Skip to content

build package release #76

build package release

build package release #76

Workflow file for this run

name: build package release
on:
workflow_dispatch :
inputs:
release:
description: Create a github release
type: boolean
required: false
default: false
jobs:
build_on_linux:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-node@master
with:
node-version: 20
- name: install rpm tool
run:
sudo apt-get update;
sudo apt install rpm
- name: install dependencies
run: npm install
- name: package
run: npm run deploy
- name: store artifacts
uses: actions/upload-artifact@v4
with:
name: upverse-linux-packages
path: |
out/upverse*.deb
out/upverse*.tar.gz
build_on_mac_with_codesign_notarization:
runs-on: macos-latest
steps:
- name: "Prepare Codesigning"
# Extract the secrets we defined earlier as environment variables
env:
MACOS_CERTIFICATE: ${{ secrets.PROD_MACOS_DEVELOPER_ID_CERTIFICATE }}
MACOS_CERTIFICATE_PWD: ${{ secrets.PROD_MACOS_DEVELOPER_ID_CERTIFICATE_PWD }}
MACOS_CERTIFICATE_NAME: ${{ secrets.PROD_MACOS_DEVELOPER_ID_CERTIFICATE_NAME }}
MACOS_CI_KEYCHAIN_PWD: ${{ secrets.PROD_MACOS_CI_KEYCHAIN_PWD }}
run: |
# Turn our base64-encoded certificate back to a regular .p12 file
echo $MACOS_CERTIFICATE | base64 --decode > certificate.p12
# We need to create a new keychain, otherwise using the certificate will prompt
# with a UI dialog asking for the certificate password, which we can't
# use in a headless CI environment
security create-keychain -p "$MACOS_CI_KEYCHAIN_PWD" build.keychain
security default-keychain -s build.keychain
security unlock-keychain -p "$MACOS_CI_KEYCHAIN_PWD" build.keychain
security import certificate.p12 -k build.keychain -P "$MACOS_CERTIFICATE_PWD" -T /usr/bin/codesign
security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$MACOS_CI_KEYCHAIN_PWD" build.keychain
- uses: actions/checkout@v4
- uses: actions/setup-node@master
with:
node-version: 20
- name: get-package-version
id: package-version
uses: beaconbrigade/[email protected]
- name: install dependencies
run: npm install
- name: package # Codesigning should run automatically here by electron_builder
run: npm run deploy
- name: "Notarize app bundle"
# Extract the secrets we defined earlier as environment variables
env:
PROD_MACOS_NOTARIZATION_APPLE_ID: ${{ secrets.PROD_MACOS_NOTARIZATION_APPLE_ID }}
PROD_MACOS_NOTARIZATION_TEAM_ID: ${{ secrets.PROD_MACOS_NOTARIZATION_TEAM_ID }}
PROD_MACOS_NOTARIZATION_PWD: ${{ secrets.PROD_MACOS_NOTARIZATION_APP_SPECIFIC_PWD }}
run: |
# Store the notarization credentials so that we can prevent a UI password dialog
# from blocking the CI
echo "Create keychain profile"
xcrun notarytool store-credentials "notarytool-profile" --apple-id "$PROD_MACOS_NOTARIZATION_APPLE_ID" --team-id "$PROD_MACOS_NOTARIZATION_TEAM_ID" --password "$PROD_MACOS_NOTARIZATION_PWD"
# We can't notarize an app bundle directly, but we need to compress it as an archive.
# Therefore, we create a zip file containing our app bundle, so that we can send it to the
# notarization service
#echo "Creating temp notarization archive"
#ditto -c -k --keepParent "target/mac/Espanso.app" "notarization.zip"
# Here we send the notarization request to the Apple's Notarization service, waiting for the result.
# This typically takes a few seconds inside a CI environment, but it might take more depending on the App
# characteristics. Visit the Notarization docs for more information and strategies on how to optimize it if
# you're curious
echo "Notarize app x64"
xcrun notarytool submit "out/upverse-${{ steps.package-version.outputs.version }}-mac-x64.zip" --keychain-profile "notarytool-profile" --wait
# Finally, we need to "attach the staple" to our executable, which will allow our app to be
# validated by macOS even when an internet connection is not available.
echo "Attach staple"
xcrun stapler staple "out/mac/upverse.app"
echo "Notarize app arm64"
xcrun notarytool submit "out/upverse-${{ steps.package-version.outputs.version }}-mac-arm64.zip" --keychain-profile "notarytool-profile" --wait
# Finally, we need to "attach the staple" to our executable, which will allow our app to be
# validated by macOS even when an internet connection is not available.
echo "Attach staple"
xcrun stapler staple "out/mac-arm64/upverse.app"
#Rezip the notarized app
ditto -c -k --keepParent "out/mac/upverse.app" "upverse-${{ steps.package-version.outputs.version }}-mac-x64-signed.zip"
ditto -c -k --keepParent "out/mac-arm64/upverse.app" "upverse-${{ steps.package-version.outputs.version }}-mac-arm64-signed.zip"
- name: store artifacts
uses: actions/upload-artifact@v4
with:
name: upverse-mac-packages
path: upverse*.zip
build_on_win:
runs-on: windows-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-node@master
with:
node-version: 20
- name: install dependencies
run: npm install
- name: package
run: npm run deploy
- name: store artifacts
uses: actions/upload-artifact@v4
with:
name: upverse-win-packages
path: |
out\upverse*.zip
out\upverse*.msi
out\upverse*.exe
release:
runs-on: ubuntu-latest
needs: [ build_on_linux, build_on_mac_with_codesign_notarization, build_on_win ]
if: ${{ github.event.inputs.release == 'true' }}
steps:
- name: checkout
uses: actions/checkout@v4
- name: get-package-version
id: package-version
uses: beaconbrigade/[email protected]
- name: download artifacts
uses: actions/download-artifact@v4
- name: release
uses: softprops/[email protected]
with:
name: v${{ steps.package-version.outputs.version }}
tag_name: v${{ steps.package-version.outputs.version }}
draft: false
prerelease: true
files: |
upverse-mac-packages/upverse-${{ steps.package-version.outputs.version }}-mac-x64-signed.zip
upverse-mac-packages/upverse-${{ steps.package-version.outputs.version }}-mac-arm64-signed.zip
upverse-linux-packages/upverse-${{ steps.package-version.outputs.version }}-linux-x64.tar.gz
upverse-linux-packages/upverse-${{ steps.package-version.outputs.version }}-linux-amd64.deb
upverse-win-packages/upverse-${{ steps.package-version.outputs.version }}-win-x64.zip
upverse-win-packages/upverse-${{ steps.package-version.outputs.version }}-win-x64.exe