Release #14

Workflow file for this run

.github/workflows/release.yml at c489fa7

	name: Release

	on:
	workflow_dispatch:
	inputs:
	platform:
	description: 'Platform to build'
	required: false
	default: 'all'
	type: choice
	options:
	- all
	- macos
	- linux
	- windows
	release:
	types: [published]

	permissions:
	contents: write

	concurrency:
	group: ${{ github.workflow }}-${{ github.ref }}
	cancel-in-progress: true

	jobs:
	build-macos:
	name: Build macOS (ARM64)
	if: >
	github.event_name == 'release' \|\|
	inputs.platform == 'all' \|\| inputs.platform == 'macos' \|\| inputs.platform == ''
	runs-on: [macOS, ARM64]
	timeout-minutes: 30

	steps:
	- uses: actions/checkout@v4

	- name: Setup Tauri build environment
	uses: ./.github/actions/setup-tauri-build

	- name: Import Apple certificate
	env:
	APPLE_CERTIFICATE: ${{ secrets.APPLE_CERTIFICATE }}
	APPLE_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
	KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }}
	run: \|
	KEYCHAIN_PATH="$HOME/Library/Keychains/ci_signing.keychain-db"
	echo $APPLE_CERTIFICATE \| base64 --decode > certificate.p12
	security create-keychain -p "$KEYCHAIN_PASSWORD" ci_signing.keychain
	security default-keychain -s ci_signing.keychain
	security unlock-keychain -p "$KEYCHAIN_PASSWORD" ci_signing.keychain
	security set-keychain-settings -t 3600 -u ci_signing.keychain
	security list-keychains -d user -s ci_signing.keychain login.keychain
	security import certificate.p12 -k ci_signing.keychain \
	-P "$APPLE_CERTIFICATE_PASSWORD" -T /usr/bin/codesign
	security set-key-partition-list -S apple-tool:,apple:,codesign: \
	-s -k "$KEYCHAIN_PASSWORD" ci_signing.keychain
	security find-identity -v -p codesigning ci_signing.keychain
	rm certificate.p12

	- name: Decode App Store Connect API key
	env:
	APPLE_API_KEY_B64: ${{ secrets.APPLE_API_KEY_B64 }}
	run: \|
	echo "$APPLE_API_KEY_B64" \| base64 --decode > /tmp/auth_key.p8

	- name: Build binary
	env:
	GITHUB_TOKEN: ${{ github.token }}
	LASTFM_API_KEY: ${{ secrets.LASTFM_API_KEY }}
	LASTFM_API_SECRET: ${{ secrets.LASTFM_API_SECRET }}
	run: task ci:build TARGET=aarch64-apple-darwin

	- name: Bundle and sign
	env:
	APPLE_SIGNING_IDENTITY: ${{ secrets.APPLE_SIGNING_IDENTITY }}
	run: task ci:bundle TARGET=aarch64-apple-darwin

	- name: Upload artifacts
	uses: actions/upload-artifact@v4
	with:
	name: macos-arm64
	path: \|
	target/aarch64-apple-darwin/release/bundle/dmg/*.dmg
	target/aarch64-apple-darwin/release/bundle/macos/*.app
	retention-days: 7

	- name: Notarize
	env:
	APPLE_API_KEY: ${{ secrets.APPLE_API_KEY }}
	APPLE_API_ISSUER: ${{ secrets.APPLE_API_ISSUER }}
	run: task ci:notarize TARGET=aarch64-apple-darwin

	- name: Upload release assets
	if: github.event_name == 'release'
	env:
	GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
	run: \|
	gh release upload "${{ github.event.release.tag_name }}" \
	target/aarch64-apple-darwin/release/bundle/dmg/*.dmg

	- name: Cleanup CI keychain
	if: always()
	run: \|
	security delete-keychain ci_signing.keychain \|\| true
	rm -f /tmp/auth_key.p8

	build-linux-amd64:
	name: Build Linux (amd64)
	if: >
	github.event_name == 'release' \|\|
	inputs.platform == 'all' \|\| inputs.platform == 'linux' \|\| inputs.platform == ''
	runs-on: blacksmith-4vcpu-ubuntu-2404
	timeout-minutes: 30

	steps:
	- uses: actions/checkout@v4

	- name: Setup Tauri build environment
	uses: ./.github/actions/setup-tauri-build

	- name: Build binary
	env:
	GITHUB_TOKEN: ${{ github.token }}
	LASTFM_API_KEY: ${{ secrets.LASTFM_API_KEY }}
	LASTFM_API_SECRET: ${{ secrets.LASTFM_API_SECRET }}
	run: task ci:build TARGET=x86_64-unknown-linux-gnu

	- name: Bundle
	run: task ci:bundle TARGET=x86_64-unknown-linux-gnu BUNDLES=deb

	- name: Upload artifacts
	uses: actions/upload-artifact@v4
	with:
	name: linux-amd64
	path: target/x86_64-unknown-linux-gnu/release/bundle/deb/*.deb
	retention-days: 7

	- name: Upload release assets
	if: github.event_name == 'release'
	env:
	GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
	run: \|
	gh release upload "${{ github.event.release.tag_name }}" \
	target/x86_64-unknown-linux-gnu/release/bundle/deb/*.deb

	build-linux-arm64:
	name: Build Linux (ARM64)
	if: >
	github.event_name == 'release' \|\|
	inputs.platform == 'all' \|\| inputs.platform == 'linux' \|\| inputs.platform == ''
	runs-on: blacksmith-4vcpu-ubuntu-2404
	timeout-minutes: 60

	steps:
	- uses: actions/checkout@v4

	- name: Install Task
	uses: go-task/setup-task@v1

	- name: Restore Taskfile fingerprint cache
	uses: actions/cache@v4
	with:
	path: .task
	key: task-${{ runner.os }}-${{ hashFiles('taskfiles/ci.yml') }}
	restore-keys: \|
	task-${{ runner.os }}-

	- name: Setup Blacksmith Builder
	uses: useblacksmith/setup-docker-builder@v1

	- name: Set up QEMU
	uses: docker/setup-qemu-action@v3
	with:
	platforms: arm64

	- name: Build ARM64 .deb
	run: \|
	docker buildx build \
	--platform linux/arm64 \
	--file docker/Dockerfile.linux-arm64 \
	--build-arg LASTFM_API_KEY=${{ secrets.LASTFM_API_KEY }} \
	--build-arg LASTFM_API_SECRET=${{ secrets.LASTFM_API_SECRET }} \
	--target artifacts \
	--output type=local,dest=dist/linux-arm64 \
	.

	- name: Upload artifacts
	uses: actions/upload-artifact@v4
	with:
	name: linux-arm64
	path: dist/linux-arm64/*.deb
	retention-days: 7

	- name: Upload release assets
	if: github.event_name == 'release'
	env:
	GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
	run: \|
	gh release upload "${{ github.event.release.tag_name }}" \
	dist/linux-arm64/*.deb

	build-windows:
	name: Build Windows (x64)
	if: >
	github.event_name == 'release' \|\|
	inputs.platform == 'all' \|\| inputs.platform == 'windows' \|\| inputs.platform == ''
	runs-on: [self-hosted, Windows, X64]
	timeout-minutes: 45

	steps:
	- name: Bootstrap Windows prerequisites
	shell: powershell
	run: \|
	$ProgressPreference = 'SilentlyContinue'
	$toInstall = @()
	if (-not (Get-Command git -ErrorAction SilentlyContinue)) { $toInstall += 'git' }
	if (-not (Get-Command pwsh -ErrorAction SilentlyContinue)) { $toInstall += 'pwsh' }
	if ($toInstall.Count -gt 0) {
	choco install @toInstall -y
	}
	$gitPath = (Get-ItemProperty 'HKLM:\SOFTWARE\GitForWindows' -ErrorAction SilentlyContinue).InstallPath
	if ($gitPath) {
	echo "$gitPath\cmd" >> $env:GITHUB_PATH
	}

	- uses: actions/checkout@v4

	- name: Setup Tauri build environment
	uses: ./.github/actions/setup-tauri-build

	- name: Install Windows SDK (signtool)
	shell: pwsh
	run: \|
	choco install windows-sdk-10.1 -y
	$signtool = Get-ChildItem -Path "${env:ProgramFiles(x86)}\Windows Kits\10\bin" `
	-Recurse -Filter signtool.exe \| Where-Object { $_.FullName -match '\\x64\\' } `
	\| Sort-Object { [version]($_.FullName -replace '.\\(\d+\.\d+\.\d+\.\d+)\\.','$1') } `
	\| Select-Object -Last 1 -ExpandProperty FullName
	echo "SIGNTOOL_PATH=$signtool" >> $env:GITHUB_ENV

	- name: Generate self-signed code signing certificate
	shell: pwsh
	env:
	WINDOWS_CERT_PASSWORD: ${{ secrets.WINDOWS_CERT_PASSWORD }}
	run: \|
	$password = ConvertTo-SecureString -String $env:WINDOWS_CERT_PASSWORD -Force -AsPlainText
	$cert = New-SelfSignedCertificate -Type CodeSigningCert -Subject 'CN=MT' `
	-CertStoreLocation Cert:\CurrentUser\My -NotAfter (Get-Date).AddYears(5)
	Export-PfxCertificate -Cert $cert -FilePath "${{ runner.temp }}\mt-cert.pfx" -Password $password
	echo "CERT_PATH=${{ runner.temp }}\mt-cert.pfx" >> $env:GITHUB_ENV

	- name: Write signing config override
	shell: pwsh
	env:
	WINDOWS_CERT_PASSWORD: ${{ secrets.WINDOWS_CERT_PASSWORD }}
	run: \|
	$signScript = Join-Path "${{ runner.temp }}" 'sign.cmd'
	@"
	@echo off
	"$env:SIGNTOOL_PATH" sign /f "$env:CERT_PATH" /p "$env:WINDOWS_CERT_PASSWORD" /t http://timestamp.digicert.com /fd SHA256 %1
	"@ \| Out-File -FilePath $signScript -Encoding ascii
	$config = @{
	build = @{ beforeBuildCommand = "" }
	bundle = @{ windows = @{ signCommand = @{ cmd = "cmd"; args = @("/C", $signScript, "%1") } } }
	} \| ConvertTo-Json -Depth 5
	$configPath = "${{ runner.temp }}\sign-override.json"
	$config \| Out-File -FilePath $configPath -Encoding utf8
	echo "SIGN_CONFIG_PATH=$configPath" >> $env:GITHUB_ENV

	- name: Build binary
	shell: pwsh
	env:
	LASTFM_API_KEY: ${{ secrets.LASTFM_API_KEY }}
	LASTFM_API_SECRET: ${{ secrets.LASTFM_API_SECRET }}
	run: task ci:build TARGET=x86_64-pc-windows-msvc CONFIG=${{ env.SIGN_CONFIG_PATH }}

	- name: Bundle NSIS installer
	shell: pwsh
	run: task ci:bundle TARGET=x86_64-pc-windows-msvc BUNDLES=nsis CONFIG=${{ env.SIGN_CONFIG_PATH }}

	- name: Upload artifacts
	uses: actions/upload-artifact@v4
	with:
	name: windows-x64
	path: target/x86_64-pc-windows-msvc/release/bundle/nsis/*.exe
	retention-days: 7

	- name: Upload release assets
	if: github.event_name == 'release'
	shell: pwsh
	env:
	GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
	run: \|
	gh release upload "${{ github.event.release.tag_name }}" (Get-Item target/x86_64-pc-windows-msvc/release/bundle/nsis/*.exe)

	- name: Cleanup certificate
	if: always()
	shell: pwsh
	run: \|
	Remove-Item -Force "${{ runner.temp }}\mt-cert.pfx" -ErrorAction SilentlyContinue
	Remove-Item -Force "${{ runner.temp }}\sign-override.json" -ErrorAction SilentlyContinue
	Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert \| Where-Object { $_.Subject -eq 'CN=MT' } \| Remove-Item

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Release #14

Workflow file

Release #14

Uh oh!

Workflow file for this run