cmux/.github/workflows/release.yml

name: Release macOS app

on:
  push:
    tags:
      - "v*"
  workflow_dispatch:

permissions:
  contents: write

jobs:
  build-sign-notarize:
    runs-on: self-hosted
    concurrency:
      group: self-hosted-build
      cancel-in-progress: false
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          submodules: recursive

      - name: Select Xcode
        run: |
          set -euo pipefail
          if [ -d "/Applications/Xcode.app/Contents/Developer" ]; then
            XCODE_DIR="/Applications/Xcode.app/Contents/Developer"
          else
            XCODE_APP="$(ls -d /Applications/Xcode*.app 2>/dev/null | head -n 1 || true)"
            if [ -n "$XCODE_APP" ]; then
              XCODE_DIR="$XCODE_APP/Contents/Developer"
            else
              echo "No Xcode.app found under /Applications" >&2
              exit 1
            fi
          fi
          echo "DEVELOPER_DIR=$XCODE_DIR" >> "$GITHUB_ENV"
          export DEVELOPER_DIR="$XCODE_DIR"
          xcodebuild -version
          xcrun --sdk macosx --show-sdk-path

      - name: Install build deps
        run: |
          brew update
          brew install zig
          npm install --global create-dmg

      - name: Build GhosttyKit.xcframework
        run: |
          cd ghostty
          zig build -Demit-xcframework=true -Demit-macos-app=false -Dxcframework-target=native -Doptimize=ReleaseFast
          cd ..
          rm -rf GhosttyKit.xcframework
          cp -R ghostty/macos/GhosttyKit.xcframework GhosttyKit.xcframework

      - name: Clear SPM cache
        run: |
          rm -rf ~/Library/Caches/org.swift.swiftpm
          rm -rf ~/Library/Developer/Xcode/DerivedData/GhosttyTabs-*

      - name: Configure SwiftPM cache
        run: |
          set -euo pipefail
          CACHE_DIR="${RUNNER_TEMP}/swiftpm-cache/${GITHUB_RUN_ID}"
          rm -rf "$CACHE_DIR"
          mkdir -p "$CACHE_DIR"
          echo "SWIFTPM_CACHE_PATH=$CACHE_DIR" >> "$GITHUB_ENV"

      - name: Derive Sparkle public key from private key
        env:
          SPARKLE_PRIVATE_KEY: ${{ secrets.SPARKLE_PRIVATE_KEY }}
        run: |
          if [ -z "$SPARKLE_PRIVATE_KEY" ]; then
            echo "Missing SPARKLE_PRIVATE_KEY secret" >&2
            exit 1
          fi
          DERIVED_PUBLIC_KEY=$(swift scripts/derive_sparkle_public_key.swift "$SPARKLE_PRIVATE_KEY")
          echo "Derived Sparkle public key: $DERIVED_PUBLIC_KEY"
          echo "SPARKLE_PUBLIC_KEY=$DERIVED_PUBLIC_KEY" >> "$GITHUB_ENV"

      - name: Build app (Release)
        run: |
          xcodebuild -scheme cmux -configuration Release -derivedDataPath build CODE_SIGNING_ALLOWED=NO build

      - name: Inject Sparkle keys into Info.plist
        run: |
          APP_PLIST="build/Build/Products/Release/cmux.app/Contents/Info.plist"
          /usr/libexec/PlistBuddy -c "Delete :SUPublicEDKey" "$APP_PLIST" >/dev/null 2>&1 || true
          /usr/libexec/PlistBuddy -c "Delete :SUFeedURL" "$APP_PLIST" >/dev/null 2>&1 || true
          echo "Adding SUPublicEDKey to Info.plist..."
          /usr/libexec/PlistBuddy -c "Add :SUPublicEDKey string ${SPARKLE_PUBLIC_KEY}" "$APP_PLIST"
          echo "Adding SUFeedURL to Info.plist..."
          /usr/libexec/PlistBuddy -c "Add :SUFeedURL string https://github.com/manaflow-ai/cmux/releases/latest/download/appcast.xml" "$APP_PLIST"
          echo "Verifying:"
          /usr/libexec/PlistBuddy -c "Print :SUPublicEDKey" "$APP_PLIST"
          /usr/libexec/PlistBuddy -c "Print :SUFeedURL" "$APP_PLIST"

      - name: Import signing cert
        env:
          APPLE_CERTIFICATE_BASE64: ${{ secrets.APPLE_CERTIFICATE_BASE64 }}
          APPLE_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
        run: |
          if [ -z "$APPLE_CERTIFICATE_BASE64" ]; then
            echo "Missing APPLE_CERTIFICATE_BASE64 secret" >&2
            exit 1
          fi
          if [ -z "$APPLE_CERTIFICATE_PASSWORD" ]; then
            echo "Missing APPLE_CERTIFICATE_PASSWORD secret" >&2
            exit 1
          fi
          KEYCHAIN_PASSWORD="$(uuidgen)"
          echo "$APPLE_CERTIFICATE_BASE64" | base64 --decode > /tmp/cert.p12
          security delete-keychain build.keychain >/dev/null 2>&1 || true
          security create-keychain -p "$KEYCHAIN_PASSWORD" build.keychain
          security set-keychain-settings -lut 21600 build.keychain
          security unlock-keychain -p "$KEYCHAIN_PASSWORD" build.keychain
          security import /tmp/cert.p12 -k build.keychain -P "$APPLE_CERTIFICATE_PASSWORD" -T /usr/bin/codesign -T /usr/bin/security
          security set-key-partition-list -S apple-tool:,apple: -s -k "$KEYCHAIN_PASSWORD" build.keychain
          security list-keychains -d user -s build.keychain

      - name: Codesign app
        env:
          APPLE_SIGNING_IDENTITY: ${{ secrets.APPLE_SIGNING_IDENTITY }}
        run: |
          if [ -z "$APPLE_SIGNING_IDENTITY" ]; then
            echo "Missing APPLE_SIGNING_IDENTITY secret" >&2
            exit 1
          fi
          APP_PATH="build/Build/Products/Release/cmux.app"
          ENTITLEMENTS="cmux.entitlements"
          CLI_PATH="$APP_PATH/Contents/Resources/bin/cmux"
          if [ -f "$CLI_PATH" ]; then
            /usr/bin/codesign --force --options runtime --timestamp --sign "$APPLE_SIGNING_IDENTITY" --entitlements "$ENTITLEMENTS" "$CLI_PATH"
          fi
          /usr/bin/codesign --force --options runtime --timestamp --sign "$APPLE_SIGNING_IDENTITY" --entitlements "$ENTITLEMENTS" --deep "$APP_PATH"
          /usr/bin/codesign --verify --deep --strict --verbose=2 "$APP_PATH"

      - name: Notarize app
        env:
          APPLE_ID: ${{ secrets.APPLE_ID }}
          APPLE_APP_SPECIFIC_PASSWORD: ${{ secrets.APPLE_APP_SPECIFIC_PASSWORD }}
          APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
          APPLE_SIGNING_IDENTITY: ${{ secrets.APPLE_SIGNING_IDENTITY }}
        run: |
          if [ -z "$APPLE_ID" ] || [ -z "$APPLE_APP_SPECIFIC_PASSWORD" ] || [ -z "$APPLE_TEAM_ID" ]; then
            echo "Missing notarization secrets (APPLE_ID, APPLE_APP_SPECIFIC_PASSWORD, APPLE_TEAM_ID)" >&2
            exit 1
          fi
          APP_PATH="build/Build/Products/Release/cmux.app"
          ZIP_SUBMIT="cmux-notary.zip"
          DMG_RELEASE="cmux-macos.dmg"
          ditto -c -k --sequesterRsrc --keepParent "$APP_PATH" "$ZIP_SUBMIT"
          APP_SUBMIT_JSON="$(xcrun notarytool submit "$ZIP_SUBMIT" --apple-id "$APPLE_ID" --team-id "$APPLE_TEAM_ID" --password "$APPLE_APP_SPECIFIC_PASSWORD" --wait --output-format json)"
          APP_SUBMIT_ID="$(python3 -c 'import json,sys; print(json.load(sys.stdin)["id"])' <<<"$APP_SUBMIT_JSON")"
          APP_STATUS="$(python3 -c 'import json,sys; print(json.load(sys.stdin)["status"])' <<<"$APP_SUBMIT_JSON")"
          if [ "$APP_STATUS" != "Accepted" ]; then
            echo "App notarization failed with status: $APP_STATUS" >&2
            xcrun notarytool log "$APP_SUBMIT_ID" --apple-id "$APPLE_ID" --team-id "$APPLE_TEAM_ID" --password "$APPLE_APP_SPECIFIC_PASSWORD" || true
            exit 1
          fi
          xcrun stapler staple "$APP_PATH"
          xcrun stapler validate "$APP_PATH"
          spctl -a -vv --type execute "$APP_PATH"
          rm -f "$ZIP_SUBMIT"
          # create-dmg generates a styled drag-to-install DMG
          create-dmg \
            --identity="$APPLE_SIGNING_IDENTITY" \
            "$APP_PATH" \
            ./
          mv ./cmux*.dmg "$DMG_RELEASE"
          DMG_SUBMIT_JSON="$(xcrun notarytool submit "$DMG_RELEASE" --apple-id "$APPLE_ID" --team-id "$APPLE_TEAM_ID" --password "$APPLE_APP_SPECIFIC_PASSWORD" --wait --output-format json)"
          DMG_SUBMIT_ID="$(python3 -c 'import json,sys; print(json.load(sys.stdin)["id"])' <<<"$DMG_SUBMIT_JSON")"
          DMG_STATUS="$(python3 -c 'import json,sys; print(json.load(sys.stdin)["status"])' <<<"$DMG_SUBMIT_JSON")"
          if [ "$DMG_STATUS" != "Accepted" ]; then
            echo "DMG notarization failed with status: $DMG_STATUS" >&2
            xcrun notarytool log "$DMG_SUBMIT_ID" --apple-id "$APPLE_ID" --team-id "$APPLE_TEAM_ID" --password "$APPLE_APP_SPECIFIC_PASSWORD" || true
            exit 1
          fi
          xcrun stapler staple "$DMG_RELEASE"
          xcrun stapler validate "$DMG_RELEASE"

      - name: Generate Sparkle appcast
        env:
          SPARKLE_PRIVATE_KEY: ${{ secrets.SPARKLE_PRIVATE_KEY }}
        run: |
          if [ -z "$SPARKLE_PRIVATE_KEY" ]; then
            echo "Missing SPARKLE_PRIVATE_KEY secret" >&2
            exit 1
          fi
          ./scripts/sparkle_generate_appcast.sh cmux-macos.dmg "$GITHUB_REF_NAME" appcast.xml

      - name: Upload release asset
        uses: softprops/action-gh-release@v2
        with:
          files: |
            cmux-macos.dmg
            appcast.xml
          generate_release_notes: true

      - name: Cleanup keychain
        if: always()
        run: |
          security delete-keychain build.keychain >/dev/null 2>&1 || true
          rm -f /tmp/cert.p12