This should (!) allow us to generate full release notes relative to the
previous viewer release, instead of letting action-gh-release guess
incorrectly.
Also try again to add to the release page a back-link to the specific build.
Using github.ref as action-gh-release's target_commitish produces:
⚠️ GitHub release failed with status: 422
[{"resource":"Release","code":"invalid","field":"target_commitish"}]
We're currently building every single commit pushed to Github. This is
racking up $20k in build charges a month and is generally superfluous.
This changeset alters build triggers so that builds automatically run if
they are committed to a **shared branch**:
- `release/*` - A release stabilization branch
- `project/*` - A project viewer branch
- `main/*` - The default/stable branch
PR commits are also automatically built.
...need to build another commit? Developers can trigger one using a
manual workflow run.
The fix we wanted was on the pr-branch branch of the viewer-build-util repo.
Now that it's been published as v1.1.2, the updated v1 tag references the fix,
so revert mention to @v1.
Switch the build workflow from targeting the `main` branch of
viewer-build-util (which may receive breaking changes) to the stable
`v1` major version tag.
Only download and publish installers on public releases. This simplifies
the release process, as the flatten_files utility from
viewer-build-utils is not necessary this way. More importantly, it
doesn't clutter public releases with files that shouldn't be published
such as debug symbols.
The release job has been dependent on sign-and-package-windows and
sign-and-package-mac, each of which depends on build. But that indirect
dependency doesn't convey access to ${{ needs.build.outputs.xxx }}. Add the
build job to direct dependencies so release can access its outputs.
for Mac and Windows. That's now done by subsequent jobs in the GitHub build.
Remove workflow step to upload installers before signing and packaging jobs.
Remove from viewer_manifest.py conditionals for 32-bit Windows or Mac.
Also bump to actions/checkout@v4, per dependabot.
"ASC Provider" was a credential accepted by altool, but switching from altool
to notarytool requires a Team ID instead.
Expect to find TEAM_ID in our repository secret NOTARIZE_CREDS_MACOS. Extract
it and pass it to sign-pkg-mac.
Add a Mac signing step to unpack the credentials bundled into
NOTARIZE_CREDS_MACOS so viewer-build-util/sign-pkg-mac need not know about
that peculiarity of our secrets formatting.
The viewer_manifest.py logic to determine the name of the viewer installer
.dmg is a little convoluted. Make it tell viewer-build-util/sign-pkg-mac that
name, rather than passing it all the relevant inputs and composing it
redundantly.
sign-pkg-mac also wants the viewer channel to determine the application name.
instead of trying to checkout viewer-build-util (which doesn't work) and then
reference action subdirs from the filesystem.
Also engage (initial placeholder) actions to sign and package the
platform-specific application artifacts.
Andrey Lihatskiy