chore(deps): bump openssl from 0.10.75 to 0.10.78 in /apps/desktop/src-tauri #161
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Build Linux | |
| on: | |
| workflow_call: | |
| inputs: | |
| version: | |
| description: "Version number (e.g., 1.0.0)" | |
| required: true | |
| type: string | |
| secrets: | |
| # Tauri updater signing (required for auto-updates) | |
| TAURI_PRIVATE_KEY: | |
| required: true | |
| TAURI_KEY_PASSWORD: | |
| required: false | |
| TAURI_PUBLIC_KEY: | |
| required: true | |
| outputs: | |
| artifact-name: | |
| description: "Name of the uploaded artifact" | |
| value: ${{ jobs.build.outputs.artifact-name }} | |
| pull_request: | |
| branches: | |
| - master | |
| - main | |
| env: | |
| CARGO_TERM_COLOR: always | |
| jobs: | |
| build: | |
| name: Build Linux x64 | |
| runs-on: ubuntu-22.04 | |
| outputs: | |
| artifact-name: linux-build | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| - name: Determine build mode | |
| id: build-mode | |
| run: | | |
| if [ "${{ github.event_name }}" = "pull_request" ]; then | |
| echo "mode=validation" >> $GITHUB_OUTPUT | |
| echo "version=0.0.0-dev" >> $GITHUB_OUTPUT | |
| else | |
| echo "mode=release" >> $GITHUB_OUTPUT | |
| echo "version=${{ inputs.version }}" >> $GITHUB_OUTPUT | |
| fi | |
| - name: Validate required secrets for release | |
| if: steps.build-mode.outputs.mode == 'release' | |
| env: | |
| TAURI_PRIVATE_KEY: ${{ secrets.TAURI_PRIVATE_KEY }} | |
| TAURI_PUBLIC_KEY: ${{ secrets.TAURI_PUBLIC_KEY }} | |
| run: | | |
| MISSING="" | |
| [ -z "$TAURI_PRIVATE_KEY" ] && MISSING="$MISSING TAURI_PRIVATE_KEY" | |
| [ -z "$TAURI_PUBLIC_KEY" ] && MISSING="$MISSING TAURI_PUBLIC_KEY" | |
| if [ -n "$MISSING" ]; then | |
| echo "Error: Missing required secrets for signed release:$MISSING" | |
| echo "All releases must be signed. Set up the required secrets before releasing." | |
| exit 1 | |
| fi | |
| echo "All required secrets are configured" | |
| - name: Install Linux dependencies | |
| run: | | |
| sudo apt-get update | |
| sudo apt-get install -y \ | |
| libwebkit2gtk-4.0-dev \ | |
| libgtk-3-dev \ | |
| libayatana-appindicator3-dev \ | |
| librsvg2-dev \ | |
| patchelf | |
| - name: Setup pnpm | |
| uses: pnpm/action-setup@v4 | |
| with: | |
| version: 9 | |
| - name: Setup Node.js | |
| uses: actions/setup-node@v4 | |
| with: | |
| node-version: "20" | |
| cache: "pnpm" | |
| - name: Get pnpm store directory | |
| id: get-pnpm-store | |
| shell: bash | |
| run: | | |
| STORE_PATH=$(pnpm store path --silent || echo "$HOME/.pnpm-store") | |
| echo "path=$STORE_PATH" >> $GITHUB_OUTPUT | |
| - name: Setup pnpm cache | |
| uses: actions/cache@v4 | |
| with: | |
| path: ${{ steps.get-pnpm-store.outputs.path }} | |
| key: ${{ runner.os }}-pnpm-store-${{ hashFiles('**/pnpm-lock.yaml') }} | |
| restore-keys: | | |
| ${{ runner.os }}-pnpm-store- | |
| - name: Setup Rust | |
| uses: dtolnay/rust-toolchain@stable | |
| - name: Cache Rust dependencies | |
| uses: Swatinem/rust-cache@v2 | |
| with: | |
| workspaces: apps/desktop/src-tauri | |
| - name: Install dependencies | |
| run: pnpm install --frozen-lockfile | |
| - name: Build workspace packages | |
| run: | | |
| pnpm build:mero-react | |
| - name: Generate icons | |
| working-directory: apps/desktop | |
| run: pnpm tauri icon src-tauri/icons/icon.png | |
| - name: Prepare merod binary | |
| working-directory: apps/desktop | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| run: pnpm merod:prepare | |
| - name: Strip merod binary | |
| run: | | |
| MEROD_BINARY="apps/desktop/src-tauri/merod/merod" | |
| if [ -f "$MEROD_BINARY" ]; then | |
| BEFORE=$(stat --printf="%s" "$MEROD_BINARY") | |
| strip "$MEROD_BINARY" | |
| AFTER=$(stat --printf="%s" "$MEROD_BINARY") | |
| echo "Stripped merod: $(( BEFORE / 1024 / 1024 ))MB → $(( AFTER / 1024 / 1024 ))MB" | |
| else | |
| echo "Warning: merod binary not found at $MEROD_BINARY" | |
| fi | |
| - name: Update version in tauri.conf.json | |
| if: steps.build-mode.outputs.mode == 'release' | |
| run: | | |
| VERSION="${{ steps.build-mode.outputs.version }}" | |
| cd apps/desktop/src-tauri | |
| node -e " | |
| const fs = require('fs'); | |
| const config = JSON.parse(fs.readFileSync('tauri.conf.json', 'utf8')); | |
| config.package.version = '$VERSION'; | |
| fs.writeFileSync('tauri.conf.json', JSON.stringify(config, null, 2)); | |
| " | |
| - name: Inject updater pubkey from secret | |
| if: steps.build-mode.outputs.mode == 'release' | |
| env: | |
| TAURI_PUBLIC_KEY: ${{ secrets.TAURI_PUBLIC_KEY }} | |
| run: | | |
| if [ -n "$TAURI_PUBLIC_KEY" ]; then | |
| cd apps/desktop/src-tauri | |
| node -e " | |
| const fs = require('fs'); | |
| const config = JSON.parse(fs.readFileSync('tauri.conf.json', 'utf8')); | |
| config.tauri.updater.pubkey = process.env.TAURI_PUBLIC_KEY; | |
| fs.writeFileSync('tauri.conf.json', JSON.stringify(config, null, 2)); | |
| " | |
| echo "Injected TAURI_PUBLIC_KEY into tauri.conf.json" | |
| else | |
| echo "No TAURI_PUBLIC_KEY provided, using default pubkey" | |
| fi | |
| - name: Patch wry for webkit2gtk 0.18.2 compatibility | |
| run: | | |
| # wry 0.24.11 uses `use webkit2gtk::{traits::*, ...}` but on Linux with webkit2gtk 0.18.2 | |
| # the trait methods from SettingsExt are not resolved through the glob. Adding the | |
| # explicit import is the fix the Rust compiler itself suggests. | |
| cargo fetch --manifest-path apps/desktop/src-tauri/Cargo.toml | |
| WRY_MOD=$(find ~/.cargo/registry/src -name "mod.rs" -path "*/wry-0.24.*/src/webview/webkitgtk/*" 2>/dev/null | head -1) | |
| if [ -n "$WRY_MOD" ]; then | |
| if ! grep -q "use webkit2gtk::SettingsExt" "$WRY_MOD"; then | |
| sed -i 's/^use webkit2gtk::{/use webkit2gtk::SettingsExt;\nuse webkit2gtk::{/' "$WRY_MOD" | |
| echo "Patched: $WRY_MOD" | |
| else | |
| echo "Already patched, skipping." | |
| fi | |
| else | |
| echo "wry webkitgtk mod.rs not found in cargo cache" | |
| exit 1 | |
| fi | |
| - name: Build Tauri app for Linux | |
| working-directory: apps/desktop | |
| env: | |
| # beforeBuildCommand runs merod:prepare again; reuse binary from "Prepare merod binary" (no GITHUB_TOKEN here). | |
| MEROD_SKIP_IF_EXISTS: "1" | |
| TAURI_PRIVATE_KEY: ${{ secrets.TAURI_PRIVATE_KEY }} | |
| TAURI_KEY_PASSWORD: ${{ secrets.TAURI_KEY_PASSWORD }} | |
| run: pnpm exec tauri build --bundles appimage,deb,rpm | |
| - name: Verify build outputs | |
| if: steps.build-mode.outputs.mode == 'validation' | |
| run: | | |
| echo "Checking for expected build outputs..." | |
| APPIMAGE_FILE=$(find apps/desktop/src-tauri/target/release/bundle -name "*.AppImage" 2>/dev/null | head -1) | |
| DEB_FILE=$(find apps/desktop/src-tauri/target/release/bundle -name "*.deb" 2>/dev/null | head -1) | |
| RPM_FILE=$(find apps/desktop/src-tauri/target/release/bundle -name "*.rpm" 2>/dev/null | head -1) | |
| if [ -z "$APPIMAGE_FILE" ]; then | |
| echo "Error: AppImage not found" | |
| exit 1 | |
| fi | |
| echo "AppImage: $APPIMAGE_FILE ($(du -sh "$APPIMAGE_FILE" | cut -f1))" | |
| [ -n "$DEB_FILE" ] && echo "DEB: $DEB_FILE ($(du -sh "$DEB_FILE" | cut -f1))" | |
| [ -n "$RPM_FILE" ] && echo "RPM: $RPM_FILE ($(du -sh "$RPM_FILE" | cut -f1))" | |
| echo "Build validation passed" | |
| - name: Collect and normalize assets | |
| if: steps.build-mode.outputs.mode == 'release' | |
| run: | | |
| node scripts/release/collect-assets.cjs \ | |
| --version "${{ steps.build-mode.outputs.version }}" \ | |
| --platform linux \ | |
| --output release-assets/ | |
| - name: Upload artifacts | |
| if: steps.build-mode.outputs.mode == 'release' | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: linux-build | |
| path: release-assets/ | |
| retention-days: 7 |