03dc055138
# Conflicts: # CLI/cmux.swift # Sources/Panels/BrowserPanel.swift # Sources/TabManager.swift # Sources/Workspace.swift # cmuxTests/GhosttyConfigTests.swift
340 lines
16 KiB
YAML
340 lines
16 KiB
YAML
name: Release macOS app
|
|
|
|
on:
|
|
push:
|
|
tags:
|
|
- "v*"
|
|
workflow_dispatch:
|
|
|
|
permissions:
|
|
contents: write
|
|
attestations: write
|
|
id-token: write
|
|
|
|
env:
|
|
CREATE_DMG_VERSION: 8.0.0
|
|
|
|
jobs:
|
|
build-sign-notarize:
|
|
runs-on: depot-macos-latest
|
|
steps:
|
|
- name: Checkout
|
|
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
|
|
with:
|
|
submodules: recursive
|
|
|
|
- name: Guard immutable release assets
|
|
id: guard_release_assets
|
|
uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7
|
|
with:
|
|
script: |
|
|
const { evaluateReleaseAssetGuard } = require('./scripts/release_asset_guard');
|
|
const tag = context.ref.replace('refs/tags/', '');
|
|
core.setOutput('skip_all', 'false');
|
|
core.setOutput('skip_upload', 'false');
|
|
core.setOutput('release_state', 'clear');
|
|
try {
|
|
const release = await github.rest.repos.getReleaseByTag({
|
|
owner: context.repo.owner,
|
|
repo: context.repo.repo,
|
|
tag,
|
|
});
|
|
const existingAssetNames = (release.data.assets || []).map((asset) => asset.name);
|
|
const {
|
|
conflicts,
|
|
missingImmutableAssets,
|
|
guardState,
|
|
hasPartialConflict,
|
|
shouldSkipBuildAndUpload,
|
|
} = evaluateReleaseAssetGuard({ existingAssetNames });
|
|
|
|
core.setOutput('release_state', guardState);
|
|
|
|
if (hasPartialConflict) {
|
|
core.setFailed(
|
|
`Release ${tag} has a partial immutable asset state. Existing immutable assets: ` +
|
|
`${conflicts.join(', ')}. Missing immutable assets: ${missingImmutableAssets.join(', ')}. ` +
|
|
'Resolve release assets manually before rerunning.'
|
|
);
|
|
return;
|
|
}
|
|
|
|
if (shouldSkipBuildAndUpload) {
|
|
core.notice(
|
|
`Release ${tag} already contains immutable assets (${conflicts.join(', ')}). ` +
|
|
'Skipping build, notarization, and upload to preserve existing signed artifacts.'
|
|
);
|
|
core.setOutput('skip_all', 'true');
|
|
core.setOutput('skip_upload', 'true');
|
|
return;
|
|
}
|
|
|
|
core.notice(`Release ${tag} exists but has no immutable release assets yet; continuing.`);
|
|
} catch (error) {
|
|
if (error.status === 404) {
|
|
core.notice(`Release ${tag} does not exist yet; safe to build and publish assets.`);
|
|
return;
|
|
}
|
|
throw error;
|
|
}
|
|
|
|
- name: Select Xcode
|
|
if: steps.guard_release_assets.outputs.skip_all != 'true'
|
|
run: |
|
|
set -euo pipefail
|
|
if [ -d "/Applications/Xcode.app/Contents/Developer" ]; then
|
|
XCODE_DIR="/Applications/Xcode.app/Contents/Developer"
|
|
else
|
|
XCODE_APP="$(ls -d /Applications/Xcode*.app 2>/dev/null | head -n 1 || true)"
|
|
if [ -n "$XCODE_APP" ]; then
|
|
XCODE_DIR="$XCODE_APP/Contents/Developer"
|
|
else
|
|
echo "No Xcode.app found under /Applications" >&2
|
|
exit 1
|
|
fi
|
|
fi
|
|
echo "DEVELOPER_DIR=$XCODE_DIR" >> "$GITHUB_ENV"
|
|
export DEVELOPER_DIR="$XCODE_DIR"
|
|
xcodebuild -version
|
|
xcrun --sdk macosx --show-sdk-path
|
|
|
|
- name: Install build deps
|
|
if: steps.guard_release_assets.outputs.skip_all != 'true'
|
|
run: |
|
|
if ! command -v zig >/dev/null 2>&1; then
|
|
brew install zig
|
|
fi
|
|
npm install --global "create-dmg@${CREATE_DMG_VERSION}"
|
|
|
|
- name: Download pre-built GhosttyKit.xcframework
|
|
if: steps.guard_release_assets.outputs.skip_all != 'true'
|
|
run: |
|
|
./scripts/download-prebuilt-ghosttykit.sh
|
|
|
|
- name: Cache Swift packages
|
|
if: steps.guard_release_assets.outputs.skip_all != 'true'
|
|
uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4
|
|
with:
|
|
path: .spm-cache
|
|
key: spm-${{ hashFiles('GhosttyTabs.xcodeproj/project.xcworkspace/xcshareddata/swiftpm/Package.resolved') }}
|
|
restore-keys: spm-
|
|
|
|
- name: Setup Go
|
|
if: steps.guard_release_assets.outputs.skip_all != 'true'
|
|
uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
|
|
with:
|
|
go-version-file: daemon/remote/go.mod
|
|
|
|
- name: Derive Sparkle public key from private key
|
|
if: steps.guard_release_assets.outputs.skip_all != 'true'
|
|
env:
|
|
SPARKLE_PRIVATE_KEY: ${{ secrets.SPARKLE_PRIVATE_KEY }}
|
|
run: |
|
|
if [ -z "$SPARKLE_PRIVATE_KEY" ]; then
|
|
echo "Missing SPARKLE_PRIVATE_KEY secret" >&2
|
|
exit 1
|
|
fi
|
|
DERIVED_PUBLIC_KEY=$(swift scripts/derive_sparkle_public_key.swift "$SPARKLE_PRIVATE_KEY")
|
|
echo "Derived Sparkle public key: $DERIVED_PUBLIC_KEY"
|
|
echo "SPARKLE_PUBLIC_KEY=$DERIVED_PUBLIC_KEY" >> "$GITHUB_ENV"
|
|
|
|
- name: Build app (Release)
|
|
if: steps.guard_release_assets.outputs.skip_all != 'true'
|
|
run: |
|
|
xcodebuild -scheme cmux -configuration Release -derivedDataPath build \
|
|
-clonedSourcePackagesDirPath .spm-cache \
|
|
CODE_SIGNING_ALLOWED=NO build
|
|
|
|
- name: Build remote daemon release assets and inject manifest
|
|
if: steps.guard_release_assets.outputs.skip_all != 'true'
|
|
run: |
|
|
set -euo pipefail
|
|
APP_PLIST="build/Build/Products/Release/cmux.app/Contents/Info.plist"
|
|
APP_VERSION=$(/usr/libexec/PlistBuddy -c "Print :CFBundleShortVersionString" "$APP_PLIST")
|
|
./scripts/build_remote_daemon_release_assets.sh \
|
|
--version "$APP_VERSION" \
|
|
--release-tag "$GITHUB_REF_NAME" \
|
|
--repo "manaflow-ai/cmux" \
|
|
--output-dir "remote-daemon-assets"
|
|
MANIFEST_JSON="$(python3 -c 'import json,sys; print(json.dumps(json.load(open(sys.argv[1], encoding="utf-8")), separators=(",",":")))' remote-daemon-assets/cmuxd-remote-manifest.json)"
|
|
plutil -remove CMUXRemoteDaemonManifestJSON "$APP_PLIST" >/dev/null 2>&1 || true
|
|
plutil -insert CMUXRemoteDaemonManifestJSON -string "$MANIFEST_JSON" "$APP_PLIST"
|
|
|
|
- name: Run CLI version memory guard regression
|
|
if: steps.guard_release_assets.outputs.skip_all != 'true'
|
|
run: |
|
|
set -euo pipefail
|
|
CLI_BINARY="build/Build/Products/Release/cmux.app/Contents/Resources/bin/cmux"
|
|
[ -x "$CLI_BINARY" ] || { echo "cmux CLI binary not found at $CLI_BINARY" >&2; exit 1; }
|
|
CMUX_CLI_BIN="$CLI_BINARY" python3 tests/test_cli_version_memory_guard.py
|
|
|
|
- name: Verify bundled Ghostty theme picker helper
|
|
if: steps.guard_release_assets.outputs.skip_all != 'true'
|
|
run: |
|
|
set -euo pipefail
|
|
HELPER_BINARY="build/Build/Products/Release/cmux.app/Contents/Resources/bin/ghostty"
|
|
[ -x "$HELPER_BINARY" ] || { echo "Ghostty theme picker helper not found at $HELPER_BINARY" >&2; exit 1; }
|
|
|
|
- name: Inject Sparkle keys into Info.plist
|
|
if: steps.guard_release_assets.outputs.skip_all != 'true'
|
|
run: |
|
|
APP_PLIST="build/Build/Products/Release/cmux.app/Contents/Info.plist"
|
|
/usr/libexec/PlistBuddy -c "Delete :SUPublicEDKey" "$APP_PLIST" >/dev/null 2>&1 || true
|
|
/usr/libexec/PlistBuddy -c "Delete :SUFeedURL" "$APP_PLIST" >/dev/null 2>&1 || true
|
|
echo "Adding SUPublicEDKey to Info.plist..."
|
|
/usr/libexec/PlistBuddy -c "Add :SUPublicEDKey string ${SPARKLE_PUBLIC_KEY}" "$APP_PLIST"
|
|
echo "Adding SUFeedURL to Info.plist..."
|
|
/usr/libexec/PlistBuddy -c "Add :SUFeedURL string https://github.com/manaflow-ai/cmux/releases/latest/download/appcast.xml" "$APP_PLIST"
|
|
echo "Verifying:"
|
|
/usr/libexec/PlistBuddy -c "Print :SUPublicEDKey" "$APP_PLIST"
|
|
/usr/libexec/PlistBuddy -c "Print :SUFeedURL" "$APP_PLIST"
|
|
|
|
- name: Import signing cert
|
|
if: steps.guard_release_assets.outputs.skip_all != 'true'
|
|
env:
|
|
APPLE_CERTIFICATE_BASE64: ${{ secrets.APPLE_CERTIFICATE_BASE64 }}
|
|
APPLE_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
|
|
run: |
|
|
if [ -z "$APPLE_CERTIFICATE_BASE64" ]; then
|
|
echo "Missing APPLE_CERTIFICATE_BASE64 secret" >&2
|
|
exit 1
|
|
fi
|
|
if [ -z "$APPLE_CERTIFICATE_PASSWORD" ]; then
|
|
echo "Missing APPLE_CERTIFICATE_PASSWORD secret" >&2
|
|
exit 1
|
|
fi
|
|
KEYCHAIN_PASSWORD="$(uuidgen)"
|
|
echo "$APPLE_CERTIFICATE_BASE64" | base64 --decode > /tmp/cert.p12
|
|
security delete-keychain build.keychain >/dev/null 2>&1 || true
|
|
security create-keychain -p "$KEYCHAIN_PASSWORD" build.keychain
|
|
security set-keychain-settings -lut 21600 build.keychain
|
|
security unlock-keychain -p "$KEYCHAIN_PASSWORD" build.keychain
|
|
security import /tmp/cert.p12 -k build.keychain -P "$APPLE_CERTIFICATE_PASSWORD" -T /usr/bin/codesign -T /usr/bin/security
|
|
security set-key-partition-list -S apple-tool:,apple: -s -k "$KEYCHAIN_PASSWORD" build.keychain
|
|
security list-keychains -d user -s build.keychain
|
|
|
|
- name: Codesign app
|
|
if: steps.guard_release_assets.outputs.skip_all != 'true'
|
|
env:
|
|
APPLE_SIGNING_IDENTITY: ${{ secrets.APPLE_SIGNING_IDENTITY }}
|
|
run: |
|
|
if [ -z "$APPLE_SIGNING_IDENTITY" ]; then
|
|
echo "Missing APPLE_SIGNING_IDENTITY secret" >&2
|
|
exit 1
|
|
fi
|
|
APP_PATH="build/Build/Products/Release/cmux.app"
|
|
ENTITLEMENTS="cmux.entitlements"
|
|
CLI_PATH="$APP_PATH/Contents/Resources/bin/cmux"
|
|
HELPER_PATH="$APP_PATH/Contents/Resources/bin/ghostty"
|
|
if [ -f "$CLI_PATH" ]; then
|
|
/usr/bin/codesign --force --options runtime --timestamp --sign "$APPLE_SIGNING_IDENTITY" --entitlements "$ENTITLEMENTS" "$CLI_PATH"
|
|
fi
|
|
if [ -f "$HELPER_PATH" ]; then
|
|
/usr/bin/codesign --force --options runtime --timestamp --sign "$APPLE_SIGNING_IDENTITY" --entitlements "$ENTITLEMENTS" "$HELPER_PATH"
|
|
fi
|
|
/usr/bin/codesign --force --options runtime --timestamp --sign "$APPLE_SIGNING_IDENTITY" --entitlements "$ENTITLEMENTS" --deep "$APP_PATH"
|
|
/usr/bin/codesign --verify --deep --strict --verbose=2 "$APP_PATH"
|
|
|
|
- name: Notarize app
|
|
if: steps.guard_release_assets.outputs.skip_all != 'true'
|
|
env:
|
|
APPLE_ID: ${{ secrets.APPLE_ID }}
|
|
APPLE_APP_SPECIFIC_PASSWORD: ${{ secrets.APPLE_APP_SPECIFIC_PASSWORD }}
|
|
APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
|
|
APPLE_SIGNING_IDENTITY: ${{ secrets.APPLE_SIGNING_IDENTITY }}
|
|
run: |
|
|
if [ -z "$APPLE_ID" ] || [ -z "$APPLE_APP_SPECIFIC_PASSWORD" ] || [ -z "$APPLE_TEAM_ID" ]; then
|
|
echo "Missing notarization secrets (APPLE_ID, APPLE_APP_SPECIFIC_PASSWORD, APPLE_TEAM_ID)" >&2
|
|
exit 1
|
|
fi
|
|
APP_PATH="build/Build/Products/Release/cmux.app"
|
|
ZIP_SUBMIT="cmux-notary.zip"
|
|
DMG_RELEASE="cmux-macos.dmg"
|
|
ditto -c -k --sequesterRsrc --keepParent "$APP_PATH" "$ZIP_SUBMIT"
|
|
APP_SUBMIT_JSON="$(xcrun notarytool submit "$ZIP_SUBMIT" --apple-id "$APPLE_ID" --team-id "$APPLE_TEAM_ID" --password "$APPLE_APP_SPECIFIC_PASSWORD" --wait --output-format json)"
|
|
APP_SUBMIT_ID="$(python3 -c 'import json,sys; print(json.load(sys.stdin)["id"])' <<<"$APP_SUBMIT_JSON")"
|
|
APP_STATUS="$(python3 -c 'import json,sys; print(json.load(sys.stdin)["status"])' <<<"$APP_SUBMIT_JSON")"
|
|
if [ "$APP_STATUS" != "Accepted" ]; then
|
|
echo "App notarization failed with status: $APP_STATUS" >&2
|
|
xcrun notarytool log "$APP_SUBMIT_ID" --apple-id "$APPLE_ID" --team-id "$APPLE_TEAM_ID" --password "$APPLE_APP_SPECIFIC_PASSWORD" || true
|
|
exit 1
|
|
fi
|
|
xcrun stapler staple "$APP_PATH"
|
|
xcrun stapler validate "$APP_PATH"
|
|
spctl -a -vv --type execute "$APP_PATH"
|
|
rm -f "$ZIP_SUBMIT"
|
|
# create-dmg generates a styled drag-to-install DMG
|
|
create-dmg \
|
|
--identity="$APPLE_SIGNING_IDENTITY" \
|
|
"$APP_PATH" \
|
|
./
|
|
mv ./cmux*.dmg "$DMG_RELEASE"
|
|
DMG_SUBMIT_JSON="$(xcrun notarytool submit "$DMG_RELEASE" --apple-id "$APPLE_ID" --team-id "$APPLE_TEAM_ID" --password "$APPLE_APP_SPECIFIC_PASSWORD" --wait --output-format json)"
|
|
DMG_SUBMIT_ID="$(python3 -c 'import json,sys; print(json.load(sys.stdin)["id"])' <<<"$DMG_SUBMIT_JSON")"
|
|
DMG_STATUS="$(python3 -c 'import json,sys; print(json.load(sys.stdin)["status"])' <<<"$DMG_SUBMIT_JSON")"
|
|
if [ "$DMG_STATUS" != "Accepted" ]; then
|
|
echo "DMG notarization failed with status: $DMG_STATUS" >&2
|
|
xcrun notarytool log "$DMG_SUBMIT_ID" --apple-id "$APPLE_ID" --team-id "$APPLE_TEAM_ID" --password "$APPLE_APP_SPECIFIC_PASSWORD" || true
|
|
exit 1
|
|
fi
|
|
xcrun stapler staple "$DMG_RELEASE"
|
|
xcrun stapler validate "$DMG_RELEASE"
|
|
|
|
- name: Upload dSYMs to Sentry
|
|
if: steps.guard_release_assets.outputs.skip_all != 'true'
|
|
env:
|
|
SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}
|
|
SENTRY_ORG: manaflow
|
|
SENTRY_PROJECT: cmuxterm-macos
|
|
run: |
|
|
if [ -z "$SENTRY_AUTH_TOKEN" ]; then
|
|
echo "SENTRY_AUTH_TOKEN not set, skipping dSYM upload"
|
|
exit 0
|
|
fi
|
|
brew install getsentry/tools/sentry-cli || true
|
|
sentry-cli debug-files upload --include-sources build/Build/Products/Release/
|
|
|
|
- name: Generate Sparkle appcast
|
|
if: steps.guard_release_assets.outputs.skip_all != 'true'
|
|
env:
|
|
SPARKLE_PRIVATE_KEY: ${{ secrets.SPARKLE_PRIVATE_KEY }}
|
|
run: |
|
|
if [ -z "$SPARKLE_PRIVATE_KEY" ]; then
|
|
echo "Missing SPARKLE_PRIVATE_KEY secret" >&2
|
|
exit 1
|
|
fi
|
|
./scripts/sparkle_generate_appcast.sh cmux-macos.dmg "$GITHUB_REF_NAME" appcast.xml
|
|
|
|
- name: Attest remote daemon release assets
|
|
if: steps.guard_release_assets.outputs.skip_all != 'true'
|
|
uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4.1.0
|
|
with:
|
|
subject-path: |
|
|
remote-daemon-assets/cmuxd-remote-darwin-arm64
|
|
remote-daemon-assets/cmuxd-remote-darwin-amd64
|
|
remote-daemon-assets/cmuxd-remote-linux-arm64
|
|
remote-daemon-assets/cmuxd-remote-linux-amd64
|
|
remote-daemon-assets/cmuxd-remote-checksums.txt
|
|
remote-daemon-assets/cmuxd-remote-manifest.json
|
|
|
|
- name: Upload release asset
|
|
if: steps.guard_release_assets.outputs.skip_upload != 'true'
|
|
uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b # v2
|
|
with:
|
|
files: |
|
|
cmux-macos.dmg
|
|
appcast.xml
|
|
remote-daemon-assets/cmuxd-remote-darwin-arm64
|
|
remote-daemon-assets/cmuxd-remote-darwin-amd64
|
|
remote-daemon-assets/cmuxd-remote-linux-arm64
|
|
remote-daemon-assets/cmuxd-remote-linux-amd64
|
|
remote-daemon-assets/cmuxd-remote-checksums.txt
|
|
remote-daemon-assets/cmuxd-remote-manifest.json
|
|
generate_release_notes: true
|
|
overwrite_files: false
|
|
|
|
- name: Cleanup keychain
|
|
if: always()
|
|
run: |
|
|
security delete-keychain build.keychain >/dev/null 2>&1 || true
|
|
rm -f /tmp/cert.p12
|