This repository was archived by the owner on Dec 8, 2025. It is now read-only.
Build 108 of branch main by @NGPixel #108
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Build and Release | |
| run-name: Build ${{ github.run_number }} of branch ${{ github.ref_name }} by @${{ github.actor }} | |
| on: | |
| workflow_dispatch: | |
| jobs: | |
| # ----------------------------------------------------------------- | |
| # PREPARE | |
| # ----------------------------------------------------------------- | |
| prepare: | |
| name: Prepare Release | |
| runs-on: ubuntu-latest | |
| permissions: | |
| id-token: write | |
| contents: write | |
| outputs: | |
| pkg_version: ${{ steps.semver.outputs.nextStrict }} | |
| steps: | |
| - uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| - name: Get Next Version | |
| id: semver | |
| uses: ietf-tools/semver-action@v1 | |
| with: | |
| token: ${{ github.token }} | |
| branch: main | |
| patchAll: true | |
| skipInvalidTags: true | |
| - name: Create Draft Release | |
| uses: ncipollo/[email protected] | |
| with: | |
| prerelease: true | |
| draft: false | |
| commit: ${{ github.sha }} | |
| tag: ${{ steps.semver.outputs.nextStrict }} | |
| name: ${{ steps.semver.outputs.nextStrict }} | |
| body: '*pending*' | |
| token: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Generate CHANGELOG | |
| id: changelog | |
| uses: Requarks/changelog-action@v1 | |
| with: | |
| token: ${{ github.token }} | |
| fromTag: ${{ steps.semver.outputs.nextStrict }} | |
| toTag: ${{ steps.semver.outputs.current }} | |
| writeToFile: false | |
| - name: Update Release Body | |
| uses: ncipollo/[email protected] | |
| with: | |
| prerelease: true | |
| updateOnlyUnreleased: true | |
| allowUpdates: true | |
| commit: ${{ github.sha }} | |
| tag: ${{ steps.semver.outputs.nextStrict }} | |
| name: ${{ steps.semver.outputs.nextStrict }} | |
| body: ${{ steps.changelog.outputs.changes }} | |
| token: ${{ secrets.GITHUB_TOKEN }} | |
| # ----------------------------------------------------------------- | |
| # BUILD ELECTRON | |
| # ----------------------------------------------------------------- | |
| build: | |
| name: Build Electron | |
| needs: [prepare] | |
| runs-on: ${{ matrix.os }} | |
| permissions: | |
| id-token: write | |
| contents: write | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| include: | |
| - os: ubuntu-latest | |
| platform: linux | |
| arch: x64 | |
| artifacts: "dist/electron/Packaged/*.+(deb|rpm|tar.gz),dist/electron/Packaged/latest-*.yml" | |
| # - os: ubuntu-24.04-arm | |
| # platform: linux | |
| # arch: arm64 | |
| # artifacts: "dist/electron/Packaged/*.+(deb|rpm|tar.gz),dist/electron/Packaged/latest-linux-arm64.yml" | |
| - os: macos-latest | |
| platform: darwin | |
| arch: arm64 | |
| artifacts: "dist/electron/Packaged/*-arm64-*.+(dmg|zip)" | |
| - os: macos-15-intel | |
| platform: darwin | |
| arch: x64 | |
| artifacts: "dist/electron/Packaged/*-x64-*.+(dmg|zip)" | |
| - os: windows-latest | |
| platform: win32 | |
| arch: x64 | |
| artifacts: "signed-build/*.exe,dist/electron/Packaged/latest.yml" | |
| env: | |
| PKG_VERSION: ${{needs.prepare.outputs.pkg_version}} | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: actions/setup-node@v4 | |
| with: | |
| node-version: '22' | |
| - name: Set Version | |
| run: | | |
| node -e "const fs = require('node:fs'); const pkg = require('./package.json'); pkg.version = '${{ env.PKG_VERSION }}'; fs.writeFileSync('package.json', JSON.stringify(pkg, null, 2));" | |
| # => LOAD SECRETS | |
| - name: macOS - Fetch Secrets from Vault | |
| if: ${{ matrix.platform == 'darwin' }} | |
| uses: hashicorp/[email protected] | |
| with: | |
| method: jwt | |
| url: ${{ secrets.VAULT_URL }} | |
| role: ${{ secrets.VAULT_ROLE }} | |
| secrets: | | |
| kv/data/draftforge/apple API_ISSUER_ID | APPLE_API_ISSUER ; | |
| kv/data/draftforge/apple API_KEY_ID | APPLE_API_KEY_ID ; | |
| kv/data/draftforge/apple API_KEY_P8 | API_KEY_P8 ; | |
| kv/data/draftforge/apple DIST_CERT_P12 | CSC_LINK ; | |
| kv/data/draftforge/apple DIST_CERT_P12_PWD | CSC_KEY_PASSWORD ; | |
| - name: macOS - Save signing certs | |
| if: ${{ matrix.platform == 'darwin' }} | |
| run: | | |
| mkdir -p private_keys | |
| echo "APPLE_API_KEY=private_keys/AuthKeys_$APPLE_API_KEY_ID.p8" >> "$GITHUB_ENV" | |
| # echo "CSC_LINK=private_keys/distribution.p12" >> "$GITHUB_ENV" | |
| openssl base64 -d <<< "$API_KEY_P8" -out "private_keys/AuthKeys_$APPLE_API_KEY_ID.p8" | |
| # openssl base64 -d <<< "$DIST_CERT_P12" -out "private_keys/distribution.p12" | |
| - name: macOS - Import Certs into keychain | |
| if: ${{ matrix.platform == 'darwin' }} | |
| uses: apple-actions/import-codesign-certs@v3 | |
| with: | |
| p12-file-base64: ${{ env.CSC_LINK }} | |
| p12-password: ${{ env.CSC_KEY_PASSWORD }} | |
| # => BUILD ELECTRON | |
| - name: Install dependencies | |
| run: | | |
| npm ci | |
| - name: macOS - Build package | |
| if: ${{ matrix.platform == 'darwin' }} | |
| env: | |
| DEBUG: electron-notarize* | |
| run: | | |
| npx quasar build -m electron -T ${{ matrix.platform }} -P always | |
| - name: Linux/Windows - Build package | |
| if: ${{ matrix.platform != 'darwin' }} | |
| run: | | |
| npx quasar build -m electron -T ${{ matrix.platform }} -P always | |
| - name: Windows - Remove universal installers | |
| if: ${{ matrix.platform == 'win32' }} | |
| run: | | |
| Remove-Item dist/electron/Packaged/ietf-draftforge-win-${{ env.PKG_VERSION }}.exe | |
| # => UPLOAD ARTIFACTS | |
| - name: Windows - Upload Build Artifact | |
| if: ${{ matrix.platform == 'win32' }} | |
| id: artifactupload | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: ${{ matrix.platform }}-build | |
| path: "dist/electron/Packaged/*.exe" | |
| - name: macOS - Upload Manifest Artifact | |
| if: ${{ matrix.platform == 'darwin' }} | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: mac-manifest-${{ matrix.arch }} | |
| path: "dist/electron/Packaged/latest*.yml" | |
| # => WINDOWS APP SIGNING | |
| - id: signpath | |
| name: Windows - Sign Executables | |
| if: ${{ matrix.platform == 'win32' }} | |
| uses: signpath/github-action-submit-signing-request@v1 | |
| with: | |
| api-token: '${{ secrets.SIGNPATH_API_TOKEN }}' | |
| organization-id: '${{ secrets.SIGNPATH_ORG_ID }}' | |
| project-slug: 'editor' | |
| signing-policy-slug: 'release-signing' | |
| github-artifact-id: '${{ steps.artifactupload.outputs.artifact-id }}' | |
| wait-for-completion: true | |
| output-artifact-directory: signed-build | |
| - name: Windows - Install yq | |
| if: ${{ matrix.platform == 'win32' }} | |
| run: | | |
| choco install yq | |
| - name: Windows - Recalculate exec signatures for latest.yml | |
| if: ${{ matrix.platform == 'win32' }} | |
| run: | | |
| $appVersion = yq '.version' dist/electron/Packaged/latest.yml | |
| $appX64Hash = Get-FileHash "signed-build/ietf-draftforge-win-x64-$appVersion.exe" -Algorithm SHA512 | |
| $appX64HashBytes = [byte[]] -split ($appX64Hash.Hash -replace '..', '0x$& ') | |
| $appX64HashB64 = [System.Convert]::ToBase64String($appX64HashBytes) | |
| $appArm64Hash = Get-FileHash "signed-build/ietf-draftforge-win-arm64-$appVersion.exe" -Algorithm SHA512 | |
| $appArm64HashBytes = [byte[]] -split ($appArm64Hash.Hash -replace '..', '0x$& ') | |
| $appArm64HashB64 = [System.Convert]::ToBase64String($appArm64HashBytes) | |
| $appX64Size = (Get-Item "signed-build/ietf-draftforge-win-x64-$appVersion.exe").Length | |
| $appArm64Size = (Get-Item "signed-build/ietf-draftforge-win-arm64-$appVersion.exe").Length | |
| yq -i 'del(.files.[0]) | del(.path) | del(.sha512)' dist/electron/Packaged/latest.yml | |
| yq -i ".files.[0].sha512 = `"$appX64HashB64`" | .files.[0].size = $appX64Size | .files.[1].sha512 = `"$appArm64HashB64`" | .files.[1].size = $appArm64Size" dist/electron/Packaged/latest.yml | |
| # => ADD TO RELEASE | |
| - name: Add Packages to Release | |
| uses: ncipollo/[email protected] | |
| with: | |
| prerelease: true | |
| updateOnlyUnreleased: true | |
| allowUpdates: true | |
| omitBody: true | |
| tag: ${{ env.PKG_VERSION }} | |
| name: ${{ env.PKG_VERSION }} | |
| artifacts: ${{ matrix.artifacts }} | |
| token: ${{ secrets.GITHUB_TOKEN }} | |
| # => CLEANUP | |
| - name: macOS - Purge signing certs | |
| if: ${{ matrix.platform == 'darwin' && always() }} | |
| run: | | |
| rm -rf private_keys | |
| # ----------------------------------------------------------------- | |
| # MERGE MANIFESTS | |
| # ----------------------------------------------------------------- | |
| mergeManifests: | |
| name: Merge Update Manifests | |
| needs: [prepare, build] | |
| runs-on: ubuntu-latest | |
| permissions: | |
| id-token: write | |
| contents: write | |
| env: | |
| PKG_VERSION: ${{needs.prepare.outputs.pkg_version}} | |
| steps: | |
| - uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| - uses: actions/setup-node@v4 | |
| with: | |
| node-version: '22' | |
| - uses: actions/download-artifact@v4 | |
| with: | |
| path: build/mac/artifacts | |
| pattern: mac-manifest-* | |
| - name: Merge Manifests | |
| working-directory: build/mac | |
| run: | | |
| npm ci | |
| node merge-update-manifests.mjs | |
| - name: Add Manifest to Release | |
| uses: ncipollo/[email protected] | |
| with: | |
| prerelease: true | |
| updateOnlyUnreleased: true | |
| allowUpdates: true | |
| omitBody: true | |
| tag: ${{ env.PKG_VERSION }} | |
| name: ${{ env.PKG_VERSION }} | |
| artifacts: build/mac/latest-mac.yml | |
| token: ${{ secrets.GITHUB_TOKEN }} | |
| # ----------------------------------------------------------------- | |
| # RELEASE | |
| # ----------------------------------------------------------------- | |
| release: | |
| name: Publish Release | |
| needs: [prepare, build, mergeManifests] | |
| runs-on: ubuntu-latest | |
| permissions: | |
| id-token: write | |
| contents: write | |
| env: | |
| PKG_VERSION: ${{needs.prepare.outputs.pkg_version}} | |
| steps: | |
| - name: Finalize Release | |
| uses: ncipollo/[email protected] | |
| with: | |
| allowUpdates: true | |
| makeLatest: true | |
| prerelease: false | |
| omitBody: true | |
| draft: false | |
| tag: ${{ env.PKG_VERSION }} | |
| name: ${{ env.PKG_VERSION }} | |
| token: ${{ secrets.GITHUB_TOKEN }} |