-
-
Notifications
You must be signed in to change notification settings - Fork 12
372 lines (337 loc) · 14.5 KB
/
tauri-build-dev.yml
File metadata and controls
372 lines (337 loc) · 14.5 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
name: 'generate experimental/dev stage draft GitHub release'
on:
push:
branches: [ dev ]
jobs:
create-release:
permissions:
contents: write
runs-on: ubuntu-22.04
outputs:
release_id: ${{ steps.create-release.outputs.result }}
steps:
- uses: actions/checkout@v4
- name: setup node
uses: actions/setup-node@v4
with:
node-version: 24
- name: get version
run: |
echo "PACKAGE_VERSION=$(node -p "require('./package.json').version")" >> $GITHUB_ENV
echo "GIT_TAG_NAME=dev-app-v$(node -p "require('./package.json').version")" >> $GITHUB_ENV
- name: create release
id: create-release
uses: actions/github-script@v7
with:
script: |
const { data } = await github.rest.repos.createRelease({
owner: context.repo.owner,
repo: context.repo.repo,
tag_name: `${process.env.GIT_TAG_NAME}`,
target_commitish: 'dev',
name: `Phoenix Code Experimental build v${process.env.PACKAGE_VERSION}`,
body: `**Phoenix Code Release Notes**\n\nPlease include detailed release notes here, highlighting new features, bug fixes, and improvements. Ensure to make these notes informative and clear for end-users.\n\n**For Maintainers:**\nTo distribute these release notes through the desktop application:\n1. Wait for a pull request with the updated release notes.\n3. Once the pull request is merged, merge to the update-notifications branch and the release notes will be automatically shown in the desktop builds.`,
draft: true,
prerelease: true
})
return data.id
build-mac-m1-node-modules:
permissions:
contents: write
timeout-minutes: 15
runs-on: macos-15
steps:
- uses: actions/checkout@v4
- name: macos hardware info
run: system_profiler SPSoftwareDataType SPHardwareDataType
- name: setup node
uses: actions/setup-node@v4
with:
node-version: 24
- name: install frontend dependencies
env:
GH_TOKEN: ${{ github.token }}
PRO_REPO_URL: ${{ secrets.PRO_REPO_URL }}
PRO_REPO_ACCESS_TOKEN: ${{ secrets.PRO_REPO_ACCESS_TOKEN }}
run: |
npm ci
npm run _ci-cloneAndBuildPhoenix
npm run _ci_make_src-node
cd src-tauri
mv src-node src-node-darwin-arm64
tar -czvf src-node-darwin-arm64.tar.gz src-node-darwin-arm64
mv src-node-darwin-arm64 src-node
cd ..
- name: Upload src-node.tar.gz with installed mac bins
uses: actions/upload-artifact@v4
with:
name: src-node-darwin-arm64.tar.gz
path: src-tauri/src-node-darwin-arm64.tar.gz
build-tauri:
needs: [create-release, build-mac-m1-node-modules]
permissions:
contents: write
timeout-minutes: 60
strategy:
fail-fast: false
matrix:
platform: [ macos-15-intel, windows-latest ]
runs-on: ${{ matrix.platform }}
steps:
- uses: actions/checkout@v4
- name: get Git Tag
shell: bash
run: echo "GIT_TAG_NAME=dev-app-v$(node -p "require('./package.json').version")" >> $GITHUB_ENV
- name: setup node
uses: actions/setup-node@v4
with:
node-version: 24
- name: Download src-node built on mac arm (Mac only)
if: matrix.platform == 'macos-15-intel'
uses: actions/download-artifact@v4
with:
name: src-node-darwin-arm64.tar.gz
path: /tmp/src-node-darwin-arm64.tar.gz
- name: install Rust stable
uses: dtolnay/rust-toolchain@stable
with:
toolchain: 1.85.1
- name: install frontend dependencies
env:
GH_TOKEN: ${{ github.token }}
PRO_REPO_URL: ${{ secrets.PRO_REPO_URL }}
PRO_REPO_ACCESS_TOKEN: ${{ secrets.PRO_REPO_ACCESS_TOKEN }}
run: |
npm ci
npm run _ci-release:dev
- name: setup src-node built on mac arm (Mac only)
if: matrix.platform == 'macos-15-intel'
run: |
ls /tmp/src-node-darwin-arm64.tar.gz
rm -rf src-node
tar -xzvf /tmp/src-node-darwin-arm64.tar.gz/src-node-darwin-arm64.tar.gz
ls src-node-darwin-arm64
mv src-node-darwin-arm64 src-node
- name: install AzureSignTool (windows only)
if: matrix.platform == 'windows-latest'
run: |
dotnet tool install --global AzureSignTool
- name: import certificate for signing (windows only)
if: matrix.platform == 'windows-latest'
run: |
echo "${{ secrets.AZURE_EV_CERT }}" > secret.cer
Import-Certificate -FilePath .\secret.cer -CertStoreLocation Cert:\LocalMachine\My
shell: powershell
- name: patch signTool (windows only)
if: matrix.platform == 'windows-latest'
run: Start-Process -FilePath .\src-build\win\copy_sign_tool.exe -Verb RunAs
shell: powershell
- name: setup env for signing (windows only)
if: matrix.platform == 'windows-latest'
env:
TAURI_PRIVATE_KEY: ${{ secrets.TAURI_PRIVATE_KEY }}
TAURI_KEY_PASSWORD: ${{ secrets.TAURI_KEY_PASSWORD }}
AZURE_KEY_VAULT_URI: ${{ secrets.AZURE_KEY_VAULT_URI }}
AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
AZURE_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }}
AZURE_CERT_NAME: ${{ secrets.AZURE_CERT_NAME }}
AZURE_COMPANY_NAME: ${{ secrets.AZURE_COMPANY_NAME }}
run: |
$jsonContent = @{
"AZURE_KEY_VAULT_URI" = $env:AZURE_KEY_VAULT_URI
"AZURE_CLIENT_ID" = $env:AZURE_CLIENT_ID
"AZURE_TENANT_ID" = $env:AZURE_TENANT_ID
"AZURE_CLIENT_SECRET" = $env:AZURE_CLIENT_SECRET
"AZURE_CERT_NAME" = $env:AZURE_CERT_NAME
"AZURE_COMPANY_NAME" = $env:AZURE_COMPANY_NAME
}
$jsonContent | ConvertTo-Json | Out-File -FilePath ./secrets.json -Encoding utf8
# Load content from the file
$content = Get-Content -Path "./secrets.json" -Raw
# Replace \r\n with \n
$content = $content -replace "`r`n", "`n"
# Write the content back to the file
Set-Content -Path "./secrets.json" -Value $content
shell: powershell
- name: Sign embedded executables for (Mac Only)
if: matrix.platform == 'macos-15-intel'
env :
APPLE_KEY_IDENTITY_NAME: ${{ secrets.APPLE_KEY_IDENTITY_NAME }}
APPLE_CERTIFICATE: ${{ secrets.APPLE_CERTIFICATE }}
APPLE_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
run: |
echo "Listing all files in src-tauri/src-node"
echo "======================================="
find src-tauri/src-node -type f
echo "======================================="
echo "Listing all files in src-node/"
echo "======================================="
find src-node/ -type f
certificate_encoded="$APPLE_CERTIFICATE"
certificate_password="$APPLE_CERTIFICATE_PASSWORD"
echo "Setting up keychain from environment variables..."
# Creating a temporary directory
tmp_dir=$(mktemp -d)
cert_path="$tmp_dir/cert.p12"
# Decode the encoded certificate and write it to the cert_path
echo "$certificate_encoded" | base64 --decode > "$cert_path"
# Generate a random password for the keychain
KEYCHAIN_PASSWORD=$(openssl rand -base64 16)
# Create a new keychain with the random password
security create-keychain -p "$KEYCHAIN_PASSWORD" build.keychain
security default-keychain -s build.keychain
security unlock-keychain -p "$KEYCHAIN_PASSWORD" build.keychain
security import "$cert_path" -k build.keychain -P "$certificate_password" -T /usr/bin/codesign
security set-key-partition-list -S apple-tool:,apple: -s -k "$KEYCHAIN_PASSWORD" build.keychain
# Sign the files specified in src-build/mac/filesToSign
while IFS= read -r file; do
if [ -f "$file" ]; then
codesign --force --sign "$APPLE_KEY_IDENTITY_NAME" --keychain build.keychain --timestamp --options runtime "$file"
else
echo "File to sign not found, ignoring: $file"
fi
done < src-build/mac/filesToSign
# Clean up
security delete-keychain build.keychain
rm -rf "$tmp_dir" # removes the temporary directory and the certificate file within it
shell: bash
- uses: tauri-apps/tauri-action@v0
env:
GITHUB_TOKEN: ${{ github.token }}
TAURI_PRIVATE_KEY: ${{ secrets.TAURI_PRIVATE_KEY }}
TAURI_KEY_PASSWORD: ${{ secrets.TAURI_KEY_PASSWORD }}
ENABLE_CODE_SIGNING: ${{ secrets.APPLE_CERTIFICATE }}
APPLE_CERTIFICATE: ${{ secrets.APPLE_CERTIFICATE }}
APPLE_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
APPLE_SIGNING_IDENTITY: ${{ secrets.APPLE_SIGNING_IDENTITY }}
APPLE_ID: ${{ secrets.APPLE_ID }}
APPLE_PASSWORD: ${{ secrets.APPLE_PASSWORD }}
APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
PRO_REPO_URL: ${{ secrets.PRO_REPO_URL }}
PRO_REPO_ACCESS_TOKEN: ${{ secrets.PRO_REPO_ACCESS_TOKEN }}
with:
releaseId: ${{ needs.create-release.outputs.release_id }}
updaterJsonPreferNsis: true
tagName: ${{ env.GIT_TAG_NAME }}
- name: inject src-node built on mac arm (Mac only)
if: matrix.platform == 'macos-15-intel'
run: |
ls src-node
rm -rf src-tauri/src-node
mv src-node src-tauri/src-node
ls src-tauri/src-node
- name: setup env for mac arm (Mac only)
env:
GH_TOKEN: ${{ github.token }}
if: matrix.platform == 'macos-15-intel'
run: |
rustup target add aarch64-apple-darwin
npm run installNodeArmDarwin
- name: build for mac arm (Mac only)
if: matrix.platform == 'macos-15-intel'
uses: tauri-apps/tauri-action@v0
env:
GITHUB_TOKEN: ${{ github.token }}
TAURI_PRIVATE_KEY: ${{ secrets.TAURI_PRIVATE_KEY }}
TAURI_KEY_PASSWORD: ${{ secrets.TAURI_KEY_PASSWORD }}
ENABLE_CODE_SIGNING: ${{ secrets.APPLE_CERTIFICATE }}
APPLE_CERTIFICATE: ${{ secrets.APPLE_CERTIFICATE }}
APPLE_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
APPLE_SIGNING_IDENTITY: ${{ secrets.APPLE_SIGNING_IDENTITY }}
APPLE_ID: ${{ secrets.APPLE_ID }}
APPLE_PASSWORD: ${{ secrets.APPLE_PASSWORD }}
APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
PRO_REPO_URL: ${{ secrets.PRO_REPO_URL }}
PRO_REPO_ACCESS_TOKEN: ${{ secrets.PRO_REPO_ACCESS_TOKEN }}
with:
releaseId: ${{ needs.create-release.outputs.release_id }}
args: --target aarch64-apple-darwin
tagName: ${{ env.GIT_TAG_NAME }}
build-linux-bins:
needs: [ create-release ]
permissions:
contents: write
timeout-minutes: 60
runs-on: ubuntu-22.04
steps:
- uses: actions/checkout@v4
- name: get Git Tag
shell: bash
run: echo "GIT_TAG_NAME=dev-app-v$(node -p "require('./package.json').version")" >> $GITHUB_ENV
- name: setup node
uses: actions/setup-node@v4
with:
node-version: 24
- name: install frontend dependencies
env:
GH_TOKEN: ${{ github.token }}
PRO_REPO_URL: ${{ secrets.PRO_REPO_URL }}
PRO_REPO_ACCESS_TOKEN: ${{ secrets.PRO_REPO_ACCESS_TOKEN }}
run: |
npm ci
npm run _ci-release:dev
npm run _ci-releaseElectronApp
ls -alh ./src-electron/dist/
echo "OUTPUT_FILENAME=$(ls ./src-electron/dist/*.AppImage | head -1 | xargs basename)" >> $GITHUB_ENV
- name: Sign AppImage with minisign
env:
TAURI_PRIVATE_KEY: ${{ secrets.TAURI_PRIVATE_KEY }}
TAURI_KEY_PASSWORD: ${{ secrets.TAURI_KEY_PASSWORD }}
run: |
# Download and install minisign
wget https://github.com/jedisct1/minisign/releases/download/0.11/minisign-0.11-linux.tar.gz
tar -xzf minisign-0.11-linux.tar.gz
sudo mv minisign-linux/x86_64/minisign /usr/local/bin/
minisign -v
# Decode base64-encoded private key
echo "$TAURI_PRIVATE_KEY" | base64 -d > /tmp/tauri_private.key
# Debug: show key file info (not contents)
echo "Key file size: $(wc -c < /tmp/tauri_private.key) bytes"
echo "Key file lines: $(wc -l < /tmp/tauri_private.key)"
# Sign the AppImage
APPIMAGE_PATH="./src-electron/dist/${{ env.OUTPUT_FILENAME }}"
echo "$TAURI_KEY_PASSWORD" | minisign -S -s /tmp/tauri_private.key -m "$APPIMAGE_PATH" -t "$(date +%s) file:${{ env.OUTPUT_FILENAME }}"
# Clean up private key
rm /tmp/tauri_private.key
# Show signature file
echo "Signature file contents:"
cat "${APPIMAGE_PATH}.minisig"
# Rename .minisig to .sig for consistency
mv "${APPIMAGE_PATH}.minisig" "${APPIMAGE_PATH}.sig"
- name: Upload Release Asset
uses: softprops/action-gh-release@v2
with:
files: |
./src-electron/dist/${{ env.OUTPUT_FILENAME }}
./src-electron/dist/${{ env.OUTPUT_FILENAME }}.sig
tag_name: ${{ env.GIT_TAG_NAME }}
draft: true
env:
GITHUB_TOKEN: ${{ github.token }}
publish-release:
permissions:
contents: write
timeout-minutes: 15
runs-on: ubuntu-22.04
needs: [ create-release, build-tauri, build-linux-bins ]
steps:
- uses: actions/checkout@v4
- name: get Git Tag
run: echo "GIT_TAG_NAME=dev-app-v$(node -p "require('./package.json').version")" >> $GITHUB_ENV
- name: publish release
id: publish-release
uses: actions/github-script@v7
env:
release_id: ${{ needs.create-release.outputs.release_id }}
with:
script: |
github.rest.repos.updateRelease({
owner: context.repo.owner,
repo: context.repo.repo,
tag_name: `${process.env.GIT_TAG_NAME}`,
target_commitish: 'dev',
release_id: process.env.release_id,
draft: true,
prerelease: true
})