ci: GHA to create packages for electron #1785
Conversation
| @@ -21,4 +31,9 @@ jobs: | |||
| - name: Build electron app | |||
| run: npm run build:electron | |||
| - name: build package | |||
| run: npx electron-builder build --x64 --arm64 --publish never | |||
| run: npx electron-builder build --x64 --arm64 --publish always | |||
| - name: Upload built packages | |||
There was a problem hiding this comment.
This is for a checking purpose in each action such as https://github.com/appium/appium-inspector/actions/runs/11700110550. After confirming this works with regular release cycles in the release page, we can remove this.
|
Are the test runs already using the OpenJS certificates? I downloaded the macOS artifact and installed the arm64 dmg file, but it was still returning the same warning about Apple being unable to check it for malicious software. Unsure if this is to be expected. |
|
We will also need to disable the runs in Azure, but I guess that can only be done in the Azure configuration. |
Only https://github.com/appium/appium-inspector/actions/runs/11700110550 , yes. This PR's description is by the package. Other old ones did not have the certificate secrets.
Well, even dmg, I think downloaded content from the internet will be handled as malicious software. Possibly downloaded via GitHub release page is different, though. Invalid certificate case is addressed as a "damaged" content ( https://github.com/appium/appium-inspector/actions/runs/11699133241 is not openjs's one), so I think the certificate itself is fine.
Yea, this PR merge will remove the script for Azure, so after this merge, Azure's script will not run. I'll remove Azure's pipeline itself from the web page after confirming this via GHA package release work |
|
@eglitise @KazuCocoa i think we need to do 'notarization' in addition to code signing to do away with that warning. I think I have the details from OpenJS necessary to make this happen, but not sure how to do the technical notarization steps with electron-builder. |
|
I just tried with the Windows app. The executable is certainly signed now, unlike the current release (on the right): |
|
Maybe we could create a version with the current Azure config, which has the same signature once and compare this result with it |
Do you mean that the new OpenJS certificates were also added to Azure? If not, then the version built there will be completely unsigned, like in my first screenshot. |
|
Yea. I have updated Azure's Then, this PR itself can be merged and what we need to do here (potentially) is the certificate notarization as a followup PR to env var update later? |
|
Sounds good 👍 |
|
FWIW we do not have new windows certs at all. Only macOS certs were provided so far. So it's not surprising that windows doesn't work. |
|
Let me release a new version with this by adding a tag |
|
https://github.com/appium/appium-inspector/releases/tag/untagged-38ffb8027be18a982f9d Packages look fine. |
|
I do it manually. Not sure if it was worth running a release just for this though, since there's not really any other changes. |
|
@jlipps could we also get Windows certs? I think both would be equally important for improving the installation UX. |
|
Yes, I will kick off the process for Windows certs with OpenJSF |
|
I have removed the Azure project. So from now on, our package creation env can be managed in this repository config (env var etc) only |
* Update package.yml * use secrets * apply Prettier * ci: add github token and changes to always
e.g. https://github.com/appium/appium-inspector/actions/runs/11700110550