name: Rolling Release on: push: branches: - main permissions: contents: write security-events: write packages: read actions: read env: TAURI_SIGNING_PRIVATE_KEY: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY }} TAURI_SIGNING_PRIVATE_KEY_PASSWORD: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY_PASSWORD }} jobs: security-scan: name: Security Vulnerability Scan uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@c5996e0193a3df57d695c1b8a1dec2a4c62e8730" # v2.3.3 with: scan-args: |- -r --skip-git --lockfile=pnpm-lock.yaml --lockfile=src-tauri/Cargo.lock ./ permissions: security-events: write contents: read actions: read lint-js: name: Lint JavaScript/TypeScript uses: ./.github/workflows/lint-js.yml secrets: inherit permissions: contents: read lint-rust: name: Lint Rust uses: ./.github/workflows/lint-rs.yml secrets: inherit permissions: contents: read codeql: name: CodeQL uses: ./.github/workflows/codeql.yml secrets: inherit permissions: security-events: write contents: read packages: read actions: read spellcheck: name: Spell Check uses: ./.github/workflows/spellcheck.yml secrets: inherit permissions: contents: read rolling-release: needs: [security-scan, lint-js, lint-rust, codeql, spellcheck] permissions: contents: write strategy: fail-fast: false matrix: include: - platform: "macos-latest" args: "--target aarch64-apple-darwin --verbose" arch: "aarch64" target: "aarch64-apple-darwin" pkg_target: "latest-macos-arm64" - platform: "macos-latest" args: "--target x86_64-apple-darwin --verbose" arch: "x86_64" target: "x86_64-apple-darwin" pkg_target: "latest-macos-x64" - platform: "ubuntu-22.04" args: "--target x86_64-unknown-linux-gnu --verbose" arch: "x86_64" target: "x86_64-unknown-linux-gnu" pkg_target: "latest-linux-x64" - platform: "ubuntu-22.04-arm" args: "--target aarch64-unknown-linux-gnu --verbose" arch: "aarch64" target: "aarch64-unknown-linux-gnu" pkg_target: "latest-linux-arm64" - platform: "windows-latest" args: "--target x86_64-pc-windows-msvc --verbose" arch: "x86_64" target: "x86_64-pc-windows-msvc" pkg_target: "latest-win-x64" runs-on: ${{ matrix.platform }} steps: - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 #v6.0.1 - name: Setup pnpm uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 #v4.4.0 with: run_install: false - name: Setup Node.js uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f #v6.1.0 with: node-version-file: .node-version cache: "pnpm" - name: Setup Rust uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9 #master with: toolchain: stable targets: ${{ matrix.target }} - name: Install dependencies (Ubuntu only) if: matrix.platform == 'ubuntu-22.04' || matrix.platform == 'ubuntu-22.04-arm' run: | sudo apt-get update sudo apt-get install -y libwebkit2gtk-4.1-dev libgtk-3-dev libayatana-appindicator3-dev librsvg2-dev libxdo-dev pkg-config xdg-utils - name: Rust cache uses: swatinem/rust-cache@c19371144df3bb44fab255c43d04cbc2ab54d1c4 #v2.9.1 with: workdir: ./src-tauri - name: Install frontend dependencies run: pnpm install --frozen-lockfile - name: Build frontend run: pnpm exec next build - name: Verify frontend dist exists shell: bash run: | if [ ! -d "dist" ]; then echo "Error: dist directory not found after build" ls -la exit 1 fi echo "Frontend dist directory verified at $(pwd)/dist" echo "Checking from src-tauri perspective:" ls -la src-tauri/../dist || echo "Warning: dist not accessible from src-tauri" - name: Build sidecar binaries shell: bash working-directory: ./src-tauri run: | cargo build --bin donut-proxy --target ${{ matrix.target }} --release cargo build --bin donut-daemon --target ${{ matrix.target }} --release - name: Copy sidecar binaries to Tauri binaries shell: bash run: | mkdir -p src-tauri/binaries if [[ "${{ matrix.platform }}" == "windows-latest" ]]; then cp src-tauri/target/${{ matrix.target }}/release/donut-proxy.exe src-tauri/binaries/donut-proxy-${{ matrix.target }}.exe cp src-tauri/target/${{ matrix.target }}/release/donut-daemon.exe src-tauri/binaries/donut-daemon-${{ matrix.target }}.exe else cp src-tauri/target/${{ matrix.target }}/release/donut-proxy src-tauri/binaries/donut-proxy-${{ matrix.target }} cp src-tauri/target/${{ matrix.target }}/release/donut-daemon src-tauri/binaries/donut-daemon-${{ matrix.target }} chmod +x src-tauri/binaries/donut-proxy-${{ matrix.target }} chmod +x src-tauri/binaries/donut-daemon-${{ matrix.target }} fi - name: Import Apple certificate if: matrix.platform == 'macos-latest' env: APPLE_CERTIFICATE: ${{ secrets.APPLE_CERTIFICATE }} APPLE_CERTIFICATE_KEY: ${{ secrets.APPLE_CERTIFICATE_KEY }} run: | CERT_PATH=$RUNNER_TEMP/cert.cer KEY_PATH=$RUNNER_TEMP/cert.key PEM_PATH=$RUNNER_TEMP/cert.pem P12_PATH=$RUNNER_TEMP/build_certificate.p12 KEYCHAIN_PATH=$RUNNER_TEMP/app-signing.keychain-db KEYCHAIN_PASSWORD=$(openssl rand -base64 32) P12_PASSWORD=$(openssl rand -base64 32) echo "$APPLE_CERTIFICATE" | base64 --decode > $CERT_PATH echo "$APPLE_CERTIFICATE_KEY" | base64 --decode > $KEY_PATH openssl x509 -inform DER -in $CERT_PATH -out $PEM_PATH openssl pkcs12 -export -out $P12_PATH -inkey $KEY_PATH -in $PEM_PATH -passout pass:$P12_PASSWORD security create-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH security set-keychain-settings -lut 21600 $KEYCHAIN_PATH security unlock-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH security import $P12_PATH -P "$P12_PASSWORD" -A -t cert -f pkcs12 -k $KEYCHAIN_PATH security set-key-partition-list -S apple-tool:,apple: -k "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH security list-keychain -d user -s $KEYCHAIN_PATH login.keychain-db echo "Available signing identities:" security find-identity -v -p codesigning $KEYCHAIN_PATH rm -f $CERT_PATH $KEY_PATH $PEM_PATH $P12_PATH - name: Generate nightly timestamp id: timestamp shell: bash run: | TIMESTAMP=$(date -u +"%Y-%m-%d") COMMIT_HASH=$(echo "${GITHUB_SHA}" | cut -c1-7) echo "timestamp=${TIMESTAMP}-${COMMIT_HASH}" >> $GITHUB_OUTPUT echo "Generated timestamp: ${TIMESTAMP}-${COMMIT_HASH}" - name: Build Tauri app uses: tauri-apps/tauri-action@73fb865345c54760d875b94642314f8c0c894afa #v0.6.1 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} BUILD_TAG: "nightly-${{ steps.timestamp.outputs.timestamp }}" GITHUB_REF_NAME: "nightly-${{ steps.timestamp.outputs.timestamp }}" GITHUB_SHA: ${{ github.sha }} APPLE_SIGNING_IDENTITY: ${{ secrets.APPLE_SIGNING_IDENTITY }} APPLE_ID: ${{ secrets.APPLE_ID }} APPLE_PASSWORD: ${{ secrets.APPLE_PASSWORD }} APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }} with: projectPath: ./src-tauri tagName: "nightly-${{ steps.timestamp.outputs.timestamp }}" releaseName: "Donut Browser Nightly (Build ${{ steps.timestamp.outputs.timestamp }})" releaseBody: "⚠️ **Nightly Release** - This is an automatically generated pre-release build from the latest main branch. Use with caution.\n\nCommit: ${{ github.sha }}\nBuild: ${{ steps.timestamp.outputs.timestamp }}" releaseDraft: false prerelease: true args: ${{ matrix.args }} - name: Clean up Apple certificate if: matrix.platform == 'macos-latest' && always() run: | security delete-keychain $RUNNER_TEMP/app-signing.keychain-db || true rm -f $RUNNER_TEMP/build_certificate.p12 || true update-nightly-release: needs: [rolling-release] runs-on: ubuntu-latest permissions: contents: write steps: - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 #v6.0.1 - name: Generate nightly tag id: tag run: | TIMESTAMP=$(date -u +"%Y-%m-%d") COMMIT_HASH=$(echo "${GITHUB_SHA}" | cut -c1-7) echo "nightly_tag=nightly-${TIMESTAMP}-${COMMIT_HASH}" >> $GITHUB_OUTPUT - name: Update rolling nightly release env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | NIGHTLY_TAG="${{ steps.tag.outputs.nightly_tag }}" ASSETS_DIR="/tmp/nightly-assets" # Download all assets from the per-commit nightly release mkdir -p "$ASSETS_DIR" gh release download "$NIGHTLY_TAG" --dir "$ASSETS_DIR" --clobber # Rename versioned filenames to stable nightly names cd "$ASSETS_DIR" for f in Donut_*_aarch64.dmg; do [ -f "$f" ] && mv "$f" Donut_nightly_aarch64.dmg; done for f in Donut_*_x64.dmg; do [ -f "$f" ] && mv "$f" Donut_nightly_x64.dmg; done for f in Donut_*_x64-setup.exe; do [ -f "$f" ] && mv "$f" Donut_nightly_x64-setup.exe; done for f in Donut_*_aarch64.AppImage; do [ -f "$f" ] && mv "$f" Donut_nightly_aarch64.AppImage; done for f in Donut_*_amd64.AppImage; do [ -f "$f" ] && mv "$f" Donut_nightly_amd64.AppImage; done for f in Donut_*_amd64.deb; do [ -f "$f" ] && mv "$f" Donut_nightly_amd64.deb; done for f in Donut_*_arm64.deb; do [ -f "$f" ] && mv "$f" Donut_nightly_arm64.deb; done for f in Donut-*.x86_64.rpm; do [ -f "$f" ] && mv "$f" Donut_nightly_x86_64.rpm; done for f in Donut-*.aarch64.rpm; do [ -f "$f" ] && mv "$f" Donut_nightly_aarch64.rpm; done cd "$GITHUB_WORKSPACE" # Delete existing rolling nightly release and tag gh release delete nightly --yes 2>/dev/null || true git push --delete origin nightly 2>/dev/null || true # Create new rolling nightly release with all assets gh release create nightly \ "$ASSETS_DIR"/Donut_nightly_* \ "$ASSETS_DIR"/Donut_aarch64.app.tar.gz \ "$ASSETS_DIR"/Donut_x64.app.tar.gz \ --title "Donut Browser Nightly" \ --notes "Automatically updated nightly build from the latest main branch.\n\nCommit: ${GITHUB_SHA}" \ --prerelease