release.yml
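# Release workflow: builds the service binaries for every target in the
# matrix, code-signs the macOS builds, and publishes each target's binaries to
# a GitHub release whose tag is named after the target triple.
name: Release CI

on:
  workflow_dispatch:
  push:
    branches:
      - 'v*.*.*'

# Least privilege: the steps that use GITHUB_TOKEN below (Update Tag and both
# Release steps) move a tag and publish release assets, which `contents: write`
# covers. This replaces `write-all`, which granted every token scope to every
# action in the job.
# NOTE(review): ./.github/build-for-linux is not visible from this file; if it
# needs another scope, grant that scope explicitly rather than restoring
# write-all.
permissions:
  contents: write

jobs:
  release-update:
    strategy:
      fail-fast: false
      matrix:
        include:
          - os: windows-latest
            target: x86_64-pc-windows-msvc
          - os: windows-latest
            target: i686-pc-windows-msvc
          - os: windows-latest
            target: aarch64-pc-windows-msvc
          - os: ubuntu-latest
            target: x86_64-unknown-linux-gnu
          - os: ubuntu-latest
            target: i686-unknown-linux-gnu
          - os: ubuntu-latest
            target: aarch64-unknown-linux-gnu
          - os: ubuntu-latest
            target: armv7-unknown-linux-gnueabihf
          - os: macos-latest  # Apple Silicon
            target: aarch64-apple-darwin
            arch: arm64
          - os: macos-15-intel  # Intel macOS
            target: x86_64-apple-darwin
            arch: x86_64

    runs-on: ${{ matrix.os }}

    # NOTE(review): the third-party actions below are referenced by mutable
    # refs (@master, @v1, @v2, @v6). This job handles the release token and the
    # Apple signing secrets, so pinning each action to a full commit SHA keeps
    # a moved tag or branch from changing what runs here.
    steps:
      - name: Checkout repository
        uses: actions/checkout@v6

      # Linux targets are built by the local action further down, so the
      # toolchain is only installed on Windows and macOS runners.
      - name: Install Rust
        if: matrix.os != 'ubuntu-latest'
        uses: dtolnay/rust-toolchain@master
        with:
          toolchain: stable

      - name: Add Rust Target
        if: matrix.os != 'ubuntu-latest'
        run: rustup target add ${{ matrix.target }}

      # macOS-specific cross-compilation setup.
      # matrix.target is interpolated into the script text; it only ever takes
      # the static values listed in the matrix above.
      - name: Setup macOS cross compilation
        if: startsWith(matrix.os, 'macos')
        run: |
          echo "CARGO_TARGET_$(echo ${{ matrix.target }} | tr '[:lower:]' '[:upper:]' | tr '-' '_')_LINKER=clang" >> "$GITHUB_ENV"
          echo "CC_$(echo ${{ matrix.target }} | tr '-' '_')=clang" >> "$GITHUB_ENV"
          echo "CXX_$(echo ${{ matrix.target }} | tr '-' '_')=clang++" >> "$GITHUB_ENV"
          # Set the SDK path and the minimum deployment target per architecture.
          if [ "${{ matrix.target }}" = "x86_64-apple-darwin" ]; then
            echo "SDKROOT=$(xcrun --sdk macosx --show-sdk-path)" >> "$GITHUB_ENV"
            echo "MACOSX_DEPLOYMENT_TARGET=10.15" >> "$GITHUB_ENV"
          elif [ "${{ matrix.target }}" = "aarch64-apple-darwin" ]; then
            echo "SDKROOT=$(xcrun --sdk macosx --show-sdk-path)" >> "$GITHUB_ENV"
            echo "MACOSX_DEPLOYMENT_TARGET=11.0" >> "$GITHUB_ENV"
          fi

      - name: Build
        if: matrix.os != 'ubuntu-latest'
        run: |
          cargo build --release --target ${{ matrix.target }} --features standalone --verbose

      - name: Build
        if: matrix.os == 'ubuntu-latest'
        uses: ./.github/build-for-linux
        with:
          target: ${{ matrix.target }}
          features: standalone

      # Moves the tag named after the target triple; the Release steps below
      # publish to that same tag.
      - name: Update Tag
        uses: richardsimko/update-tag@v1
        with:
          tag_name: ${{ matrix.target }}
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

      - name: CodeSign
        if: startsWith(matrix.os, 'macos')
        # Secrets reach the script as environment variables instead of being
        # pasted into the script text by `${{ }}` expansion, so a quote, `$` or
        # backtick inside a secret value cannot break or alter the commands.
        env:
          APPLE_CERTIFICATE: ${{ secrets.APPLE_CERTIFICATE }}
          APPLE_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
          APPLE_SIGNING_IDENTITY: ${{ secrets.APPLE_SIGNING_IDENTITY }}
        run: |
          bin_dir="target/${{ matrix.target }}/release"

          # Set up the certificate. The decoded .p12 is written outside the
          # checkout and deleted when the step exits, whether or not signing
          # succeeds.
          cert_path="$RUNNER_TEMP/cert.p12"
          trap 'rm -f "$cert_path"' EXIT
          echo "$APPLE_CERTIFICATE" | base64 --decode > "$cert_path"

          # The keychain password is a fixed, non-secret value; the keychain
          # itself is created by this step on the runner.
          security create-keychain -p github-actions github-actions.keychain
          security default-keychain -s github-actions.keychain
          security unlock-keychain -p github-actions github-actions.keychain
          security import "$cert_path" \
            -k github-actions.keychain \
            -P "$APPLE_CERTIFICATE_PASSWORD" \
            -T /usr/bin/codesign
          security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k github-actions github-actions.keychain

          echo "签名前验证架构:"
          # NOTE(review): `install-service` is not one of the binaries signed
          # below; confirm this path still exists or point it at a signed one.
          file "$bin_dir/install-service"
          lipo -info "$bin_dir/install-service" || true

          # Sign all service binaries.
          for bin in clash-verge-service clash-verge-service-install clash-verge-service-uninstall; do
            codesign --force \
              -s "$APPLE_SIGNING_IDENTITY" \
              --keychain github-actions.keychain \
              --options runtime \
              --timestamp \
              --identifier "io.github.clash-verge-rev.clash-verge-rev-service-ipc" \
              "$bin_dir/$bin"
          done

          # Verify the signatures.
          for bin in clash-verge-service clash-verge-service-install clash-verge-service-uninstall; do
            codesign -dvv "$bin_dir/$bin"
            codesign -d --entitlements /dev/stdout "$bin_dir/$bin"
          done

      # Windows artifacts carry the .exe suffix, so they get their own step.
      - name: Release
        if: matrix.os == 'windows-latest'
        uses: softprops/action-gh-release@v2
        with:
          name: ${{ matrix.target }}
          tag_name: ${{ matrix.target }}
          token: ${{ secrets.GITHUB_TOKEN }}
          files: |
            target/${{ matrix.target }}/release/clash-verge-service.exe
            target/${{ matrix.target }}/release/clash-verge-service-install.exe
            target/${{ matrix.target }}/release/clash-verge-service-uninstall.exe

      - name: Release
        if: matrix.os != 'windows-latest'
        uses: softprops/action-gh-release@v2
        with:
          name: ${{ matrix.target }}
          tag_name: ${{ matrix.target }}
          token: ${{ secrets.GITHUB_TOKEN }}
          files: |
            target/${{ matrix.target }}/release/clash-verge-service
            target/${{ matrix.target }}/release/clash-verge-service-install
            target/${{ matrix.target }}/release/clash-verge-service-uninstall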