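# Builds a signed and notarized macOS desktop artifact for branch builds.
#
# Triggers: manual dispatch, and pushes to the `electron-app` branch.
# Outputs:
#   - a workflow artifact holding the desktop installers plus SHASUMS256.txt
#   - a pre-release, tagged per branch, that carries the local server bundle
#
# Third-party actions are pinned to full commit SHAs; the trailing `# vN`
# comments only record which release each SHA was taken from.
name: Desktop macOS Branch Build

on:
  workflow_dispatch:
  push:
    branches:
      - electron-app

jobs:
  build-macos:
    name: Build macOS desktop artifact
    runs-on: macos-latest
    # contents: write is what lets the release-publishing step create or update
    # a release. It is granted job-wide, so github.token has write scope in
    # every step of this job.
    # NOTE(review): consider moving the publish step into its own job so the
    # dependency install and build steps can run with contents: read.
    permissions:
      contents: write
    steps:
      # persist-credentials: false keeps the token out of the checked-out
      # repository's git config, so later steps cannot read it from there.
      - name: Checkout
        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10  # v6
        with:
          fetch-depth: 0
          persist-credentials: false

      - name: Set up Node.js
        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e  # v6
        with:
          node-version: 22
          cache: npm

      # NOTE(review): dependency lifecycle scripts run inside `npm ci`, and
      # this step hands them a token that carries contents: write. Confirm the
      # install really needs GITHUB_TOKEN; if it does not, drop the env entry.
      - name: Install dependencies
        run: npm ci
        env:
          GITHUB_TOKEN: ${{ github.token }}

      - name: Typecheck
        run: npm run typecheck

      # Derives the artifact name and the release tag from the ref name.
      # `tr -c` replaces every character outside A-Za-z0-9._- with '-', so the
      # values written to GITHUB_OUTPUT contain only that restricted set plus
      # the fixed prefixes and the run number.
      - name: Resolve artifact metadata
        id: artifact
        run: |
          SAFE_REF="$(printf '%s' "${GITHUB_REF_NAME}" | tr -c 'A-Za-z0-9._-' '-')"
          echo "name=CloudCLI-macOS-${SAFE_REF}-${GITHUB_RUN_NUMBER}" >> "$GITHUB_OUTPUT"
          echo "server_bundle_tag=cloudcli-local-server-${SAFE_REF}" >> "$GITHUB_OUTPUT"

      # The tag reaches the script through an environment variable rather than
      # a `${{ }}` expression expanded into the script text. The value is
      # already sanitised by the previous step; going through env keeps this
      # step safe even if that sanitisation is changed later.
      - name: Configure branch server bundle source
        run: printf '{"releaseTag":"%s"}\n' "${SERVER_BUNDLE_TAG}" > electron/server-bundle-config.json
        env:
          SERVER_BUNDLE_TAG: ${{ steps.artifact.outputs.server_bundle_tag }}

      # Fails the job before the build starts when any signing or notarization
      # secret is empty. `test -n` checks for a non-empty value without
      # printing it.
      - name: Verify signing secrets are configured
        run: |
          test -n "$CSC_LINK"
          test -n "$CSC_KEY_PASSWORD"
          test -n "$APPLE_ID"
          test -n "$APPLE_APP_SPECIFIC_PASSWORD"
          test -n "$APPLE_TEAM_ID"
        env:
          CSC_LINK: ${{ secrets.CSC_LINK }}
          CSC_KEY_PASSWORD: ${{ secrets.CSC_KEY_PASSWORD }}
          APPLE_ID: ${{ secrets.APPLE_ID }}
          APPLE_APP_SPECIFIC_PASSWORD: ${{ secrets.APPLE_APP_SPECIFIC_PASSWORD }}
          APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}

      # `--publish never` is forwarded to the project's build script; release
      # publishing is done by a dedicated step further down.
      # The signing secrets are environment variables of this step, so every
      # build script and build-time dependency that runs here can read them.
      # NOTE(review): workflow_dispatch can be started from any branch, which
      # means any branch build can use the signing identity - confirm that is
      # intended, or gate the secrets behind a protected environment.
      - name: Build signed and notarized macOS artifacts
        run: npm run desktop:dist:mac -- --publish never
        env:
          CLOUDCLI_SEMANTICS_BUILD_REQUIRED: "1"
          CSC_LINK: ${{ secrets.CSC_LINK }}
          CSC_KEY_PASSWORD: ${{ secrets.CSC_KEY_PASSWORD }}
          APPLE_ID: ${{ secrets.APPLE_ID }}
          APPLE_APP_SPECIFIC_PASSWORD: ${{ secrets.APPLE_APP_SPECIFIC_PASSWORD }}
          APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}

      - name: Build branch server bundle
        run: node scripts/release/build-server-bundle.js

      # Requires at least one bundle tarball and one .sha256 file to exist
      # before anything is published.
      - name: Verify branch server runtime artifacts
        run: |
          test -n "$(find release/local-server -maxdepth 1 -name 'cloudcli-local-server-*.tar.gz' -print -quit)"
          test -n "$(find release/local-server -maxdepth 1 -name 'cloudcli-local-server-*.tar.gz.sha256' -print -quit)"

      # Publishes the server bundle to a pre-release whose tag is fixed per
      # branch; overwrite_files: true replaces the assets on every run, so the
      # published bundle is mutable.
      # The .sha256 files sit in the same release as the tarballs. A checksum
      # fetched from the same place as the file detects corruption, but not a
      # replacement by someone who can write to the release.
      # NOTE(review): if the desktop app relies on these checksums for
      # integrity, consider a signature or a hash embedded in the signed app.
      # fail_on_unmatched_files: false is tolerable only because the previous
      # step already fails the job when the expected files are missing.
      - name: Publish branch server bundle
        uses: softprops/action-gh-release@3bb12739c298aeb8a4eeaf626c5b8d85266b0e65  # v2
        with:
          tag_name: ${{ steps.artifact.outputs.server_bundle_tag }}
          name: CloudCLI Internal Local Runtime (${{ github.ref_name }})
          body: |
            Internal runtime assets for CloudCLI Desktop branch builds.
            Users should download the desktop app from the workflow artifact.
            The desktop app downloads these runtime bundles automatically when local mode is enabled.
          prerelease: true
          fail_on_unmatched_files: false
          overwrite_files: true
          files: |
            release/local-server/*

      # Checks that a .dmg and a .zip were produced, then records their SHA-256
      # digests. The `*.{dmg,zip}` brace expansion needs bash, which is the
      # default shell for `run` on this runner.
      - name: Verify macOS artifacts
        run: |
          test -n "$(find release/desktop -maxdepth 1 -name '*.dmg' -print -quit)"
          test -n "$(find release/desktop -maxdepth 1 -name '*.zip' -print -quit)"
          shasum -a 256 release/desktop/*.{dmg,zip} > release/SHASUMS256.txt
          cat release/SHASUMS256.txt

      # if-no-files-found: error makes an empty upload fail the job instead of
      # passing silently. Artifacts are kept for 14 days.
      - name: Upload branch build artifacts
        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f  # v6
        with:
          name: ${{ steps.artifact.outputs.name }}
          path: |
            release/desktop/*.dmg
            release/desktop/*.zip
            release/desktop/*.yml
            release/desktop/*.blockmap
            release/SHASUMS256.txt
          if-no-files-found: error
          retention-days: 14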