yaak/.github/workflows/release-app.yml

name: Release App Artifacts
on:
  push:
    tags: [v*]

jobs:
  build-artifacts:
    permissions:
      contents: write

    name: Build
    strategy:
      fail-fast: false
      matrix:
        include:
          - platform: "macos-26" # for Arm-based Macs (M1 and above).
            args: "--target aarch64-apple-darwin"
            yaak_arch: "arm64"
            os: "macos"
            targets: "aarch64-apple-darwin"
          - platform: "macos-26-intel" # for Intel-based Macs.
            args: "--target x86_64-apple-darwin"
            yaak_arch: "x64"
            os: "macos"
            targets: "x86_64-apple-darwin"
          - platform: "ubuntu-22.04"
            args: ""
            yaak_arch: "x64"
            os: "ubuntu"
            targets: ""
          - platform: "ubuntu-22.04-arm"
            args: ""
            yaak_arch: "arm64"
            os: "ubuntu"
            targets: ""
          - platform: "windows-latest"
            args: ""
            yaak_arch: "x64"
            os: "windows"
            targets: ""
          # Windows ARM64
          - platform: "windows-latest"
            args: "--target aarch64-pc-windows-msvc"
            yaak_arch: "arm64"
            os: "windows"
            targets: "aarch64-pc-windows-msvc"
    runs-on: ${{ matrix.platform }}
    timeout-minutes: 40
    steps:
      - name: Checkout yaakapp/app
        uses: actions/checkout@v4

      - name: Setup Node
        uses: actions/setup-node@v4

      - name: install Rust stable
        uses: dtolnay/rust-toolchain@stable
        with:
          targets: ${{ matrix.targets }}

      - uses: Swatinem/rust-cache@v2
        with:
          shared-key: ci
          cache-on-failure: true

      - name: install dependencies (Linux only)
        if: matrix.os == 'ubuntu'
        run: |
          sudo apt-get update
          sudo apt-get install -y libwebkit2gtk-4.1-dev libappindicator3-dev librsvg2-dev patchelf xdg-utils

      - name: Install Protoc for plugin-runtime
        uses: arduino/setup-protoc@v3
        with:
          repo-token: ${{ secrets.GITHUB_TOKEN }}

      - name: Install trusted-signing-cli (Windows only)
        if: matrix.os == 'windows'
        shell: pwsh
        run: |
          $ErrorActionPreference = 'Stop'
          $dir = "$env:USERPROFILE\trusted-signing"
          New-Item -ItemType Directory -Force -Path $dir | Out-Null
          $url = "https://github.com/Levminer/trusted-signing-cli/releases/download/0.8.0/trusted-signing-cli.exe"
          $exe = Join-Path $dir "trusted-signing-cli.exe"
          Invoke-WebRequest -Uri $url -OutFile $exe
          echo $dir >> $env:GITHUB_PATH
          & $exe --version

      - run: npm ci
      - run: npm run bootstrap
        env:
          YAAK_TARGET_ARCH: ${{ matrix.yaak_arch }}
      - run: npm run lint
      - name: Run JS Tests
        run: npm test
      - name: Run Rust Tests
        run: cargo test --all

      - name: Set version
        run: npm run replace-version
        env:
          YAAK_VERSION: ${{ github.ref_name }}

      - name: Sign vendored binaries (macOS only)
        if: matrix.os == 'macos'
        env:
          APPLE_CERTIFICATE: ${{ secrets.APPLE_CERTIFICATE }}
          APPLE_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
          APPLE_SIGNING_IDENTITY: ${{ secrets.APPLE_SIGNING_IDENTITY }}
          KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }}
        run: |
          # Create keychain
          KEYCHAIN_PATH=$RUNNER_TEMP/app-signing.keychain-db
          security create-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
          security set-keychain-settings -lut 21600 $KEYCHAIN_PATH
          security unlock-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH

          # Import certificate
          echo "$APPLE_CERTIFICATE" | base64 --decode > certificate.p12
          security import certificate.p12 -P "$APPLE_CERTIFICATE_PASSWORD" -A -t cert -f pkcs12 -k $KEYCHAIN_PATH
          security list-keychain -d user -s $KEYCHAIN_PATH

          # Sign vendored binaries with hardened runtime and their specific entitlements
          codesign --force --options runtime --entitlements crates-tauri/yaak-app/macos/entitlements.yaakprotoc.plist --sign "$APPLE_SIGNING_IDENTITY" crates-tauri/yaak-app/vendored/protoc/yaakprotoc || true
          codesign --force --options runtime --entitlements crates-tauri/yaak-app/macos/entitlements.yaaknode.plist --sign "$APPLE_SIGNING_IDENTITY" crates-tauri/yaak-app/vendored/node/yaaknode || true

      - uses: tauri-apps/tauri-action@v0
        env:
          YAAK_TARGET_ARCH: ${{ matrix.yaak_arch }}

          ENABLE_CODE_SIGNING: ${{ secrets.APPLE_CERTIFICATE }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          TAURI_SIGNING_PRIVATE_KEY: ${{ secrets.TAURI_PRIVATE_KEY }}
          TAURI_SIGNING_PRIVATE_KEY_PASSWORD: ${{ secrets.TAURI_KEY_PASSWORD }}

          # Apple signing stuff
          APPLE_CERTIFICATE: ${{ matrix.os == 'macos' && secrets.APPLE_CERTIFICATE }}
          APPLE_CERTIFICATE_PASSWORD: ${{ matrix.os == 'macos' && secrets.APPLE_CERTIFICATE_PASSWORD }}
          APPLE_ID: ${{ matrix.os == 'macos' && secrets.APPLE_ID }}
          APPLE_PASSWORD: ${{ matrix.os == 'macos' && secrets.APPLE_PASSWORD }}
          APPLE_SIGNING_IDENTITY: ${{ matrix.os == 'macos' && secrets.APPLE_SIGNING_IDENTITY }}
          APPLE_TEAM_ID: ${{ matrix.os == 'macos' && secrets.APPLE_TEAM_ID }}

          # Windows signing stuff
          AZURE_CLIENT_ID: ${{ matrix.os == 'windows' && secrets.AZURE_CLIENT_ID }}
          AZURE_CLIENT_SECRET: ${{ matrix.os == 'windows' && secrets.AZURE_CLIENT_SECRET }}
          AZURE_TENANT_ID: ${{ matrix.os == 'windows' && secrets.AZURE_TENANT_ID }}
        with:
          tagName: "v__VERSION__"
          releaseName: "Release __VERSION__"
          releaseBody: "[Changelog __VERSION__](https://yaak.app/blog/__VERSION__)"
          releaseDraft: true
          prerelease: true
          args: "${{ matrix.args }} --config ./crates-tauri/yaak-app/tauri.release.conf.json"

      # Build a per-machine NSIS installer for enterprise deployment (PDQ, SCCM, Intune)
      - name: Build and upload machine-wide installer (Windows only)
        if: matrix.os == 'windows'
        shell: pwsh
        env:
          YAAK_TARGET_ARCH: ${{ matrix.yaak_arch }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
          AZURE_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }}
          AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
          TAURI_SIGNING_PRIVATE_KEY: ${{ secrets.TAURI_PRIVATE_KEY }}
          TAURI_SIGNING_PRIVATE_KEY_PASSWORD: ${{ secrets.TAURI_KEY_PASSWORD }}
        run: |
          Get-ChildItem -Recurse -Path target -File -Filter "*.exe.sig" | Remove-Item -Force
          npx tauri bundle ${{ matrix.args }} --bundles nsis --config ./crates-tauri/yaak-app/tauri.release.conf.json --config '{"bundle":{"createUpdaterArtifacts":true,"windows":{"nsis":{"installMode":"perMachine"}}}}'
          $setup = Get-ChildItem -Recurse -Path target -Filter "*setup*.exe" | Select-Object -First 1
          $setupSig = "$($setup.FullName).sig"
          $dest = $setup.FullName -replace '-setup\.exe$', '-setup-machine.exe'
          $destSig = "$dest.sig"
          Copy-Item $setup.FullName $dest
          Copy-Item $setupSig $destSig
          gh release upload "${{ github.ref_name }}" "$dest" --clobber
          gh release upload "${{ github.ref_name }}" "$destSig" --clobber