1.3.0 #16

Workflow file for this run

.github/workflows/build-macos.yml at 342c88d

	name: Build and Release (macOS)

	on:
	push:
	tags:
	- '*'

	permissions:
	contents: write

	jobs:
	build-macos:
	runs-on: macos-latest

	strategy:
	matrix:
	arch: [ x86_64, aarch64 ]

	env:
	# Build constants
	TARGET: macos
	ARCH: ${{ matrix.arch }}
	VERSION: ${{ github.ref_name }}

	# Where dx places the .app
	APP_DIR: /Users/runner/work/ore-app/ore-app/dist/OreApp.app

	# AWS publish constants
	AWS_REGION: us-east-1
	S3_BUCKET_NAME: ore-app-xyz

	steps:
	# 1) Check out code
	- name: Check out code
	uses: actions/checkout@v3

	# 2) Cache Cargo registry
	- name: Cache Cargo registry
	uses: actions/cache@v3
	with:
	path: ~/.cargo/registry
	key: ${{ runner.os }}-cargo-registry-${{ hashFiles('**/Cargo.lock') }}
	restore-keys: \|
	${{ runner.os }}-cargo-registry-

	# 3) Cache target directory
	- name: Cache target directory
	uses: actions/cache@v3
	with:
	path: target
	key: ${{ runner.os }}-cargo-target-${{ hashFiles('**/Cargo.lock') }}
	restore-keys: \|
	${{ runner.os }}-cargo-target-

	# 4) Install Rust (stable)
	- name: Install Rust
	uses: dtolnay/rust-toolchain@stable
	with:
	profile: minimal
	override: true

	# 5) Add Rust target based on matrix.arch
	- name: Add Rust target
	run: \|
	rustup target add ${{ matrix.arch }}-apple-darwin

	# 6) Install CLI tools
	- name: Install dioxus-cli and cargo-packager
	run: \|
	cargo install [email protected] [email protected]

	# 7) Build & Package for whichever arch is active
	- name: Build and Package
	run: \|
	CARGO_BUILD_TARGET=${{ matrix.arch }}-apple-darwin \
	dx bundle --platform desktop --package-types macos --release

	# 8) Import Developer ID Certificate (Apple codesign)
	- name: Import Developer ID cert
	run: \|
	echo "$DEVID_CERT_BASE64" \| base64 --decode > developer_id.p12

	security create-keychain -p "" build.keychain
	security default-keychain -s build.keychain
	security unlock-keychain -p "" build.keychain

	security import developer_id.p12 -k ~/Library/Keychains/build.keychain -P "$DEVID_CERT_PASSWORD" -T /usr/bin/codesign

	security set-key-partition-list -S apple-tool:,apple: -s -k "" ~/Library/Keychains/build.keychain
	env:
	DEVID_CERT_BASE64: ${{ secrets.DEVID_CERT_BASE64 }}
	DEVID_CERT_PASSWORD: ${{ secrets.DEVID_CERT_PASSWORD }}

	# 9) Code-sign .app (Apple)
	- name: Code-sign .app
	run: \|
	codesign --deep --force --verify --verbose --options runtime \
	--sign "Developer ID Application: $DEVID_NAME ($DEVID_TEAM_ID)" \
	"${{ env.APP_DIR }}"
	env:
	DEVID_NAME: ${{ secrets.DEVID_NAME }}
	DEVID_TEAM_ID: ${{ secrets.DEVID_TEAM_ID }}

	# 10) Notarize the signed .app
	- name: Notarize app
	run: \|
	brew install jq \|\| true
	set -euxo pipefail

	ZIP_FILE="ORE_${{ env.VERSION }}.app.zip"
	/usr/bin/zip -r "$ZIP_FILE" "${{ env.APP_DIR }}"

	xcrun notarytool submit "$ZIP_FILE" \
	--apple-id "$NOTARIZE_APPLE_ID" \
	--team-id "$DEVID_TEAM_ID" \
	--password "$NOTARIZE_APP_PASSWORD" \
	--verbose \
	--wait

	# Staple the app
	xcrun stapler staple "${{ env.APP_DIR }}"
	env:
	NOTARIZE_APPLE_ID: ${{ secrets.NOTARIZE_APPLE_ID }}
	NOTARIZE_APP_PASSWORD: ${{ secrets.NOTARIZE_APP_PASSWORD }}
	DEVID_TEAM_ID: ${{ secrets.DEVID_TEAM_ID }}

	# 11) Configure AWS credentials
	- name: Configure AWS credentials
	uses: aws-actions/configure-aws-credentials@v3
	with:
	aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
	aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
	aws-region: ${{ env.AWS_REGION }}

	# 12) Package .app into a tar.gz, sign it with cargo-packager, and upload both tarball and signature to S3
	- name: Package, Sign, and Upload .tar.gz
	env:
	CARGO_PACKAGER_SIGN_PRIVATE_KEY: ${{ secrets.CARGO_PACKAGER_SIGN_PRIVATE_KEY }}
	CARGO_PACKAGER_SIGN_PRIVATE_KEY_PASSWORD: ${{ secrets.CARGO_PACKAGER_SIGN_PRIVATE_KEY_PASSWORD }}
	run: \|
	# Create the tarball from the .app folder
	TAR_FILE="ORE_${{ env.VERSION }}.app.tar.gz"
	tar -czf "$TAR_FILE" -C "$(dirname "${{ env.APP_DIR }}")" "$(basename "${{ env.APP_DIR }}")"

	# Sign the tarball (cargo packager expects a file, not a folder)
	cargo packager signer sign "$TAR_FILE"

	# Determine output architecture naming
	if [ "${{ env.ARCH }}" = "x86_64" ]; then
	OUT_ARCH="x64"
	else
	OUT_ARCH="aarch64"
	fi

	# Upload the tarball and its signature (.sig) file to S3
	aws s3 cp "$TAR_FILE" "s3://${{ env.S3_BUCKET_NAME }}/${{ env.TARGET }}/${{ env.ARCH }}/${{ env.VERSION }}/ore_${{ env.VERSION }}_${OUT_ARCH}.app.tar.gz"
	aws s3 cp "$TAR_FILE.sig" "s3://${{ env.S3_BUCKET_NAME }}/${{ env.TARGET }}/${{ env.ARCH }}/${{ env.VERSION }}/ore_${{ env.VERSION }}_${OUT_ARCH}.app.tar.gz.sig"

	# 13) Print link for the app
	- name: Print S3 download link
	run: \|
	if [ "${{ env.ARCH }}" = "x86_64" ]; then
	OUT_ARCH="x64"
	else
	OUT_ARCH="aarch64"
	fi

	echo "Download macOS artifact for $OUT_ARCH at:"
	echo "https://${{ env.S3_BUCKET_NAME }}.s3.amazonaws.com/${{ env.TARGET }}/${{ env.ARCH }}/${{ env.VERSION }}/ore_${{ env.VERSION }}_${OUT_ARCH}.app.tar.gz"

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

1.3.0 #16

Workflow file

1.3.0 #16

Jobs

Run details

Workflow file for this run