Handle Release #37
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Handle Release | |
| on: | |
| workflow_dispatch: | |
| inputs: | |
| do_github_release: | |
| description: "Perform a GitHub release?" | |
| required: true | |
| type: boolean | |
| default: false | |
| do_crates_release: | |
| description: "Perform a crates.io release?" | |
| required: true | |
| type: boolean | |
| default: false | |
| push: | |
| tags: | |
| - "v*" | |
| env: | |
| CARGO_TERM_COLOR: always | |
| jobs: | |
| build-windows: | |
| runs-on: windows-latest | |
| steps: | |
| - name: Checkout Repository | |
| uses: actions/checkout@v4 | |
| - name: Build | |
| run: | | |
| cargo build --release --bin aplang | |
| - name: Upload build artifact | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: windows-binary | |
| path: target/release/aplang.exe | |
| build-macos: | |
| runs-on: macos-latest | |
| steps: | |
| - name: Checkout Repository | |
| uses: actions/checkout@v4 | |
| - name: Add Targets | |
| run: | | |
| rustup target add aarch64-apple-darwin | |
| rustup target add x86_64-apple-darwin | |
| - name: Build x86_64 | |
| run: | | |
| cargo build --release --bin aplang --target x86_64-apple-darwin | |
| - name: Build aarch64 | |
| run: | | |
| cargo build --release --bin aplang --target aarch64-apple-darwin | |
| - name: Create Fat Binary | |
| run: | | |
| mkdir -p out | |
| lipo -create -output out/aplang target/x86_64-apple-darwin/release/aplang target/aarch64-apple-darwin/release/aplang | |
| - name: Upload build artifact | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: macos-binary | |
| path: out/aplang | |
| # --- JOB: create-pkg --- | |
| create-pkg: | |
| name: Create MacOS `.pkg` | |
| runs-on: macos-latest | |
| needs: build-macos | |
| steps: | |
| - name: Install Apple Certificates to Keychain | |
| env: | |
| APPLICATION_CERT_BASE64: ${{ secrets.APPLE_APPLICATION_CERT }} | |
| INSTALLER_CERT_BASE64: ${{ secrets.APPLE_INSTALLER_CERT }} | |
| CERT_PASSWORD: ${{ secrets.CERT_PASSWORD }} | |
| TEMP_KEYCHAIN_PASSWORD: temp_password | |
| run: | | |
| echo "$APPLICATION_CERT_BASE64" | base64 --decode > application_cert.p12 | |
| echo "$INSTALLER_CERT_BASE64" | base64 --decode > installer_cert.p12 | |
| # Create a temporary keychain with a temporary password | |
| security create-keychain -p "$TEMP_KEYCHAIN_PASSWORD" temp.keychain | |
| security unlock-keychain -p "$TEMP_KEYCHAIN_PASSWORD" temp.keychain | |
| # Set temp.keychain as default keychain | |
| security default-keychain -s temp.keychain | |
| # Import certificates into the temporary keychain | |
| security import application_cert.p12 -k temp.keychain -P "$CERT_PASSWORD" -T /usr/bin/codesign | |
| security import installer_cert.p12 -k temp.keychain -P "$CERT_PASSWORD" -T /usr/bin/codesign | |
| # Set the key partition list with explicit unlocking | |
| security set-key-partition-list -S apple-tool:,apple: -s -k "$TEMP_KEYCHAIN_PASSWORD" temp.keychain | |
| - name: List Certs | |
| run: | | |
| security find-identity -v temp.keychain | |
| - name: Download macOS binary | |
| uses: actions/download-artifact@v4 | |
| with: | |
| name: macos-binary | |
| path: package-root/ | |
| - name: Setup Build | |
| run: | | |
| mkdir -p package-root/ | |
| chmod +x package-root/aplang | |
| TAG_VERSION="${GITHUB_REF_NAME#v}" | |
| TAG_VERSION="${TAG_VERSION:-0.0.0}" | |
| echo "TAG_VERSION=$TAG_VERSION" >> $GITHUB_ENV | |
| - name: Sign Application Binary | |
| run: | | |
| codesign --keychain temp.keychain --sign "Developer ID Application: Patrick Unick (423YZUTX3G)" --options runtime --deep --force package-root/aplang | |
| - name: Create `.pkg` Installer | |
| run: | | |
| pkgbuild --root package-root --identifier snowfoxsh.aplang --version "$TAG_VERSION" --install-location /usr/local/bin aplang-unsigned.pkg | |
| - name: Sign the package | |
| run: | | |
| # productsign --sign "Developer ID Installer: Patrick Unick (423YZUTX3G)" aplang-unsigned.pkg aplang.pkg | |
| productsign --keychain $(pwd)/temp.keychain --sign "Developer ID Installer: Patrick Unick (423YZUTX3G)" aplang-unsigned.pkg aplang.pkg | |
| - name: Notarize the package | |
| env: | |
| APPLE_ID_EMAIL: ${{ secrets.APPLE_ID_EMAIL }} | |
| APPLE_APP_SPECIFIC_PASSWORD: ${{ secrets.APPLE_APP_SPECIFIC_PASSWORD }} | |
| run: | | |
| # Submit notary | |
| xcrun notarytool submit aplang.pkg --apple-id "$APPLE_ID_EMAIL" --team-id "423YZUTX3G" --password "$APPLE_APP_SPECIFIC_PASSWORD" --wait | |
| # Staple the notary | |
| xcrun stapler staple aplang.pkg | |
| - name: Upload `.pkg` Artifact | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: macos-pkg | |
| path: aplang.pkg | |
| release: | |
| name: Create GitHub Release | |
| if: ${{ github.event_name == 'push' || (github.event_name == 'workflow_dispatch' && github.event.inputs.do_github_release == 'true') }} | |
| runs-on: ubuntu-latest | |
| needs: [build-windows, build-macos, create-pkg] | |
| steps: | |
| - name: Download Windows binary | |
| uses: actions/download-artifact@v4 | |
| with: | |
| name: windows-binary | |
| path: artifacts/windows/ | |
| - name: Download macOS binary | |
| uses: actions/download-artifact@v4 | |
| with: | |
| name: macos-binary | |
| path: artifacts/macos/ | |
| - name: List Downloaded Files | |
| run: ls -R artifacts | |
| - name: Download macOS binary | |
| uses: actions/download-artifact@v4 | |
| with: | |
| name: macos-pkg | |
| path: artifacts/macos | |
| - name: Create GitHub Release | |
| uses: softprops/action-gh-release@v2 | |
| with: | |
| prerelease: true | |
| generate_release_notes: true | |
| draft: ${{ github.event_name != 'push' }} | |
| files: | | |
| artifacts/windows/aplang.exe | |
| artifacts/macos/aplang | |
| artifacts/macos/aplang.pkg | |
| cargo-publish: | |
| name: Publish to Crates.io | |
| runs-on: ubuntu-latest | |
| if: ${{ startsWith(github.ref, 'refs/tags/v') || (github.event_name == 'workflow_dispatch' && github.event.inputs.do_crates_release == 'true') }} | |
| steps: | |
| - name: Checkout Repository | |
| uses: actions/checkout@v4 | |
| - name: Read version from Cargo.toml | |
| id: cargo_toml_version | |
| uses: SebRollen/toml-action@v1.2.0 | |
| with: | |
| file: Cargo.toml | |
| field: package.version | |
| - name: Ensure Cargo.toml version matches tag | |
| if: startsWith(github.ref, 'refs/tags/v') | |
| run: | | |
| TAG_VERSION="${GITHUB_REF_NAME#v}" | |
| CARGO_VERSION="${{ steps.cargo_toml_version.outputs.value }}" | |
| if [ "$TAG_VERSION" != "$CARGO_VERSION" ]; then | |
| echo "Error: Tag version ($TAG_VERSION) does not match Cargo.toml version ($CARGO_VERSION)" | |
| exit 1 | |
| fi | |
| - name: Publish to crates.io | |
| env: | |
| CARGO_REGISTRY_TOKEN: ${{ secrets.CARGO_REGISTRY_TOKEN }} | |
| # allow dirty is to make sure the Cargo.lock is always submited | |
| run: cargo publish --allow-dirty |