.github/workflows/release-tauri-app.yaml

name: "release-tauri-app"
on:
  push:
    tags:
      - 'v[0-9]+.[0-9]+.[0-9]+'
      - 'v[0-9]+.[0-9]+.[0-9]+-[a-z]+'
      - 'v[0-9]+.[0-9]+.[0-9]+-[a-z]+.[0-9]+'

jobs:
  create-release:
    permissions: write-all
    runs-on: ubuntu-latest
    outputs:
      releaseId: ${{ steps.step1.outputs.id }}
    steps:
      - id: step1
        uses: ncipollo/release-action@v1
        with:
          name: "Volla Messages ${{ github.ref_name }}"
          body: "See the assets to download this version and install."
          prerelease: true
          draft: true

  release-tauri-app-linux:
    needs: create-release
    permissions: write-all
    runs-on: ubuntu-22.04
    steps:
      - uses: actions/checkout@v3

      - name: setup node
        uses: actions/setup-node@v1
        with:
          node-version: 20

      - name: install Rust stable
        uses: actions-rs/toolchain@v1
        with:
          override: true
          toolchain: 1.80.1

      - name: install Go stable
        uses: actions/setup-go@v4
        with:
          go-version: "stable"

      - name: install dependencies (ubuntu only)
        run: |
          sudo apt update
          sudo apt install libwebkit2gtk-4.1-dev \
            build-essential \
            curl \
            wget \
            file \
            libxdo-dev \
            libssl-dev \
            libayatana-appindicator3-dev \
            librsvg2-dev

      - name: Install and prepare
        run: |
          npm install
          npm run setup:happ-release

      - id: build-app
        uses: tauri-apps/tauri-action@v0
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          releaseId: ${{ needs.create-release.outputs.releaseId }}
          args: --verbose

  release-tauri-app-android:
    permissions: write-all
    needs: 
      - release-tauri-app-linux
      - create-release

    runs-on: 'ubuntu-22.04' 
    steps:
      - uses: actions/checkout@v3

      - name: Extend space
        uses: ./.github/actions/extend-space

      - name: Install nix
        uses: cachix/install-nix-action@v27
        with:
          github_access_token: ${{ secrets.GITHUB_TOKEN }}
          nix_path: nixpkgs=channel:nixos-24.05

      - uses: cachix/cachix-action@v15
        with:
          name: holochain-ci

      - uses: cachix/cachix-action@v15
        with:
          name: holochain-open-dev

      - uses: cachix/cachix-action@v15
        with:
          name: darksoil-studio

      - name: Install and prepare
        run: |
          nix develop --no-update-lock-file --command npm install && npm run setup:happ-release

      - name: setup Android signing
        run: |
          cd src-tauri/gen/android
          echo "keyAlias=${{ secrets.ANDROID_KEY_ALIAS }}" > keystore.properties
          echo "keyPassword=${{ secrets.ANDROID_KEY_PASSWORD }}" >> keystore.properties
          base64 -d <<< "${{ secrets.ANDROID_KEY_BASE64 }}" > $RUNNER_TEMP/keystore.jks
          echo "storeFile=$RUNNER_TEMP/keystore.jks" >> keystore.properties
          echo "storePassword=${{ secrets.ANDROID_KEY_PASSWORD }}" >> keystore.properties

      - name: Build android APKs
        run: |
          nix develop .#androidDev --no-update-lock-file --command bash -c "npm run tauri android build -- --apk --split-per-abi --target aarch64 --target i686 --target x86_64"

      - uses: AButler/upload-release-assets@v3.0
        with:
          files: src-tauri/gen/android/app/build/outputs/apk/*/release/app-*
          repo-token: ${{ secrets.GITHUB_TOKEN }}
          release-id: ${{ needs.create-release.outputs.releaseId }}

  release-tauri-app-windows:
    needs: create-release
    permissions: write-all
    runs-on: windows-latest
    steps:
      - uses: actions/checkout@v3

      - name: setup node
        uses: actions/setup-node@v1
        with:
          node-version: 20

      - name: install Rust stable
        uses: actions-rs/toolchain@v1
        with:
          override: true
          toolchain: 1.80.1

      - name: install Go stable
        uses: actions/setup-go@v4
        with:
          go-version: "stable"

      - name: Install and prepare
        run: |
          npm install
          npm run setup:happ-release

      - name: Build the App
        uses: tauri-apps/tauri-action@v0
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          args: --verbose

      ### Everything below this line is code signing for Windows via azure key vault, following these instructions:
      ### https://melatonin.dev/blog/how-to-code-sign-windows-installers-with-an-ev-cert-on-github-actions/
      - name: Sign the App
        run: |

          # read name and version from tauri.conf.json
          $TAURI_CONF = (Get-Content src-tauri\tauri.conf.json | Out-String | ConvertFrom-Json)
          $APP_PRODUCT_NAME_VERSION = "$($TAURI_CONF.productName)_$($TAURI_CONF.version)"

          $BUNDLE_OUT_PATH_1 = "D:\a\${{ github.event.repository.name }}\${{ github.event.repository.name }}\target\release\bundle\nsis\$($APP_PRODUCT_NAME_VERSION)_x64-setup.exe"
          $BUNDLE_OUT_PATH_2 = "D:\a\${{ github.event.repository.name }}\${{ github.event.repository.name }}\target\release\bundle\msi\$($APP_PRODUCT_NAME_VERSION)_x64_en-US.msi"

          dotnet tool install --global AzureSignTool

          # sign the output bundles
          AzureSignTool sign -kvu "${{ secrets.AZURE_KEY_VAULT_URI }}" -kvi "${{ secrets.AZURE_CLIENT_ID }}" -kvt "${{ secrets.AZURE_TENANT_ID }}" -kvs "${{ secrets.AZURE_CLIENT_SECRET }}" -kvc ${{ secrets.AZURE_CERT_NAME }} -tr http://timestamp.digicert.com -v $BUNDLE_OUT_PATH_1
          AzureSignTool sign -kvu "${{ secrets.AZURE_KEY_VAULT_URI }}" -kvi "${{ secrets.AZURE_CLIENT_ID }}" -kvt "${{ secrets.AZURE_TENANT_ID }}" -kvs "${{ secrets.AZURE_CLIENT_SECRET }}" -kvc ${{ secrets.AZURE_CERT_NAME }} -tr http://timestamp.digicert.com -v $BUNDLE_OUT_PATH_2

          # log hashes before and after code signing to verify that the uploaded assets are the right ones
          CertUtil -hashfile $BUNDLE_OUT_PATH_1 SHA256
          CertUtil -hashfile $BUNDLE_OUT_PATH_2 SHA256


      - name: view output bundle
        run: |
          ls D:\a\${{ github.event.repository.name }}\${{ github.event.repository.name }}\target\release\bundle\msi\*
          ls D:\a\${{ github.event.repository.name }}\${{ github.event.repository.name }}\target\release\bundle\nsis\*

      - name: Upload the Signed App
        uses: AButler/upload-release-assets@v3.0
        with:
          repo-token: ${{ secrets.GITHUB_TOKEN }}
          release-id: ${{ needs.create-release.outputs.releaseId }}
          files: D:\a\${{ github.event.repository.name }}\${{ github.event.repository.name }}\target\release\bundle\msi\*;D:\a\${{ github.event.repository.name }}\${{ github.event.repository.name }}\target\release\bundle\nsis\*
          
  release-tauri-app-macos:
    needs: create-release
    permissions: write-all

    strategy:
      fail-fast: false
      matrix:
        include:
          - platform: 'macos-latest' # for Arm based macs (M1 and above).
          - platform: 'macos-13' # for Intel based macs.

    runs-on: ${{ matrix.platform }}

    steps:
      - uses: actions/checkout@v3

      - name: setup node
        uses: actions/setup-node@v1
        with:
          node-version: 20

      - name: install Rust stable
        uses: actions-rs/toolchain@v1
        with:
          override: true
          toolchain: 1.80.1

      - name: install Go stable
        uses: actions/setup-go@v4
        with:
          go-version: stable

      - name: Install and prepare
        run: |
          npm install
          npm run setup:happ-release

      - name: Build the App
        uses: tauri-apps/tauri-action@v0
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          APPLE_CERTIFICATE: ${{ secrets.APPLE_CERTIFICATE }}
          APPLE_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
          APPLE_SIGNING_IDENTITY: ${{ secrets.APPLE_SIGNING_IDENTITY }}
          APPLE_ID: ${{ secrets.APPLE_ID }}
          APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
          APPLE_PASSWORD: ${{ secrets.APPLE_PASSWORD }}

        with:
          releaseId: ${{ needs.create-release.outputs.releaseId }}
          args: --verbose