Fold macOS desktop release flow into tag release workflow #11

Workflow file for this run

.github/workflows/release.yml at fa233d9

	name: Release
Check failure on line 1 in .github/workflows/release.yml View workflow run for this annotation GitHub Actions / .github/workflows/release.yml Invalid workflow file `(Line: 75, Col: 9): Unrecognized named-value: 'secrets'. Located at position 1 within expression: secrets.APPLE_CERTIFICATE != '' && secrets.APPLE_CERTIFICATE_PASSWORD != '' && secrets.KEYCHAIN_PASSWORD != '' && secrets.APPLE_SIGNING_IDENTITY != '' && secrets.APPLE_ID != '' && secrets.APPLE_APP_SPECIFIC_PASSWORD != '' && secrets.APPLE_TEAM_ID != ''`

	on:
	push:
	tags:
	- "v*"

	permissions:
	contents: write
	id-token: write

	jobs:
	build-binaries:
	name: Build ${{ matrix.asset_suffix }}
	runs-on: ${{ matrix.runner }}
	strategy:
	fail-fast: false
	matrix:
	include:
	- runner: macos-14
	target: aarch64-apple-darwin
	asset_suffix: darwin-arm64
	- runner: macos-13
	target: x86_64-apple-darwin
	asset_suffix: darwin-x64
	steps:
	- name: Checkout
	uses: actions/checkout@v4

	- name: Setup Node
	uses: actions/setup-node@v4
	with:
	node-version: "20"
	cache: npm
	cache-dependency-path: web/package-lock.json

	- name: Install frontend dependencies
	run: \|
	cd web
	npm ci

	- name: Setup Rust
	uses: dtolnay/rust-toolchain@stable
	with:
	targets: ${{ matrix.target }}

	- name: Cache Rust
	uses: Swatinem/rust-cache@v2

	- name: Build release binary
	run: cargo build --release --target ${{ matrix.target }} --locked

	- name: Prepare binary assets
	env:
	TAG: ${{ github.ref_name }}
	TARGET: ${{ matrix.target }}
	ASSET_SUFFIX: ${{ matrix.asset_suffix }}
	run: \|
	VERSION="${TAG#v}"
	mkdir -p dist
	cp "target/${TARGET}/release/attn" "dist/attn-v${VERSION}-${ASSET_SUFFIX}"
	chmod +x "dist/attn-v${VERSION}-${ASSET_SUFFIX}"
	shasum -a 256 "dist/attn-v${VERSION}-${ASSET_SUFFIX}" > "dist/attn-v${VERSION}-${ASSET_SUFFIX}.sha256"

	- name: Upload binary artifacts
	uses: actions/upload-artifact@v4
	with:
	name: release-${{ matrix.asset_suffix }}
	path: dist/*
	retention-days: 7

	build-signed-dmg:
	name: Build, sign & notarize DMG
	runs-on: macos-14
	if: ${{ secrets.APPLE_CERTIFICATE != '' && secrets.APPLE_CERTIFICATE_PASSWORD != '' && secrets.KEYCHAIN_PASSWORD != '' && secrets.APPLE_SIGNING_IDENTITY != '' && secrets.APPLE_ID != '' && secrets.APPLE_APP_SPECIFIC_PASSWORD != '' && secrets.APPLE_TEAM_ID != '' }}
	steps:
	- name: Checkout
	uses: actions/checkout@v4

	- name: Setup Node
	uses: actions/setup-node@v4
	with:
	node-version: "20"
	cache: npm
	cache-dependency-path: web/package-lock.json

	- name: Setup Rust toolchain
	uses: dtolnay/rust-toolchain@stable
	with:
	targets: aarch64-apple-darwin

	- name: Cache Rust
	uses: Swatinem/rust-cache@v2

	- name: Install cargo-bundle
	uses: taiki-e/cache-cargo-install-action@v2
	with:
	tool: cargo-bundle

	- name: Install frontend dependencies
	run: \|
	cd web
	npm ci

	- name: Import code signing certificate
	env:
	CERTIFICATE_BASE64: ${{ secrets.APPLE_CERTIFICATE }}
	CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
	KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }}
	run: \|
	CERTIFICATE_PATH="$RUNNER_TEMP/build_certificate.p12"
	KEYCHAIN_PATH="$RUNNER_TEMP/app-signing.keychain-db"

	echo -n "$CERTIFICATE_BASE64" \| base64 --decode > "$CERTIFICATE_PATH" \|\| \
	echo -n "$CERTIFICATE_BASE64" \| base64 -D > "$CERTIFICATE_PATH"

	security create-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
	security set-keychain-settings -lut 21600 "$KEYCHAIN_PATH"
	security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
	security import "$CERTIFICATE_PATH" -P "$CERTIFICATE_PASSWORD" -A -t cert -f pkcs12 -k "$KEYCHAIN_PATH"
	security set-key-partition-list -S apple-tool:,apple: -k "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
	security list-keychain -d user -s "$KEYCHAIN_PATH"

	echo "KEYCHAIN_PATH=$KEYCHAIN_PATH" >> "$GITHUB_ENV"

	- name: Build app bundle
	run: \|
	scripts/macos-build-bundle.sh prod aarch64-apple-darwin

	APP_PATH="$(find target/aarch64-apple-darwin -path '/bundle/osx/.app' -maxdepth 6 \| head -n1)"
	if [ -z "$APP_PATH" ]; then
	echo "No app bundle found" >&2
	exit 1
	fi

	DMG_PATH="$(dirname "$APP_PATH")/attn.dmg"
	echo "APP_PATH=$APP_PATH" >> "$GITHUB_ENV"
	echo "DMG_PATH=$DMG_PATH" >> "$GITHUB_ENV"

	- name: Sign app bundle
	env:
	APPLE_SIGNING_IDENTITY: ${{ secrets.APPLE_SIGNING_IDENTITY }}
	run: scripts/macos-sign-app.sh "$APP_PATH" "$APPLE_SIGNING_IDENTITY"

	- name: Create DMG
	env:
	APPLE_SIGNING_IDENTITY: ${{ secrets.APPLE_SIGNING_IDENTITY }}
	run: scripts/macos-create-dmg.sh "$APP_PATH" "$DMG_PATH"

	- name: Notarize DMG
	env:
	APPLE_ID: ${{ secrets.APPLE_ID }}
	APPLE_APP_SPECIFIC_PASSWORD: ${{ secrets.APPLE_APP_SPECIFIC_PASSWORD }}
	APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
	run: scripts/macos-notarize-dmg.sh "$DMG_PATH"

	- name: Prepare DMG assets
	env:
	TAG: ${{ github.ref_name }}
	run: \|
	VERSION="${TAG#v}"
	mkdir -p dist
	cp "$DMG_PATH" "dist/attn-v${VERSION}-darwin-arm64.dmg"
	shasum -a 256 "dist/attn-v${VERSION}-darwin-arm64.dmg" > "dist/attn-v${VERSION}-darwin-arm64.dmg.sha256"

	- name: Upload DMG artifacts
	uses: actions/upload-artifact@v4
	with:
	name: release-dmg-darwin-arm64
	path: dist/*
	retention-days: 7

	- name: Cleanup keychain
	if: always()
	run: \|
	if [ -n "${KEYCHAIN_PATH:-}" ] && [ -f "$KEYCHAIN_PATH" ]; then
	security delete-keychain "$KEYCHAIN_PATH"
	fi

	publish-release:
	name: Publish GitHub Release
	runs-on: ubuntu-latest
	needs:
	- build-binaries
	- build-signed-dmg
	if: ${{ always() && needs.build-binaries.result == 'success' && (needs.build-signed-dmg.result == 'success' \|\| needs.build-signed-dmg.result == 'skipped') }}
	steps:
	- name: Checkout
	uses: actions/checkout@v4
	with:
	ref: ${{ github.ref_name }}

	- name: Download artifacts
	uses: actions/download-artifact@v4
	with:
	path: dist
	pattern: release-*
	merge-multiple: true

	- name: Create or update release
	env:
	GH_TOKEN: ${{ github.token }}
	TAG: ${{ github.ref_name }}
	run: \|
	if gh release view "$TAG" >/dev/null 2>&1; then
	echo "Release $TAG already exists; uploading updated assets."
	else
	gh release create "$TAG" \
	--title "$TAG" \
	--notes "Automated release for $TAG."
	fi
	gh release upload "$TAG" dist/* --clobber

	publish-crates:
	name: Publish crates.io
	runs-on: ubuntu-latest
	needs: publish-release
	steps:
	- name: Checkout
	uses: actions/checkout@v4
	with:
	ref: ${{ github.ref_name }}

	- name: Install system dependencies
	run: \|
	sudo apt-get update
	sudo apt-get install -y libgtk-3-dev libwebkit2gtk-4.1-dev libayatana-appindicator3-dev

	- name: Setup Node
	uses: actions/setup-node@v4
	with:
	node-version: "24"
	cache: npm
	cache-dependency-path: web/package-lock.json

	- name: Setup Rust
	uses: dtolnay/rust-toolchain@stable

	- name: Publish crate
	env:
	CARGO_REGISTRY_TOKEN: ${{ secrets.CARGO_REGISTRY_TOKEN }}
	run: cargo publish --locked

	publish-npm:
	name: Publish npm
	runs-on: ubuntu-latest
	needs: publish-release
	steps:
	- name: Checkout
	uses: actions/checkout@v4
	with:
	ref: ${{ github.ref_name }}

	- name: Setup Node
	uses: actions/setup-node@v4
	with:
	node-version: "24"

	- name: Set package version from tag
	run: npm version "${GITHUB_REF_NAME#v}" --no-git-tag-version --allow-same-version

	- name: Publish package
	run: npm publish --access public --provenance

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Fold macOS desktop release flow into tag release workflow #11

Workflow file

Fold macOS desktop release flow into tag release workflow #11

Uh oh!

Workflow file for this run

GitHub Actions / .github/workflows/release.yml