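# This workflow relies on actions/cache to store the hak dependency artifacts as they take a long time to build.
# Due to this extra care must be taken to only ever run all build_* scripts against the same branch to ensure
# the correct cache scoping, and additional care must be taken to not run untrusted actions on the develop branch.
#
# Security notes (review):
# - The restored .hak cache is linked into the signed build, so a poisoned cache entry is code injection into a
#   release artifact. The cache key is an exact hash match with no `restore-keys` fallback; keep it that way.
# - Third-party actions are pinned to major tags only (`@v4` / `@v5`), which trusts the tag to stay honest.
#   Pinning to full commit SHAs is the stronger option; no SHA was verified at review time so tags are kept.
# - Workflow inputs are handed to shell steps via `env:` rather than `${{ }}` interpolation inside `run:`,
#   so a crafted value is an opaque string to the shell instead of part of the command line.
on:
  workflow_call:
    secrets:
      APPLE_ID:
        required: false
      APPLE_ID_PASSWORD:
        required: false
      APPLE_TEAM_ID:
        required: false
      APPLE_CSC_KEY_PASSWORD:
        required: false
      APPLE_CSC_LINK:
        required: false
    inputs:
      version:
        type: string
        required: false
        description: "Version string to override the one in package.json, used for non-release builds"
      sign:
        type: string
        required: false
        description: "Whether to sign & notarise the build, requires 'packages.element.io' environment"
      base-url:
        type: string
        required: false
        description: "The URL to which the output will be deployed."

jobs:
  build:
    runs-on: macos-14 # M1
    # Least privilege for GITHUB_TOKEN: this job only checks out the repo and moves artifacts/caches
    # (which use the runtime token, not GITHUB_TOKEN). Job-level permissions can only narrow the caller's.
    permissions:
      contents: read
    # The signing environment (and therefore the Apple secrets) is only bound when a signed build is requested
    environment: ${{ inputs.sign && 'packages.element.io' || '' }}
    steps:
      - uses: actions/checkout@v4

      - uses: actions/download-artifact@v4
        with:
          name: webapp

      - name: Cache .hak
        id: cache
        uses: actions/cache@v4
        with:
          key: ${{ runner.os }}-${{ hashFiles('hakHash', 'electronVersion') }}
          path: |
            ./.hak

      - name: Install Rust
        if: steps.cache.outputs.cache-hit != 'true'
        run: |
          rustup toolchain install stable --profile minimal --no-self-update
          rustup default stable
          rustup target add aarch64-apple-darwin
          rustup target add x86_64-apple-darwin

      # M1 macos-14 comes without Python preinstalled
      - uses: actions/setup-python@v5
        with:
          python-version: "3.12"

      - uses: actions/setup-node@v4
        with:
          node-version-file: package.json
          cache: "yarn" # Does not need branch matching as only analyses this layer

      - name: Install Deps
        run: "yarn install --frozen-lockfile"

      - name: Build Natives
        if: steps.cache.outputs.cache-hit != 'true'
        run: |
          # Python 3.12 drops distutils which keytar relies on
          pip3 install setuptools
          yarn build:native:universal

      - name: "[Nightly] Resolve version"
        if: inputs.version != ''
        # The value goes through env rather than `${{ }}` inside the script so it is never shell-interpreted.
        # GITHUB_ENV is line-oriented, so the heredoc form with a random delimiter is used: a value containing
        # a newline cannot define additional environment variables for later steps.
        env:
          VERSION: ${{ inputs.version }}
        run: |
          delimiter="$(openssl rand -hex 16)"
          {
            echo "ED_NIGHTLY<<${delimiter}"
            echo "$VERSION"
            echo "${delimiter}"
          } >> "$GITHUB_ENV"

      # We split these because electron-builder gets upset if we set CSC_LINK even to an empty string
      - name: "[Signed] Build App"
        if: inputs.sign != ''
        run: |
          yarn build:universal --publish never
        env:
          ED_NOTARYTOOL_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
          APPLE_ID: ${{ secrets.APPLE_ID }}
          APPLE_APP_SPECIFIC_PASSWORD: ${{ secrets.APPLE_ID_PASSWORD }}
          CSC_KEY_PASSWORD: ${{ secrets.APPLE_CSC_KEY_PASSWORD }}
          CSC_LINK: ${{ secrets.APPLE_CSC_LINK }}

      - name: Check app was signed & notarised successfully
        if: inputs.sign != ''
        run: |
          hdiutil attach dist/*.dmg -mountpoint /Volumes/Element
          # `codesign -dv` only *displays* the signature; it succeeds on a validly-formed but tampered bundle.
          # `--verify --deep --strict` actually validates the seal and every nested code object.
          codesign -dv --verbose=4 /Volumes/Element/*.app
          codesign --verify --deep --strict --verbose=2 /Volumes/Element/*.app
          # Gatekeeper assessment: rejects anything not signed with a Developer ID and notarised
          spctl -a -vvv -t install /Volumes/Element/*.app
          # Confirm the notarisation ticket is stapled so the app also passes Gatekeeper offline.
          # NOTE(review): assumes the build staples after notarising (the default); drop this line if it is disabled.
          xcrun stapler validate /Volumes/Element/*.app
          hdiutil detach /Volumes/Element

      - name: "[Unsigned] Build App"
        if: inputs.sign == ''
        run: |
          yarn build:universal --publish never
        env:
          CSC_IDENTITY_AUTO_DISCOVERY: "false"

      - name: Generate releases.json
        if: inputs.base-url
        # Both inputs are passed through env, never interpolated into the script body
        env:
          VERSION: ${{ inputs.version }}
          BASE_URL: ${{ inputs.base-url }}
        run: |
          PKG_JSON_VERSION=$(jq -r .version package.json)
          # `-print0` pairs with `xargs -0`; the previous newline-delimited input only worked for a single match.
          LATEST=$(find dist -type f -iname "*-mac.zip" -print0 | xargs -0 -n1 -- basename)
          # releases.json must point at exactly one archive: fail loudly on zero or several matches rather than
          # publishing a multi-line (broken) URL.
          if [ "$(printf '%s\n' "$LATEST" | grep -c .)" -ne 1 ]; then
            echo "Expected exactly one *-mac.zip in dist, found:" >&2
            printf '%s\n' "$LATEST" >&2
            exit 1
          fi
          # Encode spaces in the URL as Squirrel.Mac complains about bad JSON otherwise
          URL="${BASE_URL}/update/macos/${LATEST// /%20}"
          jq -n --arg version "${VERSION:-$PKG_JSON_VERSION}" --arg url "$URL" '
            {
              currentRelease: $version,
              releases: [{
                version: $version,
                updateTo: {
                  version: $version,
                  url: $url,
                },
              }],
            }
          ' > dist/releases.json
          jq -n --arg url "$URL" '
            {
              url: $url
            }
          ' > dist/releases-legacy.json

      # We exclude mac-universal as the unpacked app takes forever to upload and zip and dmg already contains it
      - name: Upload Artifacts
        uses: actions/upload-artifact@v4
        with:
          name: macos
          path: |
            dist
            !dist/mac-universal/**
          retention-days: 1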