ci: make Apple signing optional for unsigned dev builds #1
Workflow file for this run
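# Builds the macOS (Apple Silicon) desktop bundle and publishes it as a draft
# pre-release. Runs on version tags (v*) and on manual dispatch.
name: Build Desktop App

on:
  push:
    tags: ['v*']
  workflow_dispatch:

# Declaring this block drops every scope not listed here. contents: write is
# what lets the final step create the release and upload assets.
permissions:
  contents: write

jobs:
  build-macos:
    runs-on: macos-14  # Apple Silicon runner
    # NOTE(review): every `uses:` below references a mutable tag or branch
    # (@v4, @stable, @v2, @v0). This job holds a contents: write token and,
    # when configured, the Apple signing secrets, so pin each action to a
    # full commit SHA and let a dependency bot propose the bumps.
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          # Keep the write-scoped token out of .git/config: the later steps
          # run third-party install and build scripts (npm ci, pip, cargo)
          # and none of the visible steps pushes with git.
          persist-credentials: false

      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: '20'
          cache: 'npm'
          cache-dependency-path: frontend/package-lock.json

      - name: Setup Rust
        uses: dtolnay/rust-toolchain@stable
        with:
          targets: aarch64-apple-darwin

      - name: Rust cache
        uses: swatinem/rust-cache@v2
        with:
          workspaces: tauri/src-tauri

      - name: Install frontend dependencies
        run: cd frontend && npm ci

      - name: Build frontend
        run: cd frontend && npm run build

      - name: Download standalone Python
        # --fail makes curl exit non-zero on an HTTP error instead of saving
        # the error page as python.tar.gz and leaving tar to fail on it.
        #
        # NOTE(review): the archive is unpacked and shipped inside the app
        # without an integrity check. Record the expected SHA-256 for this
        # exact asset in the workflow and verify it (for example with
        # `shasum -a 256 -c`) before extracting.
        #
        # NOTE(review): release tag 20240415 appears to predate CPython
        # 3.13.0, and the asset name has no release suffix -- confirm that
        # this URL actually resolves.
        run: |
          mkdir -p tauri/src-tauri/resources/python
          curl --fail --location -o python.tar.gz \
            "https://github.com/indygreg/python-build-standalone/releases/download/20240415/cpython-3.13.0-aarch64-apple-darwin-install_only_stripped.tar.gz"
          tar xzf python.tar.gz -C tauri/src-tauri/resources/python --strip-components=1
          rm python.tar.gz

      - name: Create Python venv with dependencies
        # NOTE(review): dependency versions are resolved at build time from
        # the project metadata; nothing visible here pins or hash-checks
        # them. Consider a locked requirements file installed with
        # `pip install --require-hashes -r <lockfile>`.
        #
        # NOTE(review): `-e` records the runner's checkout path in the venv,
        # and a venv embeds absolute interpreter paths -- confirm the bundled
        # app does not rely on either at runtime.
        run: |
          tauri/src-tauri/resources/python/bin/python3 -m venv tauri/src-tauri/resources/venv
          tauri/src-tauri/resources/venv/bin/pip install --no-cache-dir -e .

      - name: Copy project source to resources
        # The excludes are a deny-list: anything in the checkout that is not
        # named here ships inside the app. `.env` is excluded, but variants
        # such as `.env.local` would not be -- NOTE(review): confirm that no
        # credential or key files can be present, or switch to an allow-list.
        run: |
          mkdir -p tauri/src-tauri/resources/project
          rsync -a --exclude='node_modules' --exclude='.venv' --exclude='.git' \
            --exclude='desktop' --exclude='tauri' --exclude='__pycache__' \
            --exclude='*.pyc' --exclude='.env' --exclude='logs' \
            --exclude='.claude' --exclude='.codex' \
            . tauri/src-tauri/resources/project/

      - name: Build Tauri app
        uses: tauri-apps/tauri-action@v0
        # Secrets are scoped to this step only; the earlier dependency
        # install and build steps never see them.
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          # Apple signing (optional — unsigned build if secrets not configured).
          # An unset secret expands to an empty string here.
          APPLE_CERTIFICATE: ${{ secrets.APPLE_CERTIFICATE }}
          APPLE_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
          APPLE_SIGNING_IDENTITY: ${{ secrets.APPLE_SIGNING_IDENTITY }}
          APPLE_ID: ${{ secrets.APPLE_ID }}
          APPLE_PASSWORD: ${{ secrets.APPLE_PASSWORD }}
          APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
        with:
          projectPath: tauri
          # NOTE(review): on workflow_dispatch, github.ref_name is the branch
          # name rather than a v* tag, so a manual run would name its tag
          # and release after the branch -- confirm this is intended.
          tagName: ${{ github.ref_name }}
          releaseName: 'NarraNexus ${{ github.ref_name }}'
          # NOTE(review): this text is static, so a signed and notarized build
          # is also published as "unsigned" with Gatekeeper-bypass
          # instructions. Telling users to bypass Gatekeeper removes the check
          # that would flag a tampered download; at minimum publish checksums
          # alongside unsigned artifacts.
          releaseBody: 'Unsigned development build. On macOS, right-click → Open to bypass Gatekeeper.'
          # Draft + prerelease: nothing is published until a maintainer
          # reviews the draft.
          releaseDraft: true
          prerelease: true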