Skip to content
Manual Release

Manual Release #139

Sign in to view logs

Manual Release

Manual Release #139

Workflow file for this run

.github/workflows/release.yml at 27554fc
name: 'Manual Release'
on:
workflow_dispatch:
permissions: {}
jobs:
publish-studio:
# required for Azure OIDC
environment:
name: azure-trusted-signing
permissions:
contents: write
id-token: write
strategy:
fail-fast: false
matrix:
platform: [macos-latest, macos-15-intel, windows-latest, ubuntu-latest]
runs-on: ${{ matrix.platform }}
steps:
- id: get-secrets
uses: grafana/shared-workflows/actions/get-vault-secrets@5d7e361bc7e0a183cde8afe9899fb7b596d2659b # v1.2.0
with:
repo_secrets: |
APPLE_CERTIFICATE_P12=apple-certificates:APPLE_CERTIFICATE_P12
CERTIFICATE_PASSWORD=apple-certificates:APPLE_CERTIFICATE_P12_PASSWORD
APPLE_API_KEY_ID=apple-certificates:APPLE_API_KEY_ID
APPLE_API_ISSUER=apple-certificates:APPLE_API_ISSUER
APPLE_API_KEY=apple-certificates:APPLE_API_KEY
SENTRY_DSN=sentry:SENTRY_DSN
SENTRY_AUTH_TOKEN=sentry:SENTRY_AUTH_TOKEN
- uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6
with:
persist-credentials: false
- name: setup node
uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5
with:
node-version: 22
# try earlier python version for appdmg
# https://github.com/electron/forge/issues/3371#issuecomment-2105195302
- name: Install Python 3.11.4
uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6
with:
python-version: '3.11.4'
- name: install dependencies
run: npm ci
- name: setup macos keychain
if: startsWith(matrix.platform, 'macos-')
run: |
echo "$APPLE_API_KEY" > ./apple_api_key.p8
echo $APPLE_CERTIFICATE_P12 | base64 --decode > certificate.p12
security create-keychain -p "$CERTIFICATE_PASSWORD" build.keychain
security default-keychain -s build.keychain
security unlock-keychain -p "$CERTIFICATE_PASSWORD" build.keychain
security import certificate.p12 -k build.keychain -P "$CERTIFICATE_PASSWORD" -T /usr/bin/codesign
security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$CERTIFICATE_PASSWORD" build.keychain
- name: publish macOS arm64
if: startsWith(matrix.platform, 'macos-latest')
env:
NODE_OPTIONS: '--max_old_space_size=8192'
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
# apple notarization
APPLE_API_KEY: ./apple_api_key.p8
# sentry integration
# sentry vite plugin integration during build
SENTRY_ORG: ${{ vars.SENTRY_ORG }}
SENTRY_PROJECT: ${{ vars.SENTRY_PROJECT }}
run: |
npm run publish
- name: publish macOS x86_64
if: startsWith(matrix.platform, 'macos-15-intel')
env:
NODE_OPTIONS: '--max_old_space_size=8192'
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
# apple notarization
APPLE_API_KEY: ./apple_api_key.p8
# sentry integration
# sentry vite plugin integration during build
SENTRY_ORG: ${{ vars.SENTRY_ORG }}
SENTRY_PROJECT: ${{ vars.SENTRY_PROJECT }}
run: |
npm run publish -- --arch=x64
- name: Get azure secrets
id: get-azure-secrets
uses: grafana/shared-workflows/actions/get-vault-secrets@5d7e361bc7e0a183cde8afe9899fb7b596d2659b # v1.2.0
if: startsWith(matrix.platform, 'windows-')
with:
export_env: false
repo_secrets: |
client-id=azure-trusted-signing:client-id
subscription-id=azure-trusted-signing:subscription-id
tenant-id=azure-trusted-signing:tenant-id
- name: Azure log in
uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
if: startsWith(matrix.platform, 'windows-')
with:
client-id: ${{ fromJSON(steps.get-azure-secrets.outputs.secrets).client-id }}
subscription-id: ${{ fromJSON(steps.get-azure-secrets.outputs.secrets).subscription-id }}
tenant-id: ${{ fromJSON(steps.get-azure-secrets.outputs.secrets).tenant-id }}
- name: Setup .NET SDK
uses: actions/setup-dotnet@2016bd2012dba4e32de620c46fe006a3ac9f0602 # v5.0.1
if: startsWith(matrix.platform, 'windows-')
with:
# renovate: datasource=dotnet-version depName=dotnet-sdk
dotnet-version: '8.0.414'
- name: Install Sign CLI tool
id: install-sign-tool
if: startsWith(matrix.platform, 'windows-')
shell: pwsh
env:
# renovate: datasource=nuget depName=sign
DOTNET_SIGN_VERSION: '0.9.1-beta.25379.1'
run: |
$toolPath = Join-Path -Path ${env:RUNNER_TEMP} -ChildPath (New-Guid).ToString()
New-Item -ItemType Directory -Path $toolPath | Out-Null
dotnet tool install --tool-path $toolPath sign --version ${env:DOTNET_SIGN_VERSION}
if ($LASTEXITCODE -ne 0) {
Write-Output "::error::Failed to install Sign CLI tool"
exit 1
}
"sign-tool=$toolPath" >> ${env:GITHUB_OUTPUT}
- name: publish Windows
if: startsWith(matrix.platform, 'windows-')
env:
NODE_OPTIONS: '--max_old_space_size=8192'
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
# windows cert
TRUSTED_SIGNING_ACCOUNT: grafana-premium-eastus
TRUSTED_SIGNING_ENDPOINT: https://eus.codesigning.azure.net/
TRUSTED_SIGNING_PROFILE: grafana-production
SIGNTOOL_PATH: ${{ steps.install-sign-tool.outputs.sign-tool }}\sign
# sentry integration
# sentry vite plugin integration during build
SENTRY_ORG: ${{ vars.SENTRY_ORG }}
SENTRY_PROJECT: ${{ vars.SENTRY_PROJECT }}
run: npm run publish
- name: publish Linux
if: startsWith(matrix.platform, 'ubuntu-')
env:
NODE_OPTIONS: '--max_old_space_size=8192'
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
# sentry integration
# sentry vite plugin integration during build
SENTRY_ORG: ${{ vars.SENTRY_ORG }}
SENTRY_PROJECT: ${{ vars.SENTRY_PROJECT }}
run: |
sudo apt install -y rpm
# There is a bug on Ubuntu 22.04 (ubuntu-latest) regarding stripping a binary for a different architecture.
# https://github.com/electron/forge/issues/3102
# https://github.com/electron/forge/issues/3701
echo "%__strip /bin/true" >> ~/.rpmmacros
npm run publish
npm run publish -- --arch=arm64
- name: cleanup macos certificates
if: startsWith(matrix.platform, 'macos-')
run: |
rm apple_api_key.p8
rm certificate.p12