Skip to content

fix(ci): installer fixes — NSIS MUI2, YAML heredoc, macOS dark mode & Gatekeeper signing #117

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
iamvirul merged 6 commits into from
May 3, 2026
Merged

fix(ci): installer fixes — NSIS MUI2, YAML heredoc, macOS dark mode & Gatekeeper signing #117

Show file tree
Hide file tree
Changes from 4 commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
f3fcc21
fix(ci): remove non-existent MUI_PAGE_README macro from NSIS script
iamvirul May 3, 2026
f773421
Merge branch 'main' into fix/nsis-mui2-readme-macro
iamvirul May 3, 2026
df38b48
fix(macos-installer): dark mode CSS and Gatekeeper code signing
iamvirul May 3, 2026
4b96226
Merge pull request #118 from iamvirul/fix/macos-installer-signing
iamvirul May 3, 2026
74c3d8b
chore(changelog): add v1.4.3 release notes
iamvirul May 3, 2026
350a3e0
Update .github/workflows/release.yml
iamvirul May 3, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
15 changes: 11 additions & 4 deletions .github/macos-installer/conclusion.html
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,30 +3,37 @@
<head>
<meta charset="utf-8"/>
<style>
:root {
color-scheme: light dark;
--code-bg: rgba(0, 0, 0, 0.07);
}
@media (prefers-color-scheme: dark) {
:root { --code-bg: rgba(255, 255, 255, 0.12); }
}
body {
font-family: -apple-system, Helvetica Neue, sans-serif;
font-size: 13px;
color: #1d1d1f;
color: -apple-system-label;
margin: 20px 24px;
line-height: 1.5;
}
h2 { font-size: 17px; font-weight: 600; margin: 0 0 10px; }
p { margin: 0 0 10px; }
code {
background: #f2f2f7;
background: var(--code-bg);
border-radius: 4px;
padding: 1px 5px;
font-size: 12px;
font-family: "SF Mono", Menlo, monospace;
}
pre {
background: #f2f2f7;
background: var(--code-bg);
border-radius: 6px;
padding: 10px 12px;
font-size: 12px;
font-family: "SF Mono", Menlo, monospace;
}
a { color: #0066cc; }
a { color: -apple-system-blue; }
</style>
</head>
<body>
Expand Down
15 changes: 11 additions & 4 deletions .github/macos-installer/readme.html
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,10 +3,17 @@
<head>
<meta charset="utf-8"/>
<style>
:root {
color-scheme: light dark;
--code-bg: rgba(0, 0, 0, 0.07);
}
@media (prefers-color-scheme: dark) {
:root { --code-bg: rgba(255, 255, 255, 0.12); }
}
body {
font-family: -apple-system, Helvetica Neue, sans-serif;
font-size: 13px;
color: #1d1d1f;
color: -apple-system-label;
margin: 20px 24px;
line-height: 1.5;
}
Expand All @@ -16,21 +23,21 @@
ul { margin: 0 0 10px; padding-left: 20px; }
li { margin-bottom: 4px; }
code {
background: #f2f2f7;
background: var(--code-bg);
border-radius: 4px;
padding: 1px 5px;
font-size: 12px;
font-family: "SF Mono", Menlo, monospace;
}
pre {
background: #f2f2f7;
background: var(--code-bg);
border-radius: 6px;
padding: 10px 12px;
font-size: 12px;
font-family: "SF Mono", Menlo, monospace;
overflow-x: auto;
}
a { color: #0066cc; }
a { color: -apple-system-blue; }
</style>
</head>
<body>
Expand Down
11 changes: 9 additions & 2 deletions .github/macos-installer/welcome.html
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,10 +3,17 @@
<head>
<meta charset="utf-8"/>
<style>
:root {
color-scheme: light dark;
--code-bg: rgba(0, 0, 0, 0.07);
}
@media (prefers-color-scheme: dark) {
:root { --code-bg: rgba(255, 255, 255, 0.12); }
}
body {
font-family: -apple-system, Helvetica Neue, sans-serif;
font-size: 13px;
color: #1d1d1f;
color: -apple-system-label;
margin: 20px 24px;
line-height: 1.5;
}
Expand All @@ -15,7 +22,7 @@
ul { margin: 0 0 10px; padding-left: 20px; }
li { margin-bottom: 4px; }
code {
background: #f2f2f7;
background: var(--code-bg);
border-radius: 4px;
padding: 1px 5px;
font-size: 12px;
Expand Down
5 changes: 3 additions & 2 deletions .github/windows-installer.nsi
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@
; Built by the release workflow; __APP_VERSION__ is substituted at compile time.
;
; Uses NSIS Modern UI 2 (bundled with NSIS — no external plugins required).
; Wizard pages: Welcome → Read Me → Directory → Installing → Finish
; Wizard pages: Welcome → Directory → Installing → Finish

Unicode true
SetCompressor /SOLID lzma
Expand Down Expand Up @@ -35,8 +35,9 @@ SetCompressor /SOLID lzma
!define MUI_FINISHPAGE_NOREBOOTSUPPORT

; ── Installer Pages ──────────────────────────────────────────────────────────
; MUI2 valid installer pages: WELCOME, LICENSE, COMPONENTS, DIRECTORY,
; STARTMENU, INSTFILES, FINISH. MUI_PAGE_README does not exist in MUI2.
!insertmacro MUI_PAGE_WELCOME
!insertmacro MUI_PAGE_README "readme.txt" ; generated by workflow at build time
!insertmacro MUI_PAGE_DIRECTORY
!insertmacro MUI_PAGE_INSTFILES
!insertmacro MUI_PAGE_FINISH
Expand Down
26 changes: 0 additions & 26 deletions .github/windows-installer/readme.txt
View file
Open in desktop

This file was deleted.

78 changes: 70 additions & 8 deletions .github/workflows/release.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -85,10 +85,9 @@ jobs:
- name: Build .pkg installer
run: |
VERSION="${GITHUB_REF_NAME}"
VER_CLEAN="${VERSION#v}" # v1.4.1 → 1.4.1
VER_CLEAN="${VERSION#v}" # v1.4.2 → 1.4.2
ARCH="${{ matrix.arch }}"
PKG_NAME="deepdiff-db-${VERSION}-darwin-${ARCH}.pkg"
DMG_NAME="deepdiff-db-${VERSION}-darwin-${ARCH}.dmg"

# ── 1. Payload: mirrors the install layout on the target volume ──
# pkgbuild --install-location / means pkg-payload/ is the root.
Expand Down Expand Up @@ -123,8 +122,75 @@ jobs:
--package-path . \
"${PKG_NAME}"

# ── 5. Wrap the .pkg in a DMG for a familiar download experience ─
# Users mount the DMG → double-click the .pkg → wizard launches.
echo "PKG_NAME=${PKG_NAME}" >> "$GITHUB_ENV"
echo "VERSION=${VERSION}" >> "$GITHUB_ENV"

- name: Sign .pkg with Developer ID
# Requires secrets: MACOS_CERTIFICATE (base64 .p12), MACOS_CERTIFICATE_PWD,
# MACOS_KEYCHAIN_PWD, MACOS_IDENTITY ("Developer ID Installer: Name (TEAMID)").
# Skipped gracefully when secrets are not configured.
env:
MACOS_CERTIFICATE: ${{ secrets.MACOS_CERTIFICATE }}
MACOS_CERTIFICATE_PWD: ${{ secrets.MACOS_CERTIFICATE_PWD }}
MACOS_KEYCHAIN_PWD: ${{ secrets.MACOS_KEYCHAIN_PWD }}
MACOS_IDENTITY: ${{ secrets.MACOS_IDENTITY }}
run: |
if [ -z "${MACOS_CERTIFICATE}" ]; then
echo "⚠️ MACOS_CERTIFICATE not set — skipping code signing."
echo " Users will see a Gatekeeper warning on first open."
exit 0
fi
Comment thread
iamvirul marked this conversation as resolved.

# Import the Developer ID Installer certificate into a temporary keychain
echo "${MACOS_CERTIFICATE}" | base64 --decode > certificate.p12
security create-keychain -p "${MACOS_KEYCHAIN_PWD}" build.keychain
security default-keychain -s build.keychain
security unlock-keychain -p "${MACOS_KEYCHAIN_PWD}" build.keychain
security set-keychain-settings -t 3600 -u build.keychain
security import certificate.p12 \
-k build.keychain \
-P "${MACOS_CERTIFICATE_PWD}" \
-T /usr/bin/productsign
security set-key-partition-list \
-S apple-tool:,apple: -s -k "${MACOS_KEYCHAIN_PWD}" build.keychain

# Sign the distribution package
productsign \
--sign "${MACOS_IDENTITY}" \
"${PKG_NAME}" \
"${PKG_NAME}-signed.pkg"
mv "${PKG_NAME}-signed.pkg" "${PKG_NAME}"

# Clean up keychain and certificate
security delete-keychain build.keychain
rm -f certificate.p12

- name: Notarize and staple .pkg
# Requires secrets: MACOS_NOTARIZATION_APPLE_ID, MACOS_NOTARIZATION_TEAM_ID,
# MACOS_NOTARIZATION_PWD (app-specific password).
# Skipped gracefully when secrets are not configured.
env:
MACOS_NOTARIZATION_APPLE_ID: ${{ secrets.MACOS_NOTARIZATION_APPLE_ID }}
MACOS_NOTARIZATION_TEAM_ID: ${{ secrets.MACOS_NOTARIZATION_TEAM_ID }}
MACOS_NOTARIZATION_PWD: ${{ secrets.MACOS_NOTARIZATION_PWD }}
run: |
if [ -z "${MACOS_NOTARIZATION_APPLE_ID}" ]; then
echo "⚠️ Notarization secrets not set — skipping notarization."
exit 0
fi

xcrun notarytool submit "${PKG_NAME}" \
--apple-id "${MACOS_NOTARIZATION_APPLE_ID}" \
--team-id "${MACOS_NOTARIZATION_TEAM_ID}" \
--password "${MACOS_NOTARIZATION_PWD}" \
--wait
Comment thread
iamvirul marked this conversation as resolved.

# Staple the notarization ticket so Gatekeeper works offline
xcrun stapler staple "${PKG_NAME}"

- name: Wrap .pkg in DMG
run: |
DMG_NAME="${PKG_NAME%.pkg}.dmg"
mkdir -p dmg-stage
cp "${PKG_NAME}" dmg-stage/

Expand Down Expand Up @@ -189,10 +255,6 @@ jobs:
sed "s/__APP_VERSION__/${VER_CLEAN}/g" \
.github/windows-installer.nsi > installer.nsi

# MUI2 README page — copy the static file tracked in the repo.
# Avoids inline heredocs which are error-prone inside YAML run blocks.
cp .github/windows-installer/readme.txt readme.txt

echo "INSTALLER_NAME=deepdiff-db-${VERSION}-windows-amd64-installer.exe" \
>> "$GITHUB_ENV"

Expand Down
Loading