local-transcription/.gitea/workflows/build-app-windows.yml

name: Build App (Windows)

on:
  workflow_dispatch:
    inputs:
      tag:
        description: 'Release tag to build (e.g. v1.4.5)'
        required: true

env:
  NODE_VERSION: "20"

jobs:
  build-windows:
    name: Build App (Windows)
    runs-on: windows-latest
    env:
      RELEASE_TAG: "${{ inputs.tag }}"
    steps:
      - name: Show tag
        shell: powershell
        run: |
          Write-Host "Building for tag: $env:RELEASE_TAG"

      - uses: actions/checkout@v4
        with:
          ref: ${{ inputs.tag }}

      - name: Set up Node.js
        uses: actions/setup-node@v4
        with:
          node-version: ${{ env.NODE_VERSION }}

      - name: Install Rust stable
        shell: powershell
        run: |
          if (Get-Command rustup -ErrorAction SilentlyContinue) {
            rustup default stable
          } else {
            Invoke-WebRequest -Uri https://win.rustup.rs/x86_64 -OutFile rustup-init.exe
            .\rustup-init.exe -y --default-toolchain stable
            echo "$env:USERPROFILE\.cargo\bin" | Out-File -FilePath $env:GITHUB_PATH -Encoding utf8 -Append
          }

      - name: Install npm dependencies
        shell: powershell
        run: npm ci

      - name: Setup Azure Artifact Signing
        shell: powershell
        env:
          AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
          AZURE_SIGNING_ENDPOINT: ${{ secrets.AZURE_SIGNING_ENDPOINT }}
          AZURE_SIGNING_ACCOUNT: ${{ secrets.AZURE_SIGNING_ACCOUNT }}
          AZURE_CERT_PROFILE: ${{ secrets.AZURE_CERT_PROFILE }}
        run: |
          if (-not $env:AZURE_CLIENT_ID) {
            Write-Host "No Azure signing secrets configured, skipping code signing setup"
            return
          }

          Write-Host "Setting up Azure Artifact Signing..."

          # Install Artifact Signing client tools
          nuget install Microsoft.ArtifactSigning.Client -x -OutputDirectory .\signing-tools
          $dlibPath = (Resolve-Path ".\signing-tools\Microsoft.ArtifactSigning.Client*\bin\x64\Azure.CodeSigning.Dlib.dll").Path

          # Write metadata.json
          @{
            Endpoint = $env:AZURE_SIGNING_ENDPOINT
            CodeSigningAccountName = $env:AZURE_SIGNING_ACCOUNT
            CertificateProfileName = $env:AZURE_CERT_PROFILE
          } | ConvertTo-Json | Out-File -Encoding UTF8 metadata.json
          $metadataPath = (Resolve-Path "metadata.json").Path

          # Inject signCommand into tauri.conf.json for this build
          $conf = Get-Content src-tauri\tauri.conf.json -Raw | ConvertFrom-Json
          $signCmd = "signtool.exe sign /v /fd SHA256 /tr http://timestamp.acs.microsoft.com /td SHA256 /dlib `"$dlibPath`" /dmdf `"$metadataPath`" %1"
          $conf.bundle.windows | Add-Member -NotePropertyName "signCommand" -NotePropertyValue $signCmd -Force
          $conf | ConvertTo-Json -Depth 10 | Set-Content src-tauri\tauri.conf.json -Encoding UTF8

      - name: Build Tauri app
        shell: powershell
        env:
          AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
          AZURE_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }}
          AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
        run: npm run tauri build

      - name: Upload to release
        shell: powershell
        env:
          BUILD_TOKEN: ${{ secrets.BUILD_TOKEN }}
        run: |
          $REPO_API = "${{ github.server_url }}/api/v1/repos/${{ github.repository }}"
          $Headers = @{ "Authorization" = "token $env:BUILD_TOKEN" }
          $TAG = $env:RELEASE_TAG
          Write-Host "Release tag: $TAG"

          if (-not $TAG) {
            Write-Host "ERROR: RELEASE_TAG is empty"
            exit 1
          }

          Write-Host "Waiting for release $TAG to be available..."
          $RELEASE_ID = $null

          for ($i = 1; $i -le 30; $i++) {
            try {
              $release = Invoke-RestMethod -Uri "$REPO_API/releases/tags/$TAG" -Headers $Headers -ErrorAction Stop
              $RELEASE_ID = $release.id

              if ($RELEASE_ID) {
                Write-Host "Found release: $TAG (ID: $RELEASE_ID)"
                break
              }
            } catch {}

            Write-Host "Attempt ${i}/30: Release not ready yet, retrying in 10s..."
            Start-Sleep -Seconds 10
          }

          if (-not $RELEASE_ID) {
            Write-Host "ERROR: Failed to find release for tag $TAG after 30 attempts."
            exit 1
          }

          Get-ChildItem -Path src-tauri\target\release\bundle -Recurse -Include *.msi,*-setup.exe | ForEach-Object {
            $filename = $_.Name
            $encodedName = [System.Uri]::EscapeDataString($filename)
            $size = [math]::Round($_.Length / 1MB, 1)
            Write-Host "Uploading $filename ($size MB)..."

            try {
              $assets = Invoke-RestMethod -Uri "$REPO_API/releases/$RELEASE_ID/assets" -Headers $Headers
              $existing = $assets | Where-Object { $_.name -eq $filename }
              if ($existing) {
                Invoke-RestMethod -Uri "$REPO_API/releases/$RELEASE_ID/assets/$($existing.id)" -Method Delete -Headers $Headers
              }
            } catch {}

            $uploadUrl = "$REPO_API/releases/$RELEASE_ID/assets?name=$encodedName"
            $result = curl.exe --fail --silent --show-error `
              -X POST `
              -H "Authorization: token $env:BUILD_TOKEN" `
              -H "Content-Type: application/octet-stream" `
              -T "$($_.FullName)" `
              "$uploadUrl" 2>&1
            if ($LASTEXITCODE -eq 0) {
              Write-Host "Upload successful: $filename"
            } else {
              Write-Host "WARNING: Upload failed for ${filename}: $result"
            }
          }