Merge pull request #1285 from MODSetter/dev #14

Workflow file for this run

.github/workflows/desktop-release.yml at e421342

	name: Desktop Release

	on:
	push:
	tags:
	- 'v*'
	- 'beta-v*'
	workflow_dispatch:
	inputs:
	version:
	description: 'Version number (e.g. 0.0.15) — used for dry-run testing without a tag'
	required: true
	default: '0.0.0-test'
	publish:
	description: 'Publish to GitHub Releases'
	required: true
	type: choice
	options:
	- never
	- always
	default: 'never'

	permissions:
	contents: write
	id-token: write

	jobs:
	build:
	runs-on: ${{ matrix.os }}
	strategy:
	fail-fast: false
	matrix:
	include:
	- os: macos-latest
	platform: --mac
	- os: ubuntu-latest
	platform: --linux
	- os: windows-latest
	platform: --win

	steps:
	- name: Checkout
	uses: actions/checkout@v5

	- name: Extract version
	id: version
	shell: bash
	run: \|
	if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then
	VERSION="${{ inputs.version }}"
	else
	TAG=${GITHUB_REF#refs/tags/}
	VERSION=${TAG#beta-}
	VERSION=${VERSION#v}
	fi
	if ! echo "$VERSION" \| grep -qE '^[0-9]+\.[0-9]+\.[0-9]+(-[a-zA-Z0-9.]+)?$'; then
	echo "::error::Version '$VERSION' is not valid semver (expected X.Y.Z). Fix your tag name."
	exit 1
	fi
	echo "VERSION=$VERSION" >> "$GITHUB_OUTPUT"

	- name: Detect Windows signing eligibility
	id: sign
	shell: bash
	run: \|
	# Sign Windows builds only on production v* tags (not beta-v*, not workflow_dispatch).
	# This matches the single OIDC federated credential configured in Entra ID.
	if [ "${{ matrix.os }}" = "windows-latest" ] \
	&& [ "${{ github.event_name }}" = "push" ] \
	&& [[ "$GITHUB_REF" == refs/tags/v* ]]; then
	echo "enabled=true" >> "$GITHUB_OUTPUT"
	echo "Windows signing: ENABLED (v* tag on windows-latest)"
	else
	echo "enabled=false" >> "$GITHUB_OUTPUT"
	echo "Windows signing: skipped"
	fi

	- name: Azure login (for Windows signing)
	if: steps.sign.outputs.enabled == 'true'
	uses: azure/login@v2
	with:
	client-id: ${{ secrets.AZURE_CLIENT_ID }}
	tenant-id: ${{ secrets.AZURE_TENANT_ID }}
	subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}

	- name: Fetch GitHub OIDC token for Azure signing SDK
	if: steps.sign.outputs.enabled == 'true'
	id: oidc
	shell: pwsh
	run: \|
	$token = (Invoke-RestMethod -Headers @{Authorization = "bearer $env:ACTIONS_ID_TOKEN_REQUEST_TOKEN"} `
	-Uri "$env:ACTIONS_ID_TOKEN_REQUEST_URL&audience=api://AzureADTokenExchange").value
	Write-Output "::add-mask::$token"
	"token=$token" \| Out-File -FilePath $env:GITHUB_OUTPUT -Encoding utf8 -Append

	- name: Setup pnpm
	uses: pnpm/action-setup@v5

	- name: Setup Node.js
	uses: actions/setup-node@v5
	with:
	node-version: 22
	cache: 'pnpm'
	cache-dependency-path: \|
	surfsense_web/pnpm-lock.yaml
	surfsense_desktop/pnpm-lock.yaml

	- name: Install web dependencies
	run: pnpm install
	working-directory: surfsense_web

	- name: Build Next.js standalone
	run: pnpm build
	working-directory: surfsense_web
	env:
	NEXT_PUBLIC_FASTAPI_BACKEND_URL: ${{ vars.NEXT_PUBLIC_FASTAPI_BACKEND_URL }}
	NEXT_PUBLIC_ZERO_CACHE_URL: ${{ vars.NEXT_PUBLIC_ZERO_CACHE_URL }}
	NEXT_PUBLIC_DEPLOYMENT_MODE: ${{ vars.NEXT_PUBLIC_DEPLOYMENT_MODE }}
	NEXT_PUBLIC_FASTAPI_BACKEND_AUTH_TYPE: ${{ vars.NEXT_PUBLIC_FASTAPI_BACKEND_AUTH_TYPE }}
	NEXT_PUBLIC_POSTHOG_KEY: ${{ secrets.NEXT_PUBLIC_POSTHOG_KEY }}

	- name: Install desktop dependencies
	run: pnpm install
	working-directory: surfsense_desktop

	- name: Build Electron
	run: pnpm build
	working-directory: surfsense_desktop
	env:
	HOSTED_FRONTEND_URL: ${{ vars.HOSTED_FRONTEND_URL }}
	POSTHOG_KEY: ${{ secrets.POSTHOG_KEY }}
	POSTHOG_HOST: ${{ vars.POSTHOG_HOST }}

	- name: Package & Publish
	shell: bash
	run: \|
	CMD=(pnpm exec electron-builder ${{ matrix.platform }} \
	--config electron-builder.yml \
	--publish "${{ inputs.publish \|\| 'always' }}" \
	-c.extraMetadata.version="${{ steps.version.outputs.VERSION }}")

	if [ "${{ steps.sign.outputs.enabled }}" = "true" ]; then
	CMD+=(-c.win.azureSignOptions.publisherName="$WINDOWS_PUBLISHER_NAME")
	CMD+=(-c.win.azureSignOptions.endpoint="$AZURE_CODESIGN_ENDPOINT")
	CMD+=(-c.win.azureSignOptions.codeSigningAccountName="$AZURE_CODESIGN_ACCOUNT")
	CMD+=(-c.win.azureSignOptions.certificateProfileName="$AZURE_CODESIGN_PROFILE")
	fi

	"${CMD[@]}"
	working-directory: surfsense_desktop
	env:
	GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
	WINDOWS_PUBLISHER_NAME: ${{ vars.WINDOWS_PUBLISHER_NAME }}
	AZURE_CODESIGN_ENDPOINT: ${{ vars.AZURE_CODESIGN_ENDPOINT }}
	AZURE_CODESIGN_ACCOUNT: ${{ vars.AZURE_CODESIGN_ACCOUNT }}
	AZURE_CODESIGN_PROFILE: ${{ vars.AZURE_CODESIGN_PROFILE }}
	# Env vars for Azure.Identity EnvironmentCredential used by the TrustedSigning PowerShell module.
	# Only populated when signing is enabled; harmless when empty otherwise.
	AZURE_TENANT_ID: ${{ steps.sign.outputs.enabled == 'true' && secrets.AZURE_TENANT_ID \|\| '' }}
	AZURE_CLIENT_ID: ${{ steps.sign.outputs.enabled == 'true' && secrets.AZURE_CLIENT_ID \|\| '' }}
	AZURE_FEDERATED_TOKEN: ${{ steps.oidc.outputs.token }}

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Merge pull request #1285 from MODSetter/dev #14

Workflow file

Merge pull request #1285 from MODSetter/dev #14

Uh oh!

Workflow file for this run