MaxVideoPlayer/.github/workflows/release.yml at 34d258b4570a24a9476ee12cfc457c3a0c27f212 · MaxMB15/MaxVideoPlayer · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
name: Release

on:
  push:
    tags:
      - "v*"

env:
  CARGO_TERM_COLOR: always
  CARGO_HOME: /Users/runner/.cargo
  CARGO_INCREMENTAL: 0
  TAURI_SIGNING_PRIVATE_KEY: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY }}
  TAURI_SIGNING_PRIVATE_KEY_PASSWORD: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY_PASSWORD }}

jobs:
  release-macos:
    runs-on: macos-latest
    permissions:
      contents: write

    steps:
      - uses: actions/checkout@v4

      - name: Install Rust
        uses: dtolnay/rust-toolchain@stable

      - name: Rust cache
        uses: Swatinem/rust-cache@v2
        with:
          workspaces: ". -> target"
          cache-on-failure: true

      - name: Setup Node
        uses: actions/setup-node@v4
        with:
          node-version: 20
          cache: npm

      - name: Install frontend deps
        run: npm ci

      - name: Install system deps
        run: |
          # ffmpeg@7 required: mpv 0.40.0 uses FF_PROFILE_* macros removed in ffmpeg 8.x
          brew install meson ninja pkg-config ffmpeg@7 libass libplacebo dylibbundler
          # Make ffmpeg@7 visible to pkg-config (it is keg-only, not linked by default)
          echo "PKG_CONFIG_PATH=$(brew --prefix ffmpeg@7)/lib/pkgconfig${PKG_CONFIG_PATH:+:$PKG_CONFIG_PATH}" >> $GITHUB_ENV

      - name: Build libmpv
        run: ./scripts/build-libmpv.sh macos

      - name: Prepare signing key
        run: |
          # Tauri CLI requires the raw minisign format (starting with "untrusted comment:").
          # The secret may be stored as:
          #   (a) base64-encoded raw key, or
          #   (b) raw key with actual newlines, or
          #   (c) raw key with escaped \n (two chars) instead of real newlines.
          # We normalize to raw format and always write to GITHUB_ENV so the key
          # is guaranteed to have proper newlines when Tauri reads it.
          python3 - << 'EOF'
          import base64, os, sys

          key = os.environ.get("TAURI_SIGNING_PRIVATE_KEY", "")
          print(f"[signing] Key length: {len(key)}, has newlines: {'yes' if chr(10) in key else 'no'}")

          if not key.strip():
              print("[signing] ERROR: no signing key set.")
              sys.exit(1)

          # Normalize literal \n (two chars) to actual newlines
          key = key.replace("\\n", "\n")

          def try_b64(s):
              try:
                  return base64.b64decode(s.strip(), validate=True).decode("utf-8")
              except Exception:
                  return None

          if "untrusted comment:" in key:
              final_key = key
              print("[signing] Raw minisign key detected.")
          else:
              # Try up to 2 levels of base64 decoding to handle both
              # single-encoded and accidentally double-encoded secrets.
              current = key
              final_key = None
              for depth in range(1, 3):
                  decoded = try_b64(current)
                  if decoded is None:
                      print(f"[signing] ERROR: base64 decode failed at depth {depth}.")
                      sys.exit(1)
                  if "untrusted comment:" in decoded:
                      final_key = decoded
                      print(f"[signing] Key decoded at depth {depth}.")
                      break
                  current = decoded
              if final_key is None:
                  print("[signing] ERROR: key is not a valid minisign private key.")
                  sys.exit(1)

          with open(os.environ["GITHUB_ENV"], "a") as f:
              f.write("TAURI_SIGNING_PRIVATE_KEY<<__ENDKEY__\n")
              f.write(final_key.rstrip("\n") + "\n")
              f.write("__ENDKEY__\n")
          print("[signing] Key written to GITHUB_ENV.")
          EOF

      - name: Build Tauri app
        # Build without updater artifacts so bundle_dmg.sh doesn't race with
        # hdiutil over the .app bundle. We create the updater artifacts manually below.
        run: cd apps/desktop && npx tauri build --config '{"bundle":{"createUpdaterArtifacts":false}}'

      - name: Create updater artifacts
        run: |
          set -euo pipefail
          VERSION=$(python3 -c "import json; print(json.load(open('apps/desktop/src-tauri/tauri.conf.json'))['version'])")
          echo "VERSION=$VERSION" >> "$GITHUB_ENV"

          BUNDLE_DIR="target/release/bundle/macos"
          UPDATER="$BUNDLE_DIR/MaxVideoPlayer.app.tar.gz"

          # Create the .tar.gz updater archive from the built .app
          cd "$BUNDLE_DIR"
          tar czf MaxVideoPlayer.app.tar.gz MaxVideoPlayer.app
          cd -

          # tauri signer sign cannot parse raw minisign keys from the env var
          # (it tries base64 decode and fails). Write the key to a temp file
          # and pass it with -k so Tauri reads it as a raw file instead.
          printf '%s' "$TAURI_SIGNING_PRIVATE_KEY" > /tmp/skey.key
          chmod 600 /tmp/skey.key
          if [[ -n "${TAURI_SIGNING_PRIVATE_KEY_PASSWORD:-}" ]]; then
            cd apps/desktop && npx tauri signer sign \
              -k /tmp/skey.key \
              -p "$TAURI_SIGNING_PRIVATE_KEY_PASSWORD" \
              "../../$UPDATER"
            cd -
          else
            cd apps/desktop && npx tauri signer sign \
              -k /tmp/skey.key \
              --no-password \
              "../../$UPDATER"
            cd -
          fi
          rm -f /tmp/skey.key

          # Build latest.json for the auto-updater endpoint
          SIG=$(cat "${UPDATER}.sig")
          python3 - "$VERSION" "$SIG" << 'PYEOF'
          import json, sys
          from datetime import datetime, timezone
          version, sig = sys.argv[1], sys.argv[2]
          data = {
            "version": version,
            "notes": "See the CHANGELOG for details.",
            "pub_date": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
            "platforms": {
              "darwin-aarch64": {
                "signature": sig,
                "url": f"https://github.com/MaxMB15/MaxVideoPlayer/releases/download/v{version}/MaxVideoPlayer_{version}_aarch64.app.tar.gz"
              }
            }
          }
          with open("latest.json", "w") as f:
            json.dump(data, f, indent=2)
          print("latest.json written")
          PYEOF

      - name: Publish GitHub release
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          set -euo pipefail
          VERSION="$VERSION"
          DMG="target/release/bundle/dmg/MaxVideoPlayer_${VERSION}_aarch64.dmg"
          UPDATER="target/release/bundle/macos/MaxVideoPlayer.app.tar.gz"

          gh release create "v${VERSION}" \
            --repo "$GITHUB_REPOSITORY" \
            --title "MaxVideoPlayer v${VERSION}" \
            --notes "See the [CHANGELOG](https://github.com/MaxMB15/MaxVideoPlayer/blob/main/CHANGELOG.md) for details." \
            --draft \
            "$DMG" \
            "${UPDATER}#MaxVideoPlayer_${VERSION}_aarch64.app.tar.gz" \
            "${UPDATER}.sig#MaxVideoPlayer_${VERSION}_aarch64.app.tar.gz.sig" \
            "latest.json"