OmniVoice-Studio/.github/workflows/release.yml at main · januscaler/OmniVoice-Studio · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
# Desktop release pipeline — self-updating binaries for mac/linux/windows.
#
# Triggers:
#   - push of a tag matching `v*` (e.g. `v0.2.0`) → full release, publishes
#     artifacts + signed updater manifest (`latest.json`) to GH Releases.
#   - workflow_dispatch → on-demand build, uploads artifacts as workflow
#     artifacts only (no release, no updater manifest).
#
# Strategy: matrix builds per target. Each runner produces a PyInstaller
# frozen backend + Tauri bundle. `tauri-apps/tauri-action` signs the updater
# payloads with TAURI_SIGNING_PRIVATE_KEY and uploads to the GH Release for
# the tag. The built-in updater plugin polls the release's `latest.json` on
# client boot.
#
# Windows/Linux support: first-pass enabled. Expect the first few runs on
# each to surface PyInstaller/Tauri issues that never showed up locally on
# macOS — iterate on CI.

name: Desktop Release

on:
  push:
    tags: ['v*']
  workflow_dispatch:
    inputs:
      draft:
        description: "Create as draft release (tag push only)"
        required: false
        default: "true"

permissions:
  contents: write    # needed to attach artifacts + updater manifest to GH Release

env:
  # Run all JavaScript actions on Node 24 (GH deprecates Node 20 in Sep 2026).
  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true

jobs:
  # Fast gating job — runs backend pytest + frontend node:test + tsc on a
  # single Linux runner. The matrix build below waits on this via `needs:`
  # so we don't burn 4× platform-matrix minutes on a broken commit.
  test:
    name: Tests (backend + frontend)
    runs-on: ubuntu-22.04
    steps:
      - uses: actions/checkout@v4

      - name: Setup Python 3.11
        uses: actions/setup-python@v5
        with:
          python-version: "3.11"

      # enable-cache persists ~/.cache/uv keyed on uv.lock.
      - name: Install uv
        uses: astral-sh/setup-uv@v3
        with:
          enable-cache: true
          cache-dependency-glob: "uv.lock"

      # Node 22 is needed for --experimental-strip-types so node:test can
      # import .ts files directly from frontend/src/api/*.
      - name: Setup Node 22
        uses: actions/setup-node@v4
        with:
          node-version: '22'

      - name: Setup Bun
        uses: oven-sh/setup-bun@v1

      # Backend tests need ffmpeg (subprocess calls in fixtures). Cache the
      # resolved .debs so warm runs skip the apt-get update + install.
      - name: System deps (ffmpeg)
        uses: awalsh128/cache-apt-pkgs-action@latest
        with:
          packages: ffmpeg
          version: 1.0

      - name: Install Python deps
        run: uv sync

      - name: Run pytest
        run: uv run pytest tests/ -q --tb=short

      - name: Cache bun deps
        uses: actions/cache@v4
        with:
          path: ~/.bun/install/cache
          key: ${{ runner.os }}-bun-${{ hashFiles('frontend/bun.lock', 'bun.lock') }}
          restore-keys: |
            ${{ runner.os }}-bun-

      - name: Install frontend deps
        working-directory: frontend
        run: bun install

      - name: Frontend typecheck
        working-directory: frontend
        run: bunx tsc --noEmit

      # Invoke node directly (not `bun run test`) because `bun run` auto-aliases
      # `node` to `bun` in script bodies, and bun doesn't support
      # --experimental-strip-types.
      - name: Run frontend node:test
        working-directory: frontend
        run: node --experimental-strip-types --no-warnings --test ../tests/frontend/*.test.mjs

  build:
    needs: test
    strategy:
      fail-fast: false
      matrix:
        include:
          - os: macos-14
            arch: aarch64-apple-darwin
            label: "macOS Apple Silicon"
            rust_target: aarch64-apple-darwin
            bundles: "app,dmg,updater"

          # macOS Intel dropped: Apple shipped the last Intel Mac in 2023 and
          # Rosetta 2 runs the ARM build natively. macos-13 runner backlog
          # was also blocking every release tag for ~10 min.
          # Windows: force MSI bundling via --bundles. NSIS fails at makensis
          # because our PyInstaller payload approaches its ~2 GB stub limit.
          - os: windows-2022
            arch: x86_64-pc-windows-msvc
            label: "Windows x64"
            rust_target: x86_64-pc-windows-msvc
            bundles: "msi,updater"

          # Linux: ship .deb + .AppImage. AppImage is universal (no distro
          # package-manager dep), runs on any glibc-2.31+ host. Now viable
          # because the thin uv-venv installer is ~10 MB (vs the prior ~2 GB
          # PyInstaller payload that exceeded linuxdeploy limits). FUSE
          # unavailability on GH runners handled via APPIMAGE_EXTRACT_AND_RUN=1.
          - os: ubuntu-22.04
            arch: x86_64-unknown-linux-gnu
            label: "Linux x64"
            rust_target: x86_64-unknown-linux-gnu
            bundles: "deb,appimage,updater"

    runs-on: ${{ matrix.os }}
    name: ${{ matrix.label }}

    steps:
      - uses: actions/checkout@v4

      # ── Language runtimes ──────────────────────────────────────────────
      - name: Setup Rust (stable)
        uses: dtolnay/rust-toolchain@stable
        with:
          targets: ${{ matrix.rust_target }}

      # Cache ~/.cargo/registry + {target}/ per rust_target. Cargo dep
      # compile is the long pole of the build — cold is ~5-7 min, warm
      # drops to ~1-2 min.
      - name: Rust cache
        uses: Swatinem/rust-cache@v2
        with:
          workspaces: frontend/src-tauri -> target
          key: ${{ matrix.rust_target }}

      - name: Setup Bun
        uses: oven-sh/setup-bun@v1

      # ── Platform deps (Tauri host requirements only — no Python here) ─
      # The runtime Python/uv bootstrap happens on the user's machine at
      # first launch, not in CI. CI only packages the source (pyproject.toml,
      # uv.lock, backend/*.py) into the Tauri installer as resources.
      - name: macOS system deps
        if: runner.os == 'macOS'
        run: |
          brew install ffmpeg || true

      - name: Linux system deps
        if: runner.os == 'Linux'
        run: |
          sudo apt-get update
          sudo apt-get install -y \
            libwebkit2gtk-4.1-dev \
            build-essential curl wget file libxdo-dev libssl-dev \
            libayatana-appindicator3-dev librsvg2-dev \
            libasound2-dev ffmpeg

      # ── Frontend build ─────────────────────────────────────────────────
      - name: Cache bun deps
        uses: actions/cache@v4
        with:
          path: ~/.bun/install/cache
          key: ${{ runner.os }}-bun-${{ hashFiles('frontend/bun.lock', 'bun.lock') }}
          restore-keys: |
            ${{ runner.os }}-bun-

      - name: Install frontend deps
        working-directory: frontend
        run: bun install

      # ── Tauri build + sign + publish ───────────────────────────────────
      # tauri-action handles: bundle, sign updater payload with the
      # TAURI_SIGNING_PRIVATE_KEY secret, attach to release, update
      # latest.json with per-platform download URLs & signatures. The
      # installer ships the repo's pyproject.toml + uv.lock + backend/
      # tree as Tauri resources; lib.rs::ensure_venv_ready recreates the
      # venv on first launch via `uv sync --frozen --no-dev`.
      # Fetch the standalone `uv` binary for the current matrix target and
      # drop it at `binaries/uv-<rust-target-triple>{ext}`. tauri.conf.json
      # references `binaries/uv` via `bundle.externalBin`, and tauri-bundler
      # picks up the per-target file automatically. The runtime then uses
      # the bundled binary instead of downloading uv on first launch.
      #
      # Pinned uv version mirrors the `UV_VERSION` constant in lib.rs; bump
      # both together when refreshing.
      - name: Bundle uv (${{ matrix.rust_target }})
        shell: bash
        env:
          UV_VERSION: "0.11.7"
          TRIPLE: ${{ matrix.rust_target }}
        run: |
          set -euo pipefail
          mkdir -p frontend/src-tauri/binaries
          case "$TRIPLE" in
            aarch64-apple-darwin|x86_64-apple-darwin|x86_64-unknown-linux-gnu)
              ARCHIVE="tar.gz"
              ;;
            x86_64-pc-windows-msvc)
              ARCHIVE="zip"
              ;;
            *)
              echo "Unsupported target for uv bundling: $TRIPLE"
              exit 1
              ;;
          esac
          URL="https://github.com/astral-sh/uv/releases/download/${UV_VERSION}/uv-${TRIPLE}.${ARCHIVE}"
          echo "Fetching $URL"
          WORK=$(mktemp -d)
          if [ "$ARCHIVE" = "zip" ]; then
            curl -fsSL "$URL" -o "$WORK/uv.zip"
            unzip -j -o "$WORK/uv.zip" -d "$WORK"
            mv "$WORK/uv.exe" "frontend/src-tauri/binaries/uv-${TRIPLE}.exe"
          else
            curl -fsSL "$URL" | tar -xz -C "$WORK"
            mv "$WORK/uv-${TRIPLE}/uv" "frontend/src-tauri/binaries/uv-${TRIPLE}"
            chmod +x "frontend/src-tauri/binaries/uv-${TRIPLE}"
          fi
          ls -la "frontend/src-tauri/binaries/"

      # Download static ffmpeg + ffprobe binaries and drop them into the
      # Tauri sidecar directory. Sources:
      #   macOS:         evermeet.cx — individual .zip per binary (x86_64,
      #                  runs fine on Apple Silicon via Rosetta 2)
      #   Linux/Windows: BtbN/FFmpeg-Builds — single archive with both bins
      - name: Bundle ffmpeg + ffprobe (${{ matrix.rust_target }})
        shell: bash
        env:
          TRIPLE: ${{ matrix.rust_target }}
        run: |
          set -euo pipefail
          BINDIR="frontend/src-tauri/binaries"
          mkdir -p "$BINDIR"
          WORK=$(mktemp -d)

          case "$TRIPLE" in
            aarch64-apple-darwin|x86_64-apple-darwin)
              # evermeet.cx ships each binary as a separate .zip containing
              # a single x86_64 Mach-O executable (runs via Rosetta on arm64).
              for TOOL in ffmpeg ffprobe; do
                if [ "$TOOL" = "ffmpeg" ]; then
                  URL="https://evermeet.cx/ffmpeg/getrelease/zip"
                else
                  URL="https://evermeet.cx/ffmpeg/getrelease/${TOOL}/zip"
                fi
                echo "Fetching $TOOL from evermeet.cx"
                curl -fsSL "$URL" -o "$WORK/${TOOL}.zip"
                unzip -o -j "$WORK/${TOOL}.zip" -d "$WORK"
                mv "$WORK/${TOOL}" "$BINDIR/${TOOL}-${TRIPLE}"
                chmod +x "$BINDIR/${TOOL}-${TRIPLE}"
              done
              ;;
            x86_64-unknown-linux-gnu)
              URL="https://github.com/BtbN/FFmpeg-Builds/releases/download/latest/ffmpeg-master-latest-linux64-gpl.tar.xz"
              echo "Fetching ffmpeg from BtbN (linux64)"
              curl -fsSL "$URL" -o "$WORK/ffmpeg.tar.xz"
              tar -xJf "$WORK/ffmpeg.tar.xz" -C "$WORK"
              # Archive extracts to ffmpeg-master-latest-linux64-gpl/bin/
              EXTRACTED=$(find "$WORK" -type d -name "bin" | head -1)
              mv "$EXTRACTED/ffmpeg"  "$BINDIR/ffmpeg-${TRIPLE}"
              mv "$EXTRACTED/ffprobe" "$BINDIR/ffprobe-${TRIPLE}"
              chmod +x "$BINDIR/ffmpeg-${TRIPLE}" "$BINDIR/ffprobe-${TRIPLE}"
              ;;
            x86_64-pc-windows-msvc)
              URL="https://github.com/BtbN/FFmpeg-Builds/releases/download/latest/ffmpeg-master-latest-win64-gpl.zip"
              echo "Fetching ffmpeg from BtbN (win64)"
              curl -fsSL "$URL" -o "$WORK/ffmpeg.zip"
              unzip -o "$WORK/ffmpeg.zip" -d "$WORK"
              EXTRACTED=$(find "$WORK" -type f -name "ffmpeg.exe" | head -1)
              EXTRACTED_DIR=$(dirname "$EXTRACTED")
              mv "$EXTRACTED_DIR/ffmpeg.exe"  "$BINDIR/ffmpeg-${TRIPLE}.exe"
              mv "$EXTRACTED_DIR/ffprobe.exe" "$BINDIR/ffprobe-${TRIPLE}.exe"
              ;;
            *)
              echo "⚠ No ffmpeg bundling for target: $TRIPLE (will download at first run)"
              ;;
          esac
          ls -la "$BINDIR/"


      # Extract the matching CHANGELOG.md section so the release body has
      # real notes instead of "see commit log". Falls back to a one-liner
      # if the tag has no matching `## [X.Y.Z]` section yet — keeps the
      # release publishable even when CHANGELOG hasn't been updated.
      - name: Extract CHANGELOG section for tag
        id: changelog
        shell: bash
        run: |
          TAG="${GITHUB_REF_NAME#v}"
          BODY=""
          if [ -f CHANGELOG.md ]; then
            BODY=$(awk -v tag="$TAG" '
              /^## \[/ {
                if (in_section) exit
                if ($0 ~ "\\[" tag "\\]") { in_section = 1; next }
              }
              in_section { print }
            ' CHANGELOG.md | sed -e :a -e '/^\n*$/{$d;N;ba' -e '}')
          fi
          if [ -z "$BODY" ]; then
            BODY="Auto-generated release for ${GITHUB_REF_NAME}. See [CHANGELOG.md](https://github.com/${GITHUB_REPOSITORY}/blob/main/CHANGELOG.md) and the commit log for details."
          fi
          {
            echo 'body<<RELEASE_BODY_EOF'
            echo "$BODY"
            echo 'RELEASE_BODY_EOF'
          } >> "$GITHUB_OUTPUT"

      - name: Build + release (Tauri)
        uses: tauri-apps/tauri-action@v0
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          TAURI_SIGNING_PRIVATE_KEY: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY }}
          TAURI_SIGNING_PRIVATE_KEY_PASSWORD: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY_PASSWORD }}
          # GH runners disable FUSE, so linuxdeploy's AppImage can't mount
          # itself at bundle time. This env tells linuxdeploy to extract-and-run
          # instead, which works without FUSE.
          APPIMAGE_EXTRACT_AND_RUN: 1
        with:
          projectPath: frontend
          args: --target ${{ matrix.rust_target }} --bundles ${{ matrix.bundles }}
          tagName: ${{ github.ref_name }}
          releaseName: "OmniVoice Studio ${{ github.ref_name }}"
          releaseBody: ${{ steps.changelog.outputs.body }}
          releaseDraft: ${{ inputs.draft || 'true' }}
          prerelease: false
          updaterJsonPreferNsis: false
          includeUpdaterJson: true