fix: use tauri.conf.json for version info for windows code signing #204
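# Release workflow: on a version tag, build the Tauri app for Linux, Android,
# Windows and macOS, sign the Android/Windows/macOS artifacts, and attach
# everything to a draft GitHub release.
#
# NOTE(review): every `uses:` below references a mutable tag or branch
# (e.g. `@v0`, `@v1`, `@upload-only`). These jobs hold signing secrets and a
# write-scoped token, so each third-party action should be pinned to a full
# commit SHA that has been reviewed. The SHAs are not known from this file.
name: "release-tauri-app"

on:
  push:
    tags:
      - 'v[0-9]+.[0-9]+.[0-9]+'
      - 'v[0-9]+.[0-9]+.[0-9]+-[a-z]+'
      - 'v[0-9]+.[0-9]+.[0-9]+-[a-z]+.[0-9]+'

jobs:
  release-tauri-app-linux:
    # Least privilege: the steps only create the draft release and upload
    # assets, which needs `contents: write` rather than `write-all`.
    permissions:
      contents: write
    outputs:
      # Consumed by the Android job to attach its APKs to the same release.
      releaseId: ${{ steps.build-app.outputs.releaseId }}
    runs-on: ubuntu-22.04
    steps:
      - uses: actions/checkout@v3
        with:
          # Do not leave the token in .git/config while `npm install` runs
          # dependency scripts; no later step pushes through git.
          persist-credentials: false
      - name: setup node
        uses: actions/setup-node@v1
        with:
          node-version: 20
      - name: install Rust stable
        # NOTE(review): actions-rs/toolchain is archived upstream; consider a
        # maintained replacement, pinned by SHA.
        uses: actions-rs/toolchain@v1
        with:
          override: true
          toolchain: 1.80.1
      - name: install Go stable
        uses: actions/setup-go@v4
        with:
          go-version: "stable"
      - name: install dependencies (ubuntu only)
        run: |
          sudo apt update
          sudo apt install libwebkit2gtk-4.1-dev \
            build-essential \
            curl \
            wget \
            file \
            libxdo-dev \
            libssl-dev \
            libayatana-appindicator3-dev \
            librsvg2-dev
      - name: Install and prepare
        run: |
          npm install
          npm run setup:happ-release
      - id: build-app
        uses: tauri-apps/tauri-action@v0
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          # The action automatically replaces __VERSION__ with the app version.
          tagName: Relay-v__VERSION__
          releaseName: 'Relay v__VERSION__'
          releaseBody: 'See the assets to download this version and install.'
          releaseDraft: true
          prerelease: false
          args: --verbose

  release-tauri-app-android:
    permissions:
      contents: write
    needs: release-tauri-app-linux
    # Signing secrets are read from this deployment environment.
    environment: Relay Release
    runs-on: 'ubuntu-22.04'
    steps:
      - uses: actions/checkout@v3
        with:
          persist-credentials: false
      - name: Extend space
        uses: ./.github/actions/extend-space
      - name: Install nix
        uses: cachix/install-nix-action@v27
        with:
          github_access_token: ${{ secrets.GITHUB_TOKEN }}
          nix_path: nixpkgs=channel:nixos-24.05
      - uses: cachix/cachix-action@v15
        with:
          name: holochain-ci
      - uses: cachix/cachix-action@v15
        with:
          name: holochain-open-dev
      - uses: cachix/cachix-action@v15
        with:
          name: darksoil-studio
      - name: Install and prepare
        # Both commands are wrapped in `bash -c` so that the second one also
        # runs inside the nix dev shell. Previously `&&` was parsed by the
        # outer shell, so `npm run setup:happ-release` ran with the runner's
        # own toolchain instead of the locked one.
        run: |
          nix develop --no-update-lock-file --command bash -c "npm install && npm run setup:happ-release"
      - name: setup Android signing
        # Secrets are passed through the environment instead of being
        # template-expanded into the script text: a value containing quotes,
        # `$` or backticks would otherwise be interpreted by the shell.
        env:
          ANDROID_KEY_ALIAS: ${{ secrets.ANDROID_KEY_ALIAS }}
          ANDROID_KEY_PASSWORD: ${{ secrets.ANDROID_KEY_PASSWORD }}
          ANDROID_KEY_BASE64: ${{ secrets.ANDROID_KEY_BASE64 }}
        run: |
          cd src-tauri/gen/android
          # The keystore is written outside the workspace so it cannot be
          # picked up by the asset upload glob.
          base64 -d <<< "$ANDROID_KEY_BASE64" > "$RUNNER_TEMP/keystore.jks"
          {
            printf 'keyAlias=%s\n' "$ANDROID_KEY_ALIAS"
            printf 'keyPassword=%s\n' "$ANDROID_KEY_PASSWORD"
            printf 'storeFile=%s\n' "$RUNNER_TEMP/keystore.jks"
            printf 'storePassword=%s\n' "$ANDROID_KEY_PASSWORD"
          } > keystore.properties
      - name: Build android APKs
        run: |
          nix develop .#androidDev --no-update-lock-file --command bash -c "npm run tauri android build -- --apk --split-per-abi --target aarch64 --target i686 --target x86_64"
      # NOTE(review): the ref of this action was lost to e-mail obfuscation on
      # the rendered page. Restore the original version tag, or better a
      # reviewed commit SHA, in place of the placeholder.
      - uses: AButler/upload-release-assets@<PINNED_REF>
        with:
          files: src-tauri/gen/android/app/build/outputs/apk/*/release/app-*
          repo-token: ${{ secrets.GITHUB_TOKEN }}
          release-id: ${{ needs.release-tauri-app-linux.outputs.releaseId }}

  release-tauri-app-windows:
    permissions:
      contents: write
    runs-on: windows-latest
    steps:
      - uses: actions/checkout@v3
        with:
          persist-credentials: false
      - name: setup node
        uses: actions/setup-node@v1
        with:
          node-version: 20
      - name: install Rust stable
        uses: actions-rs/toolchain@v1
        with:
          override: true
          toolchain: 1.80.1
      - name: install Go stable
        uses: actions/setup-go@v4
        with:
          go-version: "stable"
      - name: Install and prepare
        run: |
          npm install
          npm run setup:happ-release
      ### Everything below this line is code signing for Windows via azure key vault, following these instructions:
      ### https://melatonin.dev/blog/how-to-code-sign-windows-installers-with-an-ev-cert-on-github-actions/
      - name: Build and Sign the App
        # Key Vault credentials are scoped to this step only and read through
        # $env:, so PowerShell never re-parses the secret values as script.
        env:
          AZURE_KEY_VAULT_URI: ${{ secrets.AZURE_KEY_VAULT_URI }}
          AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
          AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
          AZURE_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }}
          AZURE_CERT_NAME: ${{ secrets.AZURE_CERT_NAME }}
        run: |
          Get-ChildItem $env:GITHUB_WORKSPACE
          # read productName and version from tauri.conf.json
          $TAURI_CONF = (Get-Content src-tauri/tauri.conf.json | Out-String | ConvertFrom-Json)
          $APP_PRODUCT_NAME_VERSION = '{0}_{1}' -f $TAURI_CONF.productName, $TAURI_CONF.version
          # Build the artifact paths in expression mode. On a native command
          # line `-f` is passed through as a literal argument rather than
          # applied as the format operator, so the tools would receive a path
          # that still contains `{0}`.
          $BUNDLE_DIR = Join-Path $env:GITHUB_WORKSPACE 'src-tauri\target\release\bundle'
          $MSI_PATH = Join-Path $BUNDLE_DIR ('msi\{0}_x64_en-US.msi' -f $APP_PRODUCT_NAME_VERSION)
          $EXE_PATH = Join-Path $BUNDLE_DIR ('nsis\{0}_x64-setup.exe' -f $APP_PRODUCT_NAME_VERSION)
          # building in verbose mode to get reasonable logging output in case of failure
          npm run tauri build -- --verbose
          if ($LASTEXITCODE -ne 0) { throw "tauri build failed with exit code $LASTEXITCODE" }
          dotnet tool install --global AzureSignTool
          if ($LASTEXITCODE -ne 0) { throw "AzureSignTool install failed with exit code $LASTEXITCODE" }
          # sign the .msi and the .exe; log hashes before and after code
          # signing to verify that the uploaded assets are the right ones
          foreach ($ARTIFACT in @($MSI_PATH, $EXE_PATH)) {
            CertUtil -hashfile $ARTIFACT SHA256
            AzureSignTool sign -kvu $env:AZURE_KEY_VAULT_URI -kvi $env:AZURE_CLIENT_ID -kvt $env:AZURE_TENANT_ID -kvs $env:AZURE_CLIENT_SECRET -kvc $env:AZURE_CERT_NAME -tr http://timestamp.digicert.com -v $ARTIFACT
            # Only the last native exit code decides the step result, so a
            # failed signature must stop the job here; otherwise an unsigned
            # installer could reach the upload step.
            if ($LASTEXITCODE -ne 0) { throw "signing $ARTIFACT failed with exit code $LASTEXITCODE" }
            CertUtil -hashfile $ARTIFACT SHA256
          }
      - name: upload signed .msi, .msi.zip, .msi.zip.sig, .exe, .nsis.zip, .nsis.zip.sig files to github release (Windows only)
        # NOTE(review): `@upload-only` is a branch, so the code that uploads
        # the signed installers can change without a change to this file.
        # Pin it to a reviewed commit SHA.
        uses: matthme/tauri-action-ev-signing@upload-only
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          # The action automatically replaces __VERSION__ with the app version.
          tagName: Relay-v__VERSION__
          releaseName: 'Relay v__VERSION__'
          releaseBody: 'See the assets to download this version and install.'
          releaseDraft: true
          prerelease: false
          args: --verbose

  release-tauri-app-macos:
    permissions:
      contents: write
    strategy:
      fail-fast: false
      matrix:
        include:
          - platform: 'macos-latest'  # for Arm based macs (M1 and above).
          - platform: 'macos-13'  # for Intel based macs.
    runs-on: ${{ matrix.platform }}
    steps:
      - uses: actions/checkout@v3
        with:
          persist-credentials: false
      - name: setup node
        uses: actions/setup-node@v1
        with:
          node-version: 20
      - name: install Rust stable
        uses: actions-rs/toolchain@v1
        with:
          override: true
          toolchain: 1.80.1
      - name: install Go stable
        uses: actions/setup-go@v4
        with:
          go-version: stable
      - name: Install and prepare
        run: |
          npm install
          npm run setup:happ-release
      - name: Build the App
        uses: tauri-apps/tauri-action@v0
        # The Apple signing and notarization credentials are visible to this
        # action only, not to the install steps above.
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          APPLE_CERTIFICATE: ${{ secrets.APPLE_CERTIFICATE }}
          APPLE_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
          APPLE_SIGNING_IDENTITY: ${{ secrets.APPLE_SIGNING_IDENTITY }}
          APPLE_ID: ${{ secrets.APPLE_ID }}
          APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
          APPLE_PASSWORD: ${{ secrets.APPLE_PASSWORD }}
        with:
          # The action automatically replaces __VERSION__ with the app version.
          tagName: Relay-v__VERSION__
          releaseName: 'Relay v__VERSION__'
          releaseBody: 'See the assets to download this version and install.'
          releaseDraft: true
          prerelease: false
          args: --verbose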