name: Release
# Triggered when a tag like v0.0.4 is pushed, or when dispatched manually with an
# existing tag name. Six parallel package jobs (one Velopack channel each; some runners
# use Zig cross-compile to the target triple), then a final job stages assets and
# uploads a draft GitHub release via scripts/release.sh.
#
# Flow:
#   1. Operator edits VERSION, commits, tags v<VERSION>, pushes the tag.
#   2. Matrix builds (Linux ×2, Windows ×2 cross-compiled from Linux, macOS ×2):
#      prefetch with retries, then package per target. Windows targets run on
#      ubuntu-latest with a `zig build msvcup-setup` pre-step (downloads MSVC +
#      Windows SDK into .velopack-msvc/, mounted through ciopfs for the
#      case-insensitive lookups Windows headers/libs assume). Cross-compile
#      from a non-Windows host avoids: (a) translate-c choking on the
#      runner's newer system SDK headers (ui64 literals, ARM64 NEON intrinsics
#      it doesn't auto-include arm_neon.h for); (b) Zig's libcxxabi sub-compile
#      colliding with MSVC's vcruntime_typeinfo.h. Both are upstream Zig 0.16
#      gaps; revisit when those land in a future Zig.
#   3. The assemble job downloads zig-out/<channel>/ from each artifact, runs
#      FIZZY_RELEASE_SKIP_BUILD=1 ./scripts/release.sh (staging + gh release create).
#   4. Operator reviews the draft and publishes when ready (auto-update only after publish).
#
# Signing (optional: the macOS jobs still package when these secrets are unset, but the
# certificate-import and notarytool steps are skipped, so the output is presumably
# unsigned and the operator's draft review is the place to catch that):
#   FIZZY_MACOS_CERT_P12_BASE64 / FIZZY_MACOS_CERT_PASSWORD
#   FIZZY_MACOS_SIGN_APP / FIZZY_MACOS_SIGN_INSTALLER
#   FIZZY_APPLE_ID / FIZZY_APPLE_APP_PASSWORD / FIZZY_APPLE_TEAM_ID
#
# Release triggers: a pushed tag matching v*, or a manual dispatch that names a tag.
# Nothing in this trigger block restricts the `tag` input to an actual tag, so jobs
# that consume it should treat the value as an arbitrary ref name.
on:
  push:
    tags:
      - 'v*'
  workflow_dispatch:
    inputs:
      tag:
        description: 'Existing tag to release (e.g. v0.0.4)'
        required: true
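# Serialise release runs per tag. The group is keyed on the tag name itself:
# github.ref on a manual dispatch is the ref the workflow was started from
# (typically a branch), so keying on github.ref alone would put a dispatch for
# v0.0.4 and the push of v0.0.4 in different groups and let both runs create the
# same release at once. github.ref_name is the short tag name on a tag push.
concurrency:
  group: release-${{ github.workflow }}-${{ github.event.inputs.tag || github.ref_name }}
  # Never cancel a release that is already running; a later run waits instead.
  cancel-in-progress: false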
# Zig toolchain version; the setup-zig steps read it through env.ZIG_VERSION.
# Quoted so it stays a string rather than being typed by the YAML parser.
env:
  ZIG_VERSION: '0.16.0'
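jobs:
  # NOTE(review): every `uses:` in this workflow is pinned to a mutable version tag
  # (@v2/@v3/@v4), including the third-party mlugg/setup-zig and
  # apple-actions/import-codesign-certs actions; the latter is handed the signing
  # certificate. Pinning each action to a full commit SHA keeps a re-pointed tag
  # from changing what runs inside a release build.

  # Linux + Windows: no fizzy_release environment (no signing secrets needed).
  package:
    runs-on: ${{ matrix.runner }}
    strategy:
      fail-fast: false
      matrix:
        include:
          - channel: x86-64-linux
            target: x86_64-linux-gnu
            runner: ubuntu-latest
          - channel: arm64-linux
            target: aarch64-linux-gnu
            runner: ubuntu-latest
          # Windows targets cross-compile from Linux. windows-latest doesn't work
          # in Zig 0.16 because of two upstream gaps: translate-c on
          # aarch64-windows-msvc doesn't auto-include <arm_neon.h>, so MSVC ucrt
          # wchar.h's NEON SIMD path fails to translate; and Zig's libcxxabi
          # sub-compile collides with MSVC's vcruntime_typeinfo.h. Cross-compile
          # avoids system MSVC entirely. ubuntu (cheaper than macOS) needs the
          # ciopfs case-insensitive overlay below for the MSI extraction.
          - channel: x86-64-windows
            target: x86_64-windows-msvc
            runner: ubuntu-latest
          - channel: arm64-windows
            target: aarch64-windows-msvc
            runner: ubuntu-latest
    defaults:
      run:
        shell: bash
    env:
      # Per-run, per-channel cache directories inside the workspace.
      ZIG_GLOBAL_CACHE_DIR: ${{ github.workspace }}/.zig-cache-${{ github.run_id }}-${{ matrix.channel }}
      ZIG_LOCAL_CACHE_DIR: ${{ github.workspace }}/.zig-cache-${{ github.run_id }}-${{ matrix.channel }}-local
      # NOTE(review): job-level env exposes the token to every step, including the
      # third-party action and the dependency code `zig build` runs. It is limited
      # to contents: read by `permissions` below; which step actually needs it is
      # not visible here. If only one does, scope it to that step.
      GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v4
        with:
          # A manually dispatched `tag` input is resolved under refs/tags/, so
          # checkout fails for a branch name or commit SHA instead of building a
          # release from it; tag pushes keep using github.ref.
          ref: ${{ github.event.inputs.tag && format('refs/tags/{0}', github.event.inputs.tag) || github.ref }}
          fetch-tags: true
          fetch-depth: 0
      - uses: mlugg/setup-zig@v2
        with:
          version: ${{ env.ZIG_VERSION }}
          use-cache: false
      - name: Pre-create Zig cache tmp/
        run: |
          mkdir -p "$ZIG_GLOBAL_CACHE_DIR/tmp"
          [[ "$ZIG_LOCAL_CACHE_DIR" != "$ZIG_GLOBAL_CACHE_DIR" ]] && mkdir -p "$ZIG_LOCAL_CACHE_DIR/tmp" || true
      - uses: actions/setup-dotnet@v4
        with:
          dotnet-version: "8.0"
      # Prefetch before msvcup/package so lazy deps (e.g. zigwin32 from GitHub) get retry
      # backoff; zig build msvcup-setup alone can hit HttpConnectionClosing with no retries.
      # matrix.target is expanded into the script text; its values come only from
      # the static matrix above, so no event-supplied text reaches the shell here.
      - name: Fetch deps with retries
        run: |
          fetch() {
            local args="$1"
            local n=0
            until [ "$n" -ge 5 ]; do
              zig build --fetch $args && return 0
              n=$((n+1))
              echo "Fetch attempt $n ($args) failed, sleeping $((n*10))s..."
              sleep $((n*10))
            done
            return 1
          }
          fetch "" || exit 1
          fetch "-Dtarget=${{ matrix.target }}" || exit 1
      # MSVC SDK has to materialize on disk BEFORE `zig build package` configures,
      # because applyMsvcIncludesToReachableTranslateC reads zig-libc-*.ini during
      # build() to add -isystem paths to DVUI's translate-c steps. -Dfetch-msvc only
      # schedules msvcup as a build-step dependency, which is too late.
      # MSI extraction on Linux preserves the SDK's mixed-case filenames
      # (kernel32.Lib, Windows.h, …). Downstream C code mixes cases freely:
      # gen_zig_libc_msvc.zig wants kernel32.lib, freetype includes <windows.h>,
      # kernelspecs.h includes "DriverSpecs.h" while disk has driverspecs.h.
      # Lowercase symlinks alone aren't enough (bidirectional mismatches), so
      # mount the install dir through ciopfs — a FUSE case-insensitive overlay
      # used precisely for this Windows-on-Linux scenario. msvcup writes through
      # the mount, files land lowercase on the backing dir, all case-variant
      # lookups by Zig / clang / the linker resolve.
      # NOTE(review): ciopfs is installed unpinned from the runner's apt sources and
      # the SDK payloads are fetched at build time; whether msvcup verifies what it
      # downloads is not visible in this file. Confirm before relying on it.
      - name: Setup MSVC SDK (Windows targets)
        if: endsWith(matrix.target, '-windows-msvc')
        run: |
          set -euo pipefail
          sudo apt-get update -qq
          sudo apt-get install -y ciopfs
          mkdir -p .velopack-msvc-real .velopack-msvc
          ciopfs .velopack-msvc-real .velopack-msvc
          # msvcup pulls ~50 cab files from download.visualstudio.microsoft.com;
          # individual TLS handshakes occasionally fail with TlsInitializationFailed.
          # setup-msvc.sh's needs_install check is keyed on kernel32.Lib presence, so
          # retrying resumes from a partial extraction rather than starting over.
          n=0
          until [ "$n" -ge 5 ]; do
            zig build msvcup-setup && break
            n=$((n + 1))
            echo "msvcup-setup attempt $n failed, sleeping $((n * 15))s..."
            sleep $((n * 15))
          done
          [ "$n" -lt 5 ] || { echo "msvcup-setup failed after 5 attempts"; exit 1; }
      - name: Package (${{ matrix.channel }})
        run: |
          set -euo pipefail
          zig build package -Doptimize=ReleaseFast "-Dtarget=${{ matrix.target }}"
      # Only zig-out/<channel> is uploaded, so the checkout's .git directory (which
      # holds the token persisted by actions/checkout) is not part of the artifact.
      - name: Upload zig-out-${{ matrix.channel }}
        uses: actions/upload-artifact@v4
        with:
          name: zig-out-${{ matrix.channel }}
          path: zig-out/${{ matrix.channel }}
          if-no-files-found: error

  # macOS: runs in the fizzy_release environment, which is where the signing and
  # notarization secrets used below are expected to live.
  package-macos:
    runs-on: ${{ matrix.runner }}
    environment: fizzy_release
    strategy:
      fail-fast: false
      matrix:
        include:
          - channel: x86-64-macos
            target: x86_64-macos
            runner: macos-latest
          - channel: arm64-macos
            target: aarch64-macos
            runner: macos-latest
    env:
      ZIG_GLOBAL_CACHE_DIR: ${{ github.workspace }}/.zig-cache-${{ github.run_id }}-${{ matrix.channel }}
      ZIG_LOCAL_CACHE_DIR: ${{ github.workspace }}/.zig-cache-${{ github.run_id }}-${{ matrix.channel }}-local
      # Read-only token (see `permissions`), visible to every step in this job.
      GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v4
        with:
          # Dispatched `tag` input is forced under refs/tags/; tag pushes use github.ref.
          ref: ${{ github.event.inputs.tag && format('refs/tags/{0}', github.event.inputs.tag) || github.ref }}
          fetch-tags: true
          fetch-depth: 0
      - uses: mlugg/setup-zig@v2
        with:
          version: ${{ env.ZIG_VERSION }}
          use-cache: false
      - name: Pre-create Zig cache tmp/
        shell: bash
        run: |
          mkdir -p "$ZIG_GLOBAL_CACHE_DIR/tmp"
          [[ "$ZIG_LOCAL_CACHE_DIR" != "$ZIG_GLOBAL_CACHE_DIR" ]] && mkdir -p "$ZIG_LOCAL_CACHE_DIR/tmp" || true
      - uses: actions/setup-dotnet@v4
        with:
          dotnet-version: "8.0"
      - name: Fetch deps with retries
        shell: bash
        run: |
          fetch() {
            local args="$1"
            local n=0
            until [ "$n" -ge 5 ]; do
              zig build --fetch $args && return 0
              n=$((n+1))
              echo "Fetch attempt $n ($args) failed, sleeping $((n*10))s..."
              sleep $((n*10))
            done
            return 1
          }
          fetch "" || exit 1
          fetch "-Dtarget=${{ matrix.target }}" || exit 1
      # Turns "is the secret set?" into plain true/false step outputs, so later
      # `if:` conditions never need to reference the secret values themselves.
      # NOTE(review): when the certificate secret is missing the job still succeeds
      # and only logs "macOS signing: disabled"; nothing here fails the release, so
      # a misconfigured environment surfaces only in the job log and the draft review.
      - name: Check signing config
        id: signing_config
        env:
          HAS_CERT: ${{ secrets.FIZZY_MACOS_CERT_P12_BASE64 != '' }}
          HAS_NOTARY: ${{ secrets.FIZZY_APPLE_ID != '' }}
        run: |
          echo "cert=$HAS_CERT" >> "$GITHUB_OUTPUT"
          echo "notary=$HAS_NOTARY" >> "$GITHUB_OUTPUT"
          if [[ "$HAS_CERT" == "true" ]]; then echo "macOS signing: ENABLED"; else echo "macOS signing: disabled"; fi
      - name: Import signing certificate
        if: steps.signing_config.outputs.cert == 'true'
        uses: apple-actions/import-codesign-certs@v3
        with:
          p12-file-base64: ${{ secrets.FIZZY_MACOS_CERT_P12_BASE64 }}
          p12-password: ${{ secrets.FIZZY_MACOS_CERT_PASSWORD }}
          keychain: fizzy-release-${{ matrix.channel }}
          create-keychain: true
      # Credentials reach the script through env vars rather than being expanded
      # into the script text, which keeps them out of the rendered command.
      - name: Configure notarytool credentials
        if: steps.signing_config.outputs.notary == 'true'
        env:
          APPLE_ID: ${{ secrets.FIZZY_APPLE_ID }}
          APPLE_APP_PASSWORD: ${{ secrets.FIZZY_APPLE_APP_PASSWORD }}
          APPLE_TEAM_ID: ${{ secrets.FIZZY_APPLE_TEAM_ID }}
        run: |
          set -euo pipefail
          xcrun notarytool store-credentials "fizzy-ci-notary-${{ matrix.channel }}" \
            --apple-id "$APPLE_ID" \
            --password "$APPLE_APP_PASSWORD" \
            --team-id "$APPLE_TEAM_ID"
          echo "FIZZY_MACOS_NOTARY_PROFILE=fizzy-ci-notary-${{ matrix.channel }}" >> "$GITHUB_ENV"
      - name: Package (${{ matrix.channel }})
        env:
          FIZZY_MACOS_SIGN_APP: ${{ secrets.FIZZY_MACOS_SIGN_APP }}
          FIZZY_MACOS_SIGN_INSTALLER: ${{ secrets.FIZZY_MACOS_SIGN_INSTALLER }}
        run: |
          set -euo pipefail
          zig build package -Doptimize=ReleaseFast "-Dtarget=${{ matrix.target }}"
      - name: Upload zig-out-${{ matrix.channel }}
        uses: actions/upload-artifact@v4
        with:
          name: zig-out-${{ matrix.channel }}
          path: zig-out/${{ matrix.channel }}
          if-no-files-found: error

  # Final job: the only one with contents: write. It collects the six artifacts and
  # hands them to scripts/release.sh from the checked-out tag.
  # NOTE(review): no checksum or attestation of the artifacts is produced or checked
  # in this workflow between upload and release; confirm whether scripts/release.sh
  # records or verifies hashes before the draft is created.
  assemble:
    needs: [package, package-macos]
    runs-on: ubuntu-latest
    permissions:
      contents: write
    env:
      GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    steps:
      - uses: actions/checkout@v4
        with:
          # Dispatched `tag` input is forced under refs/tags/, so release.sh always
          # comes from a tag; tag pushes use github.ref.
          ref: ${{ github.event.inputs.tag && format('refs/tags/{0}', github.event.inputs.tag) || github.ref }}
          fetch-tags: true
          fetch-depth: 0
      # Each package job uploads zig-out/<channel>; merge into zig-out/<channel>/ for release.sh.
      - name: Download all channel outputs
        uses: actions/download-artifact@v4
        with:
          pattern: zig-out-*
          path: _artifacts
          merge-multiple: false
      # The channel name is recovered by stripping the "zig-out-" artifact prefix.
      # `"$d"/*` does not match dotfiles, so hidden files in an artifact stay behind.
      - name: Layout zig-out for release script
        run: |
          set -euo pipefail
          mkdir -p zig-out
          for d in _artifacts/zig-out-*; do
            [[ -d "$d" ]] || continue
            base="$(basename "$d")"
            ch="${base#zig-out-}"
            mkdir -p "zig-out/$ch"
            mv "$d"/* "zig-out/$ch/"
          done
          ls -la zig-out/*/
      # SKIP_BUILD=1 reuses the downloaded artifacts instead of rebuilding.
      # PUBLISH=0 presumably keeps the release a draft (the header describes a draft
      # that the operator publishes); verify against scripts/release.sh.
      - name: Run release script (stage + gh release)
        shell: bash
        env:
          FIZZY_RELEASE_SKIP_BUILD: "1"
          FIZZY_RELEASE_PUBLISH: "0"
        run: ./scripts/release.sh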