🤖 Add release workflow for automated binary publishing (#168)

ammar-agent · web-flow · commit 747ae0f6ff75 · 2025-10-10T15:04:13.000-05:00
## Summary

Adds automated release workflow that builds and publishes macOS and
Linux binaries when a GitHub release is published.

## Release Process

1. **Bump version** in  (e.g.,  → )
2. **Commit and push** the version change to main
3. **Create a draft release** on GitHub with a tag (e.g., ) and write
release notes
4. **Publish the draft release** → triggers the workflow
5. **Wait for builds** (~10-15 minutes) - binaries are automatically
attached to the release

## Changes

- **** - New workflow triggered on `release: published`
  - Builds macOS (x64 + arm64 DMGs)
  - Builds Linux (AppImage)
  - Uses `--publish always` to attach artifacts to GitHub release
- **** - Configure electron-builder to publish to GitHub releases
- **** - Document release process and workflow maintenance

## DRY Approach

The release workflow reuses the same build setup as :
- Same dependency installation steps
- Same build process
- Same code signing configuration

**Key difference:** uses for PR verification, while uses with to attach
binaries to releases.

## Testing

This can be tested by:
1. Merging this PR
2. Creating a test release (can be deleted after)
3. Verifying binaries are attached after workflow completes

_Generated with `cmux`_
diff --git a/.github/actions/setup-cmux/action.yml b/.github/actions/setup-cmux/action.yml
@@ -0,0 +1,13 @@
+name: 'Setup cmux build environment'
+description: 'Setup Bun and install dependencies'
+runs:
+  using: "composite"
+  steps:
+    - name: Setup Bun
+      uses: oven-sh/setup-bun@v2
+      with:
+        bun-version: latest
+
+    - name: Install dependencies
+      run: bun install --frozen-lockfile
+      shell: bash
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -14,42 +14,25 @@ jobs:
       - name: Checkout code
         uses: actions/checkout@v4
 
-      - name: Setup Bun
-        uses: oven-sh/setup-bun@v2
-        with:
-          bun-version: latest
-
-      - name: Install dependencies
-        run: bun install --frozen-lockfile
+      - uses: ./.github/actions/setup-cmux
 
       - name: Install ImageMagick
         run: brew install imagemagick
 
       - name: Build application
         run: bun run build
 
-      - name: Package for macOS
-        run: |
-          # Decode certificate to file to avoid issues with newlines in base64 string
-          if [ -n "${{ secrets.MACOS_CERTIFICATE }}" ]; then
-            echo "${{ secrets.MACOS_CERTIFICATE }}" | base64 -D > /tmp/certificate.p12
-            export CSC_LINK="/tmp/certificate.p12"
-            export CSC_KEY_PASSWORD="${{ secrets.MACOS_CERTIFICATE_PWD }}"
-          fi
-
-          # Notarization credentials (optional - will skip if not provided)
-          if [ -n "${{ secrets.AC_APIKEY_ID }}" ]; then
-            # Decode API key to file
-            echo "${{ secrets.AC_APIKEY_P8_BASE64 }}" | base64 -D > /tmp/AuthKey.p8
-            export APPLE_API_KEY="/tmp/AuthKey.p8"
-            export APPLE_API_KEY_ID="${{ secrets.AC_APIKEY_ID }}"
-            export APPLE_API_ISSUER="${{ secrets.AC_APIKEY_ISSUER_ID }}"
-            echo "✅ Notarization credentials found (API key) - will notarize"
-          else
-            echo "⚠️  No notarization credentials - skipping notarization"
-          fi
+      - name: Setup code signing
+        run: ./scripts/setup-macos-signing.sh
+        env:
+          MACOS_CERTIFICATE: ${{ secrets.MACOS_CERTIFICATE }}
+          MACOS_CERTIFICATE_PWD: ${{ secrets.MACOS_CERTIFICATE_PWD }}
+          AC_APIKEY_P8_BASE64: ${{ secrets.AC_APIKEY_P8_BASE64 }}
+          AC_APIKEY_ID: ${{ secrets.AC_APIKEY_ID }}
+          AC_APIKEY_ISSUER_ID: ${{ secrets.AC_APIKEY_ISSUER_ID }}
 
-          make dist-mac
+      - name: Package for macOS
+        run: make dist-mac
 
       - name: Upload macOS DMG (x64)
         uses: actions/upload-artifact@v4
@@ -74,13 +57,7 @@ jobs:
       - name: Checkout code
         uses: actions/checkout@v4
 
-      - name: Setup Bun
-        uses: oven-sh/setup-bun@v2
-        with:
-          bun-version: latest
-
-      - name: Install dependencies
-        run: bun install --frozen-lockfile
+      - uses: ./.github/actions/setup-cmux
 
       - name: Install ImageMagick
         run: sudo apt-get update && sudo apt-get install -y imagemagick
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -0,0 +1,58 @@
+name: Release
+
+on:
+  release:
+    types: [published]
+
+permissions:
+  contents: write  # Required for electron-builder to upload release assets
+
+jobs:
+  build-macos:
+    name: Build and Release macOS
+    runs-on: macos-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - uses: ./.github/actions/setup-cmux
+
+      - name: Install ImageMagick
+        run: brew install imagemagick
+
+      - name: Build application
+        run: bun run build
+
+      - name: Setup code signing
+        run: ./scripts/setup-macos-signing.sh
+        env:
+          MACOS_CERTIFICATE: ${{ secrets.MACOS_CERTIFICATE }}
+          MACOS_CERTIFICATE_PWD: ${{ secrets.MACOS_CERTIFICATE_PWD }}
+          AC_APIKEY_P8_BASE64: ${{ secrets.AC_APIKEY_P8_BASE64 }}
+          AC_APIKEY_ID: ${{ secrets.AC_APIKEY_ID }}
+          AC_APIKEY_ISSUER_ID: ${{ secrets.AC_APIKEY_ISSUER_ID }}
+
+      - name: Package and publish for macOS
+        run: bun x electron-builder --mac --publish always
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+  build-linux:
+    name: Build and Release Linux
+    runs-on: ${{ github.repository_owner == 'coder' && 'depot-ubuntu-22.04-16' || 'ubuntu-latest' }}
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - uses: ./.github/actions/setup-cmux
+
+      - name: Install ImageMagick
+        run: sudo apt-get update && sudo apt-get install -y imagemagick
+
+      - name: Build application
+        run: bun run build
+
+      - name: Package and publish for Linux
+        run: bun x electron-builder --linux --publish always
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/package.json b/package.json
@@ -96,6 +96,10 @@
   "build": {
     "appId": "com.cmux.app",
     "productName": "Cmux",
+    "publish": {
+      "provider": "github",
+      "releaseType": "release"
+    },
     "directories": {
       "output": "release"
     },
diff --git a/scripts/setup-macos-signing.sh b/scripts/setup-macos-signing.sh
@@ -0,0 +1,34 @@
+#!/bin/bash
+# Sets up macOS code signing and notarization from GitHub secrets
+# Usage: ./scripts/setup-macos-signing.sh
+#
+# Required environment variables:
+#   MACOS_CERTIFICATE          - Base64-encoded .p12 certificate
+#   MACOS_CERTIFICATE_PWD      - Certificate password
+#   AC_APIKEY_P8_BASE64        - Base64-encoded Apple API key (.p8)
+#   AC_APIKEY_ID               - Apple API Key ID
+#   AC_APIKEY_ISSUER_ID        - Apple API Issuer ID
+
+set -euo pipefail
+
+# Setup code signing certificate
+if [ -n "${MACOS_CERTIFICATE:-}" ]; then
+  echo "Setting up code signing certificate..."
+  echo "$MACOS_CERTIFICATE" | base64 -D > /tmp/certificate.p12
+  echo "CSC_LINK=/tmp/certificate.p12" >> "$GITHUB_ENV"
+  echo "CSC_KEY_PASSWORD=$MACOS_CERTIFICATE_PWD" >> "$GITHUB_ENV"
+else
+  echo "⚠️  No code signing certificate provided - building unsigned"
+fi
+
+# Setup notarization credentials
+if [ -n "${AC_APIKEY_ID:-}" ]; then
+  echo "Setting up notarization credentials..."
+  echo "$AC_APIKEY_P8_BASE64" | base64 -D > /tmp/AuthKey.p8
+  echo "APPLE_API_KEY=/tmp/AuthKey.p8" >> "$GITHUB_ENV"
+  echo "APPLE_API_KEY_ID=$AC_APIKEY_ID" >> "$GITHUB_ENV"
+  echo "APPLE_API_ISSUER=$AC_APIKEY_ISSUER_ID" >> "$GITHUB_ENV"
+  echo "✅ Notarization credentials configured"
+else
+  echo "⚠️  No notarization credentials - skipping notarization"
+fi
