name: Release macOS app on: push: tags: - "v*" workflow_dispatch: permissions: contents: write attestations: write id-token: write env: CREATE_DMG_VERSION: 8.0.0 jobs: build-sign-notarize: runs-on: warp-macos-26-arm64-6x timeout-minutes: 20 steps: - name: Checkout uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with: submodules: recursive - name: Guard immutable release assets id: guard_release_assets uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7 with: script: | const { evaluateReleaseAssetGuard } = require('./scripts/release_asset_guard'); const tag = context.ref.replace('refs/tags/', ''); core.setOutput('skip_all', 'false'); core.setOutput('skip_upload', 'false'); core.setOutput('release_state', 'clear'); try { const release = await github.rest.repos.getReleaseByTag({ owner: context.repo.owner, repo: context.repo.repo, tag, }); const existingAssetNames = (release.data.assets || []).map((asset) => asset.name); const { conflicts, missingImmutableAssets, guardState, hasPartialConflict, shouldSkipBuildAndUpload, } = evaluateReleaseAssetGuard({ existingAssetNames }); core.setOutput('release_state', guardState); if (hasPartialConflict) { core.setFailed( `Release ${tag} has a partial immutable asset state. Existing immutable assets: ` + `${conflicts.join(', ')}. Missing immutable assets: ${missingImmutableAssets.join(', ')}. ` + 'Resolve release assets manually before rerunning.' ); return; } if (shouldSkipBuildAndUpload) { core.notice( `Release ${tag} already contains immutable assets (${conflicts.join(', ')}). ` + 'Skipping build, notarization, and upload to preserve existing signed artifacts.' ); core.setOutput('skip_all', 'true'); core.setOutput('skip_upload', 'true'); return; } core.notice(`Release ${tag} exists but has no immutable release assets yet; continuing.`); } catch (error) { if (error.status === 404) { core.notice(`Release ${tag} does not exist yet; safe to build and publish assets.`); return; } throw error; } - name: Select Xcode if: steps.guard_release_assets.outputs.skip_all != 'true' run: | set -euo pipefail if [ -d "/Applications/Xcode.app/Contents/Developer" ]; then XCODE_DIR="/Applications/Xcode.app/Contents/Developer" else XCODE_APP="$(ls -d /Applications/Xcode*.app 2>/dev/null | head -n 1 || true)" if [ -n "$XCODE_APP" ]; then XCODE_DIR="$XCODE_APP/Contents/Developer" else echo "No Xcode.app found under /Applications" >&2 exit 1 fi fi echo "DEVELOPER_DIR=$XCODE_DIR" >> "$GITHUB_ENV" export DEVELOPER_DIR="$XCODE_DIR" xcodebuild -version xcrun --sdk macosx --show-sdk-path - name: Install build deps if: steps.guard_release_assets.outputs.skip_all != 'true' run: | ZIG_REQUIRED="0.15.2" if command -v zig >/dev/null 2>&1 && zig version 2>/dev/null | grep -q "^${ZIG_REQUIRED}"; then echo "zig ${ZIG_REQUIRED} already installed" else echo "Installing zig ${ZIG_REQUIRED} from tarball" curl -fSL "https://ziglang.org/download/${ZIG_REQUIRED}/zig-aarch64-macos-${ZIG_REQUIRED}.tar.xz" -o /tmp/zig.tar.xz tar xf /tmp/zig.tar.xz -C /tmp sudo mkdir -p /usr/local/bin /usr/local/lib sudo cp -f /tmp/zig-aarch64-macos-${ZIG_REQUIRED}/zig /usr/local/bin/zig sudo cp -rf /tmp/zig-aarch64-macos-${ZIG_REQUIRED}/lib /usr/local/lib/zig export PATH="/usr/local/bin:$PATH" zig version fi npm install --global "create-dmg@${CREATE_DMG_VERSION}" - name: Download pre-built GhosttyKit.xcframework if: steps.guard_release_assets.outputs.skip_all != 'true' run: | ./scripts/download-prebuilt-ghosttykit.sh - name: Cache Swift packages if: steps.guard_release_assets.outputs.skip_all != 'true' uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4 with: path: .spm-cache key: spm-${{ hashFiles('GhosttyTabs.xcodeproj/project.xcworkspace/xcshareddata/swiftpm/Package.resolved') }} restore-keys: spm- - name: Setup Go if: steps.guard_release_assets.outputs.skip_all != 'true' uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0 with: go-version-file: daemon/remote/go.mod - name: Derive Sparkle public key from private key if: steps.guard_release_assets.outputs.skip_all != 'true' env: SPARKLE_PRIVATE_KEY: ${{ secrets.SPARKLE_PRIVATE_KEY }} run: | if [ -z "$SPARKLE_PRIVATE_KEY" ]; then echo "Missing SPARKLE_PRIVATE_KEY secret" >&2 exit 1 fi DERIVED_PUBLIC_KEY=$(swift scripts/derive_sparkle_public_key.swift "$SPARKLE_PRIVATE_KEY") echo "Derived Sparkle public key: $DERIVED_PUBLIC_KEY" echo "SPARKLE_PUBLIC_KEY=$DERIVED_PUBLIC_KEY" >> "$GITHUB_ENV" - name: Build universal app (Release) if: steps.guard_release_assets.outputs.skip_all != 'true' run: | xcodebuild -scheme cmux -configuration Release -derivedDataPath build-universal \ -destination 'generic/platform=macOS' \ -clonedSourcePackagesDirPath .spm-cache \ ARCHS="arm64 x86_64" \ ONLY_ACTIVE_ARCH=NO \ CODE_SIGNING_ALLOWED=NO build - name: Verify binary architectures if: steps.guard_release_assets.outputs.skip_all != 'true' run: | set -euo pipefail APP_BINARY="build-universal/Build/Products/Release/cmux.app/Contents/MacOS/cmux" CLI_BINARY="build-universal/Build/Products/Release/cmux.app/Contents/Resources/bin/cmux" HELPER_BINARY="build-universal/Build/Products/Release/cmux.app/Contents/Resources/bin/ghostty" APP_ARCHS="$(lipo -archs "$APP_BINARY")" CLI_ARCHS="$(lipo -archs "$CLI_BINARY")" HELPER_ARCHS="$(lipo -archs "$HELPER_BINARY")" echo "App binary architectures: $APP_ARCHS" echo "CLI binary architectures: $CLI_ARCHS" echo "Ghostty helper architectures: $HELPER_ARCHS" [[ "$APP_ARCHS" == *arm64* && "$APP_ARCHS" == *x86_64* ]] [[ "$CLI_ARCHS" == *arm64* && "$CLI_ARCHS" == *x86_64* ]] [[ "$HELPER_ARCHS" == *arm64* && "$HELPER_ARCHS" == *x86_64* ]] - name: Build remote daemon release assets and inject manifest if: steps.guard_release_assets.outputs.skip_all != 'true' run: | set -euo pipefail APP_PLIST="build-universal/Build/Products/Release/cmux.app/Contents/Info.plist" APP_VERSION=$(/usr/libexec/PlistBuddy -c "Print :CFBundleShortVersionString" "$APP_PLIST") ./scripts/build_remote_daemon_release_assets.sh \ --version "$APP_VERSION" \ --release-tag "$GITHUB_REF_NAME" \ --repo "manaflow-ai/cmux" \ --output-dir "remote-daemon-assets" MANIFEST_JSON="$(python3 -c 'import json,sys; print(json.dumps(json.load(open(sys.argv[1], encoding="utf-8")), separators=(",",":")))' remote-daemon-assets/cmuxd-remote-manifest.json)" plutil -remove CMUXRemoteDaemonManifestJSON "$APP_PLIST" >/dev/null 2>&1 || true plutil -insert CMUXRemoteDaemonManifestJSON -string "$MANIFEST_JSON" "$APP_PLIST" - name: Run CLI version memory guard regression if: steps.guard_release_assets.outputs.skip_all != 'true' run: | set -euo pipefail CLI_BINARY="build-universal/Build/Products/Release/cmux.app/Contents/Resources/bin/cmux" [ -x "$CLI_BINARY" ] || { echo "cmux CLI binary not found at $CLI_BINARY" >&2; exit 1; } CMUX_CLI_BIN="$CLI_BINARY" python3 tests/test_cli_version_memory_guard.py - name: Verify bundled Ghostty theme picker helper if: steps.guard_release_assets.outputs.skip_all != 'true' run: | set -euo pipefail HELPER_BINARY="build-universal/Build/Products/Release/cmux.app/Contents/Resources/bin/ghostty" [ -x "$HELPER_BINARY" ] || { echo "Ghostty theme picker helper not found at $HELPER_BINARY" >&2; exit 1; } - name: Inject Sparkle keys into Info.plist if: steps.guard_release_assets.outputs.skip_all != 'true' run: | APP_PLIST="build-universal/Build/Products/Release/cmux.app/Contents/Info.plist" /usr/libexec/PlistBuddy -c "Delete :SUPublicEDKey" "$APP_PLIST" >/dev/null 2>&1 || true /usr/libexec/PlistBuddy -c "Delete :SUFeedURL" "$APP_PLIST" >/dev/null 2>&1 || true echo "Adding SUPublicEDKey to Info.plist..." /usr/libexec/PlistBuddy -c "Add :SUPublicEDKey string ${SPARKLE_PUBLIC_KEY}" "$APP_PLIST" echo "Adding SUFeedURL to Info.plist..." /usr/libexec/PlistBuddy -c "Add :SUFeedURL string https://github.com/manaflow-ai/cmux/releases/latest/download/appcast.xml" "$APP_PLIST" echo "Verifying:" /usr/libexec/PlistBuddy -c "Print :SUPublicEDKey" "$APP_PLIST" /usr/libexec/PlistBuddy -c "Print :SUFeedURL" "$APP_PLIST" - name: Import signing cert if: steps.guard_release_assets.outputs.skip_all != 'true' env: APPLE_CERTIFICATE_BASE64: ${{ secrets.APPLE_CERTIFICATE_BASE64 }} APPLE_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }} run: | if [ -z "$APPLE_CERTIFICATE_BASE64" ]; then echo "Missing APPLE_CERTIFICATE_BASE64 secret" >&2 exit 1 fi if [ -z "$APPLE_CERTIFICATE_PASSWORD" ]; then echo "Missing APPLE_CERTIFICATE_PASSWORD secret" >&2 exit 1 fi KEYCHAIN_PASSWORD="$(uuidgen)" echo "$APPLE_CERTIFICATE_BASE64" | base64 --decode > /tmp/cert.p12 security delete-keychain build.keychain >/dev/null 2>&1 || true security create-keychain -p "$KEYCHAIN_PASSWORD" build.keychain security set-keychain-settings -lut 21600 build.keychain security unlock-keychain -p "$KEYCHAIN_PASSWORD" build.keychain security import /tmp/cert.p12 -k build.keychain -P "$APPLE_CERTIFICATE_PASSWORD" -T /usr/bin/codesign -T /usr/bin/security security set-key-partition-list -S apple-tool:,apple: -s -k "$KEYCHAIN_PASSWORD" build.keychain security list-keychains -d user -s build.keychain - name: Codesign app if: steps.guard_release_assets.outputs.skip_all != 'true' env: APPLE_SIGNING_IDENTITY: ${{ secrets.APPLE_SIGNING_IDENTITY }} run: | if [ -z "$APPLE_SIGNING_IDENTITY" ]; then echo "Missing APPLE_SIGNING_IDENTITY secret" >&2 exit 1 fi APP_PATH="build-universal/Build/Products/Release/cmux.app" ENTITLEMENTS="cmux.entitlements" CLI_PATH="$APP_PATH/Contents/Resources/bin/cmux" HELPER_PATH="$APP_PATH/Contents/Resources/bin/ghostty" if [ -f "$CLI_PATH" ]; then /usr/bin/codesign --force --options runtime --timestamp --sign "$APPLE_SIGNING_IDENTITY" --entitlements "$ENTITLEMENTS" "$CLI_PATH" fi if [ -f "$HELPER_PATH" ]; then /usr/bin/codesign --force --options runtime --timestamp --sign "$APPLE_SIGNING_IDENTITY" --entitlements "$ENTITLEMENTS" "$HELPER_PATH" fi /usr/bin/codesign --force --options runtime --timestamp --sign "$APPLE_SIGNING_IDENTITY" --entitlements "$ENTITLEMENTS" --deep "$APP_PATH" /usr/bin/codesign --verify --deep --strict --verbose=2 "$APP_PATH" - name: Notarize app if: steps.guard_release_assets.outputs.skip_all != 'true' env: APPLE_ID: ${{ secrets.APPLE_ID }} APPLE_APP_SPECIFIC_PASSWORD: ${{ secrets.APPLE_APP_SPECIFIC_PASSWORD }} APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }} APPLE_SIGNING_IDENTITY: ${{ secrets.APPLE_SIGNING_IDENTITY }} run: | if [ -z "$APPLE_ID" ] || [ -z "$APPLE_APP_SPECIFIC_PASSWORD" ] || [ -z "$APPLE_TEAM_ID" ]; then echo "Missing notarization secrets (APPLE_ID, APPLE_APP_SPECIFIC_PASSWORD, APPLE_TEAM_ID)" >&2 exit 1 fi APP_PATH="build-universal/Build/Products/Release/cmux.app" ZIP_SUBMIT="cmux-notary.zip" DMG_RELEASE="cmux-macos.dmg" ditto -c -k --sequesterRsrc --keepParent "$APP_PATH" "$ZIP_SUBMIT" APP_SUBMIT_JSON="$(xcrun notarytool submit "$ZIP_SUBMIT" --apple-id "$APPLE_ID" --team-id "$APPLE_TEAM_ID" --password "$APPLE_APP_SPECIFIC_PASSWORD" --wait --output-format json)" APP_SUBMIT_ID="$(python3 -c 'import json,sys; print(json.load(sys.stdin)["id"])' <<<"$APP_SUBMIT_JSON")" APP_STATUS="$(python3 -c 'import json,sys; print(json.load(sys.stdin)["status"])' <<<"$APP_SUBMIT_JSON")" if [ "$APP_STATUS" != "Accepted" ]; then echo "App notarization failed with status: $APP_STATUS" >&2 xcrun notarytool log "$APP_SUBMIT_ID" --apple-id "$APPLE_ID" --team-id "$APPLE_TEAM_ID" --password "$APPLE_APP_SPECIFIC_PASSWORD" || true exit 1 fi xcrun stapler staple "$APP_PATH" xcrun stapler validate "$APP_PATH" spctl -a -vv --type execute "$APP_PATH" rm -f "$ZIP_SUBMIT" # create-dmg generates a styled drag-to-install DMG create-dmg \ --identity="$APPLE_SIGNING_IDENTITY" \ "$APP_PATH" \ ./ mv ./cmux*.dmg "$DMG_RELEASE" DMG_SUBMIT_JSON="$(xcrun notarytool submit "$DMG_RELEASE" --apple-id "$APPLE_ID" --team-id "$APPLE_TEAM_ID" --password "$APPLE_APP_SPECIFIC_PASSWORD" --wait --output-format json)" DMG_SUBMIT_ID="$(python3 -c 'import json,sys; print(json.load(sys.stdin)["id"])' <<<"$DMG_SUBMIT_JSON")" DMG_STATUS="$(python3 -c 'import json,sys; print(json.load(sys.stdin)["status"])' <<<"$DMG_SUBMIT_JSON")" if [ "$DMG_STATUS" != "Accepted" ]; then echo "DMG notarization failed with status: $DMG_STATUS" >&2 xcrun notarytool log "$DMG_SUBMIT_ID" --apple-id "$APPLE_ID" --team-id "$APPLE_TEAM_ID" --password "$APPLE_APP_SPECIFIC_PASSWORD" || true exit 1 fi xcrun stapler staple "$DMG_RELEASE" xcrun stapler validate "$DMG_RELEASE" - name: Upload dSYMs to Sentry if: steps.guard_release_assets.outputs.skip_all != 'true' env: SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }} SENTRY_ORG: manaflow SENTRY_PROJECT: cmuxterm-macos run: | if [ -z "$SENTRY_AUTH_TOKEN" ]; then echo "SENTRY_AUTH_TOKEN not set, skipping dSYM upload" exit 0 fi brew install getsentry/tools/sentry-cli || true sentry-cli debug-files upload --include-sources build-universal/Build/Products/Release/ - name: Generate Sparkle appcast if: steps.guard_release_assets.outputs.skip_all != 'true' env: SPARKLE_PRIVATE_KEY: ${{ secrets.SPARKLE_PRIVATE_KEY }} run: | if [ -z "$SPARKLE_PRIVATE_KEY" ]; then echo "Missing SPARKLE_PRIVATE_KEY secret" >&2 exit 1 fi ./scripts/sparkle_generate_appcast.sh cmux-macos.dmg "$GITHUB_REF_NAME" appcast.xml - name: Upload release assets to R2 if: steps.guard_release_assets.outputs.skip_upload != 'true' && github.event_name == 'push' && startsWith(github.ref, 'refs/tags/') continue-on-error: true env: AWS_ACCESS_KEY_ID: ${{ secrets.CF_R2_ACCESS_KEY_ID }} AWS_SECRET_ACCESS_KEY: ${{ secrets.CF_R2_SECRET_ACCESS_KEY }} AWS_DEFAULT_REGION: auto R2_ENDPOINT: "https://${{ secrets.CF_R2_ACCOUNT_ID }}.r2.cloudflarestorage.com" run: | set -euo pipefail command -v aws >/dev/null 2>&1 || { echo "Installing AWS CLI..."; brew install awscli; } BUCKET=cmux-binaries # Derive R2 appcast by replacing the download URL prefix. sed "s|https://github.com/manaflow-ai/cmux/releases/download/${GITHUB_REF_NAME}/|https://files.cmux.com/stable/|g" \ appcast.xml > appcast-r2.xml # Upload DMG first so the appcast never references a missing file. aws s3 cp cmux-macos.dmg \ "s3://${BUCKET}/stable/cmux-macos.dmg" \ --endpoint-url "$R2_ENDPOINT" \ --cache-control "no-cache, no-store, must-revalidate" # Upload appcast last (atomic PutObject, no 404 window). aws s3 cp appcast-r2.xml \ "s3://${BUCKET}/stable/appcast.xml" \ --endpoint-url "$R2_ENDPOINT" \ --cache-control "no-cache, no-store, must-revalidate" echo "R2 upload complete: https://files.cmux.com/stable/appcast.xml" - name: Attest remote daemon release assets if: steps.guard_release_assets.outputs.skip_all != 'true' uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4.1.0 with: subject-path: | remote-daemon-assets/cmuxd-remote-darwin-arm64 remote-daemon-assets/cmuxd-remote-darwin-amd64 remote-daemon-assets/cmuxd-remote-linux-arm64 remote-daemon-assets/cmuxd-remote-linux-amd64 remote-daemon-assets/cmuxd-remote-checksums.txt remote-daemon-assets/cmuxd-remote-manifest.json - name: Upload build artifacts (dry-run) if: steps.guard_release_assets.outputs.skip_upload != 'true' && github.event_name == 'workflow_dispatch' uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 with: name: cmux-release-dry-run path: | cmux-macos.dmg appcast.xml remote-daemon-assets/cmuxd-remote-* if-no-files-found: error - name: Upload release asset if: steps.guard_release_assets.outputs.skip_upload != 'true' && github.event_name == 'push' && startsWith(github.ref, 'refs/tags/') uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b # v2 with: files: | cmux-macos.dmg appcast.xml remote-daemon-assets/cmuxd-remote-darwin-arm64 remote-daemon-assets/cmuxd-remote-darwin-amd64 remote-daemon-assets/cmuxd-remote-linux-arm64 remote-daemon-assets/cmuxd-remote-linux-amd64 remote-daemon-assets/cmuxd-remote-checksums.txt remote-daemon-assets/cmuxd-remote-manifest.json generate_release_notes: true overwrite_files: false - name: Cleanup keychain if: always() run: | security delete-keychain build.keychain >/dev/null 2>&1 || true rm -f /tmp/cert.p12