gui/.github/workflows/build-sign-notarize.yml

name: build-sign-notarize

on:
  workflow_call:
    inputs:
      platform:
        required: true
        type: string
      s3-prefix:
        required: true
        type: string
      debug:
        required: true
        type: string
      sync-translation:
        required: false
        type: string
    outputs:
      s3-electron-dist-key:
        description: "The S3 build key includes the installer files: [zip, dmg, etc, yml] from electron"
        value: ${{ jobs.build.outputs.s3-artifacts-key }}
      s3-custom-notarized-installers-key:
        description: "The S3 build key includes the installer files: [zip, dmg, etc, yml] from notarization strategy done outside of electron"
        value: ${{ jobs.build.outputs.s3-artifacts-key }}
jobs:
  verify:
    runs-on: ubuntu-latest
    outputs:
      is-updated: ${{ steps.check_version.outputs.updated }}
    steps:
      - uses: teaxyz/setup@v0
        with:
          version: 0.35.7
      - uses: actions/checkout@v3
        with:
          fetch-depth: 5
      - name: Check if version in package.json was updated
        id: check_version
        run: |
          # Get the current version from package.json
          CURRENT_VERSION=$(jq -r .version package.json)

          # Get the list of changed files between HEAD and the previous commit
          CHANGED_FILES=$(git diff --name-only HEAD^ HEAD)

          # If package.json is in the list of changed files, check the old version
          if echo "$CHANGED_FILES" | grep -q "package.json"; then
            OLD_VERSION=$(git show "HEAD^:package.json" | jq -r .version 2>/dev/null)
          else
            OLD_VERSION=$CURRENT_VERSION
          fi

          if [[ "$OLD_VERSION" != "$CURRENT_VERSION" ]] && [[ "$CURRENT_VERSION" > "$OLD_VERSION" ]]; then
            echo "updated=true" >> $GITHUB_OUTPUT
          else
            echo "updated=false" >> $GITHUB_OUTPUT
          fi          
      - name: Check if PR is from fork
        id: check-fork
        run: |
          echo "::set-output name=isFork::$(if [ \"${{ github.event.pull_request.head.repo.full_name }}\" != \"${{ github.repository }}\" ]; then echo true; else echo false; fi)"          
        shell: bash

  build:
    needs: verify
    if: needs.verify.outputs.is-updated == 'true'
    runs-on: macos-latest
    outputs:
      s3-artifacts-key: ${{ steps.s3-artifact-uploader.outputs.key }}
      build-version: ${{ steps.gui-version.outputs.version }}
    steps:
      - uses: teaxyz/setup@v0
        with:
          version: 0.35.7
      - uses: actions/checkout@v3

      - name: cache node_modules build
        # TODO: cache issue in our self-hosted macos runner ESPIPE: invalid seek, read
        # but its ok to ignore, its still the fastest builder
        # NOTE: enabling cache in the self hosted runner slows down the pipeline by 4m because post-cache builder error ^
        if: startsWith(inputs.platform, 'linux') || matrix.platform.name == 'darwin+x86-64'
        uses: actions/cache@v3
        with:
          key: ${{ runner.os }}-npm
          path: ./node_modules
      - name: cache electron build
        uses: actions/cache@v3
        with:
          key: ${{ runner.os }}-electron
          path: |
            ./svelte/.svelte-kit
            ./svelte/build            

      - name: build
        run: tea -SE xc dist
        env:
          NOTARIZE: true
          PUBLIC_MIXPANEL_TOKEN: ${{ secrets.MIXPANEL_PROJECT_TOKEN }}
          DEBUG_BUILD: ${{ inputs.debug }}
          PUBLIC_VERSION: ${{ steps.gui-version.outputs.version }}
          USE_HARD_LINKS: false
          CSC_FOR_PULL_REQUEST: true
          CSC_LINK: ${{ secrets.GUI_APPLE_CERTIFICATE }}
          CSC_KEY_PASSWORD: ${{ secrets.GUI_APPLE_CERTIFICATE_PASSWORD }}
          CSC_NAME: ${{ secrets.APPLE_IDENTITY_NO_PREFIX }}
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          APPLE_ID: ${{ secrets.APPLE_ID }}
          APPLE_APP_SPECIFIC_PASSWORD: ${{ secrets.APPLE_PASSWORD }}
          PUSHY_APP_ID: ${{ secrets.PUSHY_APP_ID }}
          SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}
          APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}

      - name: build artifacts for publishing and notarization
        run: |
          mkdir -p target
          cp ./dist/*.{zip,dmg,yml,blockmap} ./target/
          tar -czvf artifacts.tgz -C ./target/ .          

      - uses: aws-actions/configure-aws-credentials@v1
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws-region: us-east-1

      - name: s3 artifact upload
        id: s3-artifact-uploader
        env:
          prefix: ${{ inputs.s3-prefix }}
        run: |
          S3_KEY=s3://preview.gui.tea.xyz/$prefix/artifacts.tgz
          aws s3 cp artifacts.tgz $S3_KEY
          echo key=$S3_KEY >> $GITHUB_OUTPUT