name: build-apps on: pull_request: push: branches: - main tags: - 'v[0-9]+.[0-9]+.[0-9]+' env: IS_RELEASE: ${{ github.ref_type == 'tag' && startsWith(github.ref_name, 'v') }} IS_NIGHTLY: ${{ github.event_name == 'push' && github.ref == 'refs/heads/main' }} concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true jobs: prepare-files: runs-on: ubuntu-22.04 # seperate job on Ubuntu for easy string manipulations (compared to Windows) outputs: version: ${{ steps.export_version.outputs.version }} notes: ${{ steps.export_notes.outputs.notes }} steps: - uses: actions/checkout@v4 - uses: actions/setup-node@v4 with: node-version-file: '.nvmrc' cache: 'npm' - run: npm install - id: filter name: Check for Rust changes uses: dorny/paths-filter@v3 with: filters: | rust: - 'rust/**' - name: Download Wasm Cache id: download-wasm if: ${{ github.event_name == 'pull_request' && steps.filter.outputs.rust == 'false' }} uses: dawidd6/action-download-artifact@v7 continue-on-error: true with: github_token: ${{secrets.GITHUB_TOKEN}} name: wasm-bundle workflow: build-and-store-wasm.yml branch: main path: rust/kcl-wasm-lib/pkg - name: Build WASM condition id: wasm run: | set -euox pipefail # Build wasm if this is a push to main or tag, there are Rust changes, or # downloading from the wasm cache failed. if [[ ${{github.event_name}} == 'push' || ${{steps.filter.outputs.rust}} == 'true' || ${{steps.download-wasm.outcome}} == 'failure' ]]; then echo "should-build-wasm=true" >> $GITHUB_OUTPUT else echo "should-build-wasm=false" >> $GITHUB_OUTPUT fi - name: Use correct Rust toolchain if: ${{ steps.wasm.outputs.should-build-wasm == 'true' }} shell: bash run: | [ -e rust-toolchain.toml ] || cp rust/rust-toolchain.toml ./ - name: Install rust if: ${{ steps.wasm.outputs.should-build-wasm == 'true' }} uses: actions-rust-lang/setup-rust-toolchain@v1 with: cache: false # Configured below. - uses: taiki-e/install-action@d4635f2de61c8b8104d59cd4aede2060638378cc if: ${{ steps.wasm.outputs.should-build-wasm == 'true' }} with: tool: wasm-pack - name: Rust Cache if: ${{ steps.wasm.outputs.should-build-wasm == 'true' }} uses: Swatinem/rust-cache@v2 with: workspaces: rust - name: Run build:wasm if: ${{ steps.wasm.outputs.should-build-wasm == 'true' }} run: "npm run build:wasm" - name: Set nightly version, product name, release notes, and icons if: ${{ env.IS_NIGHTLY == 'true' }} run: | COMMIT=$(git rev-parse --short HEAD) DATE=$(date +'%-y.%-m.%-d') export VERSION=$DATE-main.$COMMIT npm run files:set-version npm run files:flip-to-nightly - name: Set release version if: ${{ env.IS_RELEASE == 'true' }} run: | export VERSION=${GITHUB_REF_NAME#v} npm run files:set-version - uses: actions/upload-artifact@v4 with: name: prepared-files path: | package.json electron-builder.yml rust/kcl-wasm-lib/pkg/kcl_wasm_lib* release-notes.md assets/icon.ico assets/icon.png - id: export_version run: echo "version=`cat package.json | jq -r '.version'`" >> "$GITHUB_OUTPUT" - id: export_notes run: echo "notes=`cat release-notes.md`" >> "$GITHUB_OUTPUT" build-apps: needs: [prepare-files] strategy: fail-fast: false matrix: include: - os: macos-14 platform: mac - os: windows-2022 platform: win - os: ubuntu-22.04 platform: linux runs-on: ${{ matrix.os }} env: VERSION_NO_V: ${{ needs.prepare-files.outputs.version }} steps: - uses: actions/checkout@v4 - uses: actions/download-artifact@v4 name: prepared-files - name: Copy prepared files run: | ls -R prepared-files cp prepared-files/package.json package.json cp prepared-files/electron-builder.yml electron-builder.yml cp prepared-files/rust/kcl-wasm-lib/pkg/kcl_wasm_lib_bg.wasm public mkdir rust/kcl-wasm-lib/pkg cp prepared-files/rust/kcl-wasm-lib/pkg/kcl_wasm_lib* rust/kcl-wasm-lib/pkg cp prepared-files/release-notes.md release-notes.md cp prepared-files/assets/icon.ico assets/icon.ico cp prepared-files/assets/icon.png assets/icon.png - name: Sync node version and setup cache uses: actions/setup-node@v4 with: node-version-file: '.nvmrc' cache: 'npm' # Set this to npm, npm or pnpm. - run: npm install - name: Prepare certificate and variables (Windows only) if: ${{ (env.IS_RELEASE == 'true' || env.IS_NIGHTLY == 'true') && matrix.os == 'windows-2022' }} run: | echo "${{secrets.SM_CLIENT_CERT_FILE_B64 }}" | base64 --decode > /d/Certificate_pkcs12.p12 cat /d/Certificate_pkcs12.p12 echo "::set-output name=version::${GITHUB_REF#refs/tags/v}" echo "SM_HOST=${{ secrets.SM_HOST }}" >> "$GITHUB_ENV" echo "SM_API_KEY=${{ secrets.SM_API_KEY }}" >> "$GITHUB_ENV" echo "SM_CLIENT_CERT_FILE=D:\\Certificate_pkcs12.p12" >> "$GITHUB_ENV" echo "SM_CLIENT_CERT_PASSWORD=${{ secrets.SM_CLIENT_CERT_PASSWORD }}" >> "$GITHUB_ENV" echo "C:\Program Files (x86)\Windows Kits\10\App Certification Kit" >> $GITHUB_PATH echo "C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.8 Tools" >> $GITHUB_PATH echo "C:\Program Files\DigiCert\DigiCert One Signing Manager Tools" >> $GITHUB_PATH shell: bash - name: Setup certicate with SSM KSP (Windows only) if: ${{ (env.IS_RELEASE == 'true' || env.IS_NIGHTLY == 'true') && matrix.os == 'windows-2022' }} run: | curl -X GET https://one.digicert.com/signingmanager/api-ui/v1/releases/smtools-windows-x64.msi/download -H "x-api-key:%SM_API_KEY%" -o smtools-windows-x64.msi msiexec /i smtools-windows-x64.msi /quiet /qn smksp_registrar.exe list smctl.exe keypair ls C:\Windows\System32\certutil.exe -csp "DigiCert Signing Manager KSP" -key -user smksp_cert_sync.exe smctl windows certsync # This last line `smctl windows certsync` was added after windows codesign failures started happening # with nightly-v25.4.10. It looks like `smksp_cert_sync.exe` used to do the sync to the local cert store, # but stopped doing it overnight. This extra call that I randomly got from this azure-related doc page # https://docs.digicert.com/en/digicert-keylocker/code-signing/sign-with-third-party-signing-tools/windows-applications/sign-azure-apps-with-signtool-using-ksp-library.html#sync-certificates--windows-only--618365 # seems to be doing that extra sync that we need for scripts/sign-win.js to work. # TODO: we still need to make sign-win.js errors fail the workflow, see issue #6276 shell: cmd - name: Build the app (debug) if: ${{ env.IS_RELEASE == 'false' && env.IS_NIGHTLY == 'false' }} # electron-builder doesn't have a concept of release vs debug, # this is just not doing any codesign or release yml generation, and points to dev infra run: npm run tronb:package:dev - name: Build the app (release) if: ${{ env.IS_RELEASE == 'true' || env.IS_NIGHTLY == 'true' }} env: APPLE_ID: ${{ secrets.APPLE_ID }} APPLE_PASSWORD: ${{ secrets.APPLE_PASSWORD }} APPLE_APP_SPECIFIC_PASSWORD: ${{ secrets.APPLE_PASSWORD }} APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }} CSC_LINK: ${{ secrets.APPLE_CERTIFICATE }} CSC_KEY_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }} CSC_KEYCHAIN: ${{ secrets.APPLE_SIGNING_IDENTITY }} WINDOWS_CERTIFICATE_THUMBPRINT: ${{ secrets.WINDOWS_CERTIFICATE_THUMBPRINT }} run: npm run tronb:package:prod - name: List artifacts in out/ run: ls -R out - uses: actions/upload-artifact@v4 with: name: out-arm64-${{ matrix.platform }} # first two will pick both Zoo Design Studio-$VERSION-arm64-win.exe and Zoo Design Studio-$VERSION-win.exe path: | out/*-${{ env.VERSION_NO_V }}-win.* out/*-${{ env.VERSION_NO_V }}-arm64-win.* out/*-arm64-mac.* out/*-arm64-linux.* - uses: actions/upload-artifact@v4 with: name: out-x64-${{ matrix.platform }} path: | out/*-x64-win.* out/*-x64-mac.* out/*-x86_64-linux.* - uses: actions/upload-artifact@v4 if: ${{ env.IS_RELEASE == 'true' || env.IS_NIGHTLY == 'true' }} with: name: out-yml-${{ matrix.platform }} path: | out/latest*.yml # TODO: add the 'Build for Mac TestFlight (nightly)' stage back upload-apps-release: runs-on: ubuntu-22.04 permissions: contents: write # Equivalent to IS_RELEASE || IS_NIGHTLY (but we can't access those env vars here) if: ${{ (github.ref_type == 'tag' && startsWith(github.ref_name, 'v')) || (github.event_name == 'push' && github.ref == 'refs/heads/main') }} env: VERSION_NO_V: ${{ needs.prepare-files.outputs.version }} VERSION: ${{ format('v{0}', needs.prepare-files.outputs.version) }} needs: [prepare-files, build-apps] steps: - uses: actions/checkout@v4 - uses: actions/download-artifact@v4 with: name: out-arm64-win path: out - uses: actions/download-artifact@v4 with: name: out-x64-win path: out - uses: actions/download-artifact@v4 with: name: out-yml-win path: out - uses: actions/download-artifact@v4 with: name: out-arm64-mac path: out - uses: actions/download-artifact@v4 with: name: out-x64-mac path: out - uses: actions/download-artifact@v4 with: name: out-yml-mac path: out - uses: actions/download-artifact@v4 with: name: out-arm64-linux path: out - uses: actions/download-artifact@v4 with: name: out-x64-linux path: out - uses: actions/download-artifact@v4 with: name: out-yml-linux path: out - name: Generate the download static endpoint env: NOTES: ${{ needs.prepare-files.outputs.notes }} PUB_DATE: ${{ github.event.repository.updated_at }} WEBSITE_DIR: ${{ env.IS_NIGHTLY == 'true' && 'dl.zoo.dev/releases/modeling-app/nightly' || 'dl.zoo.dev/releases/modeling-app' }} URL_CODED_NAME: ${{ env.IS_NIGHTLY == 'true' && 'Zoo%20Design%20Studio%20%28Nightly%29' || 'Zoo%20Design%20Studio' }} run: | RELEASE_DIR=https://${WEBSITE_DIR} jq --null-input \ --arg version "${VERSION}" \ --arg pub_date "${PUB_DATE}" \ --arg notes "${NOTES}" \ --arg mac_arm64_url "$RELEASE_DIR/${{ env.URL_CODED_NAME }}-${VERSION_NO_V}-arm64-mac.dmg" \ --arg mac_x64_url "$RELEASE_DIR/${{ env.URL_CODED_NAME }}-${VERSION_NO_V}-x64-mac.dmg" \ --arg windows_arm64_url "$RELEASE_DIR/${{ env.URL_CODED_NAME }}-${VERSION_NO_V}-arm64-win.exe" \ --arg windows_x64_url "$RELEASE_DIR/${{ env.URL_CODED_NAME }}-${VERSION_NO_V}-x64-win.exe" \ --arg linux_arm64_url "$RELEASE_DIR/${{ env.URL_CODED_NAME }}-${VERSION_NO_V}-arm64-linux.AppImage" \ --arg linux_x64_url "$RELEASE_DIR/${{ env.URL_CODED_NAME }}-${VERSION_NO_V}-x86_64-linux.AppImage" \ '{ "version": $version, "pub_date": $pub_date, "notes": $notes, "platforms": { "dmg-arm64": { "url": $mac_arm64_url }, "dmg-x64": { "url": $mac_x64_url }, "exe-arm64": { "url": $windows_arm64_url }, "exe-x64": { "url": $windows_x64_url }, "appimage-arm64": { "url": $linux_arm64_url }, "appimage-x64": { "url": $linux_x64_url } } }' > out/last_download.json cat out/last_download.json - uses: actions/upload-artifact@v4 with: name: out-download-json path: out/last_download.json - name: List artifacts run: "ls -R out" - name: Authenticate to Google Cloud if: ${{ env.IS_NIGHTLY == 'true' }} uses: 'google-github-actions/auth@v2.1.8' with: credentials_json: '${{ secrets.GOOGLE_CLOUD_DL_SA }}' - name: Set up Google Cloud SDK if: ${{ env.IS_NIGHTLY == 'true' }} uses: google-github-actions/setup-gcloud@v2.1.4 with: project_id: ${{ env.GOOGLE_CLOUD_PROJECT_ID }} - name: Upload nightly files to public bucket if: ${{ env.IS_NIGHTLY == 'true' }} uses: google-github-actions/upload-cloud-storage@v2.2.2 with: path: out glob: '*' parent: false destination: 'dl.kittycad.io/releases/modeling-app/nightly' - name: Invalidate bucket cache on latest*.yml and last_download.json files if: ${{ env.IS_NIGHTLY == 'true' }} run: npm run files:invalidate-bucket:nightly