ci: build unsigned desktop artifacts on 0.0.0-testing-* tags (#347)

Add a tag-triggered workflow that builds the Electron desktop app (with the
bundled Go daemon) on macOS, Windows, and Linux runners and attaches the
unsigned artifacts to a GitHub prerelease for end-to-end pipeline validation.

Signing/notarization is intentionally off until the certs and secrets exist,
so these builds are for validating packaging, not distribution.

Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
This commit is contained in:
Harshit Singh Bhandari 2026-06-20 21:19:24 +05:30 committed by GitHub
parent 83091ceb4c
commit d9dde9280f
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 75 additions and 0 deletions

75
.github/workflows/desktop-testing.yml vendored Normal file
View File

@ -0,0 +1,75 @@
name: Desktop testing build
# Builds UNSIGNED desktop artifacts on a `0.0.0-testing-<sha>` tag and attaches
# them to a GitHub prerelease, so the packaging pipeline can be exercised
# end-to-end before any signing/notarization secrets exist.
#
# Per OS the current electron-forge makers produce:
# - macOS → .zip (the .dmg maker is a follow-up)
# - Windows → Setup.exe + .nupkg + RELEASES (Squirrel)
# - Linux → .deb and .rpm
#
# Each OS builds on its own native runner because build-daemon.mjs compiles the
# bundled `ao` daemon for the build host's platform; cross-OS packaging would
# ship the wrong daemon (issues #235/#256). The macOS runner is arm64, so the
# macOS artifact is arm64-only until per-arch builds are wired.
#
# Signing is intentionally OFF (no CSC_LINK / APPLE_ID / Windows cert), so these
# builds do NOT pass Gatekeeper/SmartScreen. They are for pipeline validation,
# not distribution.
on:
push:
tags:
- "0.0.0-testing-*"
jobs:
build:
strategy:
fail-fast: false
matrix:
os: [macos-latest, windows-latest, ubuntu-latest]
runs-on: ${{ matrix.os }}
permissions:
contents: write
defaults:
run:
working-directory: frontend
steps:
- uses: actions/checkout@v4
- uses: actions/setup-node@v4
with:
node-version: 20
cache: npm
cache-dependency-path: frontend/package-lock.json
# The daemon is compiled by build-daemon.mjs during premake, so the Go
# toolchain must be present and pinned on every runner.
- uses: actions/setup-go@v5
with:
go-version-file: backend/go.mod
cache-dependency-path: backend/go.sum
# The Linux rpm maker needs rpmbuild, which ubuntu-latest does not ship.
- name: Install rpm tooling (Linux)
if: runner.os == 'Linux'
run: sudo apt-get update && sudo apt-get install -y rpm
- run: npm ci
- name: Build artifacts (unsigned)
run: npm run make
- name: Publish artifacts to the tag's GitHub release
shell: bash
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
TAG: ${{ github.ref_name }}
run: |
set -euo pipefail
# Create the prerelease once. Parallel matrix jobs race here, so a
# second job's "already exists" failure is expected and ignored.
gh release create "$TAG" --prerelease --title "$TAG" \
--notes "Unsigned desktop testing build (pipeline validation only — not signed or notarized)." \
|| true
# Upload every maker output. NUL-delimited to survive spaces in the
# app name ("Agent Orchestrator-..."); --clobber makes re-runs idempotent.
find out/make -type f -print0 | while IFS= read -r -d '' f; do
echo "uploading: $f"
gh release upload "$TAG" "$f" --clobber
done