release.yaml
# Release workflow. The only trigger is a manual dispatch; no push or tag
# event starts it.
name: 'Create Release'
on:
  # Allow manual
  workflow_dispatch:
concurrency:
  # One group per workflow + ref. A newer dispatch on the same ref cancels
  # the run that is still in progress.
  group: "${{ github.workflow }}-${{ github.ref }}"
  cancel-in-progress: true
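jobs:
  # Job 1: runs scripts/actions/create-release.js and publishes the script's
  # return value as the `release_id` output that the later jobs consume.
  create-release:
    permissions:
      contents: write
    runs-on: ubuntu-latest
    outputs:
      release_id: ${{ steps.create-release.outputs.result }}
    steps:
      - uses: actions/checkout@v4
      - name: setup node
        uses: actions/setup-node@v4
        with:
          node-version: 20
      - name: Get app version
        # Reads package.version from tauri.conf.json and exports it as
        # PACKAGE_VERSION for the following steps. "$GITHUB_ENV" is quoted so
        # the redirect target is never word-split.
        run: |
          echo "PACKAGE_VERSION=$(node -p "require('./apps/desktop/src-tauri/tauri.conf.json').package.version")" >> "$GITHUB_ENV"
      - name: Create release or skip
        id: create-release
        uses: actions/github-script@v7
        with:
          script: |
            const { script } = await import('${{ github.workspace }}/scripts/actions/create-release.js')
            return await script({ github, context });

  # Job 2: builds and bundles the desktop app on each host in the matrix and
  # hands the release id to tauri-action.
  #
  # NOTE(review): this job holds the Apple and Tauri signing secrets, and the
  # third-party actions below are referenced by mutable refs (`@stable`,
  # `@v2`, `@v3`, `@dev`). Pinning each to a full commit SHA
  # (`uses: owner/action@<FULL_COMMIT_SHA>  # vX.Y.Z`) keeps an upstream ref
  # move from changing what runs next to those secrets.
  build-tauri:
    name: Build (${{ matrix.settings.os }})
    needs: create-release
    permissions:
      contents: write
    strategy:
      fail-fast: false
      matrix:
        settings:
          - host: macos-latest
            target: universal-apple-darwin
            toolchain: aarch64-apple-darwin,x86_64-apple-darwin
            bundles: app,dmg
            os: darwin
          - host: windows-latest
            target: x86_64-pc-windows-msvc
            toolchain: x86_64-pc-windows-msvc
            bundles: msi,nsis
            os: windows
          - host: ubuntu-latest
            target: x86_64-unknown-linux-gnu
            toolchain: x86_64-unknown-linux-gnu
            bundles: deb,appimage
            os: linux
    env:
      APP_DIR: "apps/desktop"
    runs-on: ${{ matrix.settings.host }}
    steps:
      - uses: actions/checkout@v4
        with:
          # Keep the job token out of .git/config: `pnpm install` and the
          # native build run dependency code in this checkout, and no step
          # here pushes with git.
          persist-credentials: false
      - name: Setup node
        uses: actions/setup-node@v4
        with:
          node-version: 20
      - name: Install Rust stable
        uses: dtolnay/rust-toolchain@stable
        with:
          target: "${{ matrix.settings.toolchain }}"
      - uses: Swatinem/rust-cache@v2
        with:
          workspaces: "apps/desktop/src-tauri/target"
      - name: install dependencies (ubuntu only)
        if: matrix.settings.host == 'ubuntu-latest'
        run: |
          sudo apt-get update
          sudo apt-get install -y libgtk-3-dev libwebkit2gtk-4.1-dev libappindicator3-dev librsvg2-dev patchelf
      - uses: pnpm/action-setup@v3
        with:
          version: 9
      - name: install frontend dependencies
        run: pnpm install
      # NOTE(review): `@dev` is a branch ref, and this is the step that
      # receives every signing secret below; it is the first one to pin.
      - uses: tauri-apps/tauri-action@dev
        env:
          APPLE_ID: "${{ secrets.APPLE_ID }}"
          APPLE_PASSWORD: "${{ secrets.APPLE_PASSWORD }}"
          APPLE_TEAM_ID: "${{ secrets.APPLE_TEAM_ID }}"
          APPLE_SIGNING_IDENTITY: "${{ secrets.APPLE_SIGNING_IDENTITY }}"
          APPLE_CERTIFICATE: "${{ secrets.APPLE_CERTIFICATE }}"
          APPLE_CERTIFICATE_PASSWORD: "${{ secrets.APPLE_CERTIFICATE_PASSWORD }}"
          TAURI_SIGNING_PRIVATE_KEY: "${{ secrets.TAURI_SIGNING_PRIVATE_KEY }}"
          TAURI_SIGNING_PUBLIC_KEY: "${{ secrets.TAURI_SIGNING_PUBLIC_KEY }}"
          GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
          # NOTE(review): Vite inlines VITE_-prefixed variables into the
          # client bundle wherever the frontend reads them through
          # import.meta.env. Confirm both tokens are scoped to be shipped
          # inside the distributed app.
          VITE_AXIOM_TOKEN: "${{ secrets.VITE_AXIOM_TOKEN }}"
          VITE_SENTRY_AUTH_TOKEN: "${{ secrets.VITE_SENTRY_AUTH_TOKEN }}"
        with:
          projectPath: "${{ env.APP_DIR }}"
          releaseId: ${{ needs.create-release.outputs.release_id }}
          args: --target ${{ matrix.settings.target }} --bundles ${{ matrix.settings.bundles }},updater

  # Job 3: downloads the draft release binaries, signs them with the SSL.com
  # CodeSigner container, and uploads the signed files back to the release.
  sign-windows:
    runs-on: ubuntu-latest
    needs: [create-release, build-tauri]
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@v4
      # The release id reaches the script through the environment instead of
      # being templated into the JavaScript source, so the value is always
      # treated as data. It is still a string, as it was when interpolated
      # between quotes.
      - name: Download draft binaries
        uses: actions/github-script@v7
        with:
          script: |
            const { script } = await import('${{ github.workspace }}/scripts/actions/download-draft-bins.js')
            const id = process.env.RELEASE_ID;
            await script({ github, context }, id);
        env:
          # NOTE: we need this to download the bins
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          RELEASE_ID: "${{ needs.create-release.outputs.release_id }}"
      # Pre-sign inventory for the job log. SHA-256 replaces SHA-1 so the
      # logged digests can serve as an integrity record of what was signed.
      - name: Presign
        run: |
          ls -hal binaries
          sha256sum binaries/*
      # Each credential expansion is double-quoted: unquoted, a secret that
      # contains whitespace or glob characters would be split or expanded by
      # the shell before it reaches the signer.
      #
      # NOTE(review): `:latest` is a mutable tag on the image that receives
      # the signing credentials. Prefer a digest pin:
      # ghcr.io/sslcom/codesigner@sha256:<IMAGE_DIGEST>
      - name: Sign Windows Binaries
        run: |
          echo "Starting code sign for windows bins..."
          docker run -v "./binaries:/code/binaries" ghcr.io/sslcom/codesigner:latest batch_sign \
            -username="${ES_USERNAME}" \
            -password="${ES_PASSWORD}" \
            -credential_id="${ES_CREDENTIAL_ID}" \
            -totp_secret="${ES_TOTP_SECRET}" \
            -input_dir_path="/code/binaries" \
            -output_dir_path="/code/binaries/signed"
        env:
          ES_USERNAME: "${{ secrets.ES_USERNAME }}"
          ES_PASSWORD: "${{ secrets.ES_PASSWORD }}"
          ES_CREDENTIAL_ID: "${{ secrets.ES_CREDENTIAL_ID }}"
          ES_TOTP_SECRET: "${{ secrets.ES_TOTP_SECRET }}"
      # Post-sign inventory, using the same digest as the pre-sign step.
      - name: Postsign
        run: |
          ls -hal binaries/signed
          sha256sum binaries/signed/*
      - name: Upload signed windows binaries
        uses: actions/github-script@v7
        with:
          script: |
            const { script } = await import('${{ github.workspace }}/scripts/actions/upload-signed-bins.js');
            const id = process.env.RELEASE_ID;
            await script({ github, context }, id);
        env:
          RELEASE_ID: "${{ needs.create-release.outputs.release_id }}"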