diff --git a/.github/workflows/frontend-nightly.yml b/.github/workflows/frontend-nightly.yml index 68c79b9b8..b58e1524c 100644 --- a/.github/workflows/frontend-nightly.yml +++ b/.github/workflows/frontend-nightly.yml @@ -49,7 +49,7 @@ jobs: strategy: fail-fast: false matrix: - os: [macos-latest, macos-13, windows-latest, ubuntu-latest] + os: [macos-latest, windows-latest, ubuntu-latest] runs-on: ${{ matrix.os }} permissions: contents: write @@ -93,6 +93,70 @@ jobs: # macOS signing + notarization env is exported by the "macOS signing # setup" step above via $GITHUB_ENV; the cert is in the keychain. + # Dedicated Intel (darwin-x64) nightly build leg, decoupled from the release + # matrix so the scarce macos-13 runner does not block publish-feed. Mirrors + # the release job's macOS steps exactly. publish-feed stays needs: release + # only (three fast legs); the x64 feed entry appears if this job finishes + # first, but the feed is not gated on it. + release-intel: + needs: guard + if: needs.guard.outputs.should_build == 'true' + runs-on: macos-13 + permissions: + contents: write + defaults: + run: + working-directory: frontend + steps: + - uses: actions/checkout@v4 + - uses: actions/setup-node@v4 + with: + node-version: 20 + cache: npm + cache-dependency-path: frontend/package-lock.json + - uses: actions/setup-go@v5 + with: + go-version-file: backend/go.mod + cache-dependency-path: backend/go.sum + - run: npm ci + - name: Stamp nightly version + shell: bash + env: + NIGHTLY_VERSION: ${{ needs.guard.outputs.version }} + run: | + node -e "const v=process.env.NIGHTLY_VERSION.split('+')[0]; const fs=require('fs'); const p=require('./package.json'); p.version=v; fs.writeFileSync('./package.json', JSON.stringify(p,null,'\t')+'\n');" + - name: macOS signing setup + uses: ./.github/actions/macos-signing-setup + with: + csc-link: ${{ secrets.CSC_LINK }} + csc-key-password: ${{ secrets.CSC_KEY_PASSWORD }} + apple-api-key-base64: ${{ secrets.APPLE_API_KEY_BASE64 }} + apple-api-key-id: ${{ secrets.APPLE_API_KEY_ID }} + apple-api-issuer: ${{ secrets.APPLE_API_ISSUER }} + apple-signing-identity: ${{ secrets.APPLE_SIGNING_IDENTITY }} + - name: Publish + run: npm run publish + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + AO_RELEASE_REPO: ${{ github.repository }} + AO_RELEASE_PRERELEASE: "true" + - name: Upload stable asset aliases (macOS) + shell: bash + run: | + tag="v$(node -p "require('./package.json').version")" + arch="$(uname -m)" + case "$arch" in + arm64) alias_name="agent-orchestrator-darwin-arm64.zip" ;; + x86_64) alias_name="agent-orchestrator-darwin-x64.zip" ;; + *) echo "unsupported macOS arch: $arch" >&2; exit 1 ;; + esac + src="$(ls out/make/zip/darwin/*/*.zip | head -n1)" + if [ -z "$src" ]; then echo "no macOS zip found under out/make/zip/darwin" >&2; exit 1; fi + cp "$src" "$alias_name" + gh release upload "$tag" "$alias_name" --clobber + env: + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + # Generate the nightly electron-updater feed from the versioned prerelease # assets. The nightly version is only stamped in-memory on the build runners, # so derive the tag from the guard job's computed version, not package.json. diff --git a/.github/workflows/frontend-release.yml b/.github/workflows/frontend-release.yml index 3787b970f..93b8361a8 100644 --- a/.github/workflows/frontend-release.yml +++ b/.github/workflows/frontend-release.yml @@ -39,7 +39,7 @@ jobs: strategy: fail-fast: false matrix: - os: [macos-latest, macos-13, windows-latest, ubuntu-latest] + os: [macos-latest, windows-latest, ubuntu-latest] runs-on: ${{ matrix.os }} permissions: contents: write @@ -150,6 +150,61 @@ jobs: env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + # Dedicated Intel (darwin-x64) build leg, decoupled from the release matrix so + # the scarce macos-13 runner does not block publish-feed. publish-feed needs + # only the three fast legs (release); this job uploads the x64 installer and + # stable alias independently. feed.mjs includes the x64 entry if this job + # finishes before publish-feed, but the feed is not gated on it. + release-intel: + runs-on: macos-13 + permissions: + contents: write + defaults: + run: + working-directory: frontend + steps: + - uses: actions/checkout@v4 + - uses: actions/setup-node@v4 + with: + node-version: 20 + cache: npm + cache-dependency-path: frontend/package-lock.json + - uses: actions/setup-go@v5 + with: + go-version-file: backend/go.mod + cache-dependency-path: backend/go.sum + - run: npm ci + - name: macOS signing setup + uses: ./.github/actions/macos-signing-setup + with: + csc-link: ${{ secrets.CSC_LINK }} + csc-key-password: ${{ secrets.CSC_KEY_PASSWORD }} + apple-api-key-base64: ${{ secrets.APPLE_API_KEY_BASE64 }} + apple-api-key-id: ${{ secrets.APPLE_API_KEY_ID }} + apple-api-issuer: ${{ secrets.APPLE_API_ISSUER }} + apple-signing-identity: ${{ secrets.APPLE_SIGNING_IDENTITY }} + - name: Publish + run: npm run publish + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + AO_RELEASE_REPO: ${{ github.repository }} + - name: Upload stable asset aliases (macOS) + shell: bash + run: | + tag="v$(node -p "require('./package.json').version")" + arch="$(uname -m)" + case "$arch" in + arm64) alias_name="agent-orchestrator-darwin-arm64.zip" ;; + x86_64) alias_name="agent-orchestrator-darwin-x64.zip" ;; + *) echo "unsupported macOS arch: $arch" >&2; exit 1 ;; + esac + src="$(ls out/make/zip/darwin/*/*.zip | head -n1)" + if [ -z "$src" ]; then echo "no macOS zip found under out/make/zip/darwin" >&2; exit 1; fi + cp "$src" "$alias_name" + gh release upload "$tag" "$alias_name" --clobber + env: + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + # After every platform has built and uploaded its installers, generate the # electron-updater feed (latest*.yml + .blockmap sidecars) from the versioned # assets and upload them to the same release. Runs once, on Linux: it only