Compare commits
3 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
| 4e8d928350 | |||
| 6277e86d0f | |||
| 4baf24f6f8 |
@@ -58,6 +58,8 @@ jobs:
|
||||
/mnt/scripts/ci/backup-db.sh \
|
||||
/mnt/scripts/ci/compile-android.sh \
|
||||
/mnt/scripts/ci/compile-windows.sh \
|
||||
/mnt/scripts/ci/compile-macos.sh \
|
||||
/mnt/scripts/ci/compile-ios.sh \
|
||||
/mnt/scripts/ci/release-client.sh \
|
||||
/mnt/scripts/ci/deploy-client.sh
|
||||
|
||||
|
||||
@@ -1,10 +1,10 @@
|
||||
name: Deploy Client
|
||||
|
||||
# Mirrors ~/code/jiu/.gitea/workflows/deploy-client.yml's tag→build→release→
|
||||
# deploy shape, trimmed to the two platforms drafted so far (Android +
|
||||
# Windows — no client-web/macOS/iOS jobs; pangolin has no Flutter-web build
|
||||
# in this pipeline and macOS/iOS are a separate not-yet-drafted phase, see
|
||||
# docs/superpowers/plans/2026-07-05-cicd.md Phase 3).
|
||||
# deploy shape. Android + Windows are required (release-deploy `needs` them);
|
||||
# macOS + iOS (Phase 3, see docs/superpowers/plans/2026-07-05-cicd.md) are
|
||||
# intentionally DECOUPLED — see the "why build-macos/build-ios don't block"
|
||||
# note above the build-macos job below for the mechanism and rationale.
|
||||
#
|
||||
# TODO(controller) — RUNNER AVAILABILITY: per docs/ci-runner.md, pangolin
|
||||
# currently has exactly ONE registered Gitea Actions runner
|
||||
@@ -76,6 +76,77 @@ jobs:
|
||||
name: windows
|
||||
path: dist/
|
||||
|
||||
# Why build-macos/build-ios don't block the working android+windows pipeline
|
||||
# when Apple secrets aren't configured yet (they aren't, as of this writing):
|
||||
# 1. release-deploy's `needs:` below is [build-android, build-windows]
|
||||
# ONLY — macOS/iOS are NOT dependencies, so release-deploy never waits
|
||||
# on them and never fails because of them.
|
||||
# 2. `continue-on-error: true` on both jobs keeps the overall workflow-run
|
||||
# status green even while compile-macos.sh hard-fails (Apple Developer
|
||||
# ID / notary secrets absent — see its fail-fast checks) — that failure
|
||||
# is real signal ("go configure the secrets"), but it shouldn't read as
|
||||
# "the release pipeline is broken" when android+windows shipped fine.
|
||||
# 3. compile-macos.sh's own default behavior is to hard-fail (not skip)
|
||||
# when its secrets are missing (macOS distribution must never ship
|
||||
# unsigned/unnotarized — see its header comment); compile-ios.sh's
|
||||
# default is to skip gracefully (exit 0) since an unconfigured iOS
|
||||
# account is a normal "not set up yet" state, not a defect. Either way
|
||||
# the job produces no dist/pangolin-macos-x64.zip, and
|
||||
# release-deploy's "Download all artifacts" step (no `name:` filter)
|
||||
# simply picks up whatever artifacts DO exist — an absent "macos"
|
||||
# artifact is not an error there.
|
||||
build-macos:
|
||||
runs-on: mac
|
||||
continue-on-error: true
|
||||
env:
|
||||
PUB_HOSTED_URL: https://pub.flutter-io.cn
|
||||
FLUTTER_STORAGE_BASE_URL: https://storage.flutter-io.cn
|
||||
steps:
|
||||
- name: Checkout
|
||||
uses: actions/checkout@v4
|
||||
|
||||
- name: Compile (macOS System Extension app)
|
||||
env:
|
||||
MACOS_DEVELOPER_ID_CERT_P12_BASE64: ${{ secrets.MACOS_DEVELOPER_ID_CERT_P12_BASE64 }}
|
||||
MACOS_DEVELOPER_ID_CERT_PASSWORD: ${{ secrets.MACOS_DEVELOPER_ID_CERT_PASSWORD }}
|
||||
MACOS_APP_PROVISION_PROFILE_BASE64: ${{ secrets.MACOS_APP_PROVISION_PROFILE_BASE64 }}
|
||||
MACOS_SYSEXT_PROVISION_PROFILE_BASE64: ${{ secrets.MACOS_SYSEXT_PROVISION_PROFILE_BASE64 }}
|
||||
APPSTORE_API_KEY_ID: ${{ secrets.APPSTORE_API_KEY_ID }}
|
||||
APPSTORE_API_ISSUER_ID: ${{ secrets.APPSTORE_API_ISSUER_ID }}
|
||||
APPSTORE_API_KEY_P8_BASE64: ${{ secrets.APPSTORE_API_KEY_P8_BASE64 }}
|
||||
REF_NAME: ${{ gitea.ref_name }}
|
||||
run: bash scripts/ci/compile-macos.sh "$REF_NAME"
|
||||
|
||||
- name: Upload macos artifact
|
||||
uses: actions/upload-artifact@v3
|
||||
with:
|
||||
name: macos
|
||||
path: dist/
|
||||
|
||||
build-ios:
|
||||
runs-on: mac
|
||||
continue-on-error: true
|
||||
env:
|
||||
PUB_HOSTED_URL: https://pub.flutter-io.cn
|
||||
FLUTTER_STORAGE_BASE_URL: https://storage.flutter-io.cn
|
||||
steps:
|
||||
- name: Checkout
|
||||
uses: actions/checkout@v4
|
||||
|
||||
- name: Compile & upload to TestFlight (iOS)
|
||||
env:
|
||||
IOS_DIST_CERT_P12_BASE64: ${{ secrets.IOS_DIST_CERT_P12_BASE64 }}
|
||||
IOS_DIST_CERT_PASSWORD: ${{ secrets.IOS_DIST_CERT_PASSWORD }}
|
||||
IOS_APP_PROVISIONING_PROFILE_BASE64: ${{ secrets.IOS_APP_PROVISIONING_PROFILE_BASE64 }}
|
||||
IOS_PACKETTUNNEL_PROVISIONING_PROFILE_BASE64: ${{ secrets.IOS_PACKETTUNNEL_PROVISIONING_PROFILE_BASE64 }}
|
||||
APPSTORE_API_KEY_ID: ${{ secrets.APPSTORE_API_KEY_ID }}
|
||||
APPSTORE_API_ISSUER_ID: ${{ secrets.APPSTORE_API_ISSUER_ID }}
|
||||
APPSTORE_API_KEY_P8_BASE64: ${{ secrets.APPSTORE_API_KEY_P8_BASE64 }}
|
||||
REF_NAME: ${{ gitea.ref_name }}
|
||||
run: bash scripts/ci/compile-ios.sh "$REF_NAME"
|
||||
# No artifact upload — compile-ios.sh uploads straight to TestFlight via
|
||||
# altool (matches jiu); nothing is produced under dist/ for this job.
|
||||
|
||||
release-deploy:
|
||||
needs: [build-android, build-windows]
|
||||
runs-on: mac
|
||||
@@ -101,6 +172,11 @@ jobs:
|
||||
env:
|
||||
FORGEJO_TOKEN: ${{ secrets.FORGEJO_TOKEN }}
|
||||
FORGEJO_URL: ${{ secrets.FORGEJO_URL }}
|
||||
# Needed here (not just in the "Deploy" step below) because
|
||||
# release-client.sh now also SSH-pushes the auto-update manifest
|
||||
# (version.yaml) straight to pangolin1's /etc/pangolin/ — see the
|
||||
# header comment in scripts/ci/release-client.sh.
|
||||
DEPLOY_SSH_KEY: ${{ secrets.DEPLOY_SSH_KEY }}
|
||||
REF_NAME: ${{ gitea.ref_name }}
|
||||
run: bash scripts/ci/release-client.sh "$REF_NAME"
|
||||
|
||||
|
||||
@@ -148,6 +148,14 @@ abstract class AppText {
|
||||
String get killSwitch;
|
||||
String get killSwitchSub;
|
||||
String get checkUpdate;
|
||||
String get webUserCenter; // 「用户中心(网页)」入口(App→Web SSO 免登)
|
||||
// 更新检查(设置页「检查更新」手动触发)
|
||||
String updateAvailableTitle(String version); // 「发现新版本 vX.Y.Z」
|
||||
String get updateNotesFallback; // 无 release_notes 时的兜底文案
|
||||
String get updateLater;
|
||||
String get updateDownload;
|
||||
String get updateUpToDate; // 检查后:已是最新版本
|
||||
String get updateCheckFailed; // 检查失败(网络异常)
|
||||
|
||||
// ── 套餐选择 ──
|
||||
String get choosePlan;
|
||||
|
||||
@@ -235,6 +235,20 @@ class StringsEn extends AppText {
|
||||
String get killSwitchSub => 'Block traffic if the link drops';
|
||||
@override
|
||||
String get checkUpdate => 'Check for updates';
|
||||
@override
|
||||
String get webUserCenter => 'User Center (Web)';
|
||||
@override
|
||||
String updateAvailableTitle(String version) => 'New version v$version available';
|
||||
@override
|
||||
String get updateNotesFallback => 'This update includes fixes and stability improvements.';
|
||||
@override
|
||||
String get updateLater => 'Later';
|
||||
@override
|
||||
String get updateDownload => 'Download update';
|
||||
@override
|
||||
String get updateUpToDate => 'You are up to date';
|
||||
@override
|
||||
String get updateCheckFailed => 'Update check failed, try again later';
|
||||
|
||||
@override
|
||||
String get choosePlan => 'Choose plan';
|
||||
|
||||
@@ -234,6 +234,20 @@ class StringsZh extends AppText {
|
||||
String get killSwitchSub => '断线时阻断网络,防止泄露';
|
||||
@override
|
||||
String get checkUpdate => '检查更新';
|
||||
@override
|
||||
String get webUserCenter => '用户中心(网页)';
|
||||
@override
|
||||
String updateAvailableTitle(String version) => '发现新版本 v$version';
|
||||
@override
|
||||
String get updateNotesFallback => '本次更新修复了一些问题并提升了稳定性,建议尽快更新。';
|
||||
@override
|
||||
String get updateLater => '稍后';
|
||||
@override
|
||||
String get updateDownload => '下载更新';
|
||||
@override
|
||||
String get updateUpToDate => '已是最新版本';
|
||||
@override
|
||||
String get updateCheckFailed => '检查更新失败,请稍后重试';
|
||||
|
||||
@override
|
||||
String get choosePlan => '选择套餐';
|
||||
|
||||
@@ -9,9 +9,29 @@ import 'package:flutter_riverpod/flutter_riverpod.dart';
|
||||
|
||||
import '../l10n/app_text.dart';
|
||||
import '../pangolin_theme.dart';
|
||||
import '../services/web_launch.dart';
|
||||
import '../state/app_providers.dart';
|
||||
import '../state/settings_provider.dart';
|
||||
import '../state/update_provider.dart';
|
||||
import '../widgets/pangolin_icons.dart';
|
||||
import '../widgets/pangolin_toast.dart';
|
||||
import '../widgets/update_dialog.dart';
|
||||
|
||||
/// 「检查更新」手动触发:拉取 `$kApiBaseUrl/version`,失败/无更新走轻提示,
|
||||
/// 有更新则弹 [showUpdateDialog]。
|
||||
Future<void> _checkForUpdate(BuildContext context, WidgetRef ref, AppText t) async {
|
||||
final info = await ref.read(updateCheckerProvider).check();
|
||||
if (!context.mounted) return;
|
||||
if (info == null) {
|
||||
showPangolinToast(context, t.updateCheckFailed);
|
||||
return;
|
||||
}
|
||||
if (!info.hasUpdate) {
|
||||
showPangolinToast(context, t.updateUpToDate);
|
||||
return;
|
||||
}
|
||||
await showUpdateDialog(context, t, info);
|
||||
}
|
||||
|
||||
class SettingsPage extends ConsumerWidget {
|
||||
const SettingsPage({super.key});
|
||||
@@ -59,7 +79,8 @@ class SettingsPage extends ConsumerWidget {
|
||||
right: sw(isDark, (v) => ref.read(themeModeProvider.notifier).state = v ? ThemeMode.dark : ThemeMode.light),
|
||||
),
|
||||
_Row(title: t.protocol, right: Text('REALITY / Hysteria2', style: PangolinText.mono.copyWith(fontSize: 13, color: c.fg3))),
|
||||
_Row(title: t.checkUpdate, right: Icon(PangolinIcons.chevronRight, size: 18, color: c.fg3), onTap: () {}),
|
||||
_Row(title: t.webUserCenter, right: Icon(PangolinIcons.externalLink, size: 18, color: c.fg3), onTap: () => openWebUserCenter(ref)),
|
||||
_Row(title: t.checkUpdate, right: Icon(PangolinIcons.chevronRight, size: 18, color: c.fg3), onTap: () => _checkForUpdate(context, ref, t)),
|
||||
_Row(title: 'Version', last: true, right: Text(version, style: PangolinText.mono.copyWith(fontSize: 13, color: c.fg3))),
|
||||
]),
|
||||
]),
|
||||
|
||||
@@ -0,0 +1,29 @@
|
||||
// web_launch.dart — App→Web 单点登录跳转(SSO 换票)。
|
||||
//
|
||||
// 「用户中心(网页)」入口:先向控制面签一张短时单次票据
|
||||
// (POST /v1/auth/web-ticket,需登录),再打开 用户中心网页版 的
|
||||
// /sso?t=<票>&redirect=<路径> 落地页兑票登录——避免用户在网页端重新输入密码。
|
||||
// 签票失败(未登录/网络异常)时降级为直接打开目标页(未登录态浏览)。
|
||||
import 'package:flutter_riverpod/flutter_riverpod.dart';
|
||||
import 'package:url_launcher/url_launcher.dart';
|
||||
|
||||
import '../state/account_providers.dart';
|
||||
|
||||
/// 用户中心(网页版)基址。
|
||||
const String kWebUserCenterBaseUrl = 'https://app.yanmeiai.com';
|
||||
|
||||
/// 打开用户中心网页版 [path](默认首页),尝试免登录(SSO 换票)。
|
||||
Future<void> openWebUserCenter(WidgetRef ref, {String path = '/'}) async {
|
||||
Uri target = Uri.parse('$kWebUserCenterBaseUrl$path');
|
||||
try {
|
||||
final resp = await ref.read(apiClientProvider).postJson('/v1/auth/web-ticket');
|
||||
final ticket = resp['ticket'] as String?;
|
||||
if (ticket != null && ticket.isNotEmpty) {
|
||||
target = Uri.parse(
|
||||
'$kWebUserCenterBaseUrl/sso?t=$ticket&redirect=${Uri.encodeComponent(path)}');
|
||||
}
|
||||
} catch (_) {
|
||||
// 签票失败(未登录/网络异常)降级:直接打开目标页(未登录态浏览)。
|
||||
}
|
||||
await launchUrl(target, mode: LaunchMode.externalApplication);
|
||||
}
|
||||
@@ -0,0 +1,105 @@
|
||||
// update_provider.dart — 应用更新检查(轻量版,无后台轮询)。
|
||||
//
|
||||
// 手动触发(设置页「检查更新」)向控制面 GET $kApiBaseUrl/version 拉取最新版本信息,
|
||||
// 与本地版本(package_info_plus)做语义比较;有更新则由调用方(settings_page)弹窗
|
||||
// 展示(见 widgets/update_dialog.dart)。检查失败静默返回 null,不影响主流程。
|
||||
//
|
||||
// 对照 jiu client/lib/providers/update_provider.dart,去掉了定时轮询 Timer 与
|
||||
// dismiss 状态——按需求这里只做「手动检查」,启动期自动检查留作后续 TODO。
|
||||
import 'dart:convert';
|
||||
import 'dart:io';
|
||||
|
||||
import 'package:flutter_riverpod/flutter_riverpod.dart';
|
||||
import 'package:http/http.dart' as http;
|
||||
import 'package:package_info_plus/package_info_plus.dart';
|
||||
|
||||
import '../services/api_config.dart';
|
||||
|
||||
/// 一次更新检查的结果。
|
||||
class AppUpdateInfo {
|
||||
const AppUpdateInfo({
|
||||
required this.latestVersion,
|
||||
required this.buildNumber,
|
||||
required this.forceUpdate,
|
||||
required this.releaseNotes,
|
||||
required this.downloadUrls,
|
||||
required this.hasUpdate,
|
||||
});
|
||||
|
||||
final String latestVersion;
|
||||
final int buildNumber;
|
||||
final bool forceUpdate;
|
||||
final String releaseNotes;
|
||||
final Map<String, String> downloadUrls;
|
||||
final bool hasUpdate;
|
||||
}
|
||||
|
||||
/// 无状态更新检查服务,供设置页「检查更新」按钮直接调用。
|
||||
final updateCheckerProvider = Provider<UpdateChecker>((ref) => const UpdateChecker());
|
||||
|
||||
class UpdateChecker {
|
||||
const UpdateChecker();
|
||||
|
||||
/// 拉取 `$kApiBaseUrl/version` 并与本地版本比较。网络/解析失败返回 null(静默)。
|
||||
Future<AppUpdateInfo?> check() async {
|
||||
try {
|
||||
final resp = await http
|
||||
.get(Uri.parse('$kApiBaseUrl/version'))
|
||||
.timeout(const Duration(seconds: 8));
|
||||
if (resp.statusCode != 200) return null;
|
||||
final data = jsonDecode(resp.body) as Map<String, dynamic>;
|
||||
|
||||
final latestVersion = data['version'] as String? ?? '0.0.0';
|
||||
final buildNumber = (data['build_number'] as num?)?.toInt() ?? 0;
|
||||
final forceUpdate = data['force_update'] as bool? ?? false;
|
||||
final releaseNotes = data['release_notes'] as String? ?? '';
|
||||
final rawUrls = data['download_urls'] as Map<String, dynamic>? ?? const {};
|
||||
final downloadUrls = rawUrls.map((k, v) => MapEntry(k, v?.toString() ?? ''));
|
||||
|
||||
final info = await PackageInfo.fromPlatform();
|
||||
final hasUpdate = _isNewer(latestVersion, info.version);
|
||||
|
||||
return AppUpdateInfo(
|
||||
latestVersion: latestVersion,
|
||||
buildNumber: buildNumber,
|
||||
forceUpdate: forceUpdate,
|
||||
releaseNotes: releaseNotes,
|
||||
downloadUrls: downloadUrls,
|
||||
hasUpdate: hasUpdate,
|
||||
);
|
||||
} catch (_) {
|
||||
return null;
|
||||
}
|
||||
}
|
||||
|
||||
/// 语义化版本比较:latest > current → true。容忍 1.1.4-dev / 1.1.4+7 等后缀。
|
||||
bool _isNewer(String latest, String current) {
|
||||
final l = _parse(latest);
|
||||
final c = _parse(current);
|
||||
for (var i = 0; i < 3; i++) {
|
||||
if (l[i] > c[i]) return true;
|
||||
if (l[i] < c[i]) return false;
|
||||
}
|
||||
return false;
|
||||
}
|
||||
|
||||
List<int> _parse(String v) {
|
||||
final parts = v.split('.').map((s) {
|
||||
final m = RegExp(r'^\d+').firstMatch(s);
|
||||
return m == null ? 0 : int.parse(m.group(0)!);
|
||||
}).toList();
|
||||
while (parts.length < 3) {
|
||||
parts.add(0);
|
||||
}
|
||||
return parts;
|
||||
}
|
||||
}
|
||||
|
||||
/// 按当前平台从服务端 download_urls 里取对应下载直链。
|
||||
String? platformDownloadUrl(Map<String, String> downloadUrls) {
|
||||
if (Platform.isMacOS) return downloadUrls['macos'];
|
||||
if (Platform.isWindows) return downloadUrls['windows'];
|
||||
if (Platform.isIOS) return downloadUrls['ios'];
|
||||
if (Platform.isAndroid) return downloadUrls['android'];
|
||||
return downloadUrls['web'];
|
||||
}
|
||||
@@ -0,0 +1,81 @@
|
||||
// update_dialog.dart — 「发现新版本」更新提示弹窗。
|
||||
//
|
||||
// 只做「展示 + 引导下载」:点「下载更新」用 url_launcher 打开对应平台的下载直链
|
||||
// (浏览器下载),不做应用内静默安装/自动重启。force_update=true 时不可关闭
|
||||
// (无「稍后」按钮、点遮罩/返回也关不掉)。
|
||||
import 'package:flutter/material.dart';
|
||||
import 'package:url_launcher/url_launcher.dart';
|
||||
|
||||
import '../l10n/app_text.dart';
|
||||
import '../pangolin_theme.dart';
|
||||
import '../state/update_provider.dart';
|
||||
import 'pangolin_icons.dart';
|
||||
|
||||
/// 展示更新弹窗。调用方(设置页「检查更新」)在拿到 `info.hasUpdate == true` 时调用。
|
||||
Future<void> showUpdateDialog(BuildContext context, AppText t, AppUpdateInfo info) {
|
||||
return showDialog<void>(
|
||||
context: context,
|
||||
barrierDismissible: !info.forceUpdate,
|
||||
builder: (ctx) => PopScope(
|
||||
canPop: !info.forceUpdate,
|
||||
child: _UpdateDialog(t: t, info: info),
|
||||
),
|
||||
);
|
||||
}
|
||||
|
||||
class _UpdateDialog extends StatelessWidget {
|
||||
const _UpdateDialog({required this.t, required this.info});
|
||||
final AppText t;
|
||||
final AppUpdateInfo info;
|
||||
|
||||
@override
|
||||
Widget build(BuildContext context) {
|
||||
final c = context.pangolin;
|
||||
return AlertDialog(
|
||||
backgroundColor: c.surface,
|
||||
shape: RoundedRectangleBorder(borderRadius: BorderRadius.circular(PangolinRadius.xl)),
|
||||
title: Row(children: [
|
||||
Container(
|
||||
width: 34,
|
||||
height: 34,
|
||||
decoration: BoxDecoration(color: c.accentSubtle, shape: BoxShape.circle),
|
||||
child: Icon(PangolinIcons.zap, size: 18, color: c.accent),
|
||||
),
|
||||
const SizedBox(width: 12),
|
||||
Expanded(
|
||||
child: Text(
|
||||
t.updateAvailableTitle(info.latestVersion),
|
||||
overflow: TextOverflow.ellipsis,
|
||||
style: PangolinText.body.copyWith(color: c.fg1, fontWeight: FontWeight.w700),
|
||||
),
|
||||
),
|
||||
]),
|
||||
content: SingleChildScrollView(
|
||||
child: Text(
|
||||
info.releaseNotes.isEmpty ? t.updateNotesFallback : info.releaseNotes,
|
||||
style: PangolinText.sm.copyWith(color: c.fg2, height: 1.5),
|
||||
),
|
||||
),
|
||||
actions: [
|
||||
if (!info.forceUpdate)
|
||||
TextButton(
|
||||
onPressed: () => Navigator.of(context).pop(),
|
||||
child: Text(t.updateLater, style: PangolinText.sm.copyWith(color: c.fg2, fontWeight: FontWeight.w600)),
|
||||
),
|
||||
TextButton(
|
||||
onPressed: () async {
|
||||
final url = platformDownloadUrl(info.downloadUrls);
|
||||
if (url != null && url.isNotEmpty) {
|
||||
final uri = Uri.parse(url);
|
||||
if (await canLaunchUrl(uri)) {
|
||||
await launchUrl(uri, mode: LaunchMode.externalApplication);
|
||||
}
|
||||
}
|
||||
if (context.mounted) Navigator.of(context).pop();
|
||||
},
|
||||
child: Text(t.updateDownload, style: PangolinText.sm.copyWith(color: c.accent, fontWeight: FontWeight.w700)),
|
||||
),
|
||||
],
|
||||
);
|
||||
}
|
||||
}
|
||||
@@ -11,6 +11,7 @@ import package_info_plus
|
||||
import screen_retriever_macos
|
||||
import shared_preferences_foundation
|
||||
import tray_manager
|
||||
import url_launcher_macos
|
||||
import window_manager
|
||||
|
||||
func RegisterGeneratedPlugins(registry: FlutterPluginRegistry) {
|
||||
@@ -20,5 +21,6 @@ func RegisterGeneratedPlugins(registry: FlutterPluginRegistry) {
|
||||
ScreenRetrieverMacosPlugin.register(with: registry.registrar(forPlugin: "ScreenRetrieverMacosPlugin"))
|
||||
SharedPreferencesPlugin.register(with: registry.registrar(forPlugin: "SharedPreferencesPlugin"))
|
||||
TrayManagerPlugin.register(with: registry.registrar(forPlugin: "TrayManagerPlugin"))
|
||||
UrlLauncherPlugin.register(with: registry.registrar(forPlugin: "UrlLauncherPlugin"))
|
||||
WindowManagerPlugin.register(with: registry.registrar(forPlugin: "WindowManagerPlugin"))
|
||||
}
|
||||
|
||||
@@ -20,6 +20,7 @@ dependencies:
|
||||
flutter_secure_storage: ^9.2.2 # JWT token 安全存储 + 稳定 device_id 持久化
|
||||
shared_preferences: ^2.5.5
|
||||
package_info_plus: ^9.0.1
|
||||
url_launcher: ^6.3.0 # 打开外部链接(用户中心 SSO 免登 / 更新下载页)
|
||||
device_info_plus: ^11.2.0 # 设备名/平台(「我的设备」上报)
|
||||
uuid: ^4.5.1 # 客户端生成稳定 device_id (UUID v4)
|
||||
launch_at_startup: ^0.5.1
|
||||
|
||||
@@ -9,6 +9,7 @@
|
||||
#include <flutter_secure_storage_windows/flutter_secure_storage_windows_plugin.h>
|
||||
#include <screen_retriever_windows/screen_retriever_windows_plugin_c_api.h>
|
||||
#include <tray_manager/tray_manager_plugin.h>
|
||||
#include <url_launcher_windows/url_launcher_windows.h>
|
||||
#include <window_manager/window_manager_plugin.h>
|
||||
|
||||
void RegisterPlugins(flutter::PluginRegistry* registry) {
|
||||
@@ -18,6 +19,8 @@ void RegisterPlugins(flutter::PluginRegistry* registry) {
|
||||
registry->GetRegistrarForPlugin("ScreenRetrieverWindowsPluginCApi"));
|
||||
TrayManagerPluginRegisterWithRegistrar(
|
||||
registry->GetRegistrarForPlugin("TrayManagerPlugin"));
|
||||
UrlLauncherWindowsRegisterWithRegistrar(
|
||||
registry->GetRegistrarForPlugin("UrlLauncherWindows"));
|
||||
WindowManagerPluginRegisterWithRegistrar(
|
||||
registry->GetRegistrarForPlugin("WindowManagerPlugin"));
|
||||
}
|
||||
|
||||
@@ -6,6 +6,7 @@ list(APPEND FLUTTER_PLUGIN_LIST
|
||||
flutter_secure_storage_windows
|
||||
screen_retriever_windows
|
||||
tray_manager
|
||||
url_launcher_windows
|
||||
window_manager
|
||||
)
|
||||
|
||||
|
||||
@@ -178,6 +178,7 @@ GRPC_KEY_PATH=$ETC/grpc.key
|
||||
PANGOLIN_PUBLIC_URL=https://api.yanmeiai.com
|
||||
PANGOLIN_RULES_DIR=$DATA_DIR/rules
|
||||
DOWNLOADS_DIR=$DATA_DIR/downloads
|
||||
VERSION_MANIFEST=$ETC/version.yaml
|
||||
EOF
|
||||
if [ -n "${SMTP_HOST:-}" ]; then
|
||||
cat >> "$ETC/server.env" <<EOF
|
||||
@@ -211,6 +212,15 @@ curl -fsSL -o "$RULES_DIR/geosite-cn.srs" \
|
||||
DOWNLOADS_DIR="$DATA_DIR/downloads"
|
||||
install -d -m 755 "$DOWNLOADS_DIR"
|
||||
|
||||
# ── 6d. 客户端自动更新版本清单 ─────────────────────────────────────────────────
|
||||
# GET /version(公开、免鉴权)按 VERSION_MANIFEST(见上 server.env)读取该文件;
|
||||
# scripts/ci/release-client.sh 每次 client-v* 发版都会以本仓库这份文件为模板,
|
||||
# 改写 version/build_number 后 SSH 推到这个路径覆盖 —— 幂等重跑本脚本不应该把
|
||||
# 已发布的最新版本号退回仓库里的默认值,所以文件已存在时不覆盖。
|
||||
if [ ! -f "$ETC/version.yaml" ]; then
|
||||
install -m 644 "$HERE/version.yaml" "$ETC/version.yaml"
|
||||
fi
|
||||
|
||||
# ── 7. 迁移 + seed(SQLite)────────────────────────────────────────────────────
|
||||
log "执行迁移(sqlite)..."
|
||||
DB_DRIVER=sqlite DB_DSN="$DB_FILE" "$BIN/pangolin-migrate" up
|
||||
|
||||
@@ -0,0 +1,22 @@
|
||||
# version.yaml — 客户端自动更新版本清单(committed default)。
|
||||
#
|
||||
# deploy/single-node/deploy.sh 把这份文件安装到 /etc/pangolin/version.yaml
|
||||
# (VERSION_MANIFEST 默认路径,见 server/internal/httpapi/version.go)。
|
||||
# scripts/ci/release-client.sh 在每次 client-v* 发版时,以这份文件为模板改写
|
||||
# version / build_number 字段,再原样(SSH)推到 pangolin1 的
|
||||
# /etc/pangolin/version.yaml —— 控制面每次请求都重新读该文件,发版立即生效,
|
||||
# 不需要重启/重新部署控制面。
|
||||
#
|
||||
# download_urls 目前是固定「仅保留最新一份」的稳定 URL(deploy-client.sh 每次
|
||||
# 用同名文件覆盖),不是按版本变化的路径,因此这里不需要随发版改写;
|
||||
# macos / ios 产物尚未产出,先留空字符串。
|
||||
version: "1.0.48"
|
||||
build_number: 10048
|
||||
force_update: false
|
||||
release_notes: ""
|
||||
download_urls:
|
||||
android: "https://api.yanmeiai.com/downloads/pangolin-android.apk"
|
||||
windows: "https://api.yanmeiai.com/downloads/pangolin-windows-x64-setup.exe"
|
||||
macos: ""
|
||||
ios: ""
|
||||
changelog: []
|
||||
Executable
+198
@@ -0,0 +1,198 @@
|
||||
#!/usr/bin/env bash
|
||||
# compile-ios.sh <tag> — build a signed iOS IPA (app + PacketTunnel Network
|
||||
# Extension) and upload it to TestFlight (App Store Connect).
|
||||
#
|
||||
# Mirrors ~/code/jiu/scripts/ci/compile-ios.sh's shape (temp-keychain dist
|
||||
# cert import, provisioning-profile install by UUID, ExportOptions.plist,
|
||||
# `flutter build ipa`, `xcrun altool --upload-app`), adapted for pangolin:
|
||||
# - pangolin's iOS app ships a NEPacketTunnelProvider **app extension**
|
||||
# (client/ios/PacketTunnel/, bundle com.pangolin.pangolinVpn.PacketTunnel)
|
||||
# alongside the main app (com.pangolin.pangolinVpn) — jiu has no
|
||||
# extension at all, just the one app target. So this script needs TWO
|
||||
# distribution provisioning profiles (app + extension), not one, and the
|
||||
# ExportOptions.plist provisioningProfiles dict needs both bundle-id ->
|
||||
# profile-name mappings.
|
||||
# - pangolin embeds sing-box as a native core (gomobile-built
|
||||
# Libbox.xcframework, io.nekohasekai.libbox) — jiu's Flutter app has no
|
||||
# embedded core. This script MUST run `scripts/build-libbox.sh apple ios`
|
||||
# before `flutter build ipa`, or the IPA links no VPN kernel (mirrors the
|
||||
# equivalent step in compile-android.sh / compile-macos.sh).
|
||||
# - Team ID BYL4KQHMTN is hardcoded as a script constant rather than a
|
||||
# secret (unlike jiu's IOS_TEAM_ID secret): it's already public inside
|
||||
# this repo (CLAUDE.md, client/ios/Runner.xcodeproj/project.pbxproj
|
||||
# DEVELOPMENT_TEAM, scripts/local_test.sh SIGN_ID) — not sensitive, no
|
||||
# reason to add another secret for it.
|
||||
# - APPSTORE_API_KEY_ID / APPSTORE_API_ISSUER_ID / APPSTORE_API_KEY_P8_BASE64
|
||||
# are shared with compile-macos.sh's notarization step (same App Store
|
||||
# Connect API key serves both notarization and TestFlight upload).
|
||||
#
|
||||
# Required CI secrets (missing ANY of them => SKIP gracefully, exit 0 — does
|
||||
# NOT fail the pipeline; Apple iOS distribution needs an enrolled account +
|
||||
# certs that may not exist yet, unlike macOS Developer ID which is a hard
|
||||
# fail-fast in compile-macos.sh):
|
||||
# IOS_DIST_CERT_P12_BASE64 Apple Distribution 证书(.p12)base64
|
||||
# IOS_DIST_CERT_PASSWORD .p12 导出密码
|
||||
# IOS_APP_PROVISIONING_PROFILE_BASE64 App Store 类型描述文件(主 app,
|
||||
# com.pangolin.pangolinVpn)base64
|
||||
# IOS_PACKETTUNNEL_PROVISIONING_PROFILE_BASE64 App Store 类型描述文件(扩展,
|
||||
# com.pangolin.pangolinVpn.PacketTunnel)base64
|
||||
# APPSTORE_API_KEY_ID / APPSTORE_API_ISSUER_ID / APPSTORE_API_KEY_P8_BASE64
|
||||
# App Store Connect API Key(上传 TestFlight 用;与 compile-macos.sh 公证共用)。
|
||||
#
|
||||
# No dist/ artifact is produced (matches jiu) — the IPA goes straight to
|
||||
# TestFlight via altool, nothing is uploaded to the Forgejo release.
|
||||
set -euo pipefail
|
||||
|
||||
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
|
||||
# shellcheck source=scripts/ci/_env.sh
|
||||
. "${SCRIPT_DIR}/_env.sh"
|
||||
|
||||
TAG="${1:?usage: compile-ios.sh <tag>}"
|
||||
|
||||
ver_file="/tmp/compile_ios_ver.$$"
|
||||
ver_from_tag client "$TAG" > "$ver_file"
|
||||
VER=""
|
||||
read -r VER < "$ver_file" || true # 无结尾换行的 read 退出码,见 compile-android.sh 同注释
|
||||
rm -f "$ver_file"
|
||||
|
||||
# CFBundleVersion(两个 target 均为 "$(FLUTTER_BUILD_NUMBER)",见
|
||||
# client/ios/Runner.xcodeproj/project.pbxproj —— 与 macOS 的 PacketTunnel 硬编码
|
||||
# CURRENT_PROJECT_VERSION 不同,这里走 flutter build --build-number 走标准路径)。
|
||||
# 必须单调递增,否则 TestFlight 拒绝重复上传(同 jiu 注释),公式与
|
||||
# compile-android.sh / compile-macos.sh 一致。
|
||||
MAJOR="${VER%%.*}"
|
||||
_REST="${VER#*.}"
|
||||
MINOR="${_REST%%.*}"
|
||||
PATCH="${_REST#*.}"
|
||||
PATCH="${PATCH%%-*}"
|
||||
BUILD=$(( MAJOR * 10000 + MINOR * 100 + PATCH ))
|
||||
|
||||
echo "==> compile-ios: tag=${TAG} version=${VER} build=${BUILD}"
|
||||
|
||||
# ── 凭证缺失则优雅跳过(不阻塞流水线;见头部说明)─────────────────────────
|
||||
if [ -z "${IOS_DIST_CERT_P12_BASE64:-}" ] || \
|
||||
[ -z "${IOS_DIST_CERT_PASSWORD:-}" ] || \
|
||||
[ -z "${IOS_APP_PROVISIONING_PROFILE_BASE64:-}" ] || \
|
||||
[ -z "${IOS_PACKETTUNNEL_PROVISIONING_PROFILE_BASE64:-}" ] || \
|
||||
[ -z "${APPSTORE_API_KEY_ID:-}" ] || \
|
||||
[ -z "${APPSTORE_API_ISSUER_ID:-}" ] || \
|
||||
[ -z "${APPSTORE_API_KEY_P8_BASE64:-}" ]; then
|
||||
echo "==> compile-ios: SKIP — iOS signing secrets not fully configured yet (not a failure)"
|
||||
exit 0
|
||||
fi
|
||||
|
||||
REPO_ROOT="$(cd "${SCRIPT_DIR}/../.." && pwd)"
|
||||
API_URL="${PANGOLIN_API_URL:-https://api.yanmeiai.com}"
|
||||
TEAM_ID="BYL4KQHMTN"
|
||||
APP_BUNDLE_ID="com.pangolin.pangolinVpn"
|
||||
EXT_BUNDLE_ID="com.pangolin.pangolinVpn.PacketTunnel"
|
||||
|
||||
WORK="$(mktemp -d)"
|
||||
KEYCHAIN="${WORK}/pangolin-ios-ci.keychain-db"
|
||||
PROFILES_DIR="${HOME}/Library/MobileDevice/Provisioning Profiles"
|
||||
mkdir -p "$PROFILES_DIR"
|
||||
|
||||
cleanup_ios() {
|
||||
security delete-keychain "$KEYCHAIN" 2>/dev/null || true
|
||||
security list-keychains -d user -s login.keychain-db 2>/dev/null || true
|
||||
[ -n "${APP_PROFILE_UUID:-}" ] && rm -f "${PROFILES_DIR}/${APP_PROFILE_UUID}.mobileprovision" 2>/dev/null || true
|
||||
[ -n "${EXT_PROFILE_UUID:-}" ] && rm -f "${PROFILES_DIR}/${EXT_PROFILE_UUID}.mobileprovision" 2>/dev/null || true
|
||||
rm -rf "$WORK"
|
||||
}
|
||||
trap cleanup_ios EXIT
|
||||
|
||||
# ── [1/6] 重建 libbox.xcframework(apple ios;gitignore 产物,每次都要重建) ──
|
||||
echo "==> compile-ios: building Libbox.xcframework (apple ios)"
|
||||
bash "${REPO_ROOT}/scripts/build-libbox.sh" apple ios
|
||||
LIBBOX_FW="${REPO_ROOT}/client/ios/Frameworks/Libbox.xcframework"
|
||||
if [ ! -d "$LIBBOX_FW" ]; then
|
||||
echo "ERROR: ${LIBBOX_FW} not found after build-libbox.sh — aborting." >&2
|
||||
exit 1
|
||||
fi
|
||||
|
||||
# ── [2/6] 临时 keychain 导入 Apple Distribution 证书 ─────────────────────────
|
||||
KEYCHAIN_PWD="ci-temp-$$"
|
||||
security create-keychain -p "$KEYCHAIN_PWD" "$KEYCHAIN"
|
||||
security set-keychain-settings -lut 21600 "$KEYCHAIN"
|
||||
security unlock-keychain -p "$KEYCHAIN_PWD" "$KEYCHAIN"
|
||||
printf '%s' "$IOS_DIST_CERT_P12_BASE64" | base64 --decode > "${WORK}/dist.p12"
|
||||
security import "${WORK}/dist.p12" -k "$KEYCHAIN" \
|
||||
-P "$IOS_DIST_CERT_PASSWORD" -T /usr/bin/codesign -T /usr/bin/security
|
||||
security set-key-partition-list -S apple-tool:,apple: -k "$KEYCHAIN_PWD" "$KEYCHAIN" >/dev/null
|
||||
security list-keychains -d user -s "$KEYCHAIN" login.keychain-db
|
||||
|
||||
# ── [3/6] 安装 2 个 App Store 类型描述文件(app + PacketTunnel 扩展) ─────────
|
||||
printf '%s' "$IOS_APP_PROVISIONING_PROFILE_BASE64" | base64 --decode > "${WORK}/app.mobileprovision"
|
||||
security cms -D -i "${WORK}/app.mobileprovision" > "${WORK}/app_profile.plist"
|
||||
/usr/libexec/PlistBuddy -c 'Print :Name' "${WORK}/app_profile.plist" > "${WORK}/app_name.txt"
|
||||
/usr/libexec/PlistBuddy -c 'Print :UUID' "${WORK}/app_profile.plist" > "${WORK}/app_uuid.txt"
|
||||
APP_PROFILE_NAME=""
|
||||
read -r APP_PROFILE_NAME < "${WORK}/app_name.txt" || true
|
||||
APP_PROFILE_UUID=""
|
||||
read -r APP_PROFILE_UUID < "${WORK}/app_uuid.txt" || true
|
||||
cp "${WORK}/app.mobileprovision" "${PROFILES_DIR}/${APP_PROFILE_UUID}.mobileprovision"
|
||||
echo "==> compile-ios: app profile '${APP_PROFILE_NAME}' (${APP_PROFILE_UUID})"
|
||||
|
||||
printf '%s' "$IOS_PACKETTUNNEL_PROVISIONING_PROFILE_BASE64" | base64 --decode > "${WORK}/ext.mobileprovision"
|
||||
security cms -D -i "${WORK}/ext.mobileprovision" > "${WORK}/ext_profile.plist"
|
||||
/usr/libexec/PlistBuddy -c 'Print :Name' "${WORK}/ext_profile.plist" > "${WORK}/ext_name.txt"
|
||||
/usr/libexec/PlistBuddy -c 'Print :UUID' "${WORK}/ext_profile.plist" > "${WORK}/ext_uuid.txt"
|
||||
EXT_PROFILE_NAME=""
|
||||
read -r EXT_PROFILE_NAME < "${WORK}/ext_name.txt" || true
|
||||
EXT_PROFILE_UUID=""
|
||||
read -r EXT_PROFILE_UUID < "${WORK}/ext_uuid.txt" || true
|
||||
cp "${WORK}/ext.mobileprovision" "${PROFILES_DIR}/${EXT_PROFILE_UUID}.mobileprovision"
|
||||
echo "==> compile-ios: PacketTunnel profile '${EXT_PROFILE_NAME}' (${EXT_PROFILE_UUID})"
|
||||
|
||||
# ── [4/6] App Store Connect API Key(供 altool 上传使用)──────────────────────
|
||||
API_KEYS_DIR="${HOME}/.appstoreconnect/private_keys"
|
||||
mkdir -p "$API_KEYS_DIR"
|
||||
printf '%s' "$APPSTORE_API_KEY_P8_BASE64" | base64 --decode > "${API_KEYS_DIR}/AuthKey_${APPSTORE_API_KEY_ID}.p8"
|
||||
|
||||
# ── [5/6] 同步版本号 + 生成 ExportOptions.plist(manual 签名,两个 bundle 都映射)──
|
||||
sed -i '' "s/^version:.*/version: ${VER}+${BUILD}/" "${REPO_ROOT}/client/pubspec.yaml"
|
||||
|
||||
cat > "${WORK}/ExportOptions.plist" <<EOF
|
||||
<?xml version="1.0" encoding="UTF-8"?>
|
||||
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
|
||||
<plist version="1.0">
|
||||
<dict>
|
||||
<key>method</key><string>app-store</string>
|
||||
<key>teamID</key><string>${TEAM_ID}</string>
|
||||
<key>signingStyle</key><string>manual</string>
|
||||
<key>uploadBitcode</key><false/>
|
||||
<key>uploadSymbols</key><true/>
|
||||
<key>provisioningProfiles</key>
|
||||
<dict>
|
||||
<key>${APP_BUNDLE_ID}</key><string>${APP_PROFILE_NAME}</string>
|
||||
<key>${EXT_BUNDLE_ID}</key><string>${EXT_PROFILE_NAME}</string>
|
||||
</dict>
|
||||
</dict>
|
||||
</plist>
|
||||
EOF
|
||||
|
||||
# ── [6/6] flutter build ipa + 上传 TestFlight ───────────────────────────────
|
||||
cd "${REPO_ROOT}/client"
|
||||
flutter build ipa --release \
|
||||
--build-name="${VER}" \
|
||||
--build-number="${BUILD}" \
|
||||
--export-options-plist="${WORK}/ExportOptions.plist" \
|
||||
"--dart-define=PANGOLIN_API_URL=${API_URL}"
|
||||
cd "$REPO_ROOT"
|
||||
|
||||
IPA=""
|
||||
for cand in "${REPO_ROOT}"/client/build/ios/ipa/*.ipa; do
|
||||
if [ -f "$cand" ]; then IPA="$cand"; break; fi
|
||||
done
|
||||
if [ -z "$IPA" ]; then
|
||||
echo "ERROR: IPA not found under client/build/ios/ipa/" >&2
|
||||
exit 1
|
||||
fi
|
||||
echo "==> compile-ios: built ${IPA}"
|
||||
|
||||
echo "==> compile-ios: uploading to TestFlight"
|
||||
xcrun altool --upload-app -f "$IPA" -t ios \
|
||||
--apiKey "$APPSTORE_API_KEY_ID" \
|
||||
--apiIssuer "$APPSTORE_API_ISSUER_ID"
|
||||
|
||||
echo "==> compile-ios: done — uploaded build ${BUILD} to TestFlight"
|
||||
Executable
+267
@@ -0,0 +1,267 @@
|
||||
#!/usr/bin/env bash
|
||||
# compile-macos.sh <tag> — build the Flutter macOS app (with its embedded
|
||||
# PacketTunnel System Extension), Developer ID sign + notarize + staple,
|
||||
# package into dist/.
|
||||
#
|
||||
# Mirrors ~/code/jiu/scripts/ci/compile-macos.sh's shape (temp-keychain
|
||||
# Developer ID import, inside-out codesign, notarytool submit --wait, staple,
|
||||
# ditto zip), but pangolin's macOS app is heavier than jiu's plain window:
|
||||
# - it embeds a System Extension (com.pangolin.pangolin.PacketTunnel,
|
||||
# `.systemextension` bundle under Contents/Library/SystemExtensions/)
|
||||
# that needs ITS OWN Developer ID provisioning profile + entitlements,
|
||||
# signed separately, inside-out, before the outer app is signed — see
|
||||
# CLAUDE.md "client/ macOS 原生隧道" and
|
||||
# docs/macos-sysext-realize-troubleshooting.html for why every one of
|
||||
# these steps is load-bearing (wrong order / missing entitlement /
|
||||
# unsigned nested item => sysextd silently refuses to load it).
|
||||
# - the Xcode project (client/macos/Runner.xcodeproj) is ALREADY configured
|
||||
# CODE_SIGN_STYLE=Manual with CODE_SIGN_IDENTITY="Developer ID
|
||||
# Application" + PROVISIONING_PROFILE_SPECIFIER set per target (unlike
|
||||
# jiu, whose Release config has CODE_SIGN_IDENTITY="-", i.e. unsigned at
|
||||
# build time, signed entirely by hand afterward). So `flutter build macos
|
||||
# --release` here should already produce a signed .app *if* the identity
|
||||
# is in a searched keychain and the profiles are in place. This script
|
||||
# still re-runs the explicit inside-out codesign pass below (mirroring
|
||||
# scripts/local_test.sh's now-legacy `cmd_sign`) as a defensive,
|
||||
# idempotent safety net — resigning with the same identity is harmless,
|
||||
# and it removes any dependency on Xcode's automatic nested-item signing
|
||||
# behaving identically on a CI runner vs. the maintainer's dev machine.
|
||||
# - CFBundleVersion for the PacketTunnel extension is NOT derived from
|
||||
# FLUTTER_BUILD_NUMBER (unlike the main Runner target, and unlike iOS
|
||||
# where every target uses "$(FLUTTER_BUILD_NUMBER)") — it's a literal
|
||||
# CURRENT_PROJECT_VERSION build setting hardcoded in project.pbxproj
|
||||
# (currently 53, see CLAUDE.md: "每次构建必递增 CFBundleVersion
|
||||
# (CURRENT_PROJECT_VERSION)——否则 sysextd 视为同版本不更新"). This script
|
||||
# computes a monotonic build number from the tag version (same
|
||||
# major*10000+minor*100+patch formula as compile-android.sh /
|
||||
# compile-ios.sh) and sed's every CURRENT_PROJECT_VERSION occurrence in
|
||||
# the pbxproj (RunnerTests + PacketTunnel Debug/Release/Profile, 6 total)
|
||||
# before building. This edit is NOT committed back to git — each CI run
|
||||
# starts from the repo's checked-in value and recomputes deterministically
|
||||
# from the tag, so it stays monotonic across releases as long as the
|
||||
# version itself increases.
|
||||
#
|
||||
# Required CI secrets (fail-fast — ANY missing => abort, never ship unsigned):
|
||||
# MACOS_DEVELOPER_ID_CERT_P12_BASE64 Developer ID Application 证书(.p12)base64
|
||||
# MACOS_DEVELOPER_ID_CERT_PASSWORD .p12 导出密码
|
||||
# MACOS_APP_PROVISION_PROFILE_BASE64 "Pangolin App DevID" 描述文件 base64
|
||||
# MACOS_SYSEXT_PROVISION_PROFILE_BASE64 "Pangolin PacketTunnel DevID" 描述文件 base64
|
||||
# APPSTORE_API_KEY_ID / APPSTORE_API_ISSUER_ID / APPSTORE_API_KEY_P8_BASE64
|
||||
# App Store Connect API Key(公证用,notarytool --key/--key-id/--issuer;
|
||||
# 不同于 scripts/local_test.sh 本机用的 --keychain-profile pangolin-notary,
|
||||
# CI 无法预置 keychain profile,必须走显式 API key 三件套)。
|
||||
#
|
||||
# Output: dist/pangolin-macos-x64.zip (stable name — deploy-client.sh /
|
||||
# release-client.sh key off this exact filename).
|
||||
set -euo pipefail
|
||||
|
||||
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
|
||||
# shellcheck source=scripts/ci/_env.sh
|
||||
. "${SCRIPT_DIR}/_env.sh"
|
||||
|
||||
TAG="${1:?usage: compile-macos.sh <tag>}"
|
||||
|
||||
ver_file="/tmp/compile_macos_ver.$$"
|
||||
ver_from_tag client "$TAG" > "$ver_file"
|
||||
VER=""
|
||||
read -r VER < "$ver_file" || true # 无结尾换行的 read 退出码,见 compile-android.sh 同注释
|
||||
rm -f "$ver_file"
|
||||
|
||||
# 单调递增 build 号:major*10000 + minor*100 + patch(同 compile-android.sh /
|
||||
# compile-ios.sh 公式)。纯参数展开,不用 cut/$();剥掉 patch 段的 `-suffix`
|
||||
# (如预发布 tag "48-rc1")以保证后面的算术展开是纯数字。
|
||||
MAJOR="${VER%%.*}"
|
||||
_REST="${VER#*.}"
|
||||
MINOR="${_REST%%.*}"
|
||||
PATCH="${_REST#*.}"
|
||||
PATCH="${PATCH%%-*}"
|
||||
BUILD=$(( MAJOR * 10000 + MINOR * 100 + PATCH ))
|
||||
|
||||
echo "==> compile-macos: tag=${TAG} version=${VER} build=${BUILD}"
|
||||
|
||||
# ── [0/7] fail-fast:签名/公证所需 secret 一个不少 ──────────────────────────
|
||||
# 比 jiu 的 mac 脚本(只查 2 个)更严格:任一缺失都直接报错中止,不产出未签名/
|
||||
# 未公证包。用 `${VAR:?msg}` 而非 if-empty,出错信息更精确定位到具体哪个 secret。
|
||||
: "${MACOS_DEVELOPER_ID_CERT_P12_BASE64:?缺少 MACOS_DEVELOPER_ID_CERT_P12_BASE64:未配置 Developer ID 证书,构建中止(不产出未签名包)}"
|
||||
: "${MACOS_DEVELOPER_ID_CERT_PASSWORD:?缺少 MACOS_DEVELOPER_ID_CERT_PASSWORD}"
|
||||
: "${MACOS_APP_PROVISION_PROFILE_BASE64:?缺少 MACOS_APP_PROVISION_PROFILE_BASE64('Pangolin App DevID' 描述文件)}"
|
||||
: "${MACOS_SYSEXT_PROVISION_PROFILE_BASE64:?缺少 MACOS_SYSEXT_PROVISION_PROFILE_BASE64('Pangolin PacketTunnel DevID' 描述文件)}"
|
||||
: "${APPSTORE_API_KEY_ID:?缺少 APPSTORE_API_KEY_ID(公证用 App Store Connect API Key)}"
|
||||
: "${APPSTORE_API_ISSUER_ID:?缺少 APPSTORE_API_ISSUER_ID}"
|
||||
: "${APPSTORE_API_KEY_P8_BASE64:?缺少 APPSTORE_API_KEY_P8_BASE64}"
|
||||
|
||||
REPO_ROOT="$(cd "${SCRIPT_DIR}/../.." && pwd)"
|
||||
API_URL="${PANGOLIN_API_URL:-https://api.yanmeiai.com}"
|
||||
SIGN_ID_PREFIX="Developer ID Application"
|
||||
TEAM_ID="BYL4KQHMTN"
|
||||
APP_BUNDLE_ID="com.pangolin.pangolin"
|
||||
SYSEXT_BUNDLE_ID="com.pangolin.pangolin.PacketTunnel"
|
||||
APP_GROUP="${TEAM_ID}.com.pangolin.pangolin"
|
||||
|
||||
WORK="$(mktemp -d)"
|
||||
KEYCHAIN="${WORK}/pangolin-mac-ci.keychain-db"
|
||||
# 与 scripts/local_test.sh 用的描述文件目录保持一致(Xcode UserData 目录,
|
||||
# 而非经典的 ~/Library/MobileDevice/Provisioning Profiles/)——CI 与本机联调
|
||||
# 复用同一处,两边的 "Pangolin App DevID"/"Pangolin PacketTunnel DevID" 描述
|
||||
# 文件本就应该是同一份,CI 覆盖写入是幂等的。故清理阶段【不删除】这两个描述
|
||||
# 文件(只清理临时 keychain/证书),避免影响维护者在同一台 mac runner 上继续
|
||||
# 用 local_test.sh 手动联调。
|
||||
PROF_DIR="${HOME}/Library/Developer/Xcode/UserData/Provisioning Profiles"
|
||||
mkdir -p "$PROF_DIR"
|
||||
|
||||
cleanup_mac() {
|
||||
security delete-keychain "$KEYCHAIN" 2>/dev/null || true
|
||||
# 把 keychain 搜索列表还原成默认单项,不把临时 keychain 的痕迹留在这台常驻
|
||||
# runner 上(mac-pangolin-2 同时也被人手动用来跑 local_test.sh)。
|
||||
security list-keychains -d user -s login.keychain-db 2>/dev/null || true
|
||||
rm -rf "$WORK"
|
||||
}
|
||||
trap cleanup_mac EXIT
|
||||
|
||||
# ── [1/7] 重建 libbox.xcframework(gitignore 产物,每次换 worktree/CI 都要重建)─
|
||||
echo "==> compile-macos: building Libbox.xcframework (apple macos)"
|
||||
bash "${REPO_ROOT}/scripts/build-libbox.sh" apple macos
|
||||
LIBBOX_FW="${REPO_ROOT}/client/macos/Frameworks/Libbox.xcframework"
|
||||
if [ ! -d "$LIBBOX_FW" ]; then
|
||||
echo "ERROR: ${LIBBOX_FW} not found after build-libbox.sh — aborting." >&2
|
||||
exit 1
|
||||
fi
|
||||
|
||||
# ── [2/7] 递增 CURRENT_PROJECT_VERSION(sysext CFBundleVersion,见头部说明)──
|
||||
PBXPROJ="${REPO_ROOT}/client/macos/Runner.xcodeproj/project.pbxproj"
|
||||
echo "==> compile-macos: bumping CURRENT_PROJECT_VERSION -> ${BUILD} in project.pbxproj"
|
||||
sed -i '' -E "s/CURRENT_PROJECT_VERSION = [0-9]+;/CURRENT_PROJECT_VERSION = ${BUILD};/g" "$PBXPROJ"
|
||||
# 同步 pubspec.yaml(主 app 自身的 FLUTTER_BUILD_NUMBER,和 android/windows 脚本一致)。
|
||||
sed -i '' "s/^version:.*/version: ${VER}+${BUILD}/" "${REPO_ROOT}/client/pubspec.yaml"
|
||||
|
||||
# ── [3/7] 解码 2 个 Developer ID 描述文件到 local_test.sh 同款目录 ──────────
|
||||
printf '%s' "$MACOS_APP_PROVISION_PROFILE_BASE64" | base64 --decode > "${WORK}/app.provisionprofile"
|
||||
printf '%s' "$MACOS_SYSEXT_PROVISION_PROFILE_BASE64" | base64 --decode > "${WORK}/sysext.provisionprofile"
|
||||
|
||||
# 提取 UUID 用来落盘为规范文件名(Xcode/xcodebuild 靠内容匹配,文件名本身不
|
||||
# 强制要求,但用 UUID 命名是 Xcode 自身导入时的惯例,避免与其他描述文件重名冲突)。
|
||||
security cms -D -i "${WORK}/app.provisionprofile" > "${WORK}/app_profile.plist"
|
||||
/usr/libexec/PlistBuddy -c 'Print :UUID' "${WORK}/app_profile.plist" > "${WORK}/app_uuid.txt"
|
||||
APP_PROFILE_UUID=""
|
||||
read -r APP_PROFILE_UUID < "${WORK}/app_uuid.txt" || true
|
||||
APP_PROFILE="${PROF_DIR}/${APP_PROFILE_UUID}.provisionprofile"
|
||||
cp "${WORK}/app.provisionprofile" "$APP_PROFILE"
|
||||
|
||||
security cms -D -i "${WORK}/sysext.provisionprofile" > "${WORK}/sysext_profile.plist"
|
||||
/usr/libexec/PlistBuddy -c 'Print :UUID' "${WORK}/sysext_profile.plist" > "${WORK}/sysext_uuid.txt"
|
||||
SYSEXT_PROFILE_UUID=""
|
||||
read -r SYSEXT_PROFILE_UUID < "${WORK}/sysext_uuid.txt" || true
|
||||
SYSEXT_PROFILE="${PROF_DIR}/${SYSEXT_PROFILE_UUID}.provisionprofile"
|
||||
cp "${WORK}/sysext.provisionprofile" "$SYSEXT_PROFILE"
|
||||
|
||||
echo "==> compile-macos: profiles installed to '${PROF_DIR}' (app=${APP_PROFILE_UUID}, sysext=${SYSEXT_PROFILE_UUID})"
|
||||
|
||||
# ── [4/7] 临时 keychain 导入 Developer ID Application 证书 ──────────────────
|
||||
KEYCHAIN_PWD="ci-temp-$$"
|
||||
security create-keychain -p "$KEYCHAIN_PWD" "$KEYCHAIN"
|
||||
security set-keychain-settings -lut 21600 "$KEYCHAIN"
|
||||
security unlock-keychain -p "$KEYCHAIN_PWD" "$KEYCHAIN"
|
||||
printf '%s' "$MACOS_DEVELOPER_ID_CERT_P12_BASE64" | base64 --decode > "${WORK}/devid.p12"
|
||||
security import "${WORK}/devid.p12" -k "$KEYCHAIN" \
|
||||
-P "$MACOS_DEVELOPER_ID_CERT_PASSWORD" -T /usr/bin/codesign -T /usr/bin/security
|
||||
security set-key-partition-list -S apple-tool:,apple: -k "$KEYCHAIN_PWD" "$KEYCHAIN" >/dev/null
|
||||
security list-keychains -d user -s "$KEYCHAIN" login.keychain-db
|
||||
|
||||
security find-identity -v -p codesigning "$KEYCHAIN" > "${WORK}/identities.txt"
|
||||
grep "$SIGN_ID_PREFIX" "${WORK}/identities.txt" | head -1 | sed -E 's/.*"(.*)"/\1/' > "${WORK}/identity.txt"
|
||||
IDENTITY=""
|
||||
read -r IDENTITY < "${WORK}/identity.txt" || true
|
||||
if [ -z "$IDENTITY" ]; then
|
||||
echo "ERROR: '${SIGN_ID_PREFIX}' identity not found in imported keychain" >&2
|
||||
exit 1
|
||||
fi
|
||||
echo "==> compile-macos: signing identity '${IDENTITY}'"
|
||||
|
||||
# ── [5/7] flutter build macos --release ─────────────────────────────────────
|
||||
# 项目已配 CODE_SIGN_STYLE=Manual + PROVISIONING_PROFILE_SPECIFIER(见头部说
|
||||
# 明),本步应已产出 Developer ID 签名 + hardened runtime 的 .app;下一步的
|
||||
# inside-out 重签是幂等的安全网,不依赖这一步是否已经"恰好签对"。
|
||||
cd "${REPO_ROOT}/client"
|
||||
flutter build macos --release --dart-define="PANGOLIN_API_URL=${API_URL}"
|
||||
cd "$REPO_ROOT"
|
||||
|
||||
APP="${REPO_ROOT}/client/build/macos/Build/Products/Release/pangolin_vpn.app"
|
||||
SE="${APP}/Contents/Library/SystemExtensions/${SYSEXT_BUNDLE_ID}.systemextension"
|
||||
[ -d "$APP" ] || { echo "ERROR: build product not found: ${APP}" >&2; exit 1; }
|
||||
[ -d "$SE" ] || { echo "ERROR: sysext bundle not found: ${SE}" >&2; exit 1; }
|
||||
|
||||
# ── [6/7] inside-out 重签(sysext → app frameworks → app),同 local_test.sh cmd_sign ──
|
||||
cat > "${WORK}/app.entitlements" <<PLIST
|
||||
<?xml version="1.0" encoding="UTF-8"?>
|
||||
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
|
||||
<plist version="1.0"><dict>
|
||||
<key>com.apple.application-identifier</key><string>${TEAM_ID}.${APP_BUNDLE_ID}</string>
|
||||
<key>com.apple.developer.team-identifier</key><string>${TEAM_ID}</string>
|
||||
<key>com.apple.developer.system-extension.install</key><true/>
|
||||
<key>com.apple.developer.networking.networkextension</key>
|
||||
<array><string>packet-tunnel-provider-systemextension</string></array>
|
||||
<key>com.apple.security.app-sandbox</key><false/>
|
||||
<key>com.apple.security.network.client</key><true/>
|
||||
<key>com.apple.security.network.server</key><true/>
|
||||
<key>keychain-access-groups</key>
|
||||
<array><string>${APP_GROUP}</string></array>
|
||||
</dict></plist>
|
||||
PLIST
|
||||
cat > "${WORK}/sysext.entitlements" <<PLIST
|
||||
<?xml version="1.0" encoding="UTF-8"?>
|
||||
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
|
||||
<plist version="1.0"><dict>
|
||||
<key>com.apple.application-identifier</key><string>${TEAM_ID}.${SYSEXT_BUNDLE_ID}</string>
|
||||
<key>com.apple.developer.team-identifier</key><string>${TEAM_ID}</string>
|
||||
<key>com.apple.developer.networking.networkextension</key>
|
||||
<array><string>packet-tunnel-provider-systemextension</string></array>
|
||||
<key>com.apple.security.app-sandbox</key><true/>
|
||||
<key>com.apple.security.application-groups</key>
|
||||
<array><string>group.com.pangolin.pangolin</string></array>
|
||||
</dict></plist>
|
||||
PLIST
|
||||
|
||||
echo "==> compile-macos: inside-out codesign (sysext -> frameworks -> app)"
|
||||
xattr -cr "$APP"
|
||||
cp "$SYSEXT_PROFILE" "${SE}/Contents/embedded.provisionprofile"
|
||||
cp "$APP_PROFILE" "${APP}/Contents/embedded.provisionprofile"
|
||||
|
||||
# sysext first — libbox is linked (not embedded) into the sysext binary
|
||||
# itself (see CLAUDE.md), so signing the sysext bundle re-covers its statically
|
||||
# linked libbox; no separate Libbox.framework to sign inside it.
|
||||
codesign --force --options runtime --timestamp \
|
||||
--entitlements "${WORK}/sysext.entitlements" --sign "$IDENTITY" "$SE"
|
||||
|
||||
if [ -d "${APP}/Contents/Frameworks" ]; then
|
||||
for item in "${APP}/Contents/Frameworks/"*; do
|
||||
[ -e "$item" ] && codesign --force --options runtime --timestamp --sign "$IDENTITY" "$item"
|
||||
done
|
||||
fi
|
||||
|
||||
codesign --force --options runtime --timestamp \
|
||||
--entitlements "${WORK}/app.entitlements" --sign "$IDENTITY" "$APP"
|
||||
|
||||
codesign --verify --deep --strict --verbose=2 "$APP"
|
||||
echo "==> compile-macos: signed + verified (${IDENTITY})"
|
||||
|
||||
# ── [7/7] 公证(notarytool,API key 三件套) + staple + 打包 ──────────────────
|
||||
echo "==> compile-macos: notarizing (notarytool submit --wait, ~1-5min)"
|
||||
NOTARIZE_ZIP="${WORK}/notarize.zip"
|
||||
ditto -c -k --keepParent "$APP" "$NOTARIZE_ZIP"
|
||||
printf '%s' "$APPSTORE_API_KEY_P8_BASE64" | base64 --decode > "${WORK}/AuthKey.p8"
|
||||
xcrun notarytool submit "$NOTARIZE_ZIP" \
|
||||
--key "${WORK}/AuthKey.p8" \
|
||||
--key-id "$APPSTORE_API_KEY_ID" \
|
||||
--issuer "$APPSTORE_API_ISSUER_ID" \
|
||||
--wait
|
||||
|
||||
xcrun stapler staple "$APP"
|
||||
xcrun stapler validate "$APP"
|
||||
spctl -a -vvv -t install "$APP" || true # 期望 source=Notarized Developer ID
|
||||
echo "==> compile-macos: notarized + stapled"
|
||||
|
||||
mkdir -p "${REPO_ROOT}/dist"
|
||||
ditto -c -k --keepParent "$APP" "${REPO_ROOT}/dist/pangolin-macos-x64.zip"
|
||||
|
||||
echo "==> compile-macos: done — dist/ contents:"
|
||||
ls -lh "${REPO_ROOT}/dist/"
|
||||
@@ -47,7 +47,7 @@ if ! [[ "$TAG" =~ ^client-v[0-9]+\.[0-9]+\.[0-9]+(-[A-Za-z0-9.]+)?$ ]]; then
|
||||
exit 1
|
||||
fi
|
||||
|
||||
if [ ! -f dist/pangolin-android.apk ] && [ ! -f dist/pangolin-windows-x64-setup.exe ]; then
|
||||
if [ ! -f dist/pangolin-android.apk ] && [ ! -f dist/pangolin-windows-x64-setup.exe ] && [ ! -f dist/pangolin-macos-x64.zip ]; then
|
||||
echo "deploy-client: no artifacts found in dist/ — nothing to deploy" >&2
|
||||
exit 1
|
||||
fi
|
||||
@@ -70,7 +70,13 @@ if [ -f dist/pangolin-windows-x64-setup.exe ]; then
|
||||
$SSH "root@${DEPLOY_HOST}" "rm -f ${DOWNLOADS_DIR}/pangolin-windows-x64-setup.exe && mv /tmp/pangolin-windows-x64-setup.exe.new ${DOWNLOADS_DIR}/pangolin-windows-x64-setup.exe && chmod 644 ${DOWNLOADS_DIR}/pangolin-windows-x64-setup.exe"
|
||||
fi
|
||||
|
||||
# TODO(controller): macOS artifact not yet produced by this draft — add the
|
||||
# same guarded upload+swap once compile-macos.sh lands (Phase 3).
|
||||
if [ -f dist/pangolin-macos-x64.zip ]; then
|
||||
echo "==> deploy-client: uploading pangolin-macos-x64.zip"
|
||||
$SCP dist/pangolin-macos-x64.zip "root@${DEPLOY_HOST}:/tmp/pangolin-macos-x64.zip.new"
|
||||
$SSH "root@${DEPLOY_HOST}" "rm -f ${DOWNLOADS_DIR}/pangolin-macos-x64.zip && mv /tmp/pangolin-macos-x64.zip.new ${DOWNLOADS_DIR}/pangolin-macos-x64.zip && chmod 644 ${DOWNLOADS_DIR}/pangolin-macos-x64.zip"
|
||||
fi
|
||||
|
||||
# iOS has no dist/ artifact to deploy here — compile-ios.sh uploads straight
|
||||
# to TestFlight via altool (matches jiu).
|
||||
|
||||
echo "==> deploy-client: done"
|
||||
|
||||
@@ -1,14 +1,27 @@
|
||||
#!/usr/bin/env bash
|
||||
# release-client.sh <tag> — ensure the Forgejo release for a client-v* tag
|
||||
# exists and upload whichever client artifacts are present in dist/.
|
||||
# exists, upload whichever client artifacts are present in dist/, and roll
|
||||
# the auto-update manifest (deploy/single-node/version.yaml) forward.
|
||||
#
|
||||
# Mirrors ~/code/jiu/scripts/ci/release-client.sh's asset-guarding pattern,
|
||||
# but uses pangolin's own lib-forgejo.sh API (forgejo_release_ensure /
|
||||
# forgejo_upload_asset — different names/signature than jiu's create_release/
|
||||
# upload_asset) and drops jiu's version.yaml/CHANGELOG bookkeeping entirely:
|
||||
# pangolin has no equivalent backend/config/version.yaml manifest — client
|
||||
# self-update checking is out of scope here (server just serves the release
|
||||
# assets; see deploy-client.sh).
|
||||
# upload_asset).
|
||||
#
|
||||
# Manifest handling differs from jiu on purpose: jiu's backend reads
|
||||
# backend/config/version.yaml straight out of its own working directory, so
|
||||
# rewriting that file in the repo checkout is enough. Pangolin's server reads
|
||||
# VERSION_MANIFEST from /etc/pangolin (see server/internal/httpapi/version.go
|
||||
# + deploy/single-node/deploy.sh), a path that lives on pangolin1, not in any
|
||||
# git checkout — so getting the new version/build_number onto the live host
|
||||
# needs an SSH push, the same DEPLOY_SSH_KEY / lib-ssh.sh path
|
||||
# deploy-client.sh already uses for the downloads/ dir (see
|
||||
# .gitea/workflows/deploy-client.yml, which now passes DEPLOY_SSH_KEY into
|
||||
# this step too). Also unlike jiu, download_urls are fixed "latest" stable
|
||||
# URLs (deploy-client.sh keeps only one file per platform) and changelog[]
|
||||
# isn't populated yet (no CHANGELOG-client.md in this repo) — so only
|
||||
# version/build_number are rewritten here, everything else in the manifest
|
||||
# template is passed through unchanged.
|
||||
#
|
||||
# Multiple platform build jobs (android/windows/...) all upload into the SAME
|
||||
# release, guarded by `[ -f ... ]` since a given CI run may only have built a
|
||||
@@ -16,10 +29,13 @@
|
||||
set -euo pipefail
|
||||
|
||||
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
|
||||
REPO_ROOT="$(cd "${SCRIPT_DIR}/../.." && pwd)"
|
||||
# shellcheck source=scripts/ci/_env.sh
|
||||
. "${SCRIPT_DIR}/_env.sh"
|
||||
# shellcheck source=scripts/ci/lib-forgejo.sh
|
||||
. "${SCRIPT_DIR}/lib-forgejo.sh"
|
||||
# shellcheck source=scripts/ci/lib-ssh.sh
|
||||
. "${SCRIPT_DIR}/lib-ssh.sh"
|
||||
|
||||
TAG="${1:?usage: release-client.sh <tag>}"
|
||||
|
||||
@@ -41,12 +57,59 @@ if [ -f dist/pangolin-windows-x64-setup.exe ]; then
|
||||
forgejo_upload_asset "$TAG" dist/pangolin-windows-x64-setup.exe
|
||||
fi
|
||||
|
||||
# TODO(controller): macOS artifact not yet built by any compile-*.sh in this
|
||||
# draft (Phase 3 / Task 9 of docs/superpowers/plans/2026-07-05-cicd.md is out
|
||||
# of scope for this task). Once compile-macos.sh lands, add here:
|
||||
# if [ -f dist/pangolin-macos-x64.zip ]; then
|
||||
# forgejo_upload_asset "$TAG" dist/pangolin-macos-x64.zip
|
||||
# fi
|
||||
if [ -f dist/pangolin-macos-x64.zip ]; then
|
||||
forgejo_upload_asset "$TAG" dist/pangolin-macos-x64.zip
|
||||
fi
|
||||
|
||||
# iOS has no dist/ artifact — compile-ios.sh uploads straight to TestFlight
|
||||
# via altool (matches jiu), nothing to attach to the Forgejo release here.
|
||||
|
||||
# ── Auto-update manifest: bump version/build_number, stage + push to pangolin1 ──
|
||||
# BUILD is derived the exact same way compile-android.sh derives the APK's
|
||||
# Android versionCode (major*10000 + minor*100 + patch) so the manifest's
|
||||
# build_number stays consistent with the shipped APK for a given tag, rather
|
||||
# than being an independently-incremented counter like jiu's.
|
||||
MAJOR="${VER%%.*}"
|
||||
_REST="${VER#*.}"
|
||||
MINOR="${_REST%%.*}"
|
||||
PATCH="${_REST#*.}"
|
||||
PATCH="${PATCH%%-*}"
|
||||
BUILD=$(( MAJOR * 10000 + MINOR * 100 + PATCH ))
|
||||
|
||||
MANIFEST_TMPL="${REPO_ROOT}/deploy/single-node/version.yaml"
|
||||
MANIFEST_OUT="/tmp/pangolin_version_manifest.$$.yaml"
|
||||
|
||||
if [ -f "$MANIFEST_TMPL" ]; then
|
||||
: > "$MANIFEST_OUT"
|
||||
while IFS= read -r line || [ -n "$line" ]; do
|
||||
case "$line" in
|
||||
version:*) printf 'version: "%s"\n' "$VER" >> "$MANIFEST_OUT" ;;
|
||||
build_number:*) printf 'build_number: %d\n' "$BUILD" >> "$MANIFEST_OUT" ;;
|
||||
*) printf '%s\n' "$line" >> "$MANIFEST_OUT" ;;
|
||||
esac
|
||||
done < "$MANIFEST_TMPL"
|
||||
|
||||
mkdir -p dist
|
||||
cp "$MANIFEST_OUT" dist/version.yaml
|
||||
# Stage as a release asset too, so a manual rollback can re-fetch the exact
|
||||
# manifest that shipped alongside this tag (mirrors jiu's rationale).
|
||||
forgejo_upload_asset "$TAG" dist/version.yaml
|
||||
|
||||
if [ -n "${DEPLOY_SSH_KEY:-}" ]; then
|
||||
echo "==> release-client: pushing version.yaml (version=${VER} build_number=${BUILD}) to pangolin1"
|
||||
setup_ssh
|
||||
SCP="scp -i ${SSH_KEY_FILE} -P ${DEPLOY_PORT} -o StrictHostKeyChecking=accept-new -o UserKnownHostsFile=${SSH_KNOWN_HOSTS_FILE}"
|
||||
$SSH "root@${DEPLOY_HOST}" "mkdir -p /etc/pangolin"
|
||||
$SCP "$MANIFEST_OUT" "root@${DEPLOY_HOST}:/tmp/pangolin_version.yaml.new"
|
||||
$SSH "root@${DEPLOY_HOST}" "mv /tmp/pangolin_version.yaml.new /etc/pangolin/version.yaml && chown pangolin:pangolin /etc/pangolin/version.yaml && chmod 644 /etc/pangolin/version.yaml"
|
||||
echo "==> release-client: version.yaml deployed to pangolin1 (/etc/pangolin/version.yaml)"
|
||||
else
|
||||
echo "==> release-client: DEPLOY_SSH_KEY not set — skipping live manifest push (dist/version.yaml still staged + uploaded as a release asset)"
|
||||
fi
|
||||
rm -f "$MANIFEST_OUT"
|
||||
else
|
||||
echo "==> release-client: WARN manifest template ${MANIFEST_TMPL} not found — skipping version.yaml update" >&2
|
||||
fi
|
||||
|
||||
echo "==> release-client: done — Release ${TAG} updated. dist/ contents:"
|
||||
ls -lh dist/ 2>/dev/null || true
|
||||
|
||||
@@ -138,6 +138,13 @@ func main() {
|
||||
downloadsHandler := httpapi.NewDownloadsHandler(os.Getenv("DOWNLOADS_DIR"))
|
||||
r.Get("/downloads/*", downloadsHandler.Serve)
|
||||
|
||||
// Public (no auth): 客户端自动更新版本清单。VERSION_MANIFEST 可配置清单路径
|
||||
// (默认 /etc/pangolin/version.yaml);deploy/single-node/deploy.sh 安装仓库内
|
||||
// 默认清单,scripts/ci/release-client.sh 在每次 client-v* 发版时改写其
|
||||
// version/build_number。每次请求都重新读文件,发版脚本改完立即生效,无需重启。
|
||||
versionHandler := httpapi.NewVersionHandler(os.Getenv("VERSION_MANIFEST"))
|
||||
r.Get("/version", versionHandler.Serve)
|
||||
|
||||
// Optional probe ingest route. sharedProbeStore is reused by the scheduler
|
||||
// (below) when both are enabled, so they share one Redis-backed store.
|
||||
var sharedProbeStore *probe.Store
|
||||
|
||||
@@ -0,0 +1,137 @@
|
||||
package httpapi
|
||||
|
||||
import (
|
||||
"encoding/json"
|
||||
"net/http"
|
||||
"os"
|
||||
|
||||
"gopkg.in/yaml.v3"
|
||||
)
|
||||
|
||||
// defaultVersionManifestPath is VERSION_MANIFEST's default when unset — mirrors
|
||||
// how server.env wires DOWNLOADS_DIR alongside DownloadsHandler's own built-in
|
||||
// default (see downloads.go / deploy/single-node/deploy.sh).
|
||||
const defaultVersionManifestPath = "/etc/pangolin/version.yaml"
|
||||
|
||||
// Fallback values used ONLY when the manifest file itself is missing (fresh
|
||||
// box that hasn't run deploy/single-node/deploy.sh's manifest-install step
|
||||
// yet, or a local dev server). These are hand-set, not auto-derived — once a
|
||||
// box is deployed, the real source of truth is the on-disk manifest that
|
||||
// scripts/ci/release-client.sh overwrites on every client-v* release.
|
||||
const (
|
||||
defaultManifestVersion = "1.0.48"
|
||||
defaultManifestBuildNumber = 10048
|
||||
)
|
||||
|
||||
// changelogSection / changelogEntry mirror jiu's backend/config/version.yaml
|
||||
// shape (~/code/jiu/backend/internal/handler/version.go) so any future shared
|
||||
// tooling (e.g. a website changelog widget) can treat both services'
|
||||
// /version responses identically. Pangolin's release pipeline doesn't
|
||||
// populate Changelog yet (no CHANGELOG-client.md parsing wired in
|
||||
// scripts/ci/release-client.sh) — the field exists for shape-compatibility
|
||||
// and always serializes as [] rather than null.
|
||||
type changelogSection struct {
|
||||
Type string `yaml:"type" json:"type"`
|
||||
Items []string `yaml:"items" json:"items"`
|
||||
}
|
||||
|
||||
type changelogEntry struct {
|
||||
Version string `yaml:"version" json:"version"`
|
||||
Date string `yaml:"date" json:"date"`
|
||||
Intro string `yaml:"intro" json:"intro"`
|
||||
Sections []changelogSection `yaml:"sections" json:"sections"`
|
||||
}
|
||||
|
||||
// versionManifest is the on-disk (and wire) shape of the auto-update
|
||||
// manifest. download_urls keys in practice: macos, windows, ios, android
|
||||
// (web is intentionally not used — pangolin's client is native-only).
|
||||
type versionManifest struct {
|
||||
Version string `yaml:"version" json:"version"`
|
||||
BuildNumber int `yaml:"build_number" json:"build_number"`
|
||||
ForceUpdate bool `yaml:"force_update" json:"force_update"`
|
||||
ReleaseNotes string `yaml:"release_notes" json:"release_notes"`
|
||||
DownloadURLs map[string]string `yaml:"download_urls" json:"download_urls"`
|
||||
Changelog []changelogEntry `yaml:"changelog" json:"changelog"`
|
||||
}
|
||||
|
||||
// VersionHandler serves GET /version (public, no auth — mounted directly in
|
||||
// main.go next to /healthz and /downloads/*). Unlike most handlers in this
|
||||
// package it re-reads its manifest file from disk on EVERY request rather
|
||||
// than caching it in memory: scripts/ci/release-client.sh rewrites
|
||||
// /etc/pangolin/version.yaml's version/build_number on each client-v*
|
||||
// release, and that must take effect immediately without a control-plane
|
||||
// restart or redeploy (mirrors jiu's loadVersionConfig()-per-request).
|
||||
type VersionHandler struct {
|
||||
path string
|
||||
}
|
||||
|
||||
// NewVersionHandler builds a VersionHandler reading the manifest at path.
|
||||
// path=="" falls back to defaultVersionManifestPath (in production this is
|
||||
// overridden via the VERSION_MANIFEST env var — see main.go).
|
||||
func NewVersionHandler(path string) *VersionHandler {
|
||||
if path == "" {
|
||||
path = defaultVersionManifestPath
|
||||
}
|
||||
return &VersionHandler{path: path}
|
||||
}
|
||||
|
||||
// defaultManifest is returned when the manifest file doesn't exist yet, so
|
||||
// GET /version still answers usefully (client update-checks shouldn't hard
|
||||
// fail just because deploy/single-node/deploy.sh hasn't run on this box).
|
||||
func defaultManifest() versionManifest {
|
||||
return versionManifest{
|
||||
Version: defaultManifestVersion,
|
||||
BuildNumber: defaultManifestBuildNumber,
|
||||
ForceUpdate: false,
|
||||
ReleaseNotes: "",
|
||||
DownloadURLs: map[string]string{
|
||||
"android": "https://api.yanmeiai.com/downloads/pangolin-android.apk",
|
||||
"windows": "https://api.yanmeiai.com/downloads/pangolin-windows-x64-setup.exe",
|
||||
"macos": "",
|
||||
"ios": "",
|
||||
},
|
||||
Changelog: []changelogEntry{},
|
||||
}
|
||||
}
|
||||
|
||||
// loadManifest reads+parses h.path. A missing file is NOT an error (falls
|
||||
// back to defaultManifest()); any other read/parse failure IS, so ServeHTTP
|
||||
// can 500 instead of silently masking a corrupt manifest written by a bad
|
||||
// release-client.sh run.
|
||||
func (h *VersionHandler) loadManifest() (versionManifest, error) {
|
||||
data, err := os.ReadFile(h.path)
|
||||
if err != nil {
|
||||
if os.IsNotExist(err) {
|
||||
return defaultManifest(), nil
|
||||
}
|
||||
return versionManifest{}, err
|
||||
}
|
||||
var m versionManifest
|
||||
if err := yaml.Unmarshal(data, &m); err != nil {
|
||||
return versionManifest{}, err
|
||||
}
|
||||
// Keep the JSON response shape stable (empty object/array, never null)
|
||||
// regardless of what the manifest on disk happens to omit.
|
||||
if m.DownloadURLs == nil {
|
||||
m.DownloadURLs = map[string]string{}
|
||||
}
|
||||
if m.Changelog == nil {
|
||||
m.Changelog = []changelogEntry{}
|
||||
}
|
||||
return m, nil
|
||||
}
|
||||
|
||||
// Serve handles GET /version. Named Serve (not ServeHTTP) to match
|
||||
// DownloadsHandler's convention in this package (see downloads.go).
|
||||
func (h *VersionHandler) Serve(w http.ResponseWriter, r *http.Request) {
|
||||
m, err := h.loadManifest()
|
||||
if err != nil {
|
||||
w.Header().Set("Content-Type", "application/json; charset=utf-8")
|
||||
w.WriteHeader(http.StatusInternalServerError)
|
||||
_ = json.NewEncoder(w).Encode(map[string]string{"error": "version manifest unavailable"})
|
||||
return
|
||||
}
|
||||
w.Header().Set("Content-Type", "application/json; charset=utf-8")
|
||||
w.WriteHeader(http.StatusOK)
|
||||
_ = json.NewEncoder(w).Encode(m)
|
||||
}
|
||||
@@ -0,0 +1,160 @@
|
||||
package httpapi
|
||||
|
||||
import (
|
||||
"encoding/json"
|
||||
"net/http/httptest"
|
||||
"os"
|
||||
"path/filepath"
|
||||
"testing"
|
||||
|
||||
"github.com/go-chi/chi/v5"
|
||||
)
|
||||
|
||||
// buildVersionRouter mounts VersionHandler on a real chi router (mirrors how
|
||||
// main.go mounts GET /version) so routing behaves exactly as in production.
|
||||
func buildVersionRouter(path string) chi.Router {
|
||||
h := NewVersionHandler(path)
|
||||
r := chi.NewRouter()
|
||||
r.Get("/version", h.Serve)
|
||||
return r
|
||||
}
|
||||
|
||||
func TestVersionHandler_ServesManifestFromDisk(t *testing.T) {
|
||||
dir := t.TempDir()
|
||||
path := filepath.Join(dir, "version.yaml")
|
||||
yamlContent := `version: "1.2.3"
|
||||
build_number: 10203
|
||||
force_update: true
|
||||
release_notes: "测试发布说明"
|
||||
download_urls:
|
||||
android: "https://api.yanmeiai.com/downloads/pangolin-android.apk"
|
||||
windows: "https://api.yanmeiai.com/downloads/pangolin-windows-x64-setup.exe"
|
||||
macos: ""
|
||||
ios: ""
|
||||
changelog:
|
||||
- version: "1.2.3"
|
||||
date: "2026-07-06"
|
||||
intro: "小版本更新"
|
||||
sections:
|
||||
- type: "新增"
|
||||
items:
|
||||
- "示例条目"
|
||||
`
|
||||
if err := os.WriteFile(path, []byte(yamlContent), 0o644); err != nil {
|
||||
t.Fatalf("write fixture: %v", err)
|
||||
}
|
||||
|
||||
r := buildVersionRouter(path)
|
||||
req := httptest.NewRequest("GET", "/version", nil)
|
||||
rec := httptest.NewRecorder()
|
||||
r.ServeHTTP(rec, req)
|
||||
|
||||
if rec.Code != 200 {
|
||||
t.Fatalf("status = %d, want 200; body=%s", rec.Code, rec.Body.String())
|
||||
}
|
||||
|
||||
var got versionManifest
|
||||
if err := json.Unmarshal(rec.Body.Bytes(), &got); err != nil {
|
||||
t.Fatalf("unmarshal response: %v; body=%s", err, rec.Body.String())
|
||||
}
|
||||
|
||||
if got.Version != "1.2.3" {
|
||||
t.Errorf("version = %q, want %q", got.Version, "1.2.3")
|
||||
}
|
||||
if got.BuildNumber != 10203 {
|
||||
t.Errorf("build_number = %d, want %d", got.BuildNumber, 10203)
|
||||
}
|
||||
if !got.ForceUpdate {
|
||||
t.Errorf("force_update = false, want true")
|
||||
}
|
||||
if got.ReleaseNotes != "测试发布说明" {
|
||||
t.Errorf("release_notes = %q, want %q", got.ReleaseNotes, "测试发布说明")
|
||||
}
|
||||
if got.DownloadURLs["android"] != "https://api.yanmeiai.com/downloads/pangolin-android.apk" {
|
||||
t.Errorf("download_urls.android = %q", got.DownloadURLs["android"])
|
||||
}
|
||||
if got.DownloadURLs["windows"] != "https://api.yanmeiai.com/downloads/pangolin-windows-x64-setup.exe" {
|
||||
t.Errorf("download_urls.windows = %q", got.DownloadURLs["windows"])
|
||||
}
|
||||
if got.DownloadURLs["macos"] != "" || got.DownloadURLs["ios"] != "" {
|
||||
t.Errorf("expected empty macos/ios download URLs, got macos=%q ios=%q", got.DownloadURLs["macos"], got.DownloadURLs["ios"])
|
||||
}
|
||||
if len(got.Changelog) != 1 || got.Changelog[0].Version != "1.2.3" {
|
||||
t.Errorf("changelog = %+v, want 1 entry for version 1.2.3", got.Changelog)
|
||||
}
|
||||
}
|
||||
|
||||
func TestVersionHandler_MissingFileReturnsDefault(t *testing.T) {
|
||||
dir := t.TempDir()
|
||||
path := filepath.Join(dir, "does-not-exist.yaml")
|
||||
|
||||
r := buildVersionRouter(path)
|
||||
req := httptest.NewRequest("GET", "/version", nil)
|
||||
rec := httptest.NewRecorder()
|
||||
r.ServeHTTP(rec, req)
|
||||
|
||||
if rec.Code != 200 {
|
||||
t.Fatalf("status = %d, want 200 (missing file falls back to default manifest); body=%s", rec.Code, rec.Body.String())
|
||||
}
|
||||
|
||||
var got versionManifest
|
||||
if err := json.Unmarshal(rec.Body.Bytes(), &got); err != nil {
|
||||
t.Fatalf("unmarshal response: %v; body=%s", err, rec.Body.String())
|
||||
}
|
||||
if got.Version == "" {
|
||||
t.Errorf("default manifest: version should not be empty")
|
||||
}
|
||||
if got.DownloadURLs["android"] == "" {
|
||||
t.Errorf("default manifest: download_urls.android should not be empty")
|
||||
}
|
||||
if got.DownloadURLs["windows"] == "" {
|
||||
t.Errorf("default manifest: download_urls.windows should not be empty")
|
||||
}
|
||||
if got.Changelog == nil {
|
||||
t.Errorf("default manifest: changelog should be [] not null")
|
||||
}
|
||||
}
|
||||
|
||||
func TestVersionHandler_JSONShape(t *testing.T) {
|
||||
dir := t.TempDir()
|
||||
path := filepath.Join(dir, "version.yaml")
|
||||
if err := os.WriteFile(path, []byte(`version: "1.0.0"
|
||||
build_number: 10000
|
||||
force_update: false
|
||||
release_notes: ""
|
||||
download_urls:
|
||||
android: "https://example.com/a.apk"
|
||||
`), 0o644); err != nil {
|
||||
t.Fatalf("write fixture: %v", err)
|
||||
}
|
||||
|
||||
r := buildVersionRouter(path)
|
||||
req := httptest.NewRequest("GET", "/version", nil)
|
||||
rec := httptest.NewRecorder()
|
||||
r.ServeHTTP(rec, req)
|
||||
|
||||
var raw map[string]json.RawMessage
|
||||
if err := json.Unmarshal(rec.Body.Bytes(), &raw); err != nil {
|
||||
t.Fatalf("unmarshal raw response: %v", err)
|
||||
}
|
||||
for _, key := range []string{"version", "build_number", "force_update", "release_notes", "download_urls", "changelog"} {
|
||||
if _, ok := raw[key]; !ok {
|
||||
t.Errorf("response missing expected top-level key %q; body=%s", key, rec.Body.String())
|
||||
}
|
||||
}
|
||||
// changelog must serialize as an array even when the manifest omits it —
|
||||
// front-ends should be able to blindly .map()/range over it.
|
||||
if string(raw["changelog"]) != "[]" {
|
||||
t.Errorf("changelog = %s, want []", raw["changelog"])
|
||||
}
|
||||
if ct := rec.Header().Get("Content-Type"); ct != "application/json; charset=utf-8" {
|
||||
t.Errorf("Content-Type = %q, want application/json; charset=utf-8", ct)
|
||||
}
|
||||
}
|
||||
|
||||
func TestVersionHandler_DefaultPathFallback(t *testing.T) {
|
||||
h := NewVersionHandler("")
|
||||
if h.path != defaultVersionManifestPath {
|
||||
t.Errorf("NewVersionHandler(\"\").path = %q, want %q", h.path, defaultVersionManifestPath)
|
||||
}
|
||||
}
|
||||
Reference in New Issue
Block a user