Configure Tauri updater signing for releases (#13) #3
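---
# Release workflow: builds the Tauri app for macOS (arm64 + x86_64), Linux and
# Windows and publishes the bundles as a draft GitHub release.
#
# Triggers: a push of a "v*" tag, or a manual workflow_dispatch. Note that a
# manual run carries the same contents: write permission and creates a draft
# release tagged v__VERSION__ from whatever ref it was dispatched on — restrict
# who may dispatch it (environment/branch rules) if that is not intended.
name: Release

on:  # yamllint disable-line rule:truthy
  push:
    tags:
      - "v*"
  workflow_dispatch:

# Permissions apply to the single job below. id-token: write is what lets the
# Windows leg mint an OIDC token for GCP workload identity federation.
permissions:
  contents: write
  id-token: write # GCP workload identity for Windows code signing

jobs:
  release:
    strategy:
      # Keep building the other platforms when one leg fails, so a single
      # broken signer does not block every artefact.
      fail-fast: false
      matrix:
        include:
          - platform: macos-latest
            args: "--target aarch64-apple-darwin"
            rust_target: aarch64-apple-darwin
          - platform: macos-latest
            args: "--target x86_64-apple-darwin"
            rust_target: x86_64-apple-darwin
          - platform: ubuntu-22.04
            args: ""
            rust_target: ""
          - platform: windows-latest
            args: ""
            rust_target: ""
    runs-on: ${{ matrix.platform }}
    steps:
      # NOTE(review): every third-party action in this job is referenced by a
      # mutable tag (@v4, @v2, @stable, @v0). This job holds signing
      # credentials and an OIDC token, so pin each action to a full commit SHA
      # (with the version as a trailing comment) so a moved tag upstream cannot
      # change the code that runs here.
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: "20"
          cache: "npm"
      - name: Install Rust stable
        uses: dtolnay/rust-toolchain@stable
        with:
          targets: ${{ matrix.rust_target }}
      - uses: swatinem/rust-cache@v2
        with:
          workspaces: "src-tauri -> target"
      - name: Install Linux dependencies
        if: matrix.platform == 'ubuntu-22.04'
        run: |
          sudo apt-get update
          sudo apt-get install -y \
            libwebkit2gtk-4.1-dev \
            libappindicator3-dev \
            librsvg2-dev \
            patchelf \
            rpm
      - run: npm ci
      # --- Windows EV code signing via GCP Cloud KMS ---
      # The composite action receives the EV certificate and the workload
      # identity provider / service account it should federate as; its
      # gcloud_access_token output is consumed by the tauri-action step below.
      # NOTE(review): step outputs are not masked in logs automatically — the
      # composite action should register the token with ::add-mask:: (confirm).
      - name: Setup Windows code signing
        id: windows_signing
        if: matrix.platform == 'windows-latest'
        uses: ./.github/actions/setup-windows-signing
        with:
          ev_signing_cert: ${{ secrets.EV_SIGNING_CERT }}
          gcp_workload_id_provider: ${{ vars.GCP_WORKLOAD_ID_PROVIDER }}
          gcp_service_account: ${{ vars.GCP_SERVICE_ACCOUNT }}
      # Only wires up signCommand when JSIGN_PATH was exported (presumably via
      # GITHUB_ENV by the setup action above — confirm). If it is absent this
      # step is skipped and the Windows bundle ships unsigned rather than
      # failing; make sure that is the intended fallback for a release job.
      - name: Configure Tauri Windows signCommand
        if: matrix.platform == 'windows-latest' && env.JSIGN_PATH != ''
        shell: bash
        run: |
          cat > signing.conf.json << 'EOF'
          {
            "bundle": {
              "windows": {
                "signCommand": "powershell -File scripts/sign-windows.ps1 \"%1\""
              }
            }
          }
          EOF
          echo "SIGNING_ARGS=--config signing.conf.json" >> "$GITHUB_ENV"
      # Everything in this env block is visible to the build tauri-action runs
      # (frontend build scripts, cargo build scripts, the signCommand), not just
      # to tauri-action itself. Keep the GCP service account limited to KMS
      # signing and the Apple/updater secrets limited to this workflow.
      - uses: tauri-apps/tauri-action@v0
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          # macOS signing & notarization (optional — skipped if not set)
          APPLE_CERTIFICATE: ${{ secrets.MACOS_CERTIFICATE }}
          APPLE_CERTIFICATE_PASSWORD: ${{ secrets.MACOS_CERTIFICATE_PWD }}
          APPLE_SIGNING_IDENTITY: ${{ secrets.APPLE_SIGNING_IDENTITY }}
          APPLE_ID: ${{ secrets.APPLE_ID }}
          APPLE_PASSWORD: ${{ secrets.APPLE_PASSWORD }}
          APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
          # Windows EV signing env vars (used by scripts/sign-windows.ps1)
          EV_KEYSTORE: ${{ vars.EV_KEYSTORE }}
          EV_KEY: ${{ vars.EV_KEY }}
          EV_TSA_URL: ${{ vars.EV_TSA_URL }}
          GCLOUD_ACCESS_TOKEN: ${{ steps.windows_signing.outputs.gcloud_access_token }}
          # Updater signing (optional). The private key is what makes update
          # manifests verifiable by installed clients; rotating it means
          # re-shipping the matching public key in tauri.conf.json.
          TAURI_SIGNING_PRIVATE_KEY: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY }}
          TAURI_SIGNING_PRIVATE_KEY_PASSWORD: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY_PASSWORD }}
        with:
          tagName: v__VERSION__
          releaseName: "PR Buddy v__VERSION__"
          releaseBody: "See the assets below to download and install this version."
          # Draft release: assets are not public until a human publishes them.
          releaseDraft: true
          prerelease: false
          # SIGNING_ARGS is empty unless the signCommand step above ran.
          args: ${{ matrix.args }} ${{ env.SIGNING_ARGS }}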