fix: remove signing key password from workflow (key has no password) #20
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Release | |
| on: | |
| push: | |
| branches: | |
| - stable | |
| permissions: | |
| contents: write | |
| jobs: | |
| build-macos: | |
| runs-on: macos-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Setup Node | |
| uses: actions/setup-node@v4 | |
| with: | |
| node-version: 22 | |
| - name: Setup pnpm | |
| uses: pnpm/action-setup@v4 | |
| with: | |
| version: 10 | |
| - name: Install Rust | |
| uses: dtolnay/rust-toolchain@stable | |
| - name: Install dependencies | |
| run: pnpm install | |
| - name: Build Tauri app | |
| uses: tauri-apps/tauri-action@v0 | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| TAURI_SIGNING_PRIVATE_KEY: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY }} | |
| with: | |
| tagName: 'v__VERSION__' | |
| releaseName: 'Cortex v__VERSION__' | |
| releaseBody: | | |
| ## Cortex v__VERSION__ | |
| Download the `.dmg` file below to install on macOS. | |
| --- | |
| > **macOS Gatekeeper Warning** | |
| > If you see *"Cortex is damaged and can't be opened"*, run the following command in Terminal after moving the app to your Applications folder: | |
| > ``` | |
| > xattr -dr com.apple.quarantine /Applications/Cortex.app | |
| > ``` | |
| > This happens because the app is not yet signed with an Apple Developer certificate. The app is safe to use. | |
| releaseDraft: false | |
| prerelease: false | |
| - name: Sign and upload updater manifest | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| TAURI_SIGNING_PRIVATE_KEY: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY }} | |
| run: | | |
| VERSION=$(python3 -c "import json; print(json.load(open('src-tauri/tauri.conf.json'))['version'])") | |
| TAR_GZ="src-tauri/target/release/bundle/macos/Cortex.app.tar.gz" | |
| if [ ! -f "$TAR_GZ" ]; then | |
| echo "Bundle not found at $TAR_GZ" | |
| exit 1 | |
| fi | |
| # Sign manually using tauri signer | |
| echo "$TAURI_SIGNING_PRIVATE_KEY" > /tmp/cortex.key | |
| pnpm tauri signer sign --private-key-path /tmp/cortex.key "$TAR_GZ" | |
| rm /tmp/cortex.key | |
| SIG=$(cat "${TAR_GZ}.sig") | |
| UPDATE_URL="https://github.com/${{ github.repository }}/releases/download/v${VERSION}/Cortex_aarch64.app.tar.gz" | |
| PUB_DATE=$(date -u +"%Y-%m-%dT%H:%M:%SZ") | |
| python3 -c " | |
| import json | |
| sig = open('${TAR_GZ}.sig').read().strip() | |
| data = { | |
| 'version': '${VERSION}', | |
| 'notes': '', | |
| 'pub_date': '${PUB_DATE}', | |
| 'platforms': { | |
| 'darwin-aarch64': { | |
| 'signature': sig, | |
| 'url': '${UPDATE_URL}' | |
| } | |
| } | |
| } | |
| print(json.dumps(data, indent=2)) | |
| " > latest.json | |
| gh release upload "v${VERSION}" latest.json --clobber |