ci: build for distribution

.env

@@ -0,0 +1,9 @@
+# Build a release locally using: op run --env-file="./.env" -- make release
+APPLE_CERT="op://Apple/Apple DeveloperID PKCS12 base64/notesPlain"
+CERT_PASSWORD="op://Apple/DeveloperID p12 password/password"
+
+APPLE_ID="op://Apple/3apcadvvcojjbpxnd7m5fgh5wm/username"
+APPLE_ID_PASSWORD="op://Apple/3apcadvvcojjbpxnd7m5fgh5wm/password"
+
+APP_PROF="op://Apple/Provisioning Profiles/profiles/application_base64"
+EXT_PROF="op://Apple/Provisioning Profiles/profiles/extension_base64"

.gitattributes

@@ -0,0 +1 @@
+nix/create-dmg/package-lock.json -diff

.github/actions/nix-devshell/action.yaml

@@ -6,8 +6,5 @@ runs:
     - name: Setup Nix
       uses: DeterminateSystems/nix-installer-action@e50d5f73bfe71c2dd0aa4218de8f4afa59f8f81d # v16
 
-    - name: Setup GHA Nix cache
-      uses: DeterminateSystems/magic-nix-cache-action@6221693898146dc97e38ad0e013488a16477a4c4 # v9
-
     - name: Enter devshell
       uses: nicknovitski/nix-develop@9be7cfb4b10451d3390a75dc18ad0465bed4932a # v1.2.1

.github/dependabot.yaml

@@ -0,0 +1,15 @@
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+      time: "06:00"
+      timezone: "America/Chicago"
+    labels: []
+    commit-message:
+      prefix: "ci"
+    groups:
+      github-actions:
+        patterns:
+          - "*"

.github/workflows/ci.yml

@@ -18,15 +18,11 @@ jobs:
     name: test
     runs-on: ${{ github.repository_owner == 'coder' && 'depot-macos-latest' || 'macos-latest'}}
     steps:
-      - name: Harden Runner
-        uses: step-security/harden-runner@cb605e52c26070c328afc4562f0b4ada7618a84e # v2.10.4
-        with:
-          egress-policy: audit
-
       - name: Checkout
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           fetch-depth: 1
+          persist-credentials: false
 
       - name: Switch XCode Version
         uses: maxim-lobanov/setup-xcode@60606e260d2fc5762a71e64e74b2174e8ea3c8bd # v1.6.0
@@ -44,15 +40,11 @@ jobs:
     name: fmt
     runs-on: ${{ github.repository_owner == 'coder' && 'depot-macos-latest' || 'macos-latest'}}
     steps:
-      - name: Harden Runner
-        uses: step-security/harden-runner@cb605e52c26070c328afc4562f0b4ada7618a84e # v2.10.4
-        with:
-          egress-policy: audit
-
       - name: Checkout
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           fetch-depth: 1
+          persist-credentials: false
 
       - name: Switch XCode Version
         uses: maxim-lobanov/setup-xcode@60606e260d2fc5762a71e64e74b2174e8ea3c8bd # v1.6.0
@@ -70,15 +62,11 @@ jobs:
     name: lint
     runs-on: ${{ github.repository_owner == 'coder' && 'depot-macos-latest' || 'macos-latest'}}
     steps:
-      - name: Harden Runner
-        uses: step-security/harden-runner@cb605e52c26070c328afc4562f0b4ada7618a84e # v2.10.4
-        with:
-          egress-policy: audit
-
       - name: Checkout
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           fetch-depth: 1
+          persist-credentials: false
 
       - name: Setup Nix
         uses: ./.github/actions/nix-devshell

.github/workflows/release.yml

@@ -0,0 +1,45 @@
+name: release
+
+on:
+  release:
+    types: [published]
+
+permissions: {}
+
+jobs:
+  build:
+    runs-on: ${{ github.repository_owner == 'coder' && 'depot-macos-latest' || 'macos-latest'}}
+    if: ${{ github.repository_owner == 'coder' }}
+    permissions:
+      # To upload assets to the release
+      contents: write
+    steps:
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          fetch-depth: 1
+          persist-credentials: false
+
+      - name: Switch XCode Version
+        uses: maxim-lobanov/setup-xcode@60606e260d2fc5762a71e64e74b2174e8ea3c8bd # v1.6.0
+        with:
+          xcode-version: "16.0.0"
+
+      - name: Setup Nix
+        uses: ./.github/actions/nix-devshell
+
+      - name: Build
+        env:
+          APPLE_CERT: ${{ secrets.APPLE_DEVELOPER_ID_PKCS12_B64 }}
+          APPLE_ID: ${{ secrets.APPLE_NOTARYTOOL_USERNAME  }}
+          APPLE_ID_PASSWORD: ${{ secrets.APPLE_NOTARYTOOL_PASSWORD }}
+          APP_PROF: ${{ secrets.CODER_DESKTOP_APP_PROVISIONPROFILE_B64 }}
+          CERT_PASSWORD: ${{ secrets.APPLE_DEVELOPER_ID_PKCS12_PASSWORD }}
+          EXT_PROF: ${{ secrets.CODER_DESKTOP_EXTENSION_PROVISIONPROFILE_B64 }}
+        run: make release
+
+      - name: Upload Release Assets
+        run: gh release upload "$RELEASE_TAG" "$out"
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          RELEASE_TAG: ${{ github.event.release.tag_name }}

.gitignore

@@ -295,3 +295,10 @@ xcuserdata
 buildServer.json
 
 # End of https://www.toptal.com/developers/gitignore/api/xcode,jetbrains,macos,direnv,swift,swiftpm,objective-c
+
+*.entitlements
+app-signing.keychain-db
+release/
+
+# marker files
+.fl5C1A396C

Coder Desktop/Coder Desktop/Views/LoginForm.swift

@@ -194,7 +194,9 @@ enum LoginField: Hashable {
     case sessionToken
 }
 
-#Preview {
-    LoginForm<PreviewSession>()
-        .environmentObject(PreviewSession())
-}
+#if DEBUG
+    #Preview {
+        LoginForm<PreviewSession>()
+            .environmentObject(PreviewSession())
+    }
+#endif

Coder Desktop/Coder Desktop/Views/Settings/NetworkTab.swift

@@ -9,6 +9,8 @@ struct NetworkTab<VPN: VPNService>: View {
     }
 }
 
-#Preview {
-    NetworkTab<PreviewVPN>()
-}
+#if DEBUG
+    #Preview {
+        NetworkTab<PreviewVPN>()
+    }
+#endif

Coder Desktop/Coder Desktop/Views/VPNMenu.swift

@@ -101,8 +101,10 @@ func openSystemExtensionSettings() {
     NSWorkspace.shared.open(URL(string: "x-apple.systempreferences:com.apple.ExtensionsPreferences?extensionPointIdentifier=com.apple.system_extension.network_extension.extension-point")!)
 }
 
-#Preview {
-    VPNMenu<PreviewVPN, PreviewSession>().frame(width: 256)
-        .environmentObject(PreviewVPN())
-        .environmentObject(PreviewSession())
-}
+#if DEBUG
+    #Preview {
+        VPNMenu<PreviewVPN, PreviewSession>().frame(width: 256)
+            .environmentObject(PreviewVPN())
+            .environmentObject(PreviewSession())
+    }
+#endif

Coder Desktop/VPN/Manager.swift

@@ -48,12 +48,13 @@ actor Manager {
         }
 
         // HACK: The downloaded dylib may be quarantined, but we've validated it's signature
-        // so it's safe to execute. However, this SE must be sandboxed, so we defer to the app.
+        // so it's safe to execute. However, the SE must be sandboxed, so we defer to the app.
         try await removeQuarantine(dest)
 
         do {
             try tunnelHandle = TunnelHandle(dylibPath: dest)
         } catch {
+            logger.error("couldn't open dylib \(error, privacy: .public)")
             throw .tunnelSetup(error)
         }
         speaker = await Speaker<Vpn_ManagerMessage, Vpn_TunnelMessage>(

Coder Desktop/project.yml

@@ -8,8 +8,8 @@ options:
 
 settings:
   base:
-    MARKETING_VERSION: "1.0" # Sets the version number.
-    CURRENT_PROJECT_VERSION: "1" # Sets the build number.
+    MARKETING_VERSION: ${MARKETING_VERSION} # Sets the version number.
+    CURRENT_PROJECT_VERSION: ${CURRENT_PROJECT_VERSION} # Sets the build number.
 
     ALWAYS_SEARCH_USER_PATHS: NO
     ASSETCATALOG_COMPILER_GENERATE_SWIFT_ASSET_SYMBOL_EXTENSIONS: YES
@@ -114,14 +114,15 @@ targets:
       path: Coder Desktop/Coder_Desktop.entitlements
       properties:
         com.apple.developer.networking.networkextension:
-          - packet-tunnel-provider
+          - packet-tunnel-provider${PTP_SUFFIX}
         com.apple.developer.system-extension.install: true
         com.apple.security.application-groups:
           - $(TeamIdentifierPrefix)com.coder.Coder-Desktop
     settings:
       base:
         ASSETCATALOG_COMPILER_APPICON_NAME: AppIcon # Sets the app icon to "AppIcon".
         ASSETCATALOG_COMPILER_GLOBAL_ACCENT_COLOR_NAME: AccentColor
+        # `CODE_SIGN_*` options are overriden during a release build
         CODE_SIGN_IDENTITY: "Apple Development"
         CODE_SIGN_STYLE: Automatic
         COMBINE_HIDPI_IMAGES: YES
@@ -132,6 +133,8 @@ targets:
         INFOPLIST_KEY_NSHumanReadableCopyright: ""
         SWIFT_EMIT_LOC_STRINGS: YES
         PRODUCT_BUNDLE_IDENTIFIER: "com.coder.Coder-Desktop"
+        # Empty outside of release builds
+        PROVISIONING_PROFILE_SPECIFIER: ${APP_PROVISIONING_PROFILE_ID}
 
         # (ThomasK33): Install the application into the /Applications folder
         # so that macOS stops complaining about the app being run from an
@@ -197,7 +200,8 @@ targets:
       path: VPN/VPN.entitlements
       properties:
         com.apple.developer.networking.networkextension:
-          - packet-tunnel-provider
+          # PTP_SUFFIX is populated at `xcodegen` time.
+          - packet-tunnel-provider${PTP_SUFFIX}
         com.apple.security.app-sandbox: true
         com.apple.security.application-groups:
           - $(TeamIdentifierPrefix)com.coder.Coder-Desktop
@@ -212,6 +216,11 @@ targets:
         PRODUCT_NAME: "$(PRODUCT_BUNDLE_IDENTIFIER)"
         SWIFT_EMIT_LOC_STRINGS: YES
         SWIFT_OBJC_BRIDGING_HEADER: "VPN/com_coder_Coder_Desktop_VPN-Bridging-Header.h"
+        # `CODE_SIGN_*` are overriden during a release build
+        CODE_SIGN_IDENTITY: "Apple Development"
+        CODE_SIGN_STYLE: Automatic
+        # Empty outside of release builds
+        PROVISIONING_PROFILE_SPECIFIER: ${EXT_PROVISIONING_PROFILE_ID}
     dependencies:
       - target: VPNLib
         embed: true
@@ -232,8 +241,6 @@ targets:
         DYLIB_COMPATIBILITY_VERSION: 1
         DYLIB_CURRENT_VERSION: 1
         DYLIB_INSTALL_NAME_BASE: "@rpath"
-        CODE_SIGN_IDENTITY: "Apple Development"
-        CODE_SIGN_STYLE: Automatic
         LD_RUNPATH_SEARCH_PATHS:
           - "@executable_path/../Frameworks"
           - "@loader_path/Frameworks"
@@ -294,4 +301,4 @@ targets:
     settings:
       base:
         TEST_HOST: "$(BUILT_PRODUCTS_DIR)/Coder Desktop.app/$(BUNDLE_EXECUTABLE_FOLDER_PATH)/Coder Desktop"
-        PRODUCT_BUNDLE_IDENTIFIER: com.coder.Coder-Desktop.CoderSDKTests
+        PRODUCT_BUNDLE_IDENTIFIER: com.coder.Coder-Desktop.CoderSDKTests