fleet/.github/workflows/generate-desktop-targets.yml

name: Generate Fleet Desktop targets for Orbit

on:
  push:
    branches:
      - main
    paths:
      # The workflow can be triggered by modifying FLEET_DESKTOP_VERSION env.
      - '.github/workflows/generate-desktop-targets.yml'
  pull_request:
    paths:
      # The workflow can be triggered by modifying FLEET_DESKTOP_VERSION env.
      - '.github/workflows/generate-desktop-targets.yml'
  workflow_dispatch:

# This allows a subsequently queued workflow run to interrupt previous runs
concurrency:
  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id}}
  cancel-in-progress: true

defaults:
  run:
    # fail-fast using bash -eo pipefail. See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#exit-codes-and-error-action-preference
    shell: bash

env:
  FLEET_DESKTOP_VERSION: 1.22.0

permissions:
  contents: read

jobs:
  desktop-macos:
    # Set macOS version to '12' (current equivalent to macos-latest) for
    # building the binary. This ensures compatibility with macOS version 13 and
    # later, avoiding runtime errors on systems using macOS 13 or newer.
    #
    # Note: Update this version to '13' once GitHub marks macOS 13 as stable
    # or if we revise our minimum supported macOS version.
    runs-on: macos-12
    steps:

      - name: Harden Runner
        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
        with:
          egress-policy: audit

      - name: Install Go
        uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
        with:
          go-version: ${{ vars.GO_VERSION }}

      - name: Checkout
        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3

      - name: Import signing keys
        env:
          APPLE_APPLICATION_CERTIFICATE: ${{ secrets.APPLE_APPLICATION_CERTIFICATE }}
          APPLE_APPLICATION_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_APPLICATION_CERTIFICATE_PASSWORD }}
          KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }}
        run: |
          echo "$APPLE_APPLICATION_CERTIFICATE" | base64 --decode > certificate.p12
          security create-keychain -p $KEYCHAIN_PASSWORD build.keychain
          security default-keychain -s build.keychain
          security unlock-keychain -p $KEYCHAIN_PASSWORD build.keychain
          security import certificate.p12 -k build.keychain -P $APPLE_APPLICATION_CERTIFICATE_PASSWORD -T /usr/bin/codesign
          security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k $KEYCHAIN_PASSWORD build.keychain
          security find-identity -vv
          rm certificate.p12          

      - name: Generate desktop.app.tar.gz
        env:
          AC_USERNAME: ${{ secrets.APPLE_USERNAME }}
          AC_PASSWORD: ${{ secrets.APPLE_PASSWORD }}
          AC_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
          CODESIGN_IDENTITY: 51049B247B25B3119FAE7E9C0CC4375A43E47237
        run: |
          AC_USERNAME=$AC_USERNAME \
          AC_PASSWORD=$AC_PASSWORD \
          AC_TEAM_ID=$AC_TEAM_ID \
          FLEET_DESKTOP_APPLE_AUTHORITY=$CODESIGN_IDENTITY \
          FLEET_DESKTOP_NOTARIZE=true \
          FLEET_DESKTOP_VERSION=$FLEET_DESKTOP_VERSION \
          make desktop-app-tar-gz          

      - name: Upload desktop.app.tar.gz
        uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v2
        with:
          name: desktop.app.tar.gz
          path: desktop.app.tar.gz

  desktop-windows:
    runs-on: ubuntu-latest
    steps:

      - name: Harden Runner
        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
        with:
          egress-policy: audit

      - name: Install Go
        uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
        with:
          go-version: ${{ vars.GO_VERSION }}

      - name: Checkout
        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3

      - name: Generate fleet-desktop.exe
        run: |
          FLEET_DESKTOP_VERSION=$FLEET_DESKTOP_VERSION \
          make desktop-windows          

      - name: Upload fleet-desktop.exe
        uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v2
        with:
          name: fleet-desktop.exe
          path: fleet-desktop.exe

  desktop-linux:
    runs-on: ubuntu-latest
    steps:

      - name: Harden Runner
        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
        with:
          egress-policy: audit

      - name: Install Go
        uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
        with:
          go-version: ${{ vars.GO_VERSION }}

      - name: Checkout
        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3

      - name: Generate desktop.tar.gz
        run: |
          FLEET_DESKTOP_VERSION=$FLEET_DESKTOP_VERSION \
          make desktop-linux          

      - name: Upload desktop.tar.gz
        uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v2
        with:
          name: desktop.tar.gz
          path: desktop.tar.gz