daonanchao/vibe-kanban
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
4e5cc459bda5c134ec0b94ab708d1c0e845e2bd1
vibe-kanban/.github/workflows/pre-release.yml
Anastasiia Solop 4e5cc459bd Code signing in CI (#28) 
* add code-signing

* bump version

* use key json instead of separate secrets

* sign and notarize separately

* fix typos

* fix double zipping

* skip npm zipping for mac

* zip file instead of a folder

* fix zip names

* windows fix

* minor fixes

* try to fix zipping issue

* use zip -j flag to avoid folder structure

* fix mcp binary name for linux-arm64

* normalize mcp binary name
2025-07-01 11:35:05 +02:00

390 lines
12 KiB
YAML
Raw Blame History

# To pre-release:
# ```
# git tag -a v0.1.0 -m "Release 0.1.0"
# git push origin v0.1.0
# ```
name: Create GitHub Pre-Release
on:
push:
tags:
- "v*.*.*"
concurrency:
group: release
cancel-in-progress: true
permissions:
contents: write
packages: write
pull-requests: write
env:
NODE_VERSION: 22
PNPM_VERSION: 10.8.1
TAG_REGEX: '^v[0-9]+\.[0-9]+\.[0-9]+$'
RUST_TOOLCHAIN: nightly-2025-05-18
jobs:
tag-check:
runs-on: ubuntu-latest
if: github.ref_type == 'tag'
steps:
- uses: actions/checkout@v4
- name: Validate tag matches package.json version
shell: bash
run: |
set -euo pipefail
echo "::group::Tag validation"
# 1. Must be a tag and match the regex
[[ "${GITHUB_REF_TYPE}" == "tag" ]] \
|| { echo "❌ Not a tag push"; exit 1; }
[[ "${GITHUB_REF_NAME}" =~ ${TAG_REGEX} ]] \
|| { echo "❌ Tag '${GITHUB_REF_NAME}' != ${TAG_REGEX}"; exit 1; }
# 2. Extract versions
tag_ver="${GITHUB_REF_NAME#v}"
package_ver="$(node -p "require('./package.json').version")"
cli_package_ver="$(node -p "require('./npx-cli/package.json').version")"
# 3. Compare
[[ "${tag_ver}" == "${package_ver}" ]] \
|| { echo "❌ Tag ${tag_ver} ≠ package.json ${package_ver}"; exit 1; }
# 4. Compare tag with npx-cli package.json
[[ "${tag_ver}" == "${cli_package_ver}" ]] \
|| { echo "❌ Tag ${tag_ver} ≠ npx-cli package.json ${cli_package_ver}"; exit 1; }
echo "✅ Tag and package.json agree (${tag_ver})"
echo "::endgroup::"
build-frontend:
needs: tag-check
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Setup Node
uses: ./.github/actions/setup-node
- name: Install dependencies
run: pnpm install
- name: Lint frontend
run: cd frontend && npm run lint
- name: Type check frontend
run: cd frontend && npx tsc --noEmit
- name: Build frontend
run: npm run frontend:build
- name: Upload frontend artifact
uses: actions/upload-artifact@v4
with:
name: frontend-dist
path: frontend/dist/
retention-days: 1
build-backend:
needs: [tag-check, build-frontend]
runs-on: ${{ matrix.os }}
if: github.ref_type == 'tag'
strategy:
# Platform matrix - keep target/name in sync with package-npx-cli job
matrix:
include:
- target: x86_64-unknown-linux-gnu
os: ubuntu-latest
name: linux-x64
- target: x86_64-pc-windows-msvc
os: windows-latest-l
name: windows-x64
- target: x86_64-apple-darwin
os: macos-13
name: macos-x64
- target: aarch64-apple-darwin
os: macos-14
name: macos-arm64
- target: aarch64-pc-windows-msvc
os: windows-latest-l
name: windows-arm64
- target: aarch64-unknown-linux-gnu
os: ubuntu-latest
name: linux-arm64
steps:
- uses: actions/checkout@v4
- name: Install Rust toolchain
uses: dtolnay/rust-toolchain@stable
with:
toolchain: ${{ env.RUST_TOOLCHAIN }}
targets: ${{ matrix.target }}
components: rustfmt, clippy
- name: Cache Rust dependencies
uses: Swatinem/rust-cache@v2
with:
workspaces: "."
key: ${{ matrix.target }}
cache-on-failure: true
shared-key: "shared"
cache-all-crates: true
- name: Download frontend artifact
uses: actions/download-artifact@v4
with:
name: frontend-dist
path: frontend/dist/
- name: Install system dependencies (Linux)
if: matrix.os == 'ubuntu-latest'
run: |
sudo apt-get update
sudo apt-get install -y pkg-config libssl-dev
- name: Install ARM64 cross-compilation dependencies (Linux)
if: matrix.os == 'ubuntu-latest' && matrix.target == 'aarch64-unknown-linux-gnu'
run: |
sudo apt-get install -y gcc-aarch64-linux-gnu g++-aarch64-linux-gnu libc6-dev-arm64-cross
- name: Build backend for target
run: |
cargo build --release --target ${{ matrix.target }} -p vibe-kanban
cargo build --release --target ${{ matrix.target }} --bin mcp_task_server
env:
CARGO_TARGET_AARCH64_UNKNOWN_LINUX_GNU_LINKER: ${{ matrix.target == 'aarch64-unknown-linux-gnu' && 'aarch64-linux-gnu-gcc' || '' }}
- name: Prepare binaries (non-macOS)
if: runner.os != 'macOS'
shell: bash
run: |
mkdir -p dist
if [[ "${{ matrix.os }}" == "windows-latest-l" ]]; then
cp target/${{ matrix.target }}/release/vibe-kanban.exe dist/vibe-kanban-${{ matrix.name }}.exe
cp target/${{ matrix.target }}/release/mcp_task_server.exe dist/vibe-kanban-mcp-${{ matrix.name }}.exe
else
cp target/${{ matrix.target }}/release/vibe-kanban dist/vibe-kanban-${{ matrix.name }}
cp target/${{ matrix.target }}/release/mcp_task_server dist/vibe-kanban-mcp-${{ matrix.name }}
fi
# Code signing for macOS only
- name: Prepare Apple certificate (macOS)
if: runner.os == 'macOS'
run: |
echo "${{ secrets.APPLE_CERTIFICATE_P12_BASE64 }}" | base64 --decode > certificate.p12
- name: Write API Key to file
env:
API_KEY: ${{ secrets.APP_STORE_API_KEY }}
run: echo $API_KEY > app_store_key.json
- name: Sign main binary (macOS)
if: runner.os == 'macOS'
uses: indygreg/apple-code-sign-action@v1
with:
input_path: target/${{ matrix.target }}/release/vibe-kanban
output_path: vibe-kanban
p12_file: certificate.p12
p12_password: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
sign: true
sign_args: "--code-signature-flags=runtime"
- name: Package main binary (macOS)
if: runner.os == 'macOS'
run: zip vibe-kanban.zip vibe-kanban
- name: Notarize signed binary (macOS)
if: runner.os == 'macOS'
uses: indygreg/apple-code-sign-action@v1
continue-on-error: true
with:
input_path: vibe-kanban.zip
sign: false
notarize: true
app_store_connect_api_key_json_file: app_store_key.json
- name: Sign MCP binary (macOS)
if: runner.os == 'macOS'
uses: indygreg/apple-code-sign-action@v1
with:
input_path: target/${{ matrix.target }}/release/mcp_task_server
output_path: vibe-kanban-mcp
p12_file: certificate.p12
p12_password: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
sign: true
sign_args: "--code-signature-flags=runtime"
- name: Package MCP binary (macOS)
if: runner.os == 'macOS'
run: zip vibe-kanban-mcp.zip vibe-kanban-mcp
- name: Notarize signed MCP binary (macOS)
if: runner.os == 'macOS'
uses: indygreg/apple-code-sign-action@v1
continue-on-error: true
with:
input_path: vibe-kanban-mcp.zip
sign: false
notarize: true
app_store_connect_api_key_json_file: app_store_key.json
- name: Prepare signed binaries (macOS)
if: runner.os == 'macOS'
run: |
mkdir -p dist
cp vibe-kanban.zip dist/vibe-kanban-${{ matrix.name }}.zip
cp vibe-kanban-mcp.zip dist/vibe-kanban-mcp-${{ matrix.name }}.zip
- name: Clean up certificates (macOS)
if: runner.os == 'macOS'
run: |
rm -f certificate.p12
rm -rf private_keys/
- name: Upload binary artifact
uses: actions/upload-artifact@v4
with:
name: backend-binary-${{ matrix.name }}
path: dist/
retention-days: 1
package-npx-cli:
needs: [build-frontend, build-backend]
runs-on: ubuntu-latest
strategy:
# NOTE: This matrix must be kept in sync with build-backend job above
# GitHub Actions doesn't support YAML anchors, so duplication is unavoidable
matrix:
include:
- target: x86_64-unknown-linux-gnu
name: linux-x64
binary: vibe-kanban
mcp_binary: vibe-kanban-mcp
- target: x86_64-pc-windows-msvc
name: windows-x64
binary: vibe-kanban.exe
mcp_binary: vibe-kanban-mcp.exe
- target: x86_64-apple-darwin
name: macos-x64
binary: vibe-kanban
mcp_binary: vibe-kanban-mcp
- target: aarch64-apple-darwin
name: macos-arm64
binary: vibe-kanban
mcp_binary: vibe-kanban-mcp
- target: aarch64-pc-windows-msvc
name: windows-arm64
binary: vibe-kanban.exe
mcp_binary: vibe-kanban-mcp.exe
- target: aarch64-unknown-linux-gnu
name: linux-arm64
binary: vibe-kanban
mcp_binary: vibe-kanban-mcp
steps:
- uses: actions/checkout@v4
- name: Download frontend artifact
uses: actions/download-artifact@v4
with:
name: frontend-dist
path: frontend/dist/
- name: Download backend binary artifact
uses: actions/download-artifact@v4
with:
name: backend-binary-${{ matrix.name }}
path: dist/
- name: List downloaded artifacts
run: |
echo "Downloaded backend binaries:"
find dist/
- name: Create platform package
if: matrix.name != 'macos-arm64' && matrix.name != 'macos-x64'
run: |
mkdir -p npx-cli/dist/${{ matrix.name }}
mkdir vibe-kanban-${{ matrix.name }}
mkdir vibe-kanban-mcp-${{ matrix.name }}
cp dist/vibe-kanban-${{ matrix.name }}* vibe-kanban-${{ matrix.name }}/${{ matrix.binary }}
cp dist/vibe-kanban-mcp-${{ matrix.name }}* vibe-kanban-mcp-${{ matrix.name }}/${{ matrix.mcp_binary }}
zip -j npx-cli/dist/${{ matrix.name }}/vibe-kanban.zip vibe-kanban-${{ matrix.name }}/${{ matrix.binary }}
zip -j npx-cli/dist/${{ matrix.name }}/vibe-kanban-mcp.zip vibe-kanban-mcp-${{ matrix.name }}/${{ matrix.mcp_binary }}
# MacOS notarization step already produced .zip files
- name: Create platform package
if: matrix.name == 'macos-arm64' || matrix.name == 'macos-x64'
run: |
mkdir -p npx-cli/dist/${{ matrix.name }}
mkdir vibe-kanban-${{ matrix.name }}
cp dist/vibe-kanban-${{ matrix.name }}* npx-cli/dist/${{ matrix.name }}/vibe-kanban.zip
cp dist/vibe-kanban-mcp-${{ matrix.name }}* npx-cli/dist/${{ matrix.name }}/vibe-kanban-mcp.zip
- name: Upload platform package artifact
uses: actions/upload-artifact@v4
with:
name: npx-platform-${{ matrix.name }}
path: npx-cli/dist/
retention-days: 1
create-prerelease:
needs: [build-frontend, build-backend, package-npx-cli]
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Get version from tag
id: get-version
run: echo "version=${GITHUB_REF_NAME#v}" >> $GITHUB_OUTPUT
- name: Download frontend artifact
uses: actions/download-artifact@v4
with:
name: frontend-dist
path: frontend/dist/
- name: Download backend npx-cli zips
uses: actions/download-artifact@v4
with:
pattern: npx-platform-*
path: npx-cli/dist/
merge-multiple: true
- name: List downloaded artifacts
run: |
echo "Backend dist:"
find npx-cli/dist
echo "Frontend dist:"
find frontend/dist
- name: Zip frontend
run: |
mkdir vibe-kanban-${{ github.ref_name }}
mv frontend/dist vibe-kanban-${{ github.ref_name }}
zip -r vibe-kanban-${{ github.ref_name }}.zip vibe-kanban-${{ github.ref_name }}
- name: Setup Node for npm pack
uses: ./.github/actions/setup-node
- name: Pack
run: |
cd npx-cli
npm pack
- name: Create GitHub Pre-Release
uses: softprops/action-gh-release@v2
with:
tag_name: ${{ github.ref_name }}
name: Pre-release ${{ github.ref_name }}
prerelease: true
generate_release_notes: true
files: |
vibe-kanban-${{ github.ref_name }}.zip
npx-cli/vibe-kanban-*.tgz
Reference in New Issue View Git Blame Copy Permalink