name: Build macOS/iOS app on: workflow_call: workflow_dispatch: jobs: update-release-draft: name: update-release-draft runs-on: ubuntu-24.04 env: # mark:next-apple-version RELEASE_NAME: macos-client-1.5.10 steps: - uses: release-drafter/release-drafter@b1476f6e6eb133afa41ed8589daba6dc69b4d3f5 # v6.1.0 if: "${{ github.event_name == 'workflow_dispatch' && github.ref_name == 'main' }}" id: update-release-draft with: config-name: release-drafter-macos-client.yml tag: ${{ env.RELEASE_NAME}} version: ${{ env.RELEASE_NAME}} name: ${{ env.RELEASE_NAME}} commitish: ${{ github.sha }} env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} build: name: ${{ matrix.job_name }} needs: update-release-draft runs-on: macos-15 env: XCODE_VERSION: "26.0" permissions: contents: write # for attaching the build artifacts to the release id-token: write strategy: fail-fast: ${{ github.event_name == 'merge_group' }} matrix: include: - job_name: build-ios rust-targets: aarch64-apple-ios build-script: scripts/build/ios-appstore.sh upload-script: scripts/upload/app-store-connect.sh artifact-file: "Firezone.ipa" platform: iOS - job_name: build-macos-appstore rust-targets: aarch64-apple-darwin x86_64-apple-darwin build-script: scripts/build/macos-appstore.sh upload-script: scripts/upload/app-store-connect.sh artifact-file: "Firezone.pkg" platform: macOS - job_name: build-macos-standalone rust-targets: aarch64-apple-darwin x86_64-apple-darwin build-script: scripts/build/macos-standalone.sh upload-script: scripts/upload/github-release.sh # mark:next-apple-version artifact-file: "firezone-macos-client-1.5.10.dmg" # mark:next-apple-version pkg-artifact-file: "firezone-macos-client-1.5.10.pkg" # mark:next-apple-version release-name: macos-client-1.5.10 steps: - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: fetch-tags: true # Otherwise we cannot embed the correct version into the build. - uses: ./.github/actions/setup-rust with: targets: ${{ matrix.rust-targets }} sccache_azure_connection_string: ${{ secrets.SCCACHE_AZURE_CONNECTION_STRING }} - run: ${{ matrix.build-script }} env: IOS_APP_PROVISIONING_PROFILE: "${{ secrets.APPLE_IOS_APP_PROVISIONING_PROFILE }}" IOS_NE_PROVISIONING_PROFILE: "${{ secrets.APPLE_IOS_NE_PROVISIONING_PROFILE }}" MACOS_APP_PROVISIONING_PROFILE: "${{ secrets.APPLE_MACOS_APP_PROVISIONING_PROFILE }}" MACOS_NE_PROVISIONING_PROFILE: "${{ secrets.APPLE_MACOS_NE_PROVISIONING_PROFILE }}" STANDALONE_MACOS_APP_PROVISIONING_PROFILE: "${{ secrets.APPLE_STANDALONE_MACOS_APP_PROVISIONING_PROFILE }}" STANDALONE_MACOS_NE_PROVISIONING_PROFILE: "${{ secrets.APPLE_STANDALONE_MACOS_NE_PROVISIONING_PROFILE }}" BUILD_CERT: "${{ secrets.APPLE_BUILD_CERTIFICATE_BASE64 }}" BUILD_CERT_PASS: "${{ secrets.APPLE_BUILD_CERTIFICATE_P12_PASSWORD }}" INSTALLER_CERT: "${{ secrets.APPLE_MAC_INSTALLER_CERTIFICATE_BASE64 }}" INSTALLER_CERT_PASS: "${{ secrets.APPLE_MAC_INSTALLER_CERTIFICATE_P12_PASSWORD }}" STANDALONE_BUILD_CERT: "${{ secrets.APPLE_STANDALONE_BUILD_CERTIFICATE_BASE64 }}" STANDALONE_BUILD_CERT_PASS: "${{ secrets.APPLE_STANDALONE_BUILD_CERTIFICATE_P12_PASSWORD }}" STANDALONE_INSTALLER_CERT: "${{ secrets.APPLE_STANDALONE_MAC_INSTALLER_CERTIFICATE_BASE64 }}" STANDALONE_INSTALLER_CERT_PASS: "${{ secrets.APPLE_STANDALONE_MAC_INSTALLER_CERTIFICATE_P12_PASSWORD }}" ARTIFACT_PATH: "${{ runner.temp }}/${{ matrix.artifact-file }}" PKG_ARTIFACT_PATH: "${{ runner.temp }}/${{ matrix.pkg-artifact-file }}" NOTARIZE: "${{ github.event_name == 'workflow_dispatch' }}" ISSUER_ID: "${{ secrets.APPLE_APP_STORE_CONNECT_ISSUER_ID }}" API_KEY_ID: "${{ secrets.APPLE_APP_STORE_CONNECT_API_KEY_ID }}" API_KEY: "${{ secrets.APPLE_APP_STORE_CONNECT_API_KEY }}" TEMP_DIR: "${{ runner.temp }}" - name: Upload .dmg artifact uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0 if: "${{ github.event_name == 'workflow_dispatch' && matrix.job_name == 'build-macos-standalone' }}" with: name: macos-client-standalone-dmg path: "${{ runner.temp }}/${{ matrix.artifact-file }}" - name: Upload .pkg artifact uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0 if: "${{ github.event_name == 'workflow_dispatch' && matrix.job_name == 'build-macos-standalone' }}" with: name: macos-client-standalone-pkg path: "${{ runner.temp }}/${{ matrix.pkg-artifact-file }}" - run: ${{ matrix.upload-script }} if: "${{ github.event_name == 'workflow_dispatch' && (github.ref_name == 'main' || matrix.job_name != 'build-macos-standalone') }}" env: ARTIFACT_PATH: "${{ runner.temp }}/${{ matrix.artifact-file }}" ISSUER_ID: "${{ secrets.APPLE_APP_STORE_CONNECT_ISSUER_ID }}" API_KEY_ID: "${{ secrets.APPLE_APP_STORE_CONNECT_API_KEY_ID }}" API_KEY: "${{ secrets.APPLE_APP_STORE_CONNECT_API_KEY }}" GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" RELEASE_NAME: "${{ matrix.release-name }}" PLATFORM: "${{ matrix.platform }}" # We also publish a pkg file for MDMs that don't like our DMG (Intune error 0x87D30139) - run: ${{ matrix.upload-script }} if: "${{ github.event_name == 'workflow_dispatch' && github.ref_name == 'main' && matrix.job_name == 'build-macos-standalone' }}" env: ARTIFACT_PATH: "${{ runner.temp }}/${{ matrix.pkg-artifact-file }}" ISSUER_ID: "${{ secrets.APPLE_APP_STORE_CONNECT_ISSUER_ID }}" API_KEY_ID: "${{ secrets.APPLE_APP_STORE_CONNECT_API_KEY_ID }}" API_KEY: "${{ secrets.APPLE_APP_STORE_CONNECT_API_KEY }}" GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" RELEASE_NAME: "${{ matrix.release-name }}" PLATFORM: "${{ matrix.platform }}" - name: Setup sentry CLI if: "${{ github.event_name == 'workflow_dispatch' }}" uses: matbour/setup-sentry-cli@3e938c54b3018bdd019973689ef984e033b0454b #v2.0.0 with: token: ${{ secrets.SENTRY_AUTH_TOKEN }} organization: firezone-inc - name: Upload debug symbols to Sentry if: "${{ github.event_name == 'workflow_dispatch' }}" run: | # Remove the /Applications symlink in the DMG staging directory so Sentry doesn't # attempt to walk it. rm -f "${{ runner.temp }}/dmg/Applications" sentry-cli debug-files upload --log-level info --project apple-client --include-sources ${{ runner.temp }} sentry-cli debug-files upload --log-level info --project apple-client --include-sources ./rust/target