diff --git a/.github/actions/build_desktop/action.yml b/.github/actions/build_desktop/action.yml index d6d276b..9a2e72b 100644 --- a/.github/actions/build_desktop/action.yml +++ b/.github/actions/build_desktop/action.yml @@ -44,6 +44,15 @@ inputs: apple_team_id: required: false description: 'Apple team ID' + azure_client_id: + required: false + description: 'Azure app registration client ID for Windows code signing' + azure_client_secret: + required: false + description: 'Azure app registration client secret for Windows code signing' + azure_tenant_id: + required: false + description: 'Azure tenant ID for Windows code signing' tauri_signing_private_key: required: false description: 'Tauri updater signing private key' @@ -186,6 +195,20 @@ runs: echo "APPLE_TEAM_ID=${{ inputs.apple_team_id }}" >> $GITHUB_ENV fi + - name: Set Windows signing environment variables + shell: bash + if: inputs.sign_app == 'true' && runner.os == 'Windows' && inputs.azure_client_id != '' + run: | + echo "AZURE_CLIENT_ID=${{ inputs.azure_client_id }}" >> $GITHUB_ENV + echo "AZURE_CLIENT_SECRET=${{ inputs.azure_client_secret }}" >> $GITHUB_ENV + echo "AZURE_TENANT_ID=${{ inputs.azure_tenant_id }}" >> $GITHUB_ENV + echo "SIGNTOOL_PATH=C:\Program Files (x86)\Windows Kits\10\bin\10.0.26100.0\x64\signtool.exe" >> $GITHUB_ENV + + - name: Install trusted-signing-cli (Windows) + if: inputs.sign_app == 'true' && runner.os == 'Windows' && inputs.azure_client_id != '' + shell: bash + run: cargo install trusted-signing-cli + - name: Set Tauri signing environment variables shell: bash run: | diff --git a/.github/workflows/build_desktop_all.yml b/.github/workflows/build_desktop_all.yml index 520a9fe..b03fb3e 100644 --- a/.github/workflows/build_desktop_all.yml +++ b/.github/workflows/build_desktop_all.yml 
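Review bot: In the "Set Windows signing environment variables" step, `AZURE_CLIENT_SECRET` is appended to `$GITHUB_ENV`, which makes it readable by every later step in the job, including the unpinned `cargo install trusted-signing-cli` that follows and any build scripts it compiles. Prefer passing the three Azure values through an `env:` mapping on only the step that invokes signing (that step is outside this hunk), and pin the tool, e.g. `run: cargo install trusted-signing-cli --locked --version <PINNED_VERSION>`. The `${{ inputs.* }}` values are also pasted into the script text, so a value containing a quote or newline would change the commands or add extra `GITHUB_ENV` entries; reading them from `env:` avoids that. The gate checks only `inputs.azure_client_id != ''`, so a missing client secret or tenant ID is not caught here.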
@@ -179,11 +179,12 @@ jobs: target_branch: ${{ (github.event_name == 'workflow_dispatch' && github.event.inputs.ref != '' && github.event.inputs.ref) || (github.event_name == 'repository_dispatch' && github.event.client_payload.sha != '' && github.event.client_payload.sha) || 'main' }} profile: ${{ (github.event_name == 'workflow_dispatch' && (github.event.inputs.custom_profile || github.event.inputs.profile)) || (github.event_name == 'repository_dispatch' && github.event.client_payload.profile) || 'preview' }} site_url: ${{ (github.event_name == 'workflow_dispatch' && github.event.inputs.site_url) || (github.event_name == 'repository_dispatch' && github.event.client_payload.site_url) || 'https://staging.songdrive.app' }} - publish_version: ${{ ((github.event_name == 'workflow_dispatch' && github.event.inputs.publish == 'true') || (github.event_name == 'repository_dispatch' && github.event.action == 'new-commit-on-main')) && needs.compute_publish_version.outputs.publish_version || '' }} + publish_version: ${{ ((github.event_name == 'workflow_dispatch' && (github.event.inputs.publish == 'true' || github.event.inputs.sign_app == 'true')) || (github.event_name == 'repository_dispatch' && github.event.action == 'new-commit-on-main')) && needs.compute_publish_version.outputs.publish_version || '' }} # enable_debug: true enable_debug: ${{ (github.event_name == 'workflow_dispatch' && github.event.inputs.enable_debug == 'true') }} enable_custom_site_url: false enable_tauri_updates: ${{ (github.event_name == 'workflow_dispatch' && github.event.inputs.publish == 'true') || (github.event_name == 'repository_dispatch' && github.event.action == 'new-commit-on-main') }} + publish_to_r2: ${{ (github.event_name == 'workflow_dispatch' && github.event.inputs.publish == 'true') || (github.event_name == 'repository_dispatch' && github.event.action == 'new-commit-on-main') }} publish_latest_manifest: if: (github.event_name == 'repository_dispatch' && github.event.action == 
'new-commit-on-main') || (github.event_name == 'workflow_dispatch' && github.event.inputs.publish == 'true') diff --git a/.github/workflows/build_desktop_common.yml b/.github/workflows/build_desktop_common.yml index b400566..aa5e5e6 100644 --- a/.github/workflows/build_desktop_common.yml +++ b/.github/workflows/build_desktop_common.yml @@ -46,6 +46,10 @@ on: required: false type: boolean default: false + publish_to_r2: + required: false + type: boolean + default: false jobs: build_tauri: @@ -95,6 +99,9 @@ jobs: apple_id: ${{ secrets.APPLE_ID }} apple_password: ${{ secrets.APPLE_PASSWORD }} apple_team_id: ${{ secrets.APPLE_TEAM_ID }} + azure_client_id: ${{ secrets.AZURE_CLIENT_ID }} + azure_client_secret: ${{ secrets.AZURE_CLIENT_SECRET }} + azure_tenant_id: ${{ secrets.AZURE_TENANT_ID }} github_token: ${{ secrets.GITHUB_TOKEN }} enable_debug: ${{ inputs.enable_debug }} enable_custom_site_url: ${{ inputs.enable_custom_site_url }} @@ -173,7 +180,7 @@ jobs: echo "Sanitized filename: $SANITIZED_FILENAME" echo "Final filename: $NEW_FILENAME" - elif [[ "${{ inputs.platform }}" == "windows-latest" || "${{ inputs.platform }}" == "windows-"* ]]; then + elif [[ "${{ inputs.platform }}" == "windows-"* ]]; then echo "Processing Windows platform..." # Find EXE file with priority order: setup files first, then any exe @@ -210,7 +217,7 @@ jobs: else echo "ERROR: Unsupported platform: ${{ inputs.platform }}" - echo "Supported platforms: macos-latest, windows-latest (and variants)" + echo "Supported platforms: macos-latest, windows-11-arm (and other windows-* variants)" exit 1 fi 
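Review bot: On the new `publish_version` line, a `workflow_dispatch` with `sign_app == 'true'` now yields a non-empty version even when `publish` is false, so any consumer that still treats `publish_version != ''` as "this is a release" will fire for sign-only runs. This commit moves the S3 upload and Discord steps in build_desktop_common.yml to `publish_to_r2`, but steps outside the visible hunks (the updater manifest handling, for instance) should be checked for the old gate. The `publish_to_r2` expression is also a third verbatim copy of the publish condition already used by `enable_tauri_updates` and by the `publish_latest_manifest` job's `if:`. Computing it once, for example as an extra output of the `compute_publish_version` job, would keep the release gates from drifting apart.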
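Review bot: The rewritten `elif [[ "${{ inputs.platform }}" == "windows-"* ]]` in build_desktop_common.yml still has the expression expanded into the script text before bash parses it, so the value of `inputs.platform` becomes shell source rather than data. The callers visible on this page pass fixed runner labels, so this is hardening for a reusable workflow, not a live bug. Map the input once with `env: PLATFORM: ${{ inputs.platform }}` on the step and test `"$PLATFORM"` instead; the same applies to the matching lines in the hunks at -264 and -401 and to the `echo "ERROR: Unsupported platform: ..."` line. The steps' `run:` headers are outside these hunks, so the `env:` key would go on lines not shown here.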
@@ -264,7 +271,7 @@ jobs: echo "Staged updater payload: staging/$UPDATER_PAYLOAD_FILENAME" echo "Staged updater signature: staging/$UPDATER_SIGNATURE_FILENAME" - elif [[ "${{ inputs.platform }}" == "windows-latest" || "${{ inputs.platform }}" == "windows-"* ]]; then + elif [[ "${{ inputs.platform }}" == "windows-"* ]]; then echo "Locating Windows updater signature for selected installer..." EXE_SIG_FILE="${EXE_FILE}.sig" @@ -292,7 +299,7 @@ jobs: echo "Installer extraction completed successfully!" - name: Upload installer to S3 compatible - if: inputs.publish_version != '' + if: inputs.publish_to_r2 uses: shallwefootball/s3-upload-action@master with: aws_key_id: ${{ secrets.R2_DESKTOP_APP_KEY_ID }} @@ -401,13 +408,13 @@ jobs: path: updater-platform-manifest - name: Send Discord message - if: inputs.publish_version != '' + if: inputs.publish_to_r2 shell: bash run: | # Determine platform name for Discord message if [[ "${{ inputs.platform }}" == "macos-latest" || "${{ inputs.platform }}" == "macos-"* ]]; then PLATFORM_NAME="macOS" - elif [[ "${{ inputs.platform }}" == "windows-latest" || "${{ inputs.platform }}" == "windows-"* ]]; then + elif [[ "${{ inputs.platform }}" == "windows-"* ]]; then PLATFORM_NAME="Windows" else PLATFORM_NAME="${{ inputs.platform }}" diff --git a/.github/workflows/tauri_e2e.yml b/.github/workflows/tauri_e2e.yml index eb30f31..e157d8d 100644 --- a/.github/workflows/tauri_e2e.yml +++ b/.github/workflows/tauri_e2e.yml @@ -42,7 +42,7 @@ jobs: - name: Build Tauri App uses: ./.github/composite-actions/.github/actions/build_desktop with: - platform: ${{ matrix.os == 'ubuntu-latest' && 'ubuntu-22.04' || 'windows-latest' }} + platform: ${{ matrix.os == 'ubuntu-latest' && 'ubuntu-22.04' || matrix.os }} tauri_args: '' tauri_target: '' sign_app: false 
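Review bot: The step whose gate changes to `if: inputs.publish_to_r2` hands `secrets.R2_DESKTOP_APP_KEY_ID` (and presumably the matching secret key, below the hunk) to `shallwefootball/s3-upload-action@master`, a third-party action referenced by a mutable branch. Whatever that branch points at on the day of a release runs with the bucket credentials, so the reference should be a full commit SHA, e.g. `uses: shallwefootball/s3-upload-action@<COMMIT_SHA>`. Because `publish_to_r2` is declared as a boolean input with `default: false`, the bare `if:` is fine as written.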
@@ -84,7 +84,7 @@ jobs: # ---- Windows-only bits: EdgeDriver + (optional) WebView2 runtime ---- - name: Install matching EdgeDriver - if: matrix.os == 'windows-latest' + if: runner.os == 'Windows' shell: bash run: | cargo install --git https://github.com/chippers/msedgedriver-tool @@ -93,14 +93,14 @@ jobs: # Optional WebView2 # - name: Install WebView2 Runtime (silent) - # if: matrix.os == 'windows-latest' + # if: runner.os == 'Windows' # shell: bash # run: | # curl -L -o webview2.exe https://go.microsoft.com/fwlink/p/?LinkId=2124703 # ./webview2.exe /silent /install - name: Run E2E via start-server-and-test - if: matrix.os == 'windows-latest' + if: runner.os == 'Windows' shell: bash run: | npx --yes start-server-and-test@2 \
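Review bot: The "Install matching EdgeDriver" step now runs on every Windows runner via `runner.os == 'Windows'`, and it still builds `cargo install --git https://github.com/chippers/msedgedriver-tool` from whatever the default branch holds at run time. Pin the source and its dependency graph, e.g. `cargo install --git https://github.com/chippers/msedgedriver-tool --rev <COMMIT_SHA> --locked`, so the E2E job is reproducible and an upstream change cannot reach the runner unreviewed. The `run:` block may continue past the end of this hunk.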