name: build-sign-notarize on: workflow_call: inputs: platform: required: true type: string s3-prefix: required: true type: string debug: required: true type: string sync-translation: required: false type: string outputs: s3-electron-dist-key: description: 'The S3 build key includes the installer files: [zip, dmg, etc, yml] from electron' value: ${{ jobs.build.outputs.s3-artifacts-key }} s3-custom-notarized-installers-key: description: 'The S3 build key includes the installer files: [zip, dmg, etc, yml] from notarization strategy done outside of electron' value: ${{ jobs.notarize-mac-installers.outputs.s3-installers-key }} jobs: get-platform: runs-on: ubuntu-latest outputs: os: ${{ steps.platform.outputs.os }} cache-set: ${{ steps.platform.outputs.cache-set }} steps: - uses: teaxyz/brewkit/actions/get-platform@main id: platform with: platform: ${{ inputs.platform }} build: needs: [get-platform] runs-on: ${{ fromJson(needs.get-platform.outputs.os) }} outputs: s3-artifacts-key: ${{ steps.s3-artifact-uploader.outputs.key }} steps: - uses: teaxyz/setup@v0 with: version: 0.26.2 - uses: actions/checkout@v3 - name: get gui version id: gui-version run: | tea +stedolan.github.io/jq export version=$(echo $(cat modules/desktop/package.json) | jq --raw-output .version) export postfix= release="release" if [ $prefix == $release ]; then echo "no postfix" else echo "dev" export postfix=-dev fi echo "version=$version$postfix" >> $GITHUB_OUTPUT env: prefix: ${{ inputs.s3-prefix }} - name: cache node_modules build # TODO: cache issue in our self-hosted macos runner ESPIPE: invalid seek, read # but its ok to ignore, its still the fastest builder # NOTE: enabling cache in the self hosted runner slows down the pipeline by 4m because post-cache builder error ^ if: startsWith(inputs.platform, 'linux') || matrix.platform.name == 'darwin+x86-64' uses: actions/cache@v3 with: key: ${{ runner.os }}-pnpm path: | ./pnpm ./.pnpm-store ./node_modules ./modules/desktop/node_modules ./modules/ui/node_modules - name: cache electron build uses: actions/cache@v3 with: key: ${{ runner.os }}-electron path: | ./modules/desktop/.svelte-kit ./modules/desktop/build - name: build dev if: inputs.s3-prefix != 'release' run: tea -SE xc dist env: SYNC_I18N: 1 PUBLIC_MIXPANEL_TOKEN: ${{ secrets.MIXPANEL_PROJECT_TOKEN }} DEBUG_BUILD: ${{ inputs.debug }} PUBLIC_VERSION: ${{ steps.gui-version.outputs.version }} USE_HARD_LINKS: false CSC_FOR_PULL_REQUEST: true CSC_LINK: ${{ secrets.GUI_APPLE_CERTIFICATE }} CSC_KEY_PASSWORD: ${{ secrets.GUI_APPLE_CERTIFICATE_PASSWORD }} CSC_NAME: ${{ secrets.APPLE_IDENTITY_NO_PREFIX }} # slower build but dmg output is much nicer looking - name: build release if: inputs.s3-prefix == 'release' run: tea -SE xc dist env: SYNC_I18N: 1 PUBLIC_MIXPANEL_TOKEN: ${{ secrets.MIXPANEL_PROJECT_TOKEN }} DEBUG_BUILD: ${{ inputs.debug }} PUBLIC_VERSION: ${{ steps.gui-version.outputs.version }} USE_HARD_LINKS: false CSC_FOR_PULL_REQUEST: true CSC_LINK: ${{ secrets.GUI_APPLE_CERTIFICATE }} CSC_KEY_PASSWORD: ${{ secrets.GUI_APPLE_CERTIFICATE_PASSWORD }} CSC_NAME: ${{ secrets.APPLE_IDENTITY_NO_PREFIX }} GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} APPLE_ID: ${{ secrets.APPLE_ID }} APPLE_APP_SPECIFIC_PASSWORD: ${{ secrets.APPLE_PASSWORD }} - name: build artifacts for publishing and notarization run: | mkdir -p target cp ./modules/desktop/dist/*.{zip,dmg,yml,blockmap} ./target/ tar -czvf artifacts.tgz -C ./target/ . - uses: aws-actions/configure-aws-credentials@v1 with: aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} aws-region: us-east-1 - name: s3 artifact upload id: s3-artifact-uploader env: prefix: ${{ inputs.s3-prefix }} run: | S3_KEY=s3://preview.gui.tea.xyz/$prefix/artifacts.tgz aws s3 cp artifacts.tgz $S3_KEY echo key=$S3_KEY >> $GITHUB_OUTPUT - name: sync translation if: inputs.sync-translation == '1' run: | cd modules/desktop && tea -SE node scripts/update-crowdin-source.cjs env: CROWDIN_API_TOKEN: ${{ secrets.CROWDIN_API_TOKEN }} notarize-mac-installers: if: inputs.s3-prefix != 'release' # TODO: run only for mac, create separate Job for linux needs: [get-platform, build] runs-on: macos-11 outputs: s3-installers-key: ${{ steps.s3-installers-upload.outputs.s3-key }} strategy: matrix: platform: # no need for x86-64 - darwin+aarch64 steps: - uses: teaxyz/setup@v0 with: version: 0.26.2 - uses: actions/checkout@v3 - run: rm -rf ./*.{dmg,zip} || true - name: cache node_modules build uses: actions/cache@v3 with: key: darwin+x86-64-pnpm path: | ./pnpm ./.pnpm-store ./node_modules ./modules/desktop/node_modules ./modules/ui/node_modules - uses: aws-actions/configure-aws-credentials@v1 with: aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} aws-region: us-east-1 - name: s3 artifact download env: S3_KEY: ${{ needs.build.outputs.s3-artifacts-key }} run: aws s3 cp $S3_KEY artifacts.tgz # prepare folders - run: mkdir dist - run: tar xzf artifacts.tgz -C dist - name: get .zip of arm64 and x86+64 id: app_files working-directory: ./dist run: | ARM64_ZIP=$(ls | grep -Ev blockmap | grep arm64-mac.zip) X86_ZIP=$(ls | grep -Ev blockmap | grep -Ev arm64 | grep mac.zip) ARM64_DMG=$(ls | grep -Ev blockmap | grep arm64.dmg) X86_DMG=$(ls | grep -Ev blockmap | grep -Ev arm64 | grep dmg) echo zip_arm64=$ARM64_ZIP >> $GITHUB_OUTPUT echo zip_x86=$X86_ZIP >> $GITHUB_OUTPUT echo dmg_arm64=$ARM64_DMG >> $GITHUB_OUTPUT echo dmg_x86=$X86_DMG >> $GITHUB_OUTPUT # Notarize. Can take up to 10 minutes (and fail) asynchronously # sometimes this might fail because exact the same zip has been uploaded already - name: notarize .app arm64 run: xcrun altool --notarize-app --username "$APPLE_ID" --password "$APPLE_PASSWORD" --primary-bundle-id "com.tea.xyz" --file dist/$ZIP_FILE || true env: APPLE_ID: ${{ secrets.APPLE_ID }} APPLE_PASSWORD: ${{ secrets.APPLE_PASSWORD }} ZIP_FILE: ${{ steps.app_files.outputs.zip_arm64 }} - name: notarize .app x86+64 run: xcrun altool --notarize-app --username "$APPLE_ID" --password "$APPLE_PASSWORD" --primary-bundle-id "com.tea.xyz" --file dist/$ZIP_FILE || true env: APPLE_ID: ${{ secrets.APPLE_ID }} APPLE_PASSWORD: ${{ secrets.APPLE_PASSWORD }} ZIP_FILE: ${{ steps.app_files.outputs.zip_x86 }} # prepare for DMG creation - name: prepare installer folders run: | mkdir x86_installer && mkdir arm64_installer tar xzf dist/$ZIP_FILE_X86 -C x86_installer/ tar xzf dist/$ZIP_FILE_ARM64 -C arm64_installer/ env: ZIP_FILE_X86: ${{ steps.app_files.outputs.zip_x86 }} ZIP_FILE_ARM64: ${{ steps.app_files.outputs.zip_arm64 }} - name: create x86 dmg run: | tea +github.com/create-dmg/create-dmg create-dmg \ --volname "Tea Installer" \ --window-pos 200 120 \ --window-size 800 400 \ --icon-size 100 \ --icon "tea.app" 200 190 \ --volicon "./modules/desktop/electron/mac-icon.icns" \ --hide-extension "tea.app" \ --app-drop-link 600 185 \ --sandbox-safe \ "$filename" \ "$installer_folder" env: filename: ${{ steps.app_files.outputs.dmg_x86 }} installer_folder: x86_installer/ - name: create arm64 dmg run: | tea +github.com/create-dmg/create-dmg create-dmg \ --volname "Tea Installer" \ --window-pos 200 120 \ --window-size 800 400 \ --icon-size 100 \ --icon "tea.app" 200 190 \ --volicon "./modules/desktop/electron/mac-icon.icns" \ --hide-extension "tea.app" \ --app-drop-link 600 185 \ --sandbox-safe \ "$filename" \ "$installer_folder" env: filename: ${{ steps.app_files.outputs.dmg_arm64 }} installer_folder: arm64_installer/ # finalize dist artifacts - name: replace old DMG files in dist folder run: | mv $x86dmg dist mv $arm64dmg dist tea -E pnpm install tea -E node .github/create-correct-release-yaml.js ./dist tar -czvf dist.tgz -C dist/ . env: x86dmg: ${{ steps.app_files.outputs.dmg_x86 }} arm64dmg: ${{ steps.app_files.outputs.dmg_arm64 }} - name: s3 installers upload id: s3-installers-upload env: prefix: ${{ inputs.s3-prefix }} run: | export S3_INSTALLERS_KEY=s3://preview.gui.tea.xyz/$prefix/dist.tgz aws s3 cp dist.tgz $S3_INSTALLERS_KEY echo s3-key=$S3_INSTALLERS_KEY >> $GITHUB_OUTPUT