feat: code signing and notarization for macos releases #202

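# Release workflow: when a version tag is pushed, build the Tauri app for
# Linux, Android, Windows and macOS and attach the artifacts to a draft
# GitHub release.
#
# Supply-chain note: every third-party action below is referenced by a mutable
# tag (`@v0`, `@v1`, ...). These jobs hold signing secrets and a token that can
# write releases, so pin each `uses:` to a reviewed full commit SHA.
# NOTE(review): `actions/setup-node@v1` and `actions-rs/toolchain@v1` are old
# major versions - confirm they are still maintained before pinning.
name: 'release-tauri-app'
on:
  push:
    tags:
      - 'v[0-9]+.[0-9]+.[0-9]+'
      - 'v[0-9]+.[0-9]+.[0-9]+-[a-z]+'
      - 'v[0-9]+.[0-9]+.[0-9]+-[a-z]+.[0-9]+'
jobs:
  # Builds the Linux bundles and creates the draft release; its release id is
  # exported so the Android job can upload into the same release.
  release-tauri-app-linux:
    # Least privilege: the steps below only use the token to create a release
    # and upload assets, which needs `contents: write` (was `write-all`).
    permissions:
      contents: write
    outputs:
      releaseId: ${{ steps.build-app.outputs.releaseId }}
    runs-on: ubuntu-22.04
    steps:
      # Check out the repository into $GITHUB_WORKSPACE.
      - uses: actions/checkout@v3
      - name: setup node
        uses: actions/setup-node@v1
        with:
          node-version: 20
      - name: install Rust stable
        uses: actions-rs/toolchain@v1
        with:
          override: true
          toolchain: '1.80.1'
      - name: install Go stable
        uses: actions/setup-go@v4
        with:
          go-version: 'stable'
      - name: install dependencies (ubuntu only)
        run: |
          sudo apt update
          sudo apt install libwebkit2gtk-4.1-dev \
            build-essential \
            curl \
            wget \
            file \
            libxdo-dev \
            libssl-dev \
            libayatana-appindicator3-dev \
            librsvg2-dev
      - name: Install and prepare
        run: |
          npm install
          npm run setup:happ-release
      - id: build-app
        uses: tauri-apps/tauri-action@v0
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          # tauri-action replaces __VERSION__ with the app version.
          tagName: Relay-v__VERSION__
          releaseName: 'Relay v__VERSION__'
          releaseBody: 'See the assets to download this version and install.'
          releaseDraft: true
          prerelease: false

  # Builds signed Android APKs inside the project's nix shell and uploads them
  # to the release created by the Linux job.
  release-tauri-app-android:
    # Least privilege: only the release-asset upload needs a write scope.
    permissions:
      contents: write
    needs: release-tauri-app-linux
    environment: Relay Release
    runs-on: 'ubuntu-22.04'
    steps:
      # Check out the repository into $GITHUB_WORKSPACE.
      - uses: actions/checkout@v3
      - name: Extend space
        uses: ./.github/actions/extend-space
      - name: Install nix
        uses: cachix/install-nix-action@v27
        with:
          github_access_token: ${{ secrets.GITHUB_TOKEN }}
          nix_path: nixpkgs=channel:nixos-24.05
      - uses: cachix/cachix-action@v15
        with:
          name: holochain-ci
      - uses: cachix/cachix-action@v15
        with:
          name: holochain-open-dev
      - uses: cachix/cachix-action@v15
        with:
          name: darksoil-studio
      - name: Install and prepare
        # NOTE(review): only `npm install` runs under `nix develop`; the command
        # after `&&` runs in the runner's own shell. Confirm this is intended.
        run: |
          nix develop --no-update-lock-file --command npm install && npm run setup:happ-release
      - name: setup Android signing
        # Secrets are handed to the script through `env:` rather than expanded
        # into the script text with `${{ }}`. Template expansion happens before
        # the shell parses the script, so a value containing quotes, `$` or
        # backticks would otherwise be interpreted as shell syntax.
        env:
          ANDROID_KEY_ALIAS: ${{ secrets.ANDROID_KEY_ALIAS }}
          ANDROID_KEY_PASSWORD: ${{ secrets.ANDROID_KEY_PASSWORD }}
          ANDROID_KEY_BASE64: ${{ secrets.ANDROID_KEY_BASE64 }}
        run: |
          cd src-tauri/gen/android
          echo "keyAlias=$ANDROID_KEY_ALIAS" > keystore.properties
          echo "keyPassword=$ANDROID_KEY_PASSWORD" >> keystore.properties
          # The keystore is written outside the workspace so it cannot be
          # picked up by the asset upload glob below.
          base64 -d <<< "$ANDROID_KEY_BASE64" > "$RUNNER_TEMP/keystore.jks"
          echo "storeFile=$RUNNER_TEMP/keystore.jks" >> keystore.properties
          echo "storePassword=$ANDROID_KEY_PASSWORD" >> keystore.properties
      - name: Build android APKs
        run: |
          nix develop .#androidDev --no-update-lock-file --command bash -c "npm run tauri android build -- --apk --split-per-abi --target aarch64 --target i686 --target x86_64"
      # The ref of this action was destroyed by e-mail obfuscation in the page
      # this file was taken from (`AButler/[email protected]`). Restore the
      # real ref, preferably as a full commit SHA, before using the workflow.
      - uses: AButler/upload-release-assets@REF_LOST_IN_EXTRACTION
        with:
          files: src-tauri/gen/android/app/build/outputs/apk/*/release/app-*
          repo-token: ${{ secrets.GITHUB_TOKEN }}
          release-id: ${{ needs.release-tauri-app-linux.outputs.releaseId }}

  # Builds the Windows bundles and attaches them to the draft release.
  release-tauri-app-windows:
    # Least privilege: release creation/upload only needs `contents: write`.
    permissions:
      contents: write
    runs-on: windows-latest
    steps:
      # Check out the repository into $GITHUB_WORKSPACE.
      - uses: actions/checkout@v3
      - name: setup node
        uses: actions/setup-node@v1
        with:
          node-version: 20
      - name: install Rust stable
        uses: actions-rs/toolchain@v1
        with:
          override: true
          toolchain: '1.80.1'
      - name: install Go stable
        uses: actions/setup-go@v4
        with:
          go-version: 'stable'
      - name: Install and prepare
        run: |
          npm install
          npm run setup:happ-release
      - name: build the app
        uses: tauri-apps/tauri-action@v0
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          # tauri-action replaces __VERSION__ with the app version.
          tagName: Relay-v__VERSION__
          releaseName: 'Relay v__VERSION__'
          releaseBody: 'See the assets to download this version and install.'
          releaseDraft: true
          prerelease: false

  # Builds, code-signs and (via the Apple credentials) notarizes the macOS
  # bundles for both Apple Silicon and Intel runners.
  release-tauri-app-macos:
    # Least privilege: release creation/upload only needs `contents: write`.
    permissions:
      contents: write
    strategy:
      fail-fast: false
      matrix:
        include:
          - platform: 'macos-latest' # for Arm based macs (M1 and above).
          - platform: 'macos-13' # for Intel based macs.
          # - platform: 'ubuntu-22.04'
    runs-on: ${{ matrix.platform }}
    # APPLE_ID / APPLE_ID_PASSWORD used to be job-level `env:`, which exposed
    # them to every step, including `npm install` (dependency lifecycle
    # scripts) and the toolchain setup actions. They are now scoped to the
    # build step, the only step that signs and notarizes.
    steps:
      # Check out the repository into $GITHUB_WORKSPACE.
      - uses: actions/checkout@v3
      - name: setup node
        uses: actions/setup-node@v1
        with:
          node-version: 20
      - name: install Rust stable
        uses: actions-rs/toolchain@v1
        with:
          override: true
          toolchain: '1.80.1'
      - name: install Go stable
        uses: actions/setup-go@v4
        with:
          go-version: 'stable'
      - name: Install and prepare
        run: |
          npm install
          npm run setup:happ-release
      - name: Import Apple Developer Certificate
        env:
          APPLE_CERTIFICATE: ${{ secrets.APPLE_CERTIFICATE }}
          APPLE_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
          KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }}
        run: |
          # Decode the .p12 outside the workspace and delete it once it has
          # been imported, so the private key does not stay on disk next to
          # the build inputs.
          CERT_FILE="$RUNNER_TEMP/certificate.p12"
          echo "$APPLE_CERTIFICATE" | base64 --decode > "$CERT_FILE"
          security create-keychain -p "$KEYCHAIN_PASSWORD" build.keychain
          security default-keychain -s build.keychain
          security unlock-keychain -p "$KEYCHAIN_PASSWORD" build.keychain
          security import "$CERT_FILE" -k build.keychain -P "$APPLE_CERTIFICATE_PASSWORD" -T /usr/bin/codesign
          rm -f "$CERT_FILE"
          security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$KEYCHAIN_PASSWORD" build.keychain
          security find-identity -v -p codesigning build.keychain
      - name: Verify Apple Developer Certificate
        # NOTE(review): this selects an "Apple Development" identity. Notarized
        # distribution outside the App Store normally uses a "Developer ID
        # Application" identity - confirm which certificate the secret holds.
        run: |
          CERT_INFO=$(security find-identity -v -p codesigning build.keychain | grep "Apple Development")
          CERT_ID=$(echo "$CERT_INFO" | awk -F'"' '{print $2}')
          # Fail with a clear message instead of exporting an empty identity.
          if [ -z "$CERT_ID" ]; then
            echo "No matching code-signing identity found in build.keychain" >&2
            exit 1
          fi
          echo "CERT_ID=$CERT_ID" >> "$GITHUB_ENV"
          echo "Certificate imported."
      - name: Save Apple Api Key to expected path
        # NOTE(review): the build step below is not given APPLE_API_KEY_PATH
        # (nor an API issuer / key id), so confirm how the bundler is expected
        # to find this key, or whether Apple-ID notarization is used instead.
        env:
          APPLE_API_KEY_PATH_BASE64: ${{ secrets.APPLE_API_KEY_PATH_BASE64 }}
          APPLE_API_KEY_PATH: ${{ secrets.APPLE_API_KEY_PATH }}
        run: |
          echo "$APPLE_API_KEY_PATH_BASE64" | base64 --decode > "$APPLE_API_KEY_PATH"
      - name: Build the App
        uses: tauri-apps/tauri-action@v0
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          APPLE_CERTIFICATE: ${{ secrets.APPLE_CERTIFICATE }}
          APPLE_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
          APPLE_SIGNING_IDENTITY: ${{ env.CERT_ID }}
          # NOTE(review): Tauri documents APPLE_PASSWORD (not
          # APPLE_ID_PASSWORD) for Apple-ID notarization - confirm the name
          # expected by the Tauri version in use.
          APPLE_ID: ${{ secrets.APPLE_ID }}
          APPLE_ID_PASSWORD: ${{ secrets.APPLE_ID_PASSWORD }}
        with:
          # tauri-action replaces __VERSION__ with the app version.
          tagName: Relay-v__VERSION__
          releaseName: 'Relay v__VERSION__'
          releaseBody: 'See the assets to download this version and install.'
          releaseDraft: true
          prerelease: false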