name: Release on: push: tags: - "v*" permissions: contents: write security-events: write packages: read actions: read env: TAURI_SIGNING_PRIVATE_KEY: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY }} TAURI_SIGNING_PRIVATE_KEY_PASSWORD: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY_PASSWORD }} STABLE_RELEASE: "true" jobs: security-scan: if: github.repository == 'zhom/donutbrowser' name: Security Vulnerability Scan uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@c5996e0193a3df57d695c1b8a1dec2a4c62e8730" # v2.3.3 with: scan-args: |- -r --skip-git --lockfile=pnpm-lock.yaml --lockfile=src-tauri/Cargo.lock ./ permissions: security-events: write contents: read actions: read lint-js: if: github.repository == 'zhom/donutbrowser' name: Lint JavaScript/TypeScript uses: ./.github/workflows/lint-js.yml secrets: inherit permissions: contents: read lint-rust: if: github.repository == 'zhom/donutbrowser' name: Lint Rust uses: ./.github/workflows/lint-rs.yml secrets: inherit permissions: contents: read codeql: if: github.repository == 'zhom/donutbrowser' name: CodeQL uses: ./.github/workflows/codeql.yml secrets: inherit permissions: security-events: write contents: read packages: read actions: read spellcheck: if: github.repository == 'zhom/donutbrowser' name: Spell Check uses: ./.github/workflows/spellcheck.yml secrets: inherit permissions: contents: read release: if: github.repository == 'zhom/donutbrowser' needs: [security-scan, lint-js, lint-rust, codeql, spellcheck] permissions: contents: write strategy: fail-fast: false matrix: include: - platform: "macos-latest" args: "--target aarch64-apple-darwin --verbose" arch: "aarch64" target: "aarch64-apple-darwin" pkg_target: "latest-macos-arm64" - platform: "macos-latest" args: "--target x86_64-apple-darwin --verbose" arch: "x86_64" target: "x86_64-apple-darwin" pkg_target: "latest-macos-x64" - platform: "ubuntu-22.04" args: "--target x86_64-unknown-linux-gnu --verbose" arch: "x86_64" target: "x86_64-unknown-linux-gnu" pkg_target: "latest-linux-x64" - platform: "ubuntu-22.04-arm" args: "--target aarch64-unknown-linux-gnu --verbose" arch: "aarch64" target: "aarch64-unknown-linux-gnu" pkg_target: "latest-linux-arm64" - platform: "windows-latest" args: "--target x86_64-pc-windows-msvc --verbose" arch: "x86_64" target: "x86_64-pc-windows-msvc" pkg_target: "latest-win-x64" runs-on: ${{ matrix.platform }} steps: - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 #v6.0.1 - name: Setup pnpm uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 #v4.4.0 with: run_install: false - name: Setup Node.js uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f #v6.1.0 with: node-version-file: .node-version cache: "pnpm" - name: Setup Rust uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9 #master with: toolchain: stable targets: ${{ matrix.target }} - name: Install dependencies (Ubuntu only) if: matrix.platform == 'ubuntu-22.04' || matrix.platform == 'ubuntu-22.04-arm' run: | sudo apt-get update sudo apt-get install -y libwebkit2gtk-4.1-dev libgtk-3-dev libayatana-appindicator3-dev librsvg2-dev libxdo-dev pkg-config xdg-utils - name: Rust cache uses: swatinem/rust-cache@c19371144df3bb44fab255c43d04cbc2ab54d1c4 #v2.9.1 with: workdir: ./src-tauri - name: Install frontend dependencies run: pnpm install --frozen-lockfile - name: Build frontend run: pnpm exec next build - name: Verify frontend dist exists shell: bash run: | if [ ! -d "dist" ]; then echo "Error: dist directory not found after build" ls -la exit 1 fi echo "Frontend dist directory verified at $(pwd)/dist" echo "Checking from src-tauri perspective:" ls -la src-tauri/../dist || echo "Warning: dist not accessible from src-tauri" - name: Build sidecar binaries shell: bash working-directory: ./src-tauri run: | cargo build --bin donut-proxy --target ${{ matrix.target }} --release cargo build --bin donut-daemon --target ${{ matrix.target }} --release - name: Copy sidecar binaries to Tauri binaries shell: bash run: | mkdir -p src-tauri/binaries if [[ "${{ matrix.platform }}" == "windows-latest" ]]; then cp src-tauri/target/${{ matrix.target }}/release/donut-proxy.exe src-tauri/binaries/donut-proxy-${{ matrix.target }}.exe cp src-tauri/target/${{ matrix.target }}/release/donut-daemon.exe src-tauri/binaries/donut-daemon-${{ matrix.target }}.exe else cp src-tauri/target/${{ matrix.target }}/release/donut-proxy src-tauri/binaries/donut-proxy-${{ matrix.target }} cp src-tauri/target/${{ matrix.target }}/release/donut-daemon src-tauri/binaries/donut-daemon-${{ matrix.target }} chmod +x src-tauri/binaries/donut-proxy-${{ matrix.target }} chmod +x src-tauri/binaries/donut-daemon-${{ matrix.target }} fi - name: Import Apple certificate if: matrix.platform == 'macos-latest' env: APPLE_CERTIFICATE: ${{ secrets.APPLE_CERTIFICATE }} APPLE_CERTIFICATE_KEY: ${{ secrets.APPLE_CERTIFICATE_KEY }} run: | CERT_PATH=$RUNNER_TEMP/cert.cer KEY_PATH=$RUNNER_TEMP/cert.key PEM_PATH=$RUNNER_TEMP/cert.pem P12_PATH=$RUNNER_TEMP/build_certificate.p12 KEYCHAIN_PATH=$RUNNER_TEMP/app-signing.keychain-db KEYCHAIN_PASSWORD=$(openssl rand -base64 32) P12_PASSWORD=$(openssl rand -base64 32) echo "$APPLE_CERTIFICATE" | base64 --decode > $CERT_PATH echo "$APPLE_CERTIFICATE_KEY" | base64 --decode > $KEY_PATH openssl x509 -inform DER -in $CERT_PATH -out $PEM_PATH openssl pkcs12 -export -out $P12_PATH -inkey $KEY_PATH -in $PEM_PATH -passout pass:$P12_PASSWORD security create-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH security set-keychain-settings -lut 21600 $KEYCHAIN_PATH security unlock-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH security import $P12_PATH -P "$P12_PASSWORD" -A -t cert -f pkcs12 -k $KEYCHAIN_PATH security set-key-partition-list -S apple-tool:,apple: -k "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH security list-keychain -d user -s $KEYCHAIN_PATH login.keychain-db echo "Available signing identities:" security find-identity -v -p codesigning $KEYCHAIN_PATH rm -f $CERT_PATH $KEY_PATH $PEM_PATH $P12_PATH - name: Build Tauri app uses: tauri-apps/tauri-action@84b9d35b5fc46c1e45415bdb6144030364f7ebc5 #v0.6.2 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} GITHUB_REF_NAME: ${{ github.ref_name }} APPLE_SIGNING_IDENTITY: ${{ secrets.APPLE_SIGNING_IDENTITY }} APPLE_ID: ${{ secrets.APPLE_ID }} APPLE_PASSWORD: ${{ secrets.APPLE_PASSWORD }} APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }} with: projectPath: ./src-tauri tagName: ${{ github.ref_name }} releaseName: "Donut Browser ${{ github.ref_name }}" releaseBody: "See the assets to download this version and install." releaseDraft: false prerelease: false args: ${{ matrix.args }} - name: Clean up Apple certificate if: matrix.platform == 'macos-latest' && always() run: | security delete-keychain $RUNNER_TEMP/app-signing.keychain-db || true rm -f $RUNNER_TEMP/build_certificate.p12 || true changelog: if: github.repository == 'zhom/donutbrowser' needs: [release] runs-on: ubuntu-latest permissions: contents: write steps: - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 #v6.0.1 with: ref: main fetch-depth: 0 - name: Generate changelog env: TAG: ${{ github.ref_name }} run: | PREV_TAG=$(git tag --sort=-version:refname \ | grep -E '^v[0-9]+\.[0-9]+\.[0-9]+$' \ | grep -v "^${TAG}$" \ | head -n 1) if [ -z "$PREV_TAG" ]; then PREV_TAG=$(git rev-list --max-parents=0 HEAD) fi echo "Generating changelog: ${PREV_TAG}..${TAG}" features="" fixes="" refactors="" perf="" docs="" maintenance="" other="" strip_prefix() { echo "$1" | sed -E 's/^[a-z]+(\([^)]*\))?: //'; } while IFS= read -r msg; do [ -z "$msg" ] && continue case "$msg" in feat\(*\):*|feat:*) features="${features}- $(strip_prefix "$msg")"$'\n' ;; fix\(*\):*|fix:*) fixes="${fixes}- $(strip_prefix "$msg")"$'\n' ;; refactor\(*\):*|refactor:*) refactors="${refactors}- $(strip_prefix "$msg")"$'\n' ;; perf\(*\):*|perf:*) perf="${perf}- $(strip_prefix "$msg")"$'\n' ;; docs\(*\):*|docs:*) docs="${docs}- $(strip_prefix "$msg")"$'\n' ;; build*|ci*|chore*|test*) maintenance="${maintenance}- ${msg}"$'\n' ;; *) other="${other}- ${msg}"$'\n' ;; esac done < <(git log --pretty=format:"%s" "${PREV_TAG}..${TAG}" --no-merges) { echo "## ${TAG} ($(date -u +%Y-%m-%d))" echo "" [ -n "$features" ] && printf "### Features\n\n%s\n" "$features" [ -n "$fixes" ] && printf "### Bug Fixes\n\n%s\n" "$fixes" [ -n "$refactors" ] && printf "### Refactoring\n\n%s\n" "$refactors" [ -n "$perf" ] && printf "### Performance\n\n%s\n" "$perf" [ -n "$docs" ] && printf "### Documentation\n\n%s\n" "$docs" [ -n "$maintenance" ] && printf "### Maintenance\n\n%s\n" "$maintenance" [ -n "$other" ] && printf "### Other\n\n%s\n" "$other" } > /tmp/release-changelog.md echo "Generated changelog:" cat /tmp/release-changelog.md - name: Update CHANGELOG.md run: | if [ -f CHANGELOG.md ]; then # Insert new entry after the "# Changelog" header (first 2 lines) { head -n 2 CHANGELOG.md echo "" cat /tmp/release-changelog.md tail -n +3 CHANGELOG.md } > CHANGELOG.tmp mv CHANGELOG.tmp CHANGELOG.md else { echo "# Changelog" echo "" cat /tmp/release-changelog.md } > CHANGELOG.md fi - name: Commit CHANGELOG.md run: | git config user.name "github-actions[bot]" git config user.email "github-actions[bot]@users.noreply.github.com" git add CHANGELOG.md if git diff --cached --quiet; then echo "No changelog changes to commit" else git commit -m "docs: update CHANGELOG.md for ${{ github.ref_name }} [skip ci]" git push origin main fi - name: Update release notes env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} TAG: ${{ github.ref_name }} run: | gh release edit "$TAG" --notes-file /tmp/release-changelog.md notify-discord: if: github.repository == 'zhom/donutbrowser' needs: [release] runs-on: ubuntu-latest steps: - name: Send Discord notification env: DISCORD_WEBHOOK_URL: ${{ secrets.DISCORD_STABLE_WEBHOOK_URL }} run: | VERSION="${GITHUB_REF_NAME}" RELEASE_URL="https://github.com/${GITHUB_REPOSITORY}/releases/tag/${VERSION}" curl -fsSL -H "Content-Type: application/json" \ -d "{ \"embeds\": [{ \"title\": \"Donut Browser ${VERSION} Released\", \"url\": \"${RELEASE_URL}\", \"description\": \"A new stable release of Donut Browser is available.\", \"color\": 5814783 }] }" \ "$DISCORD_WEBHOOK_URL"