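name: Release

# Builds, signs and publishes a *draft* GitHub release for every `v*` tag
# (one matrix entry per target platform). This job handles the project's most
# sensitive credentials — the Windows EV signing certificate (via GCP KMS), the
# Apple signing/notarization identity and the Tauri updater private key — so it
# should run only from protected tags (enable tag protection for `v*` so that
# only release managers can push them) and only with pinned dependencies.
#
# NOTE(security): every third-party action below is referenced by a mutable tag
# (`@v4`, `@stable`, `@v2`, `@v0`). A compromised or force-moved tag would run
# attacker-controlled code with access to the signing secrets and the OIDC
# token. Pin each `uses:` to a full-length commit SHA (with the tag in a trailing
# comment) and let Dependabot/Renovate bump the pins.
on:
  push:
    tags:
      - "v*"
  # When dispatched manually from a branch, `github.ref_name` is the branch
  # name: the version-sync step below is skipped and tauri-action is handed the
  # branch name as `tagName`. Prefer dispatching from a `v*` tag.
  workflow_dispatch:

permissions:
  contents: write
  id-token: write  # GCP workload identity for Windows code signing

jobs:
  release:
    strategy:
      fail-fast: false
      matrix:
        include:
          - platform: macos-latest
            args: "--target aarch64-apple-darwin"
            rust_target: aarch64-apple-darwin
          - platform: macos-latest
            args: "--target x86_64-apple-darwin"
            rust_target: x86_64-apple-darwin
          - platform: ubuntu-22.04
            args: ""
            rust_target: ""
          - platform: windows-latest
            args: ""
            rust_target: ""
    runs-on: ${{ matrix.platform }}
    steps:
      - uses: actions/checkout@v4
        with:
          # Nothing in this job pushes back over git (tauri-action publishes
          # through the API with GITHUB_TOKEN), so do not leave the
          # `contents: write` token in .git/config where build scripts can read it.
          persist-credentials: false
      - name: Sync version from git tag
        if: startsWith(github.ref, 'refs/tags/v')
        shell: bash
        run: |
          # Extract version from tag (strip leading 'v')
          VERSION="${GITHUB_REF_NAME#v}"
          # Only accept semver-shaped versions. Besides matching what Tauri
          # expects, this rejects characters such as '/', '&' and '"' that would
          # otherwise be spliced unescaped into the sed replacements below.
          semver_re='^[0-9]+\.[0-9]+\.[0-9]+([-+][0-9A-Za-z.+-]+)?$'
          if [[ ! "$VERSION" =~ $semver_re ]]; then
            echo "::error::Tag '$GITHUB_REF_NAME' is not a semver tag (expected vMAJOR.MINOR.PATCH[-pre][+build])" >&2
            exit 1
          fi
          echo "VERSION=$VERSION" >> "$GITHUB_ENV"
          # Update tauri.conf.json
          cd src-tauri
          sed -i.bak 's/"version": "[^"]*"/"version": "'"$VERSION"'"/' tauri.conf.json && rm -f tauri.conf.json.bak
          # Update Cargo.toml (only the first version = line, i.e. the package version)
          sed -i.bak '0,/^version = ".*"/s//version = "'"$VERSION"'"/' Cargo.toml && rm -f Cargo.toml.bak
          echo "Set version to $VERSION"
      - uses: actions/setup-node@v4
        with:
          node-version: "20"
          cache: "npm"
      - name: Install Rust stable
        uses: dtolnay/rust-toolchain@stable
        with:
          targets: ${{ matrix.rust_target }}
      - uses: swatinem/rust-cache@v2
        with:
          workspaces: "src-tauri -> target"
      - name: Install Linux dependencies
        if: matrix.platform == 'ubuntu-22.04'
        run: |
          sudo apt-get update
          sudo apt-get install -y \
            libwebkit2gtk-4.1-dev \
            libappindicator3-dev \
            librsvg2-dev \
            patchelf \
            rpm
      # npm lifecycle scripts run here, before any signing secret is in the
      # environment — keep it that way (do not move secrets above this step).
      - run: npm ci
      # --- Windows EV code signing via GCP Cloud KMS ---
      - name: Setup Windows code signing
        id: windows_signing
        if: matrix.platform == 'windows-latest'
        uses: ./.github/actions/setup-windows-signing
        with:
          ev_signing_cert: ${{ secrets.EV_SIGNING_CERT }}
          gcp_workload_id_provider: ${{ vars.GCP_WORKLOAD_ID_PROVIDER }}
          gcp_service_account: ${{ vars.GCP_SERVICE_ACCOUNT }}
      - name: Configure Tauri Windows signCommand
        # JSIGN_PATH is expected to be exported by the composite action above
        # (via GITHUB_ENV) — confirm that is where it comes from.
        if: matrix.platform == 'windows-latest' && env.JSIGN_PATH != ''
        shell: pwsh
        run: |
          # Resolve absolute paths — Tauri's bundler uses std::process::Command
          # (no shell) so bare names like 'pwsh' fail PATH lookup on Windows.
          $pwshPath = (Get-Command pwsh).Source -replace '\\', '/'
          $scriptPath = (Resolve-Path "scripts/sign-windows.ps1").Path -replace '\\', '/'
          $config = @{
            bundle = @{
              windows = @{
                signCommand = @{
                  cmd = $pwshPath
                  args = @("-File", $scriptPath, "%1")
                }
              }
            }
          } | ConvertTo-Json -Depth 10
          $config | Set-Content signing.conf.json
          # Safe to echo: the config holds only interpreter/script paths, no secrets.
          Write-Host "signing.conf.json:"
          Get-Content signing.conf.json
          Add-Content -Path $env:GITHUB_ENV -Value "SIGNING_ARGS=--config signing.conf.json"
      - uses: tauri-apps/tauri-action@v0
        # NOTE(security): everything in this `env` block is visible to the
        # frontend build and to every Cargo build script / proc-macro compiled
        # by this step. A malicious transitive dependency could read the Apple
        # certificate, the updater private key or the KMS access token. Review
        # lockfile changes carefully and keep the secrets scoped to this step.
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          # Enable bundler debug logging — sign command stdout/stderr is
          # swallowed on failure; RUST_LOG surfaces the command invocation.
          RUST_LOG: tauri_bundler=debug
          # macOS signing & notarization (optional — skipped if not set)
          APPLE_CERTIFICATE: ${{ secrets.MACOS_CERTIFICATE }}
          APPLE_CERTIFICATE_PASSWORD: ${{ secrets.MACOS_CERTIFICATE_PWD }}
          APPLE_SIGNING_IDENTITY: ${{ secrets.APPLE_SIGNING_IDENTITY }}
          APPLE_ID: ${{ secrets.APPLE_ID }}
          APPLE_PASSWORD: ${{ secrets.APPLE_PASSWORD }}
          APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
          # Windows EV signing env vars (used by scripts/sign-windows.ps1)
          EV_KEYSTORE: ${{ vars.EV_KEYSTORE }}
          EV_KEY: ${{ vars.EV_KEY }}
          EV_TSA_URL: ${{ vars.EV_TSA_URL }}
          # Short-lived GCP token carried as a step *output*. Step outputs are
          # not masked automatically — confirm setup-windows-signing emits
          # `::add-mask::` for it before `$GITHUB_OUTPUT`, or it can land in logs.
          GCLOUD_ACCESS_TOKEN: ${{ steps.windows_signing.outputs.gcloud_access_token }}
          # Updater signing (optional — only set when the secret exists)
          TAURI_SIGNING_PRIVATE_KEY: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY || '' }}
          TAURI_SIGNING_PRIVATE_KEY_PASSWORD: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY_PASSWORD || '' }}
        with:
          tagName: ${{ github.ref_name }}
          releaseName: "PR Buddy ${{ github.ref_name }}"
          releaseBody: "See the assets below to download and install this version."
          # Draft first: a human reviews the signed artifacts before publishing.
          releaseDraft: true
          prerelease: false
          args: ${{ matrix.args }} ${{ env.SIGNING_ARGS }}
      # Dump sign script log on failure — Tauri bundler swallows subprocess
      # stdout/stderr when the sign command exits non-zero, making failures
      # invisible. The script writes a transcript to $RUNNER_TEMP/sign-windows.log.
      # NOTE(review): a PowerShell transcript records every command line; make
      # sure scripts/sign-windows.ps1 never passes GCLOUD_ACCESS_TOKEN or the
      # certificate on a command line, or this dump would print them.
      - name: Dump signing log on failure
        if: failure() && matrix.platform == 'windows-latest'
        shell: pwsh
        run: |
          $logFile = Join-Path $env:RUNNER_TEMP "sign-windows.log"
          if (Test-Path $logFile) {
            Write-Host "=== sign-windows.log ==="
            Get-Content $logFile
            Write-Host "=== end sign-windows.log ==="
          } else {
            Write-Host "No sign-windows.log found at $logFile"
            Write-Host "Sign script may not have been invoked, or RUNNER_TEMP differs."
            Write-Host "Checking TEMP fallback..."
            $fallback = Join-Path $env:TEMP "sign-windows.log"
            if (Test-Path $fallback) {
              Get-Content $fallback
            } else {
              Write-Host "No log file found at $fallback either."
            }
          }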