.github/workflows/release-codesigned.yaml

name: "publish"
on:
  push:
    branches:
      - release-codesigned

jobs:
  publish-tauri:
    permissions:
      contents: write
    strategy:
      fail-fast: false
      matrix:
        platform: [windows-2019, macos-11, ubuntu-20.04]
    env:
      MACOSX_DEPLOYMENT_TARGET: 10.13

    runs-on: ${{ matrix.platform }}
    steps:
      - uses: actions/checkout@v2
      - name: setup node
        uses: actions/setup-node@v1
        with:
          node-version: 16
      - name: install Rust stable
        uses: actions-rs/toolchain@v1
        with:
          override: true
          toolchain: stable
      - name: install Go stable
        uses: actions/setup-go@v4
        with:
          go-version: 'stable'
      - name: install app dependencies and info
        run: npm install && npm run tauri info

      - name: setup binaries (Windows only)
        if: matrix.platform == 'windows-2019'
        run: |
          mkdir src-tauri/bins

          cargo install --version 0.3.0 lair_keystore
          $LkPath = Get-Command lair-keystore | Select-Object -ExpandProperty Definition
          Copy-Item $LkPath -Destination src-tauri/bins/lair-keystore-v0.3.0-x86_64-pc-windows-msvc.exe


          cargo install holochain --version holochain-v0.2.3-beta-rc.1 --locked --features sqlite-encrypted
          $HcPath = Get-Command holochain | Select-Object -ExpandProperty Definition
          Copy-Item $HcPath -Destination src-tauri/bins/holochain-v0.2.3-beta-rc.1-x86_64-pc-windows-msvc.exe


      - name: setup binaries (macos only)
        if: matrix.platform == 'macos-11'
        run: |
          mkdir src-tauri/bins

          cargo install --version 0.3.0 lair_keystore
          LAIR_PATH=$(which lair-keystore)
          cp $LAIR_PATH src-tauri/bins/lair-keystore-v0.3.0-x86_64-apple-darwin

          cargo install holochain --version holochain-v0.2.3-beta-rc.1 --locked --features sqlite-encrypted
          HOLOCHAIN_PATH=$(which holochain)
          cp $HOLOCHAIN_PATH src-tauri/bins/holochain-v0.2.3-beta-rc.1-x86_64-apple-darwin


      - name: install dependencies (ubuntu only)
        if: matrix.platform == 'ubuntu-20.04'
        run: |
          sudo apt-get update
          sudo apt-get install -y libwebkit2gtk-4.0-dev libcanberra-gtk-module libcanberra-gtk3-module build-essential curl wget libssl-dev libgtk-3-dev squashfs-tools libgtksourceview-3.0-dev libappindicator3-dev patchelf librsvg2-dev ayatana-indicator-application

      - name: setup binaries (ubuntu only)
        if: matrix.platform == 'ubuntu-20.04'
        run: |
          mkdir src-tauri/bins

          cargo install --version 0.3.0 lair_keystore
          LAIR_PATH=$(which lair-keystore)
          cp $LAIR_PATH src-tauri/bins/lair-keystore-v0.3.0-x86_64-unknown-linux-gnu

          cargo install holochain --version holochain-v0.2.3-beta-rc.1 --locked --features sqlite-encrypted
          HOLOCHAIN_PATH=$(which holochain)
          cp $HOLOCHAIN_PATH src-tauri/bins/holochain-v0.2.3-beta-rc.1-x86_64-unknown-linux-gnu


      - name: generate dist folder
        run: npm run dist

      - name: build the app (macOS and Linux only)
        if: matrix.platform == 'ubuntu-20.04' || matrix.platform == 'macos-11' # HELP remove this line if Windows code signing is NOT wanted
        uses: tauri-apps/tauri-action@dev
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          ENABLE_CODE_SIGNING: ${{ secrets.APPLE_CERTIFICATE }}
          APPLE_CERTIFICATE: ${{ secrets.APPLE_CERTIFICATE }}
          APPLE_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
          APPLE_SIGNING_IDENTITY: ${{ secrets.APPLE_SIGNING_IDENTITY }}
          APPLE_ID: ${{ secrets.APPLE_ID }}
          APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
          APPLE_PASSWORD: ${{ secrets.APPLE_PASSWORD }}
          TAURI_PRIVATE_KEY: ${{ secrets.TAURI_PRIVATE_KEY }}
          TAURI_KEY_PASSWORD: ${{ secrets.TAURI_KEY_PASSWORD }}

        with:
          tagName: v__VERSION__ # the action automatically replaces \_\_VERSION\_\_ with the app version
          releaseName: "talking-stickies v__VERSION__"
          releaseBody: "See assets below to download and install this version."
          releaseDraft: true
          prerelease: true
          args: --verbose


      ### Everything below this line is code signing for Windows via azure key vault, following these instructions:
      ### https://melatonin.dev/blog/how-to-code-sign-windows-installers-with-an-ev-cert-on-github-actions/
      ### HELP Remove everything below if Windows code signing is NOT wanted.

      - name: build and sign the app (Windows only)
        if: matrix.platform == 'windows-2019'
        run: |

          npm run tauri build -- --verbose # building in verbose mode to get reasonable logging output in case of failure

          dotnet tool install --global AzureSignTool

          # replace-me -- HELP
          # 1. replace all occurrences of talking-stickies-kangaroo-1 with the name you of your GitHub repository
          # 2. replace all occurrences of TalkingStickies with the productName field in tauri.conf.json
          # 3. replace all occurrences of 0.0.1 with the version field in tauri.conf.json
          # !! NOTE: The version field needs to be updated manually here with each new version of your app, otherwise the Windows build will fail.

          # sign the .msi file
          AzureSignTool sign -kvu "${{ secrets.AZURE_KEY_VAULT_URI }}" -kvi "${{ secrets.AZURE_CLIENT_ID }}" -kvt "${{ secrets.AZURE_TENANT_ID }}" -kvs "${{ secrets.AZURE_CLIENT_SECRET }}" -kvc ${{ secrets.AZURE_CERT_NAME }} -tr http://timestamp.digicert.com -v "D:\a\talking-stickies-kangaroo-1\talking-stickies-kangaroo-1\src-tauri\target\release\bundle\msi\TalkingStickies_0.0.1_x64_en-US.msi"
          # sign the .exe file
          AzureSignTool sign -kvu "${{ secrets.AZURE_KEY_VAULT_URI }}" -kvi "${{ secrets.AZURE_CLIENT_ID }}" -kvt "${{ secrets.AZURE_TENANT_ID }}" -kvs "${{ secrets.AZURE_CLIENT_SECRET }}" -kvc ${{ secrets.AZURE_CERT_NAME }} -tr http://timestamp.digicert.com -v "D:\a\talking-stickies-kangaroo-1\talking-stickies-kangaroo-1\src-tauri\target\release\bundle\nsis\TalkingStickies_0.0.1_x64-setup.exe"

          # # Uncomment the lines below if you have the updater enabled
          # # =========================================================

          # # remove the .msi.zip and .msi.zip.sig files generated by tauri's build command as they are not code signed
          # rm "D:\a\talking-stickies-kangaroo-1\talking-stickies-kangaroo-1\src-tauri\target\release\bundle\msi\TalkingStickies_0.0.1_x64_en-US.msi.zip"
          # rm "D:\a\talking-stickies-kangaroo-1\talking-stickies-kangaroo-1\src-tauri\target\release\bundle\msi\TalkingStickies_0.0.1_x64_en-US.msi.zip.sig"
          # rm "D:\a\talking-stickies-kangaroo-1\talking-stickies-kangaroo-1\target\release\bundle\nsis\TalkingStickies_0.0.1_x64-setup.nsis.zip"
          # rm "D:\a\talking-stickies-kangaroo-1\talking-stickies-kangaroo-1\target\release\bundle\nsis\TalkingStickies_0.0.1_x64-setup.nsis.zip.sig"

          # # zip and sign the code signed .msi
          # 7z a -mx=0 "D:\a\talking-stickies-kangaroo-1\talking-stickies-kangaroo-1\src-tauri\target\release\bundle\msi\TalkingStickies_0.0.1_x64_en-US.msi.zip" "D:\a\talking-stickies-kangaroo-1\talking-stickies-kangaroo-1\target\release\bundle\msi\TalkingStickies_0.0.1_x64_en-US.msi"
          # npm run tauri signer sign "D:\a\talking-stickies-kangaroo-1\talking-stickies-kangaroo-1\src-tauri\target\release\bundle\msi\TalkingStickies_0.0.1_x64_en-US.msi.zip" -- -k ${{ secrets.TAURI_PRIVATE_KEY }} -p "${{ secrets.TAURI_KEY_PASSWORD }}"

          # 7z a -mx=0 "D:\a\talking-stickies-kangaroo-1\talking-stickies-kangaroo-1\target\release\bundle\nsis\TalkingStickies_0.0.1_x64-setup.nsis.zip" "D:\a\talking-stickies-kangaroo-1\talking-stickies-kangaroo-1\target\release\bundle\nsis\TalkingStickies_0.0.1_x64-setup.exe"
          # npm run tauri signer sign "D:\a\talking-stickies-kangaroo-1\talking-stickies-kangaroo-1\target\release\bundle\nsis\TalkingStickies_0.0.1_x64-setup.nsis.zip" -- -k ${{ secrets.TAURI_PRIVATE_KEY_0_2 }} -p "${{ secrets.TAURI_KEY_PASSWORD }}"

          # # =========================================================

          # log hashes before and after code signing to verify that the uploaded assets are the right ones
          CertUtil -hashfile "D:\a\talking-stickies-kangaroo-1\talking-stickies-kangaroo-1\src-tauri\target\release\bundle\msi\TalkingStickies_0.0.1_x64_en-US.msi" SHA256
          CertUtil -hashfile "D:\a\talking-stickies-kangaroo-1\talking-stickies-kangaroo-1\src-tauri\target\release\bundle\nsis\TalkingStickies_0.0.1_x64-setup.exe" SHA256
          # # Uncomment the lines below if you have the updater enabled
          # CertUtil -hashfile "D:\a\talking-stickies-kangaroo-1\talking-stickies-kangaroo-1\src-tauri\target\release\bundle\msi\TalkingStickies_0.0.1_x64_en-US.msi.zip" SHA256
          # CertUtil -hashfile "D:\a\talking-stickies-kangaroo-1\talking-stickies-kangaroo-1\src-tauri\target\release\bundle\msi\TalkingStickies_0.0.1_x64_en-US.msi.zip.sig" SHA256
        env:
          TAURI_PRIVATE_KEY: ${{ secrets.TAURI_PRIVATE_KEY }}
          TAURI_KEY_PASSWORD: ${{ secrets.TAURI_KEY_PASSWORD }}


      - name: upload signed .msi, .msi.zip, .msi.zip.sig, .exe, .nsis.zip, .nsis.zip.sig files to github release (Windows only)
        uses: matthme/tauri-action-ev-signing@upload-only
        if: matrix.platform == 'windows-2019'
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          tagName: v__VERSION__ # the action automatically replaces \_\_VERSION\_\_ with the app version
          releaseName: "talking-stickies v__VERSION__"
          releaseBody: "See assets below to download and install this version."
          releaseDraft: true
          prerelease: true
          args: --verbose