firezone/.github/workflows/_swift.yml

name: Build macOS/iOS app
on:
  workflow_call:
  workflow_dispatch:

jobs:
  update-release-draft:
    name: update-release-draft
    runs-on: ubuntu-24.04
    env:
      # mark:next-apple-version
      RELEASE_NAME: macos-client-1.5.10
    steps:
      - uses: release-drafter/release-drafter@b1476f6e6eb133afa41ed8589daba6dc69b4d3f5 # v6.1.0
        if: "${{ github.event_name == 'workflow_dispatch' && github.ref_name == 'main' }}"
        id: update-release-draft
        with:
          config-name: release-drafter-macos-client.yml
          tag: ${{ env.RELEASE_NAME}}
          version: ${{ env.RELEASE_NAME}}
          name: ${{ env.RELEASE_NAME}}
          commitish: ${{ github.sha }}
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

  build:
    name: ${{ matrix.job_name }}
    needs: update-release-draft
    runs-on: macos-15
    env:
      XCODE_VERSION: "26.0"
    permissions:
      contents: write # for attaching the build artifacts to the release
      id-token: write
    strategy:
      fail-fast: ${{ github.event_name == 'merge_group' }}
      matrix:
        include:
          - job_name: build-ios
            rust-targets: aarch64-apple-ios
            build-script: scripts/build/ios-appstore.sh
            upload-script: scripts/upload/app-store-connect.sh
            artifact-file: "Firezone.ipa"
            platform: iOS

          - job_name: build-macos-appstore
            rust-targets: aarch64-apple-darwin x86_64-apple-darwin
            build-script: scripts/build/macos-appstore.sh
            upload-script: scripts/upload/app-store-connect.sh
            artifact-file: "Firezone.pkg"
            platform: macOS

          - job_name: build-macos-standalone
            rust-targets: aarch64-apple-darwin x86_64-apple-darwin
            build-script: scripts/build/macos-standalone.sh
            upload-script: scripts/upload/github-release.sh
            # mark:next-apple-version
            artifact-file: "firezone-macos-client-1.5.10.dmg"
            # mark:next-apple-version
            pkg-artifact-file: "firezone-macos-client-1.5.10.pkg"
            # mark:next-apple-version
            release-name: macos-client-1.5.10
    steps:
      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          fetch-tags: true # Otherwise we cannot embed the correct version into the build.
      - uses: ./.github/actions/setup-rust
        with:
          targets: ${{ matrix.rust-targets }}
          sccache_azure_connection_string: ${{ secrets.SCCACHE_AZURE_CONNECTION_STRING }}
      - run: ${{ matrix.build-script }}
        env:
          IOS_APP_PROVISIONING_PROFILE: "${{ secrets.APPLE_IOS_APP_PROVISIONING_PROFILE }}"
          IOS_NE_PROVISIONING_PROFILE: "${{ secrets.APPLE_IOS_NE_PROVISIONING_PROFILE }}"
          MACOS_APP_PROVISIONING_PROFILE: "${{ secrets.APPLE_MACOS_APP_PROVISIONING_PROFILE }}"
          MACOS_NE_PROVISIONING_PROFILE: "${{ secrets.APPLE_MACOS_NE_PROVISIONING_PROFILE }}"
          STANDALONE_MACOS_APP_PROVISIONING_PROFILE: "${{ secrets.APPLE_STANDALONE_MACOS_APP_PROVISIONING_PROFILE }}"
          STANDALONE_MACOS_NE_PROVISIONING_PROFILE: "${{ secrets.APPLE_STANDALONE_MACOS_NE_PROVISIONING_PROFILE }}"
          BUILD_CERT: "${{ secrets.APPLE_BUILD_CERTIFICATE_BASE64 }}"
          BUILD_CERT_PASS: "${{ secrets.APPLE_BUILD_CERTIFICATE_P12_PASSWORD }}"
          INSTALLER_CERT: "${{ secrets.APPLE_MAC_INSTALLER_CERTIFICATE_BASE64 }}"
          INSTALLER_CERT_PASS: "${{ secrets.APPLE_MAC_INSTALLER_CERTIFICATE_P12_PASSWORD }}"
          STANDALONE_BUILD_CERT: "${{ secrets.APPLE_STANDALONE_BUILD_CERTIFICATE_BASE64 }}"
          STANDALONE_BUILD_CERT_PASS: "${{ secrets.APPLE_STANDALONE_BUILD_CERTIFICATE_P12_PASSWORD }}"
          STANDALONE_INSTALLER_CERT: "${{ secrets.APPLE_STANDALONE_MAC_INSTALLER_CERTIFICATE_BASE64 }}"
          STANDALONE_INSTALLER_CERT_PASS: "${{ secrets.APPLE_STANDALONE_MAC_INSTALLER_CERTIFICATE_P12_PASSWORD }}"
          ARTIFACT_PATH: "${{ runner.temp }}/${{ matrix.artifact-file }}"
          PKG_ARTIFACT_PATH: "${{ runner.temp }}/${{ matrix.pkg-artifact-file }}"
          NOTARIZE: "${{ github.event_name == 'workflow_dispatch' }}"
          ISSUER_ID: "${{ secrets.APPLE_APP_STORE_CONNECT_ISSUER_ID }}"
          API_KEY_ID: "${{ secrets.APPLE_APP_STORE_CONNECT_API_KEY_ID }}"
          API_KEY: "${{ secrets.APPLE_APP_STORE_CONNECT_API_KEY }}"
          TEMP_DIR: "${{ runner.temp }}"
      - name: Upload .dmg artifact
        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
        if: "${{ github.event_name == 'workflow_dispatch' && matrix.job_name == 'build-macos-standalone' }}"
        with:
          name: macos-client-standalone-dmg
          path: "${{ runner.temp }}/${{ matrix.artifact-file }}"
      - name: Upload .pkg artifact
        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
        if: "${{ github.event_name == 'workflow_dispatch' && matrix.job_name == 'build-macos-standalone' }}"
        with:
          name: macos-client-standalone-pkg
          path: "${{ runner.temp }}/${{ matrix.pkg-artifact-file }}"
      - run: ${{ matrix.upload-script }}
        if: "${{ github.event_name == 'workflow_dispatch' && (github.ref_name == 'main' || matrix.job_name != 'build-macos-standalone') }}"
        env:
          ARTIFACT_PATH: "${{ runner.temp }}/${{ matrix.artifact-file }}"
          ISSUER_ID: "${{ secrets.APPLE_APP_STORE_CONNECT_ISSUER_ID }}"
          API_KEY_ID: "${{ secrets.APPLE_APP_STORE_CONNECT_API_KEY_ID }}"
          API_KEY: "${{ secrets.APPLE_APP_STORE_CONNECT_API_KEY }}"
          GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
          RELEASE_NAME: "${{ matrix.release-name }}"
          PLATFORM: "${{ matrix.platform }}"
      # We also publish a pkg file for MDMs that don't like our DMG (Intune error 0x87D30139)
      - run: ${{ matrix.upload-script }}
        if: "${{ github.event_name == 'workflow_dispatch' && github.ref_name == 'main' && matrix.job_name == 'build-macos-standalone' }}"
        env:
          ARTIFACT_PATH: "${{ runner.temp }}/${{ matrix.pkg-artifact-file }}"
          ISSUER_ID: "${{ secrets.APPLE_APP_STORE_CONNECT_ISSUER_ID }}"
          API_KEY_ID: "${{ secrets.APPLE_APP_STORE_CONNECT_API_KEY_ID }}"
          API_KEY: "${{ secrets.APPLE_APP_STORE_CONNECT_API_KEY }}"
          GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
          RELEASE_NAME: "${{ matrix.release-name }}"
          PLATFORM: "${{ matrix.platform }}"
      - name: Setup sentry CLI
        if: "${{ github.event_name == 'workflow_dispatch' }}"
        uses: matbour/setup-sentry-cli@3e938c54b3018bdd019973689ef984e033b0454b #v2.0.0
        with:
          token: ${{ secrets.SENTRY_AUTH_TOKEN }}
          organization: firezone-inc
      - name: Upload debug symbols to Sentry
        if: "${{ github.event_name == 'workflow_dispatch' }}"
        run: |
          # Remove the /Applications symlink in the DMG staging directory so Sentry doesn't
          # attempt to walk it.
          rm -f "${{ runner.temp }}/dmg/Applications"

          sentry-cli debug-files upload --log-level info --project apple-client --include-sources ${{ runner.temp }}
          sentry-cli debug-files upload --log-level info --project apple-client --include-sources ./rust/target