.github/workflows/tauri-build-dev.yml

name: 'generate experimental/dev stage draft GitHub release'

on:
  push:
    branches: [ dev ]

jobs:
  create-release:
    permissions:
      contents: write
    runs-on: ubuntu-latest
    outputs:
      release_id: ${{ steps.create-release.outputs.result }}

    steps:
      - uses: actions/checkout@v4
      - name: setup node
        uses: actions/setup-node@v4
        with:
          node-version: 20
      - name: get version
        run: |
          echo "PACKAGE_VERSION=$(node -p "require('./package.json').version")" >> $GITHUB_ENV
          echo "GIT_TAG_NAME=dev-app-v$(node -p "require('./package.json').version")" >> $GITHUB_ENV
      - name: create release
        id: create-release
        uses: actions/github-script@v7
        with:
          script: |
            const { data } = await github.rest.repos.createRelease({
              owner: context.repo.owner,
              repo: context.repo.repo,
              tag_name: `${process.env.GIT_TAG_NAME}`,
              target_commitish: 'dev',
              name: `Phoenix Code Experimental build v${process.env.PACKAGE_VERSION}`,
              body: 'Take a look at the assets to download and install Phoenix Code For your platform.\n\n>UpdateNotification: <replace this text to show a 1 line **Release Notes** to the user in the notification dialogue ![image](https://github.com/abose/phoenix-desktop/assets/5336369/c747898a-29ef-43c7-b74e-dddd5104a56c). Wait for a new pull request in the repo.>',
              draft: true,
              prerelease: true
            })
            return data.id

  build-tauri:
    needs: create-release
    permissions:
      contents: write
    strategy:
      fail-fast: false
      matrix:
        platform: [ macos-latest, ubuntu-latest, windows-latest ]

    runs-on: ${{ matrix.platform }}
    steps:
      - uses: actions/checkout@v4
      - name: get Git Tag
        shell: bash
        run: echo "GIT_TAG_NAME=dev-app-v$(node -p "require('./package.json').version")" >> $GITHUB_ENV
      - name: setup node
        uses: actions/setup-node@v4
        with:
          node-version: 20
      - name: install Rust stable
        uses: dtolnay/rust-toolchain@stable
      - name: install dependencies (ubuntu only)
        if: matrix.platform == 'ubuntu-latest'
        run: |
          sudo apt-get update
          sudo apt-get install -y libgtk-3-dev libwebkit2gtk-4.0-dev libayatana-appindicator3-dev librsvg2-dev
          sudo apt-get install -y libwebrtc-audio-processing-dev
          sudo apt-get install -y libunwind-dev
          sudo apt-get install -y libgstreamer1.0-dev libgstreamer-plugins-base1.0-dev libgstreamer-plugins-bad1.0-dev gstreamer1.0-plugins-base gstreamer1.0-plugins-good gstreamer1.0-plugins-bad gstreamer1.0-plugins-ugly gstreamer1.0-libav gstreamer1.0-tools gstreamer1.0-x gstreamer1.0-alsa gstreamer1.0-gl gstreamer1.0-gtk3 gstreamer1.0-qt5 gstreamer1.0-pulseaudio
      - name: install frontend dependencies
        run: |
          npm ci
          npm run _ci-release:dev
      - name: install AzureSignTool (windows only)
        if: matrix.platform == 'windows-latest'
        run: |
          dotnet tool install --global AzureSignTool
      - name: import certificate for signing (windows only)
        if: matrix.platform == 'windows-latest'
        run: |
          echo "${{ secrets.AZURE_EV_CERT }}" > secret.cer
          Import-Certificate -FilePath .\secret.cer -CertStoreLocation Cert:\LocalMachine\My
        shell: powershell
      - name: patch signTool (windows only)
        if: matrix.platform == 'windows-latest'
        run: Start-Process  -FilePath .\src-build\win\copy_sign_tool.exe -Verb RunAs
        shell: powershell
      - name: setup env for signing (windows only)
        if: matrix.platform == 'windows-latest'
        env:
          TAURI_PRIVATE_KEY: ${{ secrets.TAURI_PRIVATE_KEY }}
          TAURI_KEY_PASSWORD: ${{ secrets.TAURI_KEY_PASSWORD }}
          AZURE_KEY_VAULT_URI: ${{ secrets.AZURE_KEY_VAULT_URI }}
          AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
          AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
          AZURE_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }}
          AZURE_CERT_NAME: ${{ secrets.AZURE_CERT_NAME }}
          AZURE_COMPANY_NAME: ${{ secrets.AZURE_COMPANY_NAME }}
        run: |
          $jsonContent = @{
             "AZURE_KEY_VAULT_URI" = $env:AZURE_KEY_VAULT_URI
             "AZURE_CLIENT_ID" = $env:AZURE_CLIENT_ID
             "AZURE_TENANT_ID" = $env:AZURE_TENANT_ID
             "AZURE_CLIENT_SECRET" = $env:AZURE_CLIENT_SECRET
             "AZURE_CERT_NAME" = $env:AZURE_CERT_NAME
             "AZURE_COMPANY_NAME" = $env:AZURE_COMPANY_NAME
           }
          $jsonContent | ConvertTo-Json | Out-File -FilePath ./secrets.json -Encoding utf8
          # Load content from the file
          $content = Get-Content -Path "./secrets.json" -Raw
          
          # Replace \r\n with \n
          $content = $content -replace "`r`n", "`n"
          
          # Write the content back to the file
          Set-Content -Path "./secrets.json" -Value $content
        shell: powershell
      - name: Sign embedded executables for (Mac Only)
        if: matrix.platform == 'macos-latest'
        env :
          APPLE_KEY_IDENTITY_NAME: ${{ secrets.APPLE_KEY_IDENTITY_NAME }}
          APPLE_CERTIFICATE: ${{ secrets.APPLE_CERTIFICATE }}
          APPLE_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
        run: |
          certificate_encoded="$APPLE_CERTIFICATE"
          certificate_password="$APPLE_CERTIFICATE_PASSWORD"

          echo "Setting up keychain from environment variables..."

          # Creating a temporary directory
          tmp_dir=$(mktemp -d)
          cert_path="$tmp_dir/cert.p12"
          # Decode the encoded certificate and write it to the cert_path
          echo "$certificate_encoded" | base64 --decode > "$cert_path"

          # Generate a random password for the keychain
          KEYCHAIN_PASSWORD=$(openssl rand -base64 16)

          # Create a new keychain with the random password
          security create-keychain -p "$KEYCHAIN_PASSWORD" build.keychain
          security default-keychain -s build.keychain
          security unlock-keychain -p "$KEYCHAIN_PASSWORD" build.keychain
          security import "$cert_path" -k build.keychain -P "$certificate_password" -T /usr/bin/codesign
          security set-key-partition-list -S apple-tool:,apple: -s -k "$KEYCHAIN_PASSWORD" build.keychain

          # Sign the files specified in src-build/mac/filesToSign
          while IFS= read -r file; do
              codesign --sign "$APPLE_KEY_IDENTITY_NAME" --keychain build.keychain --timestamp --options runtime "$file"
          done < src-build/mac/filesToSign

          # Clean up
          security delete-keychain build.keychain
          rm -rf "$tmp_dir" # removes the temporary directory and the certificate file within it

        shell: bash

      - uses: tauri-apps/tauri-action@v0
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          TAURI_PRIVATE_KEY: ${{ secrets.TAURI_PRIVATE_KEY }}
          TAURI_KEY_PASSWORD: ${{ secrets.TAURI_KEY_PASSWORD }}
          ENABLE_CODE_SIGNING: ${{ secrets.APPLE_CERTIFICATE }}
          APPLE_CERTIFICATE: ${{ secrets.APPLE_CERTIFICATE }}
          APPLE_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
          APPLE_SIGNING_IDENTITY: ${{ secrets.APPLE_SIGNING_IDENTITY }}
          APPLE_ID: ${{ secrets.APPLE_ID }}
          APPLE_PASSWORD: ${{ secrets.APPLE_PASSWORD }}
          APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
        with:
          releaseId: ${{ needs.create-release.outputs.release_id }}
          updaterJsonPreferNsis: true
          tagName: ${{ env.GIT_TAG_NAME }}

      - name: setup env for mac arm (Mac only)
        if: matrix.platform == 'macos-latest'
        run: |
          rustup target add aarch64-apple-darwin
          npm run installNodeArmDarwin
      - name: build for mac arm (Mac only)
        if: matrix.platform == 'macos-latest'
        uses: tauri-apps/tauri-action@v0
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          TAURI_PRIVATE_KEY: ${{ secrets.TAURI_PRIVATE_KEY }}
          TAURI_KEY_PASSWORD: ${{ secrets.TAURI_KEY_PASSWORD }}
          ENABLE_CODE_SIGNING: ${{ secrets.APPLE_CERTIFICATE }}
          APPLE_CERTIFICATE: ${{ secrets.APPLE_CERTIFICATE }}
          APPLE_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
          APPLE_SIGNING_IDENTITY: ${{ secrets.APPLE_SIGNING_IDENTITY }}
          APPLE_ID: ${{ secrets.APPLE_ID }}
          APPLE_PASSWORD: ${{ secrets.APPLE_PASSWORD }}
          APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
        with:
          releaseId: ${{ needs.create-release.outputs.release_id }}
          args: --target aarch64-apple-darwin
          tagName: ${{ env.GIT_TAG_NAME }}

  publish-release:
    permissions:
      contents: write
    runs-on: ubuntu-latest
    needs: [ create-release, build-tauri ]

    steps:
      - uses: actions/checkout@v4
      - name: get Git Tag
        run: echo "GIT_TAG_NAME=dev-app-v$(node -p "require('./package.json').version")" >> $GITHUB_ENV
      - name: publish release
        id: publish-release
        uses: actions/github-script@v7
        env:
          release_id: ${{ needs.create-release.outputs.release_id }}
        with:
          script: |
            github.rest.repos.updateRelease({
              owner: context.repo.owner,
              repo: context.repo.repo,
              tag_name: `${process.env.GIT_TAG_NAME}`,
              target_commitish: 'dev',
              release_id: process.env.release_id,
              draft: true,
              prerelease: true
            })