name: Build and release to TestFlight and GitHub on: workflow_dispatch: inputs: build_ios: description: 'Build iOS (TestFlight)' type: boolean default: true build_tvos: description: 'Build tvOS (TestFlight)' type: boolean default: true build_mac_beta: description: 'Build macOS (TestFlight)' type: boolean default: false build_mac_notarized: description: 'Build macOS (notarized Developer ID + Sparkle appcast)' type: boolean default: true release_channel: description: 'Sparkle / Developer ID channel (also toggles GitHub prerelease flag)' type: choice options: - beta - stable default: beta create_release: description: 'Create GitHub release' type: boolean default: true concurrency: group: release cancel-in-progress: false env: APP_NAME: Yattee FASTLANE_USER: ${{ secrets.FASTLANE_USER }} FASTLANE_PASSWORD: ${{ secrets.FASTLANE_PASSWORD }} ITC_TEAM_ID: ${{ secrets.ITC_TEAM_ID }} TEAM_ID: ${{ secrets.TEAM_ID }} DEVELOPER_KEY_ID: ${{ secrets.DEVELOPER_KEY_ID }} DEVELOPER_KEY_ISSUER_ID: ${{ secrets.DEVELOPER_KEY_ISSUER_ID }} DEVELOPER_KEY_CONTENT: ${{ secrets.DEVELOPER_KEY_CONTENT }} TEMP_KEYCHAIN_USER: ${{ secrets.TEMP_KEYCHAIN_USER }} TEMP_KEYCHAIN_PASSWORD: ${{ secrets.TEMP_KEYCHAIN_PASSWORD }} DEVELOPER_APP_IDENTIFIER: ${{ secrets.DEVELOPER_APP_IDENTIFIER }} GIT_AUTHORIZATION: ${{ secrets.GIT_AUTHORIZATION }} MATCH_PASSWORD: ${{ secrets.MATCH_PASSWORD }} CERTIFICATES_GIT_URL: ${{ secrets.CERTIFICATES_GIT_URL }} TESTFLIGHT_EXTERNAL_GROUPS: ${{ secrets.TESTFLIGHT_EXTERNAL_GROUPS }} jobs: determine_build_number: name: Determine build number runs-on: macos-26 outputs: build_number: ${{ steps.calc.outputs.build_number }} version_number: ${{ steps.version.outputs.version_number }} steps: - uses: actions/checkout@v4 - uses: ruby/setup-ruby@v1 with: ruby-version: '3.4' bundler-cache: true cache-version: 1 - uses: maierj/fastlane-action@v3.0.0 with: lane: latest_build_number - name: Calculate next build number id: calc run: | LATEST=$(cat latest_build_number.txt) NEXT=$((LATEST + 1)) echo "build_number=$NEXT" >> $GITHUB_OUTPUT - name: Read version number id: version run: | VERSION=$(grep -m 1 MARKETING_VERSION Yattee.xcodeproj/project.pbxproj | cut -d' ' -f3 | sed 's/;//g') echo "version_number=$VERSION" >> $GITHUB_OUTPUT ios_beta: if: ${{ inputs.build_ios }} needs: [determine_build_number] name: Release iOS to TestFlight runs-on: macos-26 steps: - uses: actions/checkout@v4 - uses: ruby/setup-ruby@v1 with: ruby-version: '3.4' bundler-cache: true cache-version: 1 - name: Set build number run: | sed -i '' 's/CURRENT_PROJECT_VERSION = [0-9]*/CURRENT_PROJECT_VERSION = ${{ needs.determine_build_number.outputs.build_number }}/' Yattee.xcodeproj/project.pbxproj - name: Clear SPM cache run: rm -rf ~/Library/Caches/org.swift.swiftpm/artifacts - uses: maierj/fastlane-action@v3.0.0 with: lane: ios beta - uses: actions/upload-artifact@v4 with: name: ios-beta-build path: fastlane/builds/**/*.ipa if-no-files-found: ignore tvos_beta: if: ${{ inputs.build_tvos }} needs: [determine_build_number] name: Release tvOS to TestFlight runs-on: macos-26 steps: - uses: actions/checkout@v4 - uses: ruby/setup-ruby@v1 with: ruby-version: '3.4' bundler-cache: true cache-version: 1 - name: Set build number run: | sed -i '' 's/CURRENT_PROJECT_VERSION = [0-9]*/CURRENT_PROJECT_VERSION = ${{ needs.determine_build_number.outputs.build_number }}/' Yattee.xcodeproj/project.pbxproj - name: Clear SPM cache run: rm -rf ~/Library/Caches/org.swift.swiftpm/artifacts - uses: maierj/fastlane-action@v3.0.0 with: lane: tvos beta - uses: actions/upload-artifact@v4 with: name: tvos-beta-build path: fastlane/builds/**/*.ipa if-no-files-found: ignore mac_beta: if: ${{ inputs.build_mac_beta }} needs: [determine_build_number] name: Release macOS to TestFlight runs-on: macos-26 steps: - uses: actions/checkout@v4 - uses: ruby/setup-ruby@v1 with: ruby-version: '3.4' bundler-cache: true cache-version: 1 - name: Set build number run: | sed -i '' 's/CURRENT_PROJECT_VERSION = [0-9]*/CURRENT_PROJECT_VERSION = ${{ needs.determine_build_number.outputs.build_number }}/' Yattee.xcodeproj/project.pbxproj - name: Clear SPM cache run: rm -rf ~/Library/Caches/org.swift.swiftpm/artifacts - uses: maierj/fastlane-action@v3.0.0 with: lane: mac beta - uses: actions/upload-artifact@v4 with: name: mac-beta-build path: fastlane/builds/**/*.pkg if-no-files-found: ignore mac_notarized: if: ${{ inputs.build_mac_notarized }} needs: [determine_build_number] name: Build and notarize macOS app runs-on: macos-26 env: BUILD_NUMBER: ${{ needs.determine_build_number.outputs.build_number }} VERSION_NUMBER: ${{ needs.determine_build_number.outputs.version_number }} steps: - uses: actions/checkout@v4 - uses: ruby/setup-ruby@v1 with: ruby-version: '3.4' bundler-cache: true cache-version: 1 - name: Set build number run: | sed -i '' 's/CURRENT_PROJECT_VERSION = [0-9]*/CURRENT_PROJECT_VERSION = ${{ env.BUILD_NUMBER }}/' Yattee.xcodeproj/project.pbxproj - name: Clear SPM cache run: rm -rf ~/Library/Caches/org.swift.swiftpm/artifacts - uses: maierj/fastlane-action@v3.0.0 with: lane: mac build_and_notarize - name: Resolve artifact paths run: | DIR="fastlane/builds/${{ env.VERSION_NUMBER }}-${{ env.BUILD_NUMBER }}/macOS" echo "APP_PATH=$DIR/Yattee.app" >> $GITHUB_ENV echo "ZIP_PATH=$DIR/Yattee-${{ env.VERSION_NUMBER }}-macOS.zip" >> $GITHUB_ENV echo "DMG_PATH=$DIR/Yattee-${{ env.VERSION_NUMBER }}-macOS.dmg" >> $GITHUB_ENV - uses: actions/upload-artifact@v4 with: name: mac-notarized-build path: | ${{ env.ZIP_PATH }} ${{ env.DMG_PATH }} if-no-files-found: error release: if: ${{ inputs.create_release && !cancelled() && !failure() }} needs: [determine_build_number, ios_beta, tvos_beta, mac_beta, mac_notarized] name: Create GitHub release runs-on: ubuntu-latest permissions: contents: write outputs: tag: ${{ steps.compute_tag.outputs.tag }} env: BUILD_NUMBER: ${{ needs.determine_build_number.outputs.build_number }} VERSION_NUMBER: ${{ needs.determine_build_number.outputs.version_number }} RELEASE_CHANNEL: ${{ inputs.release_channel }} steps: - uses: actions/checkout@v4 with: token: ${{ secrets.REPO_TOKEN }} - name: Commit build number run: | git config --local user.email "github-actions[bot]@users.noreply.github.com" git config --local user.name "github-actions[bot]" sed -i 's/CURRENT_PROJECT_VERSION = [0-9]*/CURRENT_PROJECT_VERSION = ${{ env.BUILD_NUMBER }}/' Yattee.xcodeproj/project.pbxproj git add Yattee.xcodeproj/project.pbxproj git diff --cached --quiet && echo "Build number already up to date" || { git commit -m "Bump build number to ${{ env.BUILD_NUMBER }}" git push origin ${{ github.ref_name }} } - uses: actions/download-artifact@v4 with: path: artifacts - name: Compute release tag id: compute_tag run: | if [ "$RELEASE_CHANNEL" = "beta" ]; then echo "tag=${VERSION_NUMBER}-beta.${BUILD_NUMBER}" >> "$GITHUB_OUTPUT" echo "prerelease=true" >> "$GITHUB_OUTPUT" else echo "tag=${VERSION_NUMBER}-${BUILD_NUMBER}" >> "$GITHUB_OUTPUT" echo "prerelease=false" >> "$GITHUB_OUTPUT" fi - uses: ncipollo/release-action@v1 with: artifacts: artifacts/**/*.ipa,artifacts/**/*.zip,artifacts/**/*.pkg,artifacts/**/*.dmg commit: ${{ github.ref_name }} tag: ${{ steps.compute_tag.outputs.tag }} prerelease: ${{ steps.compute_tag.outputs.prerelease }} bodyFile: CHANGELOG.md publish_appcast: if: ${{ inputs.build_mac_notarized && inputs.create_release && !cancelled() && !failure() }} needs: [determine_build_number, mac_notarized, release] name: Publish Sparkle appcast runs-on: macos-26 permissions: contents: write env: BUILD_NUMBER: ${{ needs.determine_build_number.outputs.build_number }} VERSION_NUMBER: ${{ needs.determine_build_number.outputs.version_number }} RELEASE_CHANNEL: ${{ inputs.release_channel }} RELEASE_TAG: ${{ needs.release.outputs.tag }} SPARKLE_ED_PRIVATE_KEY: ${{ secrets.SPARKLE_ED_PRIVATE_KEY }} REPO: ${{ github.repository }} steps: - name: Guard — secret configured run: | if [ -z "$SPARKLE_ED_PRIVATE_KEY" ]; then echo "::error::SPARKLE_ED_PRIVATE_KEY secret is not set. Configure it with the base64-encoded private key exported via 'generate_keys -x'." exit 1 fi - uses: actions/checkout@v4 with: token: ${{ secrets.REPO_TOKEN }} - name: Download notarized mac artifact uses: actions/download-artifact@v4 with: name: mac-notarized-build path: mac-artifacts - name: Locate sign_update binary id: find_sign_update run: | # Sparkle's `sign_update` ships as a package artifact. We need SPM to # resolve the Sparkle package so the binary is present on disk. xcodebuild -resolvePackageDependencies -project Yattee.xcodeproj -scheme Yattee >/dev/null SIGN=$(find "$HOME/Library/Developer/Xcode/DerivedData" -name sign_update -type f 2>/dev/null | head -1) if [ -z "$SIGN" ]; then SIGN=$(find ~ -name sign_update -type f 2>/dev/null | head -1) fi if [ -z "$SIGN" ]; then echo "::error::Could not locate sign_update binary" exit 1 fi echo "sign_update=$SIGN" >> "$GITHUB_OUTPUT" - name: Checkout gh-pages (create if missing) run: | git fetch origin gh-pages || true if git rev-parse --verify origin/gh-pages >/dev/null 2>&1; then git worktree add gh-pages origin/gh-pages else # First run — create orphan gh-pages with only appcast scaffolding. git worktree add --detach gh-pages HEAD cd gh-pages git checkout --orphan gh-pages git rm -rf . >/dev/null 2>&1 || true cp ../scripts/sparkle/appcast_template.xml appcast.xml cd .. fi - name: Write private key to a temp file id: ed_key run: | KEY_FILE=$(mktemp) printf '%s' "$SPARKLE_ED_PRIVATE_KEY" > "$KEY_FILE" echo "path=$KEY_FILE" >> "$GITHUB_OUTPUT" - name: Sign update and update appcast.xml run: | ZIP=$(find mac-artifacts -name '*.zip' | head -1) if [ -z "$ZIP" ]; then echo "::error::No .zip found in mac-artifacts" exit 1 fi ./scripts/sparkle/update_appcast.rb \ --zip "$ZIP" \ --version "$VERSION_NUMBER" \ --build "$BUILD_NUMBER" \ --channel "$RELEASE_CHANNEL" \ --tag "$RELEASE_TAG" \ --sign-update-bin "${{ steps.find_sign_update.outputs.sign_update }}" \ --ed-key-file "${{ steps.ed_key.outputs.path }}" \ --appcast gh-pages/appcast.xml \ --repo "$REPO" - name: Scrub private key if: always() run: rm -f "${{ steps.ed_key.outputs.path }}" - name: Commit & push appcast.xml run: | cd gh-pages git config --local user.email "github-actions[bot]@users.noreply.github.com" git config --local user.name "github-actions[bot]" git add appcast.xml if git diff --cached --quiet; then echo "No appcast changes to publish" else git commit -m "Publish Sparkle appcast: ${VERSION_NUMBER} (${BUILD_NUMBER}) [${RELEASE_CHANNEL}]" git push origin gh-pages fi update_altstore: needs: [release] uses: ./.github/workflows/update-altstore.yml