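# Builds, signs, notarizes and publishes the Apple Silicon DMG for a tag.
# Signing material is supplied via repository secrets, is only ever written
# under $RUNNER_TEMP, and is removed again in the final cleanup step.
name: Release macOS (Apple Silicon)

on:
  push:
    tags:
      - "v*"
  workflow_dispatch:
    inputs:
      tag:
        description: "Tag to release (e.g., v0.1.2). Leave empty to use current ref."
        required: false
        type: string

# Least privilege: the job only creates a release and uploads an asset.
permissions:
  contents: write

jobs:
  release-macos-aarch64:
    runs-on: macos-14
    timeout-minutes: 240

    steps:
      # NOTE(review): the third-party actions below are referenced by mutable
      # tags (@v4, @stable). For a workflow that holds a Developer ID signing
      # key, pin each action to a full commit SHA (and let Dependabot bump it)
      # so a moved or force-pushed tag cannot change what runs here.
      - name: Checkout
        uses: actions/checkout@v4
        with:
          # Build from the tag being released rather than from whichever branch
          # the workflow was dispatched on, so the uploaded asset is built from
          # the tagged commit. On push events inputs.tag is empty and github.ref
          # is the pushed tag.
          ref: ${{ inputs.tag || github.ref }}

      - name: Setup Node
        uses: actions/setup-node@v4
        with:
          node-version: 20

      - name: Setup pnpm
        uses: pnpm/action-setup@v4
        with:
          version: 10.27.0

      - name: Install dependencies
        # --frozen-lockfile: the lockfile is the source of truth for what gets
        # installed; any drift fails the build instead of silently resolving.
        run: pnpm install --frozen-lockfile

      - name: Setup Rust
        uses: dtolnay/rust-toolchain@stable
        with:
          targets: aarch64-apple-darwin

      - name: Import Apple signing certificate
        env:
          APPLE_CODESIGN_CERT_P12_BASE64: ${{ secrets.APPLE_CODESIGN_CERT_P12_BASE64 }}
          APPLE_CODESIGN_CERT_PASSWORD: ${{ secrets.APPLE_CODESIGN_CERT_PASSWORD }}
        run: |
          set -euo pipefail

          # Fail with a clear message instead of importing an empty .p12.
          if [ -z "${APPLE_CODESIGN_CERT_P12_BASE64:-}" ]; then
            echo "::error::APPLE_CODESIGN_CERT_P12_BASE64 secret is not set" >&2
            exit 1
          fi

          KEYCHAIN_PATH="$RUNNER_TEMP/openwork-signing.keychain-db"
          KEYCHAIN_PASSWORD="$(openssl rand -hex 12)"

          # Only the keychain path is shared with later steps (needed for
          # cleanup). The password is not required again once the keychain is
          # unlocked and its partition list is set, so it is deliberately NOT
          # exported to $GITHUB_ENV, where every later step -- including the
          # npm/cargo build scripts of third-party dependencies -- could read it.
          echo "KEYCHAIN_PATH=$KEYCHAIN_PATH" >> "$GITHUB_ENV"

          security create-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
          # Auto-lock after 6h, comfortably longer than the job's 240-minute timeout.
          security set-keychain-settings -lut 21600 "$KEYCHAIN_PATH"
          security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
          security default-keychain -s "$KEYCHAIN_PATH"

          # Decode the certificate with restrictive permissions from the start.
          CERT_P12="$RUNNER_TEMP/openwork-certificate.p12"
          (umask 077 && printf '%s' "$APPLE_CODESIGN_CERT_P12_BASE64" | base64 --decode > "$CERT_P12")

          # -A allows any application to use the key without a UI prompt; the
          # partition list set below is what governs non-interactive use by
          # codesign/security on CI.
          security import "$CERT_P12" \
            -k "$KEYCHAIN_PATH" \
            -P "$APPLE_CODESIGN_CERT_PASSWORD" \
            -A \
            -T /usr/bin/codesign \
            -T /usr/bin/security

          # The decoded .p12 is no longer needed once it lives in the keychain.
          rm -f "$CERT_P12"

          security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"

          # Surface the imported identity in the log and fail early if the
          # keychain ended up with no usable code-signing identity.
          IDENTITIES="$(security find-identity -v -p codesigning "$KEYCHAIN_PATH")"
          echo "$IDENTITIES"
          if echo "$IDENTITIES" | grep -q '0 valid identities found'; then
            echo "::error::no valid code-signing identity was imported" >&2
            exit 1
          fi

      - name: Write notary API key
        env:
          APPLE_NOTARY_API_KEY_P8_BASE64: ${{ secrets.APPLE_NOTARY_API_KEY_P8_BASE64 }}
        run: |
          set -euo pipefail

          if [ -z "${APPLE_NOTARY_API_KEY_P8_BASE64:-}" ]; then
            echo "::error::APPLE_NOTARY_API_KEY_P8_BASE64 secret is not set" >&2
            exit 1
          fi

          # Private key for App Store Connect; written owner-only and deleted
          # in the cleanup step.
          NOTARY_KEY="$RUNNER_TEMP/AuthKey.p8"
          (umask 077 && printf '%s' "$APPLE_NOTARY_API_KEY_P8_BASE64" | base64 --decode > "$NOTARY_KEY")

          echo "NOTARY_KEY=$NOTARY_KEY" >> "$GITHUB_ENV"

      - name: Build Tauri DMG (Apple Silicon)
        env:
          # Read by the Tauri bundler to sign the .app inside the DMG.
          APPLE_SIGNING_IDENTITY: ${{ secrets.APPLE_SIGNING_IDENTITY }}
        run: |
          set -euo pipefail

          pnpm exec tauri build --bundles dmg

          # Locate the produced DMG without parsing `ls` output; fail loudly if
          # the bundler produced nothing. If several exist the first is used,
          # as before.
          shopt -s nullglob
          DMGS=("$GITHUB_WORKSPACE"/src-tauri/target/release/bundle/dmg/*.dmg)
          if [ "${#DMGS[@]}" -eq 0 ]; then
            echo "::error::no DMG found under src-tauri/target/release/bundle/dmg" >&2
            exit 1
          fi
          if [ "${#DMGS[@]}" -gt 1 ]; then
            echo "::warning::multiple DMGs found; using ${DMGS[0]}" >&2
          fi
          DMG_PATH="${DMGS[0]}"
          echo "DMG_PATH=$DMG_PATH" >> "$GITHUB_ENV"
          echo "Built DMG: $DMG_PATH"

      - name: Sign DMG (Developer ID)
        env:
          APPLE_SIGNING_IDENTITY: ${{ secrets.APPLE_SIGNING_IDENTITY }}
        run: |
          set -euo pipefail

          # --timestamp: a secure timestamp is required for notarization.
          codesign --force --timestamp --sign "$APPLE_SIGNING_IDENTITY" "$DMG_PATH"
          # Verify the signature we just applied before spending time on notarization.
          codesign --verify --strict --verbose=2 "$DMG_PATH"

      - name: Notarize DMG
        env:
          APPLE_NOTARY_API_KEY_ID: ${{ secrets.APPLE_NOTARY_API_KEY_ID }}
          APPLE_NOTARY_API_ISSUER_ID: ${{ secrets.APPLE_NOTARY_API_ISSUER_ID }}
        run: |
          set -euo pipefail

          # --wait blocks until Apple returns a verdict; a rejected submission
          # exits non-zero and stops the release. 3h stays within the job timeout.
          xcrun notarytool submit "$DMG_PATH" \
            --key "$NOTARY_KEY" \
            --key-id "$APPLE_NOTARY_API_KEY_ID" \
            --issuer "$APPLE_NOTARY_API_ISSUER_ID" \
            --wait --timeout 3h

      - name: Staple notarization ticket
        run: |
          set -euo pipefail

          xcrun stapler staple "$DMG_PATH"
          # Gatekeeper assessment of the stapled DMG; fails if it would be blocked.
          spctl -a -vv --type open "$DMG_PATH"

      - name: Create or update GitHub Release
        env:
          GH_TOKEN: ${{ github.token }}
          # Passed through the environment rather than interpolated into the
          # script with ${{ }} so a crafted dispatch input cannot inject shell.
          TAG_INPUT: ${{ inputs.tag }}
        run: |
          set -euo pipefail

          # Explicit tag input wins; otherwise release the ref that triggered us.
          TAG="${TAG_INPUT:-$GITHUB_REF_NAME}"

          LABEL="OpenWork macOS (Apple Silicon)"
          ASSET="${DMG_PATH}#${LABEL}"

          # --verify-tag refuses to create a release for a tag that does not
          # exist on the remote, which also catches a mistyped dispatch input.
          if gh release view "$TAG" >/dev/null 2>&1; then
            gh release upload "$TAG" "$ASSET" --clobber
          else
            gh release create "$TAG" "$ASSET" --title "OpenWork $TAG" --generate-notes --verify-tag
          fi

      - name: Clean up signing material
        # Runs even when an earlier step failed. GitHub-hosted runners are
        # ephemeral, but this keeps a self-hosted runner from retaining the
        # unlocked signing keychain or the notary private key.
        if: always()
        run: |
          set -euo pipefail

          if [ -n "${KEYCHAIN_PATH:-}" ] && [ -f "$KEYCHAIN_PATH" ]; then
            security delete-keychain "$KEYCHAIN_PATH"
          fi
          rm -f "${NOTARY_KEY:-$RUNNER_TEMP/AuthKey.p8}" "$RUNNER_TEMP/openwork-certificate.p12"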