Skip to content
insiders-build

Merge pull request #604 from mountaindude/587 #35

Sign in to view logs

Merge pull request #604 from mountaindude/587

Merge pull request #604 from mountaindude/587 #35

Workflow file for this run

.github/workflows/insiders-build.yaml at ce775f7
name: insiders-build
on:
workflow_dispatch:
push:
branches:
- main
jobs:
insiders-build:
strategy:
matrix:
os: [win-code-sign, mac-build1, ubuntu-latest]
include:
- os: win-code-sign
build: |
cd src
./node_modules/.bin/esbuild "${env:DIST_FILE_NAME}.js" --bundle --outfile=build.cjs --format=cjs --platform=node --target=node23
node --experimental-sea-config sea-config.json
node -e "require('fs').copyFileSync(process.execPath, '${env:DIST_FILE_NAME}.exe')"
pwd
dir
# -------------------
# Remove the signature from the executable
$processOptions1 = @{
FilePath = "C:\Program Files (x86)/Windows Kits/10/bin/10.0.22621.0/x64/signtool.exe"
Wait = $true
ArgumentList = "remove", "/s", "./${env:DIST_FILE_NAME}.exe"
WorkingDirectory = "."
NoNewWindow = $true
}
Start-Process @processOptions1
npx postject "${env:DIST_FILE_NAME}.exe" NODE_SEA_BLOB sea-prep.blob --sentinel-fuse NODE_SEA_FUSE_fce680ab2cc467b6e072b8b5df1996b2
# -------------------
# Sign the executable
# 1st signing
$processOptions1 = @{
FilePath = "C:\Program Files (x86)/Windows Kits/10/bin/10.0.22621.0/x64/signtool.exe"
Wait = $true
ArgumentList = "sign", "/sha1", "$env:CODESIGN_WIN_THUMBPRINT", "/tr", "http://time.certum.pl", "/td", "sha256", "/fd", "sha1", "/v", "./${env:DIST_FILE_NAME}.exe"
WorkingDirectory = "."
NoNewWindow = $true
}
Start-Process @processOptions1
# -------------------
# 2nd signing
$processOptions2 = @{
FilePath = "C:\Program Files (x86)/Windows Kits/10/bin/10.0.22621.0/x64/signtool.exe"
Wait = $true
ArgumentList = "sign", "/sha1", "$env:CODESIGN_WIN_THUMBPRINT", "/tr", "http://time.certum.pl", "/td", "sha256", "/fd", "sha256", "/v", "./${env:DIST_FILE_NAME}.exe"
WorkingDirectory = "."
NoNewWindow = $true
}
Start-Process @processOptions2
# -------------------
# Create insider's build zip
$compress = @{
Path = "./${env:DIST_FILE_NAME}.exe"
CompressionLevel = "Fastest"
DestinationPath = "${env:DIST_FILE_NAME}--win-x64--${{ github.sha }}.zip"
}
Compress-Archive @compress
# -------------------
# Move the zip file to the root directory
Move-Item "${env:DIST_FILE_NAME}--win-x64--${{ github.sha }}.zip" ..
# -------------------
# Clean up
Remove-Item -Force build.cjs
dir
artifact_insider: butler-sheet-icons--win-x64--${{ github.sha }}.zip
- os: mac-build1
build: |
cd src
./node_modules/.bin/esbuild ${DIST_FILE_NAME}.js --bundle --outfile=build.cjs --format=cjs --platform=node --target=node23
node --experimental-sea-config sea-config.json
cp $(command -v node) ${DIST_FILE_NAME}
npx postject ${DIST_FILE_NAME} NODE_SEA_BLOB sea-prep.blob --sentinel-fuse NODE_SEA_FUSE_fce680ab2cc467b6e072b8b5df1996b2 --macho-segment-name NODE_SEA
security delete-keychain build.keychain || true
pwd
ls -la
# -------------------
# Turn our base64-encoded certificate back to a regular .p12 file
echo $MACOS_CERTIFICATE | base64 --decode > certificate.p12
# -------------------
# We need to create a new keychain, otherwise using the certificate will prompt
# with a UI dialog asking for the certificate password, which we can't
# use in a headless CI environment
security create-keychain -p "$MACOS_CI_KEYCHAIN_PWD" build.keychain
security list-keychains -d user -s build.keychain
security default-keychain -d user -s build.keychain
security unlock-keychain -p "$MACOS_CI_KEYCHAIN_PWD" build.keychain
security import certificate.p12 -k build.keychain -P "$MACOS_CERTIFICATE_PWD" -T /usr/bin/codesign
security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$MACOS_CI_KEYCHAIN_PWD" build.keychain
codesign --force -s "$MACOS_CERTIFICATE_NAME" -v "./${DIST_FILE_NAME}" --deep --strict --options=runtime --timestamp --entitlements ../release-config/${DIST_FILE_NAME}.entitlements
# -------------------
# Notarize
# Store the notarization credentials so that we can prevent a UI password dialog from blocking the CI
echo "Create keychain profile"
xcrun notarytool store-credentials "notarytool-profile" --apple-id "$PROD_MACOS_NOTARIZATION_APPLE_ID" --team-id "$PROD_MACOS_NOTARIZATION_TEAM_ID" --password "$PROD_MACOS_NOTARIZATION_PWD"
# -------------------
# We can't notarize an app bundle directly, but we need to compress it as an archive.
# Therefore, we create a zip file containing our app bundle, so that we can send it to the
# notarization service
# Notarize insider binary
echo "Creating temp notarization archive for insider build"
ditto -c -k --keepParent "./${DIST_FILE_NAME}" "./${DIST_FILE_NAME}--macos-x64--${{ github.sha }}.zip"
# Here we send the notarization request to the Apple's Notarization service, waiting for the result.
# This typically takes a few seconds inside a CI environment, but it might take more depending on the App
# characteristics. Visit the Notarization docs for more information and strategies on how to optimize it if
# you're curious
echo "Notarize insider app"
xcrun notarytool submit "./${DIST_FILE_NAME}--macos-x64--${{ github.sha }}.zip" --keychain-profile "notarytool-profile" --wait
# -------------------
# Move the zip file to the root directory
mv "./${DIST_FILE_NAME}--macos-x64--${{ github.sha }}.zip" ..
# -------------------
# Clean up
# Delete build keychain
security delete-keychain build.keychain
rm build.cjs
ls -la
artifact_insider: butler-sheet-icons--macos-x64--${{ github.sha }}.zip
- os: ubuntu-latest
build: |
cd src
./node_modules/.bin/esbuild ${DIST_FILE_NAME}.js --bundle --outfile=build.cjs --format=cjs --platform=node --target=node23
node --experimental-sea-config sea-config.json
cp $(command -v node) ${DIST_FILE_NAME}
npx postject ${DIST_FILE_NAME} NODE_SEA_BLOB sea-prep.blob --sentinel-fuse NODE_SEA_FUSE_fce680ab2cc467b6e072b8b5df1996b2
# Compress insider's build
tar -czf "${DIST_FILE_NAME}--linux-x64--${{ github.sha }}.tgz" "${DIST_FILE_NAME}"
ls -la
# -------------------
# Move the zip file to the root directory
mv "${DIST_FILE_NAME}--linux-x64--${{ github.sha }}.tgz" ..
# -------------------
# Clean up
rm build.cjs
ls -la
artifact_insider: butler-sheet-icons--linux-x64--${{ github.sha }}.tgz
runs-on: ${{ matrix.os }}
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Setup Node.js
uses: actions/setup-node@v4
with:
node-version: 23
- name: Install tool for creating stand-alone executables
run: |
npm install pkg --location=global
- name: Install dependencies
run: |
pwd
cd src
npm ci --include=prod
- name: Run Snyk to check for vulnerabilities
if: |
github.repository_owner == 'ptarmiganlabs' &&
matrix.os == 'ubuntu-latest'
uses: snyk/actions/node@master
continue-on-error: true
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
with:
args: --file=./src/package.json --sarif-file-output=snyk.sarif
- name: Upload Snyk result to GitHub Code Scanning
continue-on-error: true
if: |
github.repository_owner == 'ptarmiganlabs' &&
matrix.os == 'ubuntu-latest'
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: snyk.sarif
- name: Create binaries
env:
DIST_FILE_NAME: butler-sheet-icons
GITHUB_TOKEN: ${{ secrets.PAT }}
MACOS_CERTIFICATE: ${{ secrets.PROD_MACOS_CERTIFICATE_BASE64_CODESIGN }}
MACOS_CERTIFICATE_PWD: ${{ secrets.PROD_MACOS_CERTIFICATE_CODESIGN_PWD }}
MACOS_CERTIFICATE_NAME: ${{ secrets.PROD_MACOS_CERTIFICATE_CODESIGN_NAME }}
MACOS_CI_KEYCHAIN_PWD: ${{ secrets.PROD_MACOS_CI_KEYCHAIN_PWD }}
PROD_MACOS_NOTARIZATION_APPLE_ID: ${{ secrets.PROD_MACOS_NOTARIZATION_APPLE_ID }}
PROD_MACOS_NOTARIZATION_TEAM_ID: ${{ secrets.PROD_MACOS_NOTARIZATION_TEAM_ID }}
PROD_MACOS_NOTARIZATION_PWD: ${{ secrets.PROD_MACOS_NOTARIZATION_PWD }}
CODESIGN_WIN_THUMBPRINT: ${{ secrets.WIN_CODESIGN_THUMBPRINT}}
run: |
pwd
${{ matrix.build }}
- name: Upload insider build artifacts to GitHub
uses: actions/upload-artifact@v4
with:
name: ${{ matrix.artifact_insider }}
path: ${{ matrix.artifact_insider }}