@@ -163,10 +163,10 @@ jobs:
163163 includeUpdaterJson : true
164164 args : ${{ matrix.args }}
165165
166- # Sign updater archives and upload .sig files manually.
167- # tauri-action creates .app.tar.gz / .nsis.zip / .AppImage. tar.gz
168- # but its internal signing logic doesn't reliably produce .sig
169- # files, so we run `tauri signer sign` ourselves .
166+ # Sign updater archives. tauri-action renames files during upload
167+ # (e.g. SwitchHosts .app.tar.gz → SwitchHosts_aarch64.app. tar.gz),
168+ # so we download the UPLOADED archives from the release, sign them,
169+ # and upload the .sig files with matching names .
170170 - name : Sign updater archives
171171 if : steps.tag.outputs.name != ''
172172 shell : bash
@@ -175,30 +175,33 @@ jobs:
175175 TAURI_SIGNING_PRIVATE_KEY_PASSWORD : ${{ secrets.TAURI_SIGNING_PRIVATE_KEY_PASSWORD }}
176176 GH_TOKEN : ${{ secrets.GITHUB_TOKEN }}
177177 run : |
178+ TAG="${{ steps.tag.outputs.name }}"
178179 RELEASE_ID="${{ steps.tauri.outputs.releaseId }}"
179180 REPO="${{ github.repository }}"
180181 if [ -z "$RELEASE_ID" ] || [ -z "$TAURI_SIGNING_PRIVATE_KEY" ]; then
181182 echo "Skipping signing (no release ID or no signing key)"
182183 exit 0
183184 fi
184185
185- # Find updater archives in the build output
186- ARCHIVES=$(find src-tauri/target -type f \( \
187- -name "*.app.tar.gz" -o \
188- -name "*.nsis.zip" -o \
189- -name "*.AppImage.tar.gz" \
190- \) ! -name "*.sig" 2>/dev/null)
191-
192- for ARCHIVE in $ARCHIVES; do
193- echo "Signing: $ARCHIVE"
194- npx tauri signer sign "$ARCHIVE"
195- SIG="${ARCHIVE}.sig"
186+ mkdir -p /tmp/updater-sign
187+
188+ # Find updater archives (.app.tar.gz / .nsis.zip / .AppImage.tar.gz) in the release
189+ gh api "repos/$REPO/releases/$RELEASE_ID/assets" --paginate \
190+ --jq '.[] | select(.name | test("\\.(app\\.tar\\.gz|nsis\\.zip|AppImage\\.tar\\.gz)$")) | "\(.id)\t\(.name)"' | \
191+ while IFS=$'\t' read -r AID NAME; do
192+ echo "Downloading: $NAME"
193+ gh api -H "Accept: application/octet-stream" \
194+ "repos/$REPO/releases/assets/$AID" > "/tmp/updater-sign/$NAME"
195+
196+ echo "Signing: $NAME"
197+ npx tauri signer sign "/tmp/updater-sign/$NAME"
198+
199+ SIG="/tmp/updater-sign/${NAME}.sig"
196200 if [ -f "$SIG" ]; then
197- echo "Uploading: $(basename "$SIG")"
198- gh release upload "${{ steps.tag.outputs.name }}" "$SIG" \
199- --repo "$REPO" --clobber
201+ echo "Uploading: ${NAME}.sig"
202+ gh release upload "$TAG" "$SIG" --repo "$REPO" --clobber
200203 else
201- echo "::warning::Signature file not created for $ARCHIVE "
204+ echo "::warning::Signature not created for $NAME "
202205 fi
203206 done
204207
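Review bot: The signing key is now applied to bytes fetched back from the release (the `gh api … > "/tmp/updater-sign/$NAME"` download) rather than to the archives this job built, and nothing checks that the two are the same. Any asset matching the name pattern that is on the release when the step runs gets a valid updater signature, including one uploaded or replaced by another job or token with release write access; with the build matrix, each job also appears to re-sign every platform's archives and `--clobber` the other jobs' `.sig` files. Compare each download's SHA-256 with the digests of the local build outputs under `src-tauri/target` and sign only on a match, as sketched below. Separately, the new `TAG="${{ steps.tag.outputs.name }}"` line expands an expression inside the script of the step that holds the key; passing it through the step's `env:` block (`TAG: ${{ steps.tag.outputs.name }}`) keeps a crafted tag name from being parsed as shell.

```yaml
run: |
  # … unchanged: RELEASE_ID / REPO setup and the skip check …

  # Digests of the archives this job built
  # (sha256sum here; `shasum -a 256` on runners that lack it).
  BUILT_SUMS=$(find src-tauri/target -type f \( \
    -name "*.app.tar.gz" -o \
    -name "*.nsis.zip" -o \
    -name "*.AppImage.tar.gz" \
    \) -exec sha256sum {} + | awk '{print $1}')

  # … unchanged: asset listing, read loop header, download to /tmp/updater-sign/$NAME …

      SUM=$(sha256sum "/tmp/updater-sign/$NAME" | awk '{print $1}')
      if ! grep -qxF -- "$SUM" <<<"$BUILT_SUMS"; then
        echo "::warning::$NAME does not match an archive built by this job; not signing"
        continue
      fi

  # … unchanged: tauri signer sign and .sig upload …
```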
@@ -306,70 +309,77 @@ jobs:
306309
307310 DOWNLOAD_BASE="https://github.com/$REPO/releases/download/$TAG"
308311
309- # Helper: read .sig file content from release assets
310- get_sig() {
311- local sig_name="$1"
312- gh api "repos/$REPO/releases/$RELEASE_ID/assets" --paginate \
313- --jq ".[] | select(.name == \"$sig_name\") | .url" | head -1 | \
314- xargs -I{} gh api -H "Accept: application/octet-stream" {} 2>/dev/null || echo ""
315- }
316-
317- # Collect per-platform entries
312+ # Build platform entries dynamically from actual .sig assets.
313+ # For each .sig file, derive the archive name and the Tauri
314+ # platform key from the filename pattern.
318315 PLATFORMS="{}"
319316
320- # macOS universal
321- SIG=$(get_sig "SwitchHosts_universal.app.tar.gz.sig")
322- if [ -n "$SIG" ]; then
323- PLATFORMS=$(echo "$PLATFORMS" | jq \
324- --arg url "$DOWNLOAD_BASE/SwitchHosts_universal.app.tar.gz" \
325- --arg sig "$SIG" \
326- '. + {"darwin-universal": {"url": $url, "signature": $sig}}')
327- fi
328-
329- # macOS aarch64
330- SIG=$(get_sig "SwitchHosts_aarch64.app.tar.gz.sig")
331- if [ -n "$SIG" ]; then
332- PLATFORMS=$(echo "$PLATFORMS" | jq \
333- --arg url "$DOWNLOAD_BASE/SwitchHosts_aarch64.app.tar.gz" \
334- --arg sig "$SIG" \
335- '. + {"darwin-aarch64": {"url": $url, "signature": $sig}}')
336- fi
337-
338- # macOS x64
339- SIG=$(get_sig "SwitchHosts_x64.app.tar.gz.sig")
340- if [ -n "$SIG" ]; then
341- PLATFORMS=$(echo "$PLATFORMS" | jq \
342- --arg url "$DOWNLOAD_BASE/SwitchHosts_x64.app.tar.gz" \
343- --arg sig "$SIG" \
344- '. + {"darwin-x86_64": {"url": $url, "signature": $sig}}')
345- fi
317+ gh api "repos/$REPO/releases/$RELEASE_ID/assets" --paginate \
318+ --jq '.[] | select(.name | endswith(".sig")) | "\(.id)\t\(.name)"' | \
319+ while IFS=$'\t' read -r AID SIG_NAME; do
320+ # Download sig content
321+ SIG_CONTENT=$(gh api -H "Accept: application/octet-stream" \
322+ "repos/$REPO/releases/assets/$AID" 2>/dev/null)
323+ [ -z "$SIG_CONTENT" ] && continue
324+
325+ # Derive archive name (strip .sig suffix)
326+ ARCHIVE_NAME="${SIG_NAME%.sig}"
327+
328+ # Determine Tauri platform key from filename
329+ PLATFORM_KEY=""
330+ case "$ARCHIVE_NAME" in
331+ *_universal.app.tar.gz) PLATFORM_KEY="darwin-universal" ;;
332+ *_aarch64.app.tar.gz) PLATFORM_KEY="darwin-aarch64" ;;
333+ *_x64.app.tar.gz) PLATFORM_KEY="darwin-x86_64" ;;
334+ *_x64-setup.nsis.zip) PLATFORM_KEY="windows-x86_64" ;;
335+ *_x86-setup.nsis.zip) PLATFORM_KEY="windows-i686" ;;
336+ *_arm64-setup.nsis.zip) PLATFORM_KEY="windows-aarch64" ;;
337+ *_amd64.AppImage.tar.gz) PLATFORM_KEY="linux-x86_64" ;;
338+ *_aarch64.AppImage.tar.gz) PLATFORM_KEY="linux-aarch64" ;;
339+ esac
340+ [ -z "$PLATFORM_KEY" ] && continue
346341
347- # Windows x64
348- SIG=$(get_sig "SwitchHosts_${VERSION}_x64-setup.nsis.zip.sig")
349- if [ -n "$SIG" ]; then
342+ echo " $PLATFORM_KEY → $ARCHIVE_NAME"
350343 PLATFORMS=$(echo "$PLATFORMS" | jq \
351- --arg url "$DOWNLOAD_BASE/SwitchHosts_${VERSION}_x64-setup.nsis.zip" \
352- --arg sig "$SIG" \
353- '. + {"windows-x86_64": {"url": $url, "signature": $sig}}')
354- fi
344+ --arg key "$PLATFORM_KEY" \
345+ --arg url "$DOWNLOAD_BASE/$ARCHIVE_NAME" \
346+ --arg sig "$SIG_CONTENT" \
347+ '. + {($key): {"url": $url, "signature": $sig}}')
348+ done
355349
356- # Linux x86_64
357- SIG=$(get_sig "SwitchHosts_${VERSION}_amd64.AppImage.tar.gz.sig")
358- if [ -n "$SIG" ]; then
359- PLATFORMS=$(echo "$PLATFORMS" | jq \
360- --arg url "$DOWNLOAD_BASE/SwitchHosts_${VERSION}_amd64.AppImage.tar.gz" \
361- --arg sig "$SIG" \
362- '. + {"linux-x86_64": {"url": $url, "signature": $sig}}')
363- fi
350+ # The while loop runs in a subshell (pipe), so $PLATFORMS
351+ # changes are lost. Re-read from the actual assets:
352+ PLATFORMS="{}"
353+ for entry in $(gh api "repos/$REPO/releases/$RELEASE_ID/assets" --paginate \
354+ --jq '.[] | select(.name | endswith(".sig")) | .id'); do
355+
356+ ASSET=$(gh api "repos/$REPO/releases/assets/$entry")
357+ SIG_NAME=$(echo "$ASSET" | jq -r '.name')
358+ SIG_CONTENT=$(gh api -H "Accept: application/octet-stream" \
359+ "repos/$REPO/releases/assets/$entry" 2>/dev/null)
360+ [ -z "$SIG_CONTENT" ] && continue
361+
362+ ARCHIVE_NAME="${SIG_NAME%.sig}"
363+ PLATFORM_KEY=""
364+ case "$ARCHIVE_NAME" in
365+ *_universal.app.tar.gz) PLATFORM_KEY="darwin-universal" ;;
366+ *_aarch64.app.tar.gz) PLATFORM_KEY="darwin-aarch64" ;;
367+ *_x64.app.tar.gz) PLATFORM_KEY="darwin-x86_64" ;;
368+ *_x64-setup.nsis.zip) PLATFORM_KEY="windows-x86_64" ;;
369+ *_x86-setup.nsis.zip) PLATFORM_KEY="windows-i686" ;;
370+ *_arm64-setup.nsis.zip) PLATFORM_KEY="windows-aarch64" ;;
371+ *_amd64.AppImage.tar.gz) PLATFORM_KEY="linux-x86_64" ;;
372+ *_aarch64.AppImage.tar.gz) PLATFORM_KEY="linux-aarch64" ;;
373+ esac
374+ [ -z "$PLATFORM_KEY" ] && continue
364375
365- # Linux aarch64
366- SIG=$(get_sig "SwitchHosts_${VERSION}_aarch64.AppImage.tar.gz.sig")
367- if [ -n "$SIG" ]; then
376+ echo " $PLATFORM_KEY → $ARCHIVE_NAME"
368377 PLATFORMS=$(echo "$PLATFORMS" | jq \
369- --arg url "$DOWNLOAD_BASE/SwitchHosts_${VERSION}_aarch64.AppImage.tar.gz" \
370- --arg sig "$SIG" \
371- '. + {"linux-aarch64": {"url": $url, "signature": $sig}}')
372- fi
378+ --arg key "$PLATFORM_KEY" \
379+ --arg url "$DOWNLOAD_BASE/$ARCHIVE_NAME" \
380+ --arg sig "$SIG_CONTENT" \
381+ '. + {($key): {"url": $url, "signature": $sig}}')
382+ done
373383
374384 NOW=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
375385 LATEST=$(jq -n \
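Review bot: The first `while IFS=$'\t' read -r AID SIG_NAME` loop is dead code: it runs on the right-hand side of a pipe, so its `PLATFORMS` updates are discarded (as the comment further down says), yet it still downloads every `.sig` once before the `for entry` loop downloads them all again. Keep a single loop and feed it with process substitution, `done < <(gh api "repos/$REPO/releases/$RELEASE_ID/assets" --paginate --jq '…')`, which also removes the extra per-asset metadata call and the duplicated `case` table. Both loops also accept any release asset ending in `.sig`, and the `case` globs match on suffix only, so two assets that map to the same platform key overwrite each other silently. A `::warning::` when the key is already present in `$PLATFORMS` would make that visible before `latest.json` is published.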
@@ -381,6 +391,5 @@ jobs:
381391 echo "$LATEST" | jq .
382392 echo "$LATEST" > latest.json
383393
384- # Upload (clobber if already exists from a previous run)
385394 gh release upload "$TAG" latest.json --repo "$REPO" --clobber
386395 echo "latest.json uploaded with $(echo "$PLATFORMS" | jq 'keys | length') platform(s)"