Merge pull request #93 from cooklang/updated #22
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# based on https://github.com/starship/starship workflow | |
name: Release | |
on: | |
push: | |
branches: | |
- main | |
env: | |
CARGO_INCREMENTAL: 0 | |
CARGO_NET_RETRY: 10 | |
RUST_BACKTRACE: short | |
RUSTUP_MAX_RETRIES: 5 | |
MACOSX_DEPLOYMENT_TARGET: 10.7 | |
permissions: | |
contents: write | |
pull-requests: write | |
jobs: | |
# Update release PR | |
release_please: | |
name: Release Please | |
runs-on: ubuntu-latest | |
if: github.repository == 'cooklang/cookcli' | |
outputs: | |
release_created: ${{ steps.release.outputs.release_created }} | |
tag_name: ${{ steps.release.outputs.tag_name }} | |
steps: | |
- uses: google-github-actions/release-please-action@v3 | |
id: release | |
with: | |
token: ${{ secrets.GITHUB_TOKEN }} | |
release-type: rust | |
draft: true | |
# Build sources for every OS | |
github_build: | |
name: Build release binaries | |
needs: release_please | |
if: ${{ needs.release_please.outputs.release_created == 'true' }} | |
strategy: | |
fail-fast: false | |
matrix: | |
include: | |
- target: x86_64-unknown-linux-gnu | |
os: ubuntu-latest | |
name: cook-x86_64-unknown-linux-gnu.tar.gz | |
- target: x86_64-unknown-linux-musl | |
os: ubuntu-latest | |
name: cook-x86_64-unknown-linux-musl.tar.gz | |
- target: i686-unknown-linux-musl | |
os: ubuntu-latest | |
name: cook-i686-unknown-linux-musl.tar.gz | |
- target: aarch64-unknown-linux-musl | |
os: ubuntu-latest | |
name: cook-aarch64-unknown-linux-musl.tar.gz | |
- target: arm-unknown-linux-musleabihf | |
os: ubuntu-latest | |
name: cook-arm-unknown-linux-musleabihf.tar.gz | |
- target: x86_64-apple-darwin | |
os: macOS-11 | |
name: cook-x86_64-apple-darwin.tar.gz | |
- target: aarch64-apple-darwin | |
os: macOS-11 | |
name: cook-aarch64-apple-darwin.tar.gz | |
- target: x86_64-pc-windows-msvc | |
os: windows-latest | |
name: cook-x86_64-pc-windows-msvc.zip | |
rustflags: -C target-feature=+crt-static | |
- target: i686-pc-windows-msvc | |
os: windows-latest | |
name: cook-i686-pc-windows-msvc.zip | |
rustflags: -C target-feature=+crt-static | |
- target: aarch64-pc-windows-msvc | |
os: windows-latest | |
name: cook-aarch64-pc-windows-msvc.zip | |
rustflags: -C target-feature=+crt-static | |
- target: x86_64-unknown-freebsd | |
os: ubuntu-latest | |
name: cook-x86_64-unknown-freebsd.tar.gz | |
runs-on: ${{ matrix.os }} | |
continue-on-error: true | |
env: | |
RUSTFLAGS: ${{ matrix.rustflags || '' }} | |
steps: | |
- name: Setup | Checkout | |
uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4 | |
- uses: pnpm/action-setup@v2 | |
with: | |
version: 8 | |
run_install: true | |
- name: Build UI | |
shell: "bash" | |
run: | | |
cd ui | |
pnpm run build | |
- name: Setup | Rust | |
uses: dtolnay/rust-toolchain@master | |
with: | |
toolchain: stable | |
target: ${{ matrix.target }} | |
- name: Setup | Cache | |
uses: Swatinem/rust-cache@v2 | |
- name: Setup | Install cargo-wix [Windows] | |
continue-on-error: true | |
# aarch64 is only supported in wix 4.0 development builds | |
if: matrix.os == 'windows-latest' && matrix.target != 'aarch64-pc-windows-msvc' | |
run: cargo install --version 0.3.4 cargo-wix | |
env: | |
# cargo-wix does not require static crt | |
RUSTFLAGS: "" | |
- name: Setup | Install cross [Linux] | |
if: matrix.os == 'ubuntu-latest' | |
uses: taiki-e/install-action@cross | |
- name: Build | Build [Cargo] | |
if: matrix.os != 'ubuntu-latest' | |
run: cargo build --release --locked --target ${{ matrix.target }} | |
- name: Build | Build [Cross] | |
if: matrix.os == 'ubuntu-latest' | |
run: cross build --release --locked --target ${{ matrix.target }} | |
- name: Build | Installer [Windows] | |
continue-on-error: true | |
if: matrix.os == 'windows-latest' && matrix.target != 'aarch64-pc-windows-msvc' | |
run: > | |
cargo wix -v --no-build --nocapture -I install/windows/main.wxs | |
--target ${{ matrix.target }} | |
--output target/wix/cook-${{ matrix.target }}.msi | |
- name: Post Build | Prepare artifacts [Windows] | |
if: matrix.os == 'windows-latest' | |
run: | | |
cd target/${{ matrix.target }}/release | |
7z a ../../../${{ matrix.name }} cook.exe | |
cd - | |
- name: Post Build | Prepare artifacts [-nix] | |
if: matrix.os != 'windows-latest' | |
run: | | |
cd target/${{ matrix.target }}/release | |
tar czvf ../../../${{ matrix.name }} cook | |
cd - | |
- name: Release | Upload artifacts | |
uses: actions/upload-artifact@v3 | |
with: | |
name: ${{ matrix.name }} | |
path: ${{ matrix.name }} | |
- name: Release | Upload installer artifacts [Windows] | |
continue-on-error: true | |
if: matrix.os == 'windows-latest' && matrix.target != 'aarch64-pc-windows-msvc' | |
uses: actions/upload-artifact@v3 | |
with: | |
name: cook-${{ matrix.target }}.msi | |
path: target/wix/cook-${{ matrix.target }}.msi | |
# Notarize cook binaries for MacOS and build notarized pkg installers | |
notarize: | |
runs-on: macos-latest | |
continue-on-error: true | |
needs: [github_build] | |
strategy: | |
fail-fast: false | |
matrix: | |
include: | |
- target: x86_64-apple-darwin | |
arch: x86_64 | |
name: cook-x86_64-apple-darwin.tar.gz | |
- target: aarch64-apple-darwin | |
arch: aarch64 | |
name: cook-aarch64-apple-darwin.tar.gz | |
env: | |
KEYCHAIN_FILENAME: app-signing.keychain-db | |
KEYCHAIN_ENTRY: AC_PASSWORD | |
steps: | |
- name: Checkout repository | |
uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4 | |
- name: Notarize | Set up secrets | |
env: | |
APP_CERTIFICATE_BASE64: ${{ secrets.APPLEDEV_APPSIGNKEY_BASE64 }} | |
P12_PASSWORD: ${{ secrets.APPLEDEV_SIGNKEY_PASS }} | |
KEYCHAIN_PASSWORD: ${{ secrets.APPLEDEV_SIGNKEY_PASS }} | |
APPLEID_USERNAME: ${{ secrets.APPLEDEV_ID_NAME }} | |
APPLEID_TEAMID: ${{ secrets.APPLEDEV_TEAM_ID }} | |
APPLEID_PASSWORD: ${{ secrets.APPLEDEV_PASSWORD }} | |
run: | | |
APP_CERTIFICATE_PATH="$RUNNER_TEMP/app_certificate.p12" | |
KEYCHAIN_PATH="$RUNNER_TEMP/$KEYCHAIN_FILENAME" | |
# import certificates from secrets | |
echo -n "$APP_CERTIFICATE_BASE64" | base64 --decode --output $APP_CERTIFICATE_PATH | |
# create temporary keychain | |
security create-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH" | |
security set-keychain-settings -lut 21600 "$KEYCHAIN_PATH" | |
security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH" | |
# import certificates to keychain | |
security import $APP_CERTIFICATE_PATH -P "$P12_PASSWORD" -A -t cert -f pkcs12 -k $KEYCHAIN_PATH | |
security list-keychain -d user -s $KEYCHAIN_PATH | |
# Add Apple Developer ID credentials to keychain | |
xcrun notarytool store-credentials "$KEYCHAIN_ENTRY" --team-id "$APPLEID_TEAMID" --apple-id "$APPLEID_USERNAME" --password "$APPLEID_PASSWORD" --keychain "$KEYCHAIN_PATH" | |
- name: Notarize | Download artifacts | |
uses: actions/download-artifact@v3 | |
with: | |
name: ${{ matrix.name }} | |
path: artifacts | |
- name: Notarize | Unpack Binaries | |
run: tar xf artifacts/${{ matrix.name }} | |
- name: Notarize | Build, Sign, and Notarize Pkg | |
env: | |
APPLICATION_KEY_IDENT: ${{ secrets.APPLEDEV_KEY_IDENT }} | |
run: | | |
KEYCHAIN_PATH="$RUNNER_TEMP/$KEYCHAIN_FILENAME" | |
echo ">>>> Signing binary" | |
codesign --timestamp --keychain $KEYCHAIN_PATH --sign "$APPLICATION_KEY_IDENT" --verbose -f -o runtime cook | |
# Make ZIP file to notarize binary | |
zip cook.zip cook | |
echo ">>>> Submitting binary for notarization" | |
xcrun notarytool submit cook.zip --keychain-profile "$KEYCHAIN_ENTRY" --wait | |
- name: Notarize | Package Notarized Binary | |
run: tar czvf ${{ matrix.name }} cook | |
- name: Notarize | Upload Notarized Binary | |
uses: actions/upload-artifact@v3 | |
with: | |
name: ${{ matrix.name }} | |
path: ${{ matrix.name }} | |
- name: Cleanup Secrets | |
if: ${{ always() }} | |
run: | | |
KEYCHAIN_PATH="$RUNNER_TEMP/$KEYCHAIN_FILENAME" | |
security delete-keychain $KEYCHAIN_PATH | |
# Create GitHub release with Rust build targets and release notes | |
upload_artifacts: | |
name: Add Build Artifacts to Release | |
needs: [release_please, github_build, notarize] | |
runs-on: ubuntu-latest | |
steps: | |
- name: Setup | Artifacts | |
uses: actions/download-artifact@v3 | |
- name: Setup | Checksums | |
run: for file in cook-*/cook-*; do openssl dgst -sha256 -r "$file" | awk '{print $1}' > "${file}.sha256"; done | |
- name: Setup | Publish Release | |
run: gh release edit ${{ needs.release_please.outputs.tag_name }} --draft=false --repo=cooklang/cookcli | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
- name: Build | Add Artifacts to Release | |
uses: softprops/action-gh-release@v1 | |
with: | |
files: cook-*/cook-* | |
tag_name: ${{ needs.release_please.outputs.tag_name }} | |