release.yml
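# Release workflow: builds and publishes the app on macOS, Windows and Linux
# runners when a `v*.*.*` tag is pushed (or on manual dispatch), signs the
# macOS build with an imported Apple certificate, and bumps the Homebrew cask
# from the macOS job.
#
# NOTE(review): this job handles signing and publishing secrets, yet the
# actions below are referenced by mutable tag (`@v4`). Pinning each `uses:` to
# a full commit SHA keeps a moved tag from changing what runs here.
name: Release

on:
  push:
    tags:
      - 'v*.*.*'
  workflow_dispatch:

# `contents: write` is granted to every job in this workflow.
permissions:
  contents: write

jobs:
  release:
    name: ${{ matrix.os }}
    runs-on: ${{ matrix.os }}
    strategy:
      # One platform failing must not cancel the other platforms' builds.
      fail-fast: false
      matrix:
        os:
          - macos-latest  # arm64 (Apple Silicon)
          - windows-latest  # x64
          - ubuntu-latest  # x64

    steps:
      # NOTE(review): checkout keeps the job token in the clone's git config by
      # default, where the later `npm ci` install scripts can read it. If no
      # later step pushes with it, consider `persist-credentials: false` --
      # confirm `npm run publish` only uses the GITHUB_TOKEN env var.
      - uses: actions/checkout@v4

      - uses: actions/setup-node@v4
        with:
          node-version: '20'
          cache: 'npm'

      # Cache Electron binaries — downloaded during npm ci, large and slow.
      # NOTE(review): `restore-keys` lets a release build fall back to any
      # older `electron-<os>-` cache entry; the cached binaries end up in the
      # shipped artefact, so verify which workflows can write to this cache.
      - name: Cache Electron
        uses: actions/cache@v4
        with:
          path: |
            ~/.cache/electron
            ~/.cache/electron-builder
            ~/AppData/Local/electron/Cache
            ~/AppData/Local/electron-builder/Cache
          key: electron-${{ runner.os }}-${{ hashFiles('**/package-lock.json') }}
          restore-keys: |
            electron-${{ runner.os }}-

      - name: Install dependencies
        run: npm ci

      # Sync package.json version with the pushed tag (strips leading 'v')
      - name: Set version from tag
        if: startsWith(github.ref, 'refs/tags/v')
        shell: bash
        run: npm version "${GITHUB_REF_NAME#v}" --no-git-tag-version

      # Decode the signing certificate into a throwaway keychain that is
      # protected by a random password generated for this run.
      - name: Import Apple certificate
        if: runner.os == 'macOS' && env.APPLE_CERTIFICATE_BASE64 != ''
        env:
          APPLE_CERTIFICATE_BASE64: ${{ secrets.APPLE_CERTIFICATE_BASE64 }}
          APPLE_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
        run: |
          CERTIFICATE_PATH="$RUNNER_TEMP/certificate.p12"
          KEYCHAIN_PATH="$RUNNER_TEMP/signing.keychain-db"
          KEYCHAIN_PASSWORD="$(openssl rand -base64 32)"

          echo "$APPLE_CERTIFICATE_BASE64" | base64 --decode -o "$CERTIFICATE_PATH"

          security create-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
          security set-keychain-settings -lut 21600 "$KEYCHAIN_PATH"
          security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"

          # NOTE(review): -A lets any application use the imported key without
          # a prompt; it is scoped here only by the temporary keychain.
          security import "$CERTIFICATE_PATH" \
            -P "$APPLE_CERTIFICATE_PASSWORD" \
            -A -t cert -f pkcs12 \
            -k "$KEYCHAIN_PATH"

          # The key now lives in the keychain; do not leave the decoded .p12 on
          # disk while the publish step runs third-party build tooling.
          rm -f "$CERTIFICATE_PATH"

          security set-key-partition-list \
            -S apple-tool:,apple:,codesign: \
            -s -k "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"

          security list-keychains -d user -s "$KEYCHAIN_PATH" login.keychain-db

      # The Apple notarisation credentials are only populated on the macOS
      # runner; the other platforms receive empty strings.
      - name: Publish
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          GH_CLIENT_SECRET: ${{ secrets.GH_CLIENT_SECRET }}
          APPLE_ID: ${{ runner.os == 'macOS' && secrets.APPLE_ID || '' }}
          APPLE_ID_PASSWORD: ${{ runner.os == 'macOS' && secrets.APPLE_ID_PASSWORD || '' }}
          APPLE_TEAM_ID: ${{ runner.os == 'macOS' && secrets.APPLE_TEAM_ID || '' }}
        run: npm run publish

      # Runs even when an earlier step failed, so the signing material is
      # removed from the runner in every case.
      - name: Cleanup Apple certificate
        if: runner.os == 'macOS' && always()
        run: |
          KEYCHAIN_PATH="$RUNNER_TEMP/signing.keychain-db"
          # Covers the case where the import step failed before deleting it.
          rm -f "$RUNNER_TEMP/certificate.p12"
          if [ -f "$KEYCHAIN_PATH" ]; then
            security delete-keychain "$KEYCHAIN_PATH"
          fi

      # Rewrites the cask's version and sha256 from the published arm64 zip.
      # NOTE(review): assumes the release asset is already downloadable when
      # this step runs -- confirm the publisher does not leave a draft release.
      - name: Update Homebrew tap
        if: startsWith(github.ref, 'refs/tags/v') && matrix.os == 'macos-latest'
        env:
          HOMEBREW_TAP_TOKEN: ${{ secrets.HOMEBREW_TAP_TOKEN }}
        shell: bash
        run: |
          VERSION="${GITHUB_REF_NAME#v}"
          ZIP="Gnosis-darwin-arm64-${VERSION}.zip"
          # -f makes curl fail on an HTTP error; without it the body of an
          # error page would be hashed and pushed to the cask as the sha256.
          curl -fsSL \
            "https://github.com/oddur/gnosis/releases/download/${GITHUB_REF_NAME}/${ZIP}" \
            -o /tmp/gnosis.zip
          SHA=$(shasum -a 256 /tmp/gnosis.zip | awk '{print $1}')
          # The token is part of the remote URL, so git keeps it in the clone's
          # .git/config for the rest of the job; scope it to the tap repo only.
          git clone "https://x-access-token:${HOMEBREW_TAP_TOKEN}@github.com/oddur/homebrew-gnosis.git" /tmp/homebrew-tap
          sed -i '' "s/version \".*\"/version \"${VERSION}\"/" /tmp/homebrew-tap/Casks/gnosis.rb
          sed -i '' "s/sha256 \".*\"/sha256 \"${SHA}\"/" /tmp/homebrew-tap/Casks/gnosis.rb
          cd /tmp/homebrew-tap
          git config user.email "github-actions[bot]@users.noreply.github.com"
          git config user.name "github-actions[bot]"
          git commit -am "chore: bump gnosis to ${VERSION}"
          git push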