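---
# Builds, signs and publishes the macOS desktop app for one release tag.
#
# Trust boundary: this job holds the updater's minisign private key, and what it
# publishes (tarball, .sig, latest.json) is exactly what the in-app updater will
# verify and install. Two things follow: the tag being released must be checked
# before anything is signed, and no secret may be echoed into the job log.
#
# NOTE(review): every third-party action below is referenced by a mutable tag
# (@v6, @v2, @v0, @stable). A job that hands TAURI_SIGNING_PRIVATE_KEY to those
# actions should pin each one to a full commit SHA (keep the tag in a trailing
# comment) so that a moved tag cannot swap in code that reads the key.
name: Release Desktop App

on:
  release:
    types: [created]
  workflow_dispatch:
    inputs:
      tag:
        description: "Release tag (e.g. v1.1.12) to build artifacts for"
        required: true
        type: string

# contents: write is what tauri-action and `gh release upload` need to attach
# assets to the release; nothing in this workflow needs any other scope.
permissions:
  contents: write

jobs:
  build:
    strategy:
      matrix:
        platform: [macos-latest]
    runs-on: ${{ matrix.platform }}
    steps:
      - uses: actions/checkout@v6
        with:
          # On workflow_dispatch we want the commit the tag points at, not
          # the head of main — checkout the tag explicitly.
          ref: ${{ github.event.release.tag_name || inputs.tag }}

      # On workflow_dispatch `inputs.tag` is free text. It is used as the git
      # ref above, as the release `gh release upload` attaches to, as the
      # `version` of latest.json (leading v stripped) and as a path segment of
      # the download URL written into that manifest. Accept only a plain
      # semver-style tag, and make sure the working tree really is that tag
      # and not a branch or commit that happens to share the name.
      - name: Validate release tag
        env:
          TAG: ${{ github.event.release.tag_name || inputs.tag }}
        run: |
          set -euo pipefail
          if [[ ! "$TAG" =~ ^v[0-9]+\.[0-9]+\.[0-9]+(-[0-9A-Za-z.]+)?$ ]]; then
            echo "refusing to release '$TAG': expected v<major>.<minor>.<patch>[-suffix]" >&2
            exit 1
          fi
          # actions/checkout fetches a tag ref as refs/tags/<tag>; a branch
          # name or bare SHA passed as `tag` does not resolve here.
          tag_commit=$(git rev-parse -q --verify "refs/tags/${TAG}^{commit}") \
            || { echo "refusing to release: '$TAG' is not a tag in this checkout" >&2; exit 1; }
          head_commit=$(git rev-parse HEAD)
          if [[ "$tag_commit" != "$head_commit" ]]; then
            echo "checkout is at $head_commit but tag $TAG points at $tag_commit" >&2
            exit 1
          fi
          echo "releasing $TAG ($tag_commit)"

      - name: Setup pnpm
        uses: pnpm/action-setup@v6
        with:
          version: 10
      - name: Setup Node
        uses: actions/setup-node@v6
        with:
          node-version: 22
          cache: pnpm
      - name: Setup Rust
        uses: dtolnay/rust-toolchain@stable
      - name: Setup Bun
        uses: oven-sh/setup-bun@v2
      - name: Cache Rust
        uses: Swatinem/rust-cache@v2
        with:
          workspaces: apps/desktop/src-tauri

      - name: Install dependencies
        # --ignore-scripts keeps npm lifecycle scripts of dependencies from
        # running in a job that holds the signing key.
        run: pnpm install --ignore-scripts

      - name: Build Tauri app
        id: tauri
        uses: tauri-apps/tauri-action@v0
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          TAURI_SIGNING_PRIVATE_KEY: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY }}
          TAURI_SIGNING_PRIVATE_KEY_PASSWORD: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY_PASSWORD }}
        with:
          projectPath: apps/desktop
          tagName: ${{ github.event.release.tag_name || inputs.tag }}
          releaseName: ${{ github.event.release.name || format('CodeVetter {0}', inputs.tag) }}
          releaseBody: ${{ github.event.release.body || '' }}
          releaseDraft: false
          prerelease: false
          # Emit latest.json manifest with signatures so the in-app updater
          # can detect + verify releases. The explicit --bundles list forces
          # tauri build to also produce the updater (.tar.gz + .sig) artifacts;
          # without it tauri-action silently skips the signature upload.
          args: --target aarch64-apple-darwin --bundles app,dmg,updater
          includeUpdaterJson: true
          updaterJsonPreferNsis: false

      # tauri-action repackages the .app -> .tar.gz AFTER tauri build signed
      # the original tarball, so the on-disk .sig is stale (or absent). Sign
      # the final tarball ourselves with the same minisign key, then publish
      # that tarball together with its .sig and latest.json.
      - name: Sign updater tarball + upload manifest
        # Still runs when the build step failed late (after the tarball
        # exists), but not in a cancelled run: a cancelled job must never
        # publish an updater manifest. `!` needs the ${{ }} wrapper in YAML.
        if: ${{ !cancelled() && hashFiles('apps/desktop/src-tauri/target/aarch64-apple-darwin/release/bundle/macos/CodeVetter.app.tar.gz') != '' }}
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          TAG: ${{ github.event.release.tag_name || inputs.tag }}
          TAURI_SIGNING_PRIVATE_KEY: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY }}
          TAURI_SIGNING_PRIVATE_KEY_PASSWORD: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY_PASSWORD }}
        run: |
          # No `set -x` here: xtrace would echo the signer command line, with
          # the expanded private key and password, into the job log. GitHub's
          # secret masking is best-effort and must not be the only thing
          # keeping the key out of the log.
          set -euo pipefail
          BUNDLE=apps/desktop/src-tauri/target/aarch64-apple-darwin/release/bundle/macos
          TAR_FILE="$BUNDLE/CodeVetter.app.tar.gz"
          SIG_FILE="$TAR_FILE.sig"
          # Asset name the updater downloads; must match the URL in latest.json.
          ASSET_NAME=CodeVetter_aarch64.app.tar.gz

          # Re-sign the (possibly repackaged) tarball. tauri-cli writes the
          # signature next to the input file as <input>.sig.
          # NOTE(review): tauri-cli also appears to read the key and password
          # from the TAURI_SIGNING_* env vars already set on this step; if so
          # the explicit flags can be dropped, which keeps both out of `ps`.
          echo "signing $TAR_FILE"
          ( cd apps/desktop && pnpm exec tauri signer sign \
              --private-key "$TAURI_SIGNING_PRIVATE_KEY" \
              --password "${TAURI_SIGNING_PRIVATE_KEY_PASSWORD:-}" \
              "../../$TAR_FILE" )
          test -f "$SIG_FILE" || { echo "tauri signer did not produce $SIG_FILE" >&2; exit 1; }

          VERSION="${TAG#v}"
          PUB_DATE=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
          URL="https://github.com/${GITHUB_REPOSITORY}/releases/download/$TAG/$ASSET_NAME"
          jq -n \
            --arg version "$VERSION" \
            --arg pub_date "$PUB_DATE" \
            --arg url "$URL" \
            --rawfile sig "$SIG_FILE" \
            '{
              version: $version,
              notes: "See release notes",
              pub_date: $pub_date,
              platforms: {
                "darwin-aarch64": {
                  signature: $sig,
                  url: $url
                }
              }
            }' > latest.json

          # Publish the tarball itself alongside the .sig and manifest. The
          # signature was computed over the local $TAR_FILE, so uploading that
          # exact file under $ASSET_NAME is what guarantees the bytes the
          # updater downloads are the bytes that were signed, whatever
          # tauri-action uploaded earlier. --clobber makes a re-run idempotent.
          echo "uploading $ASSET_NAME, $ASSET_NAME.sig and latest.json to $TAG"
          gh release upload "$TAG" \
            "$TAR_FILE#$ASSET_NAME" \
            "$SIG_FILE#$ASSET_NAME.sig" \
            "latest.json" \
            --clobber --repo "$GITHUB_REPOSITORY"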