Skip to content

Merge pull request #4 from nerds-github/snyk-upgrade-30147788291df6d6… #36

Merge pull request #4 from nerds-github/snyk-upgrade-30147788291df6d6…

Merge pull request #4 from nerds-github/snyk-upgrade-30147788291df6d6… #36

Workflow file for this run

name: Build
on:
push:
branches:
- "**"
tags:
- "v*"
workflow_dispatch:
inputs:
tag_version:
description: "Tag Version"
required: true
# https://docs.github.com/en/enterprise-cloud@latest/actions/writing-workflows/choosing-what-your-workflow-does/control-the-concurrency-of-workflows-and-jobs
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: ${{ github.ref != 'refs/heads/main' }}
env:
VITE_WEB_URL: ${{ vars.VITE_WEB_URL }}
VITE_API_URL: ${{ vars.VITE_API_URL }}
VITE_IMGPROXY_URL: ${{ vars.VITE_IMGPROXY_URL }}
VITE_SENTRY_DSN: ${{ vars.VITE_SENTRY_DSN }}
VITE_POSTHOG_KEY: ${{ vars.VITE_POSTHOG_KEY }}
NODE_OPTIONS: --max-old-space-size=8192
jobs:
release:
runs-on: ${{ matrix.os }}
strategy:
fail-fast: false
matrix:
os: [macos-latest, ubuntu-latest, windows-latest]
permissions:
id-token: write
contents: write
attestations: write
steps:
- name: Check out Git repository Fully
uses: actions/checkout@v4
if: github.event.inputs.tag_version != '' || github.ref_type == 'tag'
with:
fetch-depth: 0
lfs: true
- name: Check out Git repository
uses: actions/checkout@v4
if: github.event.inputs.tag_version == '' && github.ref_type != 'tag'
with:
fetch-depth: 1
lfs: true
- name: Setup pnpm
uses: pnpm/action-setup@v4
- name: Use Node.js
uses: actions/setup-node@v4
with:
node-version: 22
cache: "pnpm"
- name: Install appdmg
if: runner.os == 'macOS'
run: pnpm add -g appdmg
- name: Install the Apple certificate and provisioning profile
if: runner.os == 'macOS'
env:
BUILD_CERTIFICATE_BASE64: ${{ secrets.BUILD_CERTIFICATE_BASE64 }}
P12_PASSWORD: ${{ secrets.P12_PASSWORD }}
BUILD_PROVISION_PROFILE_BASE64: ${{ secrets.BUILD_PROVISION_PROFILE_BASE64 }}
KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }}
run: |
# create variables
CERTIFICATE_PATH=$RUNNER_TEMP/build_certificate.p12
PP_PATH=$RUNNER_TEMP/build_pp.provisionprofile
KEYCHAIN_PATH=$RUNNER_TEMP/app-signing.keychain-db
# import certificate and provisioning profile from secrets
echo -n "$BUILD_CERTIFICATE_BASE64" | base64 --decode -o $CERTIFICATE_PATH
echo -n "$BUILD_PROVISION_PROFILE_BASE64" | base64 --decode -o $PP_PATH
# create temporary keychain
security create-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
security set-keychain-settings -lut 21600 $KEYCHAIN_PATH
security unlock-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
# import certificate to keychain
security import $CERTIFICATE_PATH -P "$P12_PASSWORD" -A -t cert -f pkcs12 -k $KEYCHAIN_PATH
security set-key-partition-list -S apple-tool:,apple: -k "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
security list-keychain -d user -s $KEYCHAIN_PATH
# apply provisioning profile
mkdir -p ~/Library/MobileDevice/Provisioning\ Profiles
cp $PP_PATH ~/Library/MobileDevice/Provisioning\ Profiles
- name: Install dependencies
run: pnpm i
- name: Build
if: matrix.os != 'macos-latest'
run: pnpm build
env:
SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}
- name: Build (macOS)
if: matrix.os == 'macos-latest'
env:
APPLE_ID: ${{ secrets.APPLE_ID }}
APPLE_PASSWORD: ${{ secrets.APPLE_PASSWORD }}
APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
KEYCHAIN_PATH: ${{ runner.temp }}/app-signing.keychain-db
run: pnpm build:macos
- name: Upload file
uses: actions/upload-artifact@v4
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}
with:
name: ${{ matrix.os }}
path: |
out/make/**/*.zip
out/make/**/*.exe
out/make/**/*.AppImage
out/make/**/*.yml
retention-days: 90
- name: Upload file (dmg)
uses: actions/upload-artifact@v4
if: matrix.os == 'macos-latest'
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
name: macos-dmg
path: |
out/make/**/*.dmg
retention-days: 90
- name: Generate artifact attestation
if: github.ref_type == 'tag' || github.event.inputs.tag_version != ''
continue-on-error: true
uses: actions/attest-build-provenance@v1
with:
subject-path: |
out/make/**/*.dmg
out/make/**/*.zip
out/make/**/*.exe
out/make/**/*.AppImage
out/make/**/*.yml
- run: npx changelogithub
if: github.ref_type == 'tag' || github.event.inputs.tag_version != ''
continue-on-error: true
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Setup Version
id: version
uses: ./.github/actions/setup-version
- name: Create Release Draft
if: github.ref_type == 'tag' || github.event.inputs.tag_version != ''
uses: softprops/action-gh-release@v2
with:
name: v${{ steps.version.outputs.APP_VERSION }}
draft: false
prerelease: true
tag_name: v${{ steps.version.outputs.APP_VERSION }}
files: |
out/make/**/*.dmg
out/make/**/*.zip
out/make/**/*.exe
out/make/**/*.AppImage
out/make/**/*.yml