.github/workflows/publish.yml

name: Publish distributables into new GitHub release

on:
  repository_dispatch:
    types: [publish]
  # Enable manual trigger
  workflow_dispatch:

jobs:
  mac:
    strategy:
      fail-fast: false
      matrix:
        app: [hostd, renterd, walletd]
    runs-on: macos-latest
    defaults:
      run:
        working-directory: ${{ matrix.app }}
    steps:
      - uses: actions/checkout@v4
      - name: Setup
        uses: ./.github/actions/daemon-setup
        with:
          daemon: ${{ matrix.app }}
          node_version: 20.10.0
      - name: Setup signing
        env:
          APPLE_CERT_ID: ${{ secrets.APPLE_CERT_ID }}
          APPLE_API_KEY: ${{ secrets.APPLE_API_KEY }}
          APPLE_API_ISSUER: ${{ secrets.APPLE_API_ISSUER }}
          APPLE_KEY_B64: ${{ secrets.APPLE_KEY_B64 }}
          APPLE_CERT_B64: ${{ secrets.APPLE_CERT_B64 }}
          APPLE_CERT_PASSWORD: ${{ secrets.APPLE_CERT_PASSWORD }}
          APPLE_KEYCHAIN_PASSWORD: ${{ secrets.APPLE_KEYCHAIN_PASSWORD }}
        run: |
          # extract apple cert
          APPLE_CERT_PATH=$RUNNER_TEMP/apple_cert.p12
          KEYCHAIN_PATH=$RUNNER_TEMP/app-signing.keychain-db
          echo -n "$APPLE_CERT_B64" | base64 --decode --output $APPLE_CERT_PATH

          # extract apple key
          mkdir -p ~/private_keys
          APPLE_API_KEY_PATH=~/private_keys/AuthKey_$APPLE_API_KEY.p8
          echo "APPLE_API_KEY_PATH=$APPLE_API_KEY_PATH" >> $GITHUB_ENV
          echo -n "$APPLE_KEY_B64" | base64 --decode --output $APPLE_API_KEY_PATH

          # create temp keychain
          security create-keychain -p "$APPLE_KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
          security default-keychain -s $KEYCHAIN_PATH
          security set-keychain-settings -lut 21600 $KEYCHAIN_PATH
          security unlock-keychain -p "$APPLE_KEYCHAIN_PASSWORD" $KEYCHAIN_PATH

          # import keychain
          security import $APPLE_CERT_PATH -P $APPLE_CERT_PASSWORD -A -t cert -f pkcs12 -k $KEYCHAIN_PATH
          security find-identity -v $KEYCHAIN_PATH -p codesigning
          security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k $APPLE_KEYCHAIN_PASSWORD $KEYCHAIN_PATH
      - name: Build
        uses: nick-fields/retry@v3
        with:
          max_attempts: 3
          timeout_minutes: 30
          retry_wait_seconds: 30
          command: npm run build
      - name: Download daemon binary
        run: npm run download:binary
        shell: bash
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      - name: Package executable bundles, sign and notarize, make and publish distributables
        uses: nick-fields/retry@v3
        env:
          APPLE_API_KEY: ${{ secrets.APPLE_API_KEY }}
          APPLE_API_ISSUER: ${{ secrets.APPLE_API_ISSUER }}
          APPLE_API_KEY_PATH: ${{ env.APPLE_API_KEY_PATH }}
          BUCKET_ACCESS_KEY_ID: ${{ secrets.BUCKET_ACCESS_KEY_ID }}
          BUCKET_SECRET_ACCESS_KEY: ${{ secrets.BUCKET_SECRET_ACCESS_KEY }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          max_attempts: 3
          timeout_minutes: 30
          retry_wait_seconds: 30
          command: |
            npm run publish --arch=arm64,x64
  linux:
    strategy:
      fail-fast: false
      matrix:
        app: [hostd, renterd, walletd]
    runs-on: ubuntu-latest
    defaults:
      run:
        working-directory: ${{ matrix.app }}
    steps:
      - uses: actions/checkout@v4
      - name: Setup
        uses: ./.github/actions/daemon-setup
        with:
          daemon: ${{ matrix.app }}
          node_version: 20.10.0
      - name: Build
        uses: nick-fields/retry@v3
        with:
          max_attempts: 3
          timeout_minutes: 30
          retry_wait_seconds: 30
          command: npm run build
      - name: Download daemon binary
        run: npm run download:binary
        shell: bash
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      - name: Package executable bundles, make and publish distributables
        uses: nick-fields/retry@v3
        env:
          BUCKET_ACCESS_KEY_ID: ${{ secrets.BUCKET_ACCESS_KEY_ID }}
          BUCKET_SECRET_ACCESS_KEY: ${{ secrets.BUCKET_SECRET_ACCESS_KEY }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          max_attempts: 3
          timeout_minutes: 30
          retry_wait_seconds: 30
          command: |
            npm run publish --arch=arm64,x64
  windows:
    strategy:
      fail-fast: false
      matrix:
        app: [hostd, renterd, walletd]
    runs-on: windows-latest
    defaults:
      run:
        working-directory: ${{ matrix.app }}
    steps:
      - uses: actions/checkout@v4
      - name: Setup
        uses: ./.github/actions/daemon-setup
        with:
          daemon: ${{ matrix.app }}
          node_version: 20.10.0
      - name: Setup signing
        run: dotnet tool install --global AzureSignTool
      - name: Build
        uses: nick-fields/retry@v3
        with:
          max_attempts: 3
          timeout_minutes: 30
          retry_wait_seconds: 30
          command: npm run build
      - name: Download daemon binary
        run: npm run download:binary
        shell: bash
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      - name: Package executable bundles, sign and notarize, make and publish distributables
        uses: nick-fields/retry@v3
        env:
          BUCKET_ACCESS_KEY_ID: ${{ secrets.BUCKET_ACCESS_KEY_ID }}
          BUCKET_SECRET_ACCESS_KEY: ${{ secrets.BUCKET_SECRET_ACCESS_KEY }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          max_attempts: 3
          timeout_minutes: 30
          retry_wait_seconds: 30
          command: |
            npm run publish --arch=x64
            # #TODO: probably not correct
            # APP_PATH="out/${{ matrix.app }}-win32-x64/${{ matrix.app }}.app"
            # BINARY_PATH="$APP_PATH/Contents/Windows/${{ matrix.app }}.exe"
            # azuresigntool sign -kvu "${{ secrets.AZURE_KEY_VAULT_URI }}" -kvi "${{ secrets.AZURE_CLIENT_ID }}" -kvt "${{ secrets.AZURE_TENANT_ID }}" -kvs "${{ secrets.AZURE_CLIENT_SECRET }}" -kvc ${{ secrets.AZURE_CERT_NAME }} -tr http://timestamp.digicert.com -v $BINARY_PATH