name: build-sign-notarize on: workflow_call: inputs: platform: required: true type: string s3-prefix: required: true type: string debug: required: true type: string sync-translation: required: false type: string outputs: s3-electron-dist-key: description: "The S3 build key includes the installer files: [zip, dmg, etc, yml] from electron" value: ${{ jobs.build.outputs.s3-artifacts-key }} s3-custom-notarized-installers-key: description: "The S3 build key includes the installer files: [zip, dmg, etc, yml] from notarization strategy done outside of electron" value: ${{ jobs.build.outputs.s3-artifacts-key }} jobs: verify: runs-on: ubuntu-latest outputs: is-updated: ${{ steps.check_version.outputs.updated }} steps: - uses: teaxyz/setup@v0 with: version: 0.35.7 - uses: actions/checkout@v3 with: fetch-depth: 5 - name: Check if version in package.json was updated id: check_version run: | # Get the current version from package.json CURRENT_VERSION=$(jq -r .version package.json) # Get the list of changed files between HEAD and the previous commit CHANGED_FILES=$(git diff --name-only HEAD^ HEAD) # If package.json is in the list of changed files, check the old version if echo "$CHANGED_FILES" | grep -q "package.json"; then OLD_VERSION=$(git show "HEAD^:package.json" | jq -r .version 2>/dev/null) else OLD_VERSION=$CURRENT_VERSION fi if [[ "$OLD_VERSION" != "$CURRENT_VERSION" ]] && [[ "$CURRENT_VERSION" > "$OLD_VERSION" ]]; then echo "updated=true" >> $GITHUB_OUTPUT else echo "updated=false" >> $GITHUB_OUTPUT fi - name: Check if PR is from fork id: check-fork run: | echo "::set-output name=isFork::$(if [ \"${{ github.event.pull_request.head.repo.full_name }}\" != \"${{ github.repository }}\" ]; then echo true; else echo false; fi)" shell: bash build: needs: verify if: needs.verify.outputs.is-updated == 'true' runs-on: macos-latest outputs: s3-artifacts-key: ${{ steps.s3-artifact-uploader.outputs.key }} build-version: ${{ steps.gui-version.outputs.version }} steps: - uses: teaxyz/setup@v0 with: version: 0.35.7 - uses: actions/checkout@v3 - name: cache node_modules build # TODO: cache issue in our self-hosted macos runner ESPIPE: invalid seek, read # but its ok to ignore, its still the fastest builder # NOTE: enabling cache in the self hosted runner slows down the pipeline by 4m because post-cache builder error ^ if: startsWith(inputs.platform, 'linux') || matrix.platform.name == 'darwin+x86-64' uses: actions/cache@v3 with: key: ${{ runner.os }}-npm path: ./node_modules - name: cache electron build uses: actions/cache@v3 with: key: ${{ runner.os }}-electron path: | ./svelte/.svelte-kit ./svelte/build - name: build run: tea -SE xc dist env: NOTARIZE: true PUBLIC_MIXPANEL_TOKEN: ${{ secrets.MIXPANEL_PROJECT_TOKEN }} DEBUG_BUILD: ${{ inputs.debug }} PUBLIC_VERSION: ${{ steps.gui-version.outputs.version }} USE_HARD_LINKS: false CSC_FOR_PULL_REQUEST: true CSC_LINK: ${{ secrets.GUI_APPLE_CERTIFICATE }} CSC_KEY_PASSWORD: ${{ secrets.GUI_APPLE_CERTIFICATE_PASSWORD }} CSC_NAME: ${{ secrets.APPLE_IDENTITY_NO_PREFIX }} GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} APPLE_ID: ${{ secrets.APPLE_ID }} APPLE_APP_SPECIFIC_PASSWORD: ${{ secrets.APPLE_PASSWORD }} PUSHY_APP_ID: ${{ secrets.PUSHY_APP_ID }} SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }} APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }} - name: build artifacts for publishing and notarization run: | mkdir -p target cp ./dist/*.{zip,dmg,yml,blockmap} ./target/ tar -czvf artifacts.tgz -C ./target/ . - uses: aws-actions/configure-aws-credentials@v1 with: aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} aws-region: us-east-1 - name: s3 artifact upload id: s3-artifact-uploader env: prefix: ${{ inputs.s3-prefix }} run: | S3_KEY=s3://preview.gui.tea.xyz/$prefix/artifacts.tgz aws s3 cp artifacts.tgz $S3_KEY echo key=$S3_KEY >> $GITHUB_OUTPUT