-
Notifications
You must be signed in to change notification settings - Fork 3
172 lines (149 loc) · 6.29 KB
/
Copy pathrelease.yml
File metadata and controls
172 lines (149 loc) · 6.29 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
name: Release
# Triggered by pushing a tag like v0.1.0. Builds the desktop app natively on
# each OS (Electrobun does not cross-compile) and uploads every build straight
# to the GitHub Release — bypassing actions/upload-artifact so the workflow
# keeps working even when the account-wide Actions artifact storage quota is
# full.
on:
push:
tags:
- "v*"
permissions:
contents: write
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: false
jobs:
# 1. Create a draft release up front so every platform job can append to it.
prepare-release:
name: Prepare draft release
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v5
- name: Create or reset draft release
uses: softprops/action-gh-release@v2
with:
tag_name: ${{ github.ref_name }}
name: Skiller ${{ github.ref_name }}
body: |
Desktop installers — download the one that matches your OS:
- **macOS (Apple Silicon):** `stable-macos-arm64-Skiller.dmg` (signed + notarized — drag to Applications)
- **Windows (x64):** `stable-win-x64-Skiller-Setup.zip` (extract and run `Skiller.exe`)
- **Linux (x64):** `stable-linux-x64-Skiller-Setup.tar.gz` (extract and run `bin/launcher`)
After the first install, Skiller checks this release on launch and
via **Settings → App Updates**. Updates are downloaded in the
background (delta patches when available) and applied on next
restart — no manual re-install required.
draft: true
prerelease: false
generate_release_notes: true
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
build-desktop:
name: Build ${{ matrix.label }}
needs: prepare-release
runs-on: ${{ matrix.runner }}
strategy:
fail-fast: false
matrix:
include:
- label: macos-arm64
runner: macos-14
script: dist:mac
- label: windows-x64
runner: windows-latest
script: build:win
- label: linux-x64
runner: ubuntu-latest
script: build:linux
steps:
- uses: actions/checkout@v5
- uses: oven-sh/setup-bun@v2
with:
bun-version: latest
# create-dmg produces the styled, drag-to-Applications DMG that
# replaces Electrobun's default.
- name: Install create-dmg (macOS)
if: runner.os == 'macOS'
run: brew install create-dmg
# Linux deps needed by Electrobun's WebKitGTK webview + system tooling.
- name: Install Linux deps
if: runner.os == 'Linux'
run: |
sudo apt-get update
sudo apt-get install -y --no-install-recommends \
build-essential pkg-config cmake \
libgtk-3-dev libwebkit2gtk-4.1-dev \
libayatana-appindicator3-dev librsvg2-dev
- run: bun install --frozen-lockfile
# Import the Developer ID signing cert into a temporary keychain. The
# macOS runner has no signing identity by default; without this,
# `codesign --sign "$ELECTROBUN_DEVELOPER_ID" …` fails with
# "The specified item could not be found in the keychain."
- name: Import Developer ID certificate (macOS)
if: runner.os == 'macOS'
env:
MACOS_CERT_P12: ${{ secrets.MACOS_CERT_P12 }}
MACOS_CERT_P12_PASSWORD: ${{ secrets.MACOS_CERT_P12_PASSWORD }}
MACOS_KEYCHAIN_PASSWORD: ${{ secrets.MACOS_KEYCHAIN_PASSWORD }}
run: |
KEYCHAIN_PATH="$RUNNER_TEMP/skiller-build.keychain-db"
CERT_PATH="$RUNNER_TEMP/cert.p12"
echo "$MACOS_CERT_P12" | base64 --decode > "$CERT_PATH"
security create-keychain -p "$MACOS_KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
security set-keychain-settings -lut 21600 "$KEYCHAIN_PATH"
security unlock-keychain -p "$MACOS_KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
security import "$CERT_PATH" \
-P "$MACOS_CERT_P12_PASSWORD" \
-A -t cert -f pkcs12 \
-k "$KEYCHAIN_PATH"
# Allow codesign to use the key without a UI prompt.
security set-key-partition-list -S apple-tool:,apple:,codesign: \
-s -k "$MACOS_KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
# Put our keychain first in the search list so codesign finds it.
security list-keychain -d user -s "$KEYCHAIN_PATH" login.keychain
rm -f "$CERT_PATH"
# Write the App Store Connect API .p8 key from a secret so notarytool can
# use it. Secret contents should be the raw contents of AuthKey_XXXX.p8.
- name: Write notarization API key (macOS)
if: runner.os == 'macOS' && env.ELECTROBUN_APPLEAPIKEY_P8 != ''
env:
ELECTROBUN_APPLEAPIKEY_P8: ${{ secrets.ELECTROBUN_APPLEAPIKEY_P8 }}
run: |
KEY_PATH="$RUNNER_TEMP/AuthKey.p8"
printf '%s' "$ELECTROBUN_APPLEAPIKEY_P8" > "$KEY_PATH"
chmod 600 "$KEY_PATH"
echo "ELECTROBUN_APPLEAPIKEYPATH=$KEY_PATH" >> "$GITHUB_ENV"
- name: Build app
env:
# macOS signing + notarization (no-op on other OSes)
ELECTROBUN_DEVELOPER_ID: ${{ secrets.ELECTROBUN_DEVELOPER_ID }}
ELECTROBUN_APPLEAPIISSUER: ${{ secrets.ELECTROBUN_APPLEAPIISSUER }}
ELECTROBUN_APPLEAPIKEY: ${{ secrets.ELECTROBUN_APPLEAPIKEY }}
run: bun run ${{ matrix.script }}
# Upload every artifact directly to the draft Release. This avoids
# actions/upload-artifact entirely — no Actions storage quota involved.
- name: Upload build outputs to Release
uses: softprops/action-gh-release@v2
with:
tag_name: ${{ github.ref_name }}
draft: true
files: artifacts/*
fail_on_unmatched_files: true
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
publish-release:
name: Publish release
needs: build-desktop
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v5
# Flip the draft to published once every platform job succeeded.
- name: Publish release
uses: softprops/action-gh-release@v2
with:
tag_name: ${{ github.ref_name }}
draft: false
prerelease: false
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}