Skip to content

fix(release): MacOS DMG app code-sign Apple Silicon entitlements #83

fix(release): MacOS DMG app code-sign Apple Silicon entitlements

fix(release): MacOS DMG app code-sign Apple Silicon entitlements #83

Workflow file for this run

name: CI
on:
push:
branches: [ master ]
tags-ignore:
- '*'
pull_request:
branches: [ master ]
# https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token
# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
permissions:
actions: none
checks: none
contents: write
deployments: none
id-token: none
issues: none
packages: none
pages: none
pull-requests: none
repository-projects: none
security-events: none
statuses: none
env:
# secrets.GITHUB_TOKEN is restricted by default instead of permissive, so it does not allow release publishing. We can use a Personal Access Token with limited scope and expiration, or configure the token for this workflow using the 'permissions' key
# GITHUB_TOKEN_RELEASE_PUBLISH: ${{ secrets.RELEASE_PUBLISH }}
GITHUB_TOKEN_RELEASE_PUBLISH: ${{ secrets.GITHUB_TOKEN }}
# Electron Builder workaround
USE_HARD_LINKS: 'false'
jobs:
build:
# if: "!contains(toJSON(github.event.commits.*.message), '[skip-ci]')"
if: "github.event_name == 'pull_request' || !contains(github.event.head_commit.message, 'skip ci')"
# runs-on: ubuntu-latest # / ubuntu-18.04 ... or ubuntu-16.04, ubuntu-20.04
# runs-on: macos-latest # / macos-10.15
# runs-on: windows-2016 # not window-latest / windows-2019, see https://github.com/edrlab/thorium-reader/issues/1591
runs-on: ${{ matrix.runson }}
strategy:
fail-fast: false
matrix:
# windows-arm
osarch: [windows-intel, macos-intel, macos-arm, linux-intel, linux-arm]
include:
- osarch: windows-intel
runson: windows-latest
packname: win
release_tag: latest-windows-intel
# - osarch: windows-arm
# runson: windows-latest
# packname: win
# release_tag: latest-windows-arm
- osarch: macos-intel
runson: macos-13
packname: 'mac:skip-notarize'
release_tag: latest-macos-intel
- osarch: macos-arm
runson: macos-latest
packname: 'mac:skip-notarize'
release_tag: latest-macos-arm
- osarch: linux-intel
runson: ubuntu-20.04
packname: linux
release_tag: latest-linux-intel
- osarch: linux-arm
runson: ubuntu-20.04
packname: linux
release_tag: latest-linux-arm
env:
# OS_NAME_: ${{ matrix.osarch }}
RELEASE_TAG: ${{ matrix.release_tag }}
steps:
# - run: echo 'OS_NAME_:' ${{ env.OS_NAME_ }}
#- run: echo 'RELEASE_TAG=latest-${{ env.OS_NAME_ }}' | Out-File -FilePath $env:GITHUB_ENV -Encoding utf8 -Append
#- run: echo 'RELEASE_TAG=latest-${{ env.OS_NAME_ }}' >> $GITHUB_ENV
#- run: echo '::set-env name=RELEASE_TAG::latest-${{ env.OS_NAME_ }}'
- run: echo 'RELEASE_TAG:' ${{ env.RELEASE_TAG }}
- run: 'echo "GITHUB_RUN_NUMBER: ${{ github.run_number }}"'
- run: 'echo "GITHUB_RUN_ID: ${{ github.run_id }}"'
- run: 'echo "GITHUB_SHA: ${{ github.sha }}"'
- name: Check sys arch
if: ${{ matrix.osarch != 'windows-intel' }}
run: echo "${{ matrix.osarch }}" && uname -m && arch
- name: Checkout
uses: actions/checkout@v4
# with:
# persist-credentials: false
# - name: Git config global dump (pre)
# run: 'git config --global --list || echo NO_GIT_GLOBAL_CONFIG || true'
# shell: bash
# - name: Git config local dump (pre)
# run: 'git config --list || echo NO_GIT_GLOBAL_CONFIG || true'
# shell: bash
# - name: git HTTP authentication instead SSH (NPM >=7) 1
# run: >
# git config --global url."https://github.com/".insteadOf ssh://git@github.com/
# shell: bash
# - name: git HTTP authentication instead SSH (NPM >=7) 2
# run: >
# git config --global url."https://github.com".insteadOf ssh://git@github.com
# shell: bash
# - name: git HTTP authentication instead SSH (NPM >=7) 3
# run: >
# git config --global url."http://github.com/".insteadOf git@github.com:
# shell: bash
# - name: git HTTP authentication instead SSH (NPM >=7) 4
# run: >
# git config --global url."http://".insteadOf git://
# shell: bash
- name: Git config global dump (post)
run: 'git config --global --list || echo NO_GIT_GLOBAL_CONFIG || true'
shell: bash
- name: Git config local dump (post)
run: 'git config --list || echo NO_GIT_GLOBAL_CONFIG || true'
shell: bash
- uses: actions/setup-node@v4
with:
node-version: '20'
#check-latest: true
- run: node --version && npm --version
- run: npm --global install npm@^10
- run: npm --version
- run: npm --global install yarn@^1
# - run: ((curl -o- -L https://yarnpkg.com/install.sh | bash -s -- --version 1.22.5) || echo "YARN OK")
# - run: export PATH="$HOME/.yarn/bin:$PATH"
- run: yarn --version
- run: yarn config set network-timeout 300000 || echo ok
# - run: yarn --global install asar
- name: package patch 1
run: node build/package-ci-patch.js package.json ${{ github.run_id }} && cat package.json | grep -i VERSION && cat package.json
shell: bash
- name: package patch 2
run: node build/package-ci-patch.js package-asar.json ${{ github.run_id }} && cat package-asar.json | grep -i VERSION && cat package-asar.json
shell: bash
- name: package patch 3
run: node build/package-ci-patch.js package-asar-dev.json ${{ github.run_id }} && cat package-asar-dev.json | grep -i VERSION && cat package-asar-dev.json
shell: bash
#- run: pwd && ls && cd .. && pwd && ls && git clone https://github.com/daisy/ace.git && cd ace && pwd && ls && git checkout ace-next-local-packs && yarn ace-app-prepare && pwd && ls && cd .. && pwd && ls && cd ace-gui && pwd && ls
#- run: rm -f yarn.lock && rm -rf node_modules && yarn install
- run: yarn --frozen-lockfile
- run: git submodule init && git submodule update
- run: git --no-pager diff package.json && git --no-pager diff package-asar.json && git --no-pager diff package-asar-dev.json
- run: git --no-pager diff
- run: npm cache clean --force
- run: npm cache verify
- name: PR action (just build)
if: ${{ github.event_name == 'pull_request' }}
run: yarn build:prod
# && yarn test SEE https://github.com/edrlab/thorium-reader/issues/1697
- name: non-PR action, Windows (build and package)
if: ${{ github.event_name != 'pull_request' && ( matrix.osarch == 'windows-intel' || matrix.osarch == 'windows-arm' ) }}
run: yarn package:${{ matrix.packname }}
- name: non-PR action, non-Windows (build and package)
if: ${{ github.event_name != 'pull_request' && matrix.osarch != 'windows-intel' && matrix.osarch != 'windows-arm' }}
run: echo "${{ matrix.osarch }}" && (if [[ ${{ matrix.osarch }} == 'macos-arm' || ${{ matrix.osarch }} == 'linux-arm' ]]; then uname -m && arch && sed 's/x64/arm64/g' ./package.json > ./package.json.new && mv ./package.json.new ./package.json && yarn package:${{ matrix.packname }} && sed 's/arm64/x64/g' ./package.json > ./package.json.new && mv ./package.json.new ./package.json; else yarn package:${{ matrix.packname }}; fi)
#- run: ls -alsR release
#- run: npm install @octokit/rest
- name: GitHub Tagged Release Delete/ReCreate and Upload Build Artefacts
if: ${{ github.event_name != 'pull_request' }}
run: node build/release-github.mjs
# - name: Upload Artifact
# if: ${{ github.event_name != 'pull_request' }}
# uses: actions/upload-artifact@v2
# with:
# name: Thorium
# path: ./release/*.exe
# - name: Delete Release
# if: ${{ github.event_name != 'pull_request' }}
# uses: author/action-rollback@stable
# with:
# tag: $RELEASE_TAG
# always_delete_tag: true
# - name: GitHub Release
# if: ${{ github.event_name != 'pull_request' }}
# id: create_release
# uses: actions/create-release@v1
# with:
# tag_name: $RELEASE_TAG
# release_name: '[$RELEASE_TAG] continuous test build (prerelease)'
# body: 'GitHub Action build job: $GITHUB_SERVER_URL/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID'
# draft: false
# prerelease: true
# - name: GitHub Release Assets
# if: ${{ github.event_name != 'pull_request' }}
# id: upload-release-asset
# uses: actions/upload-release-asset@v1
# with:
# upload_url: ${{ steps.create_release.outputs.upload_url }}
# asset_path: ./release/*.exe
# asset_name: Thorium.exe
# asset_content_type: application/octet-stream
# - name: GitHub Script Release And Assets
# if: ${{ github.event_name != 'pull_request' }}
# env:
# - GH_RELEASE_ID: ${{ steps.create_release.outputs.id }}
# uses: actions/github-script@v2
# with:
# github-token: ${{ secrets.GITHUB_TOKEN }}
# script: |
# console.log('process.versions', process.versions, process.env.GH_RELEASE_ID);
# const fs = require('fs').promises;
# const { repo: { owner, repo }, sha } = context;
# /*
# const release = await github.repos.createRelease({
# name: `[${process.env.RELEASE_TAG}] continuous test build (prerelease)`,
# body: `GitHub Action build job: ${process.env.GITHUB_SERVER_URL}/${process.env.GITHUB_REPOSITORY}/actions/runs/${process.env.GITHUB_RUN_ID}`,
# owner,
# repo,
# tag_name: process.env.RELEASE_TAG,
# draft: false,
# prerelease: true,
# target_commitish: sha
# });
# */
# for (let file of await fs.readdir('release')) {
# if (!file.endsWith('.exe') || !file.endsWith('.AppImage') || !file.endsWith('.msi') || !file.endsWith('.deb') || !file.endsWith('.dmg')) {
# continue;
# }
# await github.repos.uploadReleaseAsset({
# owner,
# repo,
# release_id: process.env.GH_RELEASE_ID, // release.data.id,
# name: file,
# data: await fs.readFile(`./release/${file}`)
# });
# }