KodoCode/.github/workflows/patch-windows-release.yml at main · boggedbrush/KodoCode · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
name: Patch Windows Release

on:
  workflow_dispatch:
    inputs:
      version:
        description: "Release version to rebuild and replace (for example 0.0.1 or v0.0.1)"
        required: true
        type: string
      ref:
        description: "Git ref to rebuild from (defaults to the release tag)"
        required: false
        default: ""
        type: string

permissions:
  contents: write
  id-token: write

jobs:
  patch_windows_release:
    name: Patch Windows x64 Assets
    runs-on: windows-2022
    timeout-minutes: 45
    steps:
      - id: release_meta
        name: Resolve release version
        shell: bash
        run: |
          raw="${{ github.event.inputs.version }}"
          checkout_ref="${{ github.event.inputs.ref }}"
          version="${raw#v}"
          if [[ ! "$version" =~ ^[0-9]+\.[0-9]+\.[0-9]+([.-][0-9A-Za-z.-]+)?$ ]]; then
            echo "Invalid release version: $raw" >&2
            exit 1
          fi

          echo "version=$version" >> "$GITHUB_OUTPUT"
          echo "tag=v$version" >> "$GITHUB_OUTPUT"
          if [[ -z "$checkout_ref" ]]; then
            checkout_ref="refs/tags/v$version"
          fi
          echo "checkout_ref=$checkout_ref" >> "$GITHUB_OUTPUT"

      - name: Checkout release source
        uses: actions/checkout@v6
        with:
          ref: ${{ steps.release_meta.outputs.checkout_ref }}
          fetch-depth: 0

      - name: Setup Bun
        uses: oven-sh/setup-bun@v2
        with:
          bun-version-file: package.json

      - name: Setup Node
        uses: actions/setup-node@v6
        with:
          node-version-file: package.json

      - name: Cache Bun and Turbo
        uses: actions/cache@v5
        with:
          path: |
            ~/.bun/install/cache
            .turbo
          key: ${{ runner.os }}-bun-${{ hashFiles('bun.lock') }}-${{ hashFiles('turbo.json', 'apps/*/turbo.jsonc') }}
          restore-keys: |
            ${{ runner.os }}-bun-${{ hashFiles('bun.lock') }}-

      - name: Cache Electron builder artifacts
        uses: actions/cache@v5
        with:
          path: |
            ~/.cache/electron
            ~/.cache/electron-builder
          key: ${{ runner.os }}-electron-builder-${{ hashFiles('bun.lock') }}
          restore-keys: |
            ${{ runner.os }}-electron-builder-

      - name: Install dependencies
        run: bun install --frozen-lockfile

      - name: Align package versions to release version
        run: node scripts/update-release-package-versions.ts "${{ steps.release_meta.outputs.version }}"

      - name: Build Windows desktop artifacts
        shell: bash
        env:
          AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
          AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
          AZURE_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }}
          AZURE_TRUSTED_SIGNING_ENDPOINT: ${{ secrets.AZURE_TRUSTED_SIGNING_ENDPOINT }}
          AZURE_TRUSTED_SIGNING_ACCOUNT_NAME: ${{ secrets.AZURE_TRUSTED_SIGNING_ACCOUNT_NAME }}
          AZURE_TRUSTED_SIGNING_CERTIFICATE_PROFILE_NAME: ${{ secrets.AZURE_TRUSTED_SIGNING_CERTIFICATE_PROFILE_NAME }}
          AZURE_TRUSTED_SIGNING_PUBLISHER_NAME: ${{ secrets.AZURE_TRUSTED_SIGNING_PUBLISHER_NAME }}
        run: |
          has_all() {
            for value in "$@"; do
              if [[ -z "$value" ]]; then
                return 1
              fi
            done
            return 0
          }

          if has_all \
            "$AZURE_TENANT_ID" \
            "$AZURE_CLIENT_ID" \
            "$AZURE_CLIENT_SECRET" \
            "$AZURE_TRUSTED_SIGNING_ENDPOINT" \
            "$AZURE_TRUSTED_SIGNING_ACCOUNT_NAME" \
            "$AZURE_TRUSTED_SIGNING_CERTIFICATE_PROFILE_NAME" \
            "$AZURE_TRUSTED_SIGNING_PUBLISHER_NAME"; then
            echo "Windows signing enabled (Azure Trusted Signing)."
            signed_flag=--signed
          else
            echo "Windows signing disabled (missing one or more Azure Trusted Signing secrets)."
            signed_flag=
          fi

          for target in nsis zip; do
            args=(
              --platform win
              --target "$target"
              --arch x64
              --build-version "${{ steps.release_meta.outputs.version }}"
              --verbose
            )

            if [[ -n "$signed_flag" ]]; then
              args+=("$signed_flag")
            fi

            bun run dist:desktop:artifact -- "${args[@]}"
          done

      - name: Collect patched Windows release assets
        shell: bash
        run: |
          set -euo pipefail
          mkdir -p release-publish

          shopt -s nullglob
          for pattern in \
            "release/*.exe" \
            "release/*.zip" \
            "release/*.blockmap" \
            "release/latest.yml"; do
            for file in $pattern; do
              cp "$file" release-publish/
            done
          done

          shopt -u nullglob
          ls -la release-publish

      - name: Upload patched Windows assets to existing release
        shell: bash
        env:
          GH_TOKEN: ${{ github.token }}
        run: |
          gh release upload "${{ steps.release_meta.outputs.tag }}" release-publish/* --clobber