Skip to content

Release DMG on macOS via dist:mac; sync installer names #4

Release DMG on macOS via dist:mac; sync installer names

Release DMG on macOS via dist:mac; sync installer names #4

Workflow file for this run

name: Release
# Triggered by pushing a tag like v0.1.0. Builds the desktop app natively on
# each OS (Electrobun does not cross-compile) and uploads every build straight
# to the GitHub Release — bypassing actions/upload-artifact so the workflow
# keeps working even when the account-wide Actions artifact storage quota is
# full.
on:
push:
tags:
- "v*"
permissions:
contents: write
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: false
jobs:
# 1. Create a draft release up front so every platform job can append to it.
prepare-release:
name: Prepare draft release
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v5
- name: Create or reset draft release
uses: softprops/action-gh-release@v2
with:
tag_name: ${{ github.ref_name }}
name: Skiller ${{ github.ref_name }}
body: |
Desktop installers — download the one that matches your OS:
- **macOS (Apple Silicon):** `stable-macos-arm64-Skiller.dmg` (signed + notarized — drag to Applications)
- **Windows (x64):** `stable-win-x64-Skiller-Setup.zip` (extract and run `Skiller.exe`)
- **Linux (x64):** `stable-linux-x64-Skiller-Setup.tar.gz` (extract and run `bin/launcher`)
After the first install, Skiller checks this release on launch and
via **Settings → App Updates**. Updates are downloaded in the
background (delta patches when available) and applied on next
restart — no manual re-install required.
draft: true
prerelease: false
generate_release_notes: true
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
build-desktop:
name: Build ${{ matrix.label }}
needs: prepare-release
runs-on: ${{ matrix.runner }}
strategy:
fail-fast: false
matrix:
include:
- label: macos-arm64
runner: macos-14
script: dist:mac
- label: windows-x64
runner: windows-latest
script: build:win
- label: linux-x64
runner: ubuntu-latest
script: build:linux
steps:
- uses: actions/checkout@v5
- uses: oven-sh/setup-bun@v2
with:
bun-version: latest
# create-dmg produces the styled, drag-to-Applications DMG that
# replaces Electrobun's default.
- name: Install create-dmg (macOS)
if: runner.os == 'macOS'
run: brew install create-dmg
# Linux deps needed by Electrobun's WebKitGTK webview + system tooling.
- name: Install Linux deps
if: runner.os == 'Linux'
run: |
sudo apt-get update
sudo apt-get install -y --no-install-recommends \
build-essential pkg-config cmake \
libgtk-3-dev libwebkit2gtk-4.1-dev \
libayatana-appindicator3-dev librsvg2-dev
- run: bun install --frozen-lockfile
# Import the Developer ID signing cert into a temporary keychain. The
# macOS runner has no signing identity by default; without this,
# `codesign --sign "$ELECTROBUN_DEVELOPER_ID" …` fails with
# "The specified item could not be found in the keychain."
- name: Import Developer ID certificate (macOS)
if: runner.os == 'macOS'
env:
MACOS_CERT_P12: ${{ secrets.MACOS_CERT_P12 }}
MACOS_CERT_P12_PASSWORD: ${{ secrets.MACOS_CERT_P12_PASSWORD }}
MACOS_KEYCHAIN_PASSWORD: ${{ secrets.MACOS_KEYCHAIN_PASSWORD }}
run: |
KEYCHAIN_PATH="$RUNNER_TEMP/skiller-build.keychain-db"
CERT_PATH="$RUNNER_TEMP/cert.p12"
echo "$MACOS_CERT_P12" | base64 --decode > "$CERT_PATH"
security create-keychain -p "$MACOS_KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
security set-keychain-settings -lut 21600 "$KEYCHAIN_PATH"
security unlock-keychain -p "$MACOS_KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
security import "$CERT_PATH" \
-P "$MACOS_CERT_P12_PASSWORD" \
-A -t cert -f pkcs12 \
-k "$KEYCHAIN_PATH"
# Allow codesign to use the key without a UI prompt.
security set-key-partition-list -S apple-tool:,apple:,codesign: \
-s -k "$MACOS_KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
# Put our keychain first in the search list so codesign finds it.
security list-keychain -d user -s "$KEYCHAIN_PATH" login.keychain
rm -f "$CERT_PATH"
# Write the App Store Connect API .p8 key from a secret so notarytool can
# use it. Secret contents should be the raw contents of AuthKey_XXXX.p8.
- name: Write notarization API key (macOS)
if: runner.os == 'macOS' && env.ELECTROBUN_APPLEAPIKEY_P8 != ''
env:
ELECTROBUN_APPLEAPIKEY_P8: ${{ secrets.ELECTROBUN_APPLEAPIKEY_P8 }}
run: |
KEY_PATH="$RUNNER_TEMP/AuthKey.p8"
printf '%s' "$ELECTROBUN_APPLEAPIKEY_P8" > "$KEY_PATH"
chmod 600 "$KEY_PATH"
echo "ELECTROBUN_APPLEAPIKEYPATH=$KEY_PATH" >> "$GITHUB_ENV"
- name: Build app
env:
# macOS signing + notarization (no-op on other OSes)
ELECTROBUN_DEVELOPER_ID: ${{ secrets.ELECTROBUN_DEVELOPER_ID }}
ELECTROBUN_APPLEAPIISSUER: ${{ secrets.ELECTROBUN_APPLEAPIISSUER }}
ELECTROBUN_APPLEAPIKEY: ${{ secrets.ELECTROBUN_APPLEAPIKEY }}
run: bun run ${{ matrix.script }}
# Upload every artifact directly to the draft Release. This avoids
# actions/upload-artifact entirely — no Actions storage quota involved.
- name: Upload build outputs to Release
uses: softprops/action-gh-release@v2
with:
tag_name: ${{ github.ref_name }}
draft: true
files: artifacts/*
fail_on_unmatched_files: true
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
publish-release:
name: Publish release
needs: build-desktop
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v5
# Flip the draft to published once every platform job succeeded.
- name: Publish release
uses: softprops/action-gh-release@v2
with:
tag_name: ${{ github.ref_name }}
draft: false
prerelease: false
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}