docs(release): clarify installers and aur publishing #18
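name: Release

on:
  push:
    branches: [main]
  workflow_dispatch:

# Workflow-level default token permissions. A job that declares its own
# `permissions:` block replaces this set; a job that does not inherits it.
permissions:
  contents: write
  issues: write
  pull-requests: write

concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  # Every push to main lands in the same group. With cancellation enabled, a
  # push that arrives while a release run is still building or publishing
  # would cancel it part-way, leaving a tagged release with missing or
  # partially published artifacts. Queue the newer run instead.
  cancel-in-progress: false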
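jobs:
  # Step 1: release-please creates/updates a release PR with changelog
  # When merged, it creates a GitHub release + git tag automatically
  release-please:
    runs-on: ubuntu-latest
    # Explicit per-job grant, so this job's token scope does not depend on the
    # workflow-level default and stays correct if that default is tightened.
    permissions:
      contents: write
      issues: write
      pull-requests: write
    # Consumed by the downstream jobs through `needs.release-please.outputs.*`.
    outputs:
      release_created: ${{ steps.release.outputs.release_created }}
      tag_name: ${{ steps.release.outputs.tag_name }}
      version: ${{ steps.release.outputs.version }}
    steps:
      # NOTE(review): `@v4` is a tag the action's owner can move. This step
      # receives a write-capable token, so pinning the action to a full commit
      # SHA is worth considering.
      - uses: googleapis/release-please-action@v4
        id: release
        with:
          # Falls back to the workflow token when RELEASE_PLEASE_TOKEN is unset.
          # If a personal access token is stored there, keep its scope limited
          # to this repository.
          token: ${{ secrets.RELEASE_PLEASE_TOKEN || secrets.GITHUB_TOKEN }}
          config-file: release-please-config.json
          manifest-file: .release-please-manifest.json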
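# Step 2: Build Linux + Windows (always when release is created)
  build-linux-windows:
    needs: release-please
    if: ${{ needs.release-please.outputs.release_created }}
    # Write access is needed so the build step can attach artifacts to the release.
    permissions:
      contents: write
    strategy:
      fail-fast: false
      matrix:
        include:
          - platform: ubuntu-22.04
            target: x86_64-unknown-linux-gnu
          - platform: windows-latest
            target: x86_64-pc-windows-msvc
    runs-on: ${{ matrix.platform }}
    # NOTE(review): the `uses:` references in this job are tags or branches
    # (`@v6`, `@stable`, `@v2`, `@action-v0.6.2`) that their owners can move.
    # This job receives the updater signing key, so pinning each action to a
    # full commit SHA is worth considering.
    steps:
      - uses: actions/checkout@v6
        with:
          # No later step pushes with git; the release upload passes
          # GITHUB_TOKEN explicitly. Do not leave the job token configured for
          # git while dependency install and build scripts run.
          persist-credentials: false

      - name: Install dependencies (Ubuntu)
        if: matrix.platform == 'ubuntu-22.04'
        run: |
          sudo apt-get update
          sudo apt-get install -y libwebkit2gtk-4.1-dev libappindicator3-dev librsvg2-dev patchelf

      - name: Install Rust stable
        uses: dtolnay/rust-toolchain@stable
        with:
          targets: ${{ matrix.target }}

      - name: Rust cache
        uses: swatinem/rust-cache@v2
        with:
          workspaces: './src-tauri -> target'

      - name: Setup Node.js
        uses: actions/setup-node@v6
        with:
          node-version: 22
          cache: 'npm'

      - name: Install frontend dependencies
        run: npm ci

      - name: Install FFmpeg (Ubuntu)
        if: matrix.platform == 'ubuntu-22.04'
        run: sudo apt-get install -y ffmpeg

      - name: Install FFmpeg (Windows)
        if: matrix.platform == 'windows-latest'
        run: choco install ffmpeg -y

      # The version reaches the script through an environment variable rather
      # than being interpolated into the script text, so the release-please
      # output is never parsed as shell or Python source.
      - name: Sync release version across app files
        shell: bash
        env:
          RELEASE_VERSION: ${{ needs.release-please.outputs.version }}
        run: |
          python - <<'PY'
          import json
          import os
          import re
          from pathlib import Path

          version = os.environ["RELEASE_VERSION"]

          tauri_conf_path = Path("src-tauri/tauri.conf.json")
          tauri_conf = json.loads(tauri_conf_path.read_text(encoding="utf-8"))
          tauri_conf["version"] = version
          tauri_conf_path.write_text(json.dumps(tauri_conf, indent=2) + "\n", encoding="utf-8")

          cargo_toml_path = Path("src-tauri/Cargo.toml")
          cargo_toml = cargo_toml_path.read_text(encoding="utf-8")
          cargo_toml, replacements = re.subn(
              r'(?m)^version = "[^"]+"$',
              f'version = "{version}"',
              cargo_toml,
              count=1,
          )
          if replacements != 1:
              raise SystemExit("Failed to update package.version in src-tauri/Cargo.toml")
          cargo_toml_path.write_text(cargo_toml, encoding="utf-8")
          print(f"Synchronized release version {version}")
          PY

      # Fails early when either signing secret is empty. The check is for
      # presence only; it never prints the values.
      - name: Validate updater signing secrets
        shell: bash
        env:
          TAURI_SIGNING_PRIVATE_KEY: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY }}
          TAURI_SIGNING_PRIVATE_KEY_PASSWORD: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY_PASSWORD }}
        run: |
          if [ -z "$TAURI_SIGNING_PRIVATE_KEY" ] || [ -z "$TAURI_SIGNING_PRIVATE_KEY_PASSWORD" ]; then
            echo "::error::Missing TAURI_SIGNING_PRIVATE_KEY and/or TAURI_SIGNING_PRIVATE_KEY_PASSWORD secrets."
            echo "::error::Generate them with: npm run tauri signer generate -- -w ~/.tauri/cliprithm.key"
            echo "::error::Store the private key content or path in TAURI_SIGNING_PRIVATE_KEY and the passphrase in TAURI_SIGNING_PRIVATE_KEY_PASSWORD."
            exit 1
          fi

      # The signing key and its passphrase are exposed only to the validation
      # step above and to this build step.
      - name: Build Tauri app
        uses: tauri-apps/tauri-action@action-v0.6.2
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          TAURI_SIGNING_PRIVATE_KEY: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY }}
          TAURI_SIGNING_PRIVATE_KEY_PASSWORD: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY_PASSWORD }}
        with:
          tagName: ${{ needs.release-please.outputs.tag_name }}
          releaseName: 'Cliprithm ${{ needs.release-please.outputs.version }}'
          releaseBody: ''
          releaseDraft: false
          prerelease: false
          args: --target ${{ matrix.target }}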
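# Publish the AUR source and binary package repositories for a created release
  publish-aur:
    needs:
      - release-please
      - build-linux-windows
    if: ${{ needs.release-please.outputs.release_created }}
    runs-on: ubuntu-latest
    # Publishing goes to the AUR over SSH, so the GitHub token stays read-only.
    permissions:
      contents: read
    steps:
      # NOTE(review): `@v6` is a tag the action's owner can move. This job
      # holds the AUR SSH key, so pinning to a full commit SHA is worth
      # considering.
      - uses: actions/checkout@v6
        with:
          # Nothing in this job talks to GitHub with git after checkout; do not
          # leave the job token configured for git while repository scripts run.
          persist-credentials: false

      # Turns "secret is configured" into a step output so the remaining steps
      # can be skipped without failing the workflow.
      - name: Check AUR configuration
        id: aur-config
        shell: bash
        env:
          AUR_SSH_PRIVATE_KEY: ${{ secrets.AUR_SSH_PRIVATE_KEY }}
        run: |
          if [ -z "$AUR_SSH_PRIVATE_KEY" ]; then
            echo "enabled=false" >> "$GITHUB_OUTPUT"
            echo "::notice::Skipping AUR publish because AUR_SSH_PRIVATE_KEY is not configured."
            exit 0
          fi
          echo "enabled=true" >> "$GITHUB_OUTPUT"

      - name: Generate AUR source package files
        if: steps.aur-config.outputs.enabled == 'true'
        env:
          RELEASE_VERSION: ${{ needs.release-please.outputs.version }}
          RELEASE_TAG: ${{ needs.release-please.outputs.tag_name }}
        run: |
          python3 scripts/generate_aur_package.py \
            --version "$RELEASE_VERSION" \
            --tag "$RELEASE_TAG" \
            --output-dir .artifacts/aur/source

      - name: Generate AUR binary package files
        if: steps.aur-config.outputs.enabled == 'true'
        env:
          RELEASE_VERSION: ${{ needs.release-please.outputs.version }}
          RELEASE_TAG: ${{ needs.release-please.outputs.tag_name }}
        run: |
          python3 scripts/generate_aur_package.py \
            --package bin \
            --version "$RELEASE_VERSION" \
            --tag "$RELEASE_TAG" \
            --output-dir .artifacts/aur/bin

      - name: Configure SSH for AUR
        if: steps.aur-config.outputs.enabled == 'true'
        shell: bash
        env:
          AUR_SSH_PRIVATE_KEY: ${{ secrets.AUR_SSH_PRIVATE_KEY }}
          # Optional repository variable (name introduced here; define it in
          # the repository settings): the known_hosts line(s) for
          # aur.archlinux.org, copied from a source verified out of band.
          AUR_SSH_KNOWN_HOSTS: ${{ vars.AUR_SSH_KNOWN_HOSTS }}
        run: |
          # Create ~/.ssh and the key file owner-only from the start, instead
          # of writing the key with default permissions and tightening later.
          umask 077
          mkdir -p ~/.ssh
          chmod 700 ~/.ssh
          printf '%s\n' "$AUR_SSH_PRIVATE_KEY" > ~/.ssh/id_ed25519
          chmod 600 ~/.ssh/id_ed25519
          if [ -n "$AUR_SSH_KNOWN_HOSTS" ]; then
            # Pinned host key: the push fails if the server presents another key.
            printf '%s\n' "$AUR_SSH_KNOWN_HOSTS" >> ~/.ssh/known_hosts
          else
            # ssh-keyscan trusts whatever key the network returns on this run,
            # so it does not authenticate the host on its own.
            echo "::warning::AUR_SSH_KNOWN_HOSTS is not set; trusting the host key returned by ssh-keyscan without verification."
            ssh-keyscan aur.archlinux.org >> ~/.ssh/known_hosts
          fi
          chmod 644 ~/.ssh/known_hosts

      # Copies the generated files into a fresh clone and pushes only when the
      # staged content differs from what the AUR repository already has.
      - name: Publish AUR source package repository
        if: steps.aur-config.outputs.enabled == 'true'
        shell: bash
        env:
          RELEASE_VERSION: ${{ needs.release-please.outputs.version }}
          AUR_PACKAGE_REPO_SSH_URL: ${{ vars.AUR_PACKAGE_REPO_SSH_URL }}
        run: |
          REPO_URL="${AUR_PACKAGE_REPO_SSH_URL:-ssh://aur@aur.archlinux.org/cliprithm.git}"
          git clone "$REPO_URL" /tmp/aur-cliprithm
          cp .artifacts/aur/source/PKGBUILD /tmp/aur-cliprithm/PKGBUILD
          cp .artifacts/aur/source/.SRCINFO /tmp/aur-cliprithm/.SRCINFO
          git -C /tmp/aur-cliprithm config user.name "github-actions[bot]"
          git -C /tmp/aur-cliprithm config user.email "41898282+github-actions[bot]@users.noreply.github.com"
          git -C /tmp/aur-cliprithm add PKGBUILD .SRCINFO
          if git -C /tmp/aur-cliprithm diff --cached --quiet; then
            echo "AUR package repository already up to date."
            exit 0
          fi
          git -C /tmp/aur-cliprithm commit -m "cliprithm ${RELEASE_VERSION}"
          git -C /tmp/aur-cliprithm push origin HEAD

      # The binary repository URL is derived from the source repository URL by
      # swapping the trailing `cliprithm.git` for `cliprithm-bin.git`; any
      # other URL shape is rejected.
      - name: Publish AUR binary package repository
        if: steps.aur-config.outputs.enabled == 'true'
        shell: bash
        env:
          RELEASE_VERSION: ${{ needs.release-please.outputs.version }}
          AUR_PACKAGE_REPO_SSH_URL: ${{ vars.AUR_PACKAGE_REPO_SSH_URL }}
        run: |
          SOURCE_REPO_URL="${AUR_PACKAGE_REPO_SSH_URL:-ssh://aur@aur.archlinux.org/cliprithm.git}"
          case "$SOURCE_REPO_URL" in
            *cliprithm.git)
              REPO_URL="${SOURCE_REPO_URL%cliprithm.git}cliprithm-bin.git"
              ;;
            *)
              echo "::error::AUR_PACKAGE_REPO_SSH_URL must end with cliprithm.git so cliprithm-bin.git can be derived automatically."
              exit 1
              ;;
          esac
          git clone "$REPO_URL" /tmp/aur-cliprithm-bin
          cp .artifacts/aur/bin/PKGBUILD /tmp/aur-cliprithm-bin/PKGBUILD
          cp .artifacts/aur/bin/.SRCINFO /tmp/aur-cliprithm-bin/.SRCINFO
          git -C /tmp/aur-cliprithm-bin config user.name "github-actions[bot]"
          git -C /tmp/aur-cliprithm-bin config user.email "41898282+github-actions[bot]@users.noreply.github.com"
          git -C /tmp/aur-cliprithm-bin add PKGBUILD .SRCINFO
          if git -C /tmp/aur-cliprithm-bin diff --cached --quiet; then
            echo "AUR binary package repository already up to date."
            exit 0
          fi
          git -C /tmp/aur-cliprithm-bin commit -m "cliprithm-bin ${RELEASE_VERSION}"
          git -C /tmp/aur-cliprithm-bin push origin HEAD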
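# Step 3: Build macOS artifacts for every created release
  build-macos:
    needs: release-please
    if: ${{ needs.release-please.outputs.release_created }}
    # Write access is needed so the build step can attach artifacts to the release.
    permissions:
      contents: write
    strategy:
      fail-fast: false
      matrix:
        include:
          - platform: macos-latest
            target: aarch64-apple-darwin
          - platform: macos-latest
            target: x86_64-apple-darwin
    runs-on: ${{ matrix.platform }}
    # NOTE(review): the `uses:` references in this job are tags or branches
    # (`@v6`, `@stable`, `@v2`, `@action-v0.6.2`) that their owners can move.
    # This job receives the updater signing key, so pinning each action to a
    # full commit SHA is worth considering.
    steps:
      - uses: actions/checkout@v6
        with:
          # No later step pushes with git; the release upload passes
          # GITHUB_TOKEN explicitly. Do not leave the job token configured for
          # git while dependency install and build scripts run.
          persist-credentials: false

      - name: Install Rust stable
        uses: dtolnay/rust-toolchain@stable
        with:
          targets: ${{ matrix.target }}

      - name: Rust cache
        uses: swatinem/rust-cache@v2
        with:
          workspaces: './src-tauri -> target'

      - name: Setup Node.js
        uses: actions/setup-node@v6
        with:
          node-version: 22
          cache: 'npm'

      - name: Install frontend dependencies
        run: npm ci

      - name: Install FFmpeg (macOS)
        run: brew install ffmpeg

      # The version reaches the script through an environment variable rather
      # than being interpolated into the script text, so the release-please
      # output is never parsed as shell or Python source.
      - name: Sync release version across app files
        shell: bash
        env:
          RELEASE_VERSION: ${{ needs.release-please.outputs.version }}
        run: |
          python - <<'PY'
          import json
          import os
          import re
          from pathlib import Path

          version = os.environ["RELEASE_VERSION"]

          tauri_conf_path = Path("src-tauri/tauri.conf.json")
          tauri_conf = json.loads(tauri_conf_path.read_text(encoding="utf-8"))
          tauri_conf["version"] = version
          tauri_conf_path.write_text(json.dumps(tauri_conf, indent=2) + "\n", encoding="utf-8")

          cargo_toml_path = Path("src-tauri/Cargo.toml")
          cargo_toml = cargo_toml_path.read_text(encoding="utf-8")
          cargo_toml, replacements = re.subn(
              r'(?m)^version = "[^"]+"$',
              f'version = "{version}"',
              cargo_toml,
              count=1,
          )
          if replacements != 1:
              raise SystemExit("Failed to update package.version in src-tauri/Cargo.toml")
          cargo_toml_path.write_text(cargo_toml, encoding="utf-8")
          print(f"Synchronized release version {version}")
          PY

      # Fails early when either signing secret is empty. The check is for
      # presence only; it never prints the values.
      - name: Validate updater signing secrets
        shell: bash
        env:
          TAURI_SIGNING_PRIVATE_KEY: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY }}
          TAURI_SIGNING_PRIVATE_KEY_PASSWORD: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY_PASSWORD }}
        run: |
          if [ -z "$TAURI_SIGNING_PRIVATE_KEY" ] || [ -z "$TAURI_SIGNING_PRIVATE_KEY_PASSWORD" ]; then
            echo "::error::Missing TAURI_SIGNING_PRIVATE_KEY and/or TAURI_SIGNING_PRIVATE_KEY_PASSWORD secrets."
            echo "::error::Generate them with: npm run tauri signer generate -- -w ~/.tauri/cliprithm.key"
            echo "::error::Store the private key content or path in TAURI_SIGNING_PRIVATE_KEY and the passphrase in TAURI_SIGNING_PRIVATE_KEY_PASSWORD."
            exit 1
          fi

      # The signing key and its passphrase are exposed only to the validation
      # step above and to this build step.
      - name: Build Tauri app
        uses: tauri-apps/tauri-action@action-v0.6.2
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          TAURI_SIGNING_PRIVATE_KEY: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY }}
          TAURI_SIGNING_PRIVATE_KEY_PASSWORD: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY_PASSWORD }}
        with:
          tagName: ${{ needs.release-please.outputs.tag_name }}
          releaseName: 'Cliprithm ${{ needs.release-please.outputs.version }}'
          releaseBody: ''
          releaseDraft: false
          prerelease: false
          args: --target ${{ matrix.target }}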