This repository was archived by the owner on Apr 28, 2026. It is now read-only.
Prepare 0.0.9 release #16
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Release | |
| on: | |
| push: | |
| tags: | |
| - "v*" | |
| workflow_dispatch: | |
| permissions: | |
| contents: write | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.ref }} | |
| cancel-in-progress: false | |
| jobs: | |
| release: | |
| runs-on: macos-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Resolve release version | |
| id: release_meta | |
| run: | | |
| version="$(node -e "console.log(JSON.parse(require('fs').readFileSync('package.json', 'utf8')).version)")" | |
| echo "version=$version" >> "$GITHUB_OUTPUT" | |
| if [ "${GITHUB_REF_TYPE}" = "tag" ]; then | |
| echo "tag=${GITHUB_REF_NAME}" >> "$GITHUB_OUTPUT" | |
| else | |
| echo "tag=v$version" >> "$GITHUB_OUTPUT" | |
| fi | |
| - name: Setup Bun | |
| uses: oven-sh/setup-bun@v2 | |
| with: | |
| bun-version: "1.3.9" | |
| - name: Setup Rust | |
| uses: dtolnay/rust-toolchain@stable | |
| with: | |
| targets: aarch64-apple-darwin | |
| - name: Rust cache | |
| uses: swatinem/rust-cache@v2 | |
| with: | |
| workspaces: src-tauri -> target | |
| - name: Install dependencies | |
| run: bun install --frozen-lockfile | |
| - name: Import Apple certificate | |
| env: | |
| APPLE_CERTIFICATE: ${{ secrets.APPLE_CERTIFICATE }} | |
| APPLE_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }} | |
| KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }} | |
| run: | | |
| python3 - <<'PY' | |
| import base64 | |
| import os | |
| certificate = os.environ["APPLE_CERTIFICATE"] | |
| with open("certificate.p12", "wb") as handle: | |
| handle.write(base64.b64decode(certificate)) | |
| PY | |
| security create-keychain -p "$KEYCHAIN_PASSWORD" build.keychain | |
| security default-keychain -s build.keychain | |
| security unlock-keychain -p "$KEYCHAIN_PASSWORD" build.keychain | |
| security set-keychain-settings -t 3600 -u build.keychain | |
| security import certificate.p12 -k build.keychain -P "$APPLE_CERTIFICATE_PASSWORD" -T /usr/bin/codesign | |
| security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$KEYCHAIN_PASSWORD" build.keychain | |
| security find-identity -v -p codesigning build.keychain | |
| - name: Resolve signing identity | |
| id: signing_identity | |
| run: | | |
| cert_info="$( | |
| security find-identity -v -p codesigning build.keychain | grep "Developer ID Application" | head -n 1 | |
| )" | |
| if [ -z "$cert_info" ]; then | |
| cert_info="$( | |
| security find-identity -v -p codesigning build.keychain | grep "Apple Development" | head -n 1 | |
| )" | |
| fi | |
| if [ -z "$cert_info" ]; then | |
| echo "No signing identity found in build.keychain" >&2 | |
| exit 1 | |
| fi | |
| cert_id="$(echo "$cert_info" | awk -F'"' '{print $2}')" | |
| echo "identity=$cert_id" >> "$GITHUB_OUTPUT" | |
| - name: Reset SwiftPM artifacts | |
| run: | | |
| rm -rf "$HOME/Library/Caches/org.swift.swiftpm/artifacts" | |
| rm -rf src-tauri/swift-permissions/.build | |
| - name: Build signed release bundles | |
| env: | |
| APPLE_ID: ${{ secrets.APPLE_ID }} | |
| APPLE_PASSWORD: ${{ secrets.APPLE_PASSWORD || secrets.APPLE_ID_PASSWORD }} | |
| APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }} | |
| APPLE_CERTIFICATE: ${{ secrets.APPLE_CERTIFICATE }} | |
| APPLE_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }} | |
| APPLE_SIGNING_IDENTITY: ${{ steps.signing_identity.outputs.identity }} | |
| KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }} | |
| TAURI_SIGNING_PRIVATE_KEY_SECRET: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY }} | |
| TAURI_SIGNING_PRIVATE_KEY_PASSWORD_SECRET: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY_PASSWORD }} | |
| run: | | |
| printf '%s' "$TAURI_SIGNING_PRIVATE_KEY_SECRET" > updater.key | |
| export TAURI_SIGNING_PRIVATE_KEY="$PWD/updater.key" | |
| export TAURI_SIGNING_PRIVATE_KEY_PASSWORD="$TAURI_SIGNING_PRIVATE_KEY_PASSWORD_SECRET" | |
| bun run tauri build --target aarch64-apple-darwin | |
| - name: Ensure GitHub release exists | |
| env: | |
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| run: | | |
| gh release view "${{ steps.release_meta.outputs.tag }}" >/dev/null 2>&1 || \ | |
| gh release create "${{ steps.release_meta.outputs.tag }}" \ | |
| --title "unsigned Char v${{ steps.release_meta.outputs.version }}" \ | |
| --notes-file release-notes.md | |
| - name: Generate updater manifest | |
| env: | |
| GITHUB_REPOSITORY: ${{ github.repository }} | |
| run: node scripts/build-updater-manifest.mjs "${{ steps.release_meta.outputs.version }}" | |
| - name: Upload updater assets and manifest | |
| env: | |
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| run: | | |
| dmg="$(find src-tauri/target/aarch64-apple-darwin/release/bundle/dmg -maxdepth 1 -name '*.dmg' | head -n 1)" | |
| archive="$(find src-tauri/target/aarch64-apple-darwin/release/bundle/macos -maxdepth 1 -name '*.app.tar.gz' | head -n 1)" | |
| signature="${archive}.sig" | |
| cp "$dmg" unsigned-char-aarch64.dmg | |
| cp "$archive" unsigned-char-aarch64.app.tar.gz | |
| cp "$signature" unsigned-char-aarch64.app.tar.gz.sig | |
| gh release upload "${{ steps.release_meta.outputs.tag }}" \ | |
| unsigned-char-aarch64.dmg \ | |
| unsigned-char-aarch64.app.tar.gz \ | |
| unsigned-char-aarch64.app.tar.gz.sig \ | |
| latest.json \ | |
| --clobber |