Disable macOS notarization to fix release asset uploads #77
| permissions: | |
| contents: write | |
| name: Release app | |
| on: | |
| workflow_dispatch: | |
| push: | |
| branches: | |
| - main | |
| - release/** | |
| - 'v*' # run on branches named like v0.0.6 | |
| tags: | |
| - 'v*.*.*' # keep tag-based releases as well | |
| jobs: | |
| build: | |
| environment: release | |
| permissions: | |
| contents: write | |
| strategy: | |
| matrix: | |
| os: | |
| - { name: "windows", image: "windows-2022" } | |
| - { name: "linux", image: "ubuntu-22.04" } | |
| - { name: "macos-intel", image: "macos-13" } | |
| - { name: "macos", image: "macos-13" } | |
| runs-on: ${{ matrix.os.image }} | |
| env: | |
| CI: true | |
| steps: | |
| - name: Github checkout | |
| uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
| - name: Use Node.js | |
| uses: actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e # v4.3.0 | |
| with: | |
| node-version: 20 | |
| cache: 'npm' | |
| - name: Ensure npm cache directory exists (Windows) | |
| if: runner.os == 'Windows' | |
| run: | | |
| powershell -Command "New-Item -Path 'C:\npm\cache' -ItemType Directory -Force | Out-Null" | |
| - name: Cache npm cache and node_modules | |
| uses: actions/cache@v4 | |
| with: | |
| path: | | |
| ${{ runner.os == 'Windows' && 'C:\\npm\\cache' || '~/.npm' }} | |
| node_modules | |
| key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }} | |
| restore-keys: | | |
| ${{ runner.os }}-node- | |
| - name: Clean up potential corrupted install (CI-only) | |
| run: | | |
| if [ "${{ runner.os }}" = "Windows" ]; then | |
| powershell -Command "if (Test-Path node_modules) { Remove-Item -Recurse -Force node_modules } ; if (Test-Path package-lock.json) { Remove-Item -Force package-lock.json }" | |
| else | |
| rm -rf node_modules package-lock.json || true | |
| fi | |
| shell: bash | |
| - name: Configure npm for CI (cache path + disable optional deps) | |
| run: | | |
| if [ "${{ runner.os }}" = "Windows" ]; then | |
| npm config set cache "C:\\npm\\cache" --global | |
| else | |
| npm config set cache "${HOME}/.npm" --global | |
| fi | |
| npm config set optional false --global | |
| shell: bash | |
| - name: Install dependencies (npm ci || npm install fallback) | |
| run: | | |
| set -e | |
| if [ "${{ runner.os }}" = "Windows" ]; then | |
| npm ci --no-audit --prefer-offline || (powershell -Command "if (Test-Path package-lock.json) { Remove-Item -Force package-lock.json }" ; npm install --no-audit --prefer-offline) | |
| else | |
| npm ci --no-audit --prefer-offline || (rm -f package-lock.json && npm install --no-audit --prefer-offline) | |
| fi | |
| shell: bash | |
| - name: Try rebuild rollup native binary (non-fatal) | |
| run: | | |
| if [[ "${{ matrix.os.name }}" == "linux" ]]; then | |
| npm rebuild @rollup/rollup-linux-x64-gnu || true | |
| elif [[ "${{ matrix.os.name }}" == "macos-intel" ]]; then | |
| npm rebuild @rollup/rollup-darwin-x64 || true | |
| elif [[ "${{ matrix.os.name }}" == "macos" ]]; then | |
| npm rebuild @rollup/rollup-darwin-arm64 || true | |
| elif [[ "${{ matrix.os.name }}" == "windows" ]]; then | |
| npm rebuild @rollup/rollup-win32-x64-msvc || true | |
| fi | |
| shell: bash | |
| - name: Build | |
| env: | |
| NODE_OPTIONS: "--max-old-space-size=4096" | |
| run: npm run build | |
| shell: bash | |
| - name: Publish app | |
| env: | |
| NODE_OPTIONS: "--max-old-space-size=4096" | |
| SM_CODE_SIGNING_CERT_SHA1_HASH: ${{ secrets.SM_CODE_SIGNING_CERT_SHA1_HASH }} | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }} | |
| APPLE_ID: ${{ secrets.APPLE_ID }} | |
| APPLE_PASSWORD: ${{ secrets.APPLE_PASSWORD }} | |
| run: | | |
| set -e | |
| echo "=== Running publish (npm run publish) ===" | |
| npm run publish 2>&1 | sed -n '1,500p' | |
| shell: bash | |
| - name: Wait for GitHub to register release uploads | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| run: | | |
| set -e | |
| VERSION=$(node -e "console.log(require('./package.json').version)") | |
| TAG="v${VERSION}" | |
| attempts=0 | |
| max=9 | |
| sleep_interval=10 | |
| while [ $attempts -lt $max ]; do | |
| resp=$(curl -s -H "Authorization: token ${GITHUB_TOKEN}" -H "Accept: application/vnd.github.v3+json" "https://api.github.com/repos/${{ github.repository }}/releases/tags/${TAG}" || true) | |
| if echo "$resp" | grep -q "\"message\": \"Not Found\""; then | |
| echo "Release ${TAG} not found yet." | |
| else | |
| echo "$resp" | jq -r '. | {name: .name, tag_name: .tag_name, draft: .draft, published_at: .published_at, html_url: .html_url, assets_count: .assets | length}' | |
| echo "$resp" | jq -r '.assets[] | "\(.name) | \(.size) | \(.browser_download_url)"' || true | |
| assets_count=$(echo "$resp" | jq '.assets | length') | |
| if [ "$assets_count" -gt 0 ]; then | |
| break | |
| fi | |
| fi | |
| attempts=$((attempts+1)) | |
| sleep $sleep_interval | |
| done | |
| shell: bash | |
| verify-assets: | |
| name: Verify Release Assets | |
| needs: build | |
| runs-on: ubuntu-22.04 | |
| permissions: | |
| contents: read | |
| packages: read | |
| actions: read | |
| id-token: write | |
| steps: | |
| - name: Github checkout | |
| uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
| - name: Use Node.js | |
| uses: actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e # v4.3.0 | |
| with: | |
| node-version: 20 | |
| - name: Verify all release assets are uploaded | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| run: node scripts/verify-release-assets.js | |
| shell: bash |
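Review bot: The release build does not install from the committed lockfile: the "Clean up potential corrupted install" step deletes `package-lock.json` on every run, so the later `npm ci` presumably has nothing to honour and the `|| npm install` fallback resolves whatever versions the registry serves at build time. Code from that freshly resolved tree then runs in the "Publish app" step, which is given `GITHUB_TOKEN` with `contents: write`, the signing-certificate hash and the `APPLE_*` secrets, and it produces the artifacts that get released. I would keep the lockfile and fail closed, reducing the clean-up to `rm -rf node_modules` and the install to `npm ci --no-audit --prefer-offline` with no fallback on every platform. If notarization is now disabled as the PR title says, `APPLE_ID`, `APPLE_PASSWORD` and `APPLE_TEAM_ID` can presumably be dropped from that step's `env` too. Separately, `actions/cache@v4` is the only action here not pinned to a commit SHA; pin it like the checkout and setup-node steps, e.g. `uses: actions/cache@<full-commit-sha> # v4`.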