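# TODO cache playwright browsers
name: Build

# SECURITY Third-party pull requests (thankfully) can't access secrets, so need separate workflow
on:
  push: {}
  workflow_dispatch:
    inputs:
      run_tests:
        description: Whether to run tests
        required: false
        default: 'true'

# Least-privilege GITHUB_TOKEN. Nothing below uses the token for anything but
# checkout; artifact upload/download and setup-node's cache use the runtime
# token and are unaffected. Publishing goes through the AWS keys, not
# GITHUB_TOKEN, so no write scope is needed here — widen this block if that ever changes.
permissions:
  contents: read

defaults:
  run:
    shell: bash # Windows doesn't default to bash

jobs:

  audit_code:
    # This is done separately to speed up build, since ok to do in parallel
    name: Audit types & lint
    runs-on: ubuntu-latest
    # On `push` there is no `run_tests` input, so the comparison is '' != 'false'
    # and the job runs; only an explicit dispatch with run_tests=false skips it
    if: github.event.inputs.run_tests != 'false'
    steps:
      # NOTE(review): actions are pinned to major tags (@v4); pinning to a full
      # commit SHA protects against a moved/compromised tag (applies to every
      # `uses:` in this file)
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: '25'
          cache: 'npm'
          cache-dependency-path: '**/package-lock.json'
      - run: .bin/all_node npm ci
      - run: .bin/audit_lint_errors # TODO Do full linting when ready
      - run: .bin/audit_types
      - run: .bin/audit_test

  build_app_base:
    name: Build app base
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: '25'
          cache: 'npm'
          cache-dependency-path: '**/package-lock.json'
      - run: .bin/all_node npm ci
      - run: .bin/build_responder_aws
      - run: .bin/build_displayer
        env:
          VITE_ROLLBAR_DISPLAYER: ${{ secrets.ROLLBAR_DISPLAYER }}
      - run: .bin/build_app
        env:
          VITE_OAUTH_ID_GOOGLE: ${{ secrets.OAUTH_ID_GOOGLE }}
          VITE_OAUTH_ID_MICROSOFT: ${{ secrets.OAUTH_ID_MICROSOFT }}
          # NOTE(review): Vite inlines VITE_-prefixed vars into the client
          # bundle, so this value ends up in app/dist (and the app_base
          # artifact). Fine only if it is a non-confidential "installed app"
          # client credential — TODO confirm, otherwise move the exchange server-side
          VITE_OAUTH_SECRET_GOOGLE: ${{ secrets.OAUTH_SECRET_GOOGLE }}
          VITE_ROLLBAR_APP: ${{ secrets.ROLLBAR_APP }}
          VITE_ROLLBAR_RESPONDER: ${{ secrets.ROLLBAR_RESPONDER }}
          VITE_HOSTED_REGION: us-west-2
          VITE_HOSTED_USER_POOL: us-west-2_35JlR4J4Y
          VITE_HOSTED_USER_POOL_CLIENT: 6go9el36qqr5egm92s20b8fuer
          # Quoted because the value contains ':' (safe either way, but explicit)
          VITE_HOSTED_IDENTITY_POOL: 'us-west-2:457eead7-c848-47d1-8f09-81cb85f818d0'
          VITE_HOSTED_BUCKET: stello-hosted
          VITE_HOSTED_API: 'https://api.encrypted.news/'
          VITE_HOSTED_DOMAIN_BRANDED: stello.news
          VITE_HOSTED_DOMAIN_UNBRANDED: encrypted.news
      - if: github.event.inputs.run_tests != 'false'
        name: .bin/audit_e2e_displayer
        run: |
          npx playwright install --with-deps
          .bin/audit_e2e_displayer
      - uses: actions/upload-artifact@v4
        with:
          name: app_base
          path: app/dist

  build_electron:
    name: Package the app with Electron for all OSs
    needs:
      - build_app_base
    strategy:
      fail-fast: false
      matrix:
        os:
          - ubuntu-latest
          - macos-latest
          - windows-latest
    runs-on: ${{ matrix.os }}
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: '25'
          cache: 'npm'
          cache-dependency-path: '**/package-lock.json'
      - run: npm ci
        env:
          # Browsers are installed explicitly in the next step (chromium only)
          PLAYWRIGHT_SKIP_BROWSER_DOWNLOAD: '1'
      - run: npx playwright install --with-deps chromium
      # `&&` so a failed cd never runs npm in the repo root, regardless of shell flags
      - run: cd electron && npm ci
      # Use Electron 32 on macOS so can still support macOS 10.15
      # macOS 10.15 is still widely used and supported by Apple as of March 2026
      - if: runner.os == 'macOS'
        run: cd electron && npm install electron@32
      - run: .bin/build_electron
        env:
          ROLLBAR_ELECTRON: ${{ secrets.ROLLBAR_ELECTRON }}
          HOSTED_API: 'https://api.encrypted.news/'
      - uses: actions/download-artifact@v4
        with:
          name: app_base
          path: electron/dist/app
      # WARN Electron builder will publish (to proposed) before confirming tests pass
      # This allows ignoring tests if false positives, and still be able to publish
      - run: .bin/build_electron_package
        env:
          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          # Only mac needs the following
          CSC_LINK: ${{ secrets.APPLE_CERT_P12_BASE64 }}
          # Public since contents already secret. That makes the base64 secret the
          # *only* protection for the signing key, so never echo it or write the
          # decoded .p12 to an uploaded artifact
          CSC_KEY_PASSWORD: abc123
          APPLE_ID: ${{ secrets.APPLE_ID_EMAIL }}
          APPLE_APP_SPECIFIC_PASSWORD: ${{ secrets.APPLE_APP_SPECIFIC_PASSWORD }}
          APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
      - if: github.event.inputs.run_tests != 'false' && runner.os == 'Linux'
        # Disable apparmor so doesn't prevent Electron launching
        # This is a runner-wide kernel setting: acceptable on an ephemeral hosted
        # runner, but revisit before ever running this job on a self-hosted one
        run: echo 0 | sudo tee /proc/sys/kernel/apparmor_restrict_unprivileged_userns
      - if: github.event.inputs.run_tests != 'false'
        run: .bin/audit_e2e_electron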