name: Swift on: workflow_call: workflow_dispatch: jobs: build: name: ${{ matrix.job_name }} runs-on: macos-15 permissions: contents: write # for attaching the build artifacts to the release id-token: write env: XCODE_VERSION: "16.2" strategy: fail-fast: false matrix: include: - job_name: build-ios rust-targets: aarch64-apple-ios build-script: scripts/build/ios-appstore.sh upload-script: scripts/upload/app-store-connect.sh artifact-file: "Firezone.ipa" platform: iOS - job_name: build-macos-appstore rust-targets: aarch64-apple-darwin x86_64-apple-darwin build-script: scripts/build/macos-appstore.sh upload-script: scripts/upload/app-store-connect.sh artifact-file: "Firezone.pkg" platform: macOS - job_name: build-macos-standalone rust-targets: aarch64-apple-darwin x86_64-apple-darwin build-script: scripts/build/macos-standalone.sh upload-script: scripts/upload/github-release.sh # mark:next-apple-version artifact-file: "firezone-macos-client-1.4.2.dmg" # mark:next-apple-version release-name: macos-client-1.4.2 steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: fetch-tags: true # Otherwise we cannot embed the correct version into the build. - uses: ./.github/actions/setup-rust with: targets: ${{ matrix.rust-targets }} - uses: actions/cache/restore@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0 name: Restore Swift DerivedData Cache id: cache with: path: ~/Library/Developer/Xcode/DerivedData key: ${{ runner.os }}-${{ hashFiles('swift/*', 'rust/**/*.rs', 'rust/**/*.toml', 'rust/**/*.lock}') }} - run: ${{ matrix.build-script }} env: IOS_APP_PROVISIONING_PROFILE: "${{ secrets.APPLE_IOS_APP_PROVISIONING_PROFILE }}" IOS_NE_PROVISIONING_PROFILE: "${{ secrets.APPLE_IOS_NE_PROVISIONING_PROFILE }}" MACOS_APP_PROVISIONING_PROFILE: "${{ secrets.APPLE_MACOS_APP_PROVISIONING_PROFILE }}" MACOS_NE_PROVISIONING_PROFILE: "${{ secrets.APPLE_MACOS_NE_PROVISIONING_PROFILE }}" STANDALONE_MACOS_APP_PROVISIONING_PROFILE: "${{ secrets.APPLE_STANDALONE_MACOS_APP_PROVISIONING_PROFILE }}" STANDALONE_MACOS_NE_PROVISIONING_PROFILE: "${{ secrets.APPLE_STANDALONE_MACOS_NE_PROVISIONING_PROFILE }}" BUILD_CERT: "${{ secrets.APPLE_BUILD_CERTIFICATE_BASE64 }}" BUILD_CERT_PASS: "${{ secrets.APPLE_BUILD_CERTIFICATE_P12_PASSWORD }}" INSTALLER_CERT: "${{ secrets.APPLE_MAC_INSTALLER_CERTIFICATE_BASE64 }}" INSTALLER_CERT_PASS: "${{ secrets.APPLE_MAC_INSTALLER_CERTIFICATE_P12_PASSWORD }}" STANDALONE_BUILD_CERT: "${{ secrets.APPLE_STANDALONE_BUILD_CERTIFICATE_BASE64 }}" STANDALONE_BUILD_CERT_PASS: "${{ secrets.APPLE_STANDALONE_BUILD_CERTIFICATE_P12_PASSWORD }}" ARTIFACT_PATH: "${{ runner.temp }}/${{ matrix.artifact-file }}" NOTARIZE: "${{ github.event_name == 'workflow_dispatch' }}" ISSUER_ID: "${{ secrets.APPLE_APP_STORE_CONNECT_ISSUER_ID }}" API_KEY_ID: "${{ secrets.APPLE_APP_STORE_CONNECT_API_KEY_ID }}" API_KEY: "${{ secrets.APPLE_APP_STORE_CONNECT_API_KEY }}" TEMP_DIR: "${{ runner.temp }}" - run: ${{ matrix.upload-script }} if: "${{ github.event_name == 'workflow_dispatch' }}" env: ARTIFACT_PATH: "${{ runner.temp }}/${{ matrix.artifact-file }}" ISSUER_ID: "${{ secrets.APPLE_APP_STORE_CONNECT_ISSUER_ID }}" API_KEY_ID: "${{ secrets.APPLE_APP_STORE_CONNECT_API_KEY_ID }}" API_KEY: "${{ secrets.APPLE_APP_STORE_CONNECT_API_KEY }}" GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" RELEASE_NAME: "${{ matrix.release-name }}" PLATFORM: "${{ matrix.platform }}" - name: Setup sentry CLI if: "${{ github.event_name == 'workflow_dispatch' }}" uses: matbour/setup-sentry-cli@3e938c54b3018bdd019973689ef984e033b0454b #v2.0.0 with: token: ${{ secrets.SENTRY_AUTH_TOKEN }} organization: firezone-inc - name: Upload debug symbols to Sentry if: "${{ github.event_name == 'workflow_dispatch' }}" run: | # Remove the /Applications symlink in the DMG staging directory so Sentry doesn't # attempt to walk it. rm -f "${{ runner.temp }}/dmg/Applications" sentry-cli debug-files upload --log-level info --project apple-client --include-sources ${{ runner.temp }} sentry-cli debug-files upload --log-level info --project apple-client --include-sources ./rust/target - uses: actions/cache/save@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0 if: ${{ steps.cache.outputs.cache-hit != 'true'}} name: Save Swift DerivedData Cache with: path: ~/Library/Developer/Xcode/DerivedData # Swift benefits heavily from build cache, so aggressively write a new one # on each build on `main` and attempt to restore it in PR builds with broader restore-key. key: ${{ steps.cache.outputs.cache-primary-key }} update-release-draft: name: update-release-draft needs: build runs-on: ubuntu-22.04 env: # mark:next-apple-version RELEASE_NAME: macos-client-1.4.2 steps: - uses: release-drafter/release-drafter@b1476f6e6eb133afa41ed8589daba6dc69b4d3f5 # v6.1.0 if: "${{ github.event_name == 'workflow_dispatch' && github.ref_name == 'main' }}" id: update-release-draft with: config-name: release-drafter-macos-client.yml tag: ${{ env.RELEASE_NAME}} version: ${{ env.RELEASE_NAME}} name: ${{ env.RELEASE_NAME}} commitish: ${{ github.sha }} env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}