pulse-zax/.github/workflows/desktop-release.yml

name: Desktop Release

on:
  workflow_dispatch:
    inputs:
      version:
        description: "Release version (e.g. 0.1.0). Leave empty to use package.json version."
        required: false
        type: string

permissions:
  contents: write

jobs:
  build-desktop:
    strategy:
      fail-fast: false
      matrix:
        include:
          - os: macos-latest
            platform: darwin
            arch: arm64
            make_targets: --platform=darwin --arch=arm64
          - os: ubuntu-latest
            platform: linux
            arch: x64
            make_targets: --platform=linux --arch=x64
          - os: windows-latest
            platform: win32
            arch: x64
            make_targets: --platform=win32 --arch=x64

    runs-on: ${{ matrix.os }}
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Install Bun
        uses: oven-sh/setup-bun@v2
        with:
          bun-version: latest

      # Linux: install RPM tooling for MakerRpm
      - name: Install Linux packaging deps
        if: matrix.platform == 'linux'
        run: sudo apt-get update && sudo apt-get install -y rpm

      # macOS: install CMake for native audio modules
      - name: Install CMake (macOS)
        if: matrix.platform == 'darwin'
        run: brew install cmake

      # macOS: import code signing certificate (optional)
      - name: Import code signing certificate
        if: matrix.platform == 'darwin' && env.APPLE_CERTIFICATE_BASE64 != ''
        env:
          APPLE_CERTIFICATE_BASE64: ${{ secrets.APPLE_CERTIFICATE_BASE64 }}
          APPLE_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
        run: |
          CERT_FILE=$(mktemp /tmp/cert.XXXXXX.p12)
          echo "$APPLE_CERTIFICATE_BASE64" | base64 --decode > "$CERT_FILE"
          KEYCHAIN=build.keychain
          security create-keychain -p "" "$KEYCHAIN"
          security default-keychain -s "$KEYCHAIN"
          security unlock-keychain -p "" "$KEYCHAIN"
          security import "$CERT_FILE" -k "$KEYCHAIN" -P "$APPLE_CERTIFICATE_PASSWORD" -T /usr/bin/codesign
          security set-key-partition-list -S apple-tool:,apple: -s -k "" "$KEYCHAIN"
          rm "$CERT_FILE"          

      - name: Install dependencies
        run: bun install

      # macOS: build native CoreAudio modules
      - name: Build native modules (macOS)
        if: matrix.platform == 'darwin'
        working-directory: apps/desktop
        run: bun run build:native

      - name: Build desktop app
        working-directory: apps/desktop
        run: bun run build

      - name: Package with Electron Forge
        working-directory: apps/desktop
        env:
          APPLE_IDENTITY: ${{ secrets.APPLE_IDENTITY }}
          APPLE_ID: ${{ secrets.APPLE_ID }}
          APPLE_PASSWORD: ${{ secrets.APPLE_PASSWORD }}
          APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
        run: bun run forge -- make ${{ matrix.make_targets }}

      # macOS: patch Info.plist for media permissions
      - name: Patch macOS bundle
        if: matrix.platform == 'darwin'
        working-directory: apps/desktop
        run: bash scripts/patch-macos.sh

      - name: Upload artifacts
        uses: actions/upload-artifact@v4
        with:
          name: desktop-${{ matrix.platform }}-${{ matrix.arch }}
          path: |
            apps/desktop/out/make/**/*.dmg
            apps/desktop/out/make/**/*.zip
            apps/desktop/out/make/**/*.deb
            apps/desktop/out/make/**/*.rpm            
          if-no-files-found: error

  release:
    needs: build-desktop
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Determine version
        id: version
        run: |
          if [ -n "${{ inputs.version }}" ]; then
            echo "tag=v${{ inputs.version }}" >> "$GITHUB_OUTPUT"
            echo "name=Desktop v${{ inputs.version }}" >> "$GITHUB_OUTPUT"
          else
            VERSION=$(jq -r .version apps/desktop/package.json)
            echo "tag=desktop-v${VERSION}" >> "$GITHUB_OUTPUT"
            echo "name=Desktop v${VERSION}" >> "$GITHUB_OUTPUT"
          fi          

      - name: Download all artifacts
        uses: actions/download-artifact@v4
        with:
          path: artifacts
          merge-multiple: false

      - name: List artifacts
        run: find artifacts -type f | head -50

      - name: Create GitHub Release
        uses: softprops/action-gh-release@v2
        with:
          tag_name: ${{ steps.version.outputs.tag }}
          name: ${{ steps.version.outputs.name }}
          draft: true
          files: |
            artifacts/**/*.dmg
            artifacts/**/*.zip
            artifacts/**/*.deb
            artifacts/**/*.rpm            
          body: |
            ## Desktop Client

            ### Downloads
            | Platform | File |
            |----------|------|
            | macOS (Apple Silicon) | `.dmg` or `.zip` |
            | Windows | `.zip` |
            | Linux (Debian/Ubuntu) | `.deb` |
            | Linux (Fedora/RHEL) | `.rpm` |

            ### Notes
            (TODO)