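# Build & Release
#
# Typechecks, builds and packages the app with electron-builder on macOS,
# Windows and Linux runners. On `v*` tag pushes the artifacts are also
# published to a GitHub Release.
#
# NOTE(review): every `uses:` reference below is pinned to a mutable
# major-version tag. Several of these actions receive the signing
# certificate or a write-scoped token, so pinning each one to a full
# commit SHA (with the tag kept as a trailing comment) would stop a
# retagged upstream release from changing what runs here.
name: Build & Release

on:
  push:
    branches: [master]
    tags: ['v*']
  pull_request:
    branches: [master]
  workflow_dispatch:

# Workflow-wide token scope: applies to both jobs and to every trigger.
# Write access is used on tag runs, where the Package step publishes with
# `--publish always` and the release job creates the GitHub Release.
# NOTE(review): branch and pull_request runs receive the same grant even
# though they publish nothing; moving tag publishing into its own workflow
# would let the non-tag runs use `contents: read`.
permissions:
  contents: write

# One run per workflow + ref; a newer run on the same ref cancels the
# older one.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

jobs:
  build:
    strategy:
      # Let the other platforms finish even if one leg fails.
      fail-fast: false
      matrix:
        include:
          - os: macos-latest
            platform: mac
          - os: windows-latest
            platform: win
          - os: ubuntu-latest
            platform: linux
    runs-on: ${{ matrix.os }}
    env:
      # Expose secret presence as a plain env var so `if:` expressions
      # can gate on it (secrets themselves can't be used in `if`).
      # Only the 'true'/'false' result is exported, not the secret value.
      HAS_MAC_SIGNING: ${{ secrets.CSC_LINK != '' }}
    steps:
      - uses: actions/checkout@v4
        with:
          # Do not leave the job token in .git/config. The later steps run
          # project build scripts and third-party dependencies, and none of
          # the visible steps needs authenticated git: publishing goes
          # through GH_TOKEN and the release action instead.
          persist-credentials: false

      - uses: oven-sh/setup-bun@v2
        with:
          # NOTE(review): `latest` means the toolchain that produces signed
          # release binaries can change between runs; consider pinning an
          # exact Bun version.
          bun-version: latest

      - name: Install dependencies
        # --frozen-lockfile makes the install fail instead of silently
        # updating the lockfile.
        run: bun install --frozen-lockfile

      # Import the Developer ID Application certificate into a fresh
      # keychain so electron-builder can find a valid signing identity.
      # Skipped on non-mac runners and on mac runs without a CSC_LINK
      # secret (e.g. forks / PRs) so those keep producing unsigned builds.
      # NOTE(review): when the secret is present this also runs for
      # pull_request and branch builds, so the certificate is available to
      # every later step of those runs, not only to tagged releases.
      - name: Import signing certificate (macOS)
        if: matrix.platform == 'mac' && env.HAS_MAC_SIGNING == 'true'
        uses: apple-actions/import-codesign-certs@v3
        with:
          p12-file-base64: ${{ secrets.CSC_LINK }}
          p12-password: ${{ secrets.CSC_KEY_PASSWORD }}

      # Diagnostic only: lists the code-signing identities visible to the
      # runner. `|| true` keeps the step green when none are found.
      - name: Probe signing identities (macOS)
        if: matrix.platform == 'mac'
        run: security find-identity -v -p codesigning || true

      - name: Typecheck
        run: bun run typecheck

      - name: Build
        run: bun run build

      - name: Package (${{ matrix.platform }})
        # Only auto-publish to GitHub Releases on tag pushes; otherwise
        # build the artifact and stop so PR / branch runs don't try to
        # upload to a non-existent draft release.
        #
        # Signing + notarization: if the CSC_LINK secret is set on the
        # mac runner, electron-builder will sign with that cert and
        # @electron/notarize will notarize using APPLE_ID /
        # APPLE_APP_SPECIFIC_PASSWORD / APPLE_TEAM_ID. If the secret is
        # absent the build falls back to the old unsigned behavior so forks
        # and PRs without secrets still build.
        #
        # NOTE(review): that fallback also applies to tag runs, where
        # `--publish always` is in effect. A tag pushed while CSC_LINK is
        # missing would publish an unsigned macOS build; consider failing
        # tag builds when signing is unavailable.
        #
        # The values interpolated into the command line are the fixed
        # matrix platform and the literal 'always' / 'never'; github.ref is
        # only tested with startsWith and never reaches the shell.
        run: bunx electron-builder --${{ matrix.platform }} --publish ${{ startsWith(github.ref, 'refs/tags/v') && 'always' || 'never' }}
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          # Notarization credentials — @electron/notarize picks these up
          # automatically when mac.notarize is true in electron-builder.
          # NOTE(review): these are exported on the Windows and Linux legs
          # and on non-tag runs as well; they could be limited to the mac
          # leg with a matrix.platform condition.
          APPLE_ID: ${{ secrets.APPLE_ID }}
          APPLE_APP_SPECIFIC_PASSWORD: ${{ secrets.APPLE_APP_SPECIFIC_PASSWORD }}
          APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
          # If there's no signing cert available (fork / no secrets),
          # disable auto-discovery so electron-builder doesn't try to
          # match an ad-hoc identity and explode on notarize.
          CSC_IDENTITY_AUTO_DISCOVERY: ${{ env.HAS_MAC_SIGNING }}

      - name: Upload artifacts
        if: success()
        uses: actions/upload-artifact@v4
        with:
          name: flicky-${{ matrix.platform }}
          # Each leg only produces some of the patterns below, so a missing
          # match is not treated as an error.
          if-no-files-found: ignore
          path: |
            release/*.dmg
            release/*.zip
            release/*.exe
            release/*.AppImage
            release/*.deb

  # Runs only for `v*` tags, after every matrix leg of `build` succeeded.
  release:
    if: startsWith(github.ref, 'refs/tags/v')
    needs: build
    runs-on: ubuntu-latest
    steps:
      # No artifact name is given, so all artifacts of this run are fetched;
      # merge-multiple puts their files into a single directory.
      - uses: actions/download-artifact@v4
        with:
          merge-multiple: true

      - name: Create GitHub Release
        uses: softprops/action-gh-release@v2
        with:
          files: |
            *.dmg
            *.zip
            *.exe
            *.AppImage
            *.deb
          generate_release_notes: true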