Skip to content

Add comment

Add comment #135

Workflow file for this run

name: "Create Release"
on:
# Allow manual
workflow_dispatch:
push:
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
jobs:
create-release:
permissions:
contents: write
runs-on: ubuntu-latest
outputs:
release_id: ${{ steps.create-release.outputs.result }}
steps:
- uses: actions/checkout@v4
- name: setup node
uses: actions/setup-node@v4
with:
node-version: 20
- name: Get app version
run: echo "PACKAGE_VERSION=$(node -p "require('./apps/desktop/src-tauri/tauri.conf.json').package.version")" >> $GITHUB_ENV
- name: Create release or skip
id: create-release
uses: actions/github-script@v7
with:
script: |
const { script } = await import('${{ github.workspace }}/scripts/actions/create-release.js')
return await script({ github, context });
build-tauri:
needs: create-release
permissions:
contents: write
strategy:
fail-fast: false
matrix:
settings:
# - host: macos-latest
# target: universal-apple-darwin
# toolchain: aarch64-apple-darwin,x86_64-apple-darwin
# bundles: app,dmg
# os: darwin
- host: windows-latest
target: x86_64-pc-windows-msvc
toolchain: x86_64-pc-windows-msvc
bundles: msi,nsis
os: windows
# - host: ubuntu-latest
# target: x86_64-unknown-linux-gnu
# toolchain: x86_64-unknown-linux-gnu
# bundles: deb,appimage
# os: linux
env:
APP_DIR: "apps/desktop"
runs-on: ${{ matrix.settings.host }}
steps:
- uses: actions/checkout@v4
- name: Setup node
uses: actions/setup-node@v4
with:
node-version: 20
- name: Install Rust stable
uses: dtolnay/rust-toolchain@stable
with:
target: "${{ matrix.settings.toolchain }}"
- uses: Swatinem/rust-cache@v2
with:
workspaces: "apps/desktop/src-tauri/target"
- name: install dependencies (ubuntu only)
if: matrix.settings.host == 'ubuntu-latest'
run: |
sudo apt-get update
sudo apt-get install -y libgtk-3-dev libwebkit2gtk-4.0-dev libappindicator3-dev librsvg2-dev patchelf
- uses: pnpm/action-setup@v2
with:
version: 8
- name: install frontend dependencies
run: pnpm install
- uses: tauri-apps/tauri-action@dev
env:
APPLE_ID: "${{ secrets.APPLE_ID }}"
APPLE_PASSWORD: "${{ secrets.APPLE_PASSWORD }}"
APPLE_TEAM_ID: "${{ secrets.APPLE_TEAM_ID }}"
APPLE_SIGNING_IDENTITY: "${{ secrets.APPLE_SIGNING_IDENTITY }}"
APPLE_CERTIFICATE: "${{ secrets.APPLE_CERTIFICATE }}"
APPLE_CERTIFICATE_PASSWORD: "${{ secrets.APPLE_CERTIFICATE_PASSWORD }}"
TAURI_PRIVATE_KEY: "${{ secrets.TAURI_PRIVATE_KEY }}"
TAURI_PUBLIC_KEY: "${{ secrets.TAURI_PUBLIC_KEY }}"
GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
with:
projectPath: "${{ env.APP_DIR }}"
releaseId: ${{ needs.create-release.outputs.release_id }}
args: --target ${{ matrix.settings.target }} --bundles ${{ matrix.settings.bundles }},updater
sign-windows:
runs-on: ubuntu-latest
needs: [create-release, build-tauri]
permissions:
contents: write
steps:
- uses: actions/checkout@v4
- name: setup node
uses: actions/setup-node@v4
with:
node-version: 20
- name: Install Rust stable
uses: dtolnay/rust-toolchain@stable
- uses: Swatinem/rust-cache@v2
- name: Install tauri cli
run: cargo install tauri-cli
- name: Download draft binaries
uses: actions/github-script@v7
with:
script: |
const { script } = await import('${{ github.workspace }}/scripts/actions/download-draft-bins.js')
const id = "${{ needs.create-release.outputs.release_id }}";
await script({ github, context }, id);
env:
# NOTE: we need this to download the bins
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Presign
run: |
ls -hal binaries
sha1sum binaries/*
- name: Sign Windows Binaries
run: |
echo "Starting code sign for windows bins..."
docker run -v "./binaries:/code/binaries" ghcr.io/hacksore/sslcom-codesign:latest batch_sign \
-username=${ES_USERNAME} \
-password=${ES_PASSWORD} \
-credential_id=${ES_CREDENTIAL_ID} \
-totp_secret=${ES_TOTP_SECRET} \
-input_dir_path="/code/binaries" \
-output_dir_path="/code/binaries/signed"
env:
ES_USERNAME: "${{ secrets.ES_USERNAME }}"
ES_PASSWORD: "${{ secrets.ES_PASSWORD }}"
ES_CREDENTIAL_ID: "${{ secrets.ES_CREDENTIAL_ID }}"
ES_TOTP_SECRET: "${{ secrets.ES_TOTP_SECRET }}"
- name: Postsign
run: |
ls -hal binaries/signed
sha1sum binaries/signed/*
# change the perms to 777 as the signer seems to change owner to root
chmod -R 777 binaries/signed
- name: Create a nsis.zip and msi.zip
run: |
# create a signature of the binaries with tauri signer, this does not mutate the original bin
# TODO: waiting for tauri to support env vars via https://github.com/tauri-apps/tauri/pull/8327
cargo tauri signer sign --password "" --private-key "${{ secrets.TAURI_PRIVATE_KEY }}" binaries/signed/*.msi
cargo tauri signer sign --password "" --private-key "${{ secrets.TAURI_PRIVATE_KEY }}" binaries/signed/*.exe
# zip the binaries using the name "Overlayed" and the version from the package.json
cd binaries/signed
zip -r "Overlayed_${{ env.PACKAGE_VERSION }}_x64_en-US.msi.zip" *.msi
zip -r "Overlayed_${{ env.PACKAGE_VERSION }}_x64_en-US.nsis.zip" *.exe
# debug
ls -hal binaries/signed
# TODO: patch the release json to include the new sig files content for
# "windows-x86_64"
env:
TAURI_PRIVATE_KEY: "${{ secrets.TAURI_PRIVATE_KEY }}"
TAURI_PUBLIC_KEY: "${{ secrets.TAURI_PUBLIC_KEY }}"
- name: Upload signed windows binaries
uses: actions/github-script@v7
with:
script: |
const { script } = await import('${{ github.workspace }}/scripts/actions/upload-signed-bins.js');
const id = "${{ needs.create-release.outputs.release_id }}";
await script({ github, context }, id);