE_PATH" >> "$GITHUB_ENV"
# Validate it parses + show its name
echo "Installed profile:"
security cms -D -i "$PROFILE_PATH" | plutil -extract Name xml1 -o - - | grep '<string>'
echo "Profile platform:"
security cms -D -i "$PROFILE_PATH" | plutil -extract Platform xml1 -o - - | grep '<string>'
- name: Resolve Swift Packages
run: |
xcodebuild -resolvePackageDependencies \
-project DoomCoder.xcodeproj \
-scheme DoomCoder
- name: Write App Store Connect API key
id: write-asc-key
env:
API_KEY: ${{ secrets.APP_STORE_CONNECT_PRIVATE_KEY }}
API_KEY_ID_RAW: ${{ secrets.APP_STORE_CONNECT_KEY_ID }}
API_ISSUER_RAW: ${{ secrets.APP_STORE_CONNECT_ISSUER_ID }}
run: |
set -euo pipefail
API_KEY_ID=$(printf '%s' "$API_KEY_ID_RAW" | tr -d '[:space:]')
API_ISSUER=$(printf '%s' "$API_ISSUER_RAW" | tr -d '[:space:]')
mkdir -p "$HOME/.appstoreconnect/private_keys"
RAW_FILE="$RUNNER_TEMP/api_key_raw.p8"
KEY_FILE="$HOME/.appstoreconnect/private_keys/AuthKey_${API_KEY_ID}.p8"
if printf '%s' "$API_KEY" | head -c 20 | grep -q "^-----BEGIN"; then
printf '%s' "$API_KEY" | tr -d '\r' > "$RAW_FILE"
else
printf '%s' "$API_KEY" | tr -d '\r ' | base64 -D > "$RAW_FILE"
fi
RAW_CONTENT=$(cat "$RAW_FILE" | tr -d '\r')
KEY_TYPE=$(printf '%s' "$RAW_CONTENT" | grep -o -- "-----BEGIN [^-]*-----" | head -1 | sed 's/-----BEGIN //;s/-----//')
B64=$(printf '%s' "$RAW_CONTENT" | grep -v "^-----" | tr -d '\n\r ')
{ printf -- "-----BEGIN %s-----\n" "$KEY_TYPE"
printf '%s' "$B64" | fold -w 64
printf "\n-----END %s-----\n" "$KEY_TYPE"; } > "$KEY_FILE"
chmod 600 "$KEY_FILE"
rm -f "$RAW_FILE"
echo "key_id=${API_KEY_ID}" >> "$GITHUB_OUTPUT"
echo "issuer_id=${API_ISSUER}" >> "$GITHUB_OUTPUT"
echo "key_path=${KEY_FILE}" >> "$GITHUB_OUTPUT"
echo "ASC API key written ($(wc -l < "$KEY_FILE") lines) for key ID: ${API_KEY_ID}"
- name: Build Release Archive
run: |
# Manual signing with Developer ID identity + our Developer ID
# provisioning profile. Xcode reconciles app entitlements with the
# profile's authorized entitlements at sign time — no re-sign step
# is needed (and re-sign was the root cause of AMFI rejections in
# v2.4.0–v2.4.2: codesign --entitlements embedded a verbatim plist
# whose format/values did not match the embedded profile).
xcodebuild \
-project DoomCoder.xcodeproj \
-scheme DoomCoder \
-configuration Release \
-archivePath build/DoomCoder.xcarchive \
archive \
CODE_SIGN_STYLE=Manual \
CODE_SIGN_IDENTITY="Developer ID Application" \
PROVISIONING_PROFILE_SPECIFIER="DoomCoder Mac DevID" \
DEVELOPMENT_TEAM="${{ secrets.APPLE_TEAM_ID }}" \
MARKETING_VERSION="${{ env.VERSION }}" \
CURRENT_PROJECT_VERSION="${{ env.BUILD }}" \
OTHER_CODE_SIGN_FLAGS="--timestamp --options=runtime"
- name: Extract signed app from archive
run: |
mkdir -p build/export
APP_IN_ARCHIVE="build/DoomCoder.xcarchive/Products/Applications/DoomCoder.app"
if [ ! -d "$APP_IN_ARCHIVE" ]; then
echo "::error::App not found in archive at $APP_IN_ARCHIVE"
ls -laR build/DoomCoder.xcarchive/Products/ || true
exit 1
fi
cp -R "$APP_IN_ARCHIVE" build/export/DoomCoder.app
APP="build/export/DoomCoder.app"
echo "✅ Extracted DoomCoder.app from archive"
echo " Size: $(du -sh "$APP" | cut -f1)"
echo ""
echo "=== Embedded provisioning profile ==="
security cms -D -i "$APP/Contents/embedded.provisionprofile" \
| plutil -extract Name xml1 -o - - | grep '<string>'
echo ""
echo "=== Signing identity ==="
codesign -dv "$APP" 2>&1 | grep -E "Authority|TeamIdentifier|Identifier="
echo ""
echo "=== Bundled entitlements ==="
codesign -d --entitlements - --xml "$APP" 2>/dev/null \
| plutil -convert xml1 -o - -
echo ""
echo "=== Deep verify ==="
codesign --verify --deep --strict --verbose=2 "$APP"
echo "✅ Archive signing verified"
- name: Re-sign Sparkle nested helper binaries
run: |
# Xcode's Manual archive signs the outer .app and Sparkle.framework
# wrapper, but it does NOT deep-sign the helper executables nested
# inside Sparkle (Updater.app, Autoupdate, Downloader.xpc, Installer.xpc).
# Those ship from the SPM artifact pre-signed by Sparkle Project's
# "Developer ID" — which is NOT our Developer ID, so notarization
# rejects them with "not signed with a valid Developer ID certificate".
#
# We re-sign ONLY those inner helpers with OUR Developer ID +
# --timestamp + --options=runtime. We do NOT touch the outer .app,
# its embedded.provisionprofile, or its entitlements — so AMFI's
# strict profile↔entitlement match for the main app is preserved.
APP="build/export/DoomCoder.app"
SPARKLE="$APP/Contents/Frameworks/Sparkle.framework"
IDENTITY="Developer ID Application: Yashwanth Reddy Katipally (A9P2388PHM)"
if [ ! -d "$SPARKLE" ]; then
echo "⚠️ Sparkle.framework not found — skipping"
exit 0
fi
# Inside-out re-sign: deepest first, then wrappers, then the
# framework itself. Use the helper's existing entitlements (Sparkle
# ships its own correct hardened-runtime entitlements per helper).
resign() {
local target="$1"
if [ ! -e "$target" ]; then
echo " skip (missing): $target"
return
fi
# Preserve the helper's existing entitlements rather than embedding
# the main app's entitlements (which would be wrong for a helper).
local ent_file
ent_file=$(mktemp)
if codesign -d --entitlements - --xml "$target" 2>/dev/null \
| plutil -convert xml1 -o "$ent_file" - 2>/dev/null \
&& [ -s "$ent_file" ]; then
codesign --force --sign "$IDENTITY" \
--timestamp --options=runtime \
--entitlements "$ent_file" \
"$target"
else
codesign --force --sign "$IDENTITY" \
--timestamp --options=runtime \
"$target"
fi
rm -f "$ent_file"
echo " ✅ re-signed: ${target#$APP/}"
}
echo "=== Re-signing Sparkle inner helpers ==="
# 1. Deepest Mach-O binaries first
resign "$SPARKLE/Versions/B/XPCServices/Downloader.xpc/Contents/MacOS/Downloader"
resign "$SPARKLE/Versions/B/XPCServices/Installer.xpc/Contents/MacOS/Installer"
resign "$SPARKLE/Versions/B/Updater.app/Contents/MacOS/Updater"
resign "$SPARKLE/Versions/B/Autoupdate"
# 2. XPC service bundles
resign "$SPARKLE/Versions/B/XPCServices/Downloader.xpc"
resign "$SPARKLE/Versions/B/XPCServices/Installer.xpc"
# 3. Updater.app bundle
resign "$SPARKLE/Versions/B/Updater.app"
# 4. Sparkle.framework itself (re-seal after inner changes)
resign "$SPARKLE"
# 5. Finally, re-sign the main app so its CodeDirectory hash matches
# the now-modified Sparkle inside. CRITICAL: use --preserve-metadata
# to keep the byte-exact entitlements blob Xcode embedded during
# archive — re-serializing via --entitlements caused the v2.4.2
# AMFI rejection (icloud-services string-vs-array mismatch).
codesign --force --sign "$IDENTITY" \
--timestamp --options=runtime \
--preserve-metadata=entitlements,requirements,flags,runtime \
"$APP"
echo " ✅ re-signed main app (entitlements preserved byte-exact)"
echo ""
echo "=== Verifying re-signed bundle ==="
codesign --verify --deep --strict --verbose=2 "$APP"
echo "✅ Sparkle re-sign pass complete"
- name: Audit all binary signatures
run: |
APP="build/export/DoomCoder.app"
echo "=== Signing identity for every Mach-O in the bundle ==="
find "$APP" -type f | while IFS= read -r f; do
if file "$f" 2>/dev/null | grep -qE "Mach-O|shared library"; then
AUTHORITY=$(codesign -dv "$f" 2>&1 | grep "^Authority=" | head -1 || echo "UNSIGNED")
printf " %-60s %s\n" "$(basename "$f")" "$AUTHORITY"
fi
done
echo ""
echo "=== spctl assessment ==="
# spctl may fail on CI runners — that's expected; log it for debugging only
spctl --assess --type execute --verbose "$APP" 2>&1 || true
- name: Notarize app
env:
NOTARIZE_KEY_P8: ${{ secrets.NOTARIZE_KEY_P8 }}
NOTARIZE_KEY_ID: ${{ secrets.NOTARIZE_KEY_ID }}
NOTARIZE_ISSUER_ID: ${{ secrets.NOTARIZE_ISSUER_ID }}
run: |
echo "${NOTARIZE_KEY_P8}" | base64 --decode > /tmp/AuthKey.p8
chmod 600 /tmp/AuthKey.p8
# Create the ZIP Apple requires for submission
ditto -c -k --sequesterRsrc --keepParent \
"build/export/DoomCoder.app" \
"build/DoomCoder-notarize.zip"
# ── Submit (no-wait — just upload and get an ID) ───────────────────
echo "Submitting to Apple notarization..."
SUBMIT_JSON=$(xcrun notarytool submit "build/DoomCoder-notarize.zip" \
--key /tmp/AuthKey.p8 \
--key-id "${NOTARIZE_KEY_ID}" \
--issuer "${NOTARIZE_ISSUER_ID}" \
--no-wait \
--output-format json)
echo "Submit response: ${SUBMIT_JSON}"
SUBMISSION_ID=$(echo "${SUBMIT_JSON}" | \
python3 -c "import json,sys; print(json.load(sys.stdin)['id'])")
echo "Submission ID: ${SUBMISSION_ID}"
# ── Poll with notarytool info (every 30 s, max 120 polls = 60 min) ──
# We use short-lived `notarytool info` calls instead of the long-running
# `notarytool wait`, which has hung indefinitely on macos-26 beta runners
# when the underlying HTTPS connection drops mid-stream.
#
# NOTE: We deliberately do NOT wrap with `timeout` — that binary does not
# exist on macOS (it's GNU coreutils) and silently failed every poll in
# earlier runs, producing 40 consecutive `poll_error` with no diagnostics.
# `notarytool info` is a short HTTPS call and returns quickly on its own.
echo "Polling notarization status (up to 60 min)..."
FINAL_STATUS="in_progress"
for ATTEMPT in $(seq 1 120); do
sleep 30
INFO_STDERR=$(mktemp)
INFO_JSON=$(xcrun notarytool info "${SUBMISSION_ID}" \
--key /tmp/AuthKey.p8 \
--key-id "${NOTARIZE_KEY_ID}" \
--issuer "${NOTARIZE_ISSUER_ID}" \
--output-format json 2>"${INFO_STDERR}") || INFO_JSON='{"status":"poll_error"}'
FINAL_STATUS=$(echo "${INFO_JSON}" | \
python3 -c "import json,sys; print(json.load(sys.stdin).get('status','unknown'))" \
2>/dev/null || echo "parse_error")
echo " [$(printf '%03d' $ATTEMPT)/120] $(date -u '+%H:%M:%S UTC') — ${FINAL_STATUS}"
# Surface stderr from notarytool whenever the call failed so we can
# actually diagnose problems (previously suppressed with 2>/dev/null).
if [ "${FINAL_STATUS}" = "poll_error" ] || [ "${FINAL_STATUS}" = "parse_error" ] || [ "${FINAL_STATUS}" = "unknown" ]; then
if [ -s "${INFO_STDERR}" ]; then
echo " ↳ notarytool stderr:"
sed 's/^/ /' "${INFO_STDERR}"
fi
if [ -n "${INFO_JSON}" ]; then
echo " ↳ notarytool stdout: ${INFO_JSON}"
fi
fi
rm -f "${INFO_STDERR}"
case "${FINAL_STATUS}" in
Accepted)
echo "✅ Notarization accepted by Apple"
break
;;
Invalid)
echo "❌ Apple rejected the submission"
echo "=== Apple Notarization Log ==="
xcrun notarytool log "${SUBMISSION_ID}" \
--key /tmp/AuthKey.p8 \
--key-id "${NOTARIZE_KEY_ID}" \
--issuer "${NOTARIZE_ISSUER_ID}" || true
rm -f /tmp/AuthKey.p8
exit 1
;;
# "in_progress" | "poll_error" | "parse_error" → keep polling
esac
done
# ── Final verdict ──────────────────────────────────────────────────
if [ "${FINAL_STATUS}" != "Accepted" ]; then
echo "::error::Notarization did not complete within 60 min. Final status: ${FINAL_STATUS}"
echo "=== Apple Notarization Log ==="
xcrun notarytool log "${SUBMISSION_ID}" \
--key /tmp/AuthKey.p8 \
--key-id "${NOTARIZE_KEY_ID}" \
--issuer "${NOTARIZE_ISSUER_ID}" || true
rm -f /tmp/AuthKey.p8
exit 1
fi
rm -f /tmp/AuthKey.p8
- name: Staple notarization ticket
run: |
xcrun stapler staple "build/export/DoomCoder.app"
xcrun stapler validate "build/export/DoomCoder.app"
echo "✅ Notarization ticket stapled"
- name: Create DMG
run: |
brew install create-dmg --quiet 2>/dev/null || true
create-dmg \
--volname "DoomCoder" \
--window-pos 200 120 \
--window-size 600 400 \
--icon-size 128 \
--icon "DoomCoder.app" 175 190 \
--hide-extension "DoomCoder.app" \
--app-drop-link 425 185 \
"DoomCoder-${{ env.VERSION }}.dmg" \
"build/export/"
codesign --sign "Developer ID Application" --timestamp \
"DoomCoder-${{ env.VERSION }}.dmg"
echo "✅ DMG created and signed"
- name: Create distribution ZIP
run: |
ditto -c -k --sequesterRsrc --keepParent \
"build/export/DoomCoder.app" \
"DoomCoder-${{ env.VERSION }}.zip"
ZIP_SIZE=$(stat -f%z "DoomCoder-${{ env.VERSION }}.zip")
echo "ZIP_SIZE=${ZIP_SIZE}" >> $GITHUB_ENV
echo "ZIP: ${ZIP_SIZE} bytes"
- name: Download Sparkle tools
run: |
SPARKLE_VER="2.9.1"
curl -sL "https://github.com/sparkle-project/Sparkle/releases/download/${SPARKLE_VER}/Sparkle-${SPARKLE_VER}.tar.xz" \
-o sparkle.tar.xz
mkdir -p sparkle-tools
tar xf sparkle.tar.xz -C sparkle-tools
chmod +x sparkle-tools/bin/*
- name: Sign ZIP with Sparkle EdDSA
env:
SPARKLE_PRIVATE_KEY: ${{ secrets.SPARKLE_PRIVATE_KEY }}
run: |
SPARKLE_SIG=$(echo "${SPARKLE_PRIVATE_KEY}" | \
sparkle-tools/bin/sign_update --ed-key-file - -p \
"DoomCoder-${{ env.VERSION }}.zip")
echo "Signature: ${SPARKLE_SIG}"
echo "SPARKLE_SIG=${SPARKLE_SIG}" >> $GITHUB_ENV
- name: Update appcast.xml
run: |
python3 scripts/update_appcast.py \
--version "${{ env.VERSION }}" \
--build "${{ env.BUILD }}" \
--signature "${{ env.SPARKLE_SIG }}" \
--size "${{ env.ZIP_SIZE }}" \
--download-url "https://github.com/katipally/Doom-Coder/releases/download/${{ env.TAG }}/DoomCoder-${{ env.VERSION }}.zip"
# Publish the GitHub Release (with the notarized DMG + ZIP) BEFORE the
# appcast push to main. The deliverable users actually download must not
# depend on the bookkeeping commit succeeding — if the protected-branch
# push ever fails, the release is already live and recoverable. It also
# guarantees the appcast's download URL resolves the moment it lands.
- name: Create GitHub Release
uses: softprops/action-gh-release@v3.0.0
env:
FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
with:
name: "Doom Coder ${{ env.TAG }}"
files: |
DoomCoder-${{ env.VERSION }}.dmg
DoomCoder-${{ env.VERSION }}.zip
generate_release_notes: true
body: |
## 📦 Installation
**DMG (recommended):**
1. Download **`DoomCoder-${{ env.VERSION }}.dmg`** below
2. Open it and drag **DoomCoder** into your Applications folder
3. Launch — no Gatekeeper warnings, no "unidentified developer" prompts
**ZIP:**
1. Download **`DoomCoder-${{ env.VERSION }}.zip`**
2. Unzip and move `DoomCoder.app` to `/Applications`
DoomCoder is **signed with a Developer ID and notarized by Apple**.
Existing users receive automatic updates via the built-in Sparkle updater.
---
Full changelog: [CHANGELOG.md](https://github.com/katipally/Doom-Coder/blob/main/docs/CHANGELOG.md)
- name: Commit version bump and appcast.xml
run: |
git config user.name "github-actions[bot]"
git config user.email "github-actions[bot]@users.noreply.github.com"
# Helper: re-apply version bumps to pbxproj files and project.yml.
# Called once at the start and again after any git reset in the retry
# loop — a reset reverts these files to origin/main so they must be
# re-patched before staging.
bump_versions() {
sed -i '' "s/MARKETING_VERSION = [^;]*/MARKETING_VERSION = ${{ env.VERSION }}/g" DoomCoder.xcodeproj/project.pbxproj
sed -i '' "s/CURRENT_PROJECT_VERSION = [^;]*/CURRENT_PROJECT_VERSION = ${{ env.BUILD }}/g" DoomCoder.xcodeproj/project.pbxproj
sed -i '' "s/MARKETING_VERSION = [^;]*/MARKETING_VERSION = ${{ env.VERSION }}/g" DoomCoderCompanion/DoomCoderCompanion.xcodeproj/project.pbxproj
sed -i '' "s/MARKETING_VERSION: \"[^\"]*\"/MARKETING_VERSION: \"${{ env.VERSION }}\"/" DoomCoderCompanion/project.yml
# README macOS version badges are static (no shields.io GitHub-API
# dependency, so they never flap on rate limits). The bot rewrites
# the literal version here so the README always matches the release
# we just published. iOS uses a dynamic App Store badge (separate
# pipeline) and is intentionally not touched.
sed -i '' "s|/badge/release-v[0-9][0-9.]*|/badge/release-v${{ env.VERSION }}|g" README.md
sed -i '' "s|/badge/latest-v[0-9][0-9.]*|/badge/latest-v${{ env.VERSION }}|g" README.md
}
# The "Update version in project" step already ran sed, but calling
# bump_versions again here is idempotent and handles the reset case.
bump_versions
# CRITICAL: stage ONLY the specific files we intend to commit.
# `git add -A` picks up .github/workflows changes which GITHUB_TOKEN
# cannot push (workflow files are protected), causing the push to fail.
for attempt in 1 2 3 4 5; do
echo "--- Commit attempt ${attempt} ---"
git add appcast.xml \
README.md \
DoomCoder.xcodeproj/project.pbxproj \
DoomCoderCompanion/DoomCoderCompanion.xcodeproj/project.pbxproj \
DoomCoderCompanion/project.yml
if ! git diff --cached --quiet; then
git commit -m "chore: bump version to ${{ env.TAG }}"
fi
git fetch origin main
# --autostash: the archive/notarize/dmg steps that ran earlier can
# leave stray unstaged changes in tracked files (e.g. Xcode rewriting
# a pbxproj). Without it, `git pull --rebase` aborts with "you have
# unstaged changes" and we waste an attempt falling back to the hard
# reset below. Autostash shelves those build-time changes for the
# rebase and restores them after; we never commit them, so a noisy
# pop is harmless — the push below only sends committed history.
if ! git pull --rebase --autostash -X theirs origin main; then
git rebase --abort || true
git reset --hard "origin/main"
bump_versions
python3 scripts/update_appcast.py \
--version "${{ env.VERSION }}" \
--build "${{ env.BUILD }}" \
--signature "${{ env.SPARKLE_SIG }}" \
--size "${{ env.ZIP_SIZE }}" \
--download-url "https://github.com/katipally/Doom-Coder/releases/download/${{ env.TAG }}/DoomCoder-${{ env.VERSION }}.zip"
continue
fi
if git push origin HEAD:main; then
echo "Push succeeded on attempt ${attempt}"
exit 0
fi
sleep $((attempt * 2))
done
echo "::error::appcast.xml/version-bump push to main failed after 5 attempts."
echo "::error::The GitHub Release IS already published — only the Sparkle"
echo "::error::auto-update feed (appcast.xml on main) is stale. See README/RELEASING."
exit 1
- name: Clean up keychain
if: always()
run: |
security delete-keychain build.keychain 2>/dev/null || true
rm -f certificate.p12 /tmp/AuthKey.p8
rm -rf ~/.appstoreconnect/private_keys