name: Release menubar
# Tag-driven release of the Mac menu bar app, draft-first:
#
#   git tag v0.0.2 && git push origin v0.0.2
#   → this workflow builds, signs, notarizes, and uploads
#     dmg + zip + blockmap + latest-mac.yml to a DRAFT GitHub release
#   → smoke-test the draft's dmg locally, then click "Publish release"
#
# electron-updater only sees PUBLISHED releases, so the draft is the safety
# gate: installed apps' periodic checks (electron/updater.ts, 6h) start
# picking the version up only at the moment of manual publish. A bad build
# never reaches users — delete the draft and re-tag.
#
# Required repo secrets (Settings → Secrets and variables → Actions):
#   CSC_LINK          base64 of the Developer ID Application .p12 export
#   CSC_KEY_PASSWORD  password chosen at .p12 export
#   APPLE_API_KEY_P8  base64 of the App Store Connect API .p8 key
#   APPLE_API_KEY_ID  the key's ID
#   APPLE_API_ISSUER  the ASC issuer UUID
# Each secret is handed only to the step that declares it under `env:`; the
# draft release and asset upload use the job's automatic GITHUB_TOKEN, whose
# scope is set by the `permissions:` block below.
# (electron-builder imports the cert into a temp keychain via CSC_LINK and
# notarizes via notarytool with the API key — same env contract as the local
# `package:mac:notarize` script's .env.local.)
# Only version tags start a release build; a plain branch push never does.
on:
  push:
    tags:
      - "v*"

# Least privilege for the automatic GITHUB_TOKEN: writing the draft release
# and uploading its assets is the only thing this workflow needs.
permissions:
  contents: write
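jobs:
  release:
    runs-on: macos-15  # Apple Silicon — we ship arm64-only (V0)
    steps:
      # NOTE(review): the actions below are referenced by mutable major tags.
      # Pinning each to a full commit SHA (`uses: actions/checkout@<commit-sha>  # v4`)
      # keeps a retargeted tag from changing the code that runs alongside the
      # signing and notarization secrets.
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0  # full history + tags for the commit-log release notes
      - uses: pnpm/action-setup@v4  # version from root package.json `packageManager`
      - uses: actions/setup-node@v4
        with:
          node-version: "24"  # quoted so the version is never retyped by YAML
          cache: pnpm
      # The feed (latest-mac.yml) advertises the package.json version; if the
      # tag disagrees, installed apps would update to something other than
      # what the tag claims. Check before the install so a mismatch fails in
      # seconds: node is already on PATH from setup-node and reading
      # package.json needs no installed dependencies.
      - name: Assert tag matches menubar package version
        run: |
          TAG_VERSION="${GITHUB_REF_NAME#v}"
          PKG_VERSION=$(node -p "require('./packages/menubar/package.json').version")
          if [ "$TAG_VERSION" != "$PKG_VERSION" ]; then
            echo "::error::tag $GITHUB_REF_NAME but packages/menubar/package.json is $PKG_VERSION — bump the package version (or re-tag) so the update feed stays truthful"
            exit 1
          fi
      - run: pnpm install --frozen-lockfile
      - name: Typecheck + tests
        run: |
          pnpm --filter @sidecodeapp/signaling run cf-typegen  # gitignored workerd types
          pnpm -r typecheck
          pnpm test
      # Pre-create the draft release BEFORE electron-builder runs. Its GitHub
      # publisher spins up one instance per artifact; when no draft exists yet
      # they race to create one and the v0.0.2 run ended with TWO drafts and
      # the assets split between them. A pre-existing draft (matching tag +
      # version-named title) is found by every instance — no race. The body is
      # the commit log since the previous tag (direct-to-main workflow means
      # GitHub's PR-based auto-notes would be empty); hand-write a short
      # user-facing What's New above it before publishing.
      - name: Create draft release with commit-log notes
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          TAG="$GITHUB_REF_NAME"
          # First-ever tag has no predecessor: PREV stays empty and RANGE
          # becomes the whole history up to the tag.
          PREV=$(git describe --tags --abbrev=0 "$TAG^" 2>/dev/null || true)
          RANGE="${PREV:+$PREV..}$TAG"
          {
            echo "<!-- Add a short user-facing What's New above the commit list before publishing. -->"
            echo ""
            echo "## Commits${PREV:+ since $PREV}"
            echo ""
            git log --no-merges --pretty='- %s' "$RANGE"
          } > "$RUNNER_TEMP/notes.md"
          gh release create "$TAG" --draft --title "${TAG#v}" --notes-file "$RUNNER_TEMP/notes.md"
      - name: Write App Store Connect API key
        env:
          APPLE_API_KEY_P8: ${{ secrets.APPLE_API_KEY_P8 }}
        run: |
          # A missing secret would decode to an empty .p8 yet still export
          # APPLE_API_KEY, flipping the notarize gate on and failing much later
          # with an opaque error. Refuse up front instead.
          if [ -z "$APPLE_API_KEY_P8" ]; then
            echo "::error::APPLE_API_KEY_P8 secret is empty or not set — cannot notarize"
            exit 1
          fi
          # Private key material on disk: create the file owner-readable only,
          # with no world-readable window between write and chmod.
          umask 077
          echo "$APPLE_API_KEY_P8" | base64 --decode > "$RUNNER_TEMP/asc-api-key.p8"
          echo "APPLE_API_KEY=$RUNNER_TEMP/asc-api-key.p8" >> "$GITHUB_ENV"
      - name: Build, sign, notarize, upload to draft release
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          CSC_LINK: ${{ secrets.CSC_LINK }}
          CSC_KEY_PASSWORD: ${{ secrets.CSC_KEY_PASSWORD }}
          # APPLE_API_KEY exported by the previous step; its presence flips
          # electron-builder.cjs's `notarize` gate on.
          APPLE_API_KEY_ID: ${{ secrets.APPLE_API_KEY_ID }}
          APPLE_API_ISSUER: ${{ secrets.APPLE_API_ISSUER }}
        run: |
          pnpm --filter '@sidecodeapp/menubar...' run build
          pnpm --filter @sidecodeapp/menubar exec electron-builder --mac --arm64 --publish always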