with logs #19
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Build and Release (macOS) | |
| on: | |
| push: | |
| tags: | |
| - '*' | |
| permissions: | |
| contents: write | |
| jobs: | |
| build-macos: | |
| runs-on: macos-latest | |
| strategy: | |
| matrix: | |
| arch: [ x86_64, aarch64 ] | |
| env: | |
| # Build constants | |
| TARGET: macos | |
| ARCH: ${{ matrix.arch }} | |
| VERSION: ${{ github.ref_name }} | |
| # Where dx places the .app | |
| APP_DIR: /Users/runner/work/ore-app/ore-app/dist/OreApp.app | |
| # AWS publish constants | |
| AWS_REGION: us-east-1 | |
| S3_BUCKET_NAME: ore-app-xyz | |
| steps: | |
| # 1) Check out code | |
| - name: Check out code | |
| uses: actions/checkout@v3 | |
| # 2) Cache Cargo registry | |
| - name: Cache Cargo registry | |
| uses: actions/cache@v3 | |
| with: | |
| path: ~/.cargo/registry | |
| key: ${{ runner.os }}-cargo-registry-${{ hashFiles('**/Cargo.lock') }} | |
| restore-keys: | | |
| ${{ runner.os }}-cargo-registry- | |
| # 3) Cache target directory | |
| - name: Cache target directory | |
| uses: actions/cache@v3 | |
| with: | |
| path: target | |
| key: ${{ runner.os }}-cargo-target-${{ hashFiles('**/Cargo.lock') }} | |
| restore-keys: | | |
| ${{ runner.os }}-cargo-target- | |
| # 4) Install Rust (stable) | |
| - name: Install Rust | |
| uses: dtolnay/rust-toolchain@stable | |
| with: | |
| profile: minimal | |
| override: true | |
| # 5) Add Rust target based on matrix.arch | |
| - name: Add Rust target | |
| run: | | |
| rustup target add ${{ matrix.arch }}-apple-darwin | |
| # 6) Install CLI tools | |
| - name: Install dioxus-cli and cargo-packager | |
| run: | | |
| cargo install [email protected] [email protected] | |
| # 7) Build & Package for whichever arch is active | |
| - name: Build and Package | |
| run: | | |
| CARGO_BUILD_TARGET=${{ matrix.arch }}-apple-darwin \ | |
| dx bundle --platform desktop --package-types macos --release | |
| # 8) Import Developer ID Certificate (Apple codesign) | |
| - name: Import Developer ID cert | |
| run: | | |
| echo "$DEVID_CERT_BASE64" | base64 --decode > developer_id.p12 | |
| security create-keychain -p "" build.keychain | |
| security default-keychain -s build.keychain | |
| security unlock-keychain -p "" build.keychain | |
| security import developer_id.p12 -k ~/Library/Keychains/build.keychain -P "$DEVID_CERT_PASSWORD" -T /usr/bin/codesign | |
| security set-key-partition-list -S apple-tool:,apple: -s -k "" ~/Library/Keychains/build.keychain | |
| env: | |
| DEVID_CERT_BASE64: ${{ secrets.DEVID_CERT_BASE64 }} | |
| DEVID_CERT_PASSWORD: ${{ secrets.DEVID_CERT_PASSWORD }} | |
| # 9) Code-sign .app (Apple) | |
| - name: Code-sign .app | |
| run: | | |
| codesign --deep --force --verify --verbose --options runtime \ | |
| --sign "Developer ID Application: $DEVID_NAME ($DEVID_TEAM_ID)" \ | |
| "${{ env.APP_DIR }}" | |
| env: | |
| DEVID_NAME: ${{ secrets.DEVID_NAME }} | |
| DEVID_TEAM_ID: ${{ secrets.DEVID_TEAM_ID }} | |
| # 10) Notarize the signed .app | |
| - name: Notarize app | |
| run: | | |
| brew install jq || true | |
| set -euxo pipefail | |
| ZIP_FILE="ORE_${{ env.VERSION }}.app.zip" | |
| /usr/bin/zip -r "$ZIP_FILE" "${{ env.APP_DIR }}" | |
| xcrun notarytool submit "$ZIP_FILE" \ | |
| --apple-id "$NOTARIZE_APPLE_ID" \ | |
| --team-id "$DEVID_TEAM_ID" \ | |
| --password "$NOTARIZE_APP_PASSWORD" \ | |
| --verbose \ | |
| --wait | |
| # Staple the app | |
| xcrun stapler staple "${{ env.APP_DIR }}" | |
| env: | |
| NOTARIZE_APPLE_ID: ${{ secrets.NOTARIZE_APPLE_ID }} | |
| NOTARIZE_APP_PASSWORD: ${{ secrets.NOTARIZE_APP_PASSWORD }} | |
| DEVID_TEAM_ID: ${{ secrets.DEVID_TEAM_ID }} | |
| # 11) Configure AWS credentials | |
| - name: Configure AWS credentials | |
| uses: aws-actions/configure-aws-credentials@v3 | |
| with: | |
| aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} | |
| aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | |
| aws-region: ${{ env.AWS_REGION }} | |
| # 12) Package .app into a tar.gz, sign it with cargo-packager, and upload both tarball and signature to S3 | |
| - name: Package, Sign, and Upload .tar.gz | |
| env: | |
| CARGO_PACKAGER_SIGN_PRIVATE_KEY: ${{ secrets.CARGO_PACKAGER_SIGN_PRIVATE_KEY }} | |
| CARGO_PACKAGER_SIGN_PRIVATE_KEY_PASSWORD: ${{ secrets.CARGO_PACKAGER_SIGN_PRIVATE_KEY_PASSWORD }} | |
| run: | | |
| # Create the tarball from the .app folder | |
| TAR_FILE="ORE_${{ env.VERSION }}.app.tar.gz" | |
| tar -czf "$TAR_FILE" -C "$(dirname "${{ env.APP_DIR }}")" "$(basename "${{ env.APP_DIR }}")" | |
| # Sign the tarball (cargo packager expects a file, not a folder) | |
| cargo packager signer sign "$TAR_FILE" | |
| # Determine output architecture naming | |
| if [ "${{ env.ARCH }}" = "x86_64" ]; then | |
| OUT_ARCH="x64" | |
| else | |
| OUT_ARCH="aarch64" | |
| fi | |
| # Upload the tarball and its signature (.sig) file to S3 | |
| aws s3 cp "$TAR_FILE" "s3://${{ env.S3_BUCKET_NAME }}/${{ env.TARGET }}/${{ env.ARCH }}/${{ env.VERSION }}/ore_${{ env.VERSION }}_${OUT_ARCH}.app.tar.gz" | |
| aws s3 cp "$TAR_FILE.sig" "s3://${{ env.S3_BUCKET_NAME }}/${{ env.TARGET }}/${{ env.ARCH }}/${{ env.VERSION }}/ore_${{ env.VERSION }}_${OUT_ARCH}.app.tar.gz.sig" | |
| # 13) Print link for the app | |
| - name: Print S3 download link | |
| run: | | |
| if [ "${{ env.ARCH }}" = "x86_64" ]; then | |
| OUT_ARCH="x64" | |
| else | |
| OUT_ARCH="aarch64" | |
| fi | |
| echo "Download macOS artifact for $OUT_ARCH at:" | |
| echo "https://${{ env.S3_BUCKET_NAME }}.s3.amazonaws.com/${{ env.TARGET }}/${{ env.ARCH }}/${{ env.VERSION }}/ore_${{ env.VERSION }}_${OUT_ARCH}.app.tar.gz" |