[Build] #30
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# Terms: | |
# "build" - Compile web project using webpack. | |
# "package" - Produce a distributive package for a specific platform as a workflow artifact. | |
# "publish" - Send a package to corresponding store and GitHub release page. | |
# "release" - build + package + publish | |
# | |
# Jobs in this workflow will skip the "publish" step when `PUBLISH_REPO` is not set. | |
name: Package and publish | |
on: | |
workflow_dispatch: | |
push: | |
branches: master | |
env: | |
APP_NAME: Telegram A | |
jobs: | |
electron-release: | |
name: Build, package and publish Electron | |
runs-on: macOS-latest | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
- name: Setup Node.js ${{ vars.NODE_VERSION }} | |
uses: actions/setup-node@v4 | |
with: | |
node-version: ${{ vars.NODE_VERSION }} | |
- name: Cache node modules | |
id: npm-cache | |
uses: actions/cache@v4 | |
with: | |
path: node_modules | |
key: ${{ runner.os }}-build-${{ hashFiles('**/package-lock.json') }} | |
restore-keys: | | |
${{ runner.os }}-build- | |
- name: Install dependencies | |
if: steps.npm-cache.outputs.cache-hit != 'true' | |
run: npm ci | |
- name: Import MacOS signing certificate | |
env: | |
APPLE_CERTIFICATE_BASE64: ${{ secrets.APPLE_CERTIFICATE_BASE64 }} | |
APPLE_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }} | |
run: | | |
KEY_CHAIN=build.keychain | |
CERTIFICATE_P12=certificate.p12 | |
echo "$APPLE_CERTIFICATE_BASE64" | base64 --decode > $CERTIFICATE_P12 | |
security create-keychain -p actions $KEY_CHAIN | |
security default-keychain -s $KEY_CHAIN | |
security unlock-keychain -p actions $KEY_CHAIN | |
security import $CERTIFICATE_P12 -k $KEY_CHAIN -P $APPLE_CERTIFICATE_PASSWORD -T /usr/bin/codesign | |
security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k actions $KEY_CHAIN | |
security find-identity -v -p codesigning $KEY_CHAIN | |
- name: Get branch name for current workflow run | |
id: branch-name | |
uses: tj-actions/branch-names@v8 | |
- name: Build, package and publish | |
env: | |
TELEGRAM_API_ID: ${{ secrets.TELEGRAM_API_ID }} | |
TELEGRAM_API_HASH: ${{ secrets.TELEGRAM_API_HASH }} | |
APPLE_ID: ${{ secrets.APPLE_ID }} | |
APPLE_APP_SPECIFIC_PASSWORD: ${{ secrets.APPLE_APP_SPECIFIC_PASSWORD }} | |
GH_TOKEN: ${{ secrets.GH_TOKEN }} | |
PUBLISH_REPO: ${{ vars.PUBLISH_REPO }} | |
BASE_URL: ${{ vars.BASE_URL }} | |
IS_PREVIEW: ${{ steps.branch-name.outputs.current_branch != 'master' }} | |
run: | | |
if [ -z "$PUBLISH_REPO" ]; then | |
npm run electron:package:staging | |
else | |
npm run electron:release:production | |
fi | |
- uses: actions/upload-artifact@v4 | |
with: | |
name: ${{ env.APP_NAME }}-x64.dmg | |
path: dist-electron/${{ env.APP_NAME }}-x64.dmg | |
- uses: actions/upload-artifact@v4 | |
with: | |
name: ${{ env.APP_NAME }}-arm64.dmg | |
path: dist-electron/${{ env.APP_NAME }}-arm64.dmg | |
- uses: actions/upload-artifact@v4 | |
with: | |
name: ${{ env.APP_NAME }}-x86_64.AppImage | |
path: dist-electron/${{ env.APP_NAME }}-x86_64.AppImage | |
- uses: actions/upload-artifact@v4 | |
with: | |
name: ${{ env.APP_NAME }}-x64.exe | |
path: dist-electron/${{ env.APP_NAME }}-x64.exe | |
electron-sign-for-windows: | |
name: Sign and re-publish Windows package | |
needs: electron-release | |
runs-on: windows-latest | |
if: vars.PUBLISH_REPO != '' | |
env: | |
GH_TOKEN: ${{ secrets.GH_TOKEN }} | |
PUBLISH_REPO: ${{ vars.PUBLISH_REPO }} | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
- name: Setup certificate | |
shell: bash | |
run: echo "${{ secrets.SM_CLIENT_CERT_FILE_B64 }}" | base64 --decode > /d/Certificate_pkcs12.p12 | |
- name: Set environment variables | |
id: variables | |
shell: bash | |
run: | | |
echo "version=${GITHUB_REF#refs/tags/v}" >> $GITHUB_OUTPUT | |
echo "FILE_NAME=${{ env.APP_NAME }}-x64.exe" >> "$GITHUB_ENV" | |
echo "SM_HOST=${{ secrets.SM_HOST }}" >> "$GITHUB_ENV" | |
echo "SM_API_KEY=${{ secrets.SM_API_KEY }}" >> "$GITHUB_ENV" | |
echo "SM_CLIENT_CERT_FILE=D:\\Certificate_pkcs12.p12" >> "$GITHUB_ENV" | |
echo "SM_CLIENT_CERT_PASSWORD=${{ secrets.SM_CLIENT_CERT_PASSWORD }}" >> "$GITHUB_ENV" | |
echo "C:\Program Files (x86)\Windows Kits\10\App Certification Kit" >> $GITHUB_PATH | |
echo "C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.8 Tools" >> $GITHUB_PATH | |
echo "C:\Program Files\DigiCert\DigiCert One Signing Manager Tools" >> $GITHUB_PATH | |
- name: Setup SSM KSP | |
env: | |
SM_API_KEY: ${{ secrets.SM_API_KEY }} | |
shell: cmd | |
run: | | |
curl.exe -X GET https://one.digicert.com/signingmanager/api-ui/v1/releases/smtools-windows-x64.msi/download -H "x-api-key:%SM_API_KEY%" -o smtools.msi | |
msiexec /i smtools.msi /quiet /qn | |
smksp_registrar.exe list | |
smctl.exe keypair ls | |
C:\Windows\System32\certutil.exe -csp "DigiCert Signing Manager KSP" -key -user | |
smksp_cert_sync.exe | |
- name: Download Windows package | |
id: download-artifact | |
uses: actions/download-artifact@v4 | |
with: | |
name: ${{ env.FILE_NAME }} | |
- name: Sign package | |
env: | |
KEYPAIR_ALIAS: ${{ secrets.KEYPAIR_ALIAS }} | |
FILE_PATH: ${{ steps.download-artifact.outputs.download-path }} | |
shell: cmd | |
run: smctl.exe sign --keypair-alias=%KEYPAIR_ALIAS% --input "%FILE_PATH%\%FILE_NAME%" | |
- uses: actions/upload-artifact@v4 | |
with: | |
name: ${{ env.FILE_NAME }} | |
path: ${{ env.FILE_NAME }} | |
overwrite: true | |
- name: Get latest release ID | |
id: release-id | |
shell: bash | |
run: | | |
RELEASE_ID=$(curl -s -H "Authorization: Bearer $GH_TOKEN" "https://api.github.com/repos/$PUBLISH_REPO/releases?per_page=1" | jq -r '.[0].id') | |
echo "release_id=$RELEASE_ID" >> $GITHUB_OUTPUT | |
- name: Delete existing asset | |
env: | |
RELEASE_ID: ${{ steps.release-id.outputs.release_id }} | |
shell: bash | |
run: | | |
PUBLISH_FILE_NAME=${FILE_NAME// /-} # Consistency with electron-builder | |
ASSET_ID=$(curl -s -H "Authorization: Bearer $GH_TOKEN" "https://api.github.com/repos/$PUBLISH_REPO/releases/$RELEASE_ID/assets" | jq -r --arg PUBLISH_FILE_NAME "$PUBLISH_FILE_NAME" '.[] | select(.name == $PUBLISH_FILE_NAME) | .id') | |
curl -X DELETE -H "Authorization: Bearer $GH_TOKEN" "https://api.github.com/repos/$PUBLISH_REPO/releases/assets/$ASSET_ID" | |
- name: Push new asset | |
env: | |
FILE_PATH: ${{ steps.download-artifact.outputs.download-path }} | |
RELEASE_ID: ${{ steps.release-id.outputs.release_id }} | |
shell: bash | |
run: | | |
PUBLISH_FILE_NAME=${FILE_NAME// /-} # Consistency with electron-builder | |
curl -X POST -H "Authorization: Bearer $GH_TOKEN" \ | |
-H "Content-Type: application/octet-stream" \ | |
--data-binary "@$FILE_PATH\\$FILE_NAME" \ | |
"https://uploads.github.com/repos/$PUBLISH_REPO/releases/$RELEASE_ID/assets?name=$PUBLISH_FILE_NAME" | |
- name: Publish release | |
env: | |
RELEASE_ID: ${{ steps.release-id.outputs.release_id }} | |
shell: bash | |
run: | | |
curl -X PATCH -H "Authorization: Bearer $GH_TOKEN" "https://api.github.com/repos/$PUBLISH_REPO/releases/$RELEASE_ID" -d '{"draft": false}' |