Merge pull request #167 from teaxyz/notorize

notarize as its own job
2025-06-07 07:40:27 +03:00 · 2023-01-21 08:46:47 +08:00 · 2023-01-21 08:46:47 +08:00 · e6bf74cd71
commit e6bf74cd71
parent ed0bfbb66a c6ab5962ff
3 changed files with 255 additions and 126 deletions
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@ -1,7 +1,6 @@
 name: "test"
 on: [pull_request]

-
 jobs:
  changes:
    runs-on: ubuntu-latest
@ -108,112 +107,178 @@ jobs:
        platform:
          - os: macos-11
            name: darwin+x86-64
-            id: mac_latest
          - os: ubuntu-latest
            name: linux+x86-64
-            id: linux
          - os: [self-hosted, macOS, ARM64]
            name: darwin+aarch64
-            id: mac_m1
          # err: Package atk was not found in the pkg-config search path.
          # requires atk >= 2.18
          # - os: [self-hosted, linux, ARM64]
          #   name: linux+aarch64
-    container: ${{ matrix.platform.container }}
    steps:
-      - uses: actions/checkout@v3
+    - uses: actions/checkout@v3
+    - uses: teaxyz/setup@v0
+      if: startsWith(matrix.platform.name, 'darwin')

-      - name: build tauri for MacOS
-        # uses: teaxyz/setup@v0
-        if: startsWith(matrix.platform.name, 'darwin')
-        # FROM: https://tauri.app/v1/guides/distribution/sign-macos
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          ENABLE_CODE_SIGNING: ${{ secrets.GUI_APPLE_CERTIFICATE }}
-          APPLE_CERTIFICATE: ${{ secrets.GUI_APPLE_CERTIFICATE }}
-          APPLE_CERTIFICATE_PASSWORD: ${{ secrets.GUI_APPLE_CERTIFICATE_PASSWORD }}
-          APPLE_SIGNING_IDENTITY: ${{ secrets.APPLE_SIGNING_IDENTITY }}
-          # TODO: uncomment once isolated m1 runner is setup with latest xcode
-          # only used for notarization
-          # APPLE_ID: ${{ secrets.APPLE_ID }}
-          # APPLE_PASSWORD: ${{ secrets.APPLE_PASSWORD }}
-        run: |
-          sh <(curl https://tea.xyz) -ES xc build
+    - name: build tauri for MacOS
+      if: startsWith(matrix.platform.name, 'darwin')
+      # FROM: https://tauri.app/v1/guides/distribution/sign-macos
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        ENABLE_CODE_SIGNING: ${{ secrets.GUI_APPLE_CERTIFICATE }}
+        APPLE_CERTIFICATE: ${{ secrets.GUI_APPLE_CERTIFICATE }}
+        APPLE_CERTIFICATE_PASSWORD: ${{ secrets.GUI_APPLE_CERTIFICATE_PASSWORD }}
+        APPLE_SIGNING_IDENTITY: ${{ secrets.APPLE_SIGNING_IDENTITY }}
+      run: tea -ES xc build

-      - name: build tauri for Linux
-        # uses: teaxyz/setup@v0
-        if: startsWith(matrix.platform.name, 'linux')
-        # TODO: https://tauri.app/v1/guides/distribution/sign-linux
-        uses: docker://getneil/tea-builder:latest
-      
-      - name: build platform output
-        id: build_platform
-        env:
-          platform: ${{ matrix.platform.name }}
-        run: |
-          EXTENSION=dmg
-          BUILD_PLATFORM=$(echo $platform | sed -e "s/darwin+//g" | sed -e "s/linux+//g")
-          [[ $BUILD_PLATFORM = "x86-64" ]] && BUILD_PLATFORM="x64" || BUILD_PLATFORM=$BUILD_PLATFORM
-          [[ $platform = "linux+x86-64" ]] && BUILD_PLATFORM="amd64" || BUILD_PLATFORM=$BUILD_PLATFORM
-          [[ $platform = "linux+x86-64" ]] && EXTENSION="deb"
-          echo "build_platform=$BUILD_PLATFORM" >> $GITHUB_OUTPUT
-          echo "extension=$EXTENSION" >> $GITHUB_OUTPUT
+    - name: build tauri for Linux
+      if: startsWith(matrix.platform.name, 'linux')
+      # TODO: https://tauri.app/v1/guides/distribution/sign-linux
+      uses: docker://getneil/tea-builder:latest

-      - name: zip .app for MacOS
-        if: matrix.platform.name == 'darwin+x86-64' || matrix.platform.name == 'darwin+aarch64'
-        run: |
-          cd ./modules/gui/src-tauri/target/release/bundle/macos/ && zip -r tea.zip tea.app
+    - run: tar -czvf artifacts.tgz -C ./modules/gui/src-tauri/target/release/bundle .

-      - uses: aws-actions/configure-aws-credentials@v1
-        with:
-          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
-          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-          aws-region: us-east-1
+    - name: upload artifacts
+      uses: actions/upload-artifact@v3
+      with:
+        name: ${{ matrix.platform.name }}
+        path: artifacts.tgz
+        if-no-files-found: error

-      - name: cp package images from prod to preview bucket
-        env:
-          prefix: ${{ needs.changes.outputs.preview_folder }}
-          platform: ${{ steps.build_platform.outputs.build_platform }}
-          extension: ${{ steps.build_platform.outputs.extension }}
-        run: |
-          aws s3 cp "./modules/gui/src-tauri/target/release/bundle/$extension/tea_0.1.0_$platform.$extension" \
-            "s3://preview.gui.tea.xyz/$prefix/tea_$platform.$extension"
-  
-      - name: cp package zip for MacOS
-        if: matrix.platform.name == 'darwin+x86-64' || matrix.platform.name == 'darwin+aarch64'
-        env:
-          prefix: ${{ needs.changes.outputs.preview_folder }}
-          platform: ${{ steps.build_platform.outputs.build_platform }}
-        run: |
-          aws s3 cp ./modules/gui/src-tauri/target/release/bundle/macos/tea.zip "s3://preview.gui.tea.xyz/$prefix/tea_$platform.zip"
+  notorize_tauri:
+    needs: [build_tauri]
+    runs-on: macos-11
+    strategy:
+      matrix:
+        platform:
+          - darwin+x86-64
+          - darwin+aarch64
+    steps:
+    - uses: actions/download-artifact@v3
+      with:
+        name: ${{ matrix.platform }}

-      - name: comment install for Linux
-        if: startsWith(matrix.platform.name, 'linux')
-        uses: mshick/add-pr-comment@v2
-        with:
-          message-id: ${{ matrix.platform.id }}-comment
-          message: |
-            **installer for Linux ${{ matrix.platform.name }} is at**: 
-            <a href="http://preview.gui.tea.xyz.s3-website-us-east-1.amazonaws.com/${{ needs.changes.outputs.preview_folder }}/tea_${{steps.build_platform.outputs.build_platform}}.${{steps.build_platform.outputs.extension}}" target="_blank">here</a>
+    - run: tar xzf artifacts.tgz

-            ```bash
-            http://preview.gui.tea.xyz.s3-website-us-east-1.amazonaws.com/${{ needs.changes.outputs.preview_folder }}/tea_${{ steps.build_platform.outputs.build_platform }}.${{ steps.build_platform.outputs.extension }}
-            ```
-            copy-paste into a browser to download
+    - run: cd ./macos/ && zip -r tea.zip tea.app

-      - name: comment install for MacOS
-        if: startsWith(matrix.platform.name, 'darwin')
-        uses: mshick/add-pr-comment@v2
-        with:
-          message-id: ${{ matrix.platform.id }}-comment
-          message: |
-            **installers for MacOS ${{ matrix.platform.name }} is at**: 
-            <a href="http://preview.gui.tea.xyz.s3-website-us-east-1.amazonaws.com/${{ needs.changes.outputs.preview_folder }}/tea_${{steps.build_platform.outputs.build_platform}}.zip" target="_blank">.zip</a>
-            or
-            <a href="http://preview.gui.tea.xyz.s3-website-us-east-1.amazonaws.com/${{ needs.changes.outputs.preview_folder }}/tea_${{steps.build_platform.outputs.build_platform}}.dmg" target="_blank">.dmg</a>
+    # Notarize. Can take up to 10 minutes (and fail) asynchronously
+    - run: xcrun altool --notarize-app --username "$APPLE_ID" --password "$APPLE_PASSWORD" --primary-bundle-id "com.tea.xyz" --file ./macos/tea.zip
+      env:
+        APPLE_ID: ${{ secrets.APPLE_ID }}
+        APPLE_PASSWORD: ${{ secrets.APPLE_PASSWORD }}

-            ```bash
-            http://preview.gui.tea.xyz.s3-website-us-east-1.amazonaws.com/${{ needs.changes.outputs.preview_folder }}/tea_${{ steps.build_platform.outputs.build_platform }}.zip
-            http://preview.gui.tea.xyz.s3-website-us-east-1.amazonaws.com/${{ needs.changes.outputs.preview_folder }}/tea_${{ steps.build_platform.outputs.build_platform }}.dmg
-            ```
-            copy-paste into a browser to download
+  upload:
+    needs: [build_tauri, notorize_tauri]
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        platform:
+          - name: darwin+x86-64
+            id: mac_latest
+          - name: linux+x86-64
+            id: linux
+          - name: darwin+aarch64
+            id: mac_m1
+          # - name: linux+aarch64
+          #   id: linux_arm64
+    steps:
+    - uses: actions/download-artifact@v3
+      with:
+        name: ${{ matrix.platform.name }}
+
+    - run: tar xzf artifacts.tgz
+
+    - name: build platform output
+      id: build_platform
+      env:
+        platform: ${{ matrix.platform.name }}
+      run: |
+        BUILD_PLATFORM=$(echo $platform | sed -e "s/darwin+//g" | sed -e "s/linux+//g")
+        EXTENSION=dmg
+        case $platform in
+          "linux+x86-64")
+            BUILD_PLATFORM="amd64"
+            EXTENSION="deb"
+            ;;
+          "linux+aarch64")
+            BUILD_PLATFORM="aarch64"
+            EXTENSION="deb"
+            ;;
+          "darwin+aarch64")
+            BUILD_PLATFORM="aarch64"
+            EXTENSION="dmg"
+            ;;
+          "darwin+x86-64")
+            BUILD_PLATFORM="x64"
+            EXTENSION="dmg"
+            ;;
+          *)
+            echo "Unknown platform $platform"
+            exit 1
+            ;;
+        esac
+        echo "build_platform=$BUILD_PLATFORM" >> $GITHUB_OUTPUT
+        echo "extension=$EXTENSION" >> $GITHUB_OUTPUT
+
+    - name: zip .app for MacOS
+      if: startsWith(matrix.platform.name, 'darwin+')
+      run: |
+        cd ./macos/
+        zip -r tea.zip tea.app
+
+    - uses: aws-actions/configure-aws-credentials@v1
+      with:
+        aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+        aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+        aws-region: us-east-1
+
+    - name: cp package images from prod to preview bucket
+      env:
+        prefix: ${{ needs.changes.outputs.preview_folder }}
+        platform: ${{ steps.build_platform.outputs.build_platform }}
+        extension: ${{ steps.build_platform.outputs.extension }}
+      run: |
+        aws s3 cp \
+          "./$extension/tea_0.1.0_$platform.$extension" \
+          "s3://preview.gui.tea.xyz/$prefix/tea_$platform.$extension"
+
+    - name: cp package zip for MacOS
+      if: startsWith(matrix.platform.name, 'darwin')
+      env:
+        prefix: ${{ needs.changes.outputs.preview_folder }}
+        platform: ${{ steps.build_platform.outputs.build_platform }}
+      run: |
+        aws s3 cp \
+          ./macos/tea.zip "s3://preview.gui.tea.xyz/$prefix/tea_$platform.zip"
+
+    - name: comment install for Linux
+      if: startsWith(matrix.platform.name, 'linux')
+      uses: mshick/add-pr-comment@v2
+      with:
+        message-id: ${{ matrix.platform.id }}-comment
+        message: |
+          **installer for Linux ${{ matrix.platform.name }} is at**:
+          <a href="http://preview.gui.tea.xyz.s3-website-us-east-1.amazonaws.com/${{ needs.changes.outputs.preview_folder }}/tea_${{steps.build_platform.outputs.build_platform}}.${{steps.build_platform.outputs.extension}}" target="_blank">here</a>
+
+          ```bash
+          http://preview.gui.tea.xyz.s3-website-us-east-1.amazonaws.com/${{ needs.changes.outputs.preview_folder }}/tea_${{ steps.build_platform.outputs.build_platform }}.${{ steps.build_platform.outputs.extension }}
+          ```
+          copy-paste into a browser to download
+
+    - name: comment install for MacOS
+      if: startsWith(matrix.platform.name, 'darwin')
+      uses: mshick/add-pr-comment@v2
+      with:
+        message-id: ${{ matrix.platform.id }}-comment
+        message: |
+          **installers for MacOS ${{ matrix.platform.name }} is at**:
+          <a href="http://preview.gui.tea.xyz.s3-website-us-east-1.amazonaws.com/${{ needs.changes.outputs.preview_folder }}/tea_${{steps.build_platform.outputs.build_platform}}.zip" target="_blank">.zip</a>
+          or
+          <a href="http://preview.gui.tea.xyz.s3-website-us-east-1.amazonaws.com/${{ needs.changes.outputs.preview_folder }}/tea_${{steps.build_platform.outputs.build_platform}}.dmg" target="_blank">.dmg</a>
+
+          ```bash
+          http://preview.gui.tea.xyz.s3-website-us-east-1.amazonaws.com/${{ needs.changes.outputs.preview_folder }}/tea_${{ steps.build_platform.outputs.build_platform }}.zip
+          http://preview.gui.tea.xyz.s3-website-us-east-1.amazonaws.com/${{ needs.changes.outputs.preview_folder }}/tea_${{ steps.build_platform.outputs.build_platform }}.dmg
+          ```
+          copy-paste into a browser to download
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@ -5,7 +5,6 @@ on:
    branches:
      - main

-
 jobs:
  changes:
    runs-on: ubuntu-latest
@ -56,36 +55,79 @@ jobs:
            name: darwin+aarch64
          # - os: [self-hosted, linux, ARM64]
          #   name: linux+aarch64
-    container: ${{ matrix.platform.container }}
    steps:
    - uses: actions/checkout@v3
+    - uses: teaxyz/setup@v0
+      if: startsWith(matrix.platform.name, 'darwin')

    - name: build tauri for MacOS
-      # uses: teaxyz/setup@v0
      if: startsWith(matrix.platform.name, 'darwin')
-      # FROM: https://tauri.app/v1/guides/distribution/sign-macos
+      run: tea -ES xc build
      env:
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        ENABLE_CODE_SIGNING: ${{ secrets.GUI_APPLE_CERTIFICATE }}
        APPLE_CERTIFICATE: ${{ secrets.GUI_APPLE_CERTIFICATE }}
        APPLE_CERTIFICATE_PASSWORD: ${{ secrets.GUI_APPLE_CERTIFICATE_PASSWORD }}
        APPLE_SIGNING_IDENTITY: ${{ secrets.APPLE_SIGNING_IDENTITY }}
-        # todo: uncomment when m1 with latest xcode is deployed
-        # this only helps in notarization
-        # APPLE_ID: ${{ secrets.APPLE_ID }}
-        # APPLE_PASSWORD: ${{ secrets.APPLE_PASSWORD }}
-      run: |
-        sh <(curl https://tea.xyz) -ES xc build

    - name: build tauri for Linux
-      # uses: teaxyz/setup@v0
      if: startsWith(matrix.platform.name, 'linux')
      # TODO: https://tauri.app/v1/guides/distribution/sign-linux
      uses: docker://getneil/tea-builder:latest

+    - run: tar -czvf artifacts.tgz -C ./modules/gui/src-tauri/target/release/bundle .
+
+    - name: upload artifacts
+      uses: actions/upload-artifact@v3
+      with:
+        name: ${{ matrix.platform.name }}
+        path: artifacts.tgz
+        if-no-files-found: error
+
+  notorize_tauri:
+    needs: [build_tauri]
+    runs-on: macos-11
+    strategy:
+      matrix:
+        platform:
+          - darwin+x86-64
+          - darwin+aarch64
+    steps:
+    - uses: actions/download-artifact@v3
+      with:
+        name: ${{ matrix.platform }}
+
+    - run: tar xzf artifacts.tgz
+
+    - run: cd ./macos/ && zip -r tea.zip tea.app
+
+    # Notarize. Can take up to 10 minutes (and fail) asynchronously
+    - run: xcrun altool --notarize-app --username "$APPLE_ID" --password "$APPLE_PASSWORD" --primary-bundle-id "com.tea.xyz" --file ./macos/tea.zip
+      env:
+        APPLE_ID: ${{ secrets.APPLE_ID }}
+        APPLE_PASSWORD: ${{ secrets.APPLE_PASSWORD }}
+
+  upload:
+    needs: [build_tauri, notorize_tauri]
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        platform:
+          - darwin+x86-64
+          - linux+x86-64
+          - darwin+aarch64
+          # - linux+aarch64
+    steps:
+    - uses: actions/download-artifact@v3
+      with:
+        name: ${{ matrix.platform }}
+
+    - run: tar xzf artifacts.tgz
+
    - name: Get current unix ts - seconds
      id: date
      run: echo "unix_seconds=$(date +'%s')" >> $GITHUB_OUTPUT
+
    - uses: aws-actions/configure-aws-credentials@v1
      with:
        aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
@ -95,37 +137,59 @@ jobs:
    - name: build platform output
      id: build_platform
      env:
-        platform: ${{ matrix.platform.name }}
+        platform: ${{ matrix.platform }}
      run: |
        BUILD_PLATFORM=$(echo $platform | sed -e "s/darwin+//g" | sed -e "s/linux+//g")
        EXTENSION=dmg
-        [[ $BUILD_PLATFORM = "x86-64" ]] && BUILD_PLATFORM="x64" || BUILD_PLATFORM=$BUILD_PLATFORM
-        [[ $platform = "linux+x86-64" ]] && BUILD_PLATFORM="amd64" || BUILD_PLATFORM=$BUILD_PLATFORM
-        [[ $platform = "linux+x86-64" ]] && EXTENSION="deb"
+        case $platform in
+          "linux+x86-64")
+            BUILD_PLATFORM="amd64"
+            EXTENSION="deb"
+            ;;
+          "linux+aarch64")
+            BUILD_PLATFORM="aarch64"
+            EXTENSION="deb"
+            ;;
+          "darwin+aarch64")
+            BUILD_PLATFORM="aarch64"
+            EXTENSION="dmg"
+            ;;
+          "darwin+x86-64")
+            BUILD_PLATFORM="x64"
+            EXTENSION="dmg"
+            ;;
+          *)
+            echo "Unknown platform $platform"
+            exit 1
+            ;;
+        esac
        echo "build_platform=$BUILD_PLATFORM" >> $GITHUB_OUTPUT
        echo "extension=$EXTENSION" >> $GITHUB_OUTPUT
-  
+
    - name: zip .app for MacOS
-      if: startsWith(matrix.platform.name, 'darwin')
+      if: startsWith(matrix.platform, 'darwin+')
      run: |
-        cd ./modules/gui/src-tauri/target/release/bundle/macos/ && zip -r tea.zip tea.app
+        cd ./modules/gui/src-tauri/target/release/bundle/macos/
+        zip -r tea.zip tea.app

    - name:  cp package images from prod to gui bucket
      env:
        platform: ${{ steps.build_platform.outputs.build_platform }}
-        build_platform: ${{ matrix.platform.name }}
+        build_platform: ${{ matrix.platform }}
        extension: ${{steps.build_platform.outputs.extension}}
      run: |
-        aws s3 cp "./modules/gui/src-tauri/target/release/bundle/$extension/tea_0.1.0_$platform.$extension" \
+        aws s3 cp \
+          "./$extension/tea_0.1.0_$platform.$extension" \
          "s3://preview.gui.tea.xyz/release/tea_${{ steps.date.outputs.unix_seconds }}_$platform.$extension"

    - name: cp package zip for MacOS
-      if: startsWith(matrix.platform.name, 'darwin')
+      if: startsWith(matrix.platform, 'darwin')
      env:
        platform: ${{ steps.build_platform.outputs.build_platform }}
-        build_platform: ${{ matrix.platform.name }}
+        build_platform: ${{ matrix.platform }}
      run: |
-        aws s3 cp ./modules/gui/src-tauri/target/release/bundle/macos/tea.zip "s3://preview.gui.tea.xyz/release/tea_${{ steps.date.outputs.unix_seconds }}_$platform.zip"
+        aws s3 cp ./macos/tea.zip \
+          "s3://preview.gui.tea.xyz/release/tea_${{ steps.date.outputs.unix_seconds }}_$platform.zip"
    - uses: actions/setup-node@v3
      with:
        node-version: 18
@ -133,15 +197,15 @@ jobs:
      run: ./.github/notify-slack.js
      env:
        SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
-        PLATFORM: ${{ matrix.platform.name }}
+        PLATFORM: ${{ matrix.platform }}
        EXT: ${{ steps.build_platform.outputs.extension }}
        DOWNLOAD_URL:  http://preview.gui.tea.xyz.s3-website-us-east-1.amazonaws.com/release/tea_${{ steps.date.outputs.unix_seconds }}_${{ steps.build_platform.outputs.build_platform }}.${{ steps.build_platform.outputs.extension }}

    - name: Slack Notification for .app Mac
      run: ./.github/notify-slack.js
-      if: startsWith(matrix.platform.name, 'darwin')
+      if: startsWith(matrix.platform, 'darwin')
      env:
        SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
-        PLATFORM: ${{ matrix.platform.name }}
+        PLATFORM: ${{ matrix.platform }}
        EXT: .zip(.app)
        DOWNLOAD_URL:  http://preview.gui.tea.xyz.s3-website-us-east-1.amazonaws.com/release/tea_${{ steps.date.outputs.unix_seconds }}_${{ steps.build_platform.outputs.build_platform }}.zip
--- a/modules/gui/src-tauri/src/main.rs
+++ b/modules/gui/src-tauri/src/main.rs
@ -1,15 +1,15 @@
 #![cfg_attr(
-  all(not(debug_assertions), target_os = "windows"),
-  windows_subsystem = "windows"
+    all(not(debug_assertions), target_os = "windows"),
+    windows_subsystem = "windows"
 )]

 mod handlers;

 fn main() {
-  tauri::Builder::default()
-    .invoke_handler(tauri::generate_handler![
-      handlers::packages::install_package,
-    ])
-    .run(tauri::generate_context!())
-    .expect("error while running tauri application");
+    tauri::Builder::default()
+        .invoke_handler(tauri::generate_handler![
+            handlers::packages::install_package,
+        ])
+        .run(tauri::generate_context!())
+        .expect("error while running tauri application");
 }