release: staged v0.1.4 (#476) #6

release: staged v0.1.4 (#476)

release: staged v0.1.4 (#476) #6

Workflow file for this run

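# Builds, codesigns/notarizes and publishes the Staged macOS app whenever a
# `staged/v*` tag is pushed.
#
# Every multi-line shell step runs under `set -euo pipefail` (the run default
# is only `bash -e`), so an unset variable or a failed pipeline element stops
# the release instead of continuing with an empty value.
name: Staged Release

on:  # yamllint disable-line rule:truthy
  push:
    tags:
      - 'staged/v*'

env:
  CARGO_TERM_COLOR: always
  # Single build target. The cache key and bundle paths below are derived from
  # this value so they cannot drift apart.
  TAURI_TARGET: aarch64-apple-darwin

jobs:
  release:
    name: Release
    runs-on: macos-latest
    permissions:
      contents: write  # needed by `gh release create` and the publish scripts
      id-token: write  # presumably consumed by the codesign action to assume OSX_CODESIGN_ROLE — confirm
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
      - uses: cashapp/activate-hermit@e49f5cb4dd64ff0b0b659d1d8df499595451155a # v1
      - run: corepack enable pnpm
      - uses: Swatinem/rust-cache@e18b497796c12c097a38f9edb9d0641fb99eee32 # v2
        with:
          workspaces: apps/staged/src-tauri
          key: staged-release-${{ env.TAURI_TARGET }}

      # The tag is the single source of truth for the version: refuse to build
      # if package.json, tauri.conf.json or Cargo.toml disagrees with it.
      # Exposes the version as `steps.version.outputs.value` for later steps.
      - name: Validate tag matches staged versions
        id: version
        run: |
          set -euo pipefail
          TAG_VERSION="${GITHUB_REF#refs/tags/staged/v}"
          echo "value=${TAG_VERSION}" >> "${GITHUB_OUTPUT}"
          PACKAGE_VERSION="$(node -p "require('./apps/staged/package.json').version")"
          TAURI_VERSION="$(node -p "require('./apps/staged/src-tauri/tauri.conf.json').version")"
          # First `version` line of Cargo.toml, quotes stripped. sed exits 0 even
          # when nothing matches, so an absent key surfaces as a version mismatch
          # with a readable message rather than a silent pipeline failure.
          CARGO_VERSION="$(sed -n '/^version/{s/version = "//;s/"//;p;q;}' apps/staged/src-tauri/Cargo.toml)"
          if [ "$TAG_VERSION" != "$PACKAGE_VERSION" ] || [ "$TAG_VERSION" != "$TAURI_VERSION" ] || [ "$TAG_VERSION" != "$CARGO_VERSION" ]; then
            echo "::error::Tag version ($TAG_VERSION) must match package.json ($PACKAGE_VERSION), tauri.conf.json ($TAURI_VERSION), and Cargo.toml ($CARGO_VERSION)"
            exit 1
          fi

      # Fail fast, before spending build minutes, if any release secret is
      # missing from this repository. Secrets are mapped to env so the shell
      # can test them by name without echoing their values.
      - name: Validate release secrets
        env:
          STAGED_UPDATER_PUBLIC_KEY: ${{ secrets.STAGED_UPDATER_PUBLIC_KEY }}
          TAURI_SIGNING_PRIVATE_KEY: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY }}
          TAURI_SIGNING_PRIVATE_KEY_PASSWORD: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY_PASSWORD }}
          OSX_CODESIGN_ROLE: ${{ secrets.OSX_CODESIGN_ROLE }}
          CODESIGN_S3_BUCKET: ${{ secrets.CODESIGN_S3_BUCKET }}
        run: |
          set -euo pipefail
          # A space-separated string rather than an array: `${#arr[@]}` on an
          # empty array trips `set -u` on older bash releases.
          missing=""
          for name in \
            STAGED_UPDATER_PUBLIC_KEY \
            TAURI_SIGNING_PRIVATE_KEY \
            TAURI_SIGNING_PRIVATE_KEY_PASSWORD \
            OSX_CODESIGN_ROLE \
            CODESIGN_S3_BUCKET; do
            # Indirect expansion; `:-` keeps `set -u` quiet if the name is unset.
            if [ -z "${!name:-}" ]; then
              missing="${missing:+$missing }$name"
            fi
          done
          if [ -n "$missing" ]; then
            echo "::error::Missing required staged release secrets: ${missing}"
            exit 1
          fi

      - name: Install dependencies
        run: |
          set -euo pipefail
          pnpm install --frozen-lockfile
          cd apps/staged/src-tauri && cargo fetch

      # Generates src-tauri/tauri.release.conf.json with the updater public key
      # and the endpoint the app polls (the `staged-latest` alias release).
      - name: Build staged release config
        working-directory: apps/staged
        env:
          STAGED_UPDATER_PUBLIC_KEY: ${{ secrets.STAGED_UPDATER_PUBLIC_KEY }}
          STAGED_UPDATER_ENDPOINT: 'https://github.com/${{ github.repository }}/releases/download/staged-latest/latest.json'
        run: pnpm run tauri:release:config

      # Built unsigned on purpose; Apple codesigning and notarization happen in
      # the dedicated step below, and the updater signature is recreated after.
      - name: Build unsigned Tauri app
        working-directory: apps/staged
        env:
          VITE_UPDATER_ENABLED: 'true'
        run: pnpm tauri build --no-sign --target "$TAURI_TARGET" --config src-tauri/tauri.release.conf.json

      # TODO(supply-chain): pin this action to a full commit SHA like the other
      # actions above — a version tag is mutable, and this step receives the
      # codesigning role and bucket.
      - name: Codesign and Notarize
        id: codesign
        uses: block/apple-codesign-action@v1.1.0
        with:
          osx-codesign-role: ${{ secrets.OSX_CODESIGN_ROLE }}
          codesign-s3-bucket: ${{ secrets.CODESIGN_S3_BUCKET }}
          unsigned-artifact-path: apps/staged/src-tauri/target/${{ env.TAURI_TARGET }}/release/bundle/dmg/Staged_${{ steps.version.outputs.value }}_aarch64.dmg
          artifact-name: staged-${{ github.sha }}-${{ github.run_id }}-arm64

      # Swaps the unsigned DMG for the signed one, then rebuilds the updater
      # tarball from the signed .app and signs it with the Tauri updater key,
      # so the updater ships the notarized binary.
      - name: Replace DMG and rebuild updater artifacts
        working-directory: apps/staged
        env:
          SIGNED_DMG: ${{ steps.codesign.outputs.signed-dmg-path }}
          SIGNED_APP_ZIP: ${{ steps.codesign.outputs.signed-artifact-path }}
          # Same value the validation step checked against every manifest.
          VERSION: ${{ steps.version.outputs.value }}
          TAURI_SIGNING_PRIVATE_KEY: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY }}
          TAURI_SIGNING_PRIVATE_KEY_PASSWORD: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY_PASSWORD }}
        run: |
          set -euo pipefail
          BUNDLE_DIR="src-tauri/target/${TAURI_TARGET}/release/bundle"
          # Replace DMG with signed version
          cp "$SIGNED_DMG" "${BUNDLE_DIR}/dmg/Staged_${VERSION}_aarch64.dmg"
          # Extract signed .app and rebuild updater artifacts
          extract_dir="${RUNNER_TEMP}/signed-app-extract"
          mkdir -p "$extract_dir"
          ditto -x -k "$SIGNED_APP_ZIP" "$extract_dir"
          app_dir="${BUNDLE_DIR}/macos"
          rm -rf "${app_dir}/Staged.app"
          cp -R "${extract_dir}/Staged.app" "${app_dir}/Staged.app"
          # Recreate updater archive and re-sign with Tauri updater key
          rm -f "${app_dir}/Staged.app.tar.gz" "${app_dir}/Staged.app.tar.gz.sig"
          (cd "$app_dir" && tar -czf Staged.app.tar.gz Staged.app)
          pnpm tauri signer sign "${app_dir}/Staged.app.tar.gz"

      # Idempotent: a re-run of the same tag reuses the existing release.
      - name: Create GitHub Release
        env:
          GH_TOKEN: ${{ github.token }}
        run: |
          set -euo pipefail
          if gh release view "$GITHUB_REF_NAME" >/dev/null 2>&1; then
            echo "Release $GITHUB_REF_NAME already exists; skipping creation."
          else
            gh release create "$GITHUB_REF_NAME" \
              --title "Staged $GITHUB_REF_NAME" \
              --notes "See the assets to download and install this version."
          fi

      - name: Publish staged updater alias
        working-directory: apps/staged
        env:
          GH_TOKEN: ${{ github.token }}
          GITHUB_REPOSITORY: ${{ github.repository }}
        run: pnpm run release:updater:publish

      - name: Publish staged DMG alias
        working-directory: apps/staged
        env:
          GH_TOKEN: ${{ github.token }}
          GITHUB_REPOSITORY: ${{ github.repository }}
        run: pnpm run release:dmg:publish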