feat: 添加 macOS 代码签名和公证支持 #189

Workflow file for this run

.github/workflows/release.yml at 3e6c58d

	name: 'publish'

	on:
	push:
	branches:
	- release

	jobs:
	build-android:
	runs-on: ubuntu-latest
	permissions:
	contents: write

	steps:
	- name: Checkout repository
	uses: actions/checkout@v4

	- name: Setup pnpm
	uses: pnpm/action-setup@v4
	with:
	version: 9

	- name: Setup Node.js
	uses: actions/setup-node@v4
	with:
	node-version: lts/*
	cache: 'pnpm'

	- name: Install Rust stable
	uses: dtolnay/rust-toolchain@stable
	with:
	targets: aarch64-linux-android,armv7-linux-androideabi,i686-linux-android,x86_64-linux-android

	- name: Setup Android SDK
	uses: android-actions/setup-android@v3

	- name: Install Android NDK
	run: \|
	echo "y" \| sdkmanager "ndk;29.0.14206865"
	echo "ANDROID_NDK_HOME=$ANDROID_HOME/ndk/29.0.14206865" >> $GITHUB_ENV
	echo "NDK_HOME=$ANDROID_HOME/ndk/29.0.14206865" >> $GITHUB_ENV

	- name: Cache Rust dependencies
	uses: actions/cache@v4
	with:
	path: \|
	~/.cargo/registry/index
	~/.cargo/registry/cache
	~/.cargo/git/db
	src-tauri/target
	key: ${{ runner.os }}-cargo-android-${{ hashFiles('**/Cargo.lock') }}
	restore-keys: \|
	${{ runner.os }}-cargo-android-

	- name: Install frontend dependencies
	run: pnpm install

	- name: Build frontend
	run: pnpm build

	- name: Setup NDK toolchain
	run: \|
	export PATH=$PATH:$ANDROID_NDK_HOME/toolchains/llvm/prebuilt/linux-x86_64/bin
	ln -sf llvm-ranlib $ANDROID_NDK_HOME/toolchains/llvm/prebuilt/linux-x86_64/bin/aarch64-linux-android-ranlib \|\| true

	- name: Initialize and Build Android
	run: \|
	export PATH=$PATH:$ANDROID_NDK_HOME/toolchains/llvm/prebuilt/linux-x86_64/bin

	# Initialize Android project if not exists
	if [ ! -d "src-tauri/gen/android" ]; then
	echo "📱 Initializing Android project..."
	pnpm tauri android init
	else
	echo "✅ Android project already initialized"
	fi

	# Verify initialization
	if [ ! -d "src-tauri/gen/android" ]; then
	echo "❌ Android initialization failed"
	exit 1
	fi

	# Set custom Android icon
	echo "🎨 Setting custom Android icon..."
	ICON_SOURCE="public/app-ios-icon.png"
	MIPMAP_DIRS=(
	"src-tauri/gen/android/app/src/main/res/mipmap-mdpi"
	"src-tauri/gen/android/app/src/main/res/mipmap-hdpi"
	"src-tauri/gen/android/app/src/main/res/mipmap-xhdpi"
	"src-tauri/gen/android/app/src/main/res/mipmap-xxhdpi"
	"src-tauri/gen/android/app/src/main/res/mipmap-xxxhdpi"
	)

	# Install ImageMagick for icon conversion
	sudo apt-get update && sudo apt-get install -y imagemagick

	# Generate different sizes
	convert "$ICON_SOURCE" -resize 48x48 "${MIPMAP_DIRS[0]}/ic_launcher.png"
	convert "$ICON_SOURCE" -resize 72x72 "${MIPMAP_DIRS[1]}/ic_launcher.png"
	convert "$ICON_SOURCE" -resize 96x96 "${MIPMAP_DIRS[2]}/ic_launcher.png"
	convert "$ICON_SOURCE" -resize 144x144 "${MIPMAP_DIRS[3]}/ic_launcher.png"
	convert "$ICON_SOURCE" -resize 192x192 "${MIPMAP_DIRS[4]}/ic_launcher.png"

	echo "✅ Android icon set successfully"

	echo "🔨 Building Android APK and AAB..."
	pnpm tauri android build --apk --aab

	- name: Decode keystore
	env:
	ANDROID_KEYSTORE_BASE64: ${{ secrets.ANDROID_KEYSTORE_BASE64 }}
	run: \|
	echo "$ANDROID_KEYSTORE_BASE64" \| base64 -d > src-tauri/android-release.keystore
	ls -la src-tauri/android-release.keystore

	- name: Get version
	id: get_version
	run: \|
	VERSION=$(grep -o '"version": "[^"]"' src-tauri/tauri.conf.json \| head -1 \| sed 's/"version": "$.$"/\1/')
	echo "version=$VERSION" >> $GITHUB_OUTPUT
	echo "Version: $VERSION"

	- name: Sign and Rename APK
	env:
	ANDROID_KEYSTORE_PASSWORD: ${{ secrets.ANDROID_KEYSTORE_PASSWORD }}
	ANDROID_KEY_PASSWORD: ${{ secrets.ANDROID_KEY_PASSWORD }}
	run: \|
	cd src-tauri
	APK_PATH="gen/android/app/build/outputs/apk/universal/release/app-universal-release-unsigned.apk"
	VERSION="${{ steps.get_version.outputs.version }}"
	SIGNED_APK="gen/android/app/build/outputs/apk/universal/release/NoteGen_${VERSION}_android-universal.apk"

	if [ ! -f "$APK_PATH" ]; then
	echo "❌ APK file not found at $APK_PATH"
	ls -la gen/android/app/build/outputs/apk/universal/release/ \|\| true
	exit 1
	fi

	echo "📝 Signing APK with apksigner (V1 + V2 signatures)..."
	$ANDROID_HOME/build-tools/$(ls $ANDROID_HOME/build-tools \| tail -n 1)/apksigner sign \
	--ks android-release.keystore \
	--ks-key-alias note-gen \
	--ks-pass pass:"$ANDROID_KEYSTORE_PASSWORD" \
	--key-pass pass:"$ANDROID_KEY_PASSWORD" \
	--out "$SIGNED_APK" \
	"$APK_PATH"

	echo "✅ APK signed successfully"

	# Verify signature
	echo "🔍 Verifying APK signature..."
	$ANDROID_HOME/build-tools/$(ls $ANDROID_HOME/build-tools \| tail -n 1)/apksigner verify --verbose "$SIGNED_APK"

	# Show file info
	ls -lh "$SIGNED_APK"

	- name: Rename AAB
	run: \|
	cd src-tauri
	VERSION="${{ steps.get_version.outputs.version }}"
	AAB_PATH="gen/android/app/build/outputs/bundle/universalRelease/app-universal-release.aab"
	RENAMED_AAB="gen/android/app/build/outputs/bundle/universalRelease/NoteGen_${VERSION}_android-universal.aab"

	if [ -f "$AAB_PATH" ]; then
	mv "$AAB_PATH" "$RENAMED_AAB"
	echo "✅ AAB renamed to: $RENAMED_AAB"
	ls -lh "$RENAMED_AAB"
	fi

	- name: Upload APK as artifact
	uses: actions/upload-artifact@v4
	with:
	name: android-apk
	path: src-tauri/gen/android/app/build/outputs/apk/universal/release/NoteGen_*.apk
	if-no-files-found: error

	- name: Upload AAB as artifact
	uses: actions/upload-artifact@v4
	with:
	name: android-aab
	path: src-tauri/gen/android/app/build/outputs/bundle/universalRelease/NoteGen_*.aab
	if-no-files-found: warn

	- name: Upload to Release
	uses: softprops/action-gh-release@v1
	with:
	tag_name: note-gen-v${{ steps.get_version.outputs.version }}
	files: \|
	src-tauri/gen/android/app/build/outputs/apk/universal/release/NoteGen_*.apk
	src-tauri/gen/android/app/build/outputs/bundle/universalRelease/NoteGen_*.aab
	draft: false
	prerelease: false

	- name: Cleanup keystore
	if: always()
	run: \|
	rm -f src-tauri/android-release.keystore

	publish-tauri:
	outputs:
	appVersion: ${{ steps.set_output.outputs.appVersion }}
	permissions:
	contents: write
	strategy:
	fail-fast: false
	matrix:
	include:
	- platform: 'macos-latest'
	args: '--target aarch64-apple-darwin'
	- platform: 'macos-latest'
	args: '--target x86_64-apple-darwin'
	- platform: 'ubuntu-24.04'
	args: ''
	- platform: 'windows-latest'
	args: ''

	runs-on: ${{ matrix.platform }}
	steps:
	- uses: actions/checkout@v4

	- uses: pnpm/action-setup@v4
	with:
	version: 9
	run_install: true

	- name: setup node
	uses: actions/setup-node@v4
	with:
	node-version: lts/*
	cache: 'pnpm'

	- name: install Rust stable
	uses: dtolnay/rust-toolchain@stable
	with:
	targets: ${{ matrix.platform == 'macos-latest' && 'aarch64-apple-darwin,x86_64-apple-darwin' \|\| '' }}

	- name: install dependencies (ubuntu only)
	if: matrix.platform == 'ubuntu-24.04'
	run: \|
	sudo apt-get update
	sudo apt-get install pkg-config libclang-dev libxcb1-dev libxrandr-dev libdbus-1-dev libpipewire-0.3-dev libwayland-dev libegl-dev libglib2.0-dev libgtk-3-dev libwebkit2gtk-4.1-dev libgbm-dev libappindicator3-dev librsvg2-dev patchelf

	- name: install frontend dependencies
	run: pnpm install

	- name: Import Apple Certificate
	if: matrix.platform == 'macos-latest'
	env:
	APPLE_CERTIFICATE: ${{ secrets.APPLE_CERTIFICATE }}
	APPLE_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
	KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD \|\| 'temporary_keychain_password' }}
	run: \|
	# Create variables
	CERTIFICATE_PATH=$RUNNER_TEMP/build_certificate.p12
	KEYCHAIN_PATH=$RUNNER_TEMP/app-signing.keychain-db

	# Import certificate from secrets
	echo -n "$APPLE_CERTIFICATE" \| base64 --decode -o $CERTIFICATE_PATH

	# Create temporary keychain
	security create-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
	security set-keychain-settings -lut 21600 $KEYCHAIN_PATH
	security unlock-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH

	# Import certificate to keychain
	security import $CERTIFICATE_PATH -P "$APPLE_CERTIFICATE_PASSWORD" -A -t cert -f pkcs12 -k $KEYCHAIN_PATH
	security list-keychain -d user -s $KEYCHAIN_PATH

	# Enable codesigning from a non user interactive shell
	security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH

	- uses: tauri-apps/tauri-action@v0.5.23
	id: tauri-action
	env:
	GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
	TAURI_SIGNING_PRIVATE_KEY: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY }}
	TAURI_SIGNING_PRIVATE_KEY_PASSWORD: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY_PASSWORD }}
	APPLE_ID: ${{ secrets.APPLE_ID }}
	APPLE_PASSWORD: ${{ secrets.APPLE_PASSWORD }}
	APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
	with:
	tagName: note-gen-v__VERSION__
	releaseName: 'NoteGen v__VERSION__'
	releaseBody: 'See the assets to download this version and install.'
	releaseDraft: false
	prerelease: false
	args: ${{ matrix.args }}

	- name: Generate release tag
	id: save_tag
	if: matrix.platform == 'ubuntu-24.04'
	run: \|
	# 调试输出
	echo ${{ steps.tauri-action.outputs.appVersion }}
	# 输出到步骤级
	echo "appVersion=${{ steps.tauri-action.outputs.appVersion }}" >> $GITHUB_OUTPUT

	- name: Set job output
	id: set_output
	if: matrix.platform == 'ubuntu-24.04'
	run: \|
	# 注意：这里引用的是 save_tag 步骤的 tag_name 输出
	echo "appVersion=${{ steps.save_tag.outputs.appVersion }}" >> $GITHUB_OUTPUT

	- name: Cleanup keychain
	if: matrix.platform == 'macos-latest' && always()
	run: \|
	KEYCHAIN_PATH=$RUNNER_TEMP/app-signing.keychain-db
	security delete-keychain $KEYCHAIN_PATH \|\| true

	upgradeLink-upload:
	needs: publish-tauri
	permissions:
	contents: write
	runs-on: ubuntu-latest
	steps:
	- name: Send a request to UpgradeLink
	uses: toolsetlink/upgradelink-action@v5
	with:
	source-url: 'https://github.com/codexu/note-gen/releases/download/note-gen-v${{ needs.publish-tauri.outputs.appVersion }}/latest.json'
	access-key: ${{ secrets.UPGRADE_LINK_ACCESS_KEY }}
	tauri-key: ${{ secrets.UPGRADE_LINK_TAURI_KEY }}
	github-token: ${{ secrets.GITHUB_TOKEN }}

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

feat: 添加 macOS 代码签名和公证支持 #189

Workflow file

feat: 添加 macOS 代码签名和公证支持 #189

Uh oh!

Workflow file for this run