ci: update phcode version to 5.1.4 #53
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: 'generate production draft GitHub release' | |
| on: | |
| push: | |
| branches: [ prod ] | |
| jobs: | |
| create-release: | |
| permissions: | |
| contents: write | |
| runs-on: ubuntu-22.04 | |
| outputs: | |
| release_id: ${{ steps.create-release.outputs.result }} | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: setup node | |
| uses: actions/setup-node@v4 | |
| with: | |
| node-version: 24 | |
| - name: get version | |
| run: | | |
| echo "PACKAGE_VERSION=$(node -p "require('./package.json').version")" >> $GITHUB_ENV | |
| echo "GIT_TAG_NAME=prod-app-v$(node -p "require('./package.json').version")" >> $GITHUB_ENV | |
| - name: create release | |
| id: create-release | |
| uses: actions/github-script@v7 | |
| with: | |
| script: | | |
| const { data } = await github.rest.repos.createRelease({ | |
| owner: context.repo.owner, | |
| repo: context.repo.repo, | |
| tag_name: `${process.env.GIT_TAG_NAME}`, | |
| target_commitish: 'prod', | |
| name: `Phoenix Code Stable Release v${process.env.PACKAGE_VERSION}`, | |
| body: `**Phoenix Code Release Notes**\n\nPlease include detailed release notes here, highlighting new features, bug fixes, and improvements. Ensure to make these notes informative and clear for end-users.\n\n**For Maintainers:**\nTo distribute these release notes through the desktop application:\n1. Wait for a pull request with the updated release notes.\n3. Once the pull request is merged, merge to the update-notifications branch and the release notes will be automatically shown in the desktop builds.`, | |
| draft: true, | |
| prerelease: false | |
| }) | |
| return data.id | |
| build-mac-m1-node-modules: | |
| permissions: | |
| contents: write | |
| timeout-minutes: 15 | |
| runs-on: macos-15 | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: macos hardware info | |
| run: system_profiler SPSoftwareDataType SPHardwareDataType | |
| - name: setup node | |
| uses: actions/setup-node@v4 | |
| with: | |
| node-version: 24 | |
| - name: install frontend dependencies | |
| env: | |
| GH_TOKEN: ${{ github.token }} | |
| PRO_REPO_URL: ${{ secrets.PRO_REPO_URL }} | |
| PRO_REPO_ACCESS_TOKEN: ${{ secrets.PRO_REPO_ACCESS_TOKEN }} | |
| run: | | |
| npm ci | |
| npm run _ci-cloneAndBuildPhoenix | |
| npm run _ci_make_src-node | |
| cd src-tauri | |
| mv src-node src-node-darwin-arm64 | |
| tar -czvf src-node-darwin-arm64.tar.gz src-node-darwin-arm64 | |
| mv src-node-darwin-arm64 src-node | |
| cd .. | |
| - name: Upload src-node.tar.gz with installed mac bins | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: src-node-darwin-arm64.tar.gz | |
| path: src-tauri/src-node-darwin-arm64.tar.gz | |
| build-tauri: | |
| needs: [create-release, build-mac-m1-node-modules] | |
| permissions: | |
| contents: write | |
| timeout-minutes: 60 | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| platform: [ macos-15-intel, windows-latest ] | |
| runs-on: ${{ matrix.platform }} | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: get Git Tag | |
| shell: bash | |
| run: echo "GIT_TAG_NAME=prod-app-v$(node -p "require('./package.json').version")" >> $GITHUB_ENV | |
| - name: setup node | |
| uses: actions/setup-node@v4 | |
| with: | |
| node-version: 24 | |
| - name: Download src-node built on mac arm (Mac only) | |
| if: matrix.platform == 'macos-15-intel' | |
| uses: actions/download-artifact@v4 | |
| with: | |
| name: src-node-darwin-arm64.tar.gz | |
| path: /tmp/src-node-darwin-arm64.tar.gz | |
| - name: install Rust stable | |
| uses: dtolnay/rust-toolchain@stable | |
| with: | |
| toolchain: 1.85.1 | |
| - name: install frontend dependencies | |
| env: | |
| GH_TOKEN: ${{ github.token }} | |
| PRO_REPO_URL: ${{ secrets.PRO_REPO_URL }} | |
| PRO_REPO_ACCESS_TOKEN: ${{ secrets.PRO_REPO_ACCESS_TOKEN }} | |
| run: | | |
| npm ci | |
| npm run _ci-release:prod | |
| - name: setup src-node built on mac arm (Mac only) | |
| if: matrix.platform == 'macos-15-intel' | |
| run: | | |
| ls /tmp/src-node-darwin-arm64.tar.gz | |
| rm -rf src-node | |
| tar -xzvf /tmp/src-node-darwin-arm64.tar.gz/src-node-darwin-arm64.tar.gz | |
| ls src-node-darwin-arm64 | |
| mv src-node-darwin-arm64 src-node | |
| - name: install AzureSignTool (windows only) | |
| if: matrix.platform == 'windows-latest' | |
| run: | | |
| dotnet tool install --global AzureSignTool | |
| - name: import certificate for signing (windows only) | |
| if: matrix.platform == 'windows-latest' | |
| run: | | |
| echo "${{ secrets.AZURE_EV_CERT }}" > secret.cer | |
| Import-Certificate -FilePath .\secret.cer -CertStoreLocation Cert:\LocalMachine\My | |
| shell: powershell | |
| - name: patch signTool (windows only) | |
| if: matrix.platform == 'windows-latest' | |
| run: Start-Process -FilePath .\src-build\win\copy_sign_tool.exe -Verb RunAs | |
| shell: powershell | |
| - name: setup env for signing (windows only) | |
| if: matrix.platform == 'windows-latest' | |
| env: | |
| TAURI_PRIVATE_KEY: ${{ secrets.TAURI_PRIVATE_KEY }} | |
| TAURI_KEY_PASSWORD: ${{ secrets.TAURI_KEY_PASSWORD }} | |
| AZURE_KEY_VAULT_URI: ${{ secrets.AZURE_KEY_VAULT_URI }} | |
| AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }} | |
| AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} | |
| AZURE_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }} | |
| AZURE_CERT_NAME: ${{ secrets.AZURE_CERT_NAME }} | |
| AZURE_COMPANY_NAME: ${{ secrets.AZURE_COMPANY_NAME }} | |
| run: | | |
| $jsonContent = @{ | |
| "AZURE_KEY_VAULT_URI" = $env:AZURE_KEY_VAULT_URI | |
| "AZURE_CLIENT_ID" = $env:AZURE_CLIENT_ID | |
| "AZURE_TENANT_ID" = $env:AZURE_TENANT_ID | |
| "AZURE_CLIENT_SECRET" = $env:AZURE_CLIENT_SECRET | |
| "AZURE_CERT_NAME" = $env:AZURE_CERT_NAME | |
| "AZURE_COMPANY_NAME" = $env:AZURE_COMPANY_NAME | |
| } | |
| $jsonContent | ConvertTo-Json | Out-File -FilePath ./secrets.json -Encoding utf8 | |
| # Load content from the file | |
| $content = Get-Content -Path "./secrets.json" -Raw | |
| # Replace \r\n with \n | |
| $content = $content -replace "`r`n", "`n" | |
| # Write the content back to the file | |
| Set-Content -Path "./secrets.json" -Value $content | |
| shell: powershell | |
| - name: Sign embedded executables for (Mac Only) | |
| if: matrix.platform == 'macos-15-intel' | |
| env : | |
| APPLE_KEY_IDENTITY_NAME: ${{ secrets.APPLE_KEY_IDENTITY_NAME }} | |
| APPLE_CERTIFICATE: ${{ secrets.APPLE_CERTIFICATE }} | |
| APPLE_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }} | |
| run: | | |
| echo "Listing all files in src-tauri/src-node" | |
| echo "=======================================" | |
| find src-tauri/src-node -type f | |
| echo "=======================================" | |
| echo "Listing all files in src-node/" | |
| echo "=======================================" | |
| find src-node/ -type f | |
| certificate_encoded="$APPLE_CERTIFICATE" | |
| certificate_password="$APPLE_CERTIFICATE_PASSWORD" | |
| echo "Setting up keychain from environment variables..." | |
| # Creating a temporary directory | |
| tmp_dir=$(mktemp -d) | |
| cert_path="$tmp_dir/cert.p12" | |
| # Decode the encoded certificate and write it to the cert_path | |
| echo "$certificate_encoded" | base64 --decode > "$cert_path" | |
| # Generate a random password for the keychain | |
| KEYCHAIN_PASSWORD=$(openssl rand -base64 16) | |
| # Create a new keychain with the random password | |
| security create-keychain -p "$KEYCHAIN_PASSWORD" build.keychain | |
| security default-keychain -s build.keychain | |
| security unlock-keychain -p "$KEYCHAIN_PASSWORD" build.keychain | |
| security import "$cert_path" -k build.keychain -P "$certificate_password" -T /usr/bin/codesign | |
| security set-key-partition-list -S apple-tool:,apple: -s -k "$KEYCHAIN_PASSWORD" build.keychain | |
| # Sign the files specified in src-build/mac/filesToSign | |
| while IFS= read -r file; do | |
| if [ -f "$file" ]; then | |
| codesign --sign "$APPLE_KEY_IDENTITY_NAME" --keychain build.keychain --timestamp --options runtime "$file" | |
| else | |
| echo "File to sign not found, ignoring: $file" | |
| fi | |
| done < src-build/mac/filesToSign | |
| # Clean up | |
| security delete-keychain build.keychain | |
| rm -rf "$tmp_dir" # removes the temporary directory and the certificate file within it | |
| shell: bash | |
| - name: Run Tauri Action (Attempt 1) | |
| id: tauri_attempt_1 | |
| continue-on-error: true | |
| uses: tauri-apps/tauri-action@v0 | |
| env: | |
| GITHUB_TOKEN: ${{ github.token }} | |
| TAURI_PRIVATE_KEY: ${{ secrets.TAURI_PRIVATE_KEY }} | |
| TAURI_KEY_PASSWORD: ${{ secrets.TAURI_KEY_PASSWORD }} | |
| ENABLE_CODE_SIGNING: ${{ secrets.APPLE_CERTIFICATE }} | |
| APPLE_CERTIFICATE: ${{ secrets.APPLE_CERTIFICATE }} | |
| APPLE_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }} | |
| APPLE_SIGNING_IDENTITY: ${{ secrets.APPLE_SIGNING_IDENTITY }} | |
| APPLE_ID: ${{ secrets.APPLE_ID }} | |
| APPLE_PASSWORD: ${{ secrets.APPLE_PASSWORD }} | |
| APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }} | |
| PRO_REPO_URL: ${{ secrets.PRO_REPO_URL }} | |
| PRO_REPO_ACCESS_TOKEN: ${{ secrets.PRO_REPO_ACCESS_TOKEN }} | |
| with: | |
| releaseId: ${{ needs.create-release.outputs.release_id }} | |
| updaterJsonPreferNsis: true | |
| tagName: ${{ env.GIT_TAG_NAME }} | |
| - name: Run Tauri Action (Attempt 2) | |
| id: tauri_attempt_2 | |
| if: steps.tauri_attempt_1.outcome == 'failure' | |
| continue-on-error: true | |
| uses: tauri-apps/tauri-action@v0 | |
| env: | |
| GITHUB_TOKEN: ${{ github.token }} | |
| TAURI_PRIVATE_KEY: ${{ secrets.TAURI_PRIVATE_KEY }} | |
| TAURI_KEY_PASSWORD: ${{ secrets.TAURI_KEY_PASSWORD }} | |
| ENABLE_CODE_SIGNING: ${{ secrets.APPLE_CERTIFICATE }} | |
| APPLE_CERTIFICATE: ${{ secrets.APPLE_CERTIFICATE }} | |
| APPLE_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }} | |
| APPLE_SIGNING_IDENTITY: ${{ secrets.APPLE_SIGNING_IDENTITY }} | |
| APPLE_ID: ${{ secrets.APPLE_ID }} | |
| APPLE_PASSWORD: ${{ secrets.APPLE_PASSWORD }} | |
| APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }} | |
| PRO_REPO_URL: ${{ secrets.PRO_REPO_URL }} | |
| PRO_REPO_ACCESS_TOKEN: ${{ secrets.PRO_REPO_ACCESS_TOKEN }} | |
| with: | |
| releaseId: ${{ needs.create-release.outputs.release_id }} | |
| updaterJsonPreferNsis: true | |
| tagName: ${{ env.GIT_TAG_NAME }} | |
| - name: Run Tauri Action (Attempt 3 - Final) | |
| id: tauri_attempt_3 | |
| if: steps.tauri_attempt_2.outcome == 'failure' | |
| uses: tauri-apps/tauri-action@v0 | |
| env: | |
| GITHUB_TOKEN: ${{ github.token }} | |
| TAURI_PRIVATE_KEY: ${{ secrets.TAURI_PRIVATE_KEY }} | |
| TAURI_KEY_PASSWORD: ${{ secrets.TAURI_KEY_PASSWORD }} | |
| ENABLE_CODE_SIGNING: ${{ secrets.APPLE_CERTIFICATE }} | |
| APPLE_CERTIFICATE: ${{ secrets.APPLE_CERTIFICATE }} | |
| APPLE_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }} | |
| APPLE_SIGNING_IDENTITY: ${{ secrets.APPLE_SIGNING_IDENTITY }} | |
| APPLE_ID: ${{ secrets.APPLE_ID }} | |
| APPLE_PASSWORD: ${{ secrets.APPLE_PASSWORD }} | |
| APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }} | |
| PRO_REPO_URL: ${{ secrets.PRO_REPO_URL }} | |
| PRO_REPO_ACCESS_TOKEN: ${{ secrets.PRO_REPO_ACCESS_TOKEN }} | |
| with: | |
| releaseId: ${{ needs.create-release.outputs.release_id }} | |
| updaterJsonPreferNsis: true | |
| tagName: ${{ env.GIT_TAG_NAME }} | |
| - name: inject src-node built on mac arm (Mac only) | |
| if: matrix.platform == 'macos-15-intel' | |
| run: | | |
| ls src-node | |
| rm -rf src-tauri/src-node | |
| mv src-node src-tauri/src-node | |
| ls src-tauri/src-node | |
| - name: setup env for mac arm (Mac only) | |
| env: | |
| GH_TOKEN: ${{ github.token }} | |
| if: matrix.platform == 'macos-15-intel' | |
| run: | | |
| rustup target add aarch64-apple-darwin | |
| npm run installNodeArmDarwin | |
| - name: build for mac arm (Mac only) | |
| if: matrix.platform == 'macos-15-intel' | |
| uses: tauri-apps/tauri-action@v0 | |
| env: | |
| GITHUB_TOKEN: ${{ github.token }} | |
| TAURI_PRIVATE_KEY: ${{ secrets.TAURI_PRIVATE_KEY }} | |
| TAURI_KEY_PASSWORD: ${{ secrets.TAURI_KEY_PASSWORD }} | |
| ENABLE_CODE_SIGNING: ${{ secrets.APPLE_CERTIFICATE }} | |
| APPLE_CERTIFICATE: ${{ secrets.APPLE_CERTIFICATE }} | |
| APPLE_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }} | |
| APPLE_SIGNING_IDENTITY: ${{ secrets.APPLE_SIGNING_IDENTITY }} | |
| APPLE_ID: ${{ secrets.APPLE_ID }} | |
| APPLE_PASSWORD: ${{ secrets.APPLE_PASSWORD }} | |
| APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }} | |
| PRO_REPO_URL: ${{ secrets.PRO_REPO_URL }} | |
| PRO_REPO_ACCESS_TOKEN: ${{ secrets.PRO_REPO_ACCESS_TOKEN }} | |
| with: | |
| releaseId: ${{ needs.create-release.outputs.release_id }} | |
| args: --target aarch64-apple-darwin | |
| tagName: ${{ env.GIT_TAG_NAME }} | |
| build-linux-bins: | |
| needs: [ create-release ] | |
| permissions: | |
| contents: write | |
| timeout-minutes: 60 | |
| runs-on: ubuntu-22.04 | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: get Git Tag | |
| shell: bash | |
| run: echo "GIT_TAG_NAME=prod-app-v$(node -p "require('./package.json').version")" >> $GITHUB_ENV | |
| - name: setup node | |
| uses: actions/setup-node@v4 | |
| with: | |
| node-version: 24 | |
| - name: install frontend dependencies | |
| env: | |
| GH_TOKEN: ${{ github.token }} | |
| PRO_REPO_URL: ${{ secrets.PRO_REPO_URL }} | |
| PRO_REPO_ACCESS_TOKEN: ${{ secrets.PRO_REPO_ACCESS_TOKEN }} | |
| run: | | |
| npm ci | |
| npm run _ci-release:prod | |
| npm run _ci-releaseElectronApp | |
| ls -alh ./src-electron/dist/ | |
| echo "OUTPUT_FILENAME=$(ls ./src-electron/dist/*.AppImage | head -1 | xargs basename)" >> $GITHUB_ENV | |
| - name: Sign AppImage with minisign | |
| env: | |
| TAURI_PRIVATE_KEY: ${{ secrets.TAURI_PRIVATE_KEY }} | |
| TAURI_KEY_PASSWORD: ${{ secrets.TAURI_KEY_PASSWORD }} | |
| run: | | |
| # Download and install minisign | |
| wget https://github.com/jedisct1/minisign/releases/download/0.11/minisign-0.11-linux.tar.gz | |
| tar -xzf minisign-0.11-linux.tar.gz | |
| sudo mv minisign-linux/x86_64/minisign /usr/local/bin/ | |
| minisign -v | |
| # Decode base64-encoded private key | |
| echo "$TAURI_PRIVATE_KEY" | base64 -d > /tmp/tauri_private.key | |
| # Debug: show key file info (not contents) | |
| echo "Key file size: $(wc -c < /tmp/tauri_private.key) bytes" | |
| echo "Key file lines: $(wc -l < /tmp/tauri_private.key)" | |
| # Sign the AppImage | |
| APPIMAGE_PATH="./src-electron/dist/${{ env.OUTPUT_FILENAME }}" | |
| echo "$TAURI_KEY_PASSWORD" | minisign -S -s /tmp/tauri_private.key -m "$APPIMAGE_PATH" -t "$(date +%s) file:${{ env.OUTPUT_FILENAME }}" | |
| # Clean up private key | |
| rm /tmp/tauri_private.key | |
| # Show signature file | |
| echo "Signature file contents:" | |
| cat "${APPIMAGE_PATH}.minisig" | |
| # Rename .minisig to .sig for consistency | |
| mv "${APPIMAGE_PATH}.minisig" "${APPIMAGE_PATH}.sig" | |
| - name: Upload Release Asset | |
| uses: softprops/action-gh-release@v2 | |
| with: | |
| files: | | |
| ./src-electron/dist/${{ env.OUTPUT_FILENAME }} | |
| ./src-electron/dist/${{ env.OUTPUT_FILENAME }}.sig | |
| tag_name: ${{ env.GIT_TAG_NAME }} | |
| draft: true | |
| env: | |
| GITHUB_TOKEN: ${{ github.token }} | |
| publish-release: | |
| permissions: | |
| contents: write | |
| runs-on: ubuntu-22.04 | |
| needs: [ create-release, build-tauri, build-linux-bins ] | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: get Git Tag | |
| run: echo "GIT_TAG_NAME=prod-app-v$(node -p "require('./package.json').version")" >> $GITHUB_ENV | |
| - name: publish release | |
| id: publish-release | |
| uses: actions/github-script@v7 | |
| env: | |
| release_id: ${{ needs.create-release.outputs.release_id }} | |
| with: | |
| script: | | |
| github.rest.repos.updateRelease({ | |
| owner: context.repo.owner, | |
| repo: context.repo.repo, | |
| tag_name: `${process.env.GIT_TAG_NAME}`, | |
| target_commitish: 'prod', | |
| release_id: process.env.release_id, | |
| draft: true, | |
| prerelease: false | |
| }) |