Skip to content
.github/workflows/release.yml

Bump release version to 0.1.11 #14

Sign in to view logs

Bump release version to 0.1.11

Bump release version to 0.1.11 #14

Workflow file for this run

.github/workflows/release.yml at 568c2ab
name: Release

Check failure on line 1 in .github/workflows/release.yml

View workflow run for this annotation

GitHub Actions / .github/workflows/release.yml

Invalid workflow file 

(Line: 102, Col: 9): Unrecognized named-value: 'secrets'. Located at position 1 within expression: secrets.APPLE_CERTIFICATE != '' && secrets.APPLE_CERTIFICATE_PASSWORD != '' && secrets.KEYCHAIN_PASSWORD != '' && secrets.APPLE_SIGNING_IDENTITY != '' && secrets.APPLE_ID != '' && secrets.APPLE_APP_SPECIFIC_PASSWORD != '' && secrets.APPLE_TEAM_ID != ''
on:
push:
tags:
- "v*"
permissions:
contents: write
id-token: write
jobs:
validate-release-version:
name: Validate Tag and Cargo Version
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
with:
ref: ${{ github.ref_name }}
- name: Verify Cargo.lock is tracked
run: git ls-files --error-unmatch Cargo.lock >/dev/null
- name: Ensure tag matches Cargo.toml version
env:
TAG: ${{ github.ref_name }}
run: |
TAG_VERSION="${TAG#v}"
CARGO_VERSION="$(sed -n 's/^version = \"\\(.*\\)\"/\\1/p' Cargo.toml | head -n1)"
if [ -z "$CARGO_VERSION" ]; then
echo "Could not read package version from Cargo.toml" >&2
exit 1
fi
if [ "$TAG_VERSION" != "$CARGO_VERSION" ]; then
echo "Tag version ($TAG_VERSION) does not match Cargo.toml version ($CARGO_VERSION)." >&2
echo "Bump Cargo.toml, run cargo check, commit Cargo.lock, then retag." >&2
exit 1
fi
build-binaries:
name: Build ${{ matrix.asset_suffix }}
runs-on: ${{ matrix.runner }}
needs: validate-release-version
strategy:
fail-fast: false
matrix:
include:
- runner: macos-14
target: aarch64-apple-darwin
asset_suffix: darwin-arm64
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Setup Node
uses: actions/setup-node@v4
with:
node-version: "20"
cache: npm
cache-dependency-path: web/package-lock.json
- name: Install frontend dependencies
run: |
cd web
npm ci
- name: Setup Rust
uses: dtolnay/rust-toolchain@stable
with:
targets: ${{ matrix.target }}
- name: Cache Rust
uses: Swatinem/rust-cache@v2
- name: Build release binary
run: cargo build --release --target ${{ matrix.target }} --locked
- name: Prepare binary assets
env:
TAG: ${{ github.ref_name }}
TARGET: ${{ matrix.target }}
ASSET_SUFFIX: ${{ matrix.asset_suffix }}
run: |
VERSION="${TAG#v}"
mkdir -p dist
cp "target/${TARGET}/release/attn" "dist/attn-v${VERSION}-${ASSET_SUFFIX}"
chmod +x "dist/attn-v${VERSION}-${ASSET_SUFFIX}"
shasum -a 256 "dist/attn-v${VERSION}-${ASSET_SUFFIX}" > "dist/attn-v${VERSION}-${ASSET_SUFFIX}.sha256"
- name: Upload binary artifacts
uses: actions/upload-artifact@v4
with:
name: release-${{ matrix.asset_suffix }}
path: dist/*
retention-days: 7
build-signed-dmg:
name: Build, sign & notarize DMG
runs-on: macos-14
needs: validate-release-version
if: ${{ secrets.APPLE_CERTIFICATE != '' && secrets.APPLE_CERTIFICATE_PASSWORD != '' && secrets.KEYCHAIN_PASSWORD != '' && secrets.APPLE_SIGNING_IDENTITY != '' && secrets.APPLE_ID != '' && secrets.APPLE_APP_SPECIFIC_PASSWORD != '' && secrets.APPLE_TEAM_ID != '' }}
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Setup Node
uses: actions/setup-node@v4
with:
node-version: "20"
cache: npm
cache-dependency-path: web/package-lock.json
- name: Setup Rust toolchain
uses: dtolnay/rust-toolchain@stable
with:
targets: aarch64-apple-darwin
- name: Cache Rust
uses: Swatinem/rust-cache@v2
- name: Install cargo-bundle
uses: taiki-e/cache-cargo-install-action@v2
with:
tool: cargo-bundle
- name: Install frontend dependencies
run: |
cd web
npm ci
- name: Import code signing certificate
env:
CERTIFICATE_BASE64: ${{ secrets.APPLE_CERTIFICATE }}
CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }}
run: |
CERTIFICATE_PATH="$RUNNER_TEMP/build_certificate.p12"
KEYCHAIN_PATH="$RUNNER_TEMP/app-signing.keychain-db"
echo -n "$CERTIFICATE_BASE64" | base64 --decode > "$CERTIFICATE_PATH" || \
echo -n "$CERTIFICATE_BASE64" | base64 -D > "$CERTIFICATE_PATH"
security create-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
security set-keychain-settings -lut 21600 "$KEYCHAIN_PATH"
security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
security import "$CERTIFICATE_PATH" -P "$CERTIFICATE_PASSWORD" -A -t cert -f pkcs12 -k "$KEYCHAIN_PATH"
security set-key-partition-list -S apple-tool:,apple: -k "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
security list-keychain -d user -s "$KEYCHAIN_PATH"
echo "KEYCHAIN_PATH=$KEYCHAIN_PATH" >> "$GITHUB_ENV"
- name: Build app bundle
run: |
scripts/macos-build-bundle.sh prod aarch64-apple-darwin
APP_PATH="$(find target/aarch64-apple-darwin -path '*/bundle/osx/*.app' -maxdepth 6 | head -n1)"
if [ -z "$APP_PATH" ]; then
echo "No app bundle found" >&2
exit 1
fi
DMG_PATH="$(dirname "$APP_PATH")/attn.dmg"
echo "APP_PATH=$APP_PATH" >> "$GITHUB_ENV"
echo "DMG_PATH=$DMG_PATH" >> "$GITHUB_ENV"
- name: Sign app bundle
env:
APPLE_SIGNING_IDENTITY: ${{ secrets.APPLE_SIGNING_IDENTITY }}
run: scripts/macos-sign-app.sh "$APP_PATH" "$APPLE_SIGNING_IDENTITY"
- name: Create DMG
env:
APPLE_SIGNING_IDENTITY: ${{ secrets.APPLE_SIGNING_IDENTITY }}
run: scripts/macos-create-dmg.sh "$APP_PATH" "$DMG_PATH"
- name: Notarize DMG
env:
APPLE_ID: ${{ secrets.APPLE_ID }}
APPLE_APP_SPECIFIC_PASSWORD: ${{ secrets.APPLE_APP_SPECIFIC_PASSWORD }}
APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
run: scripts/macos-notarize-dmg.sh "$DMG_PATH"
- name: Prepare DMG assets
env:
TAG: ${{ github.ref_name }}
run: |
VERSION="${TAG#v}"
mkdir -p dist
cp "$DMG_PATH" "dist/attn-v${VERSION}-darwin-arm64.dmg"
shasum -a 256 "dist/attn-v${VERSION}-darwin-arm64.dmg" > "dist/attn-v${VERSION}-darwin-arm64.dmg.sha256"
- name: Upload DMG artifacts
uses: actions/upload-artifact@v4
with:
name: release-dmg-darwin-arm64
path: dist/*
retention-days: 7
- name: Cleanup keychain
if: always()
run: |
if [ -n "${KEYCHAIN_PATH:-}" ] && [ -f "$KEYCHAIN_PATH" ]; then
security delete-keychain "$KEYCHAIN_PATH"
fi
publish-release:
name: Publish GitHub Release
runs-on: ubuntu-latest
needs:
- build-binaries
- build-signed-dmg
if: ${{ always() && needs.build-binaries.result == 'success' && (needs.build-signed-dmg.result == 'success' || needs.build-signed-dmg.result == 'skipped') }}
steps:
- name: Checkout
uses: actions/checkout@v4
with:
ref: ${{ github.ref_name }}
- name: Download artifacts
uses: actions/download-artifact@v4
with:
path: dist
pattern: release-*
merge-multiple: true
- name: Create or update release
env:
GH_TOKEN: ${{ github.token }}
TAG: ${{ github.ref_name }}
run: |
if gh release view "$TAG" >/dev/null 2>&1; then
echo "Release $TAG already exists; uploading updated assets."
else
gh release create "$TAG" \
--title "$TAG" \
--notes "Automated release for $TAG."
fi
gh release upload "$TAG" dist/* --clobber
publish-crates:
name: Publish crates.io
runs-on: ubuntu-latest
needs: publish-release
steps:
- name: Checkout
uses: actions/checkout@v4
with:
ref: ${{ github.ref_name }}
- name: Install system dependencies
run: |
sudo apt-get update
sudo apt-get install -y libgtk-3-dev libwebkit2gtk-4.1-dev libayatana-appindicator3-dev
- name: Setup Node
uses: actions/setup-node@v4
with:
node-version: "24"
cache: npm
cache-dependency-path: web/package-lock.json
- name: Setup Rust
uses: dtolnay/rust-toolchain@stable
- name: Verify crate builds with locked dependencies
run: cargo check --locked
- name: Publish crate
env:
CARGO_REGISTRY_TOKEN: ${{ secrets.CARGO_REGISTRY_TOKEN }}
run: cargo publish --locked
publish-npm:
name: Publish npm
runs-on: ubuntu-latest
needs: publish-release
steps:
- name: Checkout
uses: actions/checkout@v4
with:
ref: ${{ github.ref_name }}
- name: Setup Node
uses: actions/setup-node@v4
with:
node-version: "24"
- name: Set package version from tag
run: npm version "${GITHUB_REF_NAME#v}" --no-git-tag-version --allow-same-version
- name: Publish package
run: npm publish --access public --provenance