firezone/.github/workflows/_tauri.yml

name: Tauri
on:
  workflow_call:
  workflow_dispatch:

defaults:
  run:
    working-directory: ./rust/gui-client

# Never tolerate warnings. Source of truth is `_rust.yml`
env:
  RUSTFLAGS: "-Dwarnings"
  RUSTDOCFLAGS: "-D warnings"

jobs:
  update-release-draft:
    name: update-release-draft
    runs-on: ubuntu-22.04
    env:
      # mark:next-gui-version
      RELEASE_NAME: gui-client-1.4.10
    steps:
      - uses: release-drafter/release-drafter@b1476f6e6eb133afa41ed8589daba6dc69b4d3f5 # v6.1.0
        if: "${{ github.event_name == 'workflow_dispatch' && github.ref_name == 'main' }}"
        id: update-release-draft
        with:
          config-name: release-drafter-gui-client.yml
          tag: ${{ env.RELEASE_NAME }}
          version: ${{ env.RELEASE_NAME }}
          name: ${{ env.RELEASE_NAME }}
          commitish: ${{ github.sha }}
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

  build-gui:
    name: build-gui-${{ matrix.runs-on }}
    needs: update-release-draft
    runs-on: ${{ matrix.runs-on }}
    permissions:
      contents: write # for attaching the build artifacts to the release
      id-token: write
    strategy:
      fail-fast: false
      matrix:
        include:
          - runs-on: ubuntu-22.04
            arch: x86_64
            os: linux
            pkg-extension: deb
          - runs-on: ubuntu-22.04-arm
            arch: aarch64
            os: linux
            pkg-extension: deb
          - runs-on: windows-2019
            arch: x86_64
            os: windows
            pkg-extension: msi
    env:
      # mark:next-gui-version
      ARTIFACT_SRC: ./rust/gui-client/firezone-client-gui-${{ matrix.os }}_1.4.10_${{ matrix.arch }}
      # mark:next-gui-version
      ARTIFACT_DST: firezone-client-gui-${{ matrix.os }}_1.4.10_${{ matrix.arch }}
      AZURE_KEY_VAULT_URI: ${{ secrets.AZURE_KEY_VAULT_URI }}
      AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
      AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
      AZURE_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }}
      AZURE_CERT_NAME: ${{ secrets.AZURE_CERT_NAME }}
      # mark:next-gui-version
      BINARY_DEST_PATH: firezone-client-gui-${{ matrix.os }}_1.4.10_${{ matrix.arch }}
      # Seems like there's no way to de-dupe env vars that depend on each other
      # mark:next-gui-version
      FIREZONE_GUI_VERSION: 1.4.10
      RENAME_SCRIPT: ../../scripts/build/tauri-rename-${{ matrix.os }}.sh
      TEST_INSTALL_SCRIPT: ../../scripts/tests/gui-client-install-${{ matrix.os }}-${{ matrix.pkg-extension }}.sh
      TARGET_DIR: ../target
      UPLOAD_SCRIPT: ../../scripts/build/tauri-upload-${{ matrix.os }}.sh
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          fetch-tags: true # Otherwise we cannot embed the correct version into the build.
      - uses: ./.github/actions/setup-node
      - uses: ./.github/actions/setup-rust
      - uses: ./.github/actions/setup-tauri-v2
        # Installing new packages can take time
        timeout-minutes: 10
      - uses: matbour/setup-sentry-cli@3e938c54b3018bdd019973689ef984e033b0454b #v2.0.0
        with:
          token: ${{ secrets.SENTRY_AUTH_TOKEN }}
          organization: firezone-inc
      - name: Install pnpm deps
        run: pnpm install
      - name: Install AzureSignTool
        if: ${{ runner.os == 'Windows' }}
        shell: bash
        # AzureSignTool >= 5 needs .NET 8. windows-2019 runner only has .NET 7.
        run: dotnet tool install --global AzureSignTool --version 4.0.1
      - name: Build release exe and MSI / deb
        env:
          CARGO_PROFILE_RELEASE_LTO: thin # Fat LTO is getting too slow / RAM-hungry on Tauri builds
        # Signs the exe before bundling it into the MSI
        run: pnpm build
      - name: Ensure unmodified Git workspace
        run: git diff --exit-code
      # We need to sign the exe inside the MSI. Currently
      # we do this in a "beforeBundleCommand" hook in tauri.windows.conf.json.
      # But this will soon be natively supported in Tauri.
      # TODO: Use Tauri's native MSI signing with support for EV certs
      # See https://github.com/tauri-apps/tauri/pull/8718
      - name: Sign the MSI
        if: ${{ runner.os == 'Windows' }}
        shell: bash
        run: ../../scripts/build/sign.sh ../target/release/bundle/msi/Firezone_${{ env.FIREZONE_GUI_VERSION }}_x64_en-US.msi
      - name: Rename artifacts and compute SHA256
        shell: bash
        run: ${{ env.RENAME_SCRIPT }}
      - name: Upload deb / msi package
        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        with:
          name: ${{ env.ARTIFACT_DST }}-pkg
          path: ${{ env.ARTIFACT_SRC }}.${{ matrix.pkg-extension }}
          if-no-files-found: error
      - name: Upload rpm package
        if: "${{ runner.os == 'Linux' }}"
        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        with:
          name: ${{ env.ARTIFACT_DST }}-rpm
          path: ${{ env.ARTIFACT_SRC }}.rpm
          if-no-files-found: error
      - name: Test installation
        if: "${{ github.event_name == 'workflow_dispatch' }}"
        shell: bash
        run: ${{ env.TEST_INSTALL_SCRIPT }}

      - name: Upload debug symbols to Sentry
        if: "${{ github.event_name == 'workflow_dispatch' && github.ref_name == 'main' }}"
        run: |
          sentry-cli debug-files upload --log-level info --project gui-client --include-sources ../target

      - name: Upload Release Assets
        if: "${{ github.event_name == 'workflow_dispatch' && github.ref_name == 'main' }}"
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          REPOSITORY: ${{ github.repository }}
          TAG_NAME: gui-client-${{ env.FIREZONE_GUI_VERSION }}
        shell: bash
        run: ${{ env.UPLOAD_SCRIPT }}