Release Desktop App #66
| name: Release Desktop App | |
| on: | |
| release: | |
| types: [created] | |
| workflow_dispatch: | |
| inputs: | |
| tag: | |
| description: "Release tag (e.g. v1.1.12) to build artifacts for" | |
| required: true | |
| type: string | |
| permissions: | |
| contents: write | |
| jobs: | |
| build: | |
| strategy: | |
| matrix: | |
| platform: [macos-latest] | |
| runs-on: ${{ matrix.platform }} | |
| steps: | |
| - uses: actions/checkout@v6 | |
| with: | |
| # On workflow_dispatch we want the commit the tag points at, not | |
| # the head of main — checkout the tag explicitly. | |
| ref: ${{ github.event.release.tag_name || inputs.tag }} | |
| - name: Setup pnpm | |
| uses: pnpm/action-setup@v6 | |
| with: | |
| version: 10 | |
| - name: Setup Node | |
| uses: actions/setup-node@v6 | |
| with: | |
| node-version: 22 | |
| cache: pnpm | |
| - name: Setup Rust | |
| uses: dtolnay/rust-toolchain@stable | |
| - name: Setup Bun | |
| uses: oven-sh/setup-bun@v2 | |
| - name: Cache Rust | |
| uses: Swatinem/rust-cache@v2 | |
| with: | |
| workspaces: apps/desktop/src-tauri | |
| - name: Install dependencies | |
| run: pnpm install --ignore-scripts | |
| - name: Build Tauri app | |
| id: tauri | |
| uses: tauri-apps/tauri-action@v0 | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| TAURI_SIGNING_PRIVATE_KEY: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY }} | |
| TAURI_SIGNING_PRIVATE_KEY_PASSWORD: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY_PASSWORD }} | |
| with: | |
| projectPath: apps/desktop | |
| tagName: ${{ github.event.release.tag_name || inputs.tag }} | |
| releaseName: ${{ github.event.release.name || format('CodeVetter {0}', inputs.tag) }} | |
| releaseBody: ${{ github.event.release.body || '' }} | |
| releaseDraft: false | |
| prerelease: false | |
| # Emit latest.json manifest with signatures so the in-app updater | |
| # can detect + verify releases. The explicit --bundles list forces | |
| # tauri build to also produce the updater (.tar.gz + .sig) artifacts; | |
| # without it tauri-action silently skips the signature upload. | |
| args: --target aarch64-apple-darwin --bundles app,dmg,updater | |
| includeUpdaterJson: true | |
| updaterJsonPreferNsis: false | |
| # tauri-action repackages the .app -> .tar.gz AFTER tauri build signed | |
| # the original tarball, so the on-disk .sig is stale (or absent). Sign | |
| # the final tarball ourselves with the same minisign key, then upload | |
| # .sig + latest.json. Idempotent via gh release upload --clobber. | |
| - name: Sign updater tarball + upload manifest | |
| if: always() && hashFiles('apps/desktop/src-tauri/target/aarch64-apple-darwin/release/bundle/macos/CodeVetter.app.tar.gz') != '' | |
| env: | |
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| TAG: ${{ github.event.release.tag_name || inputs.tag }} | |
| TAURI_SIGNING_PRIVATE_KEY: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY }} | |
| TAURI_SIGNING_PRIVATE_KEY_PASSWORD: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY_PASSWORD }} | |
| run: | | |
| set -euxo pipefail | |
| BUNDLE=apps/desktop/src-tauri/target/aarch64-apple-darwin/release/bundle/macos | |
| TAR_FILE="$BUNDLE/CodeVetter.app.tar.gz" | |
| SIG_FILE="$TAR_FILE.sig" | |
| # Re-sign the (possibly repackaged) tarball. tauri-cli writes the | |
| # signature next to the input file as <input>.sig. | |
| cd apps/desktop | |
| pnpm exec tauri signer sign \ | |
| --private-key "$TAURI_SIGNING_PRIVATE_KEY" \ | |
| --password "${TAURI_SIGNING_PRIVATE_KEY_PASSWORD:-}" \ | |
| "../../$TAR_FILE" | |
| cd ../.. | |
| test -f "$SIG_FILE" || { echo "tauri signer did not produce $SIG_FILE" >&2; exit 1; } | |
| VERSION="${TAG#v}" | |
| PUB_DATE=$(date -u +"%Y-%m-%dT%H:%M:%SZ") | |
| URL="https://github.com/${GITHUB_REPOSITORY}/releases/download/$TAG/CodeVetter_aarch64.app.tar.gz" | |
| jq -n \ | |
| --arg version "$VERSION" \ | |
| --arg pub_date "$PUB_DATE" \ | |
| --arg url "$URL" \ | |
| --rawfile sig "$SIG_FILE" \ | |
| '{ | |
| version: $version, | |
| notes: "See release notes", | |
| pub_date: $pub_date, | |
| platforms: { | |
| "darwin-aarch64": { | |
| signature: $sig, | |
| url: $url | |
| } | |
| } | |
| }' > latest.json | |
| gh release upload "$TAG" \ | |
| "$SIG_FILE#CodeVetter_aarch64.app.tar.gz.sig" \ | |
| "latest.json" \ | |
| --clobber --repo "$GITHUB_REPOSITORY" |
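Review bot: The `if: always() && hashFiles(...)` guard on the "Sign updater tarball + upload manifest" step still fires when the `Build Tauri app` step fails or the job is cancelled part-way, and `gh release upload --clobber` then replaces `latest.json` and the `.sig` on the release with a manifest whose `url` may point at a tarball that was never uploaded (or at a stale one from an earlier run); since the build step already carries `id: tauri`, gate on it instead: `if: steps.tauri.outcome == 'success' && hashFiles('apps/desktop/src-tauri/target/aarch64-apple-darwin/release/bundle/macos/CodeVetter.app.tar.gz') != ''`. Separately, `set -euxo pipefail` traces every command, so the `--private-key "$TAURI_SIGNING_PRIVATE_KEY"` and `--password "${TAURI_SIGNING_PRIVATE_KEY_PASSWORD:-}"` lines are echoed into the job log and visible in the runner's process list; log masking is best-effort and line-based, so a multi-line key can leak in part. Prefer `set -euo pipefail`, and if the tauri CLI in use honours the `TAURI_SIGNING_PRIVATE_KEY`/`TAURI_SIGNING_PRIVATE_KEY_PASSWORD` variables the step already exports (worth confirming for the pinned CLI version), drop the two explicit flags so the key never lands in argv. Finally, `actions/checkout@v6`, `pnpm/action-setup@v6`, `tauri-apps/tauri-action@v0` and `dtolnay/rust-toolchain@stable` are mutable refs on a job that holds the updater signing key and `contents: write`; pinning each to a full commit SHA (tag kept in a trailing comment) limits what a moved upstream tag can do with those credentials.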