Build 79 of branch main by @NGPixel #79
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Build and Release | |
| run-name: Build ${{ github.run_number }} of branch ${{ github.ref_name }} by @${{ github.actor }} | |
| on: | |
| workflow_dispatch: | |
| jobs: | |
| # ----------------------------------------------------------------- | |
| # PREPARE | |
| # ----------------------------------------------------------------- | |
| prepare: | |
| name: Prepare Release | |
| runs-on: ubuntu-latest | |
| permissions: | |
| id-token: write | |
| contents: write | |
| outputs: | |
| pkg_version: ${{ steps.semver.outputs.nextStrict }} | |
| steps: | |
| - uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| - name: Get Next Version | |
| id: semver | |
| uses: ietf-tools/semver-action@v1 | |
| with: | |
| token: ${{ github.token }} | |
| branch: main | |
| skipInvalidTags: true | |
| - name: Create Draft Release | |
| uses: ncipollo/[email protected] | |
| with: | |
| prerelease: true | |
| draft: false | |
| commit: ${{ github.sha }} | |
| tag: ${{ steps.semver.outputs.nextStrict }} | |
| name: ${{ steps.semver.outputs.nextStrict }} | |
| body: '*pending*' | |
| token: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Generate CHANGELOG | |
| id: changelog | |
| uses: Requarks/changelog-action@v1 | |
| with: | |
| token: ${{ github.token }} | |
| fromTag: ${{ steps.semver.outputs.nextStrict }} | |
| toTag: ${{ steps.semver.outputs.current }} | |
| writeToFile: false | |
| - name: Update Release Body | |
| uses: ncipollo/[email protected] | |
| with: | |
| prerelease: true | |
| updateOnlyUnreleased: true | |
| allowUpdates: true | |
| commit: ${{ github.sha }} | |
| tag: ${{ steps.semver.outputs.nextStrict }} | |
| name: ${{ steps.semver.outputs.nextStrict }} | |
| body: ${{ steps.changelog.outputs.changes }} | |
| token: ${{ secrets.GITHUB_TOKEN }} | |
| # ----------------------------------------------------------------- | |
| # BUILD ELECTRON | |
| # ----------------------------------------------------------------- | |
| build-electron: | |
| name: Build Electron | |
| needs: [prepare] | |
| runs-on: ${{ matrix.os }} | |
| permissions: | |
| id-token: write | |
| contents: write | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| include: | |
| - os: ubuntu-latest | |
| platform: linux | |
| - os: macos-latest | |
| platform: darwin | |
| - os: windows-latest | |
| platform: win32 | |
| env: | |
| PKG_VERSION: ${{needs.prepare.outputs.pkg_version}} | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: actions/setup-node@v4 | |
| with: | |
| node-version: '20' | |
| - name: macOS - Fetch Secrets from Vault | |
| if: ${{ matrix.platform == 'darwin' }} | |
| uses: hashicorp/[email protected] | |
| with: | |
| method: jwt | |
| url: ${{ secrets.VAULT_URL }} | |
| role: ${{ secrets.VAULT_ROLE }} | |
| secrets: | | |
| kv/data/draftforge/apple API_ISSUER_ID | APPLE_API_ISSUER ; | |
| kv/data/draftforge/apple API_KEY_ID | APPLE_API_KEY_ID ; | |
| kv/data/draftforge/apple API_KEY_P8 | API_KEY_P8 ; | |
| kv/data/draftforge/apple DIST_CERT_P12 | CSC_LINK ; | |
| kv/data/draftforge/apple DIST_CERT_P12_PWD | CSC_KEY_PASSWORD ; | |
| - name: macOS - Save signing certs | |
| if: ${{ matrix.platform == 'darwin' }} | |
| run: | | |
| mkdir -p private_keys | |
| echo "APPLE_API_KEY=private_keys/AuthKeys_$APPLE_API_KEY_ID.p8" >> "$GITHUB_ENV" | |
| # echo "CSC_LINK=private_keys/distribution.p12" >> "$GITHUB_ENV" | |
| openssl base64 -d <<< "$API_KEY_P8" -out "private_keys/AuthKeys_$APPLE_API_KEY_ID.p8" | |
| # openssl base64 -d <<< "$DIST_CERT_P12" -out "private_keys/distribution.p12" | |
| - name: macOS - Import Certs into keychain | |
| if: ${{ matrix.platform == 'darwin' }} | |
| uses: apple-actions/import-codesign-certs@v3 | |
| with: | |
| p12-file-base64: ${{ env.CSC_LINK }} | |
| p12-password: ${{ env.CSC_KEY_PASSWORD }} | |
| - name: Set Version | |
| run: | | |
| node -e "const fs = require('node:fs'); const pkg = require('./package.json'); pkg.version = '${{ env.PKG_VERSION }}'; fs.writeFileSync('package.json', JSON.stringify(pkg, null, 2));" | |
| - name: Build package | |
| run: | | |
| echo "Installing dependencies..." | |
| npm ci | |
| echo "Build package..." | |
| npx quasar build -m electron -T ${{ matrix.platform }} -P always | |
| - name: Windows - Remove universal installers | |
| if: ${{ matrix.platform == 'win32' }} | |
| run: | | |
| Remove-Item dist/electron/Packaged/ietf-draftforge-win-${{ env.PKG_VERSION }}.exe | |
| - name: Windows - Upload Build Artifact | |
| if: ${{ matrix.platform == 'win32' }} | |
| id: artifactupload | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: ${{ matrix.platform }}-build | |
| path: "dist/electron/Packaged/*.exe" | |
| - id: signpath | |
| name: Windows - Sign Executables | |
| if: ${{ matrix.platform == 'win32' }} | |
| uses: signpath/github-action-submit-signing-request@v1 | |
| with: | |
| api-token: '${{ secrets.SIGNPATH_API_TOKEN }}' | |
| organization-id: '${{ secrets.SIGNPATH_ORG_ID }}' | |
| project-slug: 'editor' | |
| signing-policy-slug: 'release-signing' | |
| github-artifact-id: '${{ steps.artifactupload.outputs.artifact-id }}' | |
| wait-for-completion: true | |
| output-artifact-directory: signed-build | |
| - name: Windows - Install yq | |
| if: ${{ matrix.platform == 'win32' }} | |
| run: | | |
| choco install yq | |
| - name: Windows - Recalculate exec signatures for latest.yml | |
| if: ${{ matrix.platform == 'win32' }} | |
| run: | | |
| $appVersion = yq '.version' dist/electron/Packaged/latest.yml | |
| $appX64Hash = Get-FileHash "signed-build/ietf-draftforge-win-x64-$appVersion.exe" -Algorithm SHA512 | |
| $appX64HashBytes = [byte[]] -split ($appX64Hash.Hash -replace '..', '0x$& ') | |
| $appX64HashB64 = [System.Convert]::ToBase64String($appX64HashBytes) | |
| $appArm64Hash = Get-FileHash "signed-build/ietf-draftforge-win-arm64-$appVersion.exe" -Algorithm SHA512 | |
| $appArm64HashBytes = [byte[]] -split ($appArm64Hash.Hash -replace '..', '0x$& ') | |
| $appArm64HashB64 = [System.Convert]::ToBase64String($appArm64HashBytes) | |
| $appX64Size = (Get-Item "signed-build/ietf-draftforge-win-x64-$appVersion.exe").Length | |
| $appArm64Size = (Get-Item "signed-build/ietf-draftforge-win-arm64-$appVersion.exe").Length | |
| yq -i 'del(.files.[0]) | del(.path) | del(.sha512)' dist/electron/Packaged/latest.yml | |
| yq -i ".files.[0].sha512 = `"$appX64HashB64`" | .files.[0].size = `"$appX64Size`" | .files.[1].sha512 = `"$appArm64HashB64`" | .files.[1].size = `"$appArm64Size`"" dist/electron/Packaged/latest.yml | |
| - name: Windows - Add Signed Packages to Release | |
| if: ${{ matrix.platform == 'win32' }} | |
| uses: ncipollo/[email protected] | |
| with: | |
| prerelease: true | |
| updateOnlyUnreleased: true | |
| allowUpdates: true | |
| omitBody: true | |
| tag: ${{ env.PKG_VERSION }} | |
| name: ${{ env.PKG_VERSION }} | |
| artifacts: "signed-build/*.exe,dist/electron/Packaged/latest.yml" | |
| token: ${{ secrets.GITHUB_TOKEN }} | |
| - name: macOS/Linux - Add Packages to Release | |
| if: ${{ matrix.platform != 'win32' }} | |
| uses: ncipollo/[email protected] | |
| with: | |
| prerelease: true | |
| updateOnlyUnreleased: true | |
| allowUpdates: true | |
| omitBody: true | |
| tag: ${{ env.PKG_VERSION }} | |
| name: ${{ env.PKG_VERSION }} | |
| artifacts: "dist/electron/Packaged/*.+(dmg|AppImage|deb|rpm|tar.gz),dist/electron/Packaged/latest*.yml" | |
| token: ${{ secrets.GITHUB_TOKEN }} | |
| - name: macOS - Purge signing certs | |
| if: ${{ matrix.platform == 'darwin' && always() }} | |
| run: | | |
| rm -rf private_keys | |
| # ----------------------------------------------------------------- | |
| # RELEASE | |
| # ----------------------------------------------------------------- | |
| release: | |
| name: Publish Release | |
| needs: [prepare, build-electron] | |
| runs-on: ubuntu-latest | |
| permissions: | |
| id-token: write | |
| contents: write | |
| env: | |
| PKG_VERSION: ${{needs.prepare.outputs.pkg_version}} | |
| steps: | |
| - name: Finalize Release | |
| uses: ncipollo/[email protected] | |
| with: | |
| allowUpdates: true | |
| makeLatest: true | |
| prerelease: false | |
| omitBody: true | |
| draft: false | |
| tag: ${{ env.PKG_VERSION }} | |
| name: ${{ env.PKG_VERSION }} | |
| token: ${{ secrets.GITHUB_TOKEN }} |