Merge pull request #5 from BOTOOM/release-please--branches--main--com… #17
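name: Release

on:
  push:
    branches: [main]
  workflow_dispatch:
    inputs:
      build_macos:
        description: 'Build macOS (uses extra credits)'
        required: false
        type: boolean
        default: false

# Default GITHUB_TOKEN scope. Any job without its own `permissions:` block
# runs with these; a job-level block replaces them entirely.
permissions:
  contents: write
  issues: write
  pull-requests: write

# One run per workflow and ref at a time. In-flight runs are left to finish:
# cancelling a run that is already building and uploading signed artifacts
# (for example because another commit landed on main) can leave a published
# release with missing or partial assets.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: false

jobs: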
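# Step 1: release-please creates/updates a release PR with changelog
# When merged, it creates a GitHub release + git tag automatically
  release-please:
    runs-on: ubuntu-latest
    # Declared on the job, like the other jobs in this workflow, so the scope
    # this job needs is visible here and does not silently follow a change to
    # the workflow-level default. This only governs GITHUB_TOKEN; if
    # RELEASE_PLEASE_TOKEN is a personal access token, its scope is whatever
    # it was issued with.
    permissions:
      contents: write
      issues: write
      pull-requests: write
    outputs:
      release_created: ${{ steps.release.outputs.release_created }}
      tag_name: ${{ steps.release.outputs.tag_name }}
      version: ${{ steps.release.outputs.version }}
    steps:
      # NOTE(review): the action is referenced by a mutable tag. Pinning it to
      # a full commit SHA (with the tag kept as a trailing comment) stops a
      # moved tag from changing what runs with a write-scoped token.
      - uses: googleapis/release-please-action@v4
        id: release
        with:
          # Uses RELEASE_PLEASE_TOKEN when it is set, otherwise GITHUB_TOKEN.
          token: ${{ secrets.RELEASE_PLEASE_TOKEN || secrets.GITHUB_TOKEN }}
          config-file: release-please-config.json
          manifest-file: .release-please-manifest.json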
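# Step 2: Build Linux + Windows (always when release is created)
  build-linux-windows:
    needs: release-please
    # Compare against the string 'true': job outputs are strings, and any
    # non-empty string (including 'false') is truthy in an expression.
    if: ${{ needs.release-please.outputs.release_created == 'true' }}
    permissions:
      contents: write
    strategy:
      fail-fast: false
      matrix:
        include:
          - platform: ubuntu-22.04
            target: x86_64-unknown-linux-gnu
          - platform: windows-latest
            target: x86_64-pc-windows-msvc
    runs-on: ${{ matrix.platform }}
    steps:
      # NOTE(review): every `uses:` in this job points at a mutable tag or
      # branch (@v4, @v2, @v0, @stable). This job handles the updater signing
      # key and a contents:write token, so pinning each action to a full
      # commit SHA is worth the maintenance cost.
      - uses: actions/checkout@v4
        with:
          # Do not leave the write-scoped token in .git/config, where later
          # steps (npm lifecycle scripts, build scripts) could read it. The
          # release upload step receives GITHUB_TOKEN through its own env.
          persist-credentials: false

      - name: Install dependencies (Ubuntu)
        if: matrix.platform == 'ubuntu-22.04'
        run: |
          sudo apt-get update
          sudo apt-get install -y libwebkit2gtk-4.1-dev libappindicator3-dev librsvg2-dev patchelf

      - name: Install Rust stable
        uses: dtolnay/rust-toolchain@stable
        with:
          targets: ${{ matrix.target }}

      - name: Rust cache
        uses: swatinem/rust-cache@v2
        with:
          workspaces: './src-tauri -> target'

      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: 22
          cache: 'npm'

      - name: Install frontend dependencies
        run: npm ci

      - name: Install FFmpeg (Ubuntu)
        if: matrix.platform == 'ubuntu-22.04'
        run: sudo apt-get install -y ffmpeg

      - name: Install FFmpeg (Windows)
        if: matrix.platform == 'windows-latest'
        run: choco install ffmpeg -y

      # The version reaches the script through the environment rather than
      # being interpolated into the script text, so it is never parsed as code.
      - name: Sync release version across app files
        shell: bash
        env:
          RELEASE_VERSION: ${{ needs.release-please.outputs.version }}
        run: |
          python - <<'PY'
          import json
          import os
          import re
          from pathlib import Path

          version = os.environ.get("RELEASE_VERSION", "")
          # Fail before touching any file if the value is empty or is not a
          # semver-style version; it is written into files that get signed.
          if not re.fullmatch(
              r"\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?", version
          ):
              raise SystemExit(f"Refusing to sync unexpected release version: {version!r}")

          tauri_conf_path = Path("src-tauri/tauri.conf.json")
          tauri_conf = json.loads(tauri_conf_path.read_text(encoding="utf-8"))
          tauri_conf["version"] = version
          tauri_conf_path.write_text(json.dumps(tauri_conf, indent=2) + "\n", encoding="utf-8")

          cargo_toml_path = Path("src-tauri/Cargo.toml")
          cargo_toml = cargo_toml_path.read_text(encoding="utf-8")
          # A callable replacement is inserted verbatim, so the version text is
          # never interpreted as a regex replacement template.
          cargo_toml, replacements = re.subn(
              r'(?m)^version = "[^"]+"$',
              lambda _match: f'version = "{version}"',
              cargo_toml,
              count=1,
          )
          if replacements != 1:
              raise SystemExit("Failed to update package.version in src-tauri/Cargo.toml")
          cargo_toml_path.write_text(cargo_toml, encoding="utf-8")

          print(f"Synchronized release version {version}")
          PY

      # Fails the job early when either signing secret is empty, before the
      # build step runs.
      - name: Validate updater signing secrets
        shell: bash
        env:
          TAURI_SIGNING_PRIVATE_KEY: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY }}
          TAURI_SIGNING_PRIVATE_KEY_PASSWORD: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY_PASSWORD }}
        run: |
          if [ -z "$TAURI_SIGNING_PRIVATE_KEY" ] || [ -z "$TAURI_SIGNING_PRIVATE_KEY_PASSWORD" ]; then
            echo "::error::Missing TAURI_SIGNING_PRIVATE_KEY and/or TAURI_SIGNING_PRIVATE_KEY_PASSWORD secrets."
            echo "::error::Generate them with: npm run tauri signer generate -- -w ~/.tauri/cliprithm.key"
            echo "::error::Store the private key content or path in TAURI_SIGNING_PRIVATE_KEY and the passphrase in TAURI_SIGNING_PRIVATE_KEY_PASSWORD."
            exit 1
          fi

      # The signing key and its passphrase are exposed to this step only.
      - name: Build Tauri app
        uses: tauri-apps/tauri-action@v0
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          TAURI_SIGNING_PRIVATE_KEY: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY }}
          TAURI_SIGNING_PRIVATE_KEY_PASSWORD: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY_PASSWORD }}
        with:
          tagName: ${{ needs.release-please.outputs.tag_name }}
          releaseName: 'Cliprithm ${{ needs.release-please.outputs.version }}'
          releaseBody: ''
          releaseDraft: false
          prerelease: false
          args: --target ${{ matrix.target }}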
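# Publishes the generated PKGBUILD and .SRCINFO to the AUR package repository.
# Every step after the configuration check is skipped when no SSH key is set.
  publish-aur:
    needs: release-please
    # Compare against the string 'true': job outputs are strings, and any
    # non-empty string (including 'false') is truthy in an expression.
    if: ${{ needs.release-please.outputs.release_created == 'true' }}
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      # NOTE(review): actions/checkout is referenced by a mutable tag; pin it
      # to a full commit SHA, since this job later holds the AUR push key.
      - uses: actions/checkout@v4
        with:
          # Nothing in this job pushes to this repository, so the token is
          # not left behind in .git/config.
          persist-credentials: false

      - name: Check AUR configuration
        id: aur-config
        shell: bash
        env:
          AUR_SSH_PRIVATE_KEY: ${{ secrets.AUR_SSH_PRIVATE_KEY }}
        run: |
          if [ -z "$AUR_SSH_PRIVATE_KEY" ]; then
            echo "enabled=false" >> "$GITHUB_OUTPUT"
            echo "::notice::Skipping AUR publish because AUR_SSH_PRIVATE_KEY is not configured."
            exit 0
          fi
          echo "enabled=true" >> "$GITHUB_OUTPUT"

      - name: Generate AUR package files
        if: steps.aur-config.outputs.enabled == 'true'
        env:
          RELEASE_VERSION: ${{ needs.release-please.outputs.version }}
          RELEASE_TAG: ${{ needs.release-please.outputs.tag_name }}
        run: |
          python3 scripts/generate_aur_package.py \
            --version "$RELEASE_VERSION" \
            --tag "$RELEASE_TAG" \
            --output-dir .artifacts/aur

      - name: Configure SSH for AUR
        if: steps.aur-config.outputs.enabled == 'true'
        shell: bash
        env:
          AUR_SSH_PRIVATE_KEY: ${{ secrets.AUR_SSH_PRIVATE_KEY }}
          # Optional repository variable introduced here: the known_hosts
          # line(s) for aur.archlinux.org, checked out-of-band against the
          # fingerprints the AUR publishes. When it is unset the step behaves
          # as before and trusts whatever key ssh-keyscan returns.
          AUR_KNOWN_HOSTS: ${{ vars.AUR_KNOWN_HOSTS }}
        run: |
          mkdir -p ~/.ssh
          chmod 700 ~/.ssh
          # Create the key file owner-only from the start instead of relying
          # on the chmod that follows the write.
          (umask 077 && printf '%s\n' "$AUR_SSH_PRIVATE_KEY" > ~/.ssh/id_ed25519)
          chmod 600 ~/.ssh/id_ed25519
          if [ -n "$AUR_KNOWN_HOSTS" ]; then
            printf '%s\n' "$AUR_KNOWN_HOSTS" >> ~/.ssh/known_hosts
          else
            echo "::warning::AUR host key is not pinned; trusting the key returned by ssh-keyscan."
            ssh-keyscan aur.archlinux.org >> ~/.ssh/known_hosts
          fi
          chmod 644 ~/.ssh/known_hosts

      - name: Publish AUR package repository
        if: steps.aur-config.outputs.enabled == 'true'
        shell: bash
        env:
          RELEASE_VERSION: ${{ needs.release-please.outputs.version }}
          AUR_PACKAGE_REPO_SSH_URL: ${{ vars.AUR_PACKAGE_REPO_SSH_URL }}
        run: |
          # Falls back to the default AUR remote when the variable is unset.
          REPO_URL="${AUR_PACKAGE_REPO_SSH_URL:-ssh://aur@aur.archlinux.org/cliprithm.git}"
          git clone "$REPO_URL" /tmp/aur-cliprithm
          cp .artifacts/aur/PKGBUILD /tmp/aur-cliprithm/PKGBUILD
          cp .artifacts/aur/.SRCINFO /tmp/aur-cliprithm/.SRCINFO
          git -C /tmp/aur-cliprithm config user.name "github-actions[bot]"
          git -C /tmp/aur-cliprithm config user.email "41898282+github-actions[bot]@users.noreply.github.com"
          git -C /tmp/aur-cliprithm add PKGBUILD .SRCINFO
          # Nothing staged means the package files are unchanged; stop here.
          if git -C /tmp/aur-cliprithm diff --cached --quiet; then
            echo "AUR package repository already up to date."
            exit 0
          fi
          git -C /tmp/aur-cliprithm commit -m "cliprithm ${RELEASE_VERSION}"
          git -C /tmp/aur-cliprithm push origin HEAD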
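# Step 3: Build macOS (only when manually opted in)
  build-macos:
    needs: release-please
    # release_created is compared against the string 'true' because job
    # outputs are strings and any non-empty string is truthy in an expression.
    if: ${{ needs.release-please.outputs.release_created == 'true' && github.event.inputs.build_macos == 'true' }}
    permissions:
      contents: write
    strategy:
      fail-fast: false
      matrix:
        include:
          - platform: macos-latest
            target: aarch64-apple-darwin
          - platform: macos-latest
            target: x86_64-apple-darwin
    runs-on: ${{ matrix.platform }}
    steps:
      # NOTE(review): every `uses:` in this job points at a mutable tag or
      # branch (@v4, @v2, @v0, @stable). This job handles the updater signing
      # key and a contents:write token, so pinning each action to a full
      # commit SHA is worth the maintenance cost.
      - uses: actions/checkout@v4
        with:
          # Do not leave the write-scoped token in .git/config, where later
          # steps (npm lifecycle scripts, build scripts) could read it. The
          # release upload step receives GITHUB_TOKEN through its own env.
          persist-credentials: false

      - name: Install Rust stable
        uses: dtolnay/rust-toolchain@stable
        with:
          targets: ${{ matrix.target }}

      - name: Rust cache
        uses: swatinem/rust-cache@v2
        with:
          workspaces: './src-tauri -> target'

      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: 22
          cache: 'npm'

      - name: Install frontend dependencies
        run: npm ci

      - name: Install FFmpeg (macOS)
        run: brew install ffmpeg

      # The version reaches the script through the environment rather than
      # being interpolated into the script text, so it is never parsed as code.
      - name: Sync release version across app files
        shell: bash
        env:
          RELEASE_VERSION: ${{ needs.release-please.outputs.version }}
        run: |
          python - <<'PY'
          import json
          import os
          import re
          from pathlib import Path

          version = os.environ.get("RELEASE_VERSION", "")
          # Fail before touching any file if the value is empty or is not a
          # semver-style version; it is written into files that get signed.
          if not re.fullmatch(
              r"\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?", version
          ):
              raise SystemExit(f"Refusing to sync unexpected release version: {version!r}")

          tauri_conf_path = Path("src-tauri/tauri.conf.json")
          tauri_conf = json.loads(tauri_conf_path.read_text(encoding="utf-8"))
          tauri_conf["version"] = version
          tauri_conf_path.write_text(json.dumps(tauri_conf, indent=2) + "\n", encoding="utf-8")

          cargo_toml_path = Path("src-tauri/Cargo.toml")
          cargo_toml = cargo_toml_path.read_text(encoding="utf-8")
          # A callable replacement is inserted verbatim, so the version text is
          # never interpreted as a regex replacement template.
          cargo_toml, replacements = re.subn(
              r'(?m)^version = "[^"]+"$',
              lambda _match: f'version = "{version}"',
              cargo_toml,
              count=1,
          )
          if replacements != 1:
              raise SystemExit("Failed to update package.version in src-tauri/Cargo.toml")
          cargo_toml_path.write_text(cargo_toml, encoding="utf-8")

          print(f"Synchronized release version {version}")
          PY

      # Fails the job early when either signing secret is empty, before the
      # build step runs.
      - name: Validate updater signing secrets
        shell: bash
        env:
          TAURI_SIGNING_PRIVATE_KEY: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY }}
          TAURI_SIGNING_PRIVATE_KEY_PASSWORD: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY_PASSWORD }}
        run: |
          if [ -z "$TAURI_SIGNING_PRIVATE_KEY" ] || [ -z "$TAURI_SIGNING_PRIVATE_KEY_PASSWORD" ]; then
            echo "::error::Missing TAURI_SIGNING_PRIVATE_KEY and/or TAURI_SIGNING_PRIVATE_KEY_PASSWORD secrets."
            echo "::error::Generate them with: npm run tauri signer generate -- -w ~/.tauri/cliprithm.key"
            echo "::error::Store the private key content or path in TAURI_SIGNING_PRIVATE_KEY and the passphrase in TAURI_SIGNING_PRIVATE_KEY_PASSWORD."
            exit 1
          fi

      # The signing key and its passphrase are exposed to this step only.
      - name: Build Tauri app
        uses: tauri-apps/tauri-action@v0
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          TAURI_SIGNING_PRIVATE_KEY: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY }}
          TAURI_SIGNING_PRIVATE_KEY_PASSWORD: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY_PASSWORD }}
        with:
          tagName: ${{ needs.release-please.outputs.tag_name }}
          releaseName: 'Cliprithm ${{ needs.release-please.outputs.version }}'
          releaseBody: ''
          releaseDraft: false
          prerelease: false
          args: --target ${{ matrix.target }}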