Draft
19 changes: 8 additions & 11 deletions .github/workflows/publish-desktop-macos.yml
Expand Up @@ -14,11 +14,9 @@ on:
description: "Git ref (tag or branch) to build"
required: true
default: "main"
# Enable once the manual flow is proven rock solid: the `desktop-v*` tag that
# release.yml pushes (via the GitHub App token) will then auto-trigger this.
# push:
# tags:
# - "desktop-v*"
push:
tags:
- "desktop-v*"

concurrency:
group: release-desktop-macos-${{ github.ref }}
Expand All @@ -31,7 +29,6 @@ jobs:
build-macos:
runs-on: macos-latest
timeout-minutes: 60
environment: production
env:
Comment thread
paustint marked this conversation as resolved.
Comment thread
paustint marked this conversation as resolved.
NODE_OPTIONS: "--max_old_space_size=8192"
# Turns on the mac signing branch in electron-builder.config.js
Expand All @@ -43,14 +40,14 @@ jobs:
# Developer ID cert — electron-builder imports this into a temp keychain
CSC_LINK: ${{ secrets.APPLE_CERTIFICATE_P12_BASE64 }}
CSC_KEY_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
# S3-compatible release storage creds (Backblaze B2 during the Cloudflare R2 sunset)
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_DESKTOP_UPDATES_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_DESKTOP_UPDATES_SECRET_ACCESS_KEY }}
AWS_ENDPOINT_URL: ${{ secrets.AWS_DESKTOP_UPDATES_ENDPOINT_URL }}

steps:
- uses: actions/checkout@v6
with:
ref: ${{ inputs.ref || github.ref }}
ref: ${{ github.event.inputs.ref || github.ref }}

- uses: pnpm/action-setup@v6
with:
Expand Down Expand Up @@ -97,7 +94,7 @@ jobs:
run: pnpm build:desktop

# electron-builder --mac -p always: signs, notarizes, uploads the dmg/zip installers
# + update metadata to the Backblaze bucket, and points clients at the release feed subdomain.
# + update metadata to the R2 desktop-updates bucket, and points clients at the release feed subdomain.
- name: Package, sign, notarize, and publish macOS installers
working-directory: dist/desktop-build
run: pnpm publish:mac
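Review bot: With the `desktop-v*` tag trigger enabled and `environment: production` apparently dropped from `build-macos` (the section's 11 deletions only add up if that line is on the old side), nothing visible in this workflow gates a run that holds the Developer ID certificate, its password and the bucket write keys. If the `production` environment carried required reviewers or environment-scoped secrets, which is not visible here, any account able to push a matching tag now gets a signed, notarized and published build without approval. I would keep `environment: production` on the job, or add a comment above `push:` naming the tag ruleset that restricts who may create `desktop-v*` tags. The same applies to `build-windows` in publish-desktop-windows.yml, where the job carries `AZURE_CLIENT_SECRET`.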
19 changes: 8 additions & 11 deletions .github/workflows/publish-desktop-windows.yml
Expand Up @@ -14,11 +14,9 @@ on:
description: "Git ref (tag or branch) to build"
required: true
default: "main"
# Enable once the manual flow is proven rock solid: the `desktop-v*` tag that
# release.yml pushes (via the GitHub App token) will then auto-trigger this.
# push:
# tags:
# - "desktop-v*"
push:
tags:
- "desktop-v*"
Comment thread
paustint marked this conversation as resolved.

concurrency:
group: release-desktop-windows-${{ github.ref }}
Expand All @@ -31,7 +29,6 @@ jobs:
build-windows:
runs-on: windows-latest
timeout-minutes: 60
environment: production
env:
Comment thread
paustint marked this conversation as resolved.
Comment thread
paustint marked this conversation as resolved.
NODE_OPTIONS: "--max_old_space_size=8192"
# Turns on the win `azureSignOptions` branch in electron-builder.config.js
Expand All @@ -40,14 +37,14 @@ jobs:
AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
AZURE_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }}
# S3-compatible release storage creds (Backblaze B2 during the Cloudflare R2 sunset)
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_DESKTOP_UPDATES_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_DESKTOP_UPDATES_SECRET_ACCESS_KEY }}
AWS_ENDPOINT_URL: ${{ secrets.AWS_DESKTOP_UPDATES_ENDPOINT_URL }}

steps:
- uses: actions/checkout@v6
with:
ref: ${{ inputs.ref || github.ref }}
ref: ${{ github.event.inputs.ref || github.ref }}

- uses: pnpm/action-setup@v6
with:
Expand Down Expand Up @@ -82,7 +79,7 @@ jobs:
run: pnpm build:desktop

# electron-builder --win -p always: signs via Azure Trusted Signing, uploads installers
# + update metadata to the Backblaze bucket, and points clients at the release feed subdomain.
# + update metadata to the R2 desktop-updates bucket, and points clients at the release feed subdomain.
- name: Package, sign, and publish Windows installers
working-directory: dist/desktop-build
run: pnpm publish:win
13 changes: 6 additions & 7 deletions electron-builder.config.js
Expand Up @@ -10,6 +10,7 @@ const ENV = {
PROVISIONING_PROFILE_PATH_MAS: process.env.PROVISIONING_PROFILE_PATH_MAS,
AWS_ACCESS_KEY_ID: process.env.AWS_ACCESS_KEY_ID,
AWS_SECRET_ACCESS_KEY: process.env.AWS_SECRET_ACCESS_KEY,
AWS_ENDPOINT_URL: process.env.AWS_ENDPOINT_URL,
AZURE_TENANT_ID: process.env.AZURE_TENANT_ID,
AZURE_CLIENT_ID: process.env.AZURE_CLIENT_ID,
AZURE_CLIENT_SECRET: process.env.AZURE_CLIENT_SECRET,
Expand Down Expand Up @@ -181,23 +182,21 @@ const config = {
],

publish:
ENV.IS_CODESIGNING_ENABLED && ENV.AWS_ACCESS_KEY_ID && ENV.AWS_SECRET_ACCESS_KEY
ENV.IS_CODESIGNING_ENABLED && ENV.AWS_ACCESS_KEY_ID && ENV.AWS_SECRET_ACCESS_KEY && ENV.AWS_ENDPOINT_URL
? [
// Primary feed clients read from — a subdomain we control, decoupled from any
// storage vendor. Backed by Backblaze today, Cloudflare R2 after the DNS cutover.
// storage vendor. Backed by Cloudflare R2.
{
provider: 'generic',
url: 'https://release-updates.getjetstream.app/jetstream/releases',
},
// Upload target during the sunset: keep publishing to Backblaze so existing clients
// (pinned to the raw B2 endpoint in their baked app-update.yml) keep updating.
{
provider: 's3',
// Local testing with MinIO
// endpoint: 'http://localhost:9000',
endpoint: 'https://s3.us-east-005.backblazeb2.com',
endpoint: ENV.AWS_ENDPOINT_URL,
bucket: 'desktop-updates',
path: `jetstream/releases`,
region: 'auto',
acl: null,
},
Comment on lines 184 to 200
]
: null,
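Review bot: The widened guard on `publish:` falls through to `null` when `AWS_ENDPOINT_URL` is unset, so a signing run with a missing or misnamed `AWS_DESKTOP_UPDATES_ENDPOINT_URL` secret gets a config with no upload target instead of an error. I would fail fast before the `config` object, e.g. `if (ENV.IS_CODESIGNING_ENABLED && ENV.AWS_ACCESS_KEY_ID && !ENV.AWS_ENDPOINT_URL) throw new Error('AWS_ENDPOINT_URL is required for publishing');`. Because the endpoint is no longer a pinned literal, it is also worth rejecting a value whose `new URL(ENV.AWS_ENDPOINT_URL).protocol` is not `'https:'`, so the access key is never sent to a plaintext endpoint; the commented MinIO line suggests `http://` is used locally, so that check may need a localhost exception. The `config` object starts and ends outside this hunk.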
1 change: 1 addition & 0 deletions scripts/build-electron.mjs
Expand Up @@ -183,6 +183,7 @@ async function build() {
'AZURE_CLIENT_SECRET',
'AWS_ACCESS_KEY_ID',
'AWS_SECRET_ACCESS_KEY',
'AWS_ENDPOINT_URL',
]) {
if (process.env[key]) {
envValues[key] = process.env[key];