chore(release): bump 1.0.75 + changelog #30
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: CI | |
| on: | |
| push: | |
| pull_request: | |
| workflow_dispatch: | |
| jobs: | |
| test: | |
| name: Test (${{ matrix.name }}) | |
| runs-on: ${{ matrix.os }} | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| include: | |
| - name: Linux | |
| os: ubuntu-latest | |
| - name: macOS Apple Silicon | |
| os: macos-15 | |
| - name: macOS Intel | |
| os: macos-15-intel | |
| - name: Windows | |
| os: windows-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: actions/setup-node@v4 | |
| with: | |
| node-version: 22 | |
| cache: npm | |
| - run: npm ci | |
| - run: npm run ci | |
| notarized-macos-release: | |
| name: Notarized macOS Release | |
| runs-on: macos-15 | |
| if: startsWith(github.ref, 'refs/tags/v') && vars.ENABLE_MACOS_NOTARIZED_RELEASE == 'true' | |
| env: | |
| CSC_LINK: ${{ secrets.MACOS_CSC_LINK }} | |
| CSC_KEY_PASSWORD: ${{ secrets.MACOS_CSC_KEY_PASSWORD }} | |
| CSC_NAME: ${{ secrets.MACOS_CSC_NAME }} | |
| APPLE_KEYCHAIN_PROFILE: ${{ secrets.APPLE_KEYCHAIN_PROFILE }} | |
| APPLE_ID: ${{ secrets.APPLE_ID }} | |
| APPLE_APP_SPECIFIC_PASSWORD: ${{ secrets.APPLE_APP_SPECIFIC_PASSWORD }} | |
| APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }} | |
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: actions/setup-node@v4 | |
| with: | |
| node-version: 22 | |
| cache: npm | |
| - run: npm ci | |
| - run: npm run security:deps | |
| - run: npm run build:mac:notarized | |
| - name: Verify notarized macOS artifacts | |
| run: | | |
| set -euo pipefail | |
| test -d "dist/mac-universal/TaskWraith.app" | |
| codesign --verify --deep --strict --verbose=2 "dist/mac-universal/TaskWraith.app" | |
| spctl --assess --type execute --verbose=4 "dist/mac-universal/TaskWraith.app" | |
| xcrun stapler validate "dist/mac-universal/TaskWraith.app" | |
| for artifact in dist/*.dmg; do | |
| test -f "$artifact" | |
| xcrun stapler validate "$artifact" | |
| done | |
| signed-windows-release: | |
| name: Signed Windows Release | |
| runs-on: windows-latest | |
| if: startsWith(github.ref, 'refs/tags/v') && vars.ENABLE_WINDOWS_SIGNED_RELEASE == 'true' | |
| env: | |
| CSC_LINK: ${{ secrets.WINDOWS_CSC_LINK }} | |
| CSC_KEY_PASSWORD: ${{ secrets.WINDOWS_CSC_KEY_PASSWORD }} | |
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: actions/setup-node@v4 | |
| with: | |
| node-version: 22 | |
| cache: npm | |
| - run: npm ci | |
| - run: npm run security:deps | |
| - run: npm run build:win:signed | |
| - name: Verify signed Windows artifacts | |
| shell: pwsh | |
| run: | | |
| $ErrorActionPreference = "Stop" | |
| $installers = Get-ChildItem -Path dist -Filter "TaskWraith-*-win-*-setup.exe" | |
| if ($installers.Count -lt 2) { | |
| throw "Expected signed x64 and arm64 Windows installers in dist/." | |
| } | |
| foreach ($installer in $installers) { | |
| $signature = Get-AuthenticodeSignature -FilePath $installer.FullName | |
| if ($signature.Status -ne "Valid") { | |
| throw "Invalid Authenticode signature for $($installer.Name): $($signature.Status)" | |
| } | |
| } | |
| if (!(Test-Path "dist/latest-win-x64.yml")) { | |
| throw "Missing dist/latest-win-x64.yml" | |
| } | |
| if (!(Test-Path "dist/latest-win-arm64.yml")) { | |
| throw "Missing dist/latest-win-arm64.yml" | |
| } |