livebook/.github/workflows/release.yml at 4bd6846fb3e7b1b794a6c0a017401cb310b0629e · livebook-dev/livebook · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
name: Release

on:
  push:
    tags:
      - "v*.*.*"
  schedule:
    # Daily at 00:00
    - cron: "0 0 * * *"
  # Workflow dispatch always builds as nightly
  workflow_dispatch:

permissions:
  contents: read

jobs:
  create_release:
    if: github.repository == 'livebook-dev/livebook'
    name: "Create release"
    permissions:
      contents: write
    runs-on: ubuntu-latest
    env:
      GITHUB_TOKEN: ${{ secrets.GH_RELEASE_TOKEN }}
    steps:
      - name: Checkout git repo
        uses: actions/checkout@v6

      - name: Create release
        run: |
          if [[ "${{ github.ref_type }}" == "tag" ]]; then
            gh release create \
              --repo ${{ github.repository }} \
              --title ${{ github.ref_name }} \
              --draft \
              ${{ github.ref_name }}
          else
            ref_name="nightly"
            notes="Automated nightly build for ${GITHUB_SHA}."

            if ! gh release view $ref_name; then
              gh release create \
                --repo ${{ github.repository }} \
                --title $ref_name \
                --notes "${notes}" \
                --latest=false \
                $ref_name
            else
              gh release edit \
                --repo ${{ github.repository }} \
                $ref_name \
                --notes "${notes}"
            fi

            git tag $ref_name --force
            git push origin $ref_name --force
          fi

  app:
    if: github.repository == 'livebook-dev/livebook'
    name: "Desktop (${{ matrix.gui_target }})"
    needs: [create_release]
    permissions:
      contents: write # Required for uploading release assets
    strategy:
      fail-fast: false
      matrix:
        include:
          - platform: macos-15
            gui_target: "aarch64-apple-darwin"
          - platform: macos-15-intel
            gui_target: "x86_64-apple-darwin"
          - platform: windows-2022
            gui_target: "x86_64-pc-windows-msvc"
          - platform: ubuntu-22.04-arm
            gui_target: "aarch64-unknown-linux-gnu"
          - platform: ubuntu-22.04
            gui_target: "x86_64-unknown-linux-gnu"
    runs-on: ${{ matrix.platform }}
    steps:
      - name: Checkout repository
        uses: actions/checkout@v6

      - name: Read versions
        shell: bash
        run: |
          . versions
          echo "elixir=$elixir" >> $GITHUB_ENV
          echo "otp=$otp" >> $GITHUB_ENV

      - uses: erlef/setup-beam@v1
        with:
          otp-version: ${{ env.otp }}
          elixir-version: ${{ env.elixir }}

      - name: Setup Rust
        uses: dtolnay/rust-toolchain@stable
        with:
          targets: ${{ matrix.gui_target }}

      - name: Rust cache
        uses: Swatinem/rust-cache@v2
        with:
          workspaces: rel/app/src-tauri
          cache-directories: |
            ~/.cargo/bin
          key: ${{ matrix.gui_target }}

      - name: Install dependencies (Linux)
        if: runner.os == 'Linux'
        shell: bash
        run: |
          sudo apt-get update
          sudo apt-get install -y \
            libwebkit2gtk-4.1-dev \
            libgtk-3-dev \
            libayatana-appindicator3-dev \
            librsvg2-dev \
            patchelf \
            libwxgtk3.0-gtk3-dev \
            xdg-utils

      - name: Install Tauri CLI
        shell: bash
        run: |
          # Only install if not already cached
          if ! command -v cargo-tauri &> /dev/null; then
            cargo install tauri-cli --version "=2.8.0" --locked
          else
            echo "cargo-tauri already installed: $(cargo-tauri --version)"
          fi

      - name: Install trusted-signing-cli (Windows)
        if: runner.os == 'Windows'
        run: |
          cargo install trusted-signing-cli@0.9.0

      - name: Install Apple certificate (macOS)
        if: runner.os == 'macOS'
        env:
          P12_BASE64: ${{ secrets.APPLE_CERTIFICATE_P12_BASE64 }}
          P12_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_P12_PASSWORD }}
          KEYCHAIN_PASSWORD: secret
        run: |
          # Only run if certificate is provided
          if [ -n "$P12_BASE64" ]; then
            # Create variables
            CERTIFICATE_PATH=$RUNNER_TEMP/apple_certificate.p12
            KEYCHAIN_PATH=$RUNNER_TEMP/app-signing.keychain-db

            echo -n "$P12_BASE64" | base64 --decode -o $CERTIFICATE_PATH

            # Create temporary keychain
            security create-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
            security set-keychain-settings -lut 21600 $KEYCHAIN_PATH
            security unlock-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH

            # Import certificate to keychain
            security import $CERTIFICATE_PATH -P "$P12_PASSWORD" -A -t cert -f pkcs12 -k $KEYCHAIN_PATH
            security list-keychain -d user -s $KEYCHAIN_PATH
          fi

      - name: Build Tauri app
        uses: tauri-apps/tauri-action@v0.6
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          MIX_ENV: prod
          MIX_TARGET: app
          # macOS codesigning/notarization
          APPLE_CERTIFICATE: ${{ secrets.APPLE_CERTIFICATE_P12_BASE64 }}
          APPLE_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_P12_PASSWORD }}
          APPLE_SIGNING_IDENTITY: ${{ secrets.APPLE_SIGNING_IDENTITY }}
          APPLE_ID: ${{ secrets.APPLE_ID }}
          APPLE_PASSWORD: ${{ secrets.APPLE_PASSWORD }}
          APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
          # Windows codesigning
          AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
          AZURE_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }}
          AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
          AZURE_TRUSTED_SIGNING_ACCOUNT_NAME: ${{ secrets.AZURE_TRUSTED_SIGNING_ACCOUNT_NAME }}
          AZURE_CERTIFICATE_PROFILE_NAME: ${{ secrets.AZURE_CERTIFICATE_PROFILE_NAME }}
          # Tauri updater
          TAURI_SIGNING_PRIVATE_KEY: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY }}
          TAURI_SIGNING_PRIVATE_KEY_PASSWORD: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY_PASSWORD }}
        with:
          projectPath: rel/app
          tauriScript: ./tauri.sh
          args: --target ${{ matrix.gui_target }}
          tagName: ${{ github.ref_type == 'tag' && github.ref_name || 'nightly' }}
          releaseName: ${{ github.ref_type == 'tag' && github.ref_name || 'nightly' }}
          releaseDraft: true
          assetNamePattern: "Livebook-[platform]-[arch][ext]"

      - name: Verify app notarization (macOS)
        if: runner.os == 'macOS'
        shell: bash
        run: |
          app_path="rel/app/src-tauri/target/${{ matrix.gui_target }}/release/bundle/macos/Livebook.app"
          echo "Verifying $app_path"
          spctl -a -t exec -vvv "$app_path"

  docker:
    if: github.repository == 'livebook-dev/livebook'
    name: Docker (${{ matrix.name }})
    permissions:
      contents: read
      packages: write # Required for pushing to ghcr.io
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        include:
          - name: "default"
            suffix: ""
            build_args: |
              VARIANT=default
          - name: "cuda12"
            tag_suffix: "-cuda12"
            build_args: |
              VARIANT=cuda
              CUDA_VERSION_MAJOR=12
              CUDA_VERSION_MINOR=8
    steps:
      - uses: actions/checkout@v6

      - run: |
          . versions
          echo "elixir=$elixir" >> $GITHUB_ENV
          echo "otp=$otp" >> $GITHUB_ENV
          echo "ubuntu=$ubuntu" >> $GITHUB_ENV

      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      - name: Login to GitHub Container Registry
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Docker meta
        id: meta
        uses: docker/metadata-action@v5
        with:
          images: ghcr.io/livebook-dev/livebook
          flavor: |
            suffix=${{ matrix.tag_suffix }},onlatest=true
          tags: |
            type=semver,pattern={{version}}
            type=raw,value=nightly,enable=${{ github.ref_type != 'tag' }}

      - name: Build and push
        uses: docker/build-push-action@v6
        with:
          context: .
          platforms: linux/amd64,linux/arm64
          push: true
          tags: ${{ steps.meta.outputs.tags }}
          cache-from: type=gha
          cache-to: type=gha,mode=max
          build-args: |
            BASE_IMAGE=hexpm/elixir:${{ env.elixir }}-erlang-${{ env.otp }}-ubuntu-${{ env.ubuntu }}
            ${{ matrix.build_args }}