name: Build Tauri app on: workflow_call: workflow_dispatch: defaults: run: working-directory: ./rust/gui-client env: TSLINK_BUILD: true permissions: contents: "read" id-token: "write" jobs: update-release-draft: permissions: contents: write # for updating the release draft id-token: write name: update-release-draft runs-on: ubuntu-24.04 env: # mark:next-gui-version RELEASE_NAME: gui-client-1.5.9 steps: - uses: release-drafter/release-drafter@b1476f6e6eb133afa41ed8589daba6dc69b4d3f5 # v6.1.0 if: "${{ github.event_name == 'workflow_dispatch' && github.ref_name == 'main' }}" id: update-release-draft with: config-name: release-drafter-gui-client.yml tag: ${{ env.RELEASE_NAME }} version: ${{ env.RELEASE_NAME }} name: ${{ env.RELEASE_NAME }} commitish: ${{ github.sha }} env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} static-analysis: runs-on: ubuntu-24.04 steps: - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - uses: ./.github/actions/setup-node with: npmjs-token: ${{ secrets.NPMJS_TOKEN }} lockfile-dir: ./rust/gui-client - run: pnpm install - run: pnpm eslint . # Runs the Tauri client smoke test, built in debug mode. We can't run it in release # mode because of a known issue: smoke-test: name: gui-smoke-test-${{ matrix.runs-on }} strategy: fail-fast: ${{ github.event_name == 'merge_group' }} matrix: runs-on: [ubuntu-22.04, ubuntu-24.04, windows-2022, windows-2025] runs-on: ${{ matrix.runs-on }} defaults: run: # Must be in this dir for `pnpm` to work working-directory: ./rust/gui-client # The Windows client ignores RUST_LOG because it uses a settings file instead steps: - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - uses: ./.github/actions/setup-node with: npmjs-token: ${{ secrets.NPMJS_TOKEN }} lockfile-dir: ./rust/gui-client - uses: ./.github/actions/setup-rust with: sccache_azure_connection_string: ${{ secrets.SCCACHE_AZURE_CONNECTION_STRING }} - uses: ./.github/actions/setup-tauri-v2 timeout-minutes: 15 with: runtime: true - run: pnpm install - run: pnpm vite build - name: Build client run: cargo build -p firezone-gui-client --all-targets - uses: taiki-e/install-action@d31232495ad76f47aad66e3501e47780b49f0f3e # v2.57.5 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} with: tool: dump_syms - name: Run smoke test working-directory: ./rust run: cargo run -p gui-smoke-test timeout-minutes: 2 build-gui: name: build-gui-${{ matrix.runs-on }} needs: update-release-draft runs-on: ${{ matrix.runs-on }} permissions: contents: write # for attaching the build artifacts to the release id-token: write strategy: fail-fast: ${{ github.event_name == 'merge_group' }} matrix: include: - runs-on: ubuntu-22.04 arch: x86_64 os: linux pkg-extension: deb - runs-on: ubuntu-22.04-arm arch: aarch64 os: linux pkg-extension: deb - runs-on: windows-2022 arch: x86_64 os: windows pkg-extension: msi env: # mark:next-gui-version ARTIFACT_SRC: ./rust/gui-client/firezone-client-gui-${{ matrix.os }}_1.5.9_${{ matrix.arch }} # mark:next-gui-version ARTIFACT_DST: firezone-client-gui-${{ matrix.os }}_1.5.9_${{ matrix.arch }} AZURE_KEY_VAULT_URI: ${{ secrets.AZURE_KEY_VAULT_URI }} AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }} AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} AZURE_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }} AZURE_CERT_NAME: ${{ secrets.AZURE_CERT_NAME }} # mark:next-gui-version BINARY_DEST_PATH: firezone-client-gui-${{ matrix.os }}_1.5.9_${{ matrix.arch }} # Seems like there's no way to de-dupe env vars that depend on each other # mark:next-gui-version FIREZONE_GUI_VERSION: 1.5.9 RENAME_SCRIPT: ../../scripts/build/tauri-rename-${{ matrix.os }}.sh TEST_INSTALL_SCRIPT: ../../scripts/tests/gui-client-install-${{ matrix.os }}-${{ matrix.pkg-extension }}.sh TARGET_DIR: ../target UPLOAD_SCRIPT: ../../scripts/build/tauri-upload-${{ matrix.os }}.sh steps: - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: fetch-tags: true # Otherwise we cannot embed the correct version into the build. - uses: ./.github/actions/setup-node with: npmjs-token: ${{ secrets.NPMJS_TOKEN }} lockfile-dir: ./rust/gui-client - uses: ./.github/actions/setup-rust with: sccache_azure_connection_string: ${{ secrets.SCCACHE_AZURE_CONNECTION_STRING }} - uses: ./.github/actions/setup-tauri-v2 # Installing new packages can take time timeout-minutes: 15 - uses: matbour/setup-sentry-cli@3e938c54b3018bdd019973689ef984e033b0454b #v2.0.0 with: token: ${{ secrets.SENTRY_AUTH_TOKEN }} organization: firezone-inc - name: Install pnpm deps run: pnpm install - uses: ./.github/actions/setup-azure-sign-tool - name: Build release exe and MSI / deb env: CARGO_PROFILE_RELEASE_LTO: thin # Fat LTO is getting too slow / RAM-hungry on Tauri builds # Signs the exe before bundling it into the MSI run: pnpm build - name: Ensure unmodified Git workspace run: git diff --exit-code # We need to sign the exe inside the MSI. Currently # we do this in a "beforeBundleCommand" hook in tauri.windows.conf.json. # But this will soon be natively supported in Tauri. # TODO: Use Tauri's native MSI signing with support for EV certs # See https://github.com/tauri-apps/tauri/pull/8718 - name: Sign the MSI if: ${{ runner.os == 'Windows' }} shell: bash run: ../../scripts/build/sign.sh ../target/release/bundle/msi/Firezone_${{ env.FIREZONE_GUI_VERSION }}_x64_en-US.msi - name: Rename artifacts and compute SHA256 shell: bash run: ${{ env.RENAME_SCRIPT }} - name: Upload deb / msi package uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0 with: name: ${{ env.ARTIFACT_DST }}-${{ matrix.pkg-extension }} path: ${{ env.ARTIFACT_SRC }}.${{ matrix.pkg-extension }} if-no-files-found: error - name: Upload rpm package if: "${{ runner.os == 'Linux' }}" uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0 with: name: ${{ env.ARTIFACT_DST }}-rpm path: ${{ env.ARTIFACT_SRC }}.rpm if-no-files-found: error - name: Test installation if: "${{ github.event_name == 'workflow_dispatch' }}" shell: bash run: ${{ env.TEST_INSTALL_SCRIPT }} - name: Upload debug symbols to Sentry if: "${{ github.event_name == 'workflow_dispatch' && github.ref_name == 'main' }}" run: | sentry-cli debug-files upload --log-level info --project gui-client --include-sources ../target - name: Upload Release Assets if: "${{ github.event_name == 'workflow_dispatch' && github.ref_name == 'main' }}" env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} REPOSITORY: ${{ github.repository }} TAG_NAME: gui-client-${{ env.FIREZONE_GUI_VERSION }} shell: bash run: ${{ env.UPLOAD_SCRIPT }} - name: Upload to preview repository if: ${{ github.event_name == 'workflow_dispatch' && github.ref_name == 'main' && runner.os == 'Linux' }} shell: bash run: | az storage blob upload-batch \ --destination apt \ --source . \ --pattern "*.deb" \ --destination-path import-preview \ --overwrite \ --no-progress \ --connection-string "${{ secrets.AZURERM_ARTIFACTS_CONNECTION_STRING }}" regenerate-apt-index: needs: build-gui if: ${{ github.event_name == 'workflow_dispatch' && github.ref_name == 'main' }} uses: ./.github/workflows/_apt.yml secrets: inherit