local-transcription/.gitea/workflows/build-app-macos.yml at e0396df7b096d0b2bb74fe2cfcff4f11ffe94d3a

streamer-tools/local-transcription

Fork 0

Files

Developer e0396df7b0

Tests / Python Backend Tests (push) Successful in 5s

Details

Tests / Frontend Tests (push) Successful in 7s

Details

Tests / Rust Sidecar Tests (push) Successful in 2m4s

Details

Use ad-hoc signing when no Apple certificate is configured

Prevents Tauri from auto-detecting local keychain certificates on the
build machine, which causes SecKeychainItemImport failures.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

2026-04-10 19:30:44 -07:00

123 lines

4.4 KiB

YAML

Raw Blame History

 name: Build App (macOS)
 on:
   workflow_dispatch:
     inputs:
       tag:
         description: 'Release tag to build (e.g. v1.4.5)'
         required: true
 jobs:
   build-macos:
     name: Build App (macOS)
     runs-on: macos-latest
     env:
       NODE_VERSION: "20"
       RELEASE_TAG: "${{ inputs.tag }}"
     steps:
       - name: Show tag
         run: |
           echo "Building for tag: ${RELEASE_TAG}"
       - uses: actions/checkout@v4
         with:
           ref: ${{ inputs.tag }}
       - name: Set up Node.js
         uses: actions/setup-node@v4
         with:
           node-version: ${{ env.NODE_VERSION }}
       - name: Install Rust stable
         run: |
           curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y --default-toolchain stable
           echo "$HOME/.cargo/bin" >> $GITHUB_PATH
       - name: Install system dependencies
         run: brew install --quiet create-dmg || true
       - name: Install npm dependencies
         run: npm ci
       - name: Setup code signing
         env:
           APPLE_API_KEY: ${{ secrets.APPLE_API_KEY }}
           APPLE_API_KEY_CONTENT: ${{ secrets.APPLE_API_KEY_CONTENT }}
         run: |
           if [ -n "${APPLE_API_KEY_CONTENT}" ]; then
             echo "Setting up notarization API key..."
             mkdir -p ~/private_keys
             echo "${APPLE_API_KEY_CONTENT}" > ~/private_keys/AuthKey_${APPLE_API_KEY}.p8
           else
             echo "No signing secrets configured, skipping code signing setup"
           fi
       - name: Build Tauri app
         env:
           APPLE_CERTIFICATE: ${{ secrets.APPLE_CERTIFICATE }}
           APPLE_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
           APPLE_SIGNING_IDENTITY: ${{ secrets.APPLE_SIGNING_IDENTITY }}
           APPLE_API_KEY: ${{ secrets.APPLE_API_KEY }}
           APPLE_API_ISSUER: ${{ secrets.APPLE_API_ISSUER }}
           APPLE_API_KEY_PATH: ~/private_keys/AuthKey_${{ secrets.APPLE_API_KEY }}.p8
         run: |
           # If no signing identity is configured, use ad-hoc signing to prevent
           # Tauri from auto-detecting local keychain certificates
           if [ -z "${APPLE_SIGNING_IDENTITY}" ]; then
             export APPLE_SIGNING_IDENTITY="-"
           fi
           npm run tauri build
       - name: Upload to release
         env:
           BUILD_TOKEN: ${{ secrets.BUILD_TOKEN }}
         run: |
           which jq || brew install jq
           REPO_API="${GITHUB_SERVER_URL}/api/v1/repos/${GITHUB_REPOSITORY}"
           TAG="${RELEASE_TAG}"
           echo "Release tag: ${TAG}"
           echo "Waiting for release ${TAG} to be available..."
           RELEASE_ID=""
           for i in $(seq 1 30); do
             RELEASE_JSON=$(curl -s -H "Authorization: token ${BUILD_TOKEN}" \
               "${REPO_API}/releases/tags/${TAG}")
             RELEASE_ID=$(echo "$RELEASE_JSON" | jq -r '.id // empty')
             if [ -n "${RELEASE_ID}" ] && [ "${RELEASE_ID}" != "null" ]; then
               echo "Found release: ${TAG} (ID: ${RELEASE_ID})"
               break
             fi
             echo "Attempt ${i}/30: Release not ready yet, retrying in 10s..."
             sleep 10
           done
           if [ -z "${RELEASE_ID}" ] || [ "${RELEASE_ID}" = "null" ]; then
             echo "ERROR: Failed to find release for tag ${TAG} after 30 attempts."
             exit 1
           fi
           find src-tauri/target/release/bundle -type f -name "*.dmg" | while IFS= read -r file; do
             filename=$(basename "$file")
             encoded_name=$(echo "$filename" | sed 's/ /%20/g')
             echo "Uploading ${filename} ($(du -h "$file" | cut -f1))..."
             ASSET_ID=$(curl -s -H "Authorization: token ${BUILD_TOKEN}" \
               "${REPO_API}/releases/${RELEASE_ID}/assets" | jq -r ".[] | select(.name == \"${filename}\") | .id // empty")
             if [ -n "${ASSET_ID}" ]; then
               curl -s -X DELETE -H "Authorization: token ${BUILD_TOKEN}" \
                 "${REPO_API}/releases/${RELEASE_ID}/assets/${ASSET_ID}"
             fi
             HTTP_CODE=$(curl -s -o /dev/null -w "%{http_code}" -X POST \
               -H "Authorization: token ${BUILD_TOKEN}" \
               -H "Content-Type: application/octet-stream" \
               -T "$file" \
               "${REPO_API}/releases/${RELEASE_ID}/assets?name=${encoded_name}")
             echo "Upload response: HTTP ${HTTP_CODE}"
           done
       - name: Cleanup signing artifacts
         run: rm -rf ~/private_keys

123 lines 4.4 KiB YAML Raw Blame History

123 lines

4.4 KiB

YAML

Raw Blame History