Skip to content
Desktop Release

Merge pull request #1541 from MODSetter/dev #32

Sign in to view logs

Merge pull request #1541 from MODSetter/dev

Merge pull request #1541 from MODSetter/dev #32

Workflow file for this run

.github/workflows/desktop-release.yml at 5b5e959
name: Desktop Release
on:
push:
tags:
- 'v*'
- 'beta-v*'
workflow_dispatch:
inputs:
version:
description: 'Version number (e.g. 0.0.15) — used for dry-run testing without a tag'
required: true
default: '0.0.0-test'
publish:
description: 'Publish to GitHub Releases'
required: true
type: choice
options:
- never
- always
default: 'never'
permissions:
contents: write
id-token: write
jobs:
build:
runs-on: ${{ matrix.os }}
strategy:
fail-fast: false
matrix:
include:
- os: macos-latest
platform: --mac
- os: ubuntu-latest
platform: --linux
- os: windows-latest
platform: --win
steps:
- name: Checkout
uses: actions/checkout@v5
- name: Extract version
id: version
shell: bash
run: |
if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then
VERSION="${{ inputs.version }}"
else
TAG=${GITHUB_REF#refs/tags/}
VERSION=${TAG#beta-}
VERSION=${VERSION#v}
fi
if ! echo "$VERSION" | grep -qE '^[0-9]+\.[0-9]+\.[0-9]+(-[a-zA-Z0-9.]+)?$'; then
echo "::error::Version '$VERSION' is not valid semver (expected X.Y.Z). Fix your tag name."
exit 1
fi
echo "VERSION=$VERSION" >> "$GITHUB_OUTPUT"
- name: Detect Windows signing eligibility
id: sign
shell: bash
run: |
# Sign Windows builds only on production v* tags (not beta-v*, not workflow_dispatch).
# This matches the single OIDC federated credential configured in Entra ID.
if [ "${{ matrix.os }}" = "windows-latest" ] \
&& [ "${{ github.event_name }}" = "push" ] \
&& [[ "$GITHUB_REF" == refs/tags/v* ]]; then
echo "enabled=true" >> "$GITHUB_OUTPUT"
echo "Windows signing: ENABLED (v* tag on windows-latest)"
else
echo "enabled=false" >> "$GITHUB_OUTPUT"
echo "Windows signing: skipped"
fi
- name: Setup pnpm
uses: pnpm/action-setup@v5
- name: Setup Node.js
uses: actions/setup-node@v5
with:
node-version: 22
cache: 'pnpm'
cache-dependency-path: |
surfsense_web/pnpm-lock.yaml
surfsense_desktop/pnpm-lock.yaml
- name: Install web dependencies
run: pnpm install
working-directory: surfsense_web
- name: Build Next.js standalone
run: pnpm build
working-directory: surfsense_web
env:
NEXT_PUBLIC_FASTAPI_BACKEND_URL: ${{ vars.HOSTED_BACKEND_URL }}
SURFSENSE_BACKEND_INTERNAL_URL: ${{ vars.HOSTED_BACKEND_URL }}
NEXT_PUBLIC_ZERO_CACHE_URL: ${{ vars.NEXT_PUBLIC_ZERO_CACHE_URL }}
NEXT_PUBLIC_DEPLOYMENT_MODE: ${{ vars.NEXT_PUBLIC_DEPLOYMENT_MODE }}
NEXT_PUBLIC_AUTH_TYPE: ${{ vars.NEXT_PUBLIC_AUTH_TYPE }}
NEXT_PUBLIC_ETL_SERVICE: ${{ vars.NEXT_PUBLIC_ETL_SERVICE }}
NEXT_PUBLIC_POSTHOG_KEY: ${{ secrets.NEXT_PUBLIC_POSTHOG_KEY }}
- name: Install desktop dependencies
run: pnpm install
working-directory: surfsense_desktop
- name: Build Electron
run: pnpm build
working-directory: surfsense_desktop
env:
HOSTED_BACKEND_URL: ${{ vars.HOSTED_BACKEND_URL }}
HOSTED_FRONTEND_URL: ${{ vars.HOSTED_FRONTEND_URL }}
GOOGLE_DESKTOP_CLIENT_ID: ${{ vars.GOOGLE_DESKTOP_CLIENT_ID }}
POSTHOG_KEY: ${{ secrets.POSTHOG_KEY }}
POSTHOG_HOST: ${{ vars.POSTHOG_HOST }}
- name: Package & Publish
shell: bash
run: |
CMD=(pnpm exec electron-builder ${{ matrix.platform }} \
--config electron-builder.yml \
--publish "${{ inputs.publish || 'always' }}" \
-c.extraMetadata.version="${{ steps.version.outputs.VERSION }}")
# node-mac-permissions is the only native dependency and is darwin-only.
# electron-builder's internal rebuild would try to node-gyp compile it on
# Windows (no Visual Studio) and Linux, so skip the rebuild there. On macOS
# the rebuild must stay enabled for per-arch (x64/arm64) builds.
if [ "${{ matrix.platform }}" != "--mac" ]; then
CMD+=(-c.npmRebuild=false)
fi
if [ "${{ steps.sign.outputs.enabled }}" = "true" ]; then
CMD+=(-c.win.azureSignOptions.publisherName="$WINDOWS_PUBLISHER_NAME")
CMD+=(-c.win.azureSignOptions.endpoint="$AZURE_CODESIGN_ENDPOINT")
CMD+=(-c.win.azureSignOptions.codeSigningAccountName="$AZURE_CODESIGN_ACCOUNT")
CMD+=(-c.win.azureSignOptions.certificateProfileName="$AZURE_CODESIGN_PROFILE")
fi
"${CMD[@]}"
working-directory: surfsense_desktop
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GOOGLE_DESKTOP_CLIENT_ID: ${{ vars.GOOGLE_DESKTOP_CLIENT_ID }}
WINDOWS_PUBLISHER_NAME: ${{ vars.WINDOWS_PUBLISHER_NAME }}
AZURE_CODESIGN_ENDPOINT: ${{ vars.AZURE_CODESIGN_ENDPOINT }}
AZURE_CODESIGN_ACCOUNT: ${{ vars.AZURE_CODESIGN_ACCOUNT }}
AZURE_CODESIGN_PROFILE: ${{ vars.AZURE_CODESIGN_PROFILE }}
# macOS Developer ID signing + notarization. Only the macos-latest runner
# consumes these; Windows/Linux runners ignore them. CSC_LINK accepts either
# a file path or a base64-encoded .p12 blob — electron-builder auto-detects.
CSC_LINK: ${{ secrets.MAC_CERT_P12_BASE64 }}
CSC_KEY_PASSWORD: ${{ secrets.MAC_CERT_PASSWORD }}
APPLE_ID: ${{ secrets.APPLE_ID }}
APPLE_APP_SPECIFIC_PASSWORD: ${{ secrets.APPLE_APP_SPECIFIC_PASSWORD }}
APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
# TEMP DEBUG — remove once the codesign hang on macos-latest is diagnosed.
# Surfaces the exact codesign / notarize commands electron-builder spawns,
# so we can see which subprocess hangs.
DEBUG: electron-builder,electron-osx-sign*,@electron/notarize*
ELECTRON_BUILDER_ALLOW_UNRESOLVED_DEPENDENCIES: "true"
# Service principal credentials for Azure.Identity EnvironmentCredential used by the
# TrustedSigning PowerShell module. Only populated when signing is enabled.
# electron-builder 26 does not yet support OIDC federated tokens for Azure signing,
# so we fall back to client-secret auth. Rotate AZURE_CLIENT_SECRET before expiry.
AZURE_TENANT_ID: ${{ steps.sign.outputs.enabled == 'true' && secrets.AZURE_TENANT_ID || '' }}
AZURE_CLIENT_ID: ${{ steps.sign.outputs.enabled == 'true' && secrets.AZURE_CLIENT_ID || '' }}
AZURE_CLIENT_SECRET: ${{ steps.sign.outputs.enabled == 'true' && secrets.AZURE_CLIENT_SECRET || '' }}