Release #15
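# Manually triggered release pipeline: cross-compile the binaries, sign and
# notarize the macOS ones, then tag the commit and publish a GitHub Release.
#
# NOTE(review): every `uses:` below references a mutable tag (v4 / v5).
# Pinning each action to a full commit SHA keeps a re-pointed tag from
# changing what runs in the jobs that hold the signing secrets and the
# write-scoped token.
name: Release

on:
  workflow_dispatch:

# Default GITHUB_TOKEN scope for every job. Only the `release` job pushes a
# tag and creates a release, so write access is granted there and nowhere else.
permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    # Releases are cut from main only. The later jobs `needs` this one, so
    # they do not run when it is skipped.
    if: github.ref == 'refs/heads/main'
    outputs:
      version: ${{ steps.version.outputs.version }}
      changelog: ${{ steps.version.outputs.changelog }}
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          # Full history; presumably required by get_last_tag / get_changelog
          # in .ci/release.sh (not visible here).
          fetch-depth: 0
          # This job never pushes, so do not leave the token in .git/config
          # where the sourced script and the build could read it.
          persist-credentials: false

      - name: Compute next version
        id: version
        run: |
          source .ci/release.sh
          LAST_TAG="$(get_last_tag)"
          CHANGELOG="$(get_changelog "$LAST_TAG")"
          NEXT_VERSION="$(compute_next_version "$LAST_TAG" "$CHANGELOG")"
          echo "version=$NEXT_VERSION" >> "$GITHUB_OUTPUT"
          # Multiline changelog output. The changelog is derived from
          # repository history, so the heredoc delimiter is random: with a
          # fixed marker, a changelog line equal to that marker would end the
          # value early and the remaining lines would be parsed as further
          # outputs (including a second `version=`).
          DELIMITER="changelog_$(openssl rand -hex 16)"
          {
            echo "changelog<<$DELIMITER"
            printf '%s\n' "$CHANGELOG"
            echo "$DELIMITER"
          } >> "$GITHUB_OUTPUT"
          echo "Next version: $NEXT_VERSION"

      - name: Set up Go
        uses: actions/setup-go@v5
        with:
          go-version: '1.26'

      - name: Cross-compile binaries
        # The version reaches the script through the environment rather than
        # being expanded into the script text.
        env:
          VERSION: ${{ steps.version.outputs.version }}
          LDFLAGS: "-s -w -X main.version=${{ steps.version.outputs.version }}"
        run: |
          mkdir -p dist
          # One entry per target: "<GOOS> <GOARCH> <file extension>".
          targets=(
            "darwin amd64 "
            "darwin arm64 "
            "linux amd64 "
            "linux arm64 "
            "windows amd64 .exe"
          )
          for target in "${targets[@]}"; do
            read -r os arch ext <<< "$target"
            output="dist/hourgit-${os}-${arch}-${VERSION}${ext}"
            echo "Building $output ..."
            CGO_ENABLED=0 GOOS="$os" GOARCH="$arch" \
              go build -ldflags="$LDFLAGS" -o "$output" ./cmd/hourgit
          done

      - name: Upload build artifacts
        uses: actions/upload-artifact@v4
        with:
          name: binaries
          path: dist/
          retention-days: 1

  sign-macos:
    runs-on: macos-latest
    needs: build
    # This job holds the signing and notarization secrets and never touches
    # the repository, so it runs without any GITHUB_TOKEN permissions.
    permissions: {}
    steps:
      - name: Download build artifacts
        uses: actions/download-artifact@v4
        with:
          name: binaries
          path: dist/

      - name: Import code signing certificate
        env:
          APPLE_CERTIFICATE_BASE64: ${{ secrets.APPLE_CERTIFICATE_BASE64 }}
          APPLE_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
        run: |
          # Decode certificate
          CERTIFICATE_PATH="$RUNNER_TEMP/certificate.p12"
          echo "$APPLE_CERTIFICATE_BASE64" | base64 --decode > "$CERTIFICATE_PATH"
          # Create temporary keychain (empty password; it exists only for
          # this job and is deleted by the cleanup step below)
          KEYCHAIN_PATH="$RUNNER_TEMP/build.keychain"
          security create-keychain -p "" "$KEYCHAIN_PATH"
          security set-keychain-settings "$KEYCHAIN_PATH"
          security unlock-keychain -p "" "$KEYCHAIN_PATH"
          # Import certificate; only codesign is allowed to use the key
          security import "$CERTIFICATE_PATH" \
            -k "$KEYCHAIN_PATH" \
            -P "$APPLE_CERTIFICATE_PASSWORD" \
            -T /usr/bin/codesign
          # The key now lives in the keychain; drop the decoded .p12
          rm -f "$CERTIFICATE_PATH"
          # Allow codesign to access the keychain
          security set-key-partition-list -S apple-tool:,apple: -k "" "$KEYCHAIN_PATH"
          security list-keychains -d user -s "$KEYCHAIN_PATH" login.keychain

      - name: Sign macOS binaries
        env:
          VERSION: ${{ needs.build.outputs.version }}
        run: |
          # Find the signing identity
          IDENTITY=$(security find-identity -v -p codesigning "$RUNNER_TEMP/build.keychain" | grep "Developer ID Application" | head -1 | sed -E 's/.*"(.+)"/\1/')
          # Fail with a clear message instead of handing codesign an empty
          # identity when the certificate import did not yield one.
          if [ -z "$IDENTITY" ]; then
            echo "::error::No Developer ID Application identity found in the build keychain"
            exit 1
          fi
          echo "Signing with identity: $IDENTITY"
          for arch in amd64 arm64; do
            BINARY="dist/hourgit-darwin-${arch}-${VERSION}"
            echo "Signing $BINARY ..."
            codesign --force --options runtime --sign "$IDENTITY" --timestamp "$BINARY"
            echo "Verifying signature ..."
            # --verify checks the signature and fails the step if it is
            # invalid; -dvv only prints the signing details.
            codesign --verify --strict --verbose=2 "$BINARY"
            codesign -dvv "$BINARY"
          done

      - name: Notarize macOS binaries
        env:
          VERSION: ${{ needs.build.outputs.version }}
          APPLE_ID: ${{ secrets.APPLE_ID }}
          APPLE_ID_PASSWORD: ${{ secrets.APPLE_ID_PASSWORD }}
          APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
        run: |
          # NOTE(review): confirm that this step fails when notarytool reports
          # a status other than Accepted; `--wait` returning does not by
          # itself show that the submission was accepted.
          for arch in amd64 arm64; do
            BINARY="dist/hourgit-darwin-${arch}-${VERSION}"
            ZIP="$RUNNER_TEMP/hourgit-darwin-${arch}.zip"
            echo "Creating ZIP for notarization: $ZIP"
            zip -j "$ZIP" "$BINARY"
            echo "Submitting for notarization ..."
            xcrun notarytool submit "$ZIP" \
              --apple-id "$APPLE_ID" \
              --password "$APPLE_ID_PASSWORD" \
              --team-id "$APPLE_TEAM_ID" \
              --wait
          done

      - name: Remove signing material
        # Runs even when signing or notarization failed, so the key does not
        # outlive the steps that need it.
        if: always()
        run: |
          security delete-keychain "$RUNNER_TEMP/build.keychain" || true
          rm -f "$RUNNER_TEMP/certificate.p12"

      - name: Upload signed artifacts
        uses: actions/upload-artifact@v4
        with:
          name: binaries-signed
          path: dist/
          retention-days: 1

  release:
    runs-on: ubuntu-latest
    needs: [build, sign-macos]
    # The only job that pushes a tag and creates a release.
    permissions:
      contents: write
    steps:
      - name: Checkout
        # Credentials stay persisted here (the action's default) because the
        # "Create tag" step pushes to origin.
        uses: actions/checkout@v4
        with:
          fetch-depth: 0

      - name: Download signed artifacts
        uses: actions/download-artifact@v4
        with:
          name: binaries-signed
          path: dist/

      - name: Generate checksums
        # SHA256SUMS is published in the same release as the binaries, so it
        # detects corrupted downloads but is not an independent integrity
        # anchor for the release itself.
        run: |
          cd dist
          sha256sum * > SHA256SUMS
          cat SHA256SUMS

      - name: Create tag
        env:
          VERSION: ${{ needs.build.outputs.version }}
        run: |
          git config user.name "github-actions[bot]"
          git config user.email "github-actions[bot]@users.noreply.github.com"
          git tag -a "$VERSION" -m "Release $VERSION"
          git push origin "$VERSION"

      - name: Create GitHub Release
        # Version and changelog are passed as environment variables and
        # quoted in the command, so their content is never parsed as shell.
        env:
          GH_TOKEN: ${{ github.token }}
          VERSION: ${{ needs.build.outputs.version }}
          CHANGELOG: ${{ needs.build.outputs.changelog }}
        run: |
          gh release create "$VERSION" dist/* \
            --title "$VERSION" \
            --notes "$CHANGELOG"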