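# Builds, signs and notarizes the macOS desktop app for a branch, publishes the
# branch's local-server runtime as a GitHub prerelease, and uploads the DMG and
# its SHA-256 checksums as a workflow artifact.
name: Desktop macOS Branch Build

# NOTE(review): workflow_dispatch can be started from any ref by anyone with
# write access, and that run receives the signing and notarization secrets
# used below. Consider scoping those secrets to a protected deployment
# environment so a signed build needs an approval.
on:
  workflow_dispatch:
  push:
    branches:
      - electron-app

jobs:
  build-macos:
    name: Build macOS desktop artifact
    runs-on: macos-latest
    # contents: write is what lets the release step create or update the
    # prerelease. It is granted to the whole job, so every step that is handed
    # the token (see "Install dependencies") holds write access.
    # NOTE(review): publishing from a separate job would let install and build
    # run with a read-only token.
    permissions:
      contents: write
    steps:
      # Third-party actions are pinned to full commit SHAs; the trailing
      # comment records the tag the SHA is expected to correspond to.
      - name: Checkout
        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
        with:
          # Full history. NOTE(review): presumably needed by the build or
          # release scripts; confirm.
          fetch-depth: 0
          # Keep the job token out of .git/config so later steps cannot read
          # it from the working tree.
          persist-credentials: false

      - name: Set up Node.js
        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
        with:
          node-version: 22
          cache: npm

      # NOTE(review): the token exported here carries contents: write and is
      # readable by every dependency lifecycle script that npm ci runs.
      # Confirm the install really needs it; if it does, prefer a token that
      # cannot write to the repository.
      - name: Install dependencies
        run: npm ci
        env:
          GITHUB_TOKEN: ${{ github.token }}

      - name: Typecheck
        run: npm run typecheck

      # Ref names are free-form text. Every character outside A-Za-z0-9._- is
      # mapped to '-' before the name is reused in artifact names and release
      # tags.
      - name: Resolve artifact metadata
        id: artifact
        run: |
          SAFE_REF="$(printf '%s' "${GITHUB_REF_NAME}" | tr -c 'A-Za-z0-9._-' '-')"
          echo "name=CloudCLI-macOS-${SAFE_REF}-${GITHUB_RUN_NUMBER}" >> "$GITHUB_OUTPUT"
          echo "server_bundle_tag=cloudcli-local-server-${SAFE_REF}" >> "$GITHUB_OUTPUT"

      # The tag is handed to the shell through an environment variable instead
      # of being expanded into the script text, so the shell always treats it
      # as data even if the sanitizing step above changes.
      - name: Configure branch server bundle source
        env:
          SERVER_BUNDLE_TAG: ${{ steps.artifact.outputs.server_bundle_tag }}
        run: |
          printf '{"releaseTag":"%s"}\n' "$SERVER_BUNDLE_TAG" > electron/server-bundle-config.json

      # Fail early, before the build, if any signing or notarization secret is
      # empty. Secrets are exposed only to the two steps that need them.
      - name: Verify signing secrets are configured
        run: |
          test -n "$CSC_LINK"
          test -n "$CSC_KEY_PASSWORD"
          test -n "$APPLE_ID"
          test -n "$APPLE_APP_SPECIFIC_PASSWORD"
          test -n "$APPLE_TEAM_ID"
        env:
          CSC_LINK: ${{ secrets.CSC_LINK }}
          CSC_KEY_PASSWORD: ${{ secrets.CSC_KEY_PASSWORD }}
          APPLE_ID: ${{ secrets.APPLE_ID }}
          APPLE_APP_SPECIFIC_PASSWORD: ${{ secrets.APPLE_APP_SPECIFIC_PASSWORD }}
          APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}

      # "--publish never" is passed so the packaging command itself uploads
      # nothing; publishing is done by the explicit steps below.
      - name: Build signed and notarized macOS artifacts
        run: npm run desktop:dist:mac -- --publish never
        env:
          CLOUDCLI_SEMANTICS_BUILD_REQUIRED: "1"
          CSC_LINK: ${{ secrets.CSC_LINK }}
          CSC_KEY_PASSWORD: ${{ secrets.CSC_KEY_PASSWORD }}
          APPLE_ID: ${{ secrets.APPLE_ID }}
          APPLE_APP_SPECIFIC_PASSWORD: ${{ secrets.APPLE_APP_SPECIFIC_PASSWORD }}
          APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}

      - name: Build branch server bundle
        run: node scripts/release/build-server-bundle.js

      # Require at least one runtime tarball and one .sha256 file before
      # anything is published.
      - name: Verify branch server runtime artifacts
        run: |
          test -n "$(find release/local-server -maxdepth 1 -name 'cloudcli-local-server-*.tar.gz' -print -quit)"
          test -n "$(find release/local-server -maxdepth 1 -name 'cloudcli-local-server-*.tar.gz.sha256' -print -quit)"

      # The tag is reused per branch and overwrite_files replaces existing
      # assets, so this prerelease is mutable.
      # NOTE(review): the .sha256 published next to the tarball detects
      # corruption only; anyone able to edit the release can replace both
      # files. Confirm how the desktop app authenticates the runtime it
      # downloads automatically.
      - name: Publish branch server bundle
        uses: softprops/action-gh-release@b4309332981a82ec1c5618f44dd2e27cc8bfbfda # v3.0.0
        with:
          tag_name: ${{ steps.artifact.outputs.server_bundle_tag }}
          name: CloudCLI Desktop Local Runtime (${{ github.ref_name }})
          body: |
            This prerelease is used by CloudCLI Desktop branch builds to run Local mode.

            To test this branch, download the desktop app from this workflow run's artifacts. When you open Local CloudCLI, the desktop app automatically downloads the matching runtime from this prerelease.

            You do not need to download these runtime files manually.
          prerelease: true
          fail_on_unmatched_files: false
          overwrite_files: true
          files: |
            release/local-server/*

      # Require at least one DMG, then record SHA-256 checksums and print them
      # to the job log.
      - name: Verify macOS artifacts
        run: |
          test -n "$(find release/desktop -maxdepth 1 -name '*.dmg' -print -quit)"
          shasum -a 256 release/desktop/*.dmg > release/SHASUMS256.txt
          cat release/SHASUMS256.txt

      - name: Upload branch build artifacts
        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6
        with:
          name: ${{ steps.artifact.outputs.name }}
          path: |
            release/desktop/*.dmg
            release/SHASUMS256.txt
          if-no-files-found: error
          retention-days: 14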