tabby/.github/workflows/build.yml

name: Package-Build
on: [push, pull_request]
jobs:
  Lint:
    runs-on: ubuntu-24.04

    steps:
    - name: Checkout
      uses: actions/checkout@v3
      with:
        fetch-depth: 0

    - name: Installing Node
      uses: actions/[email protected]
      with:
        node-version: 22

    - name: Install deps
      run: |
        sudo apt-get update && sudo apt-get install -y libfontconfig1-dev
        npm i -g yarn
        cd app
        yarn
        cd ..
        rm app/node_modules/.yarn-integrity
        yarn

    - name: Build typings
      run: yarn run build:typings

    - name: Lint
      run: yarn run lint

  macOS-Build:
    runs-on: macos-15
    needs: Lint
    strategy:
      matrix:
        include:
          - arch: x86_64
            rust_triple: x86_64-apple-darwin
          - arch: arm64
            rust_triple: aarch64-apple-darwin
      fail-fast: false

    env:
      ARCH: ${{matrix.arch}}
      RUST_TARGET_TRIPLE: ${{matrix.rust_triple}}

    steps:
    - name: Checkout
      uses: actions/checkout@v3
      with:
        fetch-depth: 0

    - name: Installing Node
      uses: actions/[email protected]
      with:
        node-version: 22

    - run: rustup target add ${{matrix.rust_triple}}

    - name: Install deps
      run: |
        yarn --network-timeout 1000000
      env:
        ARCH: ${{matrix.arch}}

    - name: Webpack
      run: yarn run build

    - name: Prepackage plugins
      run: scripts/prepackage-plugins.mjs
      env:
        ARCH: ${{matrix.arch}}

    - run: sed -i '' 's/updateInfo = await/\/\/updateInfo = await/g' node_modules/app-builder-lib/out/targets/ArchiveTarget.js

    # Work around electron-builder beta bug
    - run: ln -s ../../node_modules/electron app/node_modules

    - name: Build and sign packages
      run: scripts/build-macos.mjs
      if: github.event_name == 'push' && (github.ref_protected || startsWith(github.ref, 'refs/tags'))
      env:
        ARCH: ${{matrix.arch}}
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        KEYGEN_TOKEN: ${{ secrets.KEYGEN_TOKEN }}
        CSC_LINK: ${{ secrets.CSC_LINK }}
        CSC_KEY_PASSWORD: ${{ secrets.CSC_KEY_PASSWORD }}
        APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
        APPSTORE_USERNAME: ${{ secrets.APPSTORE_USERNAME }}
        APPSTORE_PASSWORD: ${{ secrets.APPSTORE_PASSWORD }}
        USE_HARD_LINKS: false
        # DEBUG: electron-builder,electron-builder:*

    - name: Build packages without signing
      run: scripts/build-macos.mjs
      if: "! (github.event_name == 'push' && (github.ref_protected || startsWith(github.ref, 'refs/tags')))"
      env:
        ARCH: ${{matrix.arch}}
        # DEBUG: electron-builder,electron-builder:*

    - name: Upload symbols
      run: |
        sudo npm install -g @sentry/cli --unsafe-perm
        ./scripts/sentry-upload.mjs
      env:
        SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}
        SENTRY_ORG: ${{ secrets.SENTRY_ORG }}
        SENTRY_PROJECT: ${{ secrets.SENTRY_PROJECT }}

    - name: Package artifacts
      run: |
        mkdir artifact-dmg
        mv dist/*.dmg artifact-dmg/
        mkdir artifact-zip
        mv dist/*.zip artifact-zip/

    - uses: actions/upload-artifact@master
      name: Upload DMG
      with:
        name: macOS .dmg (${{matrix.arch}})
        path: artifact-dmg

    - uses: actions/upload-artifact@master
      name: Upload ZIP
      with:
        name: macOS .zip (${{matrix.arch}})
        path: artifact-zip

  Linux-Build:
    runs-on: ${{matrix.os}}
    needs: Lint
    strategy:
      matrix:
        include:
          - build-arch: x64
            arch: amd64
            rust_triple: x86_64-unknown-linux-gnu
            os: ubuntu-24.04
          - build-arch: arm64
            arch: arm64
            rust_triple: aarch64-unknown-linux-gnu
            triplet: aarch64-linux-gnu-
            os: ubuntu-24.04-arm
          - build-arch: arm
            arch: armhf
            rust_triple: arm-unknown-linux-gnueabihf
            triplet: arm-linux-gnueabihf-
            os: ubuntu-24.04
      fail-fast: false

    env:
      CC: ${{matrix.triplet}}gcc
      CXX: ${{matrix.triplet}}g++
      ARCH: ${{matrix.build-arch}}
      npm_config_arch: ${{matrix.build-arch}}
      npm_config_target_arch: ${{matrix.build-arch}}
      RUST_TARGET_TRIPLE: ${{matrix.rust_triple}}

    steps:
    - name: Checkout
      uses: actions/checkout@v3
      with:
        fetch-depth: 0

    - name: Install Node
      uses: actions/[email protected]
      with:
        node-version: 22

    - name: Install FPM
      run: |
        sudo gem install fpm

    - run: rustup target add ${{matrix.rust_triple}}

    - name: Install dependencies
      run: |
        sudo apt-get update
        sudo apt-get install libfontconfig1-dev libarchive-tools zsh crossbuild-essential-${{matrix.arch}}

    - name: Setup tar to run as root
      run: sudo chmod u+s "$(command -v tar)"
      if: matrix.build-arch == 'arm'

    - name: Download cached sysroot
      uses: actions/cache@v3
      id: dl-cached-sysroot
      if: matrix.build-arch == 'arm'
      with:
        key: sysroot-${{matrix.build-arch}}
        path: /${{matrix.build-arch}}-sysroot

    - name: Setup crossbuild sysroot
      run: |
        sudo apt-get update -y && sudo apt-get install debootstrap qemu-user-static binfmt-support -y
        sudo qemu-debootstrap --include=libfontconfig1-dev,libsecret-1-dev,libnss3,libatk1.0-0,libatk-bridge2.0-0,libgdk-pixbuf2.0-0,libgtk-3-0,libgbm1 --variant=buildd --exclude=snapd --components=main,restricted,universe,multiverse --extractor=dpkg-deb --arch ${{matrix.arch}} bionic /${{matrix.build-arch}}-sysroot/ http://ports.ubuntu.com/ubuntu-ports/
        sudo find /${{matrix.build-arch}}-sysroot -type l -lname '/*' -exec sh -c 'file="$0"; dir=$(dirname "$file"); target=$(readlink "$0"); prefix=$(dirname "$dir" | sed 's@[^/]*@\.\.@g'); newtarget="$prefix$target"; ln -snf $newtarget $file' {} \; ;
      if: matrix.build-arch == 'arm' && steps.dl-cached-sysroot.outputs.cache-hit != 'true'

    - name: Setup env to use ${{matrix.build-arch}} sysroot
      run: |
        echo "CFLAGS=--sysroot=/${{matrix.build-arch}}-sysroot/" >> $GITHUB_ENV
        echo "CXXFLAGS=--sysroot=/${{matrix.build-arch}}-sysroot/" >> $GITHUB_ENV
        echo "LDFLAGS=--sysroot=/${{matrix.build-arch}}-sysroot/" >> $GITHUB_ENV

        [[ ${npm_config_arch} == 'arm' ]] && echo "npm_config_arch=armv7l" >> $GITHUB_ENV

        if [[ ${{matrix.arch}} == 'armhf' ]]; then
          echo "PKG_CONFIG_PATH=/${{matrix.build-arch}}-sysroot/usr/lib/pkgconfig/:/${{matrix.build-arch}}-sysroot/usr/lib/arm-linux-gnueabihf/pkgconfig/" >> $GITHUB_ENV
        elif [[ ${{matrix.arch}} == 'arm64' ]]; then
          echo "PKG_CONFIG_PATH=/${{matrix.build-arch}}-sysroot/usr/lib/pkgconfig/:/${{matrix.build-arch}}-sysroot/usr/lib/aarch64-linux-gnu/pkgconfig/" >> $GITHUB_ENV
        fi
      if: matrix.build-arch == 'arm'

    - name: Install npm_modules (native)
      run: |
        npm i -g yarn node-gyp
        yarn --network-timeout 1000000 --arch=${{matrix.build-arch}} --target-arch=${{matrix.build-arch}}

    - name: Webpack (${{matrix.arch}})
      run: yarn run build --arch=${{matrix.build-arch}} --target_arch=${{matrix.build-arch}}

    - name: Prepackage plugins (${{matrix.arch}})
      run: scripts/prepackage-plugins.mjs

    - name: Build packages (${{matrix.arch}})
      run: scripts/build-linux.mjs
      env:
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        KEYGEN_TOKEN: ${{ secrets.KEYGEN_TOKEN }}
        USE_HARD_LINKS: false
        USE_SYSTEM_FPM: true
        # DEBUG: electron-builder,electron-builder:*

    - name: Build web resources (amd64 only)
      run: zsh -c 'tar czf tabby-web.tar.gz (tabby-*|web)/dist'
      if: matrix.build-arch == 'x64'

    - name: Upload symbols (amd64 only)
      run: |
        sudo npm install -g @sentry/cli --unsafe-perm
        ./scripts/sentry-upload.mjs
      if: matrix.build-arch == 'x64'
      env:
        SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}
        SENTRY_ORG: ${{ secrets.SENTRY_ORG }}
        SENTRY_PROJECT: ${{ secrets.SENTRY_PROJECT }}

    - name: Upload packages to packagecloud.io
      uses: TykTechnologies/packagecloud-action@main
      if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/')
      env:
        PACKAGECLOUD_TOKEN: ${{ secrets.PACKAGECLOUD_TOKEN }}
      with:
        repo: 'eugeny/tabby'
        dir: 'dist'
        rpmvers: 'el/9 el/8 ol/6 ol/7'
        debvers: 'ubuntu/bionic ubuntu/focal ubuntu/hirsute ubuntu/impish ubuntu/jammy ubuntu/kinetic ubuntu/noble ubuntu/oracular debian/jessie debian/stretch debian/buster'

    - uses: actions/upload-artifact@master
      name: Upload AppImage (${{matrix.arch}})
      with:
        name: Linux AppImage (${{matrix.arch}})
        path: dist/*.AppImage

    - uses: actions/upload-artifact@master
      name: Upload DEB (${{matrix.arch}})
      with:
        name: Linux DEB (${{matrix.arch}})
        path: dist/*.deb

    - uses: actions/upload-artifact@master
      name: Upload RPM (${{matrix.arch}})
      with:
        name: Linux RPM (${{matrix.arch}})
        path: dist/*.rpm

    - uses: actions/upload-artifact@master
      name: Upload Pacman Package (${{matrix.arch}})
      with:
        name: Linux Pacman (${{matrix.arch}})
        path: dist/*.pacman

    - uses: actions/upload-artifact@master
      name: Upload Linux tarball (${{matrix.arch}})
      with:
        name: Linux tarball (${{matrix.arch}})
        path: dist/*.tar.gz

    - uses: actions/upload-artifact@master
      name: Upload web tarball (amd64 only)
      with:
        name: Web tarball
        path: tabby-web.tar.gz
      if: matrix.build-arch == 'x64'

  Windows-Build:
    runs-on: windows-latest
    needs: Lint
    strategy:
      matrix:
        include:
          - arch: x64
            rust_triple: x86_64-pc-windows-msvc
          - arch: arm64
            rust_triple: aarch64-pc-windows-msvc
      fail-fast: false

    env:
      RUST_TARGET_TRIPLE: ${{matrix.rust_triple}}
      ARCH: ${{matrix.arch}}

    steps:
    - name: Checkout
      uses: actions/checkout@v3
      with:
        fetch-depth: 0

    - name: Code signing with Software Trust Manager
      uses: digicert/[email protected]
      if: github.event_name == 'push' && (startsWith(github.ref, 'refs/tags'))

    - name: Installing Node
      uses: actions/[email protected]
      with:
        node-version: 22

    - run: npm i -g npx
    - run: rustup target add ${{matrix.rust_triple}}

    - name: Update node-gyp
      run: |
        npm install --global [email protected]
        npm prefix -g | % {npm config set node_gyp "$_\node_modules\node-gyp\bin\node-gyp.js"}

    - name: Build
      shell: powershell
      run: |
        npm i -g yar node-gyp
        yarn --network-timeout 1000000
        yarn run build
        node scripts/prepackage-plugins.mjs
      env:
        ARCH: ${{matrix.arch}}

    - name: Decode certificate
      if: github.event_name == 'push' && (startsWith(github.ref, 'refs/tags'))
      env:
        SM_CLIENT_CERT_FILE_B64: ${{ secrets.SM_CLIENT_CERT_FILE_B64 }}
      run: |
        SM_CLIENT_CERT_FILE=$RUNNER_TEMP/certificate.p12
        echo "$SM_CLIENT_CERT_FILE_B64" | base64 --decode > $SM_CLIENT_CERT_FILE
        echo "SM_CLIENT_CERT_FILE=$SM_CLIENT_CERT_FILE" >> "$GITHUB_ENV"
      shell: bash

    - name: Build and sign packages
      if: github.event_name == 'push' && (startsWith(github.ref, 'refs/tags'))
      shell: powershell
      run: |
        Get-FileHash $env:SM_CLIENT_CERT_FILE -Algorithm MD5
        smksp_registrar.exe list
        smctl.exe healthcheck
        smctl.exe keypair ls
        smctl windows certsync --keypair-alias $env:SM_KEYPAIR_ALIAS
        smctl.exe certificate ls
        C:\Windows\System32\certutil.exe -csp "DigiCert Signing Manager KSP" -key -user
        smksp_cert_sync.exe

        # not used but necessary for electron-builder to run
        $env:WIN_CSC_LINK=$env:SM_CLIENT_CERT_FILE
        $env:WIN_CSC_KEY_PASSWORD=$env:SM_CLIENT_CERT_PASSWORD
        node scripts/build-windows.mjs
      env:
        ARCH: ${{matrix.arch}}
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        KEYGEN_TOKEN: ${{ secrets.KEYGEN_TOKEN }}
        SM_CLIENT_CERT_PASSWORD: ${{ secrets.SM_CLIENT_CERT_PASSWORD }}
        SM_PUBLISHER_NAME: ${{ secrets.SM_PUBLISHER_NAME }}
        SM_API_KEY: ${{ secrets.SM_API_KEY }}
        SM_HOST: ${{ vars.SM_HOST }}
        SM_CODE_SIGNING_CERT_SHA1_HASH: ${{ vars.SM_CODE_SIGNING_CERT_SHA1_HASH }}
        SM_KEYPAIR_ALIAS: ${{ vars.SM_KEYPAIR_ALIAS }}
        # DEBUG: electron-builder,electron-builder:*

    - name: Build packages without signing
      run: node scripts/build-windows.mjs
      if: "! (github.event_name == 'push' && (startsWith(github.ref, 'refs/tags')))"
      env:
        ARCH: ${{matrix.arch}}

    - name: Upload symbols
      run: |
        npm install @sentry/cli
        node scripts/sentry-upload.mjs
      env:
        SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}
        SENTRY_ORG: ${{ secrets.SENTRY_ORG }}
        SENTRY_PROJECT: ${{ secrets.SENTRY_PROJECT }}

    - name: Package artifacts
      run: |
        mkdir artifact-setup
        mv dist/*-setup-*.exe artifact-setup/
        mkdir artifact-portable
        mv dist/*-portable-*.zip artifact-portable/

    - uses: actions/upload-artifact@master
      name: Upload installer
      with:
        name: Windows installer (${{matrix.arch}})
        path: artifact-setup

    - uses: actions/upload-artifact@master
      name: Upload portable build
      with:
        name: Windows portable build (${{matrix.arch}})
        path: artifact-portable