Skip to content

chore(release): bump 1.0.75 + changelog #30

chore(release): bump 1.0.75 + changelog

chore(release): bump 1.0.75 + changelog #30

Workflow file for this run

name: CI
on:
push:
pull_request:
workflow_dispatch:
jobs:
test:
name: Test (${{ matrix.name }})
runs-on: ${{ matrix.os }}
strategy:
fail-fast: false
matrix:
include:
- name: Linux
os: ubuntu-latest
- name: macOS Apple Silicon
os: macos-15
- name: macOS Intel
os: macos-15-intel
- name: Windows
os: windows-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-node@v4
with:
node-version: 22
cache: npm
- run: npm ci
- run: npm run ci
notarized-macos-release:
name: Notarized macOS Release
runs-on: macos-15
if: startsWith(github.ref, 'refs/tags/v') && vars.ENABLE_MACOS_NOTARIZED_RELEASE == 'true'
env:
CSC_LINK: ${{ secrets.MACOS_CSC_LINK }}
CSC_KEY_PASSWORD: ${{ secrets.MACOS_CSC_KEY_PASSWORD }}
CSC_NAME: ${{ secrets.MACOS_CSC_NAME }}
APPLE_KEYCHAIN_PROFILE: ${{ secrets.APPLE_KEYCHAIN_PROFILE }}
APPLE_ID: ${{ secrets.APPLE_ID }}
APPLE_APP_SPECIFIC_PASSWORD: ${{ secrets.APPLE_APP_SPECIFIC_PASSWORD }}
APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
steps:
- uses: actions/checkout@v4
- uses: actions/setup-node@v4
with:
node-version: 22
cache: npm
- run: npm ci
- run: npm run security:deps
- run: npm run build:mac:notarized
- name: Verify notarized macOS artifacts
run: |
set -euo pipefail
test -d "dist/mac-universal/TaskWraith.app"
codesign --verify --deep --strict --verbose=2 "dist/mac-universal/TaskWraith.app"
spctl --assess --type execute --verbose=4 "dist/mac-universal/TaskWraith.app"
xcrun stapler validate "dist/mac-universal/TaskWraith.app"
for artifact in dist/*.dmg; do
test -f "$artifact"
xcrun stapler validate "$artifact"
done
signed-windows-release:
name: Signed Windows Release
runs-on: windows-latest
if: startsWith(github.ref, 'refs/tags/v') && vars.ENABLE_WINDOWS_SIGNED_RELEASE == 'true'
env:
CSC_LINK: ${{ secrets.WINDOWS_CSC_LINK }}
CSC_KEY_PASSWORD: ${{ secrets.WINDOWS_CSC_KEY_PASSWORD }}
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
steps:
- uses: actions/checkout@v4
- uses: actions/setup-node@v4
with:
node-version: 22
cache: npm
- run: npm ci
- run: npm run security:deps
- run: npm run build:win:signed
- name: Verify signed Windows artifacts
shell: pwsh
run: |
$ErrorActionPreference = "Stop"
$installers = Get-ChildItem -Path dist -Filter "TaskWraith-*-win-*-setup.exe"
if ($installers.Count -lt 2) {
throw "Expected signed x64 and arm64 Windows installers in dist/."
}
foreach ($installer in $installers) {
$signature = Get-AuthenticodeSignature -FilePath $installer.FullName
if ($signature.Status -ne "Valid") {
throw "Invalid Authenticode signature for $($installer.Name): $($signature.Status)"
}
}
if (!(Test-Path "dist/latest-win-x64.yml")) {
throw "Missing dist/latest-win-x64.yml"
}
if (!(Test-Path "dist/latest-win-arm64.yml")) {
throw "Missing dist/latest-win-arm64.yml"
}