forge/.github/workflows/bundle-app.yml at main · LayerDynamics/forge · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
name: Bundle App

on:
  workflow_dispatch:
    inputs:
      app_path:
        description: 'Path to app directory (relative to repo root)'
        required: true
        default: 'examples/example-deno-app'
      sign_windows:
        description: 'Sign Windows MSIX package'
        required: false
        default: false
        type: boolean
      sign_macos:
        description: 'Sign and notarize macOS app'
        required: false
        default: false
        type: boolean

env:
  CARGO_TERM_COLOR: always
  APP_PATH: ${{ github.event.inputs.app_path }}

jobs:
  bundle-windows:
    name: Bundle Windows MSIX
    runs-on: windows-latest
    steps:
      - uses: actions/checkout@v4

      - name: Install Rust toolchain
        uses: dtolnay/rust-toolchain@stable

      - name: Install Deno
        uses: denoland/setup-deno@v1
        with:
          deno-version: v1.x

      - name: Cache cargo
        uses: actions/cache@v4
        with:
          path: |
            ~/.cargo/bin/
            ~/.cargo/registry/index/
            ~/.cargo/registry/cache/
            ~/.cargo/git/db/
            target/
          key: ${{ runner.os }}-cargo-bundle-${{ hashFiles('**/Cargo.lock') }}

      - name: Build app
        run: cargo run -p forge_cli -- build ${{ env.APP_PATH }}

      - name: Bundle app
        run: cargo run -p forge_cli -- bundle ${{ env.APP_PATH }}

      - name: Sign MSIX (if requested)
        if: github.event.inputs.sign_windows == 'true'
        run: |
          # Import certificate from secrets
          echo "${{ secrets.WINDOWS_CERTIFICATE }}" | base64 -d > cert.pfx
          cargo run -p forge_cli -- sign --identity cert.pfx ${{ env.APP_PATH }}/bundle/*.msix
          rm cert.pfx
        env:
          FORGE_SIGNING_PASSWORD: ${{ secrets.WINDOWS_CERTIFICATE_PASSWORD }}

      - name: Upload MSIX
        uses: actions/upload-artifact@v4
        with:
          name: windows-msix
          path: ${{ env.APP_PATH }}/bundle/*.msix

  bundle-macos:
    name: Bundle macOS DMG
    runs-on: macos-latest
    steps:
      - uses: actions/checkout@v4

      - name: Install Rust toolchain
        uses: dtolnay/rust-toolchain@stable

      - name: Install Deno
        uses: denoland/setup-deno@v1
        with:
          deno-version: v1.x

      - name: Cache cargo
        uses: actions/cache@v4
        with:
          path: |
            ~/.cargo/bin/
            ~/.cargo/registry/index/
            ~/.cargo/registry/cache/
            ~/.cargo/git/db/
            target/
          key: ${{ runner.os }}-cargo-bundle-${{ hashFiles('**/Cargo.lock') }}

      - name: Build app
        run: cargo run -p forge_cli -- build ${{ env.APP_PATH }}

      - name: Check if certificates available
        id: check_certs
        if: github.event.inputs.sign_macos == 'true'
        run: |
          if [ -n "${{ secrets.MACOS_CERTIFICATE }}" ]; then
            echo "has_cert=true" >> $GITHUB_OUTPUT
          else
            echo "has_cert=false" >> $GITHUB_OUTPUT
            echo "⚠️ Warning: Code signing requested but MACOS_CERTIFICATE secret is not set"
          fi

      - name: Import signing certificate (if requested)
        if: github.event.inputs.sign_macos == 'true' && steps.check_certs.outputs.has_cert == 'true'
        run: |
          # Create keychain
          security create-keychain -p "" build.keychain
          security set-keychain-settings build.keychain
          security unlock-keychain -p "" build.keychain

          # Import certificate
          echo "$MACOS_CERTIFICATE" | base64 --decode > cert.p12
          security import cert.p12 -k build.keychain -P "$MACOS_CERTIFICATE_PASSWORD" -T /usr/bin/codesign
          rm cert.p12

          # Set keychain to be used
          security list-keychains -s build.keychain
          security default-keychain -s build.keychain

          # Allow codesign to access keychain
          security set-key-partition-list -S apple-tool:,apple: -s -k "" build.keychain
        env:
          MACOS_CERTIFICATE: ${{ secrets.MACOS_CERTIFICATE }}
          MACOS_CERTIFICATE_PASSWORD: ${{ secrets.MACOS_CERTIFICATE_PASSWORD }}

      - name: Setup notarization credentials (if requested)
        if: github.event.inputs.sign_macos == 'true' && steps.check_certs.outputs.has_cert == 'true'
        run: |
          if [ -n "$APPLE_ID" ]; then
            xcrun notarytool store-credentials "forge-notarize" \
              --apple-id "$APPLE_ID" \
              --team-id "$APPLE_TEAM_ID" \
              --password "$APPLE_APP_PASSWORD"
          else
            echo "⚠️ Warning: APPLE_ID not set, skipping notarization setup"
          fi
        env:
          APPLE_ID: ${{ secrets.APPLE_ID }}
          APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
          APPLE_APP_PASSWORD: ${{ secrets.APPLE_APP_PASSWORD }}

      - name: Bundle app
        run: cargo run -p forge_cli -- bundle ${{ env.APP_PATH }}
        env:
          FORGE_SIGNING_IDENTITY: ${{ github.event.inputs.sign_macos == 'true' && secrets.MACOS_SIGNING_IDENTITY || '' }}
          FORGE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
          FORGE_NOTARIZE: ${{ github.event.inputs.sign_macos }}

      - name: Cleanup keychain
        if: always() && github.event.inputs.sign_macos == 'true'
        run: security delete-keychain build.keychain

      - name: Upload DMG
        uses: actions/upload-artifact@v4
        with:
          name: macos-dmg
          path: |
            ${{ env.APP_PATH }}/bundle/*.dmg
            ${{ env.APP_PATH }}/bundle/*.app

  bundle-linux:
    name: Bundle Linux AppImage
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Install Rust toolchain
        uses: dtolnay/rust-toolchain@stable

      - name: Install Deno
        uses: denoland/setup-deno@v1
        with:
          deno-version: v1.x

      - name: Install system dependencies
        run: |
          sudo apt-get update
          sudo apt-get install -y \
            libwebkit2gtk-4.1-dev \
            libgtk-3-dev \
            libayatana-appindicator3-dev \
            squashfs-tools \
            fuse

      - name: Install appimagetool
        run: |
          wget -q https://github.com/AppImage/AppImageKit/releases/download/continuous/appimagetool-x86_64.AppImage
          chmod +x appimagetool-x86_64.AppImage
          sudo mv appimagetool-x86_64.AppImage /usr/local/bin/appimagetool

      - name: Cache cargo
        uses: actions/cache@v4
        with:
          path: |
            ~/.cargo/bin/
            ~/.cargo/registry/index/
            ~/.cargo/registry/cache/
            ~/.cargo/git/db/
            target/
          key: ${{ runner.os }}-cargo-bundle-${{ hashFiles('**/Cargo.lock') }}

      - name: Build app
        run: cargo run -p forge_cli -- build ${{ env.APP_PATH }}

      - name: Bundle app
        run: cargo run -p forge_cli -- bundle ${{ env.APP_PATH }}

      - name: Upload AppImage
        uses: actions/upload-artifact@v4
        with:
          name: linux-appimage
          path: |
            ${{ env.APP_PATH }}/bundle/*.AppImage
            ${{ env.APP_PATH }}/bundle/*.tar.gz