-
Notifications
You must be signed in to change notification settings - Fork 3
147 lines (125 loc) · 5.74 KB
/
release.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
name: 'publish'
on:
push:
branches:
- release
jobs:
publish:
strategy:
fail-fast: false
matrix:
platform: [windows-2019, macos-12, macos-latest, ubuntu-22.04]
env:
MACOSX_DEPLOYMENT_TARGET: 10.13
permissions:
contents: write
runs-on: ${{ matrix.platform }}
steps:
- uses: actions/checkout@v2
- name: Setup for macOS code signing
if: matrix.platform == 'macos-12' || matrix.platform == 'macos-latest'
uses: matthme/import-codesign-certs@5565bb656f60c98c8fc515f3444dd8db73545dc2
with:
p12-file-base64: ${{ secrets.APPLE_CERTIFICATE }}
p12-password: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
- name: setup node
uses: actions/setup-node@v1
with:
node-version: 20
- name: Retrieve version
run: |
echo "Retrieved App version: $(node -p -e "require('./package.json').version")"
echo "APP_VERSION=$(node -p -e "require('./package.json').version")" >> $GITHUB_OUTPUT
id: version
shell: bash
- name: Retrieve appId
run: |
echo "APP_ID=$(node ./scripts/read-app-id.js)" >> $GITHUB_OUTPUT
id: appId
shell: bash
- name: Retrieve whether Windows code signing should be attempted
run: |
echo "WINDOWS_CODE_SIGNING=$(node ./scripts/read-windows-code-signing.js)" >> $GITHUB_OUTPUT
id: shouldWindowsCodeSign
shell: bash
- name: install Rust
uses: dtolnay/[email protected]
- name: install Go stable
uses: actions/setup-go@v4
with:
go-version: 'stable'
- name: Environment setup
run: |
yarn setup
# This step is only used for testing in the official kangaroo repo
- name: Overwrite Names for release testing
if: ${{ github.repository }} == 'https://github.com/holochain-apps/holochain-kangaroo-electron'
run: |
echo ${{ github.repository }}
echo "overwriting names for release testing"
node ./scripts/overwrite-with-test-name.js
- name: build and upload the app (macOS arm64)
if: matrix.platform == 'macos-latest'
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
APPLE_DEV_IDENTITY: ${{ secrets.APPLE_DEV_IDENTITY }}
APPLE_ID_EMAIL: ${{ secrets.APPLE_ID_EMAIL }}
APPLE_ID_PASSWORD: ${{ secrets.APPLE_ID_PASSWORD }}
APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
DEBUG: electron-osx-sign*,electron-notarize*
run: |
yarn build:mac-arm64
ls dist
- name: build and upload the app (macOS x86)
if: matrix.platform == 'macos-12'
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
APPLE_DEV_IDENTITY: ${{ secrets.APPLE_DEV_IDENTITY }}
APPLE_ID_EMAIL: ${{ secrets.APPLE_ID_EMAIL }}
APPLE_ID_PASSWORD: ${{ secrets.APPLE_ID_PASSWORD }}
APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
DEBUG: electron-osx-sign*,electron-notarize*
run: |
yarn build:mac-x64
ls dist
- name: build and upload the app (Ubuntu 22.04)
if: matrix.platform == 'ubuntu-22.04'
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
yarn build:linux
ls dist
# Modify the postinst script of the .deb file
node ./scripts/extend-deb-postinst.mjs
gh release upload "v${{ steps.version.outputs.APP_VERSION }}" "latest-linux.yml" --clobber
gh release upload "v${{ steps.version.outputs.APP_VERSION }}" "dist/${{ steps.appId.outputs.APP_ID }}_${{ steps.version.outputs.APP_VERSION }}_amd64.deb" --clobber
- name: build, sign and upload the app (Windows)
shell: bash
if: matrix.platform == 'windows-2019'
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
yarn build:win
ls dist
# If Windows EV code signing is set to true in kangaroo.config.ts, do code signing here
if [ "${{steps.shouldWindowsCodeSign.output.WINDOWS_CODE_SIGNING}}" == true ]; then
# Assumes this setup of EV certificates:
# https://melatonin.dev/blog/how-to-code-sign-windows-installers-with-an-ev-cert-on-github-actions/
# Sign the .exe file
dotnet tool install --global --version 4.0.1 AzureSignTool
echo "sha512 before code signing"
CertUtil -hashfile "dist/${{ steps.appId.outputs.APP_ID }}-${{ steps.version.outputs.APP_VERSION }}-setup.exe" SHA512
AzureSignTool sign -kvu "${{ secrets.AZURE_KEY_VAULT_URI }}" -kvi "${{ secrets.AZURE_CLIENT_ID }}" -kvt "${{ secrets.AZURE_TENANT_ID }}" -kvs "${{ secrets.AZURE_CLIENT_SECRET }}" -kvc ${{ secrets.AZURE_CERT_NAME }} -tr http://timestamp.digicert.com -v "dist/${{ steps.appId.outputs.APP_ID }}-${{ steps.version.outputs.APP_VERSION }}-setup.exe"
echo "sha512 after code signing"
CertUtil -hashfile "dist/${{ steps.appId.outputs.APP_ID }}-${{ steps.version.outputs.APP_VERSION }}-setup.exe" SHA512
# Overwrite the latest.yml one with one containing the sha512 of the code signed .exe file
node ./scripts/latest-yaml.js
gh release upload "v${{ steps.version.outputs.APP_VERSION }}" "latest.yml" --clobber
gh release upload "v${{ steps.version.outputs.APP_VERSION }}" "dist/${{ steps.appId.outputs.APP_ID }}-${{ steps.version.outputs.APP_VERSION }}-setup.exe" --clobber
fi
- name: Merge latest-mac.yml mac release files
if: matrix.platform == 'macos-latest' || matrix.platform == 'macos-12'
run: |
node ./scripts/merge-mac-yamls.mjs
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}