.github/workflows/tauri-build-staging.yml

name: 'generate pre-release/staging draft GitHub release'

on:
  push:
    branches: [ staging ]

jobs:
  create-release:
    permissions:
      contents: write
    runs-on: ubuntu-latest
    outputs:
      release_id: ${{ steps.create-release.outputs.result }}

    steps:
      - uses: actions/checkout@v4
      - name: setup node
        uses: actions/setup-node@v4
        with:
          node-version: 20
      - name: get version
        run: |
          echo "PACKAGE_VERSION=$(node -p "require('./package.json').version")" >> $GITHUB_ENV
          echo "GIT_TAG_NAME=staging-app-v$(node -p "require('./package.json').version")" >> $GITHUB_ENV
      - name: create release
        id: create-release
        uses: actions/github-script@v7
        with:
          script: |
            const { data } = await github.rest.repos.createRelease({
              owner: context.repo.owner,
              repo: context.repo.repo,
              tag_name: `${process.env.GIT_TAG_NAME}`,
              target_commitish: 'staging',
              name: `Phoenix Code Pre-release v${process.env.PACKAGE_VERSION}`,
              body: 'Take a look at the assets to download and install Phoenix Code For your platform.\n\n>UpdateNotification: <replace this text to show a 1 line **Release Notes** to the user in the notification dialogue ![image](https://github.com/abose/phoenix-desktop/assets/5336369/c747898a-29ef-43c7-b74e-dddd5104a56c). Wait for a new pull request in the repo.>',
              draft: true,
              prerelease: true
            })
            return data.id

  build-mac-m1-node-modules:
    permissions:
      contents: write
    timeout-minutes: 15
    runs-on: macos-14
    steps:
      - uses: actions/checkout@v4
      - name: macos hardware info
        run: system_profiler SPSoftwareDataType SPHardwareDataType
      - name: setup node
        uses: actions/setup-node@v4
        with:
          node-version: 20
      - name: install frontend dependencies
        run: |
          npm ci
          npm run _ci-cloneAndBuildPhoenix
          npm run _ci_make_src-node
          cd src-tauri
          mv src-node src-node-darwin-arm64
          tar -czvf src-node-darwin-arm64.tar.gz src-node-darwin-arm64
          mv src-node-darwin-arm64 src-node
          cd ..
      - name: Upload src-node.tar.gz with installed mac bins
        uses: actions/upload-artifact@v4
        with:
          name: src-node-darwin-arm64.tar.gz
          path: src-tauri/src-node-darwin-arm64.tar.gz

  build-tauri:
    needs: [create-release, build-mac-m1-node-modules]
    permissions:
      contents: write
    timeout-minutes: 60
    strategy:
      fail-fast: false
      matrix:
        platform: [ macos-latest, ubuntu-22.04, windows-latest ]

    runs-on: ${{ matrix.platform }}
    steps:
      - uses: actions/checkout@v4
      - name: get Git Tag
        shell: bash
        run: echo "GIT_TAG_NAME=staging-app-v$(node -p "require('./package.json').version")" >> $GITHUB_ENV
      - name: setup node
        uses: actions/setup-node@v4
        with:
          node-version: 20

      - name: Download src-node built on mac arm (Mac only)
        if: matrix.platform == 'macos-latest'
        uses: actions/download-artifact@v4
        with:
          name: src-node-darwin-arm64.tar.gz
          path: /tmp/src-node-darwin-arm64.tar.gz

      - name: install Rust stable
        uses: dtolnay/rust-toolchain@stable
      - name: install dependencies (ubuntu only)
        if: matrix.platform == 'ubuntu-22.04'
        run: |
          sudo apt-get update
          sudo apt-get install -y libgtk-3-dev libwebkit2gtk-4.0-dev libayatana-appindicator3-dev librsvg2-dev
          sudo apt-get install -y libwebrtc-audio-processing-dev
          sudo apt-get install -y libunwind-dev
          sudo apt-get install -y libgstreamer1.0-dev libgstreamer-plugins-base1.0-dev libgstreamer-plugins-bad1.0-dev gstreamer1.0-plugins-base gstreamer1.0-plugins-good gstreamer1.0-plugins-bad gstreamer1.0-plugins-ugly gstreamer1.0-libav gstreamer1.0-tools gstreamer1.0-x gstreamer1.0-alsa gstreamer1.0-gl gstreamer1.0-gtk3 gstreamer1.0-qt5 gstreamer1.0-pulseaudio
      - name: install frontend dependencies
        run: |
          npm ci
          npm run _ci-release:staging

      - name: setup src-node built on mac arm (Mac only)
        if: matrix.platform == 'macos-latest'
        run: |
          ls /tmp/src-node-darwin-arm64.tar.gz
          rm -rf src-node
          tar -xzvf /tmp/src-node-darwin-arm64.tar.gz/src-node-darwin-arm64.tar.gz
          ls src-node-darwin-arm64
          mv src-node-darwin-arm64 src-node

      - name: install AzureSignTool (windows only)
        if: matrix.platform == 'windows-latest'
        run: |
          dotnet tool install --global AzureSignTool
      - name: import certificate for signing (windows only)
        if: matrix.platform == 'windows-latest'
        run: |
          echo "${{ secrets.AZURE_EV_CERT }}" > secret.cer
          Import-Certificate -FilePath .\secret.cer -CertStoreLocation Cert:\LocalMachine\My
        shell: powershell
      - name: patch signTool (windows only)
        if: matrix.platform == 'windows-latest'
        run: Start-Process  -FilePath .\src-build\win\copy_sign_tool.exe -Verb RunAs
        shell: powershell
      - name: setup env for signing (windows only)
        if: matrix.platform == 'windows-latest'
        env:
          TAURI_PRIVATE_KEY: ${{ secrets.TAURI_PRIVATE_KEY }}
          TAURI_KEY_PASSWORD: ${{ secrets.TAURI_KEY_PASSWORD }}
          AZURE_KEY_VAULT_URI: ${{ secrets.AZURE_KEY_VAULT_URI }}
          AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
          AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
          AZURE_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }}
          AZURE_CERT_NAME: ${{ secrets.AZURE_CERT_NAME }}
          AZURE_COMPANY_NAME: ${{ secrets.AZURE_COMPANY_NAME }}
        run: |
          $jsonContent = @{
             "AZURE_KEY_VAULT_URI" = $env:AZURE_KEY_VAULT_URI
             "AZURE_CLIENT_ID" = $env:AZURE_CLIENT_ID
             "AZURE_TENANT_ID" = $env:AZURE_TENANT_ID
             "AZURE_CLIENT_SECRET" = $env:AZURE_CLIENT_SECRET
             "AZURE_CERT_NAME" = $env:AZURE_CERT_NAME
             "AZURE_COMPANY_NAME" = $env:AZURE_COMPANY_NAME
           }
          $jsonContent | ConvertTo-Json | Out-File -FilePath ./secrets.json -Encoding utf8
          # Load content from the file
          $content = Get-Content -Path "./secrets.json" -Raw
          
          # Replace \r\n with \n
          $content = $content -replace "`r`n", "`n"
          
          # Write the content back to the file
          Set-Content -Path "./secrets.json" -Value $content
        shell: powershell
      - name: Sign embedded executables for (Mac Only)
        if: matrix.platform == 'macos-latest'
        env :
          APPLE_KEY_IDENTITY_NAME: ${{ secrets.APPLE_KEY_IDENTITY_NAME }}
          APPLE_CERTIFICATE: ${{ secrets.APPLE_CERTIFICATE }}
          APPLE_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
        run: |
          certificate_encoded="$APPLE_CERTIFICATE"
          certificate_password="$APPLE_CERTIFICATE_PASSWORD"

          echo "Setting up keychain from environment variables..."

          # Creating a temporary directory
          tmp_dir=$(mktemp -d)
          cert_path="$tmp_dir/cert.p12"
          # Decode the encoded certificate and write it to the cert_path
          echo "$certificate_encoded" | base64 --decode > "$cert_path"

          # Generate a random password for the keychain
          KEYCHAIN_PASSWORD=$(openssl rand -base64 16)

          # Create a new keychain with the random password
          security create-keychain -p "$KEYCHAIN_PASSWORD" build.keychain
          security default-keychain -s build.keychain
          security unlock-keychain -p "$KEYCHAIN_PASSWORD" build.keychain
          security import "$cert_path" -k build.keychain -P "$certificate_password" -T /usr/bin/codesign
          security set-key-partition-list -S apple-tool:,apple: -s -k "$KEYCHAIN_PASSWORD" build.keychain

          # Sign the files specified in src-build/mac/filesToSign
          while IFS= read -r file; do
            if [ -f "$file" ]; then
              codesign --sign "$APPLE_KEY_IDENTITY_NAME" --keychain build.keychain --timestamp --options runtime "$file"
            else
              echo "File to sign not found, ignoring: $file"
            fi
          done < src-build/mac/filesToSign

          # Clean up
          security delete-keychain build.keychain
          rm -rf "$tmp_dir" # removes the temporary directory and the certificate file within it

        shell: bash

      - uses: tauri-apps/tauri-action@v0
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          TAURI_PRIVATE_KEY: ${{ secrets.TAURI_PRIVATE_KEY }}
          TAURI_KEY_PASSWORD: ${{ secrets.TAURI_KEY_PASSWORD }}
          ENABLE_CODE_SIGNING: ${{ secrets.APPLE_CERTIFICATE }}
          APPLE_CERTIFICATE: ${{ secrets.APPLE_CERTIFICATE }}
          APPLE_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
          APPLE_SIGNING_IDENTITY: ${{ secrets.APPLE_SIGNING_IDENTITY }}
          APPLE_ID: ${{ secrets.APPLE_ID }}
          APPLE_PASSWORD: ${{ secrets.APPLE_PASSWORD }}
          APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
        with:
          releaseId: ${{ needs.create-release.outputs.release_id }}
          updaterJsonPreferNsis: true
          tagName: ${{ env.GIT_TAG_NAME }}

      - name: inject src-node built on mac arm (Mac only)
        if: matrix.platform == 'macos-latest'
        run: |
          ls src-node
          rm -rf src-tauri/src-node
          mv src-node src-tauri/src-node
          ls src-tauri/src-node

      - name: setup env for mac arm (Mac only)
        if: matrix.platform == 'macos-latest'
        run: |
          rustup target add aarch64-apple-darwin
          npm run installNodeArmDarwin
      - name: build for mac arm (Mac only)
        if: matrix.platform == 'macos-latest'
        uses: tauri-apps/tauri-action@v0
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          TAURI_PRIVATE_KEY: ${{ secrets.TAURI_PRIVATE_KEY }}
          TAURI_KEY_PASSWORD: ${{ secrets.TAURI_KEY_PASSWORD }}
          ENABLE_CODE_SIGNING: ${{ secrets.APPLE_CERTIFICATE }}
          APPLE_CERTIFICATE: ${{ secrets.APPLE_CERTIFICATE }}
          APPLE_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
          APPLE_SIGNING_IDENTITY: ${{ secrets.APPLE_SIGNING_IDENTITY }}
          APPLE_ID: ${{ secrets.APPLE_ID }}
          APPLE_PASSWORD: ${{ secrets.APPLE_PASSWORD }}
          APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
        with:
          releaseId: ${{ needs.create-release.outputs.release_id }}
          args: --target aarch64-apple-darwin
          tagName: ${{ env.GIT_TAG_NAME }}

  build-linux-bins:
    needs: [ create-release ]
    permissions:
      contents: write
    timeout-minutes: 60
    strategy:
      fail-fast: false
      matrix:
        platform: [ ubuntu-20.04, ubuntu-22.04]

    runs-on: ${{ matrix.platform }}
    steps:
      - uses: actions/checkout@v4
      - name: get Git Tag
        run: echo "GIT_TAG_NAME=staging-app-v$(node -p "require('./package.json').version")" >> $GITHUB_ENV
      - name: setup node
        uses: actions/setup-node@v4
        with:
          node-version: 20

      - name: GLIBC version
        run: |
          ldd --version
      - name: install Rust stable
        uses: dtolnay/rust-toolchain@stable
      - name: install dependencies (ubuntu only)
        run: |
          sudo apt-get update
          sudo apt-get install -y libgtk-3-dev libwebkit2gtk-4.0-dev libayatana-appindicator3-dev librsvg2-dev
          sudo apt-get install -y libwebrtc-audio-processing-dev
          sudo apt-get install -y libunwind-dev
          sudo apt-get install -y libgstreamer1.0-dev libgstreamer-plugins-base1.0-dev libgstreamer-plugins-bad1.0-dev gstreamer1.0-plugins-base gstreamer1.0-plugins-good gstreamer1.0-plugins-bad gstreamer1.0-plugins-ugly gstreamer1.0-libav gstreamer1.0-tools gstreamer1.0-x gstreamer1.0-alsa gstreamer1.0-gl gstreamer1.0-gtk3 gstreamer1.0-qt5 gstreamer1.0-pulseaudio
      - name: install frontend dependencies
        run: |
          npm ci
          npm run _ci-release:staging
          npm run _ci-disableBundleConfig
          npm run tauri build
          ls -alh ./src-tauri/target/release
          mkdir ./src-tauri/target/release/binDist
          cp ./src-tauri/target/release/phoenix-code-pre-release ./src-tauri/target/release/binDist
          cp ./src-tauri/target/release/phnode ./src-tauri/target/release/binDist
          cp -r ./src-tauri/target/release/src-node ./src-tauri/target/release/binDist
          ls -alh ./src-tauri/target/release/binDist
          tar -cvzf binDist.tar.gz -C ./src-tauri/target/release binDist
          ls -alh binDist.tar.gz
          GLIBC_VER=$(ldd --version | head -n1 | awk '{print $NF}')
          OUTPUT_FILENAME="phoenix-code-pre-release_$(node -p "require('./package.json').version")_amd64_linux_bin-GLIBC-${GLIBC_VER}.tar.gz"
          mv binDist.tar.gz "$OUTPUT_FILENAME"
          echo "OUTPUT_FILENAME=$OUTPUT_FILENAME" >> $GITHUB_ENV
          ls
      - name: Upload Release Asset
        uses: softprops/action-gh-release@v1
        with:
          files: ${{ env.OUTPUT_FILENAME }}
          tag_name: ${{ env.GIT_TAG_NAME }}
          draft: true
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

  publish-release:
    permissions:
      contents: write
    timeout-minutes: 15
    runs-on: ubuntu-22.04
    needs: [ create-release, build-tauri, build-linux-bins ]

    steps:
      - uses: actions/checkout@v4
      - name: get Git Tag
        run: echo "GIT_TAG_NAME=staging-app-v$(node -p "require('./package.json').version")" >> $GITHUB_ENV
      - name: publish release
        id: publish-release
        uses: actions/github-script@v7
        env:
          release_id: ${{ needs.create-release.outputs.release_id }}
        with:
          script: |
            github.rest.repos.updateRelease({
              owner: context.repo.owner,
              repo: context.repo.repo,
              tag_name: `${process.env.GIT_TAG_NAME}`,
              target_commitish: 'staging',
              release_id: process.env.release_id,
              draft: true,
              prerelease: true
            })