release-codesigned.yaml
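# Release workflow: on every push to the release-codesigned-testing branch,
# build the Tauri app on Windows, macOS and Linux, code sign it and attach
# the bundles to a draft pre-release on GitHub.
name: "publish"
on:
  push:
    branches:
      - release-codesigned-testing

jobs:
  publish-tauri:
    # The job token is limited to contents: write, which the release steps
    # below use (via GITHUB_TOKEN) to create the draft release and upload assets.
    permissions:
      contents: write
    strategy:
      fail-fast: false
      matrix:
        platform: [windows-2019, macos-11, ubuntu-20.04]
    env:
      # Quoted so YAML does not read the version as a float.
      MACOSX_DEPLOYMENT_TARGET: "10.13"
    runs-on: ${{ matrix.platform }}
    steps:
      - uses: actions/checkout@v2

      - name: setup node
        uses: actions/setup-node@v1
        with:
          node-version: 16

      # NOTE(review): third-party action referenced by a mutable tag. Later steps
      # in this job handle signing secrets, so consider pinning to a reviewed
      # full commit SHA.
      - name: install Rust stable
        uses: actions-rs/toolchain@v1
        with:
          override: true
          toolchain: stable

      - name: install Go stable
        uses: actions/setup-go@v4
        with:
          go-version: 'stable'

      - name: install app dependencies and info
        run: npm install && npm run tauri info

      - name: install dependencies (ubuntu only)
        if: matrix.platform == 'ubuntu-20.04'
        run: |
          sudo apt-get update
          sudo apt-get install -y \
            libwebkit2gtk-4.0-dev libcanberra-gtk-module libcanberra-gtk3-module \
            build-essential curl wget libssl-dev libgtk-3-dev squashfs-tools \
            libgtksourceview-3.0-dev libappindicator3-dev patchelf librsvg2-dev \
            ayatana-indicator-application

      - name: generate dist folder
        run: npm run dist

      # NOTE(review): `@dev` is a branch, so the code that receives the Apple and
      # updater signing secrets below can change without any change to this file.
      # Pin to a reviewed full commit SHA.
      - name: build the app (macOS and Linux only)
        if: matrix.platform == 'ubuntu-20.04' || matrix.platform == 'macos-11' # HELP remove this line if Windows code signing is NOT wanted
        uses: tauri-apps/tauri-action@dev
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          # NOTE(review): this copies the certificate secret into a second
          # variable, apparently only as an on/off flag - confirm whether a
          # non-secret value would do.
          ENABLE_CODE_SIGNING: ${{ secrets.APPLE_CERTIFICATE }}
          APPLE_CERTIFICATE: ${{ secrets.APPLE_CERTIFICATE }}
          APPLE_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
          APPLE_SIGNING_IDENTITY: ${{ secrets.APPLE_SIGNING_IDENTITY }}
          APPLE_ID: ${{ secrets.APPLE_ID }}
          APPLE_PASSWORD: ${{ secrets.APPLE_PASSWORD }}
          TAURI_PRIVATE_KEY: ${{ secrets.TAURI_PRIVATE_KEY }}
          TAURI_KEY_PASSWORD: ${{ secrets.TAURI_KEY_PASSWORD }}
        with:
          projectPath: src-tauri # specifying to prevent action from looking for artifacts in crates/hc_launch/src-tauri
          tagName: v__VERSION__ # the action automatically replaces __VERSION__ with the app version
          releaseName: "hc-stress-test v__VERSION__"
          releaseBody: "See assets below to download and install this version."
          releaseDraft: true
          prerelease: true
          args: --verbose

      ### Everything below this line is code signing for Windows via azure key vault, following these instructions:
      ### https://melatonin.dev/blog/how-to-code-sign-windows-installers-with-an-ev-cert-on-github-actions/
      ### HELP Remove everything below if Windows code signing is NOT wanted.
      - name: build and sign the app (Windows only)
        if: matrix.platform == 'windows-2019'
        # pwsh is already the default shell on Windows runners; stated explicitly
        # because the script relies on PowerShell syntax ($env:, splatting).
        shell: pwsh
        env:
          # Secrets reach the script as environment variables. A `${{ secrets.* }}`
          # expression written inside `run:` is pasted into the generated script
          # file before the shell parses it - even when it sits on a commented-out
          # line - so none are used there.
          AZURE_KEY_VAULT_URI: ${{ secrets.AZURE_KEY_VAULT_URI }}
          AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
          AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
          AZURE_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }}
          AZURE_CERT_NAME: ${{ secrets.AZURE_CERT_NAME }}
          TAURI_PRIVATE_KEY: ${{ secrets.TAURI_PRIVATE_KEY }}
          TAURI_KEY_PASSWORD: ${{ secrets.TAURI_KEY_PASSWORD }}
        run: |
          # Only the exit code of the last command decides whether a pwsh step
          # fails, so every build/sign command is checked explicitly. Without
          # this, a failed signature would be hidden by the CertUtil calls at
          # the end and unsigned installers would be uploaded.
          npm run dist
          if ($LASTEXITCODE -ne 0) { exit $LASTEXITCODE }
          npm run tauri -- build --verbose # building in verbose mode to get reasonable logging output in case of failure
          if ($LASTEXITCODE -ne 0) { exit $LASTEXITCODE }
          # NOTE(review): the signing tool is installed without a version pin;
          # consider `--version <REVIEWED_VERSION>` for reproducible releases.
          dotnet tool install --global AzureSignTool
          if ($LASTEXITCODE -ne 0) { exit $LASTEXITCODE }

          # replace-me -- HELP
          # 1. replace all occurrences of [[GITHUB_REPO_NAME]] with the name of your GitHub repository
          # 2. replace all occurrences of [[productName]] with the productName field in tauri.conf.json
          # 3. replace all occurrences of [[version]] with the version field in tauri.conf.json
          # !! NOTE: The version field needs to be updated manually here with each new version of your app, otherwise the Windows build will fail.
          $bundle = "D:\a\holochain-kangaroo\holochain-kangaroo\src-tauri\target\release\bundle"
          $msi = "$bundle\msi\hc-stress-test_0.0.2_x64_en-US.msi"
          $exe = "$bundle\nsis\hc-stress-test_0.0.2_x64-setup.exe"

          # Arguments shared by both signing calls; the file to sign is appended per call.
          $signArgs = @(
            '-kvu', $env:AZURE_KEY_VAULT_URI,
            '-kvi', $env:AZURE_CLIENT_ID,
            '-kvt', $env:AZURE_TENANT_ID,
            '-kvs', $env:AZURE_CLIENT_SECRET,
            '-kvc', $env:AZURE_CERT_NAME,
            '-tr', 'http://timestamp.digicert.com',
            '-v'
          )

          # sign the .msi file
          AzureSignTool sign @signArgs $msi
          if ($LASTEXITCODE -ne 0) { exit $LASTEXITCODE }
          # sign the .exe file
          AzureSignTool sign @signArgs $exe
          if ($LASTEXITCODE -ne 0) { exit $LASTEXITCODE }

          # # Uncomment the lines below if you have the updater enabled
          # # =========================================================
          # # remove the .msi.zip and .msi.zip.sig files generated by tauri's build command as they are not code signed
          # rm "$msi.zip"
          # rm "$msi.zip.sig"
          # # zip and sign the code signed .msi
          # # NOTE(review): the original template zipped the .msi from
          # # "D:\a\holochain-kangaroo\holochain-kangaroo\target\release\bundle\msi\" (no src-tauri),
          # # which is not the file signed above - confirm which path is intended.
          # 7z a -mx=0 "$msi.zip" "$msi"
          # if ($LASTEXITCODE -ne 0) { exit $LASTEXITCODE }
          # npm run tauri signer sign "$msi.zip" -- -k "$env:TAURI_PRIVATE_KEY" -p "$env:TAURI_KEY_PASSWORD"
          # if ($LASTEXITCODE -ne 0) { exit $LASTEXITCODE }
          # # =========================================================

          # log SHA256 hashes of the signed files so they can be compared with
          # the assets that end up attached to the release
          CertUtil -hashfile $msi SHA256
          CertUtil -hashfile $exe SHA256
          # # Uncomment the lines below if you have the updater enabled
          # CertUtil -hashfile "$msi.zip" SHA256
          # CertUtil -hashfile "$msi.zip.sig" SHA256

      # NOTE(review): `@upload-only` is a branch of a third-party repository and
      # this step holds a token with contents: write. Pin to a reviewed full
      # commit SHA.
      - name: upload signed .msi, .exe, .msi.zip, .msi.zip.sig files to github release (Windows only)
        uses: matthme/tauri-action-ev-signing@upload-only
        if: matrix.platform == 'windows-2019'
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          projectPath: src-tauri # specifying to prevent action from looking for artifacts in crates/hc_launch/src-tauri
          tagName: v__VERSION__ # the action automatically replaces __VERSION__ with the app version
          releaseName: "hc-stress-test v__VERSION__"
          releaseBody: "See assets below to download and install this version."
          releaseDraft: true
          prerelease: true
          args: --verbose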