chore(version): bump 1.0.17 (cicd bugfix) #57
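---
# Builds the macOS app on every push to main, signs and notarizes it, publishes
# a GitHub release, updates the Sparkle appcast and bumps the Homebrew cask.
name: Build & Release macOS

on:
  push:
    branches:
      - main

# contents: write is required by the appcast push and the release upload.
permissions:
  contents: write

# Secrets are scoped to the steps that consume them rather than exported in a
# workflow-level env block. With a global env block every step sees the signing
# certificate, the Apple app password and the team id, including third-party
# actions and the package code executed by `flutter pub get` / `build_runner`.
# If another step turns out to need one of them, add it to that step's env.

jobs:
  release:
    runs-on: macos-latest
    steps:
      # NOTE(review): the actions below are referenced by mutable tags (@v4, @v2,
      # @v1). In a job that holds signing keys, pin each one to a full commit SHA
      # (uses: owner/action@<full-commit-sha>) so a moved tag cannot change the
      # code that runs here.
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Read version from pubspec.yaml
        id: version
        run: |
          FULL_VERSION=$(grep '^version:' pubspec.yaml | sed 's/^version:[[:space:]]*//; s/[[:space:]]*$//')
          # The version ends up in file names, sed expressions, a commit message
          # and the appcast XML, so accept only semver characters and fail early
          # on anything else (quotes, spaces, shell or XML metacharacters).
          if [[ ! "$FULL_VERSION" =~ ^[0-9A-Za-z.+-]+$ ]]; then
            echo "Unexpected version string in pubspec.yaml: $FULL_VERSION" >&2
            exit 1
          fi
          # "1.2.3+45" -> version 1.2.3, build 45
          VERSION=$(printf '%s\n' "$FULL_VERSION" | cut -d'+' -f1)
          BUILD=$(printf '%s\n' "$FULL_VERSION" | cut -d'+' -f2)
          {
            echo "version=$VERSION"
            echo "build=$BUILD"
            echo "tag=v$VERSION"
          } >> "$GITHUB_OUTPUT"

      - name: Set up Flutter
        uses: subosito/flutter-action@v2
        with:
          flutter-version: "3.38.0"
          channel: "stable"

      # Runs third-party package code; no secrets are in scope for this step.
      - name: Install dependencies & build
        run: |
          flutter clean
          flutter pub get
          dart run build_runner build -d
          flutter build macos --release

      - name: Import Apple Developer ID certificate
        env:
          APPLE_CERT_P12: ${{ secrets.APPLE_CERT_P12 }}
          APPLE_CERT_PASSWORD: ${{ secrets.APPLE_CERT_PASSWORD }}
        run: |
          # Decode the certificate outside the workspace and delete it when the
          # step ends, whether the import succeeds or not.
          CERT_PATH="$RUNNER_TEMP/cert.p12"
          trap 'rm -f "$CERT_PATH"' EXIT
          (umask 077; echo "$APPLE_CERT_P12" | base64 --decode > "$CERT_PATH")
          # One-off keychain password instead of an empty one. It is only needed
          # inside this step; the keychain stays unlocked for the signing steps.
          KEYCHAIN_PASSWORD=$(uuidgen)
          security create-keychain -p "$KEYCHAIN_PASSWORD" build.keychain
          security default-keychain -s build.keychain
          security unlock-keychain -p "$KEYCHAIN_PASSWORD" build.keychain
          security import "$CERT_PATH" \
            -k build.keychain \
            -P "$APPLE_CERT_PASSWORD" \
            -T /usr/bin/codesign
          # Let Apple-signed tools use the imported key without a UI prompt.
          security set-key-partition-list \
            -S apple-tool:,apple: \
            -s \
            -k "$KEYCHAIN_PASSWORD" build.keychain

      - name: Code sign macOS app
        env:
          APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
        run: |
          # NOTE(review): --deep applies the same options and entitlements to all
          # nested code; confirm that is intended for the embedded frameworks.
          codesign --deep --force \
            --options runtime \
            --entitlements macos/Runner/Release.entitlements \
            --sign "Developer ID Application: Thibaut Monin ($APPLE_TEAM_ID)" \
            build/macos/Build/Products/Release/OpenGit.app

      - name: Install create-dmg
        run: brew install create-dmg

      - name: Create Fancy DMG (No background)
        env:
          # Passed through the environment so the value is never parsed as shell.
          DMG_PATH: build/macos/Build/Products/Release/OpenGit-${{ steps.version.outputs.version }}.dmg
        run: |
          # Stage a clean source folder for the DMG
          mkdir -p build/dmg_source
          cp -R build/macos/Build/Products/Release/OpenGit.app build/dmg_source/
          # Build the DMG with an Applications drop link and positioned icons
          create-dmg \
            --volname "OpenGit" \
            --window-pos 200 120 \
            --window-size 500 300 \
            --icon-size 100 \
            --icon "OpenGit.app" 125 150 \
            --app-drop-link 375 150 \
            --hide-extension "OpenGit.app" \
            "$DMG_PATH" \
            "build/dmg_source/"

      - name: Code sign DMG
        env:
          APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
          DMG_PATH: build/macos/Build/Products/Release/OpenGit-${{ steps.version.outputs.version }}.dmg
        run: |
          codesign --force \
            --sign "Developer ID Application: Thibaut Monin ($APPLE_TEAM_ID)" \
            "$DMG_PATH"

      - name: Store notarization credentials
        env:
          APPLE_ID: ${{ secrets.APPLE_ID }}
          APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
          APPLE_APP_PASSWORD: ${{ secrets.APPLE_APP_PASSWORD }}
        run: |
          xcrun notarytool store-credentials "notary-profile" \
            --apple-id "$APPLE_ID" \
            --team-id "$APPLE_TEAM_ID" \
            --password "$APPLE_APP_PASSWORD"

      - name: Notarize DMG
        env:
          DMG_PATH: build/macos/Build/Products/Release/OpenGit-${{ steps.version.outputs.version }}.dmg
        run: |
          xcrun notarytool submit "$DMG_PATH" \
            --keychain-profile "notary-profile" \
            --wait

      - name: Staple notarization
        env:
          DMG_PATH: build/macos/Build/Products/Release/OpenGit-${{ steps.version.outputs.version }}.dmg
        run: |
          xcrun stapler staple "$DMG_PATH"

      - name: Install Sparkle tools (Full Distribution)
        run: |
          # --fail stops on an HTTP error instead of saving the error page.
          curl --fail --location --output sparkle.tar.xz \
            https://github.com/sparkle-project/Sparkle/releases/download/2.6.4/Sparkle-2.6.4.tar.xz
          # NOTE(review): sign_update from this archive is handed the Sparkle
          # private key in the next step, so the download should be verified
          # against a digest recorded in this file before it is unpacked, e.g.
          #   echo "<EXPECTED_SHA256_PLACEHOLDER>  sparkle.tar.xz" | shasum -a 256 -c -
          mkdir -p sparkle_dist
          tar -xf sparkle.tar.xz -C sparkle_dist
          ls -R sparkle_dist/bin
          chmod +x ./sparkle_dist/bin/sign_update

      - name: Generate Sparkle Signature & Appcast
        env:
          SPARKLE_PRIVATE_KEY_CONTENT: ${{ secrets.SPARKLE_PRIVATE_KEY }}
          VERSION: ${{ steps.version.outputs.version }}
          BUILD: ${{ steps.version.outputs.build }}
          TAG: ${{ steps.version.outputs.tag }}
        run: |
          DMG_PATH="build/macos/Build/Products/Release/OpenGit-$VERSION.dmg"
          SIGN_TOOL="./sparkle_dist/bin/sign_update"
          echo "--- Préparation de la clé ---"
          # Write the raw key to a private temp file (mktemp creates it 0600)
          # outside the workspace; the trap removes it even if signing fails.
          KEY_FILE=$(mktemp "$RUNNER_TEMP/sparkle_key.XXXXXX")
          trap 'rm -f "$KEY_FILE"' EXIT
          printf '%s\n' "$SPARKLE_PRIVATE_KEY_CONTENT" > "$KEY_FILE"
          echo "--- Tentative de signature ---"
          # Sparkle 2.x prints a line like: sparkle:edSignature="ABC..." length="12345"
          RAW_OUTPUT=$("$SIGN_TOOL" --ed-key-file "$KEY_FILE" "$DMG_PATH")
          # Keep only the signature (the quoted value after edSignature)
          SIGNATURE=$(echo "$RAW_OUTPUT" | sed -n 's/.*sparkle:edSignature="\([^"]*\)".*/\1/p')
          # Remove the private key as soon as it is no longer needed
          rm -f "$KEY_FILE"
          if [ -z "$SIGNATURE" ]; then
            echo "❌ ERREUR : Impossible d'extraire la signature du résultat."
            echo "Sortie brute du binaire : $RAW_OUTPUT"
            exit 1
          fi
          echo "✅ Signature générée avec succès : $SIGNATURE"
          # --- Generate appcast.xml ---
          # VERSION, BUILD and TAG were validated in the version step, so they
          # cannot inject markup into the XML below.
          FILE_SIZE=$(stat -f%z "$DMG_PATH")
          PUB_DATE=$(date -R)
          DOWNLOAD_URL="https://github.com/DevThibautMonin/open_git/releases/download/$TAG/OpenGit-$VERSION.dmg"
          cat <<EOF > appcast.xml
          <?xml version="1.0" encoding="utf-8"?>
          <rss version="2.0" xmlns:sparkle="http://www.andymatuschak.org/xml-namespaces/sparkle">
            <channel>
              <title>OpenGit Updates</title>
              <language>en</language>
              <item>
                <title>Version $VERSION</title>
                <pubDate>$PUB_DATE</pubDate>
                <sparkle:version>$BUILD</sparkle:version>
                <sparkle:shortVersionString>$VERSION</sparkle:shortVersionString>
                <enclosure
                  url="$DOWNLOAD_URL"
                  length="$FILE_SIZE"
                  type="application/octet-stream"
                  sparkle:edSignature="$SIGNATURE" />
              </item>
            </channel>
          </rss>
          EOF

      # NOTE(review): the appcast is published before the release exists, so if
      # the release step fails, clients are pointed at a download URL that is
      # not there yet. Consider creating the release first.
      - name: Push Appcast to Repository
        env:
          VERSION: ${{ steps.version.outputs.version }}
        run: |
          git config user.name "github-actions"
          git config user.email "github-actions@github.com"
          # Pull the latest changes first to avoid push conflicts
          git pull origin main
          git add appcast.xml
          # Commit only when something changed, so a re-run of the job does not fail
          git diff --quiet --cached || git commit -m "chore: update appcast to v$VERSION"
          git push origin main

      - name: Create GitHub Release
        uses: softprops/action-gh-release@v1
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          tag_name: ${{ steps.version.outputs.tag }}
          name: Release ${{ steps.version.outputs.version }}
          files: build/macos/Build/Products/Release/OpenGit-${{ steps.version.outputs.version }}.dmg

      - name: Compute SHA256 (Homebrew step)
        id: sha
        env:
          DMG_PATH: build/macos/Build/Products/Release/OpenGit-${{ steps.version.outputs.version }}.dmg
        run: |
          SHA=$(shasum -a 256 "$DMG_PATH" | awk '{print $1}')
          echo "sha=$SHA" >> "$GITHUB_OUTPUT"

      # The tap token is persisted in homebrew-tap/.git so the later push works.
      - name: Checkout homebrew-tap
        uses: actions/checkout@v4
        with:
          repository: DevThibautMonin/homebrew-tap
          token: ${{ secrets.HOMEBREW_TAP_TOKEN }}
          path: homebrew-tap

      - name: Update Homebrew cask
        env:
          VERSION: ${{ steps.version.outputs.version }}
          SHA: ${{ steps.sha.outputs.sha }}
        run: |
          CASK_FILE=homebrew-tap/Casks/opengit.rb
          # BSD sed: -i '' edits in place without a backup file.
          sed -i '' "s/version \".*\"/version \"$VERSION\"/" "$CASK_FILE"
          sed -i '' "s/sha256 \".*\"/sha256 \"$SHA\"/" "$CASK_FILE"

      - name: Show Homebrew cask diff
        run: |
          cd homebrew-tap
          git diff || true

      - name: Commit and push cask update
        env:
          VERSION: ${{ steps.version.outputs.version }}
        run: |
          cd homebrew-tap
          git config user.name "github-actions"
          git config user.email "github-actions@github.com"
          git add Casks/opengit.rb
          # Nothing staged means the cask already has this version; stop cleanly.
          if git diff --quiet --cached; then
            echo "No changes to commit"
            exit 0
          fi
          git commit -m "chore(cask): update opengit to v$VERSION"
          git push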