Bump yauzl from 2.10.0 to 3.2.1 #385
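# Workflow "build": packages the app on push and pull_request; the signing,
# release and publish jobs below are additionally gated on workflow_dispatch.
name: "build"

on:
  push:
  pull_request:
  workflow_dispatch:

# Default GITHUB_TOKEN scope for every job. The build jobs run `npm ci` and the
# repository's own scripts on pull_request code, so the token is limited to
# read access; a job that needs more (create-github-release) declares its own
# `permissions:` block.
permissions:
  contents: read

env:
  # Presumably read by the npm / release scripts; its consumer is not shown here.
  SKIP_TESTS: 1

jobs: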
# Job build-linux: packages linux/amd64 on every trigger; the tarball and the
# artifact upload only happen on a manual run (workflow_dispatch).
  build-linux:
    runs-on: ubuntu-latest
    steps:
      # NOTE(review): `@master` is a branch, so the action code executed here
      # can change without any change to this file. Prefer pinning to a full
      # commit SHA: actions/checkout@<FULL_COMMIT_SHA>.
      - uses: actions/checkout@master
      - uses: actions/setup-node@v6
        with:
          node-version: "22"
      # `npm ci` runs dependency install scripts by default and this job also
      # runs for pull_request; no secrets are referenced in this job.
      - name: Install dependencies
        run: |
          npm ci
      - name: Type check
        run: |
          npm run ts-check
      - name: Build and package
        run: |
          node release/package-all.js --os linux --arch amd64
      # The build output is wrapped in a tar so file modes survive the artifact
      # round trip (see the step name).
      - name: Create tarball to preserve permissions
        if: github.event_name == 'workflow_dispatch'
        run: |
          cd artifacts/linux-amd64
          tar -cf ../linux-amd64.tar .
      - name: Upload artifact
        if: github.event_name == 'workflow_dispatch'
        uses: actions/upload-artifact@v6
        with:
          # Prefix is `itch` for a tag that does not end in -canary, else `kitch`.
          name: ${{ github.ref_type == 'tag' && !endsWith(github.ref_name, '-canary') && 'itch' || 'kitch' }}-${{ github.ref_name }}-linux-amd64
          path: artifacts/linux-amd64.tar
# Job build-windows: packages windows/amd64 on every trigger and, on a manual
# run, hands the unsigned output to sign-windows as an artifact.
  build-windows:
    runs-on: windows-latest
    steps:
      # NOTE(review): `@master` is a mutable branch ref; prefer a full commit
      # SHA (actions/checkout@<FULL_COMMIT_SHA>). The binaries built here are
      # the ones that get signed later.
      - uses: actions/checkout@master
      - uses: actions/setup-node@v6
        with:
          node-version: "22"
      # Dependency install scripts run here by default; this job references no
      # secrets.
      - name: Install dependencies
        run: |
          npm ci
      - name: Type check
        run: |
          npm run ts-check
      - name: Build and package
        run: |
          node release/package-all.js --os windows --arch amd64
      # The whole output directory is uploaded; sign-windows downloads it under
      # the same artifact name.
      - name: Upload unsigned artifact
        if: github.event_name == 'workflow_dispatch'
        uses: actions/upload-artifact@v6
        with:
          name: windows-amd64-unsigned
          path: artifacts/windows-amd64/
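# Job sign-windows: signs the executables produced by build-windows, verifies
# the Authenticode signature and uploads the signed directory. It only runs on
# workflow_dispatch and inside the `signing-windows` environment.
  sign-windows:
    needs: [build-windows]
    if: github.event_name == 'workflow_dispatch'
    runs-on: windows-latest
    environment: signing-windows
    steps:
      - name: Download unsigned artifact
        uses: actions/download-artifact@v7
        with:
          name: windows-amd64-unsigned
          path: artifacts/windows-amd64/
      # NOTE(review): this third-party action receives the Azure client secret
      # and is referenced by a movable tag; prefer pinning it to a full commit
      # SHA (azure/artifact-signing-action@<FULL_COMMIT_SHA>).
      - name: Sign with Azure Code Signing
        uses: azure/artifact-signing-action@v1
        with:
          azure-tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          azure-client-id: ${{ secrets.AZURE_CLIENT_ID }}
          azure-client-secret: ${{ secrets.AZURE_CLIENT_SECRET }}
          endpoint: https://wus2.codesigning.azure.net
          signing-account-name: itchio
          certificate-profile-name: itchio
          # Only top-level *.exe files are signed; the verify step below uses
          # the same pattern.
          files: ${{ github.workspace }}/artifacts/windows-amd64/*.exe
          file-digest: SHA256
          timestamp-rfc3161: http://timestamp.acs.microsoft.com
          timestamp-digest: SHA256
      - name: Verify signature
        shell: pwsh
        run: |
          # Force an array so an empty match is detectable; without this check
          # the loop below would pass vacuously and an unsigned directory
          # would be uploaded as the signed artifact.
          $exeFiles = @(Get-ChildItem -Path "artifacts/windows-amd64/*.exe")
          if ($exeFiles.Count -eq 0) {
            Write-Error "No .exe files found to verify in artifacts/windows-amd64"
            exit 1
          }
          foreach ($file in $exeFiles) {
            $sig = Get-AuthenticodeSignature -FilePath $file.FullName
            # NOTE(review): "Valid" says the signature chains to a trusted root,
            # not who signed it; consider also comparing
            # $sig.SignerCertificate.Subject with the expected publisher.
            if ($sig.Status -ne "Valid") {
              Write-Error "Signature verification failed for $($file.Name): $($sig.Status)"
              exit 1
            }
            Write-Host "Signature verified for $($file.Name)"
          }
      - name: Upload signed artifact
        uses: actions/upload-artifact@v6
        with:
          # Prefix is `itch` for a tag that does not end in -canary, else `kitch`.
          name: ${{ github.ref_type == 'tag' && !endsWith(github.ref_name, '-canary') && 'itch' || 'kitch' }}-${{ github.ref_name }}-windows-amd64
          path: artifacts/windows-amd64/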
# Job build-macos-x64: packages darwin/amd64 on every trigger and, on a manual
# run, passes the unsigned build to sign-macos as a tar artifact.
  build-macos-x64:
    runs-on: macos-latest
    steps:
      # NOTE(review): `@master` is a mutable branch ref; prefer a full commit
      # SHA (actions/checkout@<FULL_COMMIT_SHA>).
      - uses: actions/checkout@master
      - uses: actions/setup-node@v6
        with:
          node-version: "22"
      - uses: actions/setup-go@v6
        with:
          go-version: "^1.22.1"
      # Dependency install scripts run here by default; this job references no
      # secrets.
      - name: Install dependencies
        run: |
          npm ci
      - name: Type check
        run: |
          npm run ts-check
      - name: Build and package (x64)
        run: |
          node release/package-all.js --os darwin --arch amd64
      # Wrapped in a tar so the bundle's symlinks survive the artifact round
      # trip (see the step name).
      - name: Create tarball to preserve symlinks
        if: github.event_name == 'workflow_dispatch'
        run: |
          cd artifacts/darwin-amd64
          tar -cf ../darwin-amd64.tar .
      - name: Upload unsigned artifact
        if: github.event_name == 'workflow_dispatch'
        uses: actions/upload-artifact@v6
        with:
          name: darwin-amd64-unsigned
          path: artifacts/darwin-amd64.tar
# Job build-macos-arm64: packages darwin/arm64 on every trigger and, on a
# manual run, passes the unsigned build to sign-macos as a tar artifact.
  build-macos-arm64:
    runs-on: macos-latest
    steps:
      # NOTE(review): `@master` is a mutable branch ref; prefer a full commit
      # SHA (actions/checkout@<FULL_COMMIT_SHA>).
      - uses: actions/checkout@master
      - uses: actions/setup-node@v6
        with:
          node-version: "22"
      - uses: actions/setup-go@v6
        with:
          go-version: "^1.22.1"
      # Dependency install scripts run here by default; this job references no
      # secrets.
      - name: Install dependencies
        run: |
          npm ci
      - name: Type check
        run: |
          npm run ts-check
      - name: Build and package (arm64)
        run: |
          node release/package-all.js --os darwin --arch arm64
      # Wrapped in a tar so the bundle's symlinks survive the artifact round
      # trip (see the step name).
      - name: Create tarball to preserve symlinks
        if: github.event_name == 'workflow_dispatch'
        run: |
          cd artifacts/darwin-arm64
          tar -cf ../darwin-arm64.tar .
      - name: Upload unsigned artifact
        if: github.event_name == 'workflow_dispatch'
        uses: actions/upload-artifact@v6
        with:
          name: darwin-arm64-unsigned
          path: artifacts/darwin-arm64.tar
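# Job sign-macos: unpacks both unsigned macOS builds, imports the signing
# certificate into a throwaway keychain, signs and notarizes, then uploads the
# signed tarballs. It only runs on workflow_dispatch and inside the
# `signing-macos` environment.
  sign-macos:
    needs: [build-macos-x64, build-macos-arm64]
    if: github.event_name == 'workflow_dispatch'
    runs-on: macos-latest
    environment: signing-macos
    steps:
      # NOTE(review): `@master` is a mutable branch ref in a job that handles
      # signing secrets; prefer a full commit SHA
      # (actions/checkout@<FULL_COMMIT_SHA>).
      - uses: actions/checkout@master
      - uses: actions/setup-node@v6
        with:
          node-version: '22'
      - name: Download unsigned x64 artifact
        uses: actions/download-artifact@v7
        with:
          name: darwin-amd64-unsigned
          path: artifacts/
      - name: Download unsigned arm64 artifact
        uses: actions/download-artifact@v7
        with:
          name: darwin-arm64-unsigned
          path: artifacts/
      - name: Extract tarballs (preserves symlinks)
        run: |
          mkdir -p artifacts/darwin-amd64 artifacts/darwin-arm64
          tar -xf artifacts/darwin-amd64.tar -C artifacts/darwin-amd64
          tar -xf artifacts/darwin-arm64.tar -C artifacts/darwin-arm64
      # NOTE(review): dependency install scripts run here by default, in the
      # same job that later holds the signing identity and the notarization
      # credentials; anything they leave in node_modules is what
      # release/sign-macos.js loads.
      - name: Install dependencies
        run: npm ci
      - name: Import signing certificate
        env:
          APPLE_CERTIFICATE_P12_BASE64: ${{ secrets.APPLE_CERTIFICATE_P12_BASE64 }}
          APPLE_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
        run: |
          # Create temporary keychain with a random, single-use password
          KEYCHAIN_PATH="$RUNNER_TEMP/signing.keychain-db"
          KEYCHAIN_PASSWORD="$(openssl rand -base64 32)"
          security create-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
          security set-keychain-settings -lut 21600 "$KEYCHAIN_PATH"
          security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
          # Import certificate
          CERT_PATH="$RUNNER_TEMP/certificate.p12"
          # Remove the decoded .p12 on every exit path; a plain `rm` after the
          # import is skipped when the import itself fails.
          trap 'rm -f "$CERT_PATH"' EXIT
          # Keep the decoded private key unreadable to other users on the runner.
          umask 077
          echo "$APPLE_CERTIFICATE_P12_BASE64" | base64 --decode > "$CERT_PATH"
          # NOTE(review): -A lets any application use the imported key without
          # a prompt; if only codesign needs it, `-T /usr/bin/codesign` is the
          # narrower option. Confirm what release/sign-macos.js invokes first.
          security import "$CERT_PATH" -P "$APPLE_CERTIFICATE_PASSWORD" -A -t cert -f pkcs12 -k "$KEYCHAIN_PATH"
          # Set keychain search list
          security list-keychain -d user -s "$KEYCHAIN_PATH"
          # Allow codesign to access the keychain
          security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
      - name: Sign and notarize apps
        env:
          APPLE_ID: ${{ secrets.APPLE_ID }}
          APPLE_APP_SPECIFIC_PASSWORD: ${{ secrets.APPLE_APP_SPECIFIC_PASSWORD }}
          APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
        run: |
          node release/sign-macos.js --arch amd64
          node release/sign-macos.js --arch arm64
      - name: Create signed tarballs (preserves symlinks)
        run: |
          tar -cf artifacts/darwin-amd64-signed.tar -C artifacts/darwin-amd64 .
          tar -cf artifacts/darwin-arm64-signed.tar -C artifacts/darwin-arm64 .
      - name: Upload signed x64 artifact
        uses: actions/upload-artifact@v6
        with:
          # Prefix is `itch` for a tag that does not end in -canary, else `kitch`.
          name: ${{ github.ref_type == 'tag' && !endsWith(github.ref_name, '-canary') && 'itch' || 'kitch' }}-${{ github.ref_name }}-darwin-amd64
          path: artifacts/darwin-amd64-signed.tar
      - name: Upload signed arm64 artifact
        uses: actions/upload-artifact@v6
        with:
          name: ${{ github.ref_type == 'tag' && !endsWith(github.ref_name, '-canary') && 'itch' || 'kitch' }}-${{ github.ref_name }}-darwin-arm64
          path: artifacts/darwin-arm64-signed.tar
      # Drop the keychain holding the signing identity even when an earlier
      # step failed, so it does not outlive the job on a reused runner.
      - name: Clean up keychain
        if: always()
        run: |
          if [ -f "$RUNNER_TEMP/signing.keychain-db" ]; then
            security delete-keychain "$RUNNER_TEMP/signing.keychain-db"
          fi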
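# Job create-github-release: for a manual run on a tag, gathers the itch-* /
# kitch-* artifacts, turns each one into a .tar.gz and attaches them to a
# GitHub release. This is the only job that asks for write access.
  create-github-release:
    if: github.event_name == 'workflow_dispatch' && startsWith(github.ref, 'refs/tags/')
    needs: [build-linux, sign-windows, sign-macos]
    runs-on: ubuntu-latest
    permissions:
      contents: write
    steps:
      - name: Download all artifacts
        uses: actions/download-artifact@v7
        with:
          path: artifacts
          pattern: "{itch,kitch}-*"
      - name: Create archives
        run: |
          set -e
          # nullglob: a pattern with no match expands to nothing, so the
          # counts below are exact.
          shopt -s nullglob
          cd artifacts
          for dir in */; do
            name=$(basename "$dir")
            tars=("$dir"*.tar)
            case ${#tars[@]} in
              0)
                # For platforms without a pre-built tar (e.g. Windows)
                tar -czf "${name}.tar.gz" -C "$dir" .
                ;;
              1)
                # Compress existing tar (preserves permissions and symlinks)
                gzip -c "${tars[0]}" > "${name}.tar.gz"
                ;;
              *)
                # Several tars would be concatenated into one gzip stream,
                # which is not a usable archive; stop instead.
                echo "ERROR: expected at most one .tar in $dir, found ${#tars[@]}" >&2
                exit 1
                ;;
            esac
          done
          # Fail the step when nothing was produced rather than releasing an
          # empty set of files.
          archives=(*.tar.gz)
          if [ "${#archives[@]}" -eq 0 ]; then
            echo "ERROR: no archives were produced" >&2
            exit 1
          fi
          ls -lh -- "${archives[@]}"
      # NOTE(review): third-party action running with `contents: write` and
      # referenced by a movable tag; prefer pinning it to a full commit SHA
      # (softprops/action-gh-release@<FULL_COMMIT_SHA>).
      - name: Create GitHub Release and upload artifacts
        uses: softprops/action-gh-release@v2
        with:
          files: artifacts/*.tar.gz
          draft: false
          prerelease: ${{ contains(github.ref_name, 'canary') }}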
# Job publish-to-itchio: for a manual run on a tag, unpacks the itch-* /
# kitch-* artifacts, sanity-checks the macOS bundles and runs the deploy
# script inside the `butler-publish` environment.
  publish-to-itchio:
    if: github.event_name == 'workflow_dispatch' && startsWith(github.ref, 'refs/tags/')
    needs:
      - build-linux
      - sign-windows
      - sign-macos
    runs-on: ubuntu-latest
    environment: butler-publish
    steps:
      # NOTE(review): `@master` is a mutable branch ref in a job that later
      # uses the publish key; prefer a full commit SHA
      # (actions/checkout@<FULL_COMMIT_SHA>).
      - uses: actions/checkout@master
      - uses: actions/setup-node@v6
        with:
          node-version: "22"
      # NOTE(review): dependency install scripts run here by default, in the
      # job whose last step is given BUTLER_API_KEY.
      - name: Install dependencies
        run: npm ci
      - name: Download all artifacts
        uses: actions/download-artifact@v7
        with:
          path: artifacts
          pattern: "{itch,kitch}-*"
      - name: Extract tarballs (preserves permissions and symlinks)
        run: |
          cd artifacts
          for dir in */; do
            # Directories without a tar (the Windows artifact) are left as is.
            ls "$dir"/*.tar > /dev/null 2>&1 || continue
            tar -xf "$dir"/*.tar -C "$dir"
            rm "$dir"/*.tar
          done
      - name: Verify macOS bundle structure
        run: |
          # The auto-updater expects Contents/ at the archive root, not app.app/Contents/
          # Butler push on a .app directory achieves this, but let's verify the structure
          # NOTE(review): when no artifacts/*darwin* directory exists the loop
          # checks nothing and the step still succeeds.
          for dir in artifacts/*darwin*; do
            [ -d "$dir" ] || continue
            app_bundle=$(find "$dir" -maxdepth 1 -name "*.app" -type d | head -1)
            if [ -z "$app_bundle" ]; then
              echo "ERROR: No .app bundle found in $dir"
              exit 1
            fi
            # Verify expected structure exists
            if [ ! -f "$app_bundle/Contents/Info.plist" ]; then
              echo "ERROR: Missing Contents/Info.plist in $app_bundle"
              exit 1
            fi
            for sub in MacOS Frameworks; do
              if [ ! -d "$app_bundle/Contents/$sub" ]; then
                echo "ERROR: Missing Contents/$sub in $app_bundle"
                exit 1
              fi
            done
            echo "OK: $app_bundle has correct bundle structure"
          done
      # The publish key is scoped to this one step's environment.
      - name: Deploy to itch.io
        env:
          BUTLER_API_KEY: ${{ secrets.BUTLER_API_KEY }}
        run: node release/deploy.js