.github/workflows/release.yml

name: Release CI

on: workflow_dispatch
permissions: write-all

jobs:
  release-update:
    strategy:
      fail-fast: false
      matrix:
        include:
          - os: windows-latest
            target: x86_64-pc-windows-msvc
          - os: windows-latest
            target: i686-pc-windows-msvc
          - os: windows-latest
            target: aarch64-pc-windows-msvc
          - os: ubuntu-latest
            target: x86_64-unknown-linux-gnu
          - os: ubuntu-latest
            target: i686-unknown-linux-gnu
          - os: ubuntu-latest
            target: aarch64-unknown-linux-gnu
          - os: ubuntu-latest
            target: armv7-unknown-linux-gnueabihf
          - os: macos-latest
            target: aarch64-apple-darwin
          - os: macos-latest
            target: x86_64-apple-darwin

    runs-on: ${{ matrix.os }}
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Install Rust
        if: matrix.os != 'ubuntu-latest'
        uses: dtolnay/rust-toolchain@1.77.0

      - name: Add Rust Target
        if: matrix.os != 'ubuntu-latest'
        run: rustup target add ${{ matrix.target }}

      - name: Build
        if: matrix.os != 'ubuntu-latest'
        run: cargo build --release --target ${{ matrix.target }}

      - name: Build
        if: matrix.os == 'ubuntu-latest'
        uses: ./.github/build-for-linux
        with:
          target: ${{ matrix.target }}

      - name: Update Tag
        uses: richardsimko/update-tag@v1
        with:
          tag_name: ${{ matrix.target }}
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      - name: CodeSign
        if: matrix.os == 'macos-latest'
        run: |
          # 设置证书
          echo "${{ secrets.APPLE_CERTIFICATE }}" | base64 --decode > cert.p12
          security create-keychain -p github-actions github-actions.keychain
          security default-keychain -s github-actions.keychain
          security unlock-keychain -p github-actions github-actions.keychain
          security import cert.p12 -k github-actions.keychain -P "${{ secrets.APPLE_CERTIFICATE_PASSWORD }}" -T /usr/bin/codesign
          security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k github-actions github-actions.keychain


          # 对服务程序进行签名
          codesign --force \
            -s "${{ secrets.APPLE_SIGNING_IDENTITY }}" \
            --keychain github-actions.keychain \
            --options runtime \
            --timestamp \
            --identifier "io.github.clash-verge-rev.clash-verge-rev.service" \
            target/${{ matrix.target }}/release/clash-verge-service

          # 对安装程序进行签名
          codesign --force \
            -s "${{ secrets.APPLE_SIGNING_IDENTITY }}" \
            --keychain github-actions.keychain \
            --options runtime \
            --timestamp \
            --identifier "io.github.clash-verge-rev.clash-verge-rev.service.install" \
            target/${{ matrix.target }}/release/install-service

          # 对卸载程序进行签名
          codesign --force \
            -s "${{ secrets.APPLE_SIGNING_IDENTITY }}" \
            --keychain github-actions.keychain \
            --options runtime \
            --timestamp \
            --identifier "io.github.clash-verge-rev.clash-verge-rev.service.uninstall" \
            target/${{ matrix.target }}/release/uninstall-service

          # 验证签名
          codesign -dvv target/${{ matrix.target }}/release/clash-verge-service
          codesign -d --entitlements :- target/${{ matrix.target }}/release/clash-verge-service

      - name: Release
        if: matrix.os == 'windows-latest'
        uses: softprops/action-gh-release@v2
        with:
          name: ${{ matrix.target }}
          tag_name: ${{ matrix.target }}
          token: ${{ secrets.GITHUB_TOKEN }}
          files: |
            target/${{ matrix.target }}/release/clash-verge-service.exe
            target/${{ matrix.target }}/release/install-service.exe
            target/${{ matrix.target }}/release/uninstall-service.exe

      - name: Release
        if: matrix.os != 'windows-latest'
        uses: softprops/action-gh-release@v2
        with:
          name: ${{ matrix.target }}
          tag_name: ${{ matrix.target }}
          token: ${{ secrets.GITHUB_TOKEN }}
          files: |
            target/${{ matrix.target }}/release/clash-verge-service
            target/${{ matrix.target }}/release/install-service
            target/${{ matrix.target }}/release/uninstall-service