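---
# Release pipeline for the desktop dashboard: builds Tauri bundles for each
# platform (signed and notarized on macOS), uploads them to a draft GitHub
# release, then copies the updater manifest (latest.json) to gh-pages so the
# in-app updater endpoint keeps serving the newest signed manifest.
name: Dashboard Release

on:  # yamllint disable-line rule:truthy
  push:
    tags:
      - "dashboard-v*"
  # NOTE(review): when dispatched from a branch, github.ref_name is the branch
  # name, so tagName/releaseName below and the release lookup in
  # deploy-updater would use that branch name. Dispatch from an existing
  # dashboard-v* tag, or guard the jobs with startsWith(github.ref,
  # 'refs/tags/') — confirm the intended usage before tightening.
  workflow_dispatch:

# Creating the release, uploading assets and pushing gh-pages all need
# contents: write; no other scope is used by either job.
permissions:
  contents: write

env:
  # Workflow env values are strings; quoting keeps YAML from reading a boolean.
  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true"

jobs:
  build:
    name: Build Dashboard (${{ matrix.settings.label }})
    strategy:
      # Let every platform finish so one broken target does not hide the others.
      fail-fast: false
      matrix:
        settings:
          - host: macos-latest
            target: aarch64-apple-darwin
            label: macOS ARM64
            arch: arm64
          - host: macos-latest
            target: x86_64-apple-darwin
            label: macOS Intel
            arch: x64
          - host: ubuntu-22.04
            target: x86_64-unknown-linux-gnu
            label: Linux x64
            arch: x64
          - host: windows-latest
            target: x86_64-pc-windows-msvc
            label: Windows x64
            arch: x64
    runs-on: ${{ matrix.settings.host }}
    steps:
      # NOTE(review): the third-party actions in this job are pinned to
      # mutable tags (@v4, @v2, @stable, @v0) and bun to `latest`. For a job
      # that holds signing keys, pinning actions to a full commit SHA and bun
      # to an explicit version makes the build reproducible and limits what a
      # compromised upstream tag could change.
      - uses: actions/checkout@v4
      - uses: oven-sh/setup-bun@v2
        with:
          bun-version: latest
      - name: Install Rust stable
        uses: dtolnay/rust-toolchain@stable
        with:
          targets: ${{ matrix.settings.target }}
      - name: Install Linux dependencies
        if: contains(matrix.settings.host, 'ubuntu')
        run: |
          sudo apt-get update
          sudo apt-get install -y libwebkit2gtk-4.1-dev libappindicator3-dev librsvg2-dev patchelf
      - name: Install dependencies
        run: bun install
      # macOS: import Apple certificate for code signing
      - name: Import Apple certificate
        if: contains(matrix.settings.host, 'macos')
        env:
          APPLE_CERTIFICATE: ${{ secrets.APPLE_CERTIFICATE }}
          APPLE_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
        run: |
          CERTIFICATE_PATH="$RUNNER_TEMP/certificate.p12"
          KEYCHAIN_PATH="$RUNNER_TEMP/app-signing.keychain-db"
          # Throw-away password for a job-scoped keychain; never needed again.
          KEYCHAIN_PASSWORD=$(openssl rand -base64 32)
          # Decode the base64 secret into a file only this user can read.
          echo -n "$APPLE_CERTIFICATE" | base64 --decode -o "$CERTIFICATE_PATH"
          chmod 600 "$CERTIFICATE_PATH"
          security create-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
          # -lut 21600: lock on sleep / after 21600 s (6 h) of inactivity, long
          # enough for the build step below to sign without re-prompting.
          security set-keychain-settings -lut 21600 "$KEYCHAIN_PATH"
          security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
          security import "$CERTIFICATE_PATH" -P "$APPLE_CERTIFICATE_PASSWORD" -A -t cert -f pkcs12 -k "$KEYCHAIN_PATH"
          # Allow Apple's signing tools to use the key without a UI prompt.
          security set-key-partition-list -S apple-tool:,apple: -k "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
          security list-keychain -d user -s "$KEYCHAIN_PATH"
          # Extract signing identity — MUST be "Developer ID Application", not "Apple Development".
          # The default runner shell is `bash -eo pipefail`, so a grep with no
          # match would abort the step here and the diagnostic below would never
          # run; `|| true` lets the explicit emptiness check report the problem.
          IDENTITY=$(security find-identity -v -p codesigning "$KEYCHAIN_PATH" | grep "Developer ID Application" | head -1 | sed 's/.*"\(.*\)".*/\1/' || true)
          if [ -z "$IDENTITY" ]; then
            echo "::error::No 'Developer ID Application' certificate found in keychain. Check APPLE_CERTIFICATE secret."
            security find-identity -v -p codesigning "$KEYCHAIN_PATH"
            exit 1
          fi
          echo "Found signing identity: $IDENTITY"
          # Exported for the build step via GITHUB_ENV (read as env.APPLE_SIGNING_IDENTITY).
          echo "APPLE_SIGNING_IDENTITY=$IDENTITY" >> "$GITHUB_ENV"
      # macOS: write App Store Connect API key for notarization
      - name: Write Apple API key
        if: contains(matrix.settings.host, 'macos')
        env:
          APPLE_API_KEY_CONTENT: ${{ secrets.APPLE_API_KEY_CONTENT }}
        run: |
          mkdir -p "$RUNNER_TEMP"
          # Private key material: restrict the file to the current user.
          echo "$APPLE_API_KEY_CONTENT" > "$RUNNER_TEMP/apple-api-key.p8"
          chmod 600 "$RUNNER_TEMP/apple-api-key.p8"
      - name: Build and upload artifacts
        uses: tauri-apps/tauri-action@v0
        timeout-minutes: 60
        with:
          projectPath: packages/dashboard
          tauriScript: bunx tauri
          args: "--target ${{ matrix.settings.target }}"
          updaterJsonPreferNsis: true
          # The release is keyed on the pushed tag; see the workflow_dispatch note.
          tagName: ${{ github.ref_name }}
          releaseName: "Dashboard ${{ github.ref_name }}"
          # Assets land on a draft so a human can review before publishing.
          releaseDraft: true
          assetNamePattern: "magic-context-dashboard-[platform]-${{ matrix.settings.arch }}[ext]"
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          # Tauri updater signature keys (sign latest.json and the bundles).
          TAURI_SIGNING_PRIVATE_KEY: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY }}
          TAURI_SIGNING_PRIVATE_KEY_PASSWORD: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY_PASSWORD }}
          # macOS code signing + notarization
          # NOTE(review): APPLE_CERTIFICATE/APPLE_CERTIFICATE_PASSWORD are passed
          # here as well as being imported into the keychain above; the Tauri
          # bundler may re-import the certificate into its own temporary
          # keychain when these are set. Confirm which path is actually used and
          # drop the redundant one so the key is handled in a single place.
          APPLE_CERTIFICATE: ${{ secrets.APPLE_CERTIFICATE }}
          APPLE_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
          APPLE_SIGNING_IDENTITY: ${{ env.APPLE_SIGNING_IDENTITY }}
          APPLE_API_ISSUER: ${{ secrets.APPLE_API_ISSUER }}
          APPLE_API_KEY: ${{ secrets.APPLE_API_KEY }}
          APPLE_API_KEY_PATH: ${{ runner.temp }}/apple-api-key.p8
      # macOS: remove the signing keychain and key files from the runner even
      # when the build failed, so no key material outlives the job.
      - name: Clean up signing keychain
        if: always() && contains(matrix.settings.host, 'macos')
        run: |
          security delete-keychain "$RUNNER_TEMP/app-signing.keychain-db" || true
          rm -f "$RUNNER_TEMP/certificate.p12" "$RUNNER_TEMP/apple-api-key.p8"

  # Deploy latest.json to gh-pages for the updater endpoint.
  #
  # Tauri's updater endpoint lives at https://cortexkit.github.io/magic-context/latest.json.
  # That URL must keep serving the latest signed manifest after every dashboard
  # release. We deploy ONLY latest.json by staging it in an isolated directory
  # and pointing publish_dir at that directory — previous configs used
  # `publish_dir: .` together with the (non-existent) `include_files` input,
  # which silently published the entire repo checkout to gh-pages on every
  # release.
  deploy-updater:
    name: Deploy updater manifest
    # Runs only after every matrix leg of `build` has succeeded.
    needs: build
    runs-on: ubuntu-latest
    steps:
      # The checkout gives `gh` its repository context for the release lookup.
      - uses: actions/checkout@v4
      - name: Download latest.json from release (with retry)
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          # Passed through env rather than interpolated into the script so the
          # ref name is never expanded inside shell syntax.
          TAG: ${{ github.ref_name }}
        run: |
          mkdir -p _updater_publish
          OUT=_updater_publish/latest.json
          # Retry up to 20×15s (5 minutes) — first-time uploads of large
          # platform binaries can take longer than a single fixed sleep,
          # and tauri-action publishes assets in parallel.
          for attempt in $(seq 1 20); do
            if gh release download "$TAG" --pattern "latest.json" --output "$OUT" --clobber 2>/dev/null; then
              echo "✓ downloaded latest.json on attempt $attempt"
              cat "$OUT"
              exit 0
            fi
            echo "attempt $attempt: latest.json not yet available, sleeping 15s…"
            sleep 15
          done
          echo "::error::latest.json never became available on release $TAG"
          exit 1
      - name: Deploy to gh-pages
        uses: peaceiris/actions-gh-pages@v4
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}
          # Publish ONLY the staging dir, which contains exactly one file:
          # latest.json. Anything else in the workspace stays out of gh-pages.
          publish_dir: ./_updater_publish
          publish_branch: gh-pages
          # keep_files: true preserves any other files that already exist
          # on gh-pages so we don't wipe the branch on each release.
          keep_files: true
          # force_orphan would discard gh-pages history; we keep history so
          # the branch acts as a normal append-only artifact log.
          force_orphan: false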