notify/.github/workflows/release.yml at main · maman/notify · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
name: Build, Notarize & Release

on:
  push:
    tags:
      - 'v*'

env:
  XCODE_PROJECT: src/ntfy.xcodeproj
  SCHEME: Notify
  PRODUCT_NAME: Notify
  BUNDLE_ID: me.mahardi.ntfy
  TEAM_ID: DKL5CLP48A

permissions:
  contents: write

jobs:
  build-and-release:
    runs-on: macos-26

    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          fetch-depth: 0

      - name: Set up Xcode
        uses: maxim-lobanov/setup-xcode@v1
        with:
          xcode-version: '26.2'

      - name: Extract version from tag
        id: version
        run: |
          VERSION=${GITHUB_REF#refs/tags/v}
          echo "version=$VERSION" >> $GITHUB_OUTPUT
          echo "Building version: $VERSION"

      - name: Install dependencies
        run: brew install create-dmg

      - name: Import Developer ID Certificate
        env:
          DEVELOPER_ID_CERT_BASE64: ${{ secrets.DEVELOPER_ID_CERT_BASE64 }}
          DEVELOPER_ID_CERT_PASSWORD: ${{ secrets.DEVELOPER_ID_CERT_PASSWORD }}
          KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }}
        run: |
          # Create variables
          CERTIFICATE_PATH=$RUNNER_TEMP/developer_id.p12
          KEYCHAIN_PATH=$RUNNER_TEMP/app-signing.keychain-db

          # Decode certificate
          echo -n "$DEVELOPER_ID_CERT_BASE64" | base64 --decode -o $CERTIFICATE_PATH

          # Create temporary keychain
          security create-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
          security set-keychain-settings -lut 21600 $KEYCHAIN_PATH
          security unlock-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH

          # Import certificate to keychain
          security import $CERTIFICATE_PATH -P "$DEVELOPER_ID_CERT_PASSWORD" -A -t cert -f pkcs12 -k $KEYCHAIN_PATH
          security set-key-partition-list -S apple-tool:,apple: -k "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
          security list-keychain -d user -s $KEYCHAIN_PATH

      - name: Install Provisioning Profile
        env:
          PROVISIONING_PROFILE_BASE64: ${{ secrets.PROVISIONING_PROFILE_BASE64 }}
        run: |
          # Create profiles directory
          mkdir -p ~/Library/MobileDevice/Provisioning\ Profiles

          # Decode and install provisioning profile
          echo -n "$PROVISIONING_PROFILE_BASE64" | base64 --decode -o ~/Library/MobileDevice/Provisioning\ Profiles/notify.provisionprofile

      - name: Resolve Swift Packages
        run: |
          xcodebuild -resolvePackageDependencies \
            -project $XCODE_PROJECT \
            -scheme $SCHEME

      - name: Build and Archive
        run: |
          xcodebuild archive \
            -project $XCODE_PROJECT \
            -scheme $SCHEME \
            -configuration Release \
            -archivePath $RUNNER_TEMP/$PRODUCT_NAME.xcarchive \
            -allowProvisioningUpdates \
            MARKETING_VERSION=${{ steps.version.outputs.version }} \
            CURRENT_PROJECT_VERSION=${{ github.run_number }} \
            CODE_SIGN_STYLE=Manual \
            DEVELOPMENT_TEAM=$TEAM_ID \
            CODE_SIGN_IDENTITY="Developer ID Application: Achmad Mahardi ($TEAM_ID)"

      - name: Export Archive
        run: |
          cat > $RUNNER_TEMP/ExportOptions.plist << EOF
          <?xml version="1.0" encoding="UTF-8"?>
          <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
          <plist version="1.0">
          <dict>
              <key>method</key>
              <string>developer-id</string>
              <key>teamID</key>
              <string>$TEAM_ID</string>
              <key>signingStyle</key>
              <string>manual</string>
              <key>signingCertificate</key>
              <string>Developer ID Application</string>
              <key>provisioningProfiles</key>
              <dict>
                  <key>$BUNDLE_ID</key>
                  <string>Notify macOS Developer ID</string>
              </dict>
          </dict>
          </plist>
          EOF

          xcodebuild -exportArchive \
            -archivePath $RUNNER_TEMP/$PRODUCT_NAME.xcarchive \
            -exportOptionsPlist $RUNNER_TEMP/ExportOptions.plist \
            -exportPath $RUNNER_TEMP/Export

      - name: Notarize App
        env:
          APPLE_ID: ${{ secrets.APPLE_ID }}
          APPLE_ID_PASSWORD: ${{ secrets.APPLE_ID_PASSWORD }}
        run: |
          # Create ZIP for notarization
          ditto -c -k --keepParent "$RUNNER_TEMP/Export/$PRODUCT_NAME.app" "$RUNNER_TEMP/$PRODUCT_NAME.zip"

          # Submit for notarization
          xcrun notarytool submit "$RUNNER_TEMP/$PRODUCT_NAME.zip" \
            --apple-id "$APPLE_ID" \
            --password "$APPLE_ID_PASSWORD" \
            --team-id "$TEAM_ID" \
            --wait

          # Staple the app
          xcrun stapler staple "$RUNNER_TEMP/Export/$PRODUCT_NAME.app"

      - name: Create DMG
        run: |
          create-dmg \
            --volname "$PRODUCT_NAME" \
            --window-pos 200 120 \
            --window-size 600 400 \
            --icon-size 100 \
            --icon "$PRODUCT_NAME.app" 150 190 \
            --hide-extension "$PRODUCT_NAME.app" \
            --app-drop-link 450 185 \
            "$RUNNER_TEMP/$PRODUCT_NAME-${{ steps.version.outputs.version }}.dmg" \
            "$RUNNER_TEMP/Export/$PRODUCT_NAME.app" || true

          # create-dmg returns non-zero even on success sometimes, verify file exists
          if [ ! -f "$RUNNER_TEMP/$PRODUCT_NAME-${{ steps.version.outputs.version }}.dmg" ]; then
            echo "DMG creation failed"
            exit 1
          fi

      - name: Sign DMG with codesign
        run: |
          codesign --force --sign "Developer ID Application: Achmad Mahardi ($TEAM_ID)" \
            "$RUNNER_TEMP/$PRODUCT_NAME-${{ steps.version.outputs.version }}.dmg"

      - name: Notarize DMG
        env:
          APPLE_ID: ${{ secrets.APPLE_ID }}
          APPLE_ID_PASSWORD: ${{ secrets.APPLE_ID_PASSWORD }}
        run: |
          xcrun notarytool submit "$RUNNER_TEMP/$PRODUCT_NAME-${{ steps.version.outputs.version }}.dmg" \
            --apple-id "$APPLE_ID" \
            --password "$APPLE_ID_PASSWORD" \
            --team-id "$TEAM_ID" \
            --wait

          xcrun stapler staple "$RUNNER_TEMP/$PRODUCT_NAME-${{ steps.version.outputs.version }}.dmg"

      - name: Download Sparkle tools and sign DMG
        env:
          SPARKLE_PRIVATE_KEY: ${{ secrets.SPARKLE_PRIVATE_KEY }}
        run: |
          # Download Sparkle tools
          SPARKLE_VERSION="2.6.4"
          curl -L -o $RUNNER_TEMP/Sparkle.tar.xz \
            "https://github.com/sparkle-project/Sparkle/releases/download/$SPARKLE_VERSION/Sparkle-$SPARKLE_VERSION.tar.xz"

          mkdir -p $RUNNER_TEMP/Sparkle
          tar -xf $RUNNER_TEMP/Sparkle.tar.xz -C $RUNNER_TEMP/Sparkle

          # Write private key to temp file
          echo "$SPARKLE_PRIVATE_KEY" > $RUNNER_TEMP/sparkle_private_key

          # Sign the DMG and capture signature
          SIGNATURE=$($RUNNER_TEMP/Sparkle/bin/sign_update \
            "$RUNNER_TEMP/$PRODUCT_NAME-${{ steps.version.outputs.version }}.dmg" \
            --ed-key-file $RUNNER_TEMP/sparkle_private_key)

          echo "SPARKLE_SIGNATURE=$SIGNATURE" >> $GITHUB_ENV

          # Clean up private key
          rm -f $RUNNER_TEMP/sparkle_private_key

      - name: Generate appcast entry
        id: appcast
        run: |
          DMG_PATH="$RUNNER_TEMP/$PRODUCT_NAME-${{ steps.version.outputs.version }}.dmg"
          FILE_SIZE=$(stat -f%z "$DMG_PATH")
          VERSION="${{ steps.version.outputs.version }}"
          BUILD_NUMBER="${{ github.run_number }}"
          PUB_DATE=$(date -u +"%a, %d %b %Y %H:%M:%S %z")

          # Extract edSignature from the signature output
          ED_SIGNATURE=$(echo "$SPARKLE_SIGNATURE" | grep -o 'sparkle:edSignature="[^"]*"' | cut -d'"' -f2)

          # Create appcast entry
          cat > $RUNNER_TEMP/appcast_entry.xml << EOF
              <item>
                  <title>Version $VERSION</title>
                  <pubDate>$PUB_DATE</pubDate>
                  <sparkle:version>$BUILD_NUMBER</sparkle:version>
                  <sparkle:shortVersionString>$VERSION</sparkle:shortVersionString>
                  <sparkle:minimumSystemVersion>15.0</sparkle:minimumSystemVersion>
                  <enclosure
                      url="${{ secrets.R2_PUBLIC_URL }}/releases/$PRODUCT_NAME-$VERSION.dmg"
                      sparkle:edSignature="$ED_SIGNATURE"
                      length="$FILE_SIZE"
                      type="application/octet-stream"/>
              </item>
          EOF

          echo "Generated appcast entry:"
          cat $RUNNER_TEMP/appcast_entry.xml

      - name: Download and update appcast.xml
        env:
          R2_PUBLIC_URL: ${{ secrets.R2_PUBLIC_URL }}
        run: |
          # Try to download existing appcast, or create new one
          curl -sf "$R2_PUBLIC_URL/appcast.xml" -o $RUNNER_TEMP/appcast.xml || true

          if [ ! -f "$RUNNER_TEMP/appcast.xml" ] || [ ! -s "$RUNNER_TEMP/appcast.xml" ]; then
            # Create new appcast
            cat > $RUNNER_TEMP/appcast.xml << EOF
          <?xml version="1.0" encoding="utf-8"?>
          <rss version="2.0" xmlns:sparkle="http://www.andymatuschak.org/xml-namespaces/sparkle" xmlns:dc="http://purl.org/dc/elements/1.1/">
              <channel>
                  <title>Notify Updates</title>
                  <link>$R2_PUBLIC_URL/appcast.xml</link>
                  <description>Most recent updates to Notify</description>
                  <language>en</language>
              </channel>
          </rss>
          EOF
          fi

          # Insert new entry before </channel> using Python for reliable multiline handling
          python3 << 'PYEOF'
          import os
          entry_file = os.path.join(os.environ['RUNNER_TEMP'], 'appcast_entry.xml')
          appcast_file = os.path.join(os.environ['RUNNER_TEMP'], 'appcast.xml')
          with open(entry_file, 'r') as f:
              entry = f.read()
          with open(appcast_file, 'r') as f:
              appcast = f.read()
          appcast = appcast.replace('</channel>', entry + '\n    </channel>')
          with open(appcast_file, 'w') as f:
              f.write(appcast)
          PYEOF

          echo "Updated appcast.xml:"
          cat $RUNNER_TEMP/appcast.xml

      - name: Upload to Cloudflare R2
        env:
          R2_ACCOUNT_ID: ${{ secrets.R2_ACCOUNT_ID }}
          R2_ACCESS_KEY_ID: ${{ secrets.R2_ACCESS_KEY_ID }}
          R2_SECRET_ACCESS_KEY: ${{ secrets.R2_SECRET_ACCESS_KEY }}
          R2_BUCKET: ${{ secrets.R2_BUCKET }}
        run: |
          # Install AWS CLI
          pip install awscli --quiet

          # Configure AWS CLI for R2
          aws configure set aws_access_key_id "$R2_ACCESS_KEY_ID"
          aws configure set aws_secret_access_key "$R2_SECRET_ACCESS_KEY"
          aws configure set default.region auto

          R2_ENDPOINT="https://${R2_ACCOUNT_ID}.r2.cloudflarestorage.com"

          # Upload DMG to releases folder
          aws s3 cp "$RUNNER_TEMP/$PRODUCT_NAME-${{ steps.version.outputs.version }}.dmg" \
            "s3://$R2_BUCKET/releases/$PRODUCT_NAME-${{ steps.version.outputs.version }}.dmg" \
            --endpoint-url "$R2_ENDPOINT"

          # Upload appcast.xml to root
          aws s3 cp "$RUNNER_TEMP/appcast.xml" \
            "s3://$R2_BUCKET/appcast.xml" \
            --endpoint-url "$R2_ENDPOINT" \
            --content-type "application/xml"

          echo "Uploaded to R2 successfully"

      - name: Create GitHub Release
        uses: softprops/action-gh-release@v2
        with:
          files: ${{ runner.temp }}/${{ env.PRODUCT_NAME }}-${{ steps.version.outputs.version }}.dmg
          generate_release_notes: true
          draft: false
          prerelease: false
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

      - name: Cleanup keychain
        if: always()
        run: |
          security delete-keychain $RUNNER_TEMP/app-signing.keychain-db || true