name: Build on: push: tags: - v* paths-ignore: - 'README.md' - '.github/ISSUE_TEMPLATE/**' - '.github/workflows/issues.yml' workflow_dispatch: permissions: write-all jobs: windows: strategy: fail-fast: false matrix: arch: - x64 - ia32 - arm64 runs-on: windows-latest steps: - name: Checkout uses: actions/checkout@v4 - name: Setup pnpm run: npm install -g pnpm - name: Install Dependencies env: npm_config_arch: ${{ matrix.arch }} npm_config_target_arch: ${{ matrix.arch }} run: | pnpm install pnpm add @mihomo-party/sysproxy-win32-${{ matrix.arch }}-msvc pnpm prepare --${{ matrix.arch }} - name: Build env: npm_config_arch: ${{ matrix.arch }} npm_config_target_arch: ${{ matrix.arch }} run: pnpm build:win --${{ matrix.arch }} - name: Add Portable Flag run: | New-Item -Path "PORTABLE" -ItemType File Get-ChildItem dist/*portable.7z | ForEach-Object { 7z a $_.FullName PORTABLE } - name: Generate checksums run: pnpm checksum setup.exe portable.7z - name: Upload Artifacts if: startsWith(github.ref, 'refs/heads/') uses: actions/upload-artifact@v4 with: name: Windows ${{ matrix.arch }} path: | dist/*.sha256 dist/*setup.exe dist/*portable.7z if-no-files-found: error - name: Publish Release if: startsWith(github.ref, 'refs/tags/v') uses: softprops/action-gh-release@v2 with: files: | dist/*.sha256 dist/*setup.exe dist/*portable.7z body_path: changelog.md token: ${{ secrets.GITHUB_TOKEN }} windows7: strategy: fail-fast: false matrix: arch: - x64 - ia32 runs-on: windows-latest steps: - name: Checkout uses: actions/checkout@v4 - name: Setup pnpm run: npm install -g pnpm - name: Install Dependencies env: npm_config_arch: ${{ matrix.arch }} npm_config_target_arch: ${{ matrix.arch }} run: | pnpm install pnpm add @mihomo-party/sysproxy-win32-${{ matrix.arch }}-msvc pnpm add -D electron@22.3.27 (Get-Content electron-builder.yml) -replace 'windows', 'win7' | Set-Content electron-builder.yml pnpm prepare --${{ matrix.arch }} - name: Build env: npm_config_arch: ${{ matrix.arch }} npm_config_target_arch: ${{ matrix.arch }} run: pnpm build:win --${{ matrix.arch }} - name: Add Portable Flag run: | New-Item -Path "PORTABLE" -ItemType File Get-ChildItem dist/*portable.7z | ForEach-Object { 7z a $_.FullName PORTABLE } - name: Generate checksums run: pnpm checksum setup.exe portable.7z - name: Upload Artifacts if: startsWith(github.ref, 'refs/heads/') uses: actions/upload-artifact@v4 with: name: Win7 ${{ matrix.arch }} path: | dist/*.sha256 dist/*setup.exe dist/*portable.7z if-no-files-found: error - name: Publish Release if: startsWith(github.ref, 'refs/tags/v') uses: softprops/action-gh-release@v2 with: files: | dist/*.sha256 dist/*setup.exe dist/*portable.7z body_path: changelog.md token: ${{ secrets.GITHUB_TOKEN }} linux: strategy: fail-fast: false matrix: arch: - x64 - arm64 runs-on: ubuntu-latest steps: - name: Checkout uses: actions/checkout@v4 - name: Setup pnpm run: npm install -g pnpm - name: Install Dependencies env: npm_config_arch: ${{ matrix.arch }} npm_config_target_arch: ${{ matrix.arch }} run: | pnpm install pnpm add @mihomo-party/sysproxy-linux-${{ matrix.arch }}-gnu sed -i "s/productName: Mihomo Party/productName: mihomo-party/" electron-builder.yml pnpm prepare --${{ matrix.arch }} - name: Build env: npm_config_arch: ${{ matrix.arch }} npm_config_target_arch: ${{ matrix.arch }} run: pnpm build:linux --${{ matrix.arch }} - name: Generate checksums run: pnpm checksum .deb .rpm - name: Upload Artifacts if: startsWith(github.ref, 'refs/heads/') uses: actions/upload-artifact@v4 with: name: Linux ${{ matrix.arch }} path: | dist/*.sha256 dist/*.deb dist/*.rpm if-no-files-found: error - name: Publish Release if: startsWith(github.ref, 'refs/tags/v') uses: softprops/action-gh-release@v2 with: files: | dist/*.sha256 dist/*.deb dist/*.rpm body_path: changelog.md token: ${{ secrets.GITHUB_TOKEN }} macos: strategy: fail-fast: false matrix: arch: - x64 - arm64 runs-on: macos-latest steps: - name: Checkout uses: actions/checkout@v4 - name: Setup pnpm run: npm install -g pnpm - name: Install Dependencies env: npm_config_arch: ${{ matrix.arch }} npm_config_target_arch: ${{ matrix.arch }} run: | pnpm install pnpm add @mihomo-party/sysproxy-darwin-${{ matrix.arch }} pnpm prepare --${{ matrix.arch }} - name: Verify Code Signing Certificate env: CSC_LINK: ${{ secrets.CSC_LINK }} CSC_KEY_PASSWORD: ${{ secrets.CSC_KEY_PASSWORD }} run: | echo "验证代码签名证书..." if [ -n "$CSC_LINK" ]; then echo "CSC_LINK 已设置" else echo "警告: CSC_LINK 未设置" fi if [ -n "$CSC_KEY_PASSWORD" ]; then echo "CSC_KEY_PASSWORD 已设置" else echo "警告: CSC_KEY_PASSWORD 未设置" fi echo "可用的代码签名证书:" security find-identity -v -p codesigning echo "可用的安装器签名证书:" security find-identity -v -p basic - name: Build timeout-minutes: 60 env: npm_config_arch: ${{ matrix.arch }} npm_config_target_arch: ${{ matrix.arch }} APPLE_ID: ${{ secrets.APPLE_ID }} APPLE_APP_SPECIFIC_PASSWORD: ${{ secrets.APPLE_APP_SPECIFIC_PASSWORD }} APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }} CSC_LINK: ${{ secrets.CSC_LINK }} CSC_KEY_PASSWORD: ${{ secrets.CSC_KEY_PASSWORD }} CSC_NAME: "Developer ID Application: Prometheus Advertising Corp (489PDK5LP3)" DEBUG: "electron-builder" CSC_IDENTITY_AUTO_DISCOVERY: "false" run: | echo "开始构建 macOS 应用..." security list-keychains security find-identity -v -p codesigning chmod +x build/pkg-scripts/postinstall pnpm build:mac --${{ matrix.arch }} --publish=never echo "验证构建产物签名..." for app in dist/mac*/*.app; do if [ -d "$app" ]; then echo "检查 $app 的签名..." codesign --verify --verbose=2 "$app" || echo "警告: $app 签名验证失败" spctl --assess --verbose --type execute "$app" || echo "警告: $app Gatekeeper 评估失败" fi done - name: Setup temporary installer signing keychain uses: apple-actions/import-codesign-certs@v3 with: p12-file-base64: ${{ secrets.CSC_INSTALLER_LINK }} p12-password: ${{ secrets.CSC_INSTALLER_KEY_PASSWORD }} - name: Sign the Apple pkg # if: false # 临时禁用此步骤 timeout-minutes: 30 run: | echo "设置 notarytool 凭据..." if ! xcrun notarytool store-credentials "NOTARIZE_PROFILE" --apple-id "$APPLE_ID" --team-id "$APPLE_TEAM_ID" --password "$APPLE_APP_SPECIFIC_PASSWORD"; then echo "错误: 无法设置 notarytool 凭据" exit 1 fi echo "验证凭据设置..." xcrun notarytool list --keychain-profile "NOTARIZE_PROFILE" || true echo "签名和公证 pkg 文件..." for pkg_name in $(ls -1 dist/*.pkg); do pkg_name=$(ls -1 dist/*.pkg) echo "处理文件: $pkg_name" if [ ! -f "$pkg_name" ]; then echo "错误: 找不到 pkg 文件: $pkg_name" exit 1 fi mv $pkg_name Unsigned-Workbench.pkg echo "使用 productsign 签名..." if ! productsign --sign "Developer ID Installer: Prometheus Advertising Corp (489PDK5LP3)" Unsigned-Workbench.pkg $pkg_name; then echo "错误: productsign 签名失败" exit 1 fi rm -f Unsigned-Workbench.pkg echo "验证签名..." pkgutil --check-signature "$pkg_name" || echo "警告: pkg 签名验证失败" spctl --assess --verbose --type install "$pkg_name" || echo "警告: Gatekeeper 评估失败" echo "提交公证..." submission_id=$(xcrun notarytool submit $pkg_name --keychain-profile "NOTARIZE_PROFILE" --wait --output-format json | jq -r '.id') if [ $? -ne 0 ] || [ "$submission_id" = "null" ]; then echo "错误: notarytool 公证失败" echo "检查最近的公证历史..." xcrun notarytool history --keychain-profile "NOTARIZE_PROFILE" || true exit 1 fi echo "公证提交ID: $submission_id" # 获取详细的公证结果 echo "获取公证详细信息..." xcrun notarytool info "$submission_id" --keychain-profile "NOTARIZE_PROFILE" || true # 如果公证失败,获取详细日志 notarization_status=$(xcrun notarytool info "$submission_id" --keychain-profile "NOTARIZE_PROFILE" --output-format json | jq -r '.status') if [ "$notarization_status" != "Accepted" ]; then echo "公证失败,状态: $notarization_status" echo "获取公证日志..." xcrun notarytool log "$submission_id" --keychain-profile "NOTARIZE_PROFILE" || true exit 1 fi echo "公证成功完成!" echo "检查公证状态..." xcrun notarytool history --keychain-profile "NOTARIZE_PROFILE" | head -10 || true done env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} APPLE_APP_SPECIFIC_PASSWORD: ${{ secrets.APPLE_APP_SPECIFIC_PASSWORD }} APPLE_ID: ${{ secrets.APPLE_ID }} APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }} - name: Generate checksums run: pnpm checksum .pkg - name: Upload Artifacts if: startsWith(github.ref, 'refs/heads/') uses: actions/upload-artifact@v4 with: name: MacOS ${{ matrix.arch }} path: | dist/*.sha256 dist/*.pkg if-no-files-found: error - name: Publish Release if: startsWith(github.ref, 'refs/tags/v') uses: softprops/action-gh-release@v2 with: files: | dist/*.sha256 dist/*.pkg body_path: changelog.md token: ${{ secrets.GITHUB_TOKEN }} macos10: strategy: fail-fast: false matrix: arch: - x64 - arm64 runs-on: macos-latest steps: - name: Checkout uses: actions/checkout@v4 - name: Setup pnpm run: npm install -g pnpm - name: Install Dependencies env: npm_config_arch: ${{ matrix.arch }} npm_config_target_arch: ${{ matrix.arch }} run: | pnpm install pnpm add @mihomo-party/sysproxy-darwin-${{ matrix.arch }} pnpm add -D electron@32.2.2 pnpm prepare --${{ matrix.arch }} - name: Verify Code Signing Certificate env: CSC_LINK: ${{ secrets.CSC_LINK }} CSC_KEY_PASSWORD: ${{ secrets.CSC_KEY_PASSWORD }} run: | echo "验证代码签名证书..." if [ -n "$CSC_LINK" ]; then echo "CSC_LINK 已设置" else echo "警告: CSC_LINK 未设置" fi if [ -n "$CSC_KEY_PASSWORD" ]; then echo "CSC_KEY_PASSWORD 已设置" else echo "警告: CSC_KEY_PASSWORD 未设置" fi echo "可用的代码签名证书:" security find-identity -v -p codesigning echo "可用的安装器签名证书:" security find-identity -v -p basic - name: Build timeout-minutes: 60 env: npm_config_arch: ${{ matrix.arch }} npm_config_target_arch: ${{ matrix.arch }} APPLE_ID: ${{ secrets.APPLE_ID }} APPLE_APP_SPECIFIC_PASSWORD: ${{ secrets.APPLE_APP_SPECIFIC_PASSWORD }} APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }} CSC_LINK: ${{ secrets.CSC_LINK }} CSC_KEY_PASSWORD: ${{ secrets.CSC_KEY_PASSWORD }} CSC_NAME: "Developer ID Application: Prometheus Advertising Corp (489PDK5LP3)" DEBUG: "electron-builder" CSC_IDENTITY_AUTO_DISCOVERY: "false" run: | echo "开始构建 macOS 10 应用..." security list-keychains security find-identity -v -p codesigning sed -i "" -e "s/macos/catalina/" electron-builder.yml chmod +x build/pkg-scripts/postinstall pnpm build:mac --${{ matrix.arch }} --publish=never echo "验证构建产物签名..." for app in dist/mac*/*.app; do if [ -d "$app" ]; then echo "检查 $app 的签名..." codesign --verify --verbose=2 "$app" || echo "警告: $app 签名验证失败" spctl --assess --verbose --type execute "$app" || echo "警告: $app Gatekeeper 评估失败" fi done - name: Setup temporary installer signing keychain uses: apple-actions/import-codesign-certs@v3 with: p12-file-base64: ${{ secrets.CSC_INSTALLER_LINK }} p12-password: ${{ secrets.CSC_INSTALLER_KEY_PASSWORD }} - name: Sign the Apple pkg # if: false # 临时禁用此步骤 timeout-minutes: 30 run: | echo "设置 notarytool 凭据..." if ! xcrun notarytool store-credentials "NOTARIZE_PROFILE" --apple-id "$APPLE_ID" --team-id "$APPLE_TEAM_ID" --password "$APPLE_APP_SPECIFIC_PASSWORD"; then echo "错误: 无法设置 notarytool 凭据" exit 1 fi echo "验证凭据设置..." xcrun notarytool list --keychain-profile "NOTARIZE_PROFILE" || true echo "签名和公证 pkg 文件..." for pkg_name in $(ls -1 dist/*.pkg); do pkg_name=$(ls -1 dist/*.pkg) echo "处理文件: $pkg_name" if [ ! -f "$pkg_name" ]; then echo "错误: 找不到 pkg 文件: $pkg_name" exit 1 fi mv $pkg_name Unsigned-Workbench.pkg echo "使用 productsign 签名..." if ! productsign --sign "Developer ID Installer: Prometheus Advertising Corp (489PDK5LP3)" Unsigned-Workbench.pkg $pkg_name; then echo "错误: productsign 签名失败" exit 1 fi rm -f Unsigned-Workbench.pkg echo "验证签名..." pkgutil --check-signature "$pkg_name" || echo "警告: pkg 签名验证失败" spctl --assess --verbose --type install "$pkg_name" || echo "警告: Gatekeeper 评估失败" echo "提交公证..." submission_id=$(xcrun notarytool submit $pkg_name --keychain-profile "NOTARIZE_PROFILE" --wait --output-format json | jq -r '.id') if [ $? -ne 0 ] || [ "$submission_id" = "null" ]; then echo "错误: notarytool 公证失败" echo "检查最近的公证历史..." xcrun notarytool history --keychain-profile "NOTARIZE_PROFILE" || true exit 1 fi echo "公证提交ID: $submission_id" # 获取详细的公证结果 echo "获取公证详细信息..." xcrun notarytool info "$submission_id" --keychain-profile "NOTARIZE_PROFILE" || true # 如果公证失败,获取详细日志 notarization_status=$(xcrun notarytool info "$submission_id" --keychain-profile "NOTARIZE_PROFILE" --output-format json | jq -r '.status') if [ "$notarization_status" != "Accepted" ]; then echo "公证失败,状态: $notarization_status" echo "获取公证日志..." xcrun notarytool log "$submission_id" --keychain-profile "NOTARIZE_PROFILE" || true exit 1 fi echo "公证成功完成!" echo "检查公证状态..." xcrun notarytool history --keychain-profile "NOTARIZE_PROFILE" | head -10 || true done env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} APPLE_APP_SPECIFIC_PASSWORD: ${{ secrets.APPLE_APP_SPECIFIC_PASSWORD }} APPLE_ID: ${{ secrets.APPLE_ID }} APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }} - name: Generate checksums run: pnpm checksum .pkg - name: Upload Artifacts if: startsWith(github.ref, 'refs/heads/') uses: actions/upload-artifact@v4 with: name: Catalina ${{ matrix.arch }} path: | dist/*.sha256 dist/*.pkg if-no-files-found: error - name: Publish Release if: startsWith(github.ref, 'refs/tags/v') uses: softprops/action-gh-release@v2 with: files: | dist/*.sha256 dist/*.pkg body_path: changelog.md token: ${{ secrets.GITHUB_TOKEN }} updater: if: startsWith(github.ref, 'refs/tags/v') needs: [windows, macos, windows7, macos10] runs-on: ubuntu-latest steps: - name: Checkout uses: actions/checkout@v4 - name: Setup pnpm run: npm install -g pnpm - name: Install Dependencies run: pnpm install - name: Telegram Notification env: TELEGRAM_BOT_TOKEN: ${{ secrets.TELEGRAM_BOT_TOKEN }} run: pnpm telegram - name: Generate latest.yml run: pnpm updater - name: Publish Release uses: softprops/action-gh-release@v2 with: files: latest.yml body_path: changelog.md token: ${{ secrets.GITHUB_TOKEN }} aur-release-updater: strategy: fail-fast: false matrix: pkgname: - mihomo-party-electron-bin - mihomo-party-electron - mihomo-party-bin - mihomo-party if: startsWith(github.ref, 'refs/tags/v') needs: linux runs-on: ubuntu-latest steps: - name: Checkout uses: actions/checkout@v4 - name: Update Version run: | sed -i "s/pkgver=.*/pkgver=$(echo ${{ github.ref }} | tr -d 'refs/tags/v')/" aur/${{ matrix.pkgname }}/PKGBUILD - name: Update Checksums if: matrix.pkgname == 'mihomo-party' || matrix.pkgname == 'mihomo-party-electron' run: | wget https://github.com/mihomo-party-org/mihomo-party/archive/refs/tags/$(echo ${{ github.ref }} | tr -d 'refs/tags/').tar.gz -O release.tar.gz sed -i "s/sha256sums=.*/sha256sums=(\"$(sha256sum ./release.tar.gz | awk '{print $1}')\"/" aur/mihomo-party/PKGBUILD sed -i "s/sha256sums=.*/sha256sums=(\"$(sha256sum ./release.tar.gz | awk '{print $1}')\"/" aur/mihomo-party-electron/PKGBUILD - name: Update Checksums if: matrix.pkgname == 'mihomo-party-bin' || matrix.pkgname == 'mihomo-party-electron-bin' run: | wget https://github.com/mihomo-party-org/mihomo-party/releases/download/$(echo ${{ github.ref }} | tr -d 'refs/tags/')/mihomo-party-linux-$(echo ${{ github.ref }} | tr -d 'refs/tags/v')-amd64.deb -O amd64.deb wget https://github.com/mihomo-party-org/mihomo-party/releases/download/$(echo ${{ github.ref }} | tr -d 'refs/tags/')/mihomo-party-linux-$(echo ${{ github.ref }} | tr -d 'refs/tags/v')-arm64.deb -O arm64.deb sed -i "s/sha256sums_x86_64=.*/sha256sums_x86_64=(\"$(sha256sum ./amd64.deb | awk '{print $1}')\")/" aur/mihomo-party-bin/PKGBUILD sed -i "s/sha256sums_aarch64=.*/sha256sums_aarch64=(\"$(sha256sum ./arm64.deb | awk '{print $1}')\")/" aur/mihomo-party-bin/PKGBUILD sed -i "s/sha256sums_x86_64=.*/sha256sums_x86_64=(\"$(sha256sum ./amd64.deb | awk '{print $1}')\")/" aur/mihomo-party-electron-bin/PKGBUILD sed -i "s/sha256sums_aarch64=.*/sha256sums_aarch64=(\"$(sha256sum ./arm64.deb | awk '{print $1}')\")/" aur/mihomo-party-electron-bin/PKGBUILD - name: Publish AUR package uses: KSXGitHub/github-actions-deploy-aur@v2.7.2 with: pkgname: ${{ matrix.pkgname }} pkgbuild: aur/${{ matrix.pkgname }}/PKGBUILD commit_username: pompurin404 commit_email: pompurin404@mihomo.party ssh_private_key: ${{ secrets.AUR_SSH_PRIVATE_KEY }} commit_message: Update AUR package ssh_keyscan_types: rsa,ed25519 allow_empty_commits: false aur-git-updater: if: startsWith(github.ref, 'refs/heads/') runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 with: fetch-depth: 0 - name: update version run: | sed -i "s/pkgver=.*/pkgver=$(git describe --long 2>/dev/null | sed 's/\([^-]*-g\)/r\1/;s/-/./g' | tr -d 'v')/" aur/mihomo-party-git/PKGBUILD - name: Publish AUR package uses: KSXGitHub/github-actions-deploy-aur@v2.7.2 with: pkgname: mihomo-party-git pkgbuild: aur/mihomo-party-git/PKGBUILD commit_username: pompurin404 commit_email: pompurin404@mihomo.party ssh_private_key: ${{ secrets.AUR_SSH_PRIVATE_KEY }} commit_message: Update AUR package ssh_keyscan_types: rsa,ed25519 allow_empty_commits: false winget: if: startsWith(github.ref, 'refs/tags/v') name: Update WinGet Package needs: windows runs-on: ubuntu-latest steps: - name: Get Tag Name run: echo "VERSION=$(echo ${{ github.ref }} | tr -d 'refs/tags/v')" >> $GITHUB_ENV - name: Submit to Winget uses: vedantmgoyal9/winget-releaser@main with: identifier: Mihomo-Party.Mihomo-Party version: ${{env.VERSION}} release-tag: v${{env.VERSION}} installers-regex: 'mihomo-party-windows-.*setup\.exe$' token: ${{ secrets.POMPURIN404_TOKEN }}