5b7746af79
SignPath GitHub Action 不支持 github-artifact-name 参数, 改用 github-artifact-id 并通过 GitHub API 获取 artifact ID。 - 移除 download-artifact 步骤(SignPath 直接从 GitHub 获取) - 添加 get-artifact 步骤通过 API 获取 artifact ID - 使用 github-artifact-id 替代无效的 github-artifact-name
254 lines
9.5 KiB
YAML
254 lines
9.5 KiB
YAML
name: Release Editor App
|
||
|
||
on:
|
||
push:
|
||
tags:
|
||
- 'editor-v*'
|
||
workflow_dispatch:
|
||
inputs:
|
||
version:
|
||
description: 'Release version (e.g., 1.0.0)'
|
||
required: true
|
||
default: '1.0.0'
|
||
|
||
jobs:
|
||
build-tauri:
|
||
strategy:
|
||
fail-fast: false
|
||
matrix:
|
||
include:
|
||
- platform: windows-latest
|
||
target: x86_64-pc-windows-msvc
|
||
arch: x64
|
||
- platform: macos-latest
|
||
target: x86_64-apple-darwin
|
||
arch: x64
|
||
- platform: macos-latest
|
||
target: aarch64-apple-darwin
|
||
arch: arm64
|
||
|
||
runs-on: ${{ matrix.platform }}
|
||
|
||
steps:
|
||
- name: Checkout code
|
||
uses: actions/checkout@v4
|
||
|
||
- name: Install pnpm
|
||
uses: pnpm/action-setup@v4
|
||
|
||
- name: Setup Node.js
|
||
uses: actions/setup-node@v4
|
||
with:
|
||
node-version: '20.x'
|
||
cache: 'pnpm'
|
||
|
||
- name: Install Rust stable
|
||
uses: dtolnay/rust-toolchain@stable
|
||
with:
|
||
targets: ${{ matrix.target }}
|
||
|
||
- name: Rust cache
|
||
uses: Swatinem/rust-cache@v2
|
||
with:
|
||
workspaces: packages/editor-app/src-tauri
|
||
cache-on-failure: true
|
||
|
||
- name: Install dependencies (Ubuntu)
|
||
if: matrix.platform == 'ubuntu-latest'
|
||
run: |
|
||
sudo apt-get update
|
||
sudo apt-get install -y libgtk-3-dev libwebkit2gtk-4.0-dev libappindicator3-dev librsvg2-dev patchelf
|
||
|
||
- name: Install frontend dependencies
|
||
run: pnpm install
|
||
|
||
- name: Update version in config files (for manual trigger)
|
||
if: github.event_name == 'workflow_dispatch'
|
||
run: |
|
||
cd packages/editor-app
|
||
node -e "const pkg=require('./package.json'); pkg.version='${{ github.event.inputs.version }}'; require('fs').writeFileSync('./package.json', JSON.stringify(pkg, null, 2)+'\n')"
|
||
node scripts/sync-version.js
|
||
|
||
- name: Install wasm-pack
|
||
run: cargo install wasm-pack
|
||
|
||
# 使用 Turborepo 自动按依赖顺序构建所有包
|
||
# 这会自动处理:core -> asset-system -> editor-core -> ui -> 等等
|
||
- name: Build all packages with Turborepo
|
||
run: pnpm run build
|
||
|
||
- name: Copy WASM files to ecs-engine-bindgen
|
||
shell: bash
|
||
run: |
|
||
mkdir -p packages/ecs-engine-bindgen/src/wasm
|
||
cp packages/engine/pkg/es_engine.js packages/ecs-engine-bindgen/src/wasm/
|
||
cp packages/engine/pkg/es_engine.d.ts packages/ecs-engine-bindgen/src/wasm/
|
||
cp packages/engine/pkg/es_engine_bg.wasm packages/ecs-engine-bindgen/src/wasm/
|
||
cp packages/engine/pkg/es_engine_bg.wasm.d.ts packages/ecs-engine-bindgen/src/wasm/
|
||
|
||
- name: Bundle runtime files for Tauri
|
||
run: |
|
||
cd packages/editor-app
|
||
node scripts/bundle-runtime.mjs
|
||
|
||
- name: Build Tauri app
|
||
id: tauri
|
||
uses: tauri-apps/tauri-action@v0.5
|
||
env:
|
||
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
||
TAURI_SIGNING_PRIVATE_KEY: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY }}
|
||
TAURI_SIGNING_PRIVATE_KEY_PASSWORD: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY_PASSWORD }}
|
||
with:
|
||
projectPath: packages/editor-app
|
||
tagName: ${{ github.event_name == 'workflow_dispatch' && format('editor-v{0}', github.event.inputs.version) || github.ref_name }}
|
||
releaseName: 'ECS Editor v${{ github.event.inputs.version || github.ref_name }}'
|
||
releaseBody: 'See the assets to download this version and install.'
|
||
releaseDraft: true
|
||
prerelease: false
|
||
includeUpdaterJson: true
|
||
updaterJsonKeepUniversal: false
|
||
args: ${{ matrix.platform == 'macos-latest' && format('--target {0}', matrix.target) || '' }}
|
||
|
||
# Windows 构建上传 artifact 供 SignPath 签名
|
||
- name: Upload Windows artifacts for signing
|
||
if: matrix.platform == 'windows-latest'
|
||
uses: actions/upload-artifact@v4
|
||
with:
|
||
name: windows-unsigned
|
||
path: |
|
||
packages/editor-app/src-tauri/target/release/bundle/nsis/*.exe
|
||
packages/editor-app/src-tauri/target/release/bundle/msi/*.msi
|
||
retention-days: 1
|
||
|
||
# SignPath 代码签名(Windows)
|
||
# SignPath OSS code signing for Windows
|
||
#
|
||
# 配置步骤 | Setup Steps:
|
||
# 1. 在 SignPath 门户创建项目 | Create project in SignPath portal
|
||
# 2. 导入 .signpath/artifact-configuration.xml | Import artifact configuration
|
||
# 3. 使用 'test-signing' 策略测试 | Use 'test-signing' policy for testing
|
||
# 生产环境改为 'release-signing' | Change to 'release-signing' for production
|
||
# 4. 配置 GitHub Secrets | Configure GitHub Secrets:
|
||
# - SIGNPATH_API_TOKEN: API token from SignPath
|
||
# - SIGNPATH_ORGANIZATION_ID: Your organization ID
|
||
#
|
||
# 文档 | Documentation: https://about.signpath.io/documentation/trusted-build-systems/github
|
||
sign-windows:
|
||
needs: build-tauri
|
||
runs-on: ubuntu-latest
|
||
# 只有在构建成功时才运行 | Only run on successful build
|
||
if: success()
|
||
|
||
steps:
|
||
- name: Check SignPath configuration
|
||
id: check-signpath
|
||
run: |
|
||
if [ -n "${{ secrets.SIGNPATH_API_TOKEN }}" ] && [ -n "${{ secrets.SIGNPATH_ORGANIZATION_ID }}" ]; then
|
||
echo "enabled=true" >> $GITHUB_OUTPUT
|
||
echo "SignPath is configured, proceeding with code signing"
|
||
else
|
||
echo "enabled=false" >> $GITHUB_OUTPUT
|
||
echo "SignPath secrets not configured, skipping code signing"
|
||
echo "To enable: add SIGNPATH_API_TOKEN and SIGNPATH_ORGANIZATION_ID secrets"
|
||
fi
|
||
|
||
- name: Checkout
|
||
if: steps.check-signpath.outputs.enabled == 'true'
|
||
uses: actions/checkout@v4
|
||
|
||
- name: Get artifact ID
|
||
if: steps.check-signpath.outputs.enabled == 'true'
|
||
id: get-artifact
|
||
env:
|
||
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
||
run: |
|
||
# 获取 windows-unsigned artifact 的 ID
|
||
ARTIFACT_ID=$(gh api \
|
||
-H "Accept: application/vnd.github+json" \
|
||
"/repos/${{ github.repository }}/actions/runs/${{ github.run_id }}/artifacts" \
|
||
--jq '.artifacts[] | select(.name == "windows-unsigned") | .id')
|
||
|
||
if [ -z "$ARTIFACT_ID" ]; then
|
||
echo "Error: Could not find artifact 'windows-unsigned'"
|
||
exit 1
|
||
fi
|
||
|
||
echo "artifact-id=$ARTIFACT_ID" >> $GITHUB_OUTPUT
|
||
echo "Found artifact ID: $ARTIFACT_ID"
|
||
|
||
- name: Submit to SignPath for code signing
|
||
if: steps.check-signpath.outputs.enabled == 'true'
|
||
id: signpath
|
||
uses: signpath/github-action-submit-signing-request@v1
|
||
with:
|
||
api-token: ${{ secrets.SIGNPATH_API_TOKEN }}
|
||
organization-id: ${{ secrets.SIGNPATH_ORGANIZATION_ID }}
|
||
project-slug: 'ecs-framework'
|
||
signing-policy-slug: 'test-signing'
|
||
artifact-configuration-slug: 'default'
|
||
github-artifact-id: ${{ steps.get-artifact.outputs.artifact-id }}
|
||
wait-for-completion: true
|
||
wait-for-completion-timeout-in-seconds: 600
|
||
output-artifact-directory: './signed'
|
||
|
||
- name: Upload signed artifacts to release
|
||
if: steps.check-signpath.outputs.enabled == 'true'
|
||
uses: softprops/action-gh-release@v1
|
||
with:
|
||
files: ./signed/*
|
||
tag_name: ${{ github.event_name == 'workflow_dispatch' && format('editor-v{0}', github.event.inputs.version) || github.ref_name }}
|
||
# 保持 Draft 状态,需要手动发布 | Keep as draft, require manual publish
|
||
draft: true
|
||
env:
|
||
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
||
|
||
# 构建成功后,创建 PR 更新版本号
|
||
# Create PR to update version after successful build
|
||
update-version-pr:
|
||
needs: [build-tauri, sign-windows]
|
||
# 即使签名跳过也要运行 | Run even if signing is skipped
|
||
if: github.event_name == 'workflow_dispatch' && !failure()
|
||
runs-on: ubuntu-latest
|
||
|
||
steps:
|
||
- name: Checkout code
|
||
uses: actions/checkout@v4
|
||
|
||
- name: Setup Node.js
|
||
uses: actions/setup-node@v4
|
||
with:
|
||
node-version: '20.x'
|
||
|
||
- name: Update version files
|
||
run: |
|
||
cd packages/editor-app
|
||
node -e "const pkg=require('./package.json'); pkg.version='${{ github.event.inputs.version }}'; require('fs').writeFileSync('./package.json', JSON.stringify(pkg, null, 2)+'\n')"
|
||
node scripts/sync-version.js
|
||
|
||
- name: Create Pull Request
|
||
uses: peter-evans/create-pull-request@v6
|
||
with:
|
||
token: ${{ secrets.GITHUB_TOKEN }}
|
||
commit-message: "chore(editor): bump version to ${{ github.event.inputs.version }}"
|
||
branch: release/editor-v${{ github.event.inputs.version }}
|
||
delete-branch: true
|
||
title: "chore(editor): Release v${{ github.event.inputs.version }}"
|
||
body: |
|
||
## Release v${{ github.event.inputs.version }}
|
||
|
||
This PR updates the editor version after successful release build.
|
||
|
||
### Changes
|
||
- Updated `packages/editor-app/package.json` → `${{ github.event.inputs.version }}`
|
||
- Updated `packages/editor-app/src-tauri/tauri.conf.json` → `${{ github.event.inputs.version }}`
|
||
|
||
### Release
|
||
- [GitHub Release](https://github.com/${{ github.repository }}/releases/tag/editor-v${{ github.event.inputs.version }})
|
||
|
||
---
|
||
*This PR was automatically created by the release workflow.*
|
||
labels: |
|
||
release
|
||
editor
|
||
automated pr
|