next-ai-draw-io/.github/workflows/electron-release.yml

name: Electron Release

on:
  push:
    tags:
      - "v*"
  workflow_dispatch:
    inputs:
      version:
        description: "Version tag (e.g., v0.4.5)"
        required: false

jobs:
  # Mac and Linux: Build and publish directly (no signing needed)
  build-mac-linux:
    permissions:
      contents: write
    strategy:
      fail-fast: false
      matrix:
        include:
          - os: macos-latest
            platform: mac
          - os: ubuntu-latest
            platform: linux
    runs-on: ${{ matrix.os }}
    steps:
      - name: Checkout code
        uses: actions/checkout@v6

      - name: Setup Node.js
        uses: actions/setup-node@v6
        with:
          node-version: 24
          cache: "npm"

      - name: Install dependencies
        run: npm install

      - name: Build and publish
        run: npm run dist:${{ matrix.platform }}
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

  # Windows: Build, sign with SignPath, then publish
  build-windows:
    permissions:
      contents: write
    runs-on: windows-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v6

      - name: Setup Node.js
        uses: actions/setup-node@v6
        with:
          node-version: 24
          cache: "npm"

      - name: Install dependencies
        run: npm install

      # Build WITHOUT publishing
      - name: Build Windows app
        run: npm run dist:win:build
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

      - name: Upload unsigned artifacts for signing
        uses: actions/upload-artifact@v4
        id: upload-unsigned
        with:
          name: windows-unsigned
          path: release/*.exe
          retention-days: 1

      - name: Sign with SignPath
        uses: signpath/github-action-submit-signing-request@v2
        with:
          api-token: ${{ secrets.SIGNPATH_API_TOKEN }}
          organization-id: '880a211d-2cd3-4e7b-8d04-3d1f8eb39df5'
          project-slug: 'next-ai-draw-io'
          signing-policy-slug: 'test-signing'
          artifact-configuration-slug: 'windows-exe'
          github-artifact-id: ${{ steps.upload-unsigned.outputs.artifact-id }}
          wait-for-completion: true
          output-artifact-directory: release-signed

      - name: Upload signed artifacts to release
        uses: softprops/action-gh-release@v2
        with:
          files: release-signed/*.exe
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}