name: Release on: push: tags: - "v*" permissions: contents: write security-events: write packages: read actions: read env: TAURI_SIGNING_PRIVATE_KEY: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY }} TAURI_SIGNING_PRIVATE_KEY_PASSWORD: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY_PASSWORD }} STABLE_RELEASE: "true" jobs: security-scan: if: github.repository == 'zhom/donutbrowser' name: Security Vulnerability Scan uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@c51854704019a247608d928f370c98740469d4b5" # v2.3.5 with: scan-args: |- -r --skip-git --lockfile=pnpm-lock.yaml --lockfile=src-tauri/Cargo.lock ./ permissions: security-events: write contents: read actions: read lint-js: if: github.repository == 'zhom/donutbrowser' name: Lint JavaScript/TypeScript uses: ./.github/workflows/lint-js.yml secrets: inherit permissions: contents: read lint-rust: if: github.repository == 'zhom/donutbrowser' name: Lint Rust uses: ./.github/workflows/lint-rs.yml secrets: inherit permissions: contents: read codeql: if: github.repository == 'zhom/donutbrowser' name: CodeQL uses: ./.github/workflows/codeql.yml secrets: inherit permissions: security-events: write contents: read packages: read actions: read spellcheck: if: github.repository == 'zhom/donutbrowser' name: Spell Check uses: ./.github/workflows/spellcheck.yml secrets: inherit permissions: contents: read release: if: github.repository == 'zhom/donutbrowser' needs: [security-scan, lint-js, lint-rust, codeql, spellcheck] permissions: contents: write strategy: fail-fast: false matrix: include: - platform: "macos-latest" args: "--target aarch64-apple-darwin --verbose" arch: "aarch64" target: "aarch64-apple-darwin" pkg_target: "latest-macos-arm64" - platform: "macos-latest" args: "--target x86_64-apple-darwin --verbose" arch: "x86_64" target: "x86_64-apple-darwin" pkg_target: "latest-macos-x64" - platform: "ubuntu-22.04" args: "--target x86_64-unknown-linux-gnu --verbose" arch: "x86_64" target: "x86_64-unknown-linux-gnu" pkg_target: "latest-linux-x64" - platform: "ubuntu-22.04-arm" args: "--target aarch64-unknown-linux-gnu --verbose" arch: "aarch64" target: "aarch64-unknown-linux-gnu" pkg_target: "latest-linux-arm64" - platform: "windows-latest" args: "--target x86_64-pc-windows-msvc --verbose" arch: "x86_64" target: "x86_64-pc-windows-msvc" pkg_target: "latest-win-x64" runs-on: ${{ matrix.platform }} steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2 - name: Setup pnpm uses: pnpm/action-setup@078e9d416474b29c0c387560859308974f7e9c53 #v6.0.1 with: run_install: false - name: Setup Node.js uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f #v6.1.0 with: node-version-file: .node-version cache: "pnpm" - name: Setup Rust uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9 #master with: toolchain: stable targets: ${{ matrix.target }} - name: Install dependencies (Ubuntu only) if: matrix.platform == 'ubuntu-22.04' || matrix.platform == 'ubuntu-22.04-arm' run: | sudo apt-get update sudo apt-get install -y libwebkit2gtk-4.1-dev libgtk-3-dev libayatana-appindicator3-dev librsvg2-dev libxdo-dev pkg-config xdg-utils - name: Rust cache uses: swatinem/rust-cache@c19371144df3bb44fab255c43d04cbc2ab54d1c4 #v2.9.1 with: workdir: ./src-tauri - name: Install frontend dependencies run: pnpm install --frozen-lockfile - name: Build frontend # NEXT_PUBLIC_* vars are inlined at build time and must be forwarded # from secrets explicitly — they are NOT inherited from the job env. env: NEXT_PUBLIC_TURNSTILE: ${{ secrets.NEXT_PUBLIC_TURNSTILE }} run: pnpm exec next build - name: Verify frontend dist exists shell: bash run: | if [ ! -d "dist" ]; then echo "Error: dist directory not found after build" ls -la exit 1 fi echo "Frontend dist directory verified at $(pwd)/dist" echo "Checking from src-tauri perspective:" ls -la src-tauri/../dist || echo "Warning: dist not accessible from src-tauri" - name: Build sidecar binaries shell: bash working-directory: ./src-tauri run: | cargo build --bin donut-proxy --target ${{ matrix.target }} --release cargo build --bin donut-daemon --target ${{ matrix.target }} --release - name: Copy sidecar binaries to Tauri binaries shell: bash run: | mkdir -p src-tauri/binaries if [[ "${{ matrix.platform }}" == "windows-latest" ]]; then cp src-tauri/target/${{ matrix.target }}/release/donut-proxy.exe src-tauri/binaries/donut-proxy-${{ matrix.target }}.exe cp src-tauri/target/${{ matrix.target }}/release/donut-daemon.exe src-tauri/binaries/donut-daemon-${{ matrix.target }}.exe else cp src-tauri/target/${{ matrix.target }}/release/donut-proxy src-tauri/binaries/donut-proxy-${{ matrix.target }} cp src-tauri/target/${{ matrix.target }}/release/donut-daemon src-tauri/binaries/donut-daemon-${{ matrix.target }} chmod +x src-tauri/binaries/donut-proxy-${{ matrix.target }} chmod +x src-tauri/binaries/donut-daemon-${{ matrix.target }} fi - name: Import Apple certificate if: matrix.platform == 'macos-latest' env: APPLE_CERTIFICATE: ${{ secrets.APPLE_CERTIFICATE }} APPLE_CERTIFICATE_KEY: ${{ secrets.APPLE_CERTIFICATE_KEY }} run: | CERT_PATH=$RUNNER_TEMP/cert.cer KEY_PATH=$RUNNER_TEMP/cert.key PEM_PATH=$RUNNER_TEMP/cert.pem P12_PATH=$RUNNER_TEMP/build_certificate.p12 KEYCHAIN_PATH=$RUNNER_TEMP/app-signing.keychain-db KEYCHAIN_PASSWORD=$(openssl rand -base64 32) P12_PASSWORD=$(openssl rand -base64 32) echo "$APPLE_CERTIFICATE" | base64 --decode > $CERT_PATH echo "$APPLE_CERTIFICATE_KEY" | base64 --decode > $KEY_PATH openssl x509 -inform DER -in $CERT_PATH -out $PEM_PATH openssl pkcs12 -export -out $P12_PATH -inkey $KEY_PATH -in $PEM_PATH -passout pass:$P12_PASSWORD security create-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH security set-keychain-settings -lut 21600 $KEYCHAIN_PATH security unlock-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH security import $P12_PATH -P "$P12_PASSWORD" -A -t cert -f pkcs12 -k $KEYCHAIN_PATH security set-key-partition-list -S apple-tool:,apple: -k "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH security list-keychain -d user -s $KEYCHAIN_PATH login.keychain-db echo "Available signing identities:" security find-identity -v -p codesigning $KEYCHAIN_PATH rm -f $CERT_PATH $KEY_PATH $PEM_PATH $P12_PATH - name: Build Tauri app uses: tauri-apps/tauri-action@84b9d35b5fc46c1e45415bdb6144030364f7ebc5 #v0.6.2 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} GITHUB_REF_NAME: ${{ github.ref_name }} APPLE_SIGNING_IDENTITY: ${{ secrets.APPLE_SIGNING_IDENTITY }} APPLE_ID: ${{ secrets.APPLE_ID }} APPLE_PASSWORD: ${{ secrets.APPLE_PASSWORD }} APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }} # tauri-action invokes `pnpm tauri build`, which runs # `beforeBuildCommand` from tauri.conf.json. That rebuilds the # frontend in its own subprocess, so the env var MUST be forwarded # here or the inner `next build` inlines an empty string and # overwrites the dist the explicit "Build frontend" step produced. NEXT_PUBLIC_TURNSTILE: ${{ secrets.NEXT_PUBLIC_TURNSTILE }} with: projectPath: ./src-tauri tagName: ${{ github.ref_name }} releaseName: "Donut Browser ${{ github.ref_name }}" releaseBody: "See the assets to download this version and install." releaseDraft: false prerelease: false args: ${{ matrix.args }} - name: Create portable Windows ZIP if: matrix.platform == 'windows-latest' shell: bash env: TAG: ${{ github.ref_name }} run: | VERSION="${TAG#v}" PORTABLE_DIR="Donut-Portable" mkdir -p "$PORTABLE_DIR" # Copy main executable cp "src-tauri/target/${{ matrix.target }}/release/donutbrowser.exe" "$PORTABLE_DIR/Donut.exe" # Copy sidecar binaries cp "src-tauri/target/${{ matrix.target }}/release/donut-proxy.exe" "$PORTABLE_DIR/" cp "src-tauri/target/${{ matrix.target }}/release/donut-daemon.exe" "$PORTABLE_DIR/" # Copy WebView2Loader if present if [ -f "src-tauri/target/${{ matrix.target }}/release/WebView2Loader.dll" ]; then cp "src-tauri/target/${{ matrix.target }}/release/WebView2Loader.dll" "$PORTABLE_DIR/" fi # Create .portable marker touch "$PORTABLE_DIR/.portable" # Create ZIP 7z a "Donut_${VERSION}_x64-portable.zip" "$PORTABLE_DIR" - name: Upload portable ZIP to release if: matrix.platform == 'windows-latest' shell: bash env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} TAG: ${{ github.ref_name }} run: | VERSION="${TAG#v}" gh release upload "$TAG" "Donut_${VERSION}_x64-portable.zip" --clobber - name: Clean up Apple certificate if: matrix.platform == 'macos-latest' && always() run: | security delete-keychain $RUNNER_TEMP/app-signing.keychain-db || true rm -f $RUNNER_TEMP/build_certificate.p12 || true changelog: if: github.repository == 'zhom/donutbrowser' needs: [release] runs-on: ubuntu-latest permissions: contents: write pull-requests: write steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2 with: ref: main fetch-depth: 0 - name: Generate changelog env: TAG: ${{ github.ref_name }} run: | PREV_TAG=$(git tag --sort=-version:refname \ | grep -E '^v[0-9]+\.[0-9]+\.[0-9]+$' \ | grep -v "^${TAG}$" \ | head -n 1) if [ -z "$PREV_TAG" ]; then PREV_TAG=$(git rev-list --max-parents=0 HEAD) fi echo "Generating changelog: ${PREV_TAG}..${TAG}" features="" fixes="" refactors="" perf="" docs="" maintenance="" other="" strip_prefix() { echo "$1" | sed -E 's/^[a-z]+(\([^)]*\))?: //'; } while IFS= read -r msg; do [ -z "$msg" ] && continue case "$msg" in feat\(*\):*|feat:*) features="${features}- $(strip_prefix "$msg")"$'\n' ;; fix\(*\):*|fix:*) fixes="${fixes}- $(strip_prefix "$msg")"$'\n' ;; refactor\(*\):*|refactor:*) refactors="${refactors}- $(strip_prefix "$msg")"$'\n' ;; perf\(*\):*|perf:*) perf="${perf}- $(strip_prefix "$msg")"$'\n' ;; docs\(*\):*|docs:*) docs="${docs}- $(strip_prefix "$msg")"$'\n' ;; build*|ci*|chore*|test*) maintenance="${maintenance}- ${msg}"$'\n' ;; *) other="${other}- ${msg}"$'\n' ;; esac done < <(git log --pretty=format:"%s" "${PREV_TAG}..${TAG}" --no-merges) { echo "## ${TAG} ($(date -u +%Y-%m-%d))" echo "" [ -n "$features" ] && printf "### Features\n\n%s\n" "$features" [ -n "$fixes" ] && printf "### Bug Fixes\n\n%s\n" "$fixes" [ -n "$refactors" ] && printf "### Refactoring\n\n%s\n" "$refactors" [ -n "$perf" ] && printf "### Performance\n\n%s\n" "$perf" [ -n "$docs" ] && printf "### Documentation\n\n%s\n" "$docs" [ -n "$maintenance" ] && printf "### Maintenance\n\n%s\n" "$maintenance" [ -n "$other" ] && printf "### Other\n\n%s\n" "$other" } > /tmp/release-changelog.md echo "Generated changelog:" cat /tmp/release-changelog.md - name: Update CHANGELOG.md run: | if [ -f CHANGELOG.md ]; then # Insert new entry after the "# Changelog" header (first 2 lines) { head -n 2 CHANGELOG.md echo "" cat /tmp/release-changelog.md tail -n +3 CHANGELOG.md } > CHANGELOG.tmp mv CHANGELOG.tmp CHANGELOG.md else { echo "# Changelog" echo "" cat /tmp/release-changelog.md } > CHANGELOG.md fi - name: Update README download links env: TAG: ${{ github.ref_name }} run: | VERSION="${TAG#v}" BASE="https://github.com/zhom/donutbrowser/releases/download/${TAG}" # Generate the new install section between markers cat > /tmp/install-links.md << LINKS ### macOS | | Apple Silicon | Intel | |---|---|---| | **DMG** | [Download](${BASE}/Donut_${VERSION}_aarch64.dmg) | [Download](${BASE}/Donut_${VERSION}_x64.dmg) | Or install via Homebrew: \`\`\`bash brew install --cask donut \`\`\` ### Windows [Download Windows Installer (x64)](${BASE}/Donut_${VERSION}_x64-setup.exe) · [Portable (x64)](${BASE}/Donut_${VERSION}_x64-portable.zip) ### Linux | Format | x86_64 | ARM64 | |---|---|---| | **deb** | [Download](${BASE}/Donut_${VERSION}_amd64.deb) | [Download](${BASE}/Donut_${VERSION}_arm64.deb) | | **rpm** | [Download](${BASE}/Donut-${VERSION}-1.x86_64.rpm) | [Download](${BASE}/Donut-${VERSION}-1.aarch64.rpm) | | **AppImage** | [Download](${BASE}/Donut_${VERSION}_amd64.AppImage) | [Download](${BASE}/Donut_${VERSION}_aarch64.AppImage) | LINKS # Strip leading whitespace from heredoc sed -i 's/^ //' /tmp/install-links.md # Replace content between markers in README sed -i '//,//{ //{ p r /tmp/install-links.md } //!d }' README.md - name: Create release docs PR env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} TAG: ${{ github.ref_name }} run: | VERSION="${TAG#v}" BRANCH="docs/release-${VERSION}" git config user.name "github-actions[bot]" git config user.email "github-actions[bot]@users.noreply.github.com" git checkout -b "$BRANCH" git add CHANGELOG.md README.md if git diff --cached --quiet; then echo "No changes to commit" else git commit -m "docs: update CHANGELOG.md and README.md for ${TAG} [skip ci]" git push origin "$BRANCH" gh pr create \ --title "docs: release notes for ${TAG}" \ --body "Automated update of CHANGELOG.md and README.md download links for ${TAG}." \ --base main \ --head "$BRANCH" gh pr merge "$BRANCH" --squash --admin fi - name: Update release notes env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} TAG: ${{ github.ref_name }} run: | gh release edit "$TAG" --notes-file /tmp/release-changelog.md notify-discord: if: github.repository == 'zhom/donutbrowser' needs: [release, changelog] runs-on: ubuntu-latest steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2 with: ref: main fetch-depth: 0 - name: Generate changelog summary env: TAG: ${{ github.ref_name }} run: | PREV_TAG=$(git tag --sort=-version:refname \ | grep -E '^v[0-9]+\.[0-9]+\.[0-9]+$' \ | grep -v "^${TAG}$" \ | head -n 1) if [ -z "$PREV_TAG" ]; then PREV_TAG=$(git rev-list --max-parents=0 HEAD) fi strip_prefix() { echo "$1" | sed -E 's/^[a-z]+(\([^)]*\))?: //'; } CHANGES="" while IFS= read -r msg; do [ -z "$msg" ] && continue case "$msg" in feat\(*\):*|feat:*) CHANGES="${CHANGES}• $(strip_prefix "$msg")\n" ;; fix\(*\):*|fix:*) CHANGES="${CHANGES}• $(strip_prefix "$msg")\n" ;; refactor\(*\):*|refactor:*) CHANGES="${CHANGES}• $(strip_prefix "$msg")\n" ;; perf\(*\):*|perf:*) CHANGES="${CHANGES}• $(strip_prefix "$msg")\n" ;; esac done < <(git log --pretty=format:"%s" "${PREV_TAG}..${TAG}" --no-merges) # Truncate to fit Discord embed (max 4096 chars) if [ ${#CHANGES} -gt 3900 ]; then CHANGES="${CHANGES:0:3900}\n..." fi if [ -z "$CHANGES" ]; then CHANGES="See the full changelog on GitHub." fi printf '%b' "$CHANGES" > /tmp/discord-changes.txt - name: Send Discord notification env: DISCORD_WEBHOOK_URL: ${{ secrets.DISCORD_STABLE_WEBHOOK_URL }} TAG: ${{ github.ref_name }} run: | VERSION="${TAG}" RELEASE_URL="https://github.com/${GITHUB_REPOSITORY}/releases/tag/${VERSION}" CHANGES=$(cat /tmp/discord-changes.txt) # Build JSON with jq to handle escaping PAYLOAD=$(jq -n \ --arg title "Donut Browser ${VERSION} Released" \ --arg url "$RELEASE_URL" \ --arg changes "$CHANGES" \ --arg dl_mac_arm "https://github.com/'"${GITHUB_REPOSITORY}"'/releases/download/'"${VERSION}"'/Donut_'"${VERSION#v}"'_aarch64.dmg" \ --arg dl_mac_intel "https://github.com/'"${GITHUB_REPOSITORY}"'/releases/download/'"${VERSION}"'/Donut_'"${VERSION#v}"'_x64.dmg" \ --arg dl_win "https://github.com/'"${GITHUB_REPOSITORY}"'/releases/download/'"${VERSION}"'/Donut_'"${VERSION#v}"'_x64-setup.exe" \ --arg dl_linux "https://github.com/'"${GITHUB_REPOSITORY}"'/releases/download/'"${VERSION}"'/Donut_'"${VERSION#v}"'_amd64.AppImage" \ '{ embeds: [{ title: $title, url: $url, description: $changes, color: 5814783, fields: [ { name: "Download", value: ("[macOS (Apple Silicon)](" + $dl_mac_arm + ") · [macOS (Intel)](" + $dl_mac_intel + ")\n[Windows x64](" + $dl_win + ") · [Linux x64](" + $dl_linux + ")"), inline: false } ], footer: { text: "donutbrowser.com" } }] }') curl -fsSL -H "Content-Type: application/json" -d "$PAYLOAD" "$DISCORD_WEBHOOK_URL" deploy-website: if: github.repository == 'zhom/donutbrowser' needs: [release] runs-on: ubuntu-latest steps: - name: Trigger Cloudflare Pages deployment run: curl -fsSL -X POST "${{ secrets.CLOUDFLARE_WEB_DEPLOYMENT_HOOK }}" docker: if: github.repository == 'zhom/donutbrowser' needs: [release] uses: ./.github/workflows/docker-sync.yml with: tag: ${{ github.ref_name }} secrets: inherit update-flake: if: github.repository == 'zhom/donutbrowser' needs: [release, changelog] runs-on: ubuntu-latest permissions: contents: write pull-requests: write steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2 with: ref: main - name: Compute AppImage hashes env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} TAG: ${{ github.ref_name }} run: | VERSION="${TAG#v}" echo "VERSION=${VERSION}" >> "$GITHUB_ENV" AMD64_URL="https://github.com/zhom/donutbrowser/releases/download/${TAG}/Donut_${VERSION}_amd64.AppImage" AARCH64_URL="https://github.com/zhom/donutbrowser/releases/download/${TAG}/Donut_${VERSION}_aarch64.AppImage" echo "Downloading x86_64 AppImage..." curl -fsSL -o /tmp/amd64.AppImage "$AMD64_URL" || { echo "x86_64 AppImage not found"; exit 1; } echo "Downloading aarch64 AppImage..." curl -fsSL -o /tmp/aarch64.AppImage "$AARCH64_URL" || { echo "aarch64 AppImage not found"; exit 1; } # Compute SRI hashes (sha256-) AMD64_HASH="sha256-$(sha256sum /tmp/amd64.AppImage | awk '{print $1}' | xxd -r -p | base64 | tr -d '\n')" AARCH64_HASH="sha256-$(sha256sum /tmp/aarch64.AppImage | awk '{print $1}' | xxd -r -p | base64 | tr -d '\n')" echo "AMD64_HASH=${AMD64_HASH}" >> "$GITHUB_ENV" echo "AARCH64_HASH=${AARCH64_HASH}" >> "$GITHUB_ENV" echo "AMD64_URL=${AMD64_URL}" >> "$GITHUB_ENV" echo "AARCH64_URL=${AARCH64_URL}" >> "$GITHUB_ENV" echo "x86_64 hash: ${AMD64_HASH}" echo "aarch64 hash: ${AARCH64_HASH}" - name: Update flake.nix run: | # Update releaseVersion sed -i "s/releaseVersion = \"[^\"]*\"/releaseVersion = \"${VERSION}\"/" flake.nix # Update x86_64 URL and hash sed -i "s|url = \"https://github.com/zhom/donutbrowser/releases/download/v[^\"]*_amd64.AppImage\"|url = \"${AMD64_URL}\"|" flake.nix sed -i "/amd64.AppImage/{ n; s|hash = \"[^\"]*\"|hash = \"${AMD64_HASH}\"|; }" flake.nix # Update aarch64 URL and hash sed -i "s|url = \"https://github.com/zhom/donutbrowser/releases/download/v[^\"]*_aarch64.AppImage\"|url = \"${AARCH64_URL}\"|" flake.nix sed -i "/aarch64.AppImage/{ n; s|hash = \"[^\"]*\"|hash = \"${AARCH64_HASH}\"|; }" flake.nix echo "Updated flake.nix:" grep -n "releaseVersion\|AppImage\|hash = " flake.nix - name: Create pull request env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | BRANCH="chore/update-flake-${VERSION}" git config user.name "github-actions[bot]" git config user.email "github-actions[bot]@users.noreply.github.com" git checkout -b "$BRANCH" git add flake.nix if git diff --cached --quiet; then echo "No flake changes needed" exit 0 fi git commit -m "chore: update flake.nix for v${VERSION} [skip ci]" git push origin "$BRANCH" gh pr create \ --title "chore: update flake.nix for v${VERSION}" \ --body "Automated update of flake.nix with new AppImage hashes for v${VERSION}." \ --base main \ --head "$BRANCH" gh pr merge "$BRANCH" --squash --admin