SoftwareQuality/jabref/.github/workflows/deployment-arm64.yml

name: Deployment (macOS/ARM64)
on:
  push:
    branches:
      - main
      - main-release
    paths-ignore:
      - 'docs/**'
      - 'src/test/**'
      - 'README.md'
    tags:
       - '*'
  pull_request:
  merge_group:
  workflow_dispatch:
    inputs:
      notarization:
        type: boolean
        required: false
        default: false

env:
  SpringerNatureAPIKey: ${{ secrets.SpringerNatureAPIKey }}
  AstrophysicsDataSystemAPIKey: ${{ secrets.AstrophysicsDataSystemAPIKey }}
  IEEEAPIKey: ${{ secrets.IEEEAPIKey }}
  BiodiversityHeritageApiKey: ${{ secrets.BiodiversityHeritageApiKey}}
  OSXCERT: ${{ secrets.OSX_SIGNING_CERT }}
  GRADLE_OPTS: -Xmx4g -Dorg.gradle.daemon=false -Dorg.gradle.vfs.watch=false
  JAVA_OPTS: -Xmx4g

concurrency:
  group: "${{ github.workflow }}-${{ github.head_ref || github.ref }}"
  cancel-in-progress: true

jobs:
  build:
    strategy:
      fail-fast: false
      matrix:
        include:
          - os: macos-14
            displayName: macOS (ARM64)
            suffix: '_arm64'
    runs-on: ${{ matrix.os }}
    outputs:
      major: ${{ steps.gitversion.outputs.Major }}
      minor: ${{ steps.gitversion.outputs.Minor }}
      branchname: ${{ steps.gitversion.outputs.branchName }}
    name: Create installer and portable version for ${{ matrix.displayName }}
    steps:
      - name: Check secrets presence
        id: checksecrets
        shell: bash
        run: |
          if [ "$BUILDJABREFPRIVATEKEY" == "" ]; then
            echo "secretspresent=NO" >> $GITHUB_OUTPUT
            echo "❌ Secret BUILDJABREFPRIVATEKEY not present"
          else
            echo "secretspresent=YES" >> $GITHUB_OUTPUT
            echo "✔️ Secret BUILDJABREFPRIVATEKEY present"
          fi
        env:
          BUILDJABREFPRIVATEKEY: ${{ secrets.buildJabRefPrivateKey }}
      - name: Fetch all history for all tags and branches
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
          submodules: 'true'
          show-progress: 'false'
      - name: Install GitVersion
        uses: gittools/actions/gitversion/setup@v3.0.0
        with:
          versionSpec: "5.x"
      - name: Run GitVersion
        id: gitversion
        uses: gittools/actions/gitversion/execute@v3.0.0
      - name: Setup JDK
        uses: actions/setup-java@v4
        with:
          java-version: 21.0.2
          distribution: 'temurin'
      - name: Clean up keychain
        run: |
         security delete-keychain signing_temp.keychain ${{runner.temp}}/keychain/notarization.keychain || true
      - name: Setup OSX key chain on macOS-arm
        if: (steps.checksecrets.outputs.secretspresent == 'YES')
        uses: slidoapp/import-codesign-certs@1923310662e8682dd05b76b612b53301f431cd5d
        with:
          p12-file-base64: ${{ secrets.OSX_SIGNING_CERT }}
          p12-password: ${{ secrets.OSX_CERT_PWD }}
          keychain-password: jabref
      - name: Setup OSX key chain on OSX for app id cert
        if: (steps.checksecrets.outputs.secretspresent == 'YES')
        uses: slidoapp/import-codesign-certs@1923310662e8682dd05b76b612b53301f431cd5d
        with:
          p12-file-base64: ${{ secrets.OSX_SIGNING_CERT_APPLICATION }}
          p12-password: ${{ secrets.OSX_CERT_PWD }}
          create-keychain: false
          keychain-password: jabref
      - name: Setup Gradle
        uses: gradle/actions/setup-gradle@v4
        with:
          gradle-home-cache-cleanup: true
      - name: Prepare merged jars and modules dir (macOS)
        run: ./gradlew -i -PprojVersion="${{ steps.gitversion.outputs.AssemblySemVer }}" -PprojVersionInfo="${{ steps.gitversion.outputs.InformationalVersion }}" prepareModulesDir
      - name: Build dmg (macOS)
        if: (steps.checksecrets.outputs.secretspresent == 'YES')
        shell: bash
        run: |
          jpackage \
          --module org.jabref/org.jabref.Launcher \
          --module-path ${{env.JAVA_HOME}}/jmods/:build/jlinkbase/jlinkjars \
          --add-modules org.jabref,org.jabref.merged.module  \
          --add-modules jdk.incubator.vector \
          --dest build/distribution \
          --app-content buildres/mac/jabrefHost.py \
          --app-content buildres/mac/native-messaging-host \
          --name JabRef \
          --app-version ${{ steps.gitversion.outputs.Major }}.${{ steps.gitversion.outputs.Minor }} \
          --verbose \
          --mac-sign \
          --vendor "JabRef e.V." \
          --mac-package-identifier JabRef \
          --mac-package-name JabRef \
          --type dmg --mac-signing-key-user-name "JabRef e.V. (6792V39SK3)" \
          --mac-package-signing-prefix org.jabref \
          --mac-entitlements buildres/mac/jabref.entitlements \
          --icon src/main/resources/icons/jabref.icns \
          --resource-dir buildres/mac \
          --file-associations buildres/mac/bibtexAssociations.properties \
          --jlink-options --bind-services \
          --java-options --add-exports=javafx.base/com.sun.javafx.event=org.jabref.merged.module \
          --java-options --add-exports=javafx.controls/com.sun.javafx.scene.control=org.jabref.merged.module \
          --java-options --add-opens=javafx.graphics/javafx.scene=org.jabref.merged.module \
          --java-options --add-opens=javafx.controls/javafx.scene.control=org.jabref.merged.module \
          --java-options --add-opens=javafx.controls/javafx.scene.control.skin=org.jabref.merged.module \
          --java-options --add-opens=javafx.controls/com.sun.javafx.scene.control=org.jabref.merged.module \
          --java-options --add-opens=javafx.controls/javafx.scene.control=org.jabref \
          --java-options --add-exports=javafx.base/com.sun.javafx.event=org.jabref \
          --java-options --add-exports=javafx.controls/com.sun.javafx.scene.control=org.jabref \
          --java-options --add-opens=javafx.graphics/javafx.scene=org.jabref \
          --java-options --add-opens=javafx.controls/javafx.scene.control=org.jabref \
          --java-options --add-opens=javafx.controls/com.sun.javafx.scene.control=org.jabref \
          --java-options --add-opens=javafx.base/javafx.collections=org.jabref \
          --java-options --add-opens=javafx.base/javafx.collections.transformation=org.jabref \
          --java-options --add-modules=jdk.incubator.vector
      - name: Build pkg (macOS)
        if: (steps.checksecrets.outputs.secretspresent == 'YES')
        shell: bash
        run: |
          jpackage \
          --module org.jabref/org.jabref.Launcher \
          --module-path ${{env.JAVA_HOME}}/jmods/:build/jlinkbase/jlinkjars \
          --add-modules org.jabref,org.jabref.merged.module  \
          --add-modules jdk.incubator.vector \
          --dest build/distribution \
          --app-content buildres/mac/jabrefHost.py \
          --app-content buildres/mac/native-messaging-host \
          --name JabRef \
          --app-version ${{ steps.gitversion.outputs.Major }}.${{ steps.gitversion.outputs.Minor }} \
          --verbose \
          --mac-sign \
          --vendor "JabRef e.V." \
          --mac-package-identifier JabRef \
          --mac-package-name JabRef \
          --type pkg --mac-signing-key-user-name "JabRef e.V. (6792V39SK3)" \
          --mac-package-signing-prefix org.jabref \
          --mac-entitlements buildres/mac/jabref.entitlements \
          --icon src/main/resources/icons/jabref.icns \
          --resource-dir buildres/mac \
          --file-associations buildres/mac/bibtexAssociations.properties \
          --jlink-options --bind-services \
          --java-options --add-exports=javafx.base/com.sun.javafx.event=org.jabref.merged.module \
          --java-options --add-exports=javafx.controls/com.sun.javafx.scene.control=org.jabref.merged.module \
          --java-options --add-opens=javafx.graphics/javafx.scene=org.jabref.merged.module \
          --java-options --add-opens=javafx.controls/javafx.scene.control=org.jabref.merged.module \
          --java-options --add-opens=javafx.controls/com.sun.javafx.scene.control=org.jabref.merged.module \
          --java-options --add-opens=javafx.controls/javafx.scene.control=org.jabref \
          --java-options --add-exports=javafx.base/com.sun.javafx.event=org.jabref \
          --java-options --add-exports=javafx.controls/com.sun.javafx.scene.control=org.jabref \
          --java-options --add-opens=javafx.graphics/javafx.scene=org.jabref \
          --java-options --add-opens=javafx.controls/javafx.scene.control=org.jabref \
          --java-options --add-opens=javafx.controls/com.sun.javafx.scene.control=org.jabref \
          --java-options --add-opens=javafx.base/javafx.collections=org.jabref \
          --java-options --add-opens=javafx.base/javafx.collections.transformation=org.jabref \
          --java-options --add-modules=jdk.incubator.vector
      - name: Rename files with arm64 suffix as well
        if: (steps.checksecrets.outputs.secretspresent == 'YES')
        shell: bash
        run: |
          mv build/distribution/JabRef-${{ steps.gitversion.outputs.Major }}.${{ steps.gitversion.outputs.Minor }}.dmg  build/distribution/JabRef-${{ steps.gitversion.outputs.Major }}.${{ steps.gitversion.outputs.Minor }}-arm64.dmg
          mv build/distribution/JabRef-${{ steps.gitversion.outputs.Major }}.${{ steps.gitversion.outputs.Minor }}.pkg  build/distribution/JabRef-${{ steps.gitversion.outputs.Major }}.${{ steps.gitversion.outputs.Minor }}-arm64.pkg
      - name: Setup rsync (macOS)
        if: ${{ (!startsWith(github.ref, 'refs/heads/gh-readonly-queue')) && (steps.checksecrets.outputs.secretspresent == 'YES') && ((matrix.os == 'macos-14') && !((startsWith(github.ref, 'refs/tags/') || inputs.notarization == true))) }}
        run: brew install rsync
      - name: Setup SSH key
        if: ${{ (steps.checksecrets.outputs.secretspresent == 'YES') && (!startsWith(github.ref, 'refs/heads/gh-readonly-queue')) && ((matrix.os != 'macos-14') || !((startsWith(github.ref, 'refs/tags/') || (inputs.notarization == true)))) }}
        run: |
          echo "${{ secrets.buildJabRefPrivateKey }}" > sshkey
          chmod 600 sshkey
      - name: Upload to builds.jabref.org (linux, macOS)
        # macOS: Negated condition of "Upload to GitHub workflow artifacts store (macOS)"
        #        Reason: We either upload the non-notarized files - or notarize the files later (and upload these later)
        # needs to be on one line; multi line does not work
        if: ${{ (!startsWith(github.ref, 'refs/heads/gh-readonly-queue')) && (steps.checksecrets.outputs.secretspresent == 'YES') && ((matrix.os == 'ubuntu-latest') || ((matrix.os == 'macos-14') && !((startsWith(github.ref, 'refs/tags/') || inputs.notarization == true)))) }}
        shell: bash
        run: |
          rsync -rt --chmod=Du=rwx,Dg=rx,Do=rx,Fu=rw,Fg=r,Fo=r --itemize-changes --stats --rsync-path="mkdir -p /var/www/builds.jabref.org/www/${{ steps.gitversion.outputs.branchName }} && rsync" -e 'ssh -p 9922 -i sshkey -o StrictHostKeyChecking=no' build/distribution/ jrrsync@build-upload.jabref.org:/var/www/builds.jabref.org/www/${{ steps.gitversion.outputs.branchName }}/
      - name: Upload to GitHub workflow artifacts store (macOS)
        if: (matrix.os == 'macos-14') && (steps.checksecrets.outputs.secretspresent == 'YES') && (startsWith(github.ref, 'refs/tags/') || inputs.notarization == true)
        uses: actions/upload-artifact@v4
        with:
          # tbn = to-be-notarized
          name: JabRef-macOS-arm-tbn
          path: build/distribution
          compression-level: 0 # no compression
      - name: Upload to GitHub workflow artifacts store
        if: (steps.checksecrets.outputs.secretspresent != 'YES')
        uses: actions/upload-artifact@v4
        with:
          # tbn = to-be-notarized
          name: JabRef-${{ matrix.os }}
          path: build/distribution
          compression-level: 0 # no compression

  notarize: # outsourced in a separate job to be able to rerun if this fails for timeouts
    name: macOS notarization-arm
    runs-on: macos-14
    needs: [build]
    if: ${{ startsWith(github.ref, 'refs/tags/') || inputs.notarization == true }}
    steps:
      - name: Check secrets presence
        id: checksecrets
        shell: bash
        run: |
          if [ "$BUILDJABREFPRIVATEKEY" == "" ]; then
            echo "secretspresent=NO" >> $GITHUB_OUTPUT
            echo "❌ Secret BUILDJABREFPRIVATEKEY not present"
          else
            echo "secretspresent=YES" >> $GITHUB_OUTPUT
            echo "✔️ Secret BUILDJABREFPRIVATEKEY present"
          fi
        env:
          BUILDJABREFPRIVATEKEY: ${{ secrets.buildJabRefPrivateKey }}
      - name: Download from GitHub workflow artifacts store (macOS)
        if: (steps.checksecrets.outputs.secretspresent == 'YES')
        uses: actions/download-artifact@master
        with:
          name: JabRef-macOS-arm-tbn
          path: build/distribution/
      - name: Notarize dmg
        if: (steps.checksecrets.outputs.secretspresent == 'YES')
        shell: bash
        run: |
          xcrun notarytool store-credentials "notarytool-profile" --apple-id "vorstand@jabref.org" --team-id "6792V39SK3" --password "${{ secrets.OSX_NOTARIZATION_APP_PWD }}"
          xcrun notarytool submit build/distribution/JabRef-${{ needs.build.outputs.major }}.${{ needs.build.outputs.minor }}-arm64.dmg --keychain-profile "notarytool-profile" --wait
          xcrun stapler staple build/distribution/JabRef-${{ needs.build.outputs.major }}.${{ needs.build.outputs.minor }}-arm64.dmg
      - name: Notarize pkg
        if: (steps.checksecrets.outputs.secretspresent == 'YES')
        shell: bash
        run: |
          xcrun notarytool store-credentials "notarytool-profile" --apple-id "vorstand@jabref.org" --team-id "6792V39SK3" --password "${{ secrets.OSX_NOTARIZATION_APP_PWD }}"
          xcrun notarytool submit build/distribution/JabRef-${{ needs.build.outputs.major }}.${{ needs.build.outputs.minor }}-arm64.pkg --keychain-profile "notarytool-profile" --wait
          xcrun stapler staple build/distribution/JabRef-${{ needs.build.outputs.major }}.${{ needs.build.outputs.minor }}-arm64.pkg
      - name: Upload to builds.jabref.org
        if: (steps.checksecrets.outputs.secretspresent == 'YES')
        shell: bash
        run: |
          echo "${{ secrets.buildJabRefPrivateKey }}" > sshkey
          chmod 600 sshkey
          rsync -rt --chmod=Du=rwx,Dg=rx,Do=rx,Fu=rw,Fg=r,Fo=r --itemize-changes --stats --rsync-path="mkdir -p /var/www/builds.jabref.org/www/${{ needs.build.outputs.branchname }} && rsync" -e 'ssh -p 9922 -i sshkey -o StrictHostKeyChecking=no' build/distribution/ jrrsync@build-upload.jabref.org:/var/www/builds.jabref.org/www/${{ needs.build.outputs.branchname }}/