# This workflow relies on actions/cache to store the hak dependency artifacts as they take a long time to build # Due to this extra care must be taken to only ever run all build_* scripts against the same branch to ensure # the correct cache scoping, and additional care must be taken to not run untrusted actions on the develop branch. on: workflow_call: secrets: APPLE_ID: required: false APPLE_ID_PASSWORD: required: false APPLE_TEAM_ID: required: false APPLE_CSC_KEY_PASSWORD: required: false APPLE_CSC_LINK: required: false inputs: version: type: string required: false description: "Version string to override the one in package.json, used for non-release builds" sign: type: string required: false description: "Whether to sign & notarise the build, requires 'packages.element.io' environment" deploy-mode: type: boolean required: false description: "Whether to arrange artifacts in the arrangement needed for deployment, skipping unrelated ones" base-url: type: string required: false description: "The URL to which the output will be deployed, required if deploy-mode is enabled." jobs: build: runs-on: macos-latest environment: ${{ inputs.sign && 'packages.element.io' || '' }} steps: - uses: actions/checkout@v3 - uses: actions/download-artifact@v3 with: name: webapp - name: Cache .hak id: cache uses: actions/cache@v3 with: key: ${{ runner.os }}-${{ hashFiles('hakHash', 'electronVersion') }} path: | ./.hak - name: Install Rust if: steps.cache.outputs.cache-hit != 'true' uses: actions-rs/toolchain@v1 with: default: true toolchain: stable target: aarch64-apple-darwin - uses: actions/setup-node@v3 with: cache: "yarn" # Does not need branch matching as only analyses this layer - name: Install Deps run: "yarn install --frozen-lockfile" - name: Build Natives if: steps.cache.outputs.cache-hit != 'true' run: "yarn build:native:universal" - name: "[Nightly] Resolve version" id: nightly if: inputs.version != '' run: | echo "config-args=--nightly '${{ inputs.version }}'" >> $GITHUB_OUTPUT # We split these because electron-builder gets upset if we set CSC_LINK even to an empty string - name: "[Signed] Build App" if: inputs.sign != '' run: | scripts/generate-builder-config.ts ${{ steps.nightly.outputs.config-args }} --notarytool-team-id='${{ secrets.APPLE_TEAM_ID }}' yarn build:universal --publish never --config electron-builder.json env: APPLE_ID: ${{ secrets.APPLE_ID }} APPLE_APP_SPECIFIC_PASSWORD: ${{ secrets.APPLE_ID_PASSWORD }} CSC_KEY_PASSWORD: ${{ secrets.APPLE_CSC_KEY_PASSWORD }} CSC_LINK: ${{ secrets.APPLE_CSC_LINK }} - name: Check app was signed & notarised successfully if: inputs.sign != '' run: | hdiutil attach dist/*.dmg codesign -dv --verbose=4 /Volumes/Element*/*.app spctl -a -vvv -t install /Volumes/Element*/*.app hdiutil detach /Volumes/Element* - name: "[Unsigned] Build App" if: inputs.sign == '' run: | scripts/generate-builder-config.ts ${{ steps.nightly.outputs.config-args }} yarn build:universal --publish never --config electron-builder.json env: CSC_IDENTITY_AUTO_DISCOVERY: false - name: Prepare artifacts for deployment if: inputs.deploy-mode run: | mv dist _dist mkdir -p dist/install/macos dist/update/macos mv _dist/*-mac.zip dist/update/macos/ mv _dist/*.dmg dist/install/macos/ PKG_JSON_VERSION=$(cat package.json | jq -r .version) LATEST=$(find dist -type f -iname "*-mac.zip" | xargs -0 -n1 -- basename) # Encode spaces in the URL as Squirrel.Mac complains about bad JSON otherwise URL="${{ inputs.base-url }}/update/macos/${LATEST// /%20}" jq -n --arg version "${VERSION:-$PKG_JSON_VERSION}" --arg url "$URL" ' { currentRelease: $version, releases: [{ version: $version, updateTo: { version: $version, url: $url, }, }], } ' > dist/update/macos/releases.json jq -n --arg url "$URL" ' { url: $url } ' > dist/update/macos/releases-legacy.json env: VERSION: ${{ inputs.version }} # We don't wish to store the installer for every nightly ever, so we only keep the latest - name: "[Nightly] Strip version from installer file" if: inputs.deploy-mode && inputs.version != '' run: | mv dist/install/macos/*.dmg "dist/install/macos/Element Nightly.dmg" - name: "[Release] Prepare release latest symlink" if: inputs.deploy-mode && inputs.version == '' run: | ln -s "$(find . -type f -iname "*.dmg" | xargs -0 -n1 -- basename)" "Element.dmg" working-directory: "dist/install/macos" # We exclude mac-universal as the unpacked app takes forever to upload and zip and dmg already contain it - name: Upload Artifacts uses: actions/upload-artifact@v3 with: name: ${{ inputs.deploy-mode && 'packages.element.io' || 'macos' }} path: | dist !dist/mac-universal/** retention-days: 1