awesome-bookmarks/goose
3
0
Fork 0
mirror of https://github.com/block/goose.git synced 2026-06-02 06:19:33 +02:00
Code Issues Packages Projects Releases Wiki Activity
Files
2bc2b6cd75c6ad979b7dcd06df7e6de7535e8d1a
goose/.github/workflows/bundle-desktop.yml
T
dependabot[bot] 2bc2b6cd75 chore(deps): bump actions/checkout from 4 to 6 (#9264) 
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-05-15 14:05:47 -04:00

339 lines
11 KiB
YAML
Raw Blame History

# This is a **reuseable** workflow that bundles the Desktop App for macOS.
# It doesn't get triggered on its own. It gets used in multiple workflows:
# - release.yml
# - canary.yml
# - pr-comment-bundle-desktop.yml
# - bundle-desktop-manual.yml
on:
workflow_call:
inputs:
version:
description: 'Version to set for the build'
required: false
default: ""
type: string
signing:
description: 'Whether to perform signing and notarization'
required: false
default: false
type: boolean
quick_test:
description: 'Whether to perform the quick launch test'
required: false
default: true
type: boolean
ref:
description: 'Git ref to checkout (branch, tag, or SHA). Defaults to main branch if not specified.'
required: false
type: string
default: ''
environment:
description: 'GitHub Environment containing signing secrets (e.g. "signing"). Leave empty to skip.'
required: false
type: string
default: ''
name: Reusable workflow to bundle desktop app
jobs:
build-desktop:
runs-on: macos-latest
name: Build Desktop App on macOS
env:
MACOSX_DEPLOYMENT_TARGET: "12.0"
permissions:
id-token: write
contents: read
steps:
# Debug information about the workflow and inputs
- name: Debug workflow info
env:
WORKFLOW_NAME: ${{ github.workflow }}
WORKFLOW_REF: ${{ github.ref }}
EVENT_NAME: ${{ github.event_name }}
REPOSITORY: ${{ github.repository }}
INPUT_REF: ${{ inputs.ref }}
INPUT_VERSION: ${{ inputs.version }}
INPUT_SIGNING: ${{ inputs.signing }}
INPUT_QUICK_TEST: ${{ inputs.quick_test }}
run: |
echo "=== Workflow Information ==="
echo "Workflow: ${WORKFLOW_NAME}"
echo "Ref: ${WORKFLOW_REF}"
echo "Event: ${EVENT_NAME}"
echo "Repo: ${REPOSITORY}"
echo ""
echo "=== Input Parameters ==="
echo "Build ref: ${INPUT_REF:-<default branch>}"
echo "Version: ${INPUT_VERSION:-not set}"
echo "Signing: ${INPUT_SIGNING:-false}"
echo "Quick test: ${INPUT_QUICK_TEST:-true}"
# Check initial disk space
- name: Check initial disk space
run: df -h
- name: Checkout code
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
# Only pass ref if it's explicitly set, otherwise let checkout action use its default behavior
ref: ${{ inputs.ref != '' && inputs.ref || '' }}
- name: Debug git status
run: |
echo "=== Git Status ==="
git status
echo ""
echo "=== Current Commit ==="
git rev-parse HEAD
git rev-parse --abbrev-ref HEAD
echo ""
echo "=== Recent Commits ==="
git log --oneline -n 5
echo ""
echo "=== Remote Branches ==="
git branch -r
# Update versions before build
- name: Update versions
if: ${{ inputs.version != '' }}
env:
VERSION: ${{ inputs.version }}
run: |
# Update version in Cargo.toml
sed -i.bak "s/^version = \".*\"/version = \"${VERSION}\"/" Cargo.toml
rm -f Cargo.toml.bak
source ./bin/activate-hermit
# Update version in package.json
cd ui/desktop
npm pkg set "version=${VERSION}"
- name: Cache Rust dependencies
uses: Swatinem/rust-cache@c19371144df3bb44fab255c43d04cbc2ab54d1c4 # v2.9.1
with:
key: macos-deployment-target-12
# Build the project
- name: Build goosed
run: source ./bin/activate-hermit && cargo build --release -p goose-server
# Post-build cleanup to free space
- name: Post-build cleanup
run: |
echo "Performing post-build cleanup..."
# Remove debug artifacts
rm -rf target/debug || true
# Keep only what's needed for the next steps
rm -rf target/release/deps || true
rm -rf target/release/build || true
rm -rf target/release/incremental || true
# Check disk space after cleanup
df -h
- name: Copy binaries into Electron folder
run: |
cp target/release/goosed ui/desktop/src/bin/goosed
- name: Cache pnpm dependencies
uses: actions/cache@8b402f58fbc84540c8b491a91e594a4576fec3d7 # v5.0.2
with:
path: |
ui/desktop/node_modules
.hermit/node/cache
key: macos-pnpm-cache-v1-${{ runner.os }}-${{ hashFiles('ui/pnpm-lock.yaml') }}
restore-keys: |
macos-pnpm-cache-v1-${{ runner.os }}-
- name: Install dependencies
run: source ../../bin/activate-hermit && pnpm install --frozen-lockfile
working-directory: ui/desktop
# Check disk space before bundling
- name: Check disk space before bundling
run: df -h
# Build without signing — signing env vars are intentionally omitted
- name: Build App (unsigned)
run: |
source ../../bin/activate-hermit
attempt=0
max_attempts=2
until [ $attempt -ge $max_attempts ]; do
pnpm run bundle:default && break
attempt=$((attempt + 1))
echo "Attempt $attempt failed. Retrying..."
sleep 5
done
if [ $attempt -ge $max_attempts ]; then
echo "Action failed after $max_attempts attempts."
exit 1
fi
working-directory: ui/desktop
- name: Final cleanup before artifact upload
run: |
echo "Performing final cleanup..."
# Remove build artifacts that are no longer needed
rm -rf target || true
# Check disk space after cleanup
df -h
- name: Upload unsigned Desktop artifact
id: upload-app-bundle
uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
with:
name: Goose-darwin-arm64-unsigned
path: ui/desktop/out/Goose-darwin-arm64/
- name: Quick launch test (macOS)
if: ${{ inputs.quick_test }}
run: |
# Ensure no quarantine attributes (if needed)
xattr -cr "ui/desktop/out/Goose-darwin-arm64/Goose.app"
echo "Opening Goose.app..."
open -g "ui/desktop/out/Goose-darwin-arm64/Goose.app"
# Give the app a few seconds to start and write logs
sleep 5
# Check if it's running
if pgrep -f "Goose.app/Contents/MacOS/Goose" > /dev/null; then
echo "App appears to be running."
else
echo "App did not stay open. Possible crash or startup error."
exit 1
fi
# Kill the app to clean up
pkill -f "Goose.app/Contents/MacOS/Goose"
sign-desktop:
needs: build-desktop
if: ${{ inputs.signing }}
runs-on: macos-latest
name: Sign and Notarize Desktop App on macOS
environment: ${{ inputs.environment || '' }}
permissions:
id-token: write
contents: read
outputs:
artifact-url: ${{ steps.upload-signed-bundle.outputs.artifact-url }}
steps:
- name: Checkout code
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
ref: ${{ inputs.ref != '' && inputs.ref || '' }}
sparse-checkout: |
.github/actions/apple-codesign
ui/desktop/entitlements.plist
- name: Download unsigned artifact
uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
with:
name: Goose-darwin-arm64-unsigned
path: app-bundle/
- name: Import Apple signing certificate
uses: ./.github/actions/apple-codesign
with:
certificate-base64: ${{ secrets.APPLE_CERTIFICATE_BASE64 }}
certificate-password: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
- name: Setup Node.js
uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
with:
node-version: 22
- name: Install signing tools
run: npm install @electron/osx-sign @electron/notarize
- name: Sign app bundle
env:
KEYCHAIN_PATH: ${{ env.KEYCHAIN_PATH }}
run: |
node -e "
const { signAsync } = require('@electron/osx-sign');
signAsync({
app: 'app-bundle/Goose.app',
keychain: process.env.KEYCHAIN_PATH || undefined,
identity: 'Developer ID Application',
entitlements: 'ui/desktop/entitlements.plist',
entitlementsInherit: 'ui/desktop/entitlements.plist',
}).then(() => {
console.log('Code signing complete.');
}).catch((err) => {
console.error('Code signing failed:', err);
process.exit(1);
});
"
- name: Verify code signature
run: |
codesign --verify --deep --strict --verbose=2 app-bundle/Goose.app
echo "Signature verification passed."
- name: Notarize app bundle
env:
APPLE_ID: ${{ secrets.APPLE_ID }}
APPLE_ID_PASSWORD: ${{ secrets.APPLE_ID_PASSWORD }}
APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
run: |
node -e "
const { notarize } = require('@electron/notarize');
notarize({
appPath: 'app-bundle/Goose.app',
appleId: process.env.APPLE_ID,
appleIdPassword: process.env.APPLE_ID_PASSWORD,
teamId: process.env.APPLE_TEAM_ID,
}).then(() => {
console.log('Notarization complete.');
}).catch((err) => {
console.error('Notarization failed:', err);
process.exit(1);
});
"
- name: Staple notarization ticket
run: xcrun stapler staple app-bundle/Goose.app
- name: Create zip for distribution
run: |
cd app-bundle
ditto -c -k --sequesterRsrc --keepParent Goose.app Goose.zip
- name: Upload signed Desktop artifact
id: upload-signed-bundle
uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
with:
name: Goose-darwin-arm64
path: app-bundle/Goose.zip
- name: Clean up signing keychain
if: always()
run: |
if [ -n "$KEYCHAIN_PATH" ] && [ -f "$KEYCHAIN_PATH" ]; then
security delete-keychain "$KEYCHAIN_PATH" || true
fi
# When signing is disabled, publish the unsigned build with the expected artifact name
package-desktop:
needs: build-desktop
if: ${{ !inputs.signing }}
runs-on: ubuntu-latest
name: Package Desktop App (unsigned)
outputs:
artifact-url: ${{ steps.upload-unsigned-bundle.outputs.artifact-url }}
steps:
- name: Download unsigned artifact
uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
with:
name: Goose-darwin-arm64-unsigned
path: app-bundle/
- name: Upload Desktop artifact
id: upload-unsigned-bundle
uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
with:
name: Goose-darwin-arm64
path: app-bundle/Goose.zip
Reference in New Issue View Git Blame Copy Permalink