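---
name: Publish Desktop App
run-name: "${{ format('publish desktop {0}', github.event_name == 'workflow_dispatch' && inputs.tag || github.ref_name) }}"
# Triggered manually or by publish-executor-package.yml after a CLI release
# lands. Builds Electron distributables for mac/win/linux with the Bun-compiled
# sidecar bundled in `resources/sidecar/`, then attaches them to the GitHub
# release matching the tag so electron-updater can pick them up.
#
# Trust boundary: `inputs.tag` is free text supplied by whoever dispatched the
# run. It is only ever handed to the validation script through an env var
# (never interpolated into a `run:` line), and every later step uses the
# RELEASE_TAG value the script writes back via `--write-env`. The validator
# always runs from the ref that triggered the workflow, *before* the release
# tag is checked out, so the tag being published cannot ship its own copy of
# the validator.
#
# Hardening note: third-party actions are referenced by major tag here;
# pinning each `uses:` to a full commit SHA (keeping the tag in a trailing
# comment) protects the release pipeline against a moved or compromised tag.
on:
  workflow_dispatch:
    inputs:
      tag:
        description: Git tag to publish (e.g. v1.4.1)
        required: true
        type: string

# Read-only by default; only the `release` job escalates to `contents: write`.
permissions:
  contents: read

# Serialise publishes per ref; never cancel an in-flight publish, since a
# half-uploaded release is worse than a queued one.
concurrency:
  group: publish-desktop-${{ github.ref }}
  cancel-in-progress: false

jobs:
  build:
    permissions:
      contents: read
    strategy:
      # Keep building the other platforms when one fails; the `release` job
      # still requires every matrix leg to succeed before anything is promoted.
      fail-fast: false
      matrix:
        include:
          - os: macos-latest
            arch: arm64
            platform: mac
            bun-target: bun-darwin-arm64
          - os: macos-latest
            arch: x64
            platform: mac
            bun-target: bun-darwin-x64
          - os: ubuntu-latest
            arch: x64
            platform: linux
            bun-target: bun-linux-x64
          - os: windows-latest
            arch: x64
            platform: win
            bun-target: bun-windows-x64
    runs-on: ${{ matrix.os }}
    steps:
      # Checkout of the triggering ref: supplies the trusted validation script.
      # persist-credentials=false keeps the checkout token out of .git/config
      # for the steps below that execute code from the release tag.
      - name: Checkout
        uses: actions/checkout@v4
        with:
          persist-credentials: false
      - name: Setup Bun
        uses: oven-sh/setup-bun@v2
        with:
          bun-version: 1.3.11
      # The raw input is passed only via env, not interpolated into the
      # command. The script is expected to export the validated value as
      # RELEASE_TAG through $GITHUB_ENV for the steps that follow.
      - name: Validate release tag
        env:
          RAW_RELEASE_TAG: ${{ inputs.tag }}
        run: bun run scripts/validate-release-ref.ts --tag-env RAW_RELEASE_TAG --write-env RELEASE_TAG
      # Switch the workspace to the (now validated) tag. RELEASE_PAT is used
      # when present; otherwise the run's own token, which is enough to fetch
      # tags from this repository.
      - name: Checkout release tag
        env:
          GH_TOKEN: ${{ secrets.RELEASE_PAT || github.token }}
        shell: bash
        run: |
          auth_remote="https://x-access-token:${GH_TOKEN}@github.com/${GITHUB_REPOSITORY}.git"
          git fetch --force --tags "$auth_remote" "refs/tags/$RELEASE_TAG:refs/tags/$RELEASE_TAG"
          git checkout --detach "$RELEASE_TAG"
      - name: Setup Node
        uses: actions/setup-node@v4
        with:
          node-version: 24
      - name: Install dependencies
        run: bun install --frozen-lockfile
      - name: Build web app
        run: bun run --filter @executor-js/local build
      - name: Build sidecar binary + stage web UI
        env:
          BUN_TARGET: ${{ matrix.bun-target }}
        run: bun ./scripts/build-sidecar.ts
        working-directory: apps/desktop
      - name: Build Electron main/preload/renderer
        run: bunx --bun electron-vite build
        working-directory: apps/desktop
      # mac only, and only when the secret exists: materialise the notarytool
      # key under RUNNER_TEMP and publish its path for the build step.
      - name: Stage Apple API key (mac signing + notarization)
        if: matrix.platform == 'mac' && env.APPLE_API_KEY != ''
        env:
          APPLE_API_KEY: ${{ secrets.APPLE_API_KEY }}
        run: |
          mkdir -p "${RUNNER_TEMP}/private_keys"
          printf '%s' "$APPLE_API_KEY" > "${RUNNER_TEMP}/private_keys/AuthKey.p8"
          echo "APPLE_API_KEY_PATH=${RUNNER_TEMP}/private_keys/AuthKey.p8" >> "$GITHUB_ENV"
      - name: Build desktop distributables
        env:
          # electron-builder reads GH_TOKEN for the publish step. We use
          # --publish never here and attach assets explicitly in the release
          # job so we don't fight electron-updater's metadata expectations.
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          # Apple signing + notarization. electron-builder picks these up:
          #   CSC_LINK / CSC_KEY_PASSWORD → import the Developer ID Application
          #     cert (.p12, base64) into a temp keychain for codesign
          #   APPLE_API_KEY (file path) / APPLE_API_KEY_ID / APPLE_API_ISSUER
          #     → notarytool authentication for the notarization upload
          # When the secrets aren't set (forks, local), electron-builder
          # silently produces an unsigned build — check the job log for
          # signing/notarization output before trusting a release.
          CSC_LINK: ${{ secrets.CSC_LINK }}
          CSC_KEY_PASSWORD: ${{ secrets.CSC_KEY_PASSWORD }}
          APPLE_API_KEY: ${{ env.APPLE_API_KEY_PATH }}
          APPLE_API_KEY_ID: ${{ secrets.APPLE_API_KEY_ID }}
          APPLE_API_ISSUER: ${{ secrets.APPLE_API_ISSUER }}
        run: bunx --bun electron-builder --${{ matrix.platform }} --${{ matrix.arch }} --publish never --config electron-builder.config.ts
        working-directory: apps/desktop
      - name: Upload artifacts
        uses: actions/upload-artifact@v4
        with:
          name: desktop-${{ matrix.platform }}-${{ matrix.arch }}
          path: |
            apps/desktop/dist/*.dmg
            apps/desktop/dist/*.zip
            apps/desktop/dist/*.exe
            apps/desktop/dist/*.AppImage
            apps/desktop/dist/*.deb
            apps/desktop/dist/*.rpm
            apps/desktop/dist/latest*.yml
          # Every matrix leg must produce at least one distributable. Failing
          # here (instead of warning) stops the `release` job from promoting a
          # draft that is missing a platform.
          if-no-files-found: error

  release:
    needs: build
    runs-on: ubuntu-latest
    permissions:
      contents: write
    steps:
      - name: Checkout validation script
        uses: actions/checkout@v4
        with:
          persist-credentials: false
      - name: Setup Bun
        uses: oven-sh/setup-bun@v2
        with:
          bun-version: 1.3.11
      # Re-validate in this job: GITHUB_ENV values do not cross job boundaries.
      - name: Validate release tag
        env:
          RAW_RELEASE_TAG: ${{ inputs.tag }}
        run: bun run scripts/validate-release-ref.ts --tag-env RAW_RELEASE_TAG --write-env RELEASE_TAG
      - name: Download all artifacts
        uses: actions/download-artifact@v4
        with:
          path: artifacts
          # NOTE(review): the two mac matrix legs both write latest*.yml under
          # the same dist/ path, so one copy overwrites the other when merged
          # here — confirm the surviving electron-updater metadata covers both
          # mac architectures.
          merge-multiple: true
      # --clobber makes a re-run idempotent when some assets were already
      # attached by an earlier, failed attempt.
      - name: Upload to GitHub Release
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          set -euo pipefail
          uploaded=0
          while IFS= read -r file; do
            echo "Uploading: $file"
            gh release upload "$RELEASE_TAG" "$file" --repo "$GITHUB_REPOSITORY" --clobber
            uploaded=$((uploaded + 1))
          done < <(find artifacts -type f \
            \( -name "*.dmg" -o -name "*.zip" -o -name "*.exe" \
               -o -name "*.AppImage" -o -name "*.deb" -o -name "*.rpm" \
               -o -name "latest*.yml" \))
          # Refuse to continue (and therefore to promote the draft) when no
          # asset was found: an empty release must never become "latest".
          if [ "$uploaded" -eq 0 ]; then
            echo "::error::no desktop assets found under artifacts/"
            exit 1
          fi
      # Flip draft → published only after every desktop asset is uploaded —
      # this is the atomic point where the new tag becomes "latest".
      - name: Promote release (draft → published)
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: gh release edit "$RELEASE_TAG" --draft=false --repo "$GITHUB_REPOSITORY"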