algorandfoundation · PatrickDinh · Jan 22, 2025 · Jan 22, 2025
diff --git a/.github/actions/build-linux/action.yaml b/.github/actions/build-linux/action.yaml
@@ -1,18 +1,46 @@
 name: 'Build for Linux'
 description: 'Build for Linux'
 inputs:
+  production-release:
+    description: 'Whether this is a production release'
+    required: true
   release-version:
     description: 'The release version'
+    required: true
+  release-tag:
+    description: 'The release tag'
+    required: true
+  crabnebula-release-id:
+    description: 'The CrabNebula release ID'
+    required: true
+  tauri-signing-private-key:
+    description: 'The Tauri signing private key'
+    required: true
+  tauri-signing-private-key-password:
+    description: 'The Tauri signing private key password'
+    required: true
+  tauri-signing-public-key:
+    description: 'The Tauri signing public key'
+    required: true
+  crabnebula-org-name:
+    description: 'The CrabNebula org name'
+    required: true
+  crabnebula-app-name:
+    description: 'The CrabNebula app name'
+    required: true
+  crabnebula-api-key:
+    description: 'The CrabNebula API key'
+    required: true
+  appimage-signing-private-key:
+    description: 'The AppImage signing private key'
+    required: true
+  appimage-signing-private-key-password:
+    description: 'The AppImage signing private key password'
+    required: true
 
 runs:
   using: 'composite'
   steps:
-    - name: Get artifact name
-      id: set-env
-      run: |
-        echo "artifact_name=algokit-lora-linux-${{ runner.arch }}" >> $GITHUB_OUTPUT
-      shell: bash
-
     - name: Install dependencies
       run: |
         sudo apt-get update
@@ -24,42 +52,49 @@ runs:
           libxdo-dev \
           libssl-dev \
           libayatana-appindicator3-dev \
-          librsvg2-dev
+          librsvg2-dev \
+          gnupg2
       shell: bash
 
-    - name: Bump version in tauri.conf.json
+    - name: Setup tauri.conf.json
       if: ${{ inputs.release-version != '' }}
       run: |
-        sed -i "s/\"version\": \"0.0.0\"/\"version\": \"${{ inputs.release-version }}\"/g" "src-tauri/tauri.conf.json"
+        sed -i "s/\"version\": \"0.1.0\"/\"version\": \"${{ inputs.release-version }}\"/g" "src-tauri/tauri.conf.json"
+        sed -i "s/\"createUpdaterArtifacts\": false/\"createUpdaterArtifacts\": true/g" "src-tauri/tauri.conf.json"
+        sed -i "s/CN_ORG_NAME/${{ inputs.crabnebula-org-name }}/g" "src-tauri/tauri.conf.json"
+        sed -i "s/CN_APP_NAME/${{ inputs.crabnebula-app-name }}/g" "src-tauri/tauri.conf.json"
+        sed -i "s/CN_CHANNEL/${{ inputs.production-release != 'true' && '?channel=beta' || '' }}/g" "src-tauri/tauri.conf.json"
+        sed -i "s/TAURI_SIGNING_PUBLIC_KEY/${{ inputs.tauri-signing-public-key }}/g" "src-tauri/tauri.conf.json"
       shell: bash
 
-    - name: Build tauri app
+    - name: Import AppImage signing key
       run: |
-        npm run tauri build
+        echo "${{ inputs.appimage-signing-private-key }}" > appimage.key
+        gpg2 --batch --passphrase ${{ inputs.appimage-signing-private-key-password }} --import appimage.key
       shell: bash
 
-    - name: Create icons and desktop file
-      run: |
-        chmod +x ./scripts/snap/create-desktop-file.sh
-        ./scripts/snap/create-desktop-file.sh ${{ github.workspace }}/src-tauri/target/release
-        cp ${{ github.workspace }}/src-tauri/icons ${{ github.workspace }}/src-tauri/target/release/icons -r
-      shell: bash
-
-    - name: Zip to preserve permissions
+    - name: Build tauri app
       run: |
-        cd src-tauri/target/release
-        tar -czvf ${{ github.workspace }}/${{ steps.set-env.outputs.artifact_name }}.tar.gz --exclude=bundle --exclude=build --exclude=deps .
+        npm run tauri build -- --bundles appimage
       shell: bash
+      env:
+        TAURI_SIGNING_PRIVATE_KEY: ${{ inputs.tauri-signing-private-key }}
+        TAURI_SIGNING_PRIVATE_KEY_PASSWORD: ${{ inputs.tauri-signing-private-key-password }}
+        SIGN: 1
+        APPIMAGETOOL_SIGN_PASSPHRASE: ${{ inputs.appimage-signing-private-key-password }}
+        APPIMAGETOOL_FORCE_SIGN: 1
 
-    - name: Upload binary as artifact
-      id: upload-artifact
-      uses: actions/upload-artifact@v4
+    - name: Upload artifacts to release
+      uses: softprops/action-gh-release@v1
       with:
-        if-no-files-found: error
-        name: ${{ steps.set-env.outputs.artifact_name }}
-        path: ${{ github.workspace }}/${{ steps.set-env.outputs.artifact_name }}.tar.gz
+        fail_on_unmatched_files: true
+        files: |
+          src-tauri/target/release/bundle/appimage/algokit-lora*.AppImage
+        tag_name: ${{ inputs.release-tag }}
+        prerelease: ${{ inputs.production-release != 'true' }}
 
-outputs:
-  artifact-name:
-    description: 'The name of the artifact'
-    value: ${{ steps.set-env.outputs.artifact_name }}.tar.gz
+    - name: Upload artifacts to CrabNebula
+      uses: crabnebula-dev/[email protected]
+      with:
+        command: release upload "${{ inputs.crabnebula-org-name }}/${{ inputs.crabnebula-app-name }}" --framework tauri ${{ inputs.production-release != 'true' && '--channel beta' || '' }}
+        api-key: ${{ inputs.crabnebula-api-key }}
diff --git a/.github/actions/build-mac/action.yaml b/.github/actions/build-mac/action.yaml
@@ -2,37 +2,117 @@ name: 'Build for Mac'
 description: 'Build for Mac'
 inputs:
   production-release:
-    description: 'Production release?'
+    description: 'Whether this is a production release'
     required: true
   release-version:
     description: 'The release version'
+    required: true
+  release-tag:
+    description: 'The release tag'
+    required: true
+  crabnebula-release-id:
+    description: 'The CrabNebula release ID'
+    required: true
+  apple-certificate:
+    description: 'The Apple certificate'
+    required: true
+  apple-certificate-password:
+    description: 'The Apple certificate password'
+    required: true
+  keychain-password:
+    description: 'The keychain password'
+    required: true
+  apple-id:
+    description: 'The Apple ID'
+    required: true
+  apple-password:
+    description: 'The Apple password'
+    required: true
+  apple-team-id:
+    description: 'The Apple team ID'
+    required: true
+  tauri-signing-private-key:
+    description: 'The Tauri signing private key'
+    required: true
+  tauri-signing-private-key-password:
+    description: 'The Tauri signing private key password'
+    required: true
+  tauri-signing-public-key:
+    description: 'The Tauri signing public key'
+    required: true
+  crabnebula-org-name:
+    description: 'The CrabNebula org name'
+    required: true
+  crabnebula-app-name:
+    description: 'The CrabNebula app name'
+    required: true
+  crabnebula-api-key:
+    description: 'The CrabNebula API key'
+    required: true
 
 runs:
   using: 'composite'
   steps:
-    #  TODO: set up signing certs here when releasing to production
-
-    - name: Get artifact name
-      id: set-env
+    - name: Import Apple Developer Certificate
+      env:
+        APPLE_CERTIFICATE: ${{ inputs.apple-certificate }}
+        APPLE_CERTIFICATE_PASSWORD: ${{ inputs.apple-certificate-password }}
+        KEYCHAIN_PASSWORD: ${{ inputs.keychain-password }}
+      shell: bash
       run: |
-        echo "artifact_name=algokit-lora-mac-${{ runner.arch }}" >> $GITHUB_OUTPUT
+        echo $APPLE_CERTIFICATE | base64 --decode > certificate.p12
+        security create-keychain -p "$KEYCHAIN_PASSWORD" build.keychain
+        security default-keychain -s build.keychain
+        security unlock-keychain -p "$KEYCHAIN_PASSWORD" build.keychain
+        security set-keychain-settings -t 3600 -u build.keychain
+        security import certificate.p12 -k build.keychain -P "$APPLE_CERTIFICATE_PASSWORD" -T /usr/bin/codesign
+        security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$KEYCHAIN_PASSWORD" build.keychain
+        security find-identity -v -p codesigning build.keychain
+
+    - name: Verify Certificate
       shell: bash
+      run: |
+        CERT_INFO=$(security find-identity -v -p codesigning build.keychain | grep "Developer ID Application")
+        CERT_ID=$(echo "$CERT_INFO" | awk -F'"' '{print $2}')
+        echo "CERT_ID=$CERT_ID" >> $GITHUB_ENV
+        echo "Certificate imported."
 
-    - name: Bump version in tauri.conf.json
+    - name: Setup tauri.conf.json
       if: ${{ inputs.release-version != '' }}
       run: |
-        sed -i '' "s/\"version\": \"0.0.0\"/\"version\": \"${{ inputs.release-version }}\"/g" "src-tauri/tauri.conf.json"
+        sed -i '' "s/\"version\": \"0.1.0\"/\"version\": \"${{ inputs.release-version }}\"/g" "src-tauri/tauri.conf.json"
+        sed -i '' "s/\"createUpdaterArtifacts\": false/\"createUpdaterArtifacts\": true/g" "src-tauri/tauri.conf.json"
+        sed -i '' "s/CN_ORG_NAME/${{ inputs.crabnebula-org-name }}/g" "src-tauri/tauri.conf.json"
+        sed -i '' "s/CN_APP_NAME/${{ inputs.crabnebula-app-name }}/g" "src-tauri/tauri.conf.json"
+        sed -i '' "s/CN_CHANNEL/${{ inputs.production-release != 'true' && '?channel=beta' || '' }}/g" "src-tauri/tauri.conf.json"
+        sed -i '' "s/TAURI_SIGNING_PUBLIC_KEY/${{ inputs.tauri-signing-public-key }}/g" "src-tauri/tauri.conf.json"
       shell: bash
 
     - name: Build tauri app
       run: |
         npm run tauri build
       shell: bash
+      env:
+        APPLE_CERTIFICATE: ${{ inputs.apple-certificate }}
+        APPLE_CERTIFICATE_PASSWORD: ${{ inputs.apple-certificate-password }}
+        APPLE_SIGNING_IDENTITY: ${{ env.CERT_ID }}
+        APPLE_ID: ${{ inputs.apple-id }}
+        APPLE_PASSWORD: ${{ inputs.apple-password }}
+        APPLE_TEAM_ID: ${{ inputs.apple-team-id }}
+        TAURI_SIGNING_PRIVATE_KEY: ${{ inputs.tauri-signing-private-key }}
+        TAURI_SIGNING_PRIVATE_KEY_PASSWORD: ${{ inputs.tauri-signing-private-key-password }}
+
+    - name: Upload artifacts to release
+      uses: softprops/action-gh-release@v1
+      with:
+        fail_on_unmatched_files: true
+        files: |
+          src-tauri/target/release/bundle/dmg/algokit-lora_*.dmg
+        tag_name: ${{ inputs.release-tag }}
+        prerelease: ${{ inputs.production-release != 'true' }}
 
-    - name: Upload binary as artifact
-      id: upload-artifact
-      uses: actions/upload-artifact@v4
+    - name: Upload artifacts to CrabNebula
+      uses: crabnebula-dev/[email protected]
       with:
-        if-no-files-found: error
-        name: ${{ steps.set-env.outputs.artifact_name }}
-        path: src-tauri/target/release/bundle/dmg/algokit-lora_*.dmg
+        command: release upload "${{ inputs.crabnebula-org-name }}/${{ inputs.crabnebula-app-name }}" --framework tauri ${{ inputs.production-release != 'true' && '--channel beta' || '' }}
+        api-key: ${{ inputs.crabnebula-api-key }}
diff --git a/.github/actions/build-windows/action.yaml b/.github/actions/build-windows/action.yaml
@@ -2,12 +2,16 @@ name: 'Build for Windows'
 description: 'Build for Windows'
 inputs:
   production-release:
-    description: 'Production release?'
+    description: 'Whether this is a production release'
     required: true
   release-version:
     description: 'The release version'
-  package_name:
-    description: 'The name of the package'
+    required: true
+  release-tag:
+    description: 'The release tag'
+    required: true
+  crabnebula-release-id:
+    description: 'The CrabNebula release ID'
     required: true
   azure_tenant_id:
     description: 'The Microsoft Entra tenant (directory) ID.'
@@ -18,23 +22,39 @@ inputs:
   azure_client_secret:
     description: 'A client secret that was generated for the App Registration.'
     required: true
+  tauri-signing-private-key:
+    description: 'The Tauri signing private key'
+    required: true
+  tauri-signing-private-key-password:
+    description: 'The Tauri signing private key password'
+    required: true
+  tauri-signing-public-key:
+    description: 'The Tauri signing public key'
+    required: true
+  crabnebula-org-name:
+    description: 'The CrabNebula org name'
+    required: true
+  crabnebula-app-name:
+    description: 'The CrabNebula app name'
+    required: true
+  crabnebula-api-key:
+    description: 'The CrabNebula API key'
+    required: true
 
 runs:
   using: 'composite'
   steps:
-    - name: Get artifact name
-      id: set-env
-      run: |
-        echo "artifact_name=algokit-lora-windows-${{ runner.arch }}" >> $GITHUB_OUTPUT
-      shell: bash
-
-    - name: Bump version in tauri.conf.json and Cargo files
+    - name: Setup tauri.conf.json
       if: ${{ inputs.release-version != '' }}
       run: |
-        version="${{ inputs.release-version }}"
-        sed -i "s/\"version\": \"0.0.0\"/\"version\": \"$version\"/g" "src-tauri/tauri.conf.json"
-        sed -i "s/version = \"0.0.0\"/version = \"$version\"/g" "src-tauri/Cargo.toml"
-        sed -i "s/version = \"0.0.0\"/version = \"$version\"/g" "src-tauri/Cargo.lock"
+        input_version="${{ inputs.release-version }}"
+        version="${input_version/beta./""}"
+        sed -i "s/\"version\": \"0.1.0\"/\"version\": \"$version\"/g" "src-tauri/tauri.conf.json"
+        sed -i "s/\"createUpdaterArtifacts\": false/\"createUpdaterArtifacts\": true/g" "src-tauri/tauri.conf.json"
+        sed -i "s/CN_ORG_NAME/${{ inputs.crabnebula-org-name }}/g" "src-tauri/tauri.conf.json"
+        sed -i "s/CN_APP_NAME/${{ inputs.crabnebula-app-name }}/g" "src-tauri/tauri.conf.json"
+        sed -i "s/CN_CHANNEL/${{ inputs.production-release != 'true' && '?channel=beta' || '' }}/g" "src-tauri/tauri.conf.json"
+        sed -i "s/TAURI_SIGNING_PUBLIC_KEY/${{ inputs.tauri-signing-public-key }}/g" "src-tauri/tauri.conf.json"
       shell: bash
 
     # Create a dummy file to sign, so we can install the signing tools without any errors
@@ -76,6 +96,8 @@ runs:
         AZURE_TENANT_ID: ${{ inputs.azure_tenant_id }}
         AZURE_CLIENT_ID: ${{ inputs.azure_client_id }}
         AZURE_CLIENT_SECRET: ${{ inputs.azure_client_secret }}
+        TAURI_SIGNING_PRIVATE_KEY: ${{ inputs.tauri-signing-private-key }}
+        TAURI_SIGNING_PRIVATE_KEY_PASSWORD: ${{ inputs.tauri-signing-private-key-password }}
       run: |
         npm run tauri build
       shell: pwsh
@@ -95,9 +117,18 @@ runs:
         timestamp-rfc3161: http://timestamp.acs.microsoft.com
         timestamp-digest: SHA256
 
-    - name: Upload installer artifact
-      uses: actions/upload-artifact@v4
+    - name: Upload artifacts to release
+      uses: softprops/action-gh-release@v1
+      with:
+        fail_on_unmatched_files: true
+        files: |
+          src-tauri/target/release/bundle/msi/algokit-lora*.msi
+          src-tauri/target/release/bundle/nsis/algokit-lora*.exe
+        tag_name: ${{ inputs.release-tag }}
+        prerelease: ${{ inputs.production-release != 'true' }}
+
+    - name: Upload artifacts to CrabNebula
+      uses: crabnebula-dev/[email protected]
       with:
-        if-no-files-found: error
-        name: ${{ steps.set-env.outputs.artifact_name }}
-        path: ${{ github.workspace }}\src-tauri\target\release\bundle\msi\algokit-lora*.msi
+        command: release upload "${{ inputs.crabnebula-org-name }}/${{ inputs.crabnebula-app-name }}" "${{ inputs.crabnebula-release-id }}" --framework tauri ${{ inputs.production-release != 'true' && '--channel beta' || '' }}
+        api-key: ${{ inputs.crabnebula-api-key }}
diff --git a/.github/actions/create-release/action.yaml b/.github/actions/create-release/action.yaml
@@ -39,23 +39,15 @@ runs:
 
     - name: Get next version (dry run)
       id: get-next-version
-      run: npx semantic-release --dry-run
+      run: npx semantic-release --dry-run ${{ inputs.production-release == 'true' && '--branches main' || '' }}
       env:
         GITHUB_TOKEN: ${{ inputs.github-token }}
       shell: bash
 
-    - name: Create release - beta
-      if: ${{ inputs.production-release != 'true' }}
+    - name: Create release ${{ inputs.production-release == 'true' && '' || 'beta' }}
       env:
         GITHUB_TOKEN: ${{ inputs.github-token }}
-      run: 'npx semantic-release'
-      shell: bash
-
-    - name: Create release
-      if: ${{ inputs.production-release == 'true' }}
-      env:
-        GITHUB_TOKEN: ${{ inputs.github-token }}
-      run: 'npx semantic-release --branches main'
+      run: npx semantic-release ${{ inputs.production-release == 'true' && '--branches main' || '' }}
       shell: bash
 
     - name: Get release tag
@@ -73,6 +65,6 @@ runs:
           const { data } = await github.rest.repos.getReleaseByTag({
             owner: context.repo.owner,
             repo: context.repo.repo,
-            tag: "${{ steps.get-release-tag.outputs.release-tag }}"
+            tag: "${{ steps.get-next-version.outputs.new-release-git-tag }}"
           })
           return data.id