Sign electron app on macos runner #394
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Package client | |
on: | |
pull_request: | |
paths: | |
- .github/workflows/package-client.yml | |
- client/electron/package.js | |
- client/electron/snap/* | |
workflow_call: | |
inputs: | |
version: | |
description: The version to use | |
type: string | |
required: true | |
version_patch_run_id: | |
description: | | |
The run id where the version.patch artifact was uploaded. | |
If not provided, the workflow will generate the patch by itself. | |
type: string | |
required: true | |
commit_sha: | |
required: true | |
type: string | |
description: The commit SHA to use when checkout'ing the repository | |
default: ${{ github.sha }} | |
nightly_build: | |
type: boolean | |
description: The current build is a nightly build | |
default: false | |
secrets: | |
SENTRY_AUTH_TOKEN: | |
required: true | |
workflow_dispatch: | |
inputs: | |
version: | |
description: The version to use (if not provided, will generate one from code space version) | |
type: string | |
required: false | |
# Set `concurrency` to prevent this workflow from being run on code that is not up-to-date on a PR (e.g. when making many push quickly on a PR). | |
# This behavior is only intended for a PR and not for merge commits on the main branch. Having the workflow run on each merge commit can be useful to spot regressions missed by previous checks. | |
# To distinguish between these cases, we use `head_ref` that is only defined on `pull-request` and fallback to `run_id` (this is a counter, so it's value is unique between workflow call). | |
concurrency: | |
group: package-client-${{ github.workflow }}-${{ github.head_ref || github.run_id }} | |
cancel-in-progress: true | |
env: | |
# We use the version 18.12 because the version >= 18.13 have some breaking changes on how they format the date. | |
# That would break our unit test if we don't update them. | |
node-version: 18.12.0 | |
wasm-pack-version: 0.12.1 | |
WINFSP_VERSION: 2.0.23075 | |
permissions: | |
contents: read | |
jobs: | |
version: | |
if: ${{ inputs.version_patch_run_id == '' }} | |
uses: ./.github/workflows/_parse_version.yml | |
with: | |
version: ${{ inputs.version }} | |
commit_sha: ${{ inputs.commit_sha }} | |
webapp: | |
needs: version | |
# Always run the job if `version` job is skipped otherwise only if `version` job was successful. | |
if: ${{ inputs.version_patch_run_id != '' && always() || success() }} | |
runs-on: ubuntu-22.04 | |
name: ⚡ Package web app | |
steps: | |
- uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # pin v4.2.1 | |
with: | |
ref: ${{ inputs.commit_sha }} | |
timeout-minutes: 5 | |
- uses: actions/setup-node@0a44ba7841725637a19e28fa30b79a866c81b0a6 # pin v4.0.4 | |
with: | |
node-version: ${{ env.node-version }} | |
timeout-minutes: 2 | |
- name: Download version.patch artifact | |
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # pin v4.1.8 | |
with: | |
name: version.patch | |
path: ${{ runner.temp }}/version.patch | |
run-id: ${{ inputs.version_patch_run_id || github.run_id }} | |
- name: Apply version.patch | |
run: git apply --allow-empty ${{ runner.temp }}/version.patch/version.patch | |
- name: Install dependencies | |
run: npm clean-install | |
working-directory: client | |
# Install syft | |
- uses: taiki-e/install-action@437c908c7e5ee18b63a261286cbe5147219f8a39 # pin v2.44.44 | |
with: | |
tool: [email protected], wasm-pack@${{ env.wasm-pack-version }} | |
- name: Build web bindings | |
run: npm run build:release | |
working-directory: bindings/web | |
- name: Build web app | |
run: npm run web:release | |
env: | |
PARSEC_APP_SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }} | |
working-directory: client | |
- name: Generate SBOM | |
run: syft packages --config=.syft.yaml --output=spdx-json=client/dist/Parsec-SBOM-Web.spdx.json . | |
- uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # pin v4.4.3 | |
with: | |
name: webapp | |
path: client/dist/ | |
if-no-files-found: error | |
electron-snap: | |
needs: version | |
runs-on: ubuntu-22.04 | |
# Always run the job if `version` job is skipped otherwise only if `version` job was successful. | |
if: ${{ inputs.version_patch_run_id != '' && always() || success() }} | |
steps: | |
- uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # pin v4.2.1 | |
with: | |
ref: ${{ inputs.commit_sha }} | |
timeout-minutes: 5 | |
- name: Download version.patch artifact | |
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # pin v4.1.8 | |
with: | |
name: version.patch | |
path: ${{ runner.temp }}/version.patch | |
run-id: ${{ inputs.version_patch_run_id || github.run_id }} | |
- name: Load version config | |
id: version | |
shell: bash | |
run: | | |
cat version.patch/version.ini > "$GITHUB_OUTPUT" | |
cat "$GITHUB_OUTPUT" | |
working-directory: ${{ runner.temp }} | |
- name: Apply version.patch | |
run: git apply --allow-empty ${{ runner.temp }}/version.patch/version.patch | |
- name: Install snapcraft | |
uses: samuelmeuli/action-snapcraft@d33c176a9b784876d966f80fb1b461808edc0641 # pin v2.1.1 | |
timeout-minutes: 1 | |
- name: Setup LXD | |
uses: canonical/setup-lxd@4e959f8e0d9c5feb27d44c5e4d9a330a782edee0 # pin v0.1.1 | |
timeout-minutes: 2 | |
- name: Patch cannot install cypress on lxd | |
run: npm remove cypress{,-file-upload,-real-events,-vite} | |
working-directory: client | |
timeout-minutes: 2 | |
- name: Patch snapcraft for nightly build | |
if: inputs.nightly_build | |
run: | |
sed -i 's/node package.js --mode prod --platform linux dir/& --nightly/' snap/snapcraft.yaml | |
working-directory: client/electron | |
# We need to patch the vite.config.js because we cannot pass the secret to the snap build (either via build-args or env). | |
- name: Patch vite config for snap build | |
run: >- | |
sed -i | |
-e s'/if (process.env.PARSEC_APP_SENTRY_AUTH_TOKEN)/if (true)/' | |
-e s';authToken: process.env.PARSEC_APP_SENTRY_AUTH_TOKEN;authToken: "${{ secrets.SENTRY_AUTH_TOKEN }}";' | |
vite.config.ts | |
working-directory: client | |
- name: Patch snapcraft file for sentry auth token and vite mode | |
run: >- | |
sed -i | |
-e s';SENTRY_AUTH_TOKEN: __TOKEN__;SENTRY_AUTH_TOKEN: "${{ secrets.SENTRY_AUTH_TOKEN }}";' | |
-e s'/VITE_MODE: development/VITE_MODE: ${{ steps.version.outputs.type }}/' | |
snap/snapcraft.yaml | |
working-directory: client/electron | |
- name: Build snap | |
run: | | |
ln -sv client/electron/snap | |
snapcraft pack --use-lxd -v | |
timeout-minutes: 30 | |
- name: Rename artifacts | |
shell: bash | |
run: | | |
ARCH=$(uname -m) | |
mv -v parsec_*_*.snap Parsec_${{ steps.version.outputs.full }}_linux_$ARCH.snap | |
# Install syft | |
- uses: taiki-e/install-action@437c908c7e5ee18b63a261286cbe5147219f8a39 # pin v2.44.44 | |
with: | |
tool: [email protected] | |
- name: Generate SBOM | |
run: syft packages --config=.syft.yaml --output=spdx-json=Parsec-SBOM-Electron-linux-snap.spdx.json . | |
- uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # pin v4.4.3 | |
with: | |
name: linux-snap-${{ runner.arch }}-electron | |
path: | | |
Parsec_${{ steps.version.outputs.full }}_linux_*.snap | |
Parsec-SBOM-*.spdx.json | |
if-no-files-found: error | |
timeout-minutes: 10 | |
electron-non-snap: | |
needs: version | |
# Always run the job if `version` job is skipped otherwise only if `version` job was successful. | |
if: ${{ inputs.version_patch_run_id != '' && always() || success() }} | |
strategy: | |
fail-fast: false | |
matrix: | |
include: | |
- name: 🏁 Windows | |
platform: windows | |
os: windows-2022 | |
raw_latest_file: latest.yml | |
extension: exe | |
os_alias: win | |
artifact_tag: windows-exe | |
- name: 🍎 macOS | |
platform: macos | |
os: macos-13 | |
raw_latest_file: latest-mac.yml | |
extension: "*" # Use wildcard to match dmg and zip extension | |
os_alias: mac | |
artifact_tag: macos-dmg | |
- name: 🐧 AppImage 4 Linux | |
platform: linux | |
os: ubuntu-22.04 | |
raw_latest_file: latest-linux.yml | |
os_alias: linux | |
extension: AppImage | |
artifact_tag: linux-appimage | |
name: "${{matrix.name }}: ⚡ Package electron" | |
runs-on: ${{ matrix.os }} | |
timeout-minutes: 60 | |
steps: | |
- uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # pin v4.2.1 | |
with: | |
ref: ${{ inputs.commit_sha }} | |
timeout-minutes: 5 | |
- uses: actions/setup-node@0a44ba7841725637a19e28fa30b79a866c81b0a6 # pin v4.0.4 | |
with: | |
node-version: ${{ env.node-version }} | |
timeout-minutes: 2 | |
- name: Download version.patch artifact | |
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # pin v4.1.8 | |
with: | |
name: version.patch | |
path: ${{ runner.temp }}/version.patch | |
run-id: ${{ inputs.version_patch_run_id || github.run_id }} | |
- name: Load version config | |
id: version | |
shell: bash | |
run: | | |
cat version.patch/version.ini > "$GITHUB_OUTPUT" | |
cat "$GITHUB_OUTPUT" | |
working-directory: ${{ runner.temp }} | |
- name: Apply version.patch | |
run: git apply --allow-empty ${{ runner.temp }}/version.patch/version.patch | |
- name: Windows > Install WinFSP | |
if: matrix.platform == 'windows' | |
shell: bash -eux {0} | |
run: | | |
choco install winfsp -y --version=${{ env.WINFSP_VERSION }} | |
curl -L https://github.com/winfsp/winfsp/releases/download/v2.0/winfsp-tests-${{ env.WINFSP_VERSION }}.zip -o D:/a/_temp/winfsp-tests.zip | |
unzip D:/a/_temp/winfsp-tests.zip -d D:/a/_temp/ | |
mv 'D:/a/_temp/winfsp-tests-x64.exe' 'C:/Program Files (x86)/WinFsp/bin/' | |
timeout-minutes: 2 | |
- name: MacOS > Install macFUSE | |
if: matrix.platform == 'macos' | |
run: brew install --cask macfuse | |
timeout-minutes: 5 | |
- name: Linux > Install system dependencies | |
if: matrix.platform == 'linux' | |
run: | | |
sudo apt-get install -y fuse3 libfuse3-dev | |
timeout-minutes: 2 | |
- name: Install client dependencies | |
# Use `--ignore-scripts` to prevent the postinstall script trying to be smarter than us and | |
# install electron dependencies (as it would use `npm install` instead of `npm clean-install`). | |
run: npm clean-install --ignore-scripts | |
working-directory: client | |
timeout-minutes: 10 | |
- name: Install electron dependencies | |
run: npm clean-install | |
working-directory: client/electron | |
timeout-minutes: 2 | |
- name: Install electron bindings dependencies | |
run: npm clean-install | |
working-directory: bindings/electron | |
timeout-minutes: 1 | |
- name: Build Electron bindings | |
run: npm run build:release | |
working-directory: bindings/electron | |
# MacOS is really slow when build rust | |
timeout-minutes: 30 | |
- name: Build client for electron | |
run: npm run native:build -- --mode ${{ steps.version.outputs.type }} | |
working-directory: client | |
timeout-minutes: 5 | |
- name: Copy client build result to electron | |
run: npm exec cap copy @capacitor-community/electron | |
working-directory: client | |
timeout-minutes: 1 | |
- name: Prepare codesign | |
shell: bash | |
if: matrix.platform == 'macos' | |
run: | | |
printenv MACOS_CERT | base64 --decode > certificate.p12 | |
security create-keychain -p "${{ secrets.MACOS_CI_KEYCHAIN_PASSWD }}" build.keychain | |
security default-keychain -s build.keychain | |
security unlock-keychain -p "${{ secrets.MACOS_CI_KEYCHAIN_PASSWD }}" build.keychain | |
security import certificate.p12 -k build.keychain -P "${{ secrets.MACOS_CERT_PASSWD }}" -T /usr/bin/codesign | |
security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "${{ secrets.MACOS_CI_KEYCHAIN_PASSWD }}" build.keychain | |
env: | |
MACOS_CERT: ${{ secrets.MACOS_CERT }} | |
timeout-minutes: 2 | |
- name: Build Electron apps | |
# What's about the extra `--` in `-- --nightly`? | |
# The reason is for npm to pass the flag `--nightly` to the underlying npm script. | |
# But since the base npm script `npm run electron:release` call another npm script, | |
# we need to escape the flag another time by adding another `--`. | |
run: >- | |
npm run electron:release | |
${{ (matrix.platform == 'linux' || inputs.nightly_build || matrix.platform == 'macos') && '--' || '' }} | |
${{ matrix.platform == 'linux' && 'appimage' || '' }} | |
${{ inputs.nightly_build && '--nightly' || '' }} | |
${{ matrix.platform != 'windows' && '--sign' || ''}} | |
env: | |
PARSEC_APP_SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }} | |
# FIXME: Remove me before merging, I'm just here to test the code signing for macos | |
CSC_FOR_PULL_REQUEST: true | |
CSC_LINK: ${{ matrix.platform == 'macos' && secrets.MACOS_CERT}} | |
CSC_KEY_PASSWORD: ${{ matrix.platform == 'macos' && secrets.MACOS_CERT_PASSWD }} | |
CSC_NAME: ${{ matrix.platform == 'macos' && secrets.MACOS_CERT_COMMON_NAME }} | |
CSC_IDENTITY_AUTO_DISCOVERY: ${{ matrix.platform == 'macos' }} | |
CSC_KEYCHAIN: ${{ matrix.platform == 'macos' && 'build.keychain' }} | |
APPLE_TEAM_ID: ${{ secrets.MACOS_NOTARIZATION_TEAM_ID }} | |
APPLE_ID: ${{ secrets.MACOS_NOTARIZATION_APPLE_ID}} | |
APPLE_APP_SPECIFIC_PASSWORD: ${{ secrets.MACOS_NOTARIZATION_PASSWD }} | |
working-directory: client/electron | |
timeout-minutes: 10 | |
- name: Upload client electron sourcemaps | |
run: npm run sentry:sourcemaps | |
env: | |
SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }} | |
working-directory: client/electron | |
timeout-minutes: 1 | |
# Install syft | |
- uses: taiki-e/install-action@437c908c7e5ee18b63a261286cbe5147219f8a39 # pin v2.44.44 | |
with: | |
tool: [email protected] | |
- name: Generate SBOM | |
run: syft packages --config=.syft.yaml --output=spdx-json=client/electron/dist/Parsec-SBOM-Electron-${{ matrix.artifact_tag }}.spdx.json . | |
- name: Debug dist folder | |
if: runner.debug || false | |
run: ls client/electron/dist | |
- name: Build info | |
id: build-info | |
shell: bash | |
run: | | |
arch=$(uname -m) | |
app_file="Parsec_${{ steps.version.outputs.full }}_${{ matrix.os_alias }}_${arch}${{ matrix.platform == 'windows' && '.unsigned' || '' }}.${{ matrix.extension }}" | |
latest_file="latest-${{ matrix.os_alias }}-${arch}.yml" | |
cat << EOF | tee -a $GITHUB_OUTPUT | |
arch=$arch | |
app_file=$app_file | |
latest_file=$latest_file | |
EOF | |
- name: Rename "latest" file | |
shell: bash | |
run: mv -v "${{ matrix.raw_latest_file }}" "${{ steps.build-info.outputs.latest_file }}" | |
working-directory: client/electron/dist | |
- name: Sanity check that "latest" file contain the correct application file | |
shell: bash | |
run: | | |
cat "${{ steps.build-info.outputs.latest_file }}" | |
grep -q -e "${{ steps.build-info.outputs.app_file }}" "${{ steps.build-info.outputs.latest_file }}" | |
working-directory: client/electron/dist | |
- uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # pin v4.4.3 | |
with: | |
name: ${{ matrix.artifact_tag }}-${{ runner.arch }}-electron | |
path: | | |
client/electron/dist/${{ steps.build-info.outputs.app_file }} | |
client/electron/dist/${{ steps.build-info.outputs.app_file }}.blockmap | |
client/electron/dist/${{ steps.build-info.outputs.latest_file }} | |
client/electron/dist/Parsec-SBOM-*.spdx.json | |
if-no-files-found: error | |
timeout-minutes: 10 | |
- uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # pin v4.4.3 | |
if: matrix.platform == 'windows' | |
with: | |
name: ${{ matrix.artifact_tag }}-${{ runner.arch }}-electron-pre-built | |
path: | | |
client/electron/app | |
client/electron/build | |
client/electron/assets | |
client/electron/scripts | |
client/electron/package.js | |
client/electron/package.json | |
client/electron/package-lock.json | |
client/electron/sign-windows-package.cmd | |
client/electron/README.md | |
if-no-files-found: error | |
timeout-minutes: 10 |