FutrixDev
diff --git a/‎.github/workflows/package-dispatch.yml‎
Lines changed: 312 additions & 0 deletions b/‎.github/workflows/package-dispatch.yml‎
Lines changed: 312 additions & 0 deletions
diff --git a/‎.gitignore‎
Lines changed: 3 additions & 0 deletions b/‎.gitignore‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎README.md‎
Lines changed: 65 additions & 0 deletions b/‎README.md‎
Lines changed: 65 additions & 0 deletions
@@ -0,0 +1,312 @@
+name: Package FutrixData
+
+on:
+  repository_dispatch:
+    types:
+      - futrix-package-request
+  workflow_dispatch:
+    inputs:
+      source_repository:
+        description: "Source repository in owner/name format"
+        required: true
+        type: string
+      source_ref:
+        description: "Source git ref, for example refs/heads/main or refs/tags/v1.0.0"
+        required: true
+        default: "refs/heads/main"
+        type: string
+      source_sha:
+        description: "Optional exact source commit SHA"
+        required: false
+        type: string
+      version:
+        description: "Optional version override"
+        required: false
+        type: string
+      release:
+        description: "Create a release in the packaging repository"
+        required: false
+        default: false
+        type: boolean
+
+permissions:
+  contents: write
+
+jobs:
+  prepare:
+    runs-on: ubuntu-latest
+    outputs:
+      source_repository: ${{ steps.resolve.outputs.source_repository }}
+      source_ref: ${{ steps.resolve.outputs.source_ref }}
+      source_sha: ${{ steps.resolve.outputs.source_sha }}
+      source_checkout_ref: ${{ steps.resolve.outputs.source_checkout_ref }}
+      version: ${{ steps.resolve.outputs.version }}
+      release: ${{ steps.resolve.outputs.release }}
+      source_run_url: ${{ steps.resolve.outputs.source_run_url }}
+      triggered_by: ${{ steps.resolve.outputs.triggered_by }}
+      event_name: ${{ steps.resolve.outputs.event_name }}
+    steps:
+      - name: Resolve packaging request
+        id: resolve
+        shell: bash
+        run: |
+          set -euo pipefail
+
+          source_repository="$(jq -r '.client_payload.source_repository // .inputs.source_repository // ""' "$GITHUB_EVENT_PATH")"
+          source_ref="$(jq -r '.client_payload.source_ref // .inputs.source_ref // ""' "$GITHUB_EVENT_PATH")"
+          source_sha="$(jq -r '.client_payload.source_sha // .inputs.source_sha // ""' "$GITHUB_EVENT_PATH")"
+          source_checkout_ref="${source_sha:-$source_ref}"
+          version="$(jq -r '.client_payload.version // .inputs.version // ""' "$GITHUB_EVENT_PATH")"
+          release="$(jq -r '.client_payload.release // .inputs.release // "false"' "$GITHUB_EVENT_PATH")"
+          source_run_url="$(jq -r '.client_payload.source_run_url // ""' "$GITHUB_EVENT_PATH")"
+          triggered_by="$(jq -r '.client_payload.triggered_by // ""' "$GITHUB_EVENT_PATH")"
+          event_name="$(jq -r '.client_payload.event_name // ""' "$GITHUB_EVENT_PATH")"
+
+          if [ -z "$triggered_by" ]; then
+            triggered_by="$GITHUB_ACTOR"
+          fi
+
+          if [ -z "$event_name" ]; then
+            event_name="$GITHUB_EVENT_NAME"
+          fi
+
+          if [ -z "$source_repository" ]; then
+            echo "source_repository is required" >&2
+            exit 1
+          fi
+
+          if [ -z "$source_ref" ] && [ -z "$source_sha" ]; then
+            echo "Either source_ref or source_sha is required" >&2
+            exit 1
+          fi
+
+          if [ -z "$version" ]; then
+            if [[ "$source_ref" == refs/tags/* ]]; then
+              version="${source_ref#refs/tags/}"
+            elif [ -n "$source_sha" ]; then
+              version="sha-${source_sha:0:7}"
+            else
+              version="manual-${GITHUB_RUN_ID}"
+            fi
+          fi
+
+          if [[ "$source_ref" == refs/tags/* ]]; then
+            release=true
+          fi
+
+          {
+            echo "source_repository=$source_repository"
+            echo "source_ref=$source_ref"
+            echo "source_sha=$source_sha"
+            echo "source_checkout_ref=$source_checkout_ref"
+            echo "version=$version"
+            echo "release=$release"
+            echo "source_run_url=$source_run_url"
+            echo "triggered_by=$triggered_by"
+            echo "event_name=$event_name"
+          } >> "$GITHUB_OUTPUT"
+
+  package-macos:
+    needs: prepare
+    runs-on: macos-latest
+    env:
+      SOURCE_REPOSITORY: ${{ needs.prepare.outputs.source_repository }}
+      SOURCE_REF: ${{ needs.prepare.outputs.source_ref }}
+      SOURCE_SHA: ${{ needs.prepare.outputs.source_sha }}
+      SOURCE_CHECKOUT_REF: ${{ needs.prepare.outputs.source_checkout_ref }}
+      VERSION: ${{ needs.prepare.outputs.version }}
+      MACOS_WAILS_PLATFORM: ${{ vars.MACOS_WAILS_PLATFORM || 'darwin/universal' }}
+      MACOS_BUNDLE_ID: ${{ vars.MACOS_BUNDLE_ID || 'com.futrixdata.app' }}
+    steps:
+      - name: Checkout packaging repository
+        uses: actions/checkout@v4
+
+      - name: Checkout source repository
+        uses: actions/checkout@v4
+        with:
+          repository: ${{ env.SOURCE_REPOSITORY }}
+          ref: ${{ env.SOURCE_CHECKOUT_REF }}
+          token: ${{ secrets.SOURCE_REPO_READ_TOKEN }}
+          path: source
+          fetch-depth: 1
+
+      - name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+          go-version-file: source/go.mod
+
+      - name: Set up Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: 20
+          cache: npm
+          cache-dependency-path: source/frontend/package-lock.json
+
+      - name: Install Wails CLI
+        shell: bash
+        run: |
+          set -euo pipefail
+          go install github.com/wailsapp/wails/v2/cmd/wails@v2.11.0
+          echo "$(go env GOPATH)/bin" >> "$GITHUB_PATH"
+
+      - name: Import macOS signing certificate
+        shell: bash
+        env:
+          MACOS_CERTIFICATE_P12_BASE64: ${{ secrets.MACOS_CERTIFICATE_P12_BASE64 }}
+          MACOS_CERTIFICATE_PASSWORD: ${{ secrets.MACOS_CERTIFICATE_PASSWORD }}
+        run: |
+          set -euo pipefail
+          CERT_PATH="$RUNNER_TEMP/macos-signing-cert.p12"
+          KEYCHAIN_PATH="$RUNNER_TEMP/packaging.keychain-db"
+          KEYCHAIN_PASSWORD="$(uuidgen)"
+
+          MACOS_CERTIFICATE_P12_BASE64="$MACOS_CERTIFICATE_P12_BASE64" \
+            python3 - <<'PY' > "$CERT_PATH"
+import base64
+import os
+import sys
+
+sys.stdout.buffer.write(base64.b64decode(os.environ["MACOS_CERTIFICATE_P12_BASE64"]))
+PY
+
+          security create-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
+          security set-keychain-settings -lut 21600 "$KEYCHAIN_PATH"
+          security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
+          security import "$CERT_PATH" -P "$MACOS_CERTIFICATE_PASSWORD" -A -t cert -f pkcs12 -k "$KEYCHAIN_PATH"
+          security list-keychains -d user -s "$KEYCHAIN_PATH" $(security list-keychains -d user | tr -d '"')
+          security set-key-partition-list -S apple-tool:,apple: -s -k "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
+
+      - name: Decode App Store Connect key
+        shell: bash
+        env:
+          MACOS_NOTARY_PRIVATE_KEY_BASE64: ${{ secrets.MACOS_NOTARY_PRIVATE_KEY_BASE64 }}
+        run: |
+          set -euo pipefail
+          NOTARY_KEY_PATH="$RUNNER_TEMP/AuthKey.p8"
+          MACOS_NOTARY_PRIVATE_KEY_BASE64="$MACOS_NOTARY_PRIVATE_KEY_BASE64" \
+            python3 - <<'PY' > "$NOTARY_KEY_PATH"
+import base64
+import os
+import sys
+
+sys.stdout.buffer.write(base64.b64decode(os.environ["MACOS_NOTARY_PRIVATE_KEY_BASE64"]))
+PY
+          echo "MACOS_NOTARY_KEY_FILE=$NOTARY_KEY_PATH" >> "$GITHUB_ENV"
+
+      - name: Package macOS app
+        shell: bash
+        env:
+          MACOS_SIGNING_IDENTITY: ${{ secrets.MACOS_SIGNING_IDENTITY }}
+          MACOS_NOTARY_KEY_ID: ${{ secrets.MACOS_NOTARY_KEY_ID }}
+          MACOS_NOTARY_ISSUER: ${{ secrets.MACOS_NOTARY_ISSUER }}
+          PRODUCT_NAME: ${{ vars.PRODUCT_NAME || 'FutrixData' }}
+        run: ./scripts/package-macos.sh
+
+      - name: Upload macOS artifacts
+        uses: actions/upload-artifact@v4
+        with:
+          name: dist-macos-${{ env.VERSION }}
+          path: dist/macos/*
+          if-no-files-found: error
+
+  package-windows:
+    needs: prepare
+    runs-on: windows-latest
+    env:
+      SOURCE_REPOSITORY: ${{ needs.prepare.outputs.source_repository }}
+      SOURCE_REF: ${{ needs.prepare.outputs.source_ref }}
+      SOURCE_SHA: ${{ needs.prepare.outputs.source_sha }}
+      SOURCE_CHECKOUT_REF: ${{ needs.prepare.outputs.source_checkout_ref }}
+      VERSION: ${{ needs.prepare.outputs.version }}
+      WINDOWS_WAILS_PLATFORM: ${{ vars.WINDOWS_WAILS_PLATFORM || 'windows/amd64' }}
+      WINDOWS_TIMESTAMP_URL: ${{ vars.WINDOWS_TIMESTAMP_URL || 'http://timestamp.digicert.com' }}
+    steps:
+      - name: Checkout packaging repository
+        uses: actions/checkout@v4
+
+      - name: Checkout source repository
+        uses: actions/checkout@v4
+        with:
+          repository: ${{ env.SOURCE_REPOSITORY }}
+          ref: ${{ env.SOURCE_CHECKOUT_REF }}
+          token: ${{ secrets.SOURCE_REPO_READ_TOKEN }}
+          path: source
+          fetch-depth: 1
+
+      - name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+          go-version-file: source/go.mod
+
+      - name: Set up Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: 20
+          cache: npm
+          cache-dependency-path: source/frontend/package-lock.json
+
+      - name: Install Wails CLI
+        shell: pwsh
+        run: |
+          go install github.com/wailsapp/wails/v2/cmd/wails@v2.11.0
+          "$((go env GOPATH) -replace '\\','/')/bin" | Out-File -FilePath $env:GITHUB_PATH -Encoding utf8 -Append
+
+      - name: Decode Windows signing certificate
+        shell: pwsh
+        env:
+          WINDOWS_CERTIFICATE_PFX_BASE64: ${{ secrets.WINDOWS_CERTIFICATE_PFX_BASE64 }}
+        run: |
+          $certPath = Join-Path $env:RUNNER_TEMP "windows-signing-cert.pfx"
+          [System.IO.File]::WriteAllBytes($certPath, [System.Convert]::FromBase64String($env:WINDOWS_CERTIFICATE_PFX_BASE64))
+          "WINDOWS_CERTIFICATE_PATH=$certPath" | Out-File -FilePath $env:GITHUB_ENV -Encoding utf8 -Append
+
+      - name: Package Windows app
+        shell: pwsh
+        env:
+          PRODUCT_NAME: ${{ vars.PRODUCT_NAME || 'FutrixData' }}
+          WINDOWS_CERTIFICATE_PASSWORD: ${{ secrets.WINDOWS_CERTIFICATE_PASSWORD }}
+        run: ./scripts/package-windows.ps1
+
+      - name: Upload Windows artifacts
+        uses: actions/upload-artifact@v4
+        with:
+          name: dist-windows-${{ env.VERSION }}
+          path: dist/windows/*
+          if-no-files-found: error
+
+  release:
+    needs:
+      - prepare
+      - package-macos
+      - package-windows
+    if: ${{ needs.prepare.outputs.release == 'true' }}
+    runs-on: ubuntu-latest
+    steps:
+      - name: Download packaged artifacts
+        uses: actions/download-artifact@v4
+        with:
+          pattern: dist-*
+          path: release-assets
+          merge-multiple: true
+
+      - name: Create release notes
+        shell: bash
+        run: |
+          set -euo pipefail
+          {
+            echo "Source repository: ${{ needs.prepare.outputs.source_repository }}"
+            echo "Source ref: ${{ needs.prepare.outputs.source_ref }}"
+            echo "Source sha: ${{ needs.prepare.outputs.source_sha }}"
+            echo "Triggered by: ${{ needs.prepare.outputs.triggered_by }}"
+            if [ -n "${{ needs.prepare.outputs.source_run_url }}" ]; then
+              echo "Source workflow: ${{ needs.prepare.outputs.source_run_url }}"
+            fi
+          } > RELEASE_NOTES.txt
+
+      - name: Publish GitHub release
+        uses: softprops/action-gh-release@v2
+        with:
+          tag_name: ${{ needs.prepare.outputs.version }}
+          name: FutrixData ${{ needs.prepare.outputs.version }}
+          body_path: RELEASE_NOTES.txt
+          files: release-assets/*
@@ -0,0 +1,3 @@
+dist/
+artifacts/
+.DS_Store
@@ -0,0 +1,65 @@
+# FutrixData Packaging Repository
+
+This repository only owns CI packaging, code signing, notarization, and release publication for FutrixData.
+Application source stays in the source repository and is checked out at an exact commit during each packaging run.
+
+## Event Contract
+
+Primary trigger:
+
+- `repository_dispatch`
+- Event type: `futrix-package-request`
+
+Supported manual trigger:
+
+- `workflow_dispatch`
+
+Expected payload fields:
+
+- `source_repository`
+- `source_ref`
+- `source_sha`
+- `version`
+- `source_run_url`
+- `triggered_by`
+- `event_name`
+- `release`
+
+## Required Secrets
+
+- `SOURCE_REPO_READ_TOKEN`
+  - Token that can read the source repository.
+- `MACOS_CERTIFICATE_P12_BASE64`
+  - Base64 encoded Developer ID Application `.p12`.
+- `MACOS_CERTIFICATE_PASSWORD`
+  - Password for the `.p12`.
+- `MACOS_SIGNING_IDENTITY`
+  - Example: `Developer ID Application: Your Company (TEAMID)`.
+- `MACOS_NOTARY_KEY_ID`
+  - App Store Connect API key ID.
+- `MACOS_NOTARY_ISSUER`
+  - App Store Connect issuer ID.
+- `MACOS_NOTARY_PRIVATE_KEY_BASE64`
+  - Base64 encoded `.p8` private key contents.
+- `WINDOWS_CERTIFICATE_PFX_BASE64`
+  - Base64 encoded code-signing `.pfx`.
+- `WINDOWS_CERTIFICATE_PASSWORD`
+  - Password for the `.pfx`.
+
+## Optional Repository Variables
+
+- `PRODUCT_NAME`
+  - Default: `FutrixData`
+- `MACOS_WAILS_PLATFORM`
+  - Default: `darwin/universal`
+- `WINDOWS_WAILS_PLATFORM`
+  - Default: `windows/amd64`
+- `MACOS_BUNDLE_ID`
+  - Example: `com.futrixdata.app`
+- `WINDOWS_TIMESTAMP_URL`
+  - Default: `http://timestamp.digicert.com`
+
+## Release Behavior
+
+- Branch build requests upload workflow artifacts.
+- Tag build requests also publish a GitHub Release in this repository.