mirror of
https://github.com/MODSetter/SurfSense.git
synced 2026-04-25 00:36:31 +02:00
63739ee737
- Implemented a step to fetch the GitHub OIDC token for Azure signing SDK when signing is enabled. - Updated environment variables for Azure.Identity EnvironmentCredential to support the TrustedSigning PowerShell module.
161 lines
5.8 KiB
YAML
161 lines
5.8 KiB
YAML
name: Desktop Release
|
|
|
|
on:
|
|
push:
|
|
tags:
|
|
- 'v*'
|
|
- 'beta-v*'
|
|
workflow_dispatch:
|
|
inputs:
|
|
version:
|
|
description: 'Version number (e.g. 0.0.15) — used for dry-run testing without a tag'
|
|
required: true
|
|
default: '0.0.0-test'
|
|
publish:
|
|
description: 'Publish to GitHub Releases'
|
|
required: true
|
|
type: choice
|
|
options:
|
|
- never
|
|
- always
|
|
default: 'never'
|
|
|
|
permissions:
|
|
contents: write
|
|
id-token: write
|
|
|
|
jobs:
|
|
build:
|
|
runs-on: ${{ matrix.os }}
|
|
strategy:
|
|
fail-fast: false
|
|
matrix:
|
|
include:
|
|
- os: macos-latest
|
|
platform: --mac
|
|
- os: ubuntu-latest
|
|
platform: --linux
|
|
- os: windows-latest
|
|
platform: --win
|
|
|
|
steps:
|
|
- name: Checkout
|
|
uses: actions/checkout@v5
|
|
|
|
- name: Extract version
|
|
id: version
|
|
shell: bash
|
|
run: |
|
|
if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then
|
|
VERSION="${{ inputs.version }}"
|
|
else
|
|
TAG=${GITHUB_REF#refs/tags/}
|
|
VERSION=${TAG#beta-}
|
|
VERSION=${VERSION#v}
|
|
fi
|
|
if ! echo "$VERSION" | grep -qE '^[0-9]+\.[0-9]+\.[0-9]+(-[a-zA-Z0-9.]+)?$'; then
|
|
echo "::error::Version '$VERSION' is not valid semver (expected X.Y.Z). Fix your tag name."
|
|
exit 1
|
|
fi
|
|
echo "VERSION=$VERSION" >> "$GITHUB_OUTPUT"
|
|
|
|
- name: Detect Windows signing eligibility
|
|
id: sign
|
|
shell: bash
|
|
run: |
|
|
# Sign Windows builds only on production v* tags (not beta-v*, not workflow_dispatch).
|
|
# This matches the single OIDC federated credential configured in Entra ID.
|
|
if [ "${{ matrix.os }}" = "windows-latest" ] \
|
|
&& [ "${{ github.event_name }}" = "push" ] \
|
|
&& [[ "$GITHUB_REF" == refs/tags/v* ]]; then
|
|
echo "enabled=true" >> "$GITHUB_OUTPUT"
|
|
echo "Windows signing: ENABLED (v* tag on windows-latest)"
|
|
else
|
|
echo "enabled=false" >> "$GITHUB_OUTPUT"
|
|
echo "Windows signing: skipped"
|
|
fi
|
|
|
|
- name: Azure login (for Windows signing)
|
|
if: steps.sign.outputs.enabled == 'true'
|
|
uses: azure/login@v2
|
|
with:
|
|
client-id: ${{ secrets.AZURE_CLIENT_ID }}
|
|
tenant-id: ${{ secrets.AZURE_TENANT_ID }}
|
|
subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
|
|
|
|
- name: Fetch GitHub OIDC token for Azure signing SDK
|
|
if: steps.sign.outputs.enabled == 'true'
|
|
id: oidc
|
|
shell: pwsh
|
|
run: |
|
|
$token = (Invoke-RestMethod -Headers @{Authorization = "bearer $env:ACTIONS_ID_TOKEN_REQUEST_TOKEN"} `
|
|
-Uri "$env:ACTIONS_ID_TOKEN_REQUEST_URL&audience=api://AzureADTokenExchange").value
|
|
Write-Output "::add-mask::$token"
|
|
"token=$token" | Out-File -FilePath $env:GITHUB_OUTPUT -Encoding utf8 -Append
|
|
|
|
- name: Setup pnpm
|
|
uses: pnpm/action-setup@v5
|
|
|
|
- name: Setup Node.js
|
|
uses: actions/setup-node@v5
|
|
with:
|
|
node-version: 22
|
|
cache: 'pnpm'
|
|
cache-dependency-path: |
|
|
surfsense_web/pnpm-lock.yaml
|
|
surfsense_desktop/pnpm-lock.yaml
|
|
|
|
- name: Install web dependencies
|
|
run: pnpm install
|
|
working-directory: surfsense_web
|
|
|
|
- name: Build Next.js standalone
|
|
run: pnpm build
|
|
working-directory: surfsense_web
|
|
env:
|
|
NEXT_PUBLIC_FASTAPI_BACKEND_URL: ${{ vars.NEXT_PUBLIC_FASTAPI_BACKEND_URL }}
|
|
NEXT_PUBLIC_ZERO_CACHE_URL: ${{ vars.NEXT_PUBLIC_ZERO_CACHE_URL }}
|
|
NEXT_PUBLIC_DEPLOYMENT_MODE: ${{ vars.NEXT_PUBLIC_DEPLOYMENT_MODE }}
|
|
NEXT_PUBLIC_FASTAPI_BACKEND_AUTH_TYPE: ${{ vars.NEXT_PUBLIC_FASTAPI_BACKEND_AUTH_TYPE }}
|
|
NEXT_PUBLIC_POSTHOG_KEY: ${{ secrets.NEXT_PUBLIC_POSTHOG_KEY }}
|
|
|
|
- name: Install desktop dependencies
|
|
run: pnpm install
|
|
working-directory: surfsense_desktop
|
|
|
|
- name: Build Electron
|
|
run: pnpm build
|
|
working-directory: surfsense_desktop
|
|
env:
|
|
HOSTED_FRONTEND_URL: ${{ vars.HOSTED_FRONTEND_URL }}
|
|
POSTHOG_KEY: ${{ secrets.POSTHOG_KEY }}
|
|
POSTHOG_HOST: ${{ vars.POSTHOG_HOST }}
|
|
|
|
- name: Package & Publish
|
|
shell: bash
|
|
run: |
|
|
CMD=(pnpm exec electron-builder ${{ matrix.platform }} \
|
|
--config electron-builder.yml \
|
|
--publish "${{ inputs.publish || 'always' }}" \
|
|
-c.extraMetadata.version="${{ steps.version.outputs.VERSION }}")
|
|
|
|
if [ "${{ steps.sign.outputs.enabled }}" = "true" ]; then
|
|
CMD+=(-c.win.azureSignOptions.publisherName="$WINDOWS_PUBLISHER_NAME")
|
|
CMD+=(-c.win.azureSignOptions.endpoint="$AZURE_CODESIGN_ENDPOINT")
|
|
CMD+=(-c.win.azureSignOptions.codeSigningAccountName="$AZURE_CODESIGN_ACCOUNT")
|
|
CMD+=(-c.win.azureSignOptions.certificateProfileName="$AZURE_CODESIGN_PROFILE")
|
|
fi
|
|
|
|
"${CMD[@]}"
|
|
working-directory: surfsense_desktop
|
|
env:
|
|
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
|
WINDOWS_PUBLISHER_NAME: ${{ vars.WINDOWS_PUBLISHER_NAME }}
|
|
AZURE_CODESIGN_ENDPOINT: ${{ vars.AZURE_CODESIGN_ENDPOINT }}
|
|
AZURE_CODESIGN_ACCOUNT: ${{ vars.AZURE_CODESIGN_ACCOUNT }}
|
|
AZURE_CODESIGN_PROFILE: ${{ vars.AZURE_CODESIGN_PROFILE }}
|
|
# Env vars for Azure.Identity EnvironmentCredential used by the TrustedSigning PowerShell module.
|
|
# Only populated when signing is enabled; harmless when empty otherwise.
|
|
AZURE_TENANT_ID: ${{ steps.sign.outputs.enabled == 'true' && secrets.AZURE_TENANT_ID || '' }}
|
|
AZURE_CLIENT_ID: ${{ steps.sign.outputs.enabled == 'true' && secrets.AZURE_CLIENT_ID || '' }}
|
|
AZURE_FEDERATED_TOKEN: ${{ steps.oidc.outputs.token }}
|