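---
# Release pipeline: creates (or reuses) a GitHub release, builds the Tauri
# desktop bundles, then code-signs the Windows artifacts and uploads them.
name: "Create Release"

on:
  # Allow manual
  workflow_dispatch:
  # NOTE(review): no branches/tags filter is set, so every push to any ref
  # starts the jobs below, which receive the signing secrets and a
  # contents: write token. Confirm this is intended; otherwise restrict the
  # trigger with `branches:` or `tags:`.
  push:

# One run per workflow + ref; a newer run on the same ref cancels the older one.
concurrency:
  group: '${{ github.workflow }}-${{ github.ref }}'
  cancel-in-progress: true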
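# NOTE(review): every third-party action below is referenced by a mutable tag
# or branch (@v4, @v2, @stable, @dev). Several of these steps run with signing
# secrets and a contents: write token in scope, so pin each `uses:` to a full
# commit SHA (uses: owner/repo@<FULL_COMMIT_SHA>  # vX.Y.Z) to keep an upstream
# retag or branch push from changing what runs here.
jobs:
  # Creates the release (or reuses an existing one) and exposes its id to the
  # other jobs through the `release_id` output.
  create-release:
    permissions:
      contents: write
    runs-on: ubuntu-latest
    outputs:
      release_id: ${{ steps.create-release.outputs.result }}
    steps:
      - uses: actions/checkout@v4
      - name: setup node
        uses: actions/setup-node@v4
        with:
          node-version: 20
      - name: Get app version
        # Values written to GITHUB_ENV are visible only to later steps of
        # THIS job; other jobs must compute the version themselves.
        run: |
          echo "PACKAGE_VERSION=$(node -p "require('./apps/desktop/src-tauri/tauri.conf.json').package.version")" >> "$GITHUB_ENV"
      - name: Create release or skip
        id: create-release
        uses: actions/github-script@v7
        with:
          script: |
            const { script } = await import('${{ github.workspace }}/scripts/actions/create-release.js')
            return await script({ github, context });

  # Builds the Tauri bundles for each enabled matrix entry and attaches them
  # to the release created above.
  build-tauri:
    needs: create-release
    permissions:
      contents: write
    strategy:
      fail-fast: false
      matrix:
        settings:
          # - host: macos-latest
          #   target: universal-apple-darwin
          #   toolchain: aarch64-apple-darwin,x86_64-apple-darwin
          #   bundles: app,dmg
          #   os: darwin
          - host: windows-latest
            target: x86_64-pc-windows-msvc
            toolchain: x86_64-pc-windows-msvc
            bundles: msi,nsis
            os: windows
          # - host: ubuntu-latest
          #   target: x86_64-unknown-linux-gnu
          #   toolchain: x86_64-unknown-linux-gnu
          #   bundles: deb,appimage
          #   os: linux
    env:
      APP_DIR: "apps/desktop"
    runs-on: ${{ matrix.settings.host }}
    steps:
      - uses: actions/checkout@v4
      - name: Setup node
        uses: actions/setup-node@v4
        with:
          node-version: 20
      - name: Install Rust stable
        uses: dtolnay/rust-toolchain@stable
        with:
          target: "${{ matrix.settings.toolchain }}"
      - uses: Swatinem/rust-cache@v2
        with:
          workspaces: "apps/desktop/src-tauri/target"
      - name: install dependencies (ubuntu only)
        if: matrix.settings.host == 'ubuntu-latest'
        run: |
          sudo apt-get update
          sudo apt-get install -y libgtk-3-dev libwebkit2gtk-4.0-dev libappindicator3-dev librsvg2-dev patchelf
      - uses: pnpm/action-setup@v2
        with:
          version: 8
      - name: install frontend dependencies
        run: pnpm install
      # NOTE(review): `@dev` looks like a branch ref, and this step is handed
      # the Apple signing material, the updater private key and a write-scoped
      # GITHUB_TOKEN. Of all the `uses:` lines, this is the one to pin to a
      # reviewed commit SHA first.
      - uses: tauri-apps/tauri-action@dev
        env:
          APPLE_ID: "${{ secrets.APPLE_ID }}"
          APPLE_PASSWORD: "${{ secrets.APPLE_PASSWORD }}"
          APPLE_TEAM_ID: "${{ secrets.APPLE_TEAM_ID }}"
          APPLE_SIGNING_IDENTITY: "${{ secrets.APPLE_SIGNING_IDENTITY }}"
          APPLE_CERTIFICATE: "${{ secrets.APPLE_CERTIFICATE }}"
          APPLE_CERTIFICATE_PASSWORD: "${{ secrets.APPLE_CERTIFICATE_PASSWORD }}"
          TAURI_PRIVATE_KEY: "${{ secrets.TAURI_PRIVATE_KEY }}"
          TAURI_PUBLIC_KEY: "${{ secrets.TAURI_PUBLIC_KEY }}"
          GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
        with:
          projectPath: "${{ env.APP_DIR }}"
          releaseId: ${{ needs.create-release.outputs.release_id }}
          args: --target ${{ matrix.settings.target }} --bundles ${{ matrix.settings.bundles }},updater

  # Downloads the draft Windows binaries, code-signs them, produces the
  # updater signatures and zips, and uploads the results to the release.
  sign-windows:
    runs-on: ubuntu-latest
    needs: [create-release, build-tauri]
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@v4
      - name: setup node
        uses: actions/setup-node@v4
        with:
          node-version: 20
      - name: Get app version
        # PACKAGE_VERSION set in the create-release job does not carry over to
        # this job, so it is recomputed here; without it the zip names below
        # are built with an empty version.
        run: |
          echo "PACKAGE_VERSION=$(node -p "require('./apps/desktop/src-tauri/tauri.conf.json').package.version")" >> "$GITHUB_ENV"
      - name: Install Rust stable
        uses: dtolnay/rust-toolchain@stable
      - uses: Swatinem/rust-cache@v2
      - name: Install tauri cli
        # --locked builds with the lockfile published with the crate instead
        # of re-resolving dependencies on every run.
        # NOTE(review): the CLI version itself is still unpinned; this binary
        # later handles the updater private key, so consider --version too.
        run: cargo install tauri-cli --locked
      - name: Download draft binaries
        uses: actions/github-script@v7
        with:
          # The release id is read from the environment rather than being
          # templated into the script source.
          script: |
            const { script } = await import('${{ github.workspace }}/scripts/actions/download-draft-bins.js')
            const id = process.env.RELEASE_ID;
            await script({ github, context }, id);
        env:
          # NOTE: we need this to download the bins
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          RELEASE_ID: ${{ needs.create-release.outputs.release_id }}
      - name: Presign
        # Log a SHA-256 digest of each input so the signed output can be
        # traced back to what was downloaded.
        run: |
          ls -hal binaries
          sha256sum binaries/*
      - name: Sign Windows Binaries
        # NOTE(review): `:latest` is a mutable tag on an image that receives
        # the code-signing username, password, credential id and TOTP secret.
        # Pin it by digest, e.g.
        #   ghcr.io/hacksore/sslcom-codesign@sha256:<IMAGE_DIGEST>
        # NOTE(review): the credentials are passed as command-line arguments,
        # so they are visible in the process list for the duration of the
        # call; prefer an env- or file-based input if the signer offers one.
        # Expansions are quoted so a secret containing whitespace or glob
        # characters is passed as a single argument.
        run: |
          echo "Starting code sign for windows bins..."
          docker run -v "./binaries:/code/binaries" ghcr.io/hacksore/sslcom-codesign:latest batch_sign \
            -username="${ES_USERNAME}" \
            -password="${ES_PASSWORD}" \
            -credential_id="${ES_CREDENTIAL_ID}" \
            -totp_secret="${ES_TOTP_SECRET}" \
            -input_dir_path="/code/binaries" \
            -output_dir_path="/code/binaries/signed"
        env:
          ES_USERNAME: "${{ secrets.ES_USERNAME }}"
          ES_PASSWORD: "${{ secrets.ES_PASSWORD }}"
          ES_CREDENTIAL_ID: "${{ secrets.ES_CREDENTIAL_ID }}"
          ES_TOTP_SECRET: "${{ secrets.ES_TOTP_SECRET }}"
      - name: Postsign
        run: |
          ls -hal binaries/signed
          sha256sum binaries/signed/*
          # change the perms to 777 as the signer seems to change owner to root
          # NOTE(review): 777 leaves the signed artifacts world-writable until
          # upload; restoring ownership to the runner user would be narrower.
          chmod -R 777 binaries/signed
      - name: Create a nsis.zip and msi.zip
        run: |
          # create a signature of the binaries with tauri signer, this does not mutate the original bin
          # TODO: waiting for tauri to support env vars via https://github.com/tauri-apps/tauri/pull/8327
          # The key is expanded by the shell from this step's env instead of
          # being templated into the script text, so its content cannot alter
          # the script. It is still a process argument until the CLI can read
          # it from the environment.
          cargo tauri signer sign --password "" --private-key "${TAURI_PRIVATE_KEY}" binaries/signed/*.msi
          cargo tauri signer sign --password "" --private-key "${TAURI_PRIVATE_KEY}" binaries/signed/*.exe
          # zip the binaries using the name "Overlayed" and the version from the package.json
          cd binaries/signed
          zip -r "Overlayed_${PACKAGE_VERSION}_x64_en-US.msi.zip" *.msi
          zip -r "Overlayed_${PACKAGE_VERSION}_x64_en-US.nsis.zip" *.exe
          # debug (already inside binaries/signed after the cd above)
          ls -hal .
          # TODO: patch the release json to include the new sig files content for
          # "windows-x86_64"
        env:
          TAURI_PRIVATE_KEY: "${{ secrets.TAURI_PRIVATE_KEY }}"
          TAURI_PUBLIC_KEY: "${{ secrets.TAURI_PUBLIC_KEY }}"
      - name: Upload signed windows binaries
        uses: actions/github-script@v7
        with:
          # The release id is read from the environment rather than being
          # templated into the script source.
          script: |
            const { script } = await import('${{ github.workspace }}/scripts/actions/upload-signed-bins.js');
            const id = process.env.RELEASE_ID;
            await script({ github, context }, id);
        env:
          RELEASE_ID: ${{ needs.create-release.outputs.release_id }}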