mirror of
https://github.com/zhayujie/chatgpt-on-wechat.git
synced 2026-07-17 19:27:11 +08:00
297 lines
12 KiB
YAML
297 lines
12 KiB
YAML
name: Release Desktop
|
|
|
|
# STAGE 1 of the decoupled release pipeline: BUILD ONLY.
|
|
# Builds the desktop client for macOS (arm64 + x64) and Windows (x64), mirrors
|
|
# the installers to R2, and registers them in D1 as UNPUBLISHED (is_latest=0)
|
|
# so the website keeps serving the previous release. It does NOT notarize
|
|
# (Apple's notary service stalls this large bundle for hours) and does NOT
|
|
# create a GitHub Release.
|
|
#
|
|
# Full flow:
|
|
# 1. (this workflow) build + upload to R2 + D1 as unpublished.
|
|
# 2. (local) download the mac dmgs, run desktop/build/notarize-dmg.sh to
|
|
# notarize + staple + re-upload the stapled dmgs to R2.
|
|
# 3. (Publish Desktop workflow) flip D1 is_latest=1 and attach GitHub
|
|
# Release assets — makes the version live on the site.
|
|
#
|
|
# Push a tag like `v1.2.0` (or use workflow_dispatch) to run stage 1.
|
|
on:
|
|
push:
|
|
tags:
|
|
- "v*"
|
|
# Manual trigger for testing the full pipeline without cutting a real tag.
|
|
workflow_dispatch:
|
|
inputs:
|
|
version:
|
|
description: "Version to stamp (e.g. 1.0.0-test). Used for package.json and R2 path."
|
|
type: string
|
|
default: "0.0.0-dev"
|
|
publish_r2:
|
|
description: "Upload installers to R2 + register in D1 (needs Cloudflare secrets)"
|
|
type: boolean
|
|
default: false
|
|
|
|
permissions:
|
|
contents: write
|
|
|
|
jobs:
|
|
build:
|
|
name: Build ${{ matrix.name }}
|
|
runs-on: ${{ matrix.os }}
|
|
strategy:
|
|
# Don't cancel the other platforms if one fails — we want to see all
|
|
# failures in a single run.
|
|
fail-fast: false
|
|
matrix:
|
|
include:
|
|
- name: macOS arm64
|
|
os: macos-14
|
|
platform: mac
|
|
arch: arm64
|
|
eb_flags: --mac --arm64
|
|
- name: macOS x64
|
|
os: macos-15-intel
|
|
platform: mac
|
|
arch: x64
|
|
eb_flags: --mac --x64
|
|
- name: Windows x64
|
|
os: windows-latest
|
|
platform: win
|
|
arch: x64
|
|
eb_flags: --win --x64
|
|
|
|
steps:
|
|
- name: Checkout
|
|
uses: actions/checkout@v4
|
|
|
|
- name: Derive version
|
|
# Tag push: strip the leading "v" from GITHUB_REF_NAME (e.g. v1.2.0).
|
|
# Manual dispatch: use the provided version input.
|
|
id: ver
|
|
shell: bash
|
|
run: |
|
|
if [ "${{ github.event_name }}" = "push" ]; then
|
|
ref="${GITHUB_REF_NAME:-}"
|
|
echo "version=${ref#v}" >> "$GITHUB_OUTPUT"
|
|
else
|
|
echo "version=${{ github.event.inputs.version }}" >> "$GITHUB_OUTPUT"
|
|
fi
|
|
|
|
- name: Set up Python
|
|
uses: actions/setup-python@v5
|
|
with:
|
|
python-version: "3.11"
|
|
|
|
- name: Set up Node
|
|
uses: actions/setup-node@v4
|
|
with:
|
|
node-version: "20"
|
|
|
|
- name: Build Python backend (PyInstaller)
|
|
shell: bash
|
|
run: |
|
|
python -m pip install --upgrade pip
|
|
pip install -r desktop/build/requirements-desktop.txt
|
|
pip install pyinstaller
|
|
# Run from repo root so the spec's relative datas resolve correctly.
|
|
pyinstaller desktop/build/cowagent-backend.spec \
|
|
--noconfirm \
|
|
--distpath desktop/build/dist \
|
|
--workpath desktop/build/build-work
|
|
|
|
- name: Install desktop deps
|
|
working-directory: desktop
|
|
run: npm ci
|
|
|
|
- name: Write version into package.json
|
|
working-directory: desktop
|
|
shell: bash
|
|
run: npm version "${{ steps.ver.outputs.version }}" --no-git-tag-version --allow-same-version
|
|
|
|
- name: Build & publish (electron-builder)
|
|
working-directory: desktop
|
|
shell: bash
|
|
env:
|
|
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
|
# Signing secrets are passed through as-is; we only export them to the
|
|
# environment below when non-empty. An empty CSC_LINK would make
|
|
# electron-builder try to load a bogus certificate and fail, so unset
|
|
# is the correct state for unsigned builds.
|
|
MAC_CSC_LINK: ${{ secrets.MAC_CSC_LINK }}
|
|
MAC_CSC_KEY_PASSWORD: ${{ secrets.MAC_CSC_KEY_PASSWORD }}
|
|
WIN_CSC_LINK: ${{ secrets.WIN_CSC_LINK }}
|
|
WIN_CSC_KEY_PASSWORD: ${{ secrets.WIN_CSC_KEY_PASSWORD }}
|
|
run: |
|
|
npm run build
|
|
|
|
# Only export signing vars when provided. Empty strings are NOT the
|
|
# same as unset to electron-builder: an empty CSC_LINK is treated as
|
|
# a (broken) certificate path and aborts the build. Leaving them
|
|
# unset makes electron-builder fall back to an unsigned build.
|
|
if [ -n "$MAC_CSC_LINK" ]; then
|
|
export CSC_LINK="$MAC_CSC_LINK"
|
|
export CSC_KEY_PASSWORD="$MAC_CSC_KEY_PASSWORD"
|
|
fi
|
|
if [ -z "$WIN_CSC_LINK" ]; then
|
|
unset WIN_CSC_LINK WIN_CSC_KEY_PASSWORD
|
|
fi
|
|
|
|
# Never let electron-builder publish: our publish target is a generic
|
|
# (read-only) feed served from R2/D1, which it can't upload to. We mirror
|
|
# installers to R2 and register them in D1 ourselves (publish-r2 job).
|
|
# `--publish never` still emits the latest*.yml files.
|
|
# Use the dynamic config (electron-builder.js): it populates
|
|
# mac.binaries (backend Mach-O files to sign). Notarization is NOT done
|
|
# here — Apple's notary service keeps this large bundle "In Progress"
|
|
# for hours, so it's decoupled into a manual local step
|
|
# (desktop/build/notarize-dmg.sh) run after this build produces the
|
|
# signed dmg. The dmg is signed + hardened-runtime, so it only needs a
|
|
# ticket stapled later.
|
|
npx electron-builder ${{ matrix.eb_flags }} --config electron-builder.js --publish never
|
|
|
|
# Upload artifacts regardless of outcome, so a failed run still surfaces
|
|
# the built installers (and, on success, the notarized+stapled dmg).
|
|
- name: Upload artifacts
|
|
if: always()
|
|
uses: actions/upload-artifact@v4
|
|
with:
|
|
# One bundle per platform/arch so the publish job can collect them all.
|
|
name: cowagent-${{ matrix.platform }}-${{ matrix.arch }}
|
|
path: |
|
|
desktop/release/*.dmg
|
|
desktop/release/*.exe
|
|
desktop/release/*.yml
|
|
desktop/release/*.blockmap
|
|
if-no-files-found: ignore
|
|
retention-days: 7
|
|
|
|
# Mirror the release installers to R2 (CDN-backed) and register them in D1 so
|
|
# cowagent.ai/download/{platform}/latest can resolve and count downloads.
|
|
# Runs only on tag pushes, and is a no-op (skips) until the Cloudflare secrets
|
|
# are configured, so it never blocks unsigned/dry builds.
|
|
publish-r2:
|
|
name: Publish to R2 + D1
|
|
# Require every platform in the build matrix to succeed before publishing,
|
|
# so a release on R2/D1 is always complete (all installers present) rather
|
|
# than partial. needs: build already gates on all matrix jobs succeeding.
|
|
needs: build
|
|
runs-on: ubuntu-latest
|
|
# Run on a tag push, or on a manual dispatch when publish_r2 is checked.
|
|
if: >-
|
|
(github.event_name == 'push' && startsWith(github.ref, 'refs/tags/v')) ||
|
|
(github.event_name == 'workflow_dispatch' && github.event.inputs.publish_r2 == 'true')
|
|
steps:
|
|
- name: Checkout
|
|
uses: actions/checkout@v4
|
|
|
|
- name: Guard on Cloudflare secrets
|
|
id: guard
|
|
env:
|
|
CF_TOKEN: ${{ secrets.CLOUDFLARE_API_TOKEN }}
|
|
run: |
|
|
if [ -n "$CF_TOKEN" ]; then
|
|
echo "enabled=true" >> "$GITHUB_OUTPUT"
|
|
else
|
|
echo "enabled=false" >> "$GITHUB_OUTPUT"
|
|
echo "::notice::CLOUDFLARE_API_TOKEN not set — skipping R2/D1 publish."
|
|
fi
|
|
|
|
- name: Derive version
|
|
if: steps.guard.outputs.enabled == 'true'
|
|
id: ver
|
|
run: |
|
|
if [ "${{ github.event_name }}" = "push" ]; then
|
|
echo "version=${GITHUB_REF_NAME#v}" >> "$GITHUB_OUTPUT"
|
|
else
|
|
echo "version=${{ github.event.inputs.version }}" >> "$GITHUB_OUTPUT"
|
|
fi
|
|
|
|
- name: Download all build artifacts
|
|
if: steps.guard.outputs.enabled == 'true'
|
|
uses: actions/download-artifact@v4
|
|
with:
|
|
path: artifacts
|
|
|
|
- name: Stage installers
|
|
if: steps.guard.outputs.enabled == 'true'
|
|
id: stage
|
|
run: |
|
|
mkdir -p dist
|
|
# Flatten installers + their .blockmap (used by electron-updater for
|
|
# differential downloads) from every per-platform artifact dir. The
|
|
# .yml feed is generated dynamically by the /update Function from D1,
|
|
# so the yml files themselves don't need to go to R2.
|
|
find artifacts -type f \( -name '*.dmg' -o -name '*.exe' -o -name '*.blockmap' \) -exec cp {} dist/ \;
|
|
echo "Staged files:"; ls -la dist
|
|
# When the whole matrix failed there's nothing to publish; flag it so
|
|
# the R2/D1 steps skip instead of writing an empty/partial release.
|
|
if [ -n "$(ls -A dist 2>/dev/null)" ]; then
|
|
echo "has_files=true" >> "$GITHUB_OUTPUT"
|
|
else
|
|
echo "has_files=false" >> "$GITHUB_OUTPUT"
|
|
echo "::warning::No installers found in any artifact — skipping R2/D1 publish."
|
|
fi
|
|
|
|
- name: Upload installers to R2
|
|
if: steps.guard.outputs.enabled == 'true' && steps.stage.outputs.has_files == 'true'
|
|
env:
|
|
CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_API_TOKEN }}
|
|
CLOUDFLARE_ACCOUNT_ID: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
|
|
VER: ${{ steps.ver.outputs.version }}
|
|
run: |
|
|
# Reuse the existing cow-skills bucket under a desktop/ prefix; this
|
|
# is served by the cdn.cowagent.ai custom domain.
|
|
for f in dist/*; do
|
|
base="$(basename "$f")"
|
|
key="desktop/v${VER}/${base}"
|
|
echo "==> Uploading $base -> r2://cow-skills/$key"
|
|
npx --yes wrangler@latest r2 object put "cow-skills/$key" \
|
|
--file "$f" --remote
|
|
done
|
|
|
|
- name: Register release rows in D1
|
|
if: steps.guard.outputs.enabled == 'true' && steps.stage.outputs.has_files == 'true'
|
|
env:
|
|
CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_API_TOKEN }}
|
|
CLOUDFLARE_ACCOUNT_ID: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
|
|
VER: ${{ steps.ver.outputs.version }}
|
|
run: |
|
|
# Map each installer filename to a platform id. dmg arch is in the
|
|
# name (…-arm64.dmg / …-x64.dmg); .exe is the Windows installer.
|
|
sql_file="$(mktemp)"
|
|
|
|
# This build job ALWAYS registers rows as unpublished (is_latest=0), so
|
|
# /download/<p>/latest keeps serving the previous release and the new
|
|
# version stays invisible on the site. macOS dmgs still need to be
|
|
# notarized+stapled locally (build/notarize-dmg.sh) before they're
|
|
# safe to ship. Promotion to latest happens later, only after
|
|
# notarization, via the separate "Publish Desktop" workflow.
|
|
echo "==> Registering $VER as unpublished (is_latest=0)."
|
|
|
|
# Compute sha512 (base64, the format electron-updater validates) from
|
|
# the actual staged files rather than electron-builder's latest*.yml.
|
|
# NOTE: for macOS the dmg is re-hashed later by the publish workflow
|
|
# after stapling (stapling rewrites the dmg bytes), so the sha stored
|
|
# here is a placeholder for mac and authoritative only for win.
|
|
sha_for_file() { openssl dgst -sha512 -binary "$1" | openssl base64 -A; }
|
|
|
|
for f in dist/*; do
|
|
base="$(basename "$f")"
|
|
size="$(stat -c%s "$f")"
|
|
case "$base" in
|
|
*arm64.dmg) platform="mac-arm64" ;;
|
|
*x64.dmg) platform="mac-x64" ;;
|
|
*.exe) platform="win" ;;
|
|
*) echo "Skipping unrecognized artifact: $base"; continue ;;
|
|
esac
|
|
key="v${VER}/${base}"
|
|
sha="$(sha_for_file "$f")"
|
|
# SQL-escape single quotes defensively (base64 has none, but be safe).
|
|
sha="${sha//\'/\'\'}"
|
|
# Never mark latest here — the row is unpublished until the separate
|
|
# publish workflow promotes it after notarization.
|
|
echo "INSERT OR REPLACE INTO releases (version, platform, filename, size, sha512, is_latest) VALUES ('${VER}', '${platform}', '${key}', ${size}, '${sha}', 0);" >> "$sql_file"
|
|
done
|
|
echo "==> D1 statements:"; cat "$sql_file"
|
|
npx --yes wrangler@latest d1 execute cow-desktop --remote --file "$sql_file"
|