gui/.github/workflows/build-sign-notarize.yml

name: build-sign-notarize

on:
  workflow_call:
    inputs:
      platform:
        required: true
        type: string
      s3-prefix:
        required: true
        type: string
      debug:
        required: true
        type: string
      sync-translation:
        required: false
        type: string
    outputs:
      s3-electron-dist-key:
        description: 'The S3 build key includes the installer files: [zip, dmg, etc, yml] from electron'
        value: ${{ jobs.build.outputs.s3-artifacts-key }}
      s3-custom-notarized-installers-key:
        description: 'The S3 build key includes the installer files: [zip, dmg, etc, yml] from notarization strategy done outside of electron'
        value: ${{ jobs.notarize-mac-installers.outputs.s3-installers-key }}
jobs:
  verify:
    runs-on: ubuntu-latest
    outputs:
      is-updated: ${{ steps.check_version.outputs.updated }}
    steps:
      - uses: teaxyz/setup@v0
        with:
          version: 0.35.7
      - uses: actions/checkout@v3
        with:
          fetch-depth: 5
      - name: Check if version in package.json was updated
        id: check_version
        run: |
          # Get the current version from package.json
          CURRENT_VERSION=$(jq -r .version modules/desktop/package.json)

          # Get the list of changed files between HEAD and the previous commit
          CHANGED_FILES=$(git diff --name-only HEAD^ HEAD)

          # If package.json is in the list of changed files, check the old version
          if echo "$CHANGED_FILES" | grep -q "desktop/package.json"; then
            OLD_VERSION=$(git show "HEAD^:modules/desktop/package.json" | jq -r .version 2>/dev/null)
          else
            OLD_VERSION=$CURRENT_VERSION
          fi

          if [[ "$OLD_VERSION" != "$CURRENT_VERSION" ]] && [[ "$CURRENT_VERSION" > "$OLD_VERSION" ]]; then
            echo "updated=true" >> $GITHUB_OUTPUT
          else
            echo "updated=false" >> $GITHUB_OUTPUT
          fi          
      - name: Check if PR is from fork
        id: check-fork
        run: |
          echo "::set-output name=isFork::$(if [ \"${{ github.event.pull_request.head.repo.full_name }}\" != \"${{ github.repository }}\" ]; then echo true; else echo false; fi)"          
        shell: bash

  build:
    needs: verify
    if: needs.verify.outputs.is-updated == 'true'
    runs-on: macos-latest
    outputs:
      s3-artifacts-key: ${{ steps.s3-artifact-uploader.outputs.key }}
      build-version: ${{ steps.gui-version.outputs.version }}
    steps:
      - uses: teaxyz/setup@v0
        with:
          version: 0.35.7
      - uses: actions/checkout@v3

      - name: cache node_modules build
        # TODO: cache issue in our self-hosted macos runner ESPIPE: invalid seek, read
        # but its ok to ignore, its still the fastest builder
        # NOTE: enabling cache in the self hosted runner slows down the pipeline by 4m because post-cache builder error ^
        if: startsWith(inputs.platform, 'linux') || matrix.platform.name == 'darwin+x86-64'
        uses: actions/cache@v3
        with:
          key: ${{ runner.os }}-pnpm
          path: |
            ./pnpm
            ./.pnpm-store
            ./node_modules
            ./modules/desktop/node_modules
            ./modules/ui/node_modules            
      - name: cache electron build
        uses: actions/cache@v3
        with:
          key: ${{ runner.os }}-electron
          path: |
            ./modules/desktop/.svelte-kit
            ./modules/desktop/build            

      - name: build dev
        if: inputs.s3-prefix != 'release'
        run: tea -SE xc dist
        env:
          SYNC_I18N: 1
          PUBLIC_MIXPANEL_TOKEN: ${{ secrets.MIXPANEL_PROJECT_TOKEN }}
          DEBUG_BUILD: ${{ inputs.debug }}
          USE_HARD_LINKS: false
          CSC_FOR_PULL_REQUEST: true
          CSC_LINK: ${{ secrets.GUI_APPLE_CERTIFICATE }}
          CSC_KEY_PASSWORD: ${{ secrets.GUI_APPLE_CERTIFICATE_PASSWORD }}
          CSC_NAME: ${{ secrets.APPLE_IDENTITY_NO_PREFIX }}
          PUBLISH_URL: "https://gui.tea.xyz/dev"

      # slower build but dmg output is much nicer looking
      - name: build release
        if: inputs.s3-prefix == 'release'
        run: tea -SE xc dist
        env:
          SYNC_I18N: 1
          PUBLIC_MIXPANEL_TOKEN: ${{ secrets.MIXPANEL_PROJECT_TOKEN }}
          DEBUG_BUILD: ${{ inputs.debug }}
          PUBLIC_VERSION: ${{ steps.gui-version.outputs.version }}
          USE_HARD_LINKS: false
          CSC_FOR_PULL_REQUEST: true
          CSC_LINK: ${{ secrets.GUI_APPLE_CERTIFICATE }}
          CSC_KEY_PASSWORD: ${{ secrets.GUI_APPLE_CERTIFICATE_PASSWORD }}
          CSC_NAME: ${{ secrets.APPLE_IDENTITY_NO_PREFIX }}
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          APPLE_ID: ${{ secrets.APPLE_ID }}
          APPLE_APP_SPECIFIC_PASSWORD: ${{ secrets.APPLE_PASSWORD }}
          PUSHY_APP_ID: ${{ secrets.PUSHY_APP_ID }}
          SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}

      - name: build artifacts for publishing and notarization
        run: |
          mkdir -p target
          cp ./modules/desktop/dist/*.{zip,dmg,yml,blockmap} ./target/
          tar -czvf artifacts.tgz -C ./target/ .          

      - uses: aws-actions/configure-aws-credentials@v1
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws-region: us-east-1

      - name: s3 artifact upload
        id: s3-artifact-uploader
        env:
          prefix: ${{ inputs.s3-prefix }}
        run: |
          S3_KEY=s3://preview.gui.tea.xyz/$prefix/artifacts.tgz
          aws s3 cp artifacts.tgz $S3_KEY
          echo key=$S3_KEY >> $GITHUB_OUTPUT          

  notarize-mac-installers:
    if: inputs.s3-prefix != 'release' && needs.verify.outputs.is-updated == 'true'
    # TODO: run only for mac, create separate Job for linux
    needs: [build, verify]
    runs-on: macos-11
    outputs:
      s3-installers-key: ${{ steps.s3-installers-upload.outputs.s3-key }}
    strategy:
      matrix:
        platform:
          # no need for x86-64
          - darwin+aarch64
    steps:
    - uses: teaxyz/setup@v0
      with:
        version: 0.35.7
    - uses: actions/checkout@v3
    - run: rm -rf ./*.{dmg,zip} || true

    - name: cache node_modules build
      uses: actions/cache@v3
      with:
        key: darwin+x86-64-pnpm
        path: |
          ./pnpm
          ./.pnpm-store
          ./node_modules
          ./modules/desktop/node_modules
          ./modules/ui/node_modules          
    - uses: aws-actions/configure-aws-credentials@v1
      with:
        aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
        aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
        aws-region: us-east-1

    - name: s3 artifact download
      env:
        S3_KEY: ${{ needs.build.outputs.s3-artifacts-key }}
      run: aws s3 cp $S3_KEY artifacts.tgz

    # prepare folders
    - run: mkdir dist
    - run: tar xzf artifacts.tgz -C dist

    - name: get .zip of arm64 and x86+64
      id: app_files
      working-directory: ./dist
      run: |
        ARM64_ZIP=$(ls | grep -Ev blockmap | grep arm64-mac.zip)
        X86_ZIP=$(ls | grep -Ev blockmap | grep -Ev arm64 | grep mac.zip)
        ARM64_DMG=$(ls | grep -Ev blockmap | grep arm64.dmg)
        X86_DMG=$(ls | grep -Ev blockmap | grep -Ev arm64 | grep dmg)
        echo zip_arm64=$ARM64_ZIP >> $GITHUB_OUTPUT
        echo zip_x86=$X86_ZIP >> $GITHUB_OUTPUT
        echo dmg_arm64=$ARM64_DMG >> $GITHUB_OUTPUT
        echo dmg_x86=$X86_DMG >> $GITHUB_OUTPUT        

    # Notarize. Can take up to 10 minutes (and fail) asynchronously
    # sometimes this might fail because exact the same zip has been uploaded already

    - name: notarize .app arm64
      # run: xcrun notarytool submit dist/$ZIP_FILE --keychain-profile "xyz.tea.gui" --apple-id "$APPLE_ID" --password "$APPLE_PASSWORD" --wait
      run: xcrun altool --notarize-app --username "$APPLE_ID" --password "$APPLE_PASSWORD" --primary-bundle-id "xyz.tea.gui" --file dist/$ZIP_FILE || true
      env:
        APPLE_ID: ${{ secrets.APPLE_ID }}
        APPLE_PASSWORD: ${{ secrets.APPLE_PASSWORD }}
        ZIP_FILE: ${{ steps.app_files.outputs.zip_arm64 }}

    - name: notarize .app x86+64
      # run: xcrun notarytool submit dist/$ZIP_FILE --keychain-profile "xyz.tea.gui" --apple-id "$APPLE_ID" --password "$APPLE_PASSWORD" --wait
      run: xcrun altool --notarize-app --username "$APPLE_ID" --password "$APPLE_PASSWORD" --primary-bundle-id "xyz.tea.gui" --file dist/$ZIP_FILE || true
      env:
        APPLE_ID: ${{ secrets.APPLE_ID }}
        APPLE_PASSWORD: ${{ secrets.APPLE_PASSWORD }}
        ZIP_FILE: ${{ steps.app_files.outputs.zip_x86 }}

    # prepare for DMG creation
    - name: prepare installer folders
      run: |
        mkdir x86_installer && mkdir arm64_installer
        tar xzf dist/$ZIP_FILE_X86 -C x86_installer/
        tar xzf dist/$ZIP_FILE_ARM64 -C arm64_installer/        
      env:
        ZIP_FILE_X86: ${{ steps.app_files.outputs.zip_x86 }}
        ZIP_FILE_ARM64: ${{ steps.app_files.outputs.zip_arm64 }}

    - name: create x86 dmg
      run: |
        tea +github.com/create-dmg/create-dmg create-dmg \
        --volname "Tea Installer" \
        --window-pos 200 120 \
        --window-size 800 400 \
        --icon-size 100 \
        --icon "tea.app" 200 190 \
        --volicon "./modules/desktop/electron/icon.icns" \
        --hide-extension "tea.app" \
        --app-drop-link 600 185 \
        --sandbox-safe \
        "$filename" \
        "$installer_folder"        
      env:
        filename: ${{ steps.app_files.outputs.dmg_x86 }}
        installer_folder: x86_installer/

    - name: create arm64 dmg
      run: |
        tea +github.com/create-dmg/create-dmg create-dmg \
        --volname "Tea Installer" \
        --window-pos 200 120 \
        --window-size 800 400 \
        --icon-size 100 \
        --icon "tea.app" 200 190 \
        --volicon "./modules/desktop/electron/icon.icns" \
        --hide-extension "tea.app" \
        --app-drop-link 600 185 \
        --sandbox-safe \
        "$filename" \
        "$installer_folder"        
      env:
        filename: ${{ steps.app_files.outputs.dmg_arm64 }}
        installer_folder: arm64_installer/

    # finalize dist artifacts
    - name: replace old DMG files in dist folder
      run: |
        mv $x86dmg dist
        mv $arm64dmg dist
        tea -E pnpm install
        tea -E node .github/create-correct-release-yaml.js ./dist
        tar -czvf dist.tgz -C dist/ .        
      env:
        x86dmg: ${{ steps.app_files.outputs.dmg_x86 }}
        arm64dmg: ${{ steps.app_files.outputs.dmg_arm64 }}

    - name: s3 installers upload
      id: s3-installers-upload
      env:
        prefix: ${{ inputs.s3-prefix }}
      run: |
        export S3_INSTALLERS_KEY=s3://preview.gui.tea.xyz/$prefix/dist.tgz
        aws s3 cp dist.tgz $S3_INSTALLERS_KEY
        echo s3-key=$S3_INSTALLERS_KEY >> $GITHUB_OUTPUT