From ca46dfa76db931b627c75f29e08b342e9b3c42ee Mon Sep 17 00:00:00 2001 From: Alexander Zinchuk Date: Fri, 28 Jul 2023 21:36:26 +0200 Subject: [PATCH] Add deploy CI --- .github/workflows/electron-release.yml | 177 +++++++++++++++++++++++++ .gitignore | 2 + 2 files changed, 179 insertions(+) create mode 100644 .github/workflows/electron-release.yml diff --git a/.github/workflows/electron-release.yml b/.github/workflows/electron-release.yml new file mode 100644 index 000000000..74e67ecc8 --- /dev/null +++ b/.github/workflows/electron-release.yml @@ -0,0 +1,177 @@ +name: Electron release + +on: + workflow_dispatch: + push: + branches: master + +env: + APP_NAME: Telegram A + +jobs: + release: + runs-on: macOS-latest + steps: + - name: Checkout + uses: actions/checkout@v3 + + - name: Use Node.js 18.x + uses: actions/setup-node@v3 + with: + node-version: 18.x + + - name: Cache node modules + id: npm-cache + uses: actions/cache@v3 + with: + path: node_modules + key: ${{ runner.os }}-build-${{ hashFiles('**/package-lock.json') }} + restore-keys: | + ${{ runner.os }}-build- + + - name: Install dependencies + if: steps.npm-cache.outputs.cache-hit != 'true' + run: npm ci + + - name: Import MacOS Signing Certificate + env: + APPLE_CERTIFICATE_BASE64: ${{ secrets.APPLE_CERTIFICATE_BASE64 }} + APPLE_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }} + run: | + KEY_CHAIN=build.keychain + CERTIFICATE_P12=certificate.p12 + echo "$APPLE_CERTIFICATE_BASE64" | base64 --decode > $CERTIFICATE_P12 + security create-keychain -p actions $KEY_CHAIN + security default-keychain -s $KEY_CHAIN + security unlock-keychain -p actions $KEY_CHAIN + security import $CERTIFICATE_P12 -k $KEY_CHAIN -P $APPLE_CERTIFICATE_PASSWORD -T /usr/bin/codesign + security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k actions $KEY_CHAIN + security find-identity -v -p codesigning $KEY_CHAIN + + - name: Build and release + env: + TELEGRAM_T_API_ID: ${{ secrets.TELEGRAM_API_ID }} + TELEGRAM_T_API_HASH: ${{ secrets.TELEGRAM_API_HASH }} + APPLE_ID: ${{ secrets.APPLE_ID }} + APPLE_APP_SPECIFIC_PASSWORD: ${{ secrets.APPLE_APP_SPECIFIC_PASSWORD }} + GH_TOKEN: ${{ secrets.GH_TOKEN }} + PUBLISH_REPO: ${{ vars.PUBLISH_REPO }} + run: | + if [ -z "$PUBLISH_REPO" ]; then + npm run electron:staging + else + npm run deploy:electron + fi + + - uses: actions/upload-artifact@v3 + with: + name: ${{ env.APP_NAME }}-x64.dmg + path: dist-electron/${{ env.APP_NAME }}-x64.dmg + + - uses: actions/upload-artifact@v3 + with: + name: ${{ env.APP_NAME }}-arm64.dmg + path: dist-electron/${{ env.APP_NAME }}-arm64.dmg + + - uses: actions/upload-artifact@v3 + with: + name: ${{ env.APP_NAME }}-x86_64.AppImage + path: dist-electron/${{ env.APP_NAME }}-x86_64.AppImage + + - uses: actions/upload-artifact@v3 + with: + name: ${{ env.APP_NAME }}-x64.exe + path: dist-electron/${{ env.APP_NAME }}-x64.exe + + windowsSigning: + needs: release + runs-on: windows-latest + if: vars.PUBLISH_REPO != '' + env: + GH_TOKEN: ${{ secrets.GH_TOKEN }} + PUBLISH_REPO: ${{ vars.PUBLISH_REPO }} + steps: + - name: Checkout + uses: actions/checkout@v3 + + - name: Setup Certificate + shell: bash + run: echo "${{ secrets.SM_CLIENT_CERT_FILE_B64 }}" | base64 --decode > /d/Certificate_pkcs12.p12 + + - name: Set environment variables + id: variables + shell: bash + run: | + echo "version=${GITHUB_REF#refs/tags/v}" >> $GITHUB_OUTPUT + echo "FILE_NAME=${{ env.APP_NAME }}-x64.exe" >> "$GITHUB_ENV" + echo "SM_HOST=${{ secrets.SM_HOST }}" >> "$GITHUB_ENV" + echo "SM_API_KEY=${{ secrets.SM_API_KEY }}" >> "$GITHUB_ENV" + echo "SM_CLIENT_CERT_FILE=D:\\Certificate_pkcs12.p12" >> "$GITHUB_ENV" + echo "SM_CLIENT_CERT_PASSWORD=${{ secrets.SM_CLIENT_CERT_PASSWORD }}" >> "$GITHUB_ENV" + echo "C:\Program Files (x86)\Windows Kits\10\App Certification Kit" >> $GITHUB_PATH + echo "C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.8 Tools" >> $GITHUB_PATH + echo "C:\Program Files\DigiCert\DigiCert One Signing Manager Tools" >> $GITHUB_PATH + + - name: Setup SSM KSP + env: + SM_API_KEY: ${{ secrets.SM_API_KEY }} + shell: cmd + run: | + curl.exe -X GET https://one.digicert.com/signingmanager/api-ui/v1/releases/smtools-windows-x64.msi/download -H "x-api-key:%SM_API_KEY%" -o smtools.msi + msiexec /i smtools.msi /quiet /qn + smksp_registrar.exe list + smctl.exe keypair ls + C:\Windows\System32\certutil.exe -csp "DigiCert Signing Manager KSP" -key -user + smksp_cert_sync.exe + + - name: Download Windows package + id: download-artifact + uses: actions/download-artifact@v3 + with: + name: ${{ env.FILE_NAME }} + + - name: Signing package + env: + KEYPAIR_ALIAS: ${{ secrets.KEYPAIR_ALIAS }} + FILE_PATH: ${{ steps.download-artifact.outputs.download-path }} + run: smctl.exe sign --keypair-alias=%KEYPAIR_ALIAS% --input "%FILE_PATH%\%FILE_NAME%" + + - uses: actions/upload-artifact@v3 + with: + name: ${{ env.FILE_NAME }} + path: ${{ env.FILE_NAME }} + + - name: Get latest release ID + id: release-id + shell: bash + run: | + RELEASE_ID=$(curl -s -H "Authorization: Bearer $GH_TOKEN" "https://api.github.com/repos/$PUBLISH_REPO/releases?per_page=1" | jq -r '.[0].id') + echo "release_id=$RELEASE_ID" >> $GITHUB_OUTPUT + + - name: Delete existing asset + env: + RELEASE_ID: ${{ steps.release-id.outputs.release_id }} + shell: bash + run: | + PUBLISH_FILE_NAME=${FILE_NAME// /-} # Consistency with electron-builder + ASSET_ID=$(curl -s -H "Authorization: Bearer $GH_TOKEN" "https://api.github.com/repos/$PUBLISH_REPO/releases/$RELEASE_ID/assets" | jq -r --arg PUBLISH_FILE_NAME "$PUBLISH_FILE_NAME" '.[] | select(.name == $PUBLISH_FILE_NAME) | .id') + curl -X DELETE -H "Authorization: Bearer $GH_TOKEN" "https://api.github.com/repos/$PUBLISH_REPO/releases/assets/$ASSET_ID" + + - name: Push new asset + env: + FILE_PATH: ${{ steps.download-artifact.outputs.download-path }} + RELEASE_ID: ${{ steps.release-id.outputs.release_id }} + shell: bash + run: | + PUBLISH_FILE_NAME=${FILE_NAME// /-} # Consistency with electron-builder + curl -X POST -H "Authorization: Bearer $GH_TOKEN" \ + -H "Content-Type: application/octet-stream" \ + --data-binary "@$FILE_PATH\\$FILE_NAME" \ + "https://uploads.github.com/repos/$PUBLISH_REPO/releases/$RELEASE_ID/assets?name=$PUBLISH_FILE_NAME" + + - name: Publish release + env: + RELEASE_ID: ${{ steps.release-id.outputs.release_id }} + shell: bash + run: | + curl -X PATCH -H "Authorization: Bearer $GH_TOKEN" "https://api.github.com/repos/$PUBLISH_REPO/releases/$RELEASE_ID" -d '{"draft": false}' diff --git a/.gitignore b/.gitignore index a2dbced2e..1b5b4b9fe 100644 --- a/.gitignore +++ b/.gitignore @@ -8,3 +8,5 @@ tests/ *.iml dev/perf/screenshot* .DS_store +.github/workflows/* +!.github/workflows/electron-release.yml