name: "Build Electron App" description: "Builds and packages the Electron app for different platforms" inputs: os: description: "One of the supported platforms: macos, linux, windows" required: true arch: description: "The architecture to build for: x64, arm64" required: true shell: description: "Which shell to use" required: true forge_platform: description: "The --platform to pass to Electron Forge" required: true runs: using: composite steps: # Certificate setup - name: Import Apple certificates if: inputs.os == 'macos' uses: apple-actions/import-codesign-certs@v5 with: p12-file-base64: ${{ env.APPLE_APP_CERTIFICATE_BASE64 }} p12-password: ${{ env.APPLE_APP_CERTIFICATE_PASSWORD }} keychain: build-app-${{ github.run_id }} keychain-password: ${{ github.run_id }} - name: Install Installer certificate if: inputs.os == 'macos' uses: apple-actions/import-codesign-certs@v5 with: p12-file-base64: ${{ env.APPLE_INSTALLER_CERTIFICATE_BASE64 }} p12-password: ${{ env.APPLE_INSTALLER_CERTIFICATE_PASSWORD }} keychain: build-installer-${{ github.run_id }} keychain-password: ${{ github.run_id }} - name: Verify certificates if: inputs.os == 'macos' shell: ${{ inputs.shell }} run: | echo "Available signing identities in app keychain:" security find-identity -v -p codesigning build-app-${{ github.run_id }}.keychain echo "Available signing identities in installer keychain:" security find-identity -v -p codesigning build-installer-${{ github.run_id }}.keychain # Make the keychains searchable security list-keychains -d user -s build-app-${{ github.run_id }}.keychain build-installer-${{ github.run_id }}.keychain $(security list-keychains -d user | tr -d '"') security default-keychain -s build-app-${{ github.run_id }}.keychain security unlock-keychain -p ${{ github.run_id }} build-app-${{ github.run_id }}.keychain security unlock-keychain -p ${{ github.run_id }} build-installer-${{ github.run_id }}.keychain security set-keychain-settings -t 3600 -l build-app-${{ github.run_id }}.keychain security set-keychain-settings -t 3600 -l build-installer-${{ github.run_id }}.keychain - name: Set up Python and other macOS dependencies if: ${{ inputs.os == 'macos' }} shell: ${{ inputs.shell }} run: | brew install python-setuptools brew install create-dmg - name: Install dependencies for RPM and Flatpak package building if: ${{ inputs.os == 'linux' }} shell: ${{ inputs.shell }} run: | sudo apt-get update && sudo apt-get install rpm flatpak-builder elfutils flatpak remote-add --user --if-not-exists flathub https://flathub.org/repo/flathub.flatpakrepo FLATPAK_ARCH=$(if [[ ${{ inputs.arch }} = 'arm64' ]]; then echo 'aarch64'; else echo 'x86_64'; fi) FLATPAK_VERSION='24.08' flatpak install --user --no-deps --arch $FLATPAK_ARCH --assumeyes runtime/org.freedesktop.Platform/$FLATPAK_ARCH/$FLATPAK_VERSION runtime/org.freedesktop.Sdk/$FLATPAK_ARCH/$FLATPAK_VERSION org.electronjs.Electron2.BaseApp/$FLATPAK_ARCH/$FLATPAK_VERSION # Build setup - name: Install dependencies shell: ${{ inputs.shell }} run: npm ci - name: Update build info shell: ${{ inputs.shell }} run: npm run chore:update-build-info # Critical debugging configuration - name: Run electron-forge build with enhanced logging shell: ${{ inputs.shell }} env: # Pass through required environment variables for signing and notarization APPLE_TEAM_ID: ${{ env.APPLE_TEAM_ID }} APPLE_ID: ${{ env.APPLE_ID }} APPLE_ID_PASSWORD: ${{ env.APPLE_ID_PASSWORD }} WINDOWS_SIGN_EXECUTABLE: ${{ env.WINDOWS_SIGN_EXECUTABLE }} TRILIUM_ARTIFACT_NAME_HINT: TriliumNextNotes-${{ github.ref_name }}-${{ inputs.os }}-${{ inputs.arch }} run: npm run electron-forge:make -- --arch=${{ inputs.arch }} --platform=${{ inputs.forge_platform }} # Add DMG signing step - name: Sign DMG if: inputs.os == 'macos' shell: ${{ inputs.shell }} run: | echo "Signing DMG file..." dmg_file=$(find ./dist -name "*.dmg" -print -quit) if [ -n "$dmg_file" ]; then echo "Found DMG: $dmg_file" # Get the first valid signing identity from the keychain SIGNING_IDENTITY=$(security find-identity -v -p codesigning build-app-${{ github.run_id }}.keychain | grep "Developer ID Application" | head -1 | sed -E 's/.*"([^"]+)".*/\1/') if [ -z "$SIGNING_IDENTITY" ]; then echo "Error: No valid Developer ID Application certificate found in keychain" exit 1 fi echo "Using signing identity: $SIGNING_IDENTITY" # Sign the DMG codesign --force --sign "$SIGNING_IDENTITY" --options runtime --timestamp "$dmg_file" # Notarize the DMG xcrun notarytool submit "$dmg_file" --apple-id "$APPLE_ID" --password "$APPLE_ID_PASSWORD" --team-id "$APPLE_TEAM_ID" --wait # Staple the notarization ticket xcrun stapler staple "$dmg_file" else echo "No DMG found to sign" fi - name: Verify code signing if: inputs.os == 'macos' shell: ${{ inputs.shell }} run: | echo "Verifying code signing for all artifacts..." # First check the .app bundle echo "Looking for .app bundle..." app_bundle=$(find ./dist -name "*.app" -print -quit) if [ -n "$app_bundle" ]; then echo "Found app bundle: $app_bundle" echo "Verifying app bundle signing..." codesign --verify --deep --strict --verbose=2 "$app_bundle" echo "Displaying app bundle signing info..." codesign --display --verbose=2 "$app_bundle" echo "Checking entitlements..." codesign --display --entitlements :- "$app_bundle" echo "Checking notarization status..." xcrun stapler validate "$app_bundle" || echo "Warning: App bundle not notarized yet" else echo "No .app bundle found to verify" fi # Then check DMG if it exists echo "Looking for DMG..." dmg_file=$(find ./dist -name "*.dmg" -print -quit) if [ -n "$dmg_file" ]; then echo "Found DMG: $dmg_file" echo "Verifying DMG signing..." codesign --verify --deep --strict --verbose=2 "$dmg_file" echo "Displaying DMG signing info..." codesign --display --verbose=2 "$dmg_file" echo "Checking DMG notarization..." xcrun stapler validate "$dmg_file" || echo "Warning: DMG not notarized yet" else echo "No DMG found to verify" fi # Finally check ZIP if it exists echo "Looking for ZIP..." zip_file=$(find ./dist -name "*.zip" -print -quit) if [ -n "$zip_file" ]; then echo "Found ZIP: $zip_file" echo "Note: ZIP files are not code signed, but their contents should be" fi