chore: import upstream snapshot with attribution
Docker Publish / docker (web, apps/web/Dockerfile, web) (push) Failing after 0s
Docker Publish / docker (api, apps/api/Dockerfile, api) (push) Failing after 1s
Publish Extension / detect-version (push) Has been skipped
Publish Extension / submit (push) Has been cancelled

This commit is contained in:
wehub-resource-sync
2026-07-13 12:24:41 +08:00
commit d18ada4ee7
567 changed files with 118275 additions and 0 deletions
+201
View File
@@ -0,0 +1,201 @@
name: Build
on:
workflow_call:
inputs:
upload_artifacts:
required: false
type: boolean
default: false
description: 'Whether to upload build artifacts'
secrets:
MAC_CERT_P12_BASE64:
required: false
MAC_CERT_P12_PASSWORD:
required: false
APPLE_API_KEY_ID:
required: false
APPLE_API_ISSUER:
required: false
APPLE_API_KEY_P8_BASE64:
required: false
VITE_GLITCHTIP_DSN:
required: false
SENTRY_URL:
required: false
SENTRY_ORG:
required: false
SENTRY_PROJECT:
required: false
SENTRY_AUTH_TOKEN:
required: false
jobs:
build:
runs-on: ${{ matrix.os }}
strategy:
matrix:
include:
- platform: windows
os: windows-latest
build_script: pnpm run build:win
mac_ffmpeg_mode: native
- platform: macos
os: macos-latest
build_script: pnpm run build:mac
mac_ffmpeg_mode: universal
- platform: linux
os: ubuntu-latest
build_script: pnpm run build:linux
mac_ffmpeg_mode: native
steps:
- name: Check out Git repository
uses: actions/checkout@v4
- name: Install Node.js
uses: actions/setup-node@v4
with:
node-version: 22
- name: Install pnpm
uses: pnpm/action-setup@v4
with:
version: 11.1.2
- name: Install Dependencies
run: pnpm install --frozen-lockfile
- name: Lint and format check
run: pnpm run check && pnpm run typecheck
- name: Setup macOS signing
if: matrix.platform == 'macos'
shell: bash
env:
MAC_CERT_P12_BASE64: ${{ secrets.MAC_CERT_P12_BASE64 }}
MAC_CERT_P12_PASSWORD: ${{ secrets.MAC_CERT_P12_PASSWORD }}
APPLE_API_KEY_P8_BASE64: ${{ secrets.APPLE_API_KEY_P8_BASE64 }}
APPLE_API_KEY_ID: ${{ secrets.APPLE_API_KEY_ID }}
APPLE_API_ISSUER: ${{ secrets.APPLE_API_ISSUER }}
run: |
set -euo pipefail
echo "SIGNING_AVAILABLE=false" >> "$GITHUB_ENV"
# Check if all required secrets are present
if [[ -z "$MAC_CERT_P12_BASE64" ]] || [[ -z "$MAC_CERT_P12_PASSWORD" ]] || \
[[ -z "$APPLE_API_KEY_ID" ]] || [[ -z "$APPLE_API_ISSUER" ]] || \
[[ -z "$APPLE_API_KEY_P8_BASE64" ]]; then
echo "::notice::macOS signing secrets not available, skipping code signing setup"
exit 0
fi
CERT_PATH="$RUNNER_TEMP/mac_cert.p12"
KEYCHAIN_PATH="$RUNNER_TEMP/build.keychain"
API_KEY_PATH="$RUNNER_TEMP/AuthKey.p8"
echo "$MAC_CERT_P12_BASE64" | base64 --decode > "$CERT_PATH"
echo "$APPLE_API_KEY_P8_BASE64" | base64 --decode > "$API_KEY_PATH"
security create-keychain -p "$MAC_CERT_P12_PASSWORD" "$KEYCHAIN_PATH"
security set-keychain-settings -lut 21600 "$KEYCHAIN_PATH"
security unlock-keychain -p "$MAC_CERT_P12_PASSWORD" "$KEYCHAIN_PATH"
security import "$CERT_PATH" -k "$KEYCHAIN_PATH" -P "$MAC_CERT_P12_PASSWORD" -T /usr/bin/codesign -T /usr/bin/productbuild
security list-keychain -d user -s "$KEYCHAIN_PATH"
security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$MAC_CERT_P12_PASSWORD" "$KEYCHAIN_PATH"
echo "CSC_KEYCHAIN=$KEYCHAIN_PATH" >> "$GITHUB_ENV"
echo "CSC_KEY_PASSWORD=$MAC_CERT_P12_PASSWORD" >> "$GITHUB_ENV"
echo "APPLE_API_KEY=$API_KEY_PATH" >> "$GITHUB_ENV"
echo "APPLE_API_KEY_ID=$APPLE_API_KEY_ID" >> "$GITHUB_ENV"
echo "APPLE_API_ISSUER=$APPLE_API_ISSUER" >> "$GITHUB_ENV"
echo "SIGNING_AVAILABLE=true" >> "$GITHUB_ENV"
- name: Stamp release version and channel from tag
if: github.ref_type == 'tag'
shell: bash
# Stamp the tag version into package.json and, for prerelease tags, set the publish
# channel so electron-builder emits preview*.yml instead of latest*.yml (its GitHub
# provider does not derive the channel from the version on its own).
run: node apps/desktop/scripts/stamp-release.mjs "${GITHUB_REF_NAME}"
- name: Build application
env:
VIDBEE_MAC_FFMPEG_MODE: ${{ matrix.mac_ffmpeg_mode }}
VITE_GLITCHTIP_DSN: ${{ secrets.VITE_GLITCHTIP_DSN }}
VITE_GLITCHTIP_ENVIRONMENT: production
SENTRY_URL: ${{ secrets.SENTRY_URL }}
SENTRY_ORG: ${{ secrets.SENTRY_ORG }}
SENTRY_PROJECT: ${{ secrets.SENTRY_PROJECT }}
SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}
run: ${{ matrix.build_script }}
- name: Verify Windows release artifacts
if: matrix.platform == 'windows'
shell: pwsh
run: |
$dist = "apps/desktop/dist"
$requiredPatterns = @("*-setup.exe", "*-portable.exe", "*-windows-portable.zip")
foreach ($pattern in $requiredPatterns) {
$matches = Get-ChildItem -Path $dist -Filter $pattern -File
if ($matches.Count -eq 0) {
Write-Error "Missing Windows release artifact matching $pattern"
exit 1
}
$matches | ForEach-Object {
Write-Host "Found Windows release artifact: $($_.Name)"
}
}
- name: Verify macOS codesign and notarization
if: matrix.platform == 'macos' && env.SIGNING_AVAILABLE == 'true'
shell: bash
run: |
set -euo pipefail
apps_found=0
while IFS= read -r app; do
apps_found=1
echo "Verifying codesign for $app"
codesign --verify --deep --strict --verbose=2 "$app"
spctl -a -t exec -vv "$app"
echo "Validating notarization ticket for $app"
xcrun stapler validate "$app"
done < <(find apps/desktop/dist -type d -name "*.app" -prune -print)
if [[ "$apps_found" -eq 0 ]]; then
echo "::error::No .app bundles found in dist"
exit 1
fi
dmgs_found=0
while IFS= read -r dmg; do
dmgs_found=1
echo "Submitting DMG for notarization: $dmg"
xcrun notarytool submit "$dmg" --key "$APPLE_API_KEY" --key-id "$APPLE_API_KEY_ID" --issuer "$APPLE_API_ISSUER" --wait
echo "Stapling notarization ticket for $dmg"
xcrun stapler staple "$dmg"
echo "Validating notarization ticket for $dmg"
xcrun stapler validate "$dmg"
done < <(find apps/desktop/dist -type f -name "*.dmg" -print)
if [[ "$dmgs_found" -eq 0 ]]; then
echo "::notice::No DMG artifacts found to validate"
fi
- name: Upload build artifacts
if: inputs.upload_artifacts == true
uses: actions/upload-artifact@v4
with:
name: dist-${{ matrix.os }}
path: |
apps/desktop/dist/*.exe
apps/desktop/dist/*.zip
apps/desktop/dist/*.dmg
apps/desktop/dist/*.AppImage
apps/desktop/dist/*.snap
apps/desktop/dist/*.deb
apps/desktop/dist/*.rpm
apps/desktop/dist/*.tar.gz
apps/desktop/dist/*.yml
apps/desktop/dist/*.blockmap
retention-days: 1
if-no-files-found: error
+11
View File
@@ -0,0 +1,11 @@
name: CI
on:
pull_request:
branches: [ main ]
jobs:
build:
uses: ./.github/workflows/build.yml
with:
upload_artifacts: true
+122
View File
@@ -0,0 +1,122 @@
name: CLI Publish
# Publishes @vidbee/cli to npm when a `cli-vX.Y.Z` tag is pushed. Standalone
# from the Desktop release pipeline (NEX-148): the CLI ships independently
# so a `yt-dlp` probe-flag fix doesn't have to wait for a Desktop release.
on:
push:
tags:
- 'cli-v*'
workflow_dispatch:
inputs:
tag:
description: 'Tag to publish (cli-vX.Y.Z). When empty, builds from main but skips publish.'
required: false
default: ''
jobs:
publish:
runs-on: ubuntu-latest
permissions:
contents: write
steps:
- name: Check out Git repository
uses: actions/checkout@v4
with:
ref: ${{ github.event.inputs.tag || github.ref }}
- name: Resolve version from tag
id: meta
shell: bash
run: |
ref="${GITHUB_REF_NAME}"
if [[ -n "${{ github.event.inputs.tag }}" ]]; then
ref="${{ github.event.inputs.tag }}"
fi
if [[ "$ref" == cli-v* ]]; then
version="${ref#cli-v}"
echo "version=$version" >> "$GITHUB_OUTPUT"
echo "publish=true" >> "$GITHUB_OUTPUT"
if [[ "$version" == *-* ]]; then
echo "tag=next" >> "$GITHUB_OUTPUT"
else
echo "tag=latest" >> "$GITHUB_OUTPUT"
fi
else
echo "publish=false" >> "$GITHUB_OUTPUT"
echo "tag=latest" >> "$GITHUB_OUTPUT"
echo "version=" >> "$GITHUB_OUTPUT"
fi
- name: Install Node.js
uses: actions/setup-node@v4
with:
node-version: 22
registry-url: 'https://registry.npmjs.org'
- name: Install pnpm
uses: pnpm/action-setup@v4
with:
version: 11.1.2
- name: Install dependencies
run: pnpm install --filter ./apps/cli... --frozen-lockfile
- name: Verify package.json version matches tag
if: steps.meta.outputs.publish == 'true'
shell: bash
run: |
tag_version="${{ steps.meta.outputs.version }}"
pkg_version=$(node -p "require('./apps/cli/package.json').version")
if [[ "$pkg_version" != "$tag_version" ]]; then
echo "::error::Tag $tag_version does not match apps/cli/package.json version $pkg_version"
exit 1
fi
- name: Run CLI tests
run: pnpm --filter @vidbee/cli test
- name: Run CLI typecheck
run: pnpm --filter @vidbee/cli typecheck
- name: Build CLI bundle
run: pnpm --filter @vidbee/cli build
- name: Verify dist artifacts exist
run: pnpm --filter @vidbee/cli verify-dist
- name: Pack tarball (sanity-check files whitelist)
run: |
cd apps/cli
pnpm pack --pack-destination ../..
- name: Publish to npm
if: steps.meta.outputs.publish == 'true'
run: |
cd apps/cli
pnpm publish --no-git-checks --access public --tag ${{ steps.meta.outputs.tag }}
env:
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
- name: Create GitHub Release
if: steps.meta.outputs.publish == 'true'
uses: softprops/action-gh-release@v1
with:
tag_name: ${{ github.ref_name }}
name: '@vidbee/cli ${{ steps.meta.outputs.version }}'
body: |
`@vidbee/cli@${{ steps.meta.outputs.version }}` published to npm.
Install:
```sh
npm install -g @vidbee/cli@${{ steps.meta.outputs.version }}
pnpm add -g @vidbee/cli@${{ steps.meta.outputs.version }}
bun install -g @vidbee/cli@${{ steps.meta.outputs.version }}
```
See `apps/cli/CHANGELOG.md` for release notes.
files: |
*.tgz
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+71
View File
@@ -0,0 +1,71 @@
name: Docker Publish
on:
push:
branches:
- main
paths:
- 'apps/api/**'
- 'apps/desktop/resources/drizzle/**'
- 'apps/web/**'
- 'packages/**'
- 'pnpm-lock.yaml'
- 'pnpm-workspace.yaml'
- 'package.json'
- '.github/workflows/docker-publish.yml'
workflow_dispatch:
jobs:
docker:
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
include:
- app: api
dockerfile: apps/api/Dockerfile
image_suffix: api
- app: web
dockerfile: apps/web/Dockerfile
image_suffix: web
permissions:
contents: read
packages: write
steps:
- name: Check out repository
uses: actions/checkout@v4
- name: Set up QEMU
uses: docker/setup-qemu-action@v3
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Log in to GitHub Container Registry
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Extract image metadata
id: meta
uses: docker/metadata-action@v5
with:
images: ghcr.io/${{ github.repository_owner }}/vidbee-${{ matrix.image_suffix }}
tags: |
type=raw,value=latest,enable={{is_default_branch}}
type=sha,format=short
- name: Build and push image
uses: docker/build-push-action@v6
with:
context: .
file: ${{ matrix.dockerfile }}
platforms: linux/amd64,linux/arm64
push: true
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
build-args: |
VITE_API_URL=${{ vars.VITE_API_URL || 'http://localhost:3100' }}
+47
View File
@@ -0,0 +1,47 @@
name: Build Extension
on:
workflow_call:
inputs:
upload_artifacts:
required: false
type: boolean
default: false
description: 'Whether to upload build artifacts'
jobs:
build:
runs-on: ubuntu-latest
steps:
- name: Check out Git repository
uses: actions/checkout@v4
- name: Install pnpm
uses: pnpm/action-setup@v4
with:
version: 11.1.2
- name: Install Node.js
uses: actions/setup-node@v4
with:
node-version: 22
cache: 'pnpm'
cache-dependency-path: pnpm-lock.yaml
- name: Install dependencies
run: pnpm install --filter ./apps/extension...
- name: Build extension
run: pnpm --filter ./apps/extension build
- name: Build extension zip
run: pnpm --filter ./apps/extension zip
- name: Upload extension artifacts
if: inputs.upload_artifacts == true
uses: actions/upload-artifact@v4
with:
name: dist-extension
path: apps/extension/.output/*.zip
retention-days: 1
if-no-files-found: error
+84
View File
@@ -0,0 +1,84 @@
name: Publish Extension
on:
push:
branches: [ main ]
paths:
- apps/extension/package.json
jobs:
detect-version:
if: vars.ENABLE_EXTENSION_CI == 'true'
runs-on: ubuntu-latest
outputs:
changed: ${{ steps.version_check.outputs.changed }}
current_version: ${{ steps.version_check.outputs.current_version }}
previous_version: ${{ steps.version_check.outputs.previous_version }}
steps:
- name: Check out Git repository
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Check if extension version changed
id: version_check
shell: bash
run: |
set -euo pipefail
before_sha="${{ github.event.before }}"
current_version=$(node -e "const fs = require('fs'); const v = JSON.parse(fs.readFileSync('apps/extension/package.json', 'utf8')).version; process.stdout.write(v);")
previous_version=""
if git cat-file -e "${before_sha}:apps/extension/package.json" 2>/dev/null; then
previous_version=$(git show "${before_sha}:apps/extension/package.json" | node -e "let data=''; process.stdin.on('data', d => data += d); process.stdin.on('end', () => { const v = JSON.parse(data).version; process.stdout.write(v); });")
fi
echo "current_version=${current_version}" >> "$GITHUB_OUTPUT"
echo "previous_version=${previous_version}" >> "$GITHUB_OUTPUT"
if [[ -n "${previous_version}" && "${current_version}" == "${previous_version}" ]]; then
echo "changed=false" >> "$GITHUB_OUTPUT"
exit 0
fi
echo "changed=true" >> "$GITHUB_OUTPUT"
submit:
if: vars.ENABLE_EXTENSION_CI == 'true' && needs.detect-version.outputs.changed == 'true'
needs: detect-version
runs-on: ubuntu-latest
steps:
- name: Check out Git repository
uses: actions/checkout@v4
- name: Install pnpm
uses: pnpm/action-setup@v4
with:
version: 11.1.2
- name: Install Node.js
uses: actions/setup-node@v4
with:
node-version: 22
cache: 'pnpm'
cache-dependency-path: pnpm-lock.yaml
- name: Install dependencies
run: pnpm install --filter ./apps/extension...
- name: Build extension
run: pnpm --filter ./apps/extension build
- name: Zip extensions
run: pnpm --filter ./apps/extension zip
- name: Submit to stores
run: |
pnpm --dir apps/extension wxt submit \
--chrome-zip .output/*-chrome.zip
env:
CHROME_EXTENSION_ID: ${{ secrets.CHROME_EXTENSION_ID }}
CHROME_CLIENT_ID: ${{ secrets.CHROME_CLIENT_ID }}
CHROME_CLIENT_SECRET: ${{ secrets.CHROME_CLIENT_SECRET }}
CHROME_REFRESH_TOKEN: ${{ secrets.CHROME_REFRESH_TOKEN }}
CHROME_PUBLISH_TARGET: "default"
CHROME_SKIP_SUBMIT_REVIEW: false
+73
View File
@@ -0,0 +1,73 @@
name: Build and Release Electron App
on:
push:
tags:
- v*.*.*
workflow_dispatch:
# Never run two releases for the same ref at once, and never cancel an in-progress
# release (cancelling mid-publish could leave a half-uploaded GitHub release).
concurrency:
group: release-${{ github.ref }}
cancel-in-progress: false
jobs:
build:
uses: ./.github/workflows/build.yml
with:
upload_artifacts: true
secrets: inherit
release:
needs: [build]
runs-on: ubuntu-latest
# Only publish a GitHub release for tag pushes. A manual workflow_dispatch run
# has no tag, so it acts as a build-only smoke test (artifacts only, no release).
if: github.ref_type == 'tag'
steps:
- name: Check out Git repository
uses: actions/checkout@v4
- name: Detect release type
id: release_meta
shell: bash
run: |
if [[ "${GITHUB_REF_NAME}" == *-preview.* ]]; then
echo "is_preview=true" >> "$GITHUB_OUTPUT"
else
echo "is_preview=false" >> "$GITHUB_OUTPUT"
fi
- name: Download artifacts
uses: actions/download-artifact@v4
with:
pattern: dist-*
merge-multiple: true
path: dist/
- name: Release
uses: softprops/action-gh-release@v1
with:
generate_release_notes: true
prerelease: ${{ steps.release_meta.outputs.is_preview == 'true' }}
files: |
dist/*.exe
dist/*.zip
dist/*.dmg
dist/*.AppImage
dist/*.snap
dist/*.deb
dist/*.rpm
dist/*.tar.gz
dist/*.yml
dist/*.blockmap
env:
GITHUB_TOKEN: ${{ secrets.ACCESS_TOKEN }}
- name: Notify Cloudflare Pages
if: steps.release_meta.outputs.is_preview != 'true'
env:
CLOUDFLARE_WEBHOOK_URL: ${{ secrets.CLOUDFLARE_WEBHOOK_URL }}
run: |
curl -X POST "$CLOUDFLARE_WEBHOOK_URL"
+26
View File
@@ -0,0 +1,26 @@
name: 'translator'
on:
issues:
types: [opened, edited]
issue_comment:
types: [created, edited]
discussion:
types: [created, edited]
discussion_comment:
types: [created, edited]
jobs:
translate:
if: ${{ !github.event.issue.pull_request }}
permissions:
issues: write
discussions: write
pull-requests: write
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- uses: lizheming/github-translate-action@c55aac477e98562d4faed9f77c54ab8306ae6ebf
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
IS_MODIFY_TITLE: true
+129
View File
@@ -0,0 +1,129 @@
name: Auto Release yt-dlp Patch
on:
schedule:
- cron: '17 */6 * * *'
workflow_dispatch:
permissions:
contents: read
concurrency:
group: ytdlp-auto-release
cancel-in-progress: false
jobs:
prepare:
runs-on: ubuntu-latest
permissions:
contents: read
outputs:
update_available: ${{ steps.check.outputs.update_available }}
release_version: ${{ steps.prepare.outputs.release_version }}
latest_ytdlp_version: ${{ steps.prepare.outputs.latest_ytdlp_version }}
steps:
- name: Check out Git repository
uses: actions/checkout@v4
with:
ref: ${{ github.event.repository.default_branch }}
persist-credentials: false
- name: Install Node.js
uses: actions/setup-node@v4
with:
node-version: 22
- name: Check for yt-dlp updates
id: check
env:
YTDLP_RELEASE_TOKEN: ${{ github.token }}
run: node apps/desktop/scripts/ytdlp-auto-release.mjs check
- name: Prepare patch release
if: steps.check.outputs.update_available == 'true'
id: prepare
env:
YTDLP_RELEASE_TOKEN: ${{ github.token }}
run: node apps/desktop/scripts/ytdlp-auto-release.mjs prepare
- name: Install pnpm
if: steps.check.outputs.update_available == 'true'
uses: pnpm/action-setup@v4
with:
version: 11.1.2
- name: Install Dependencies
if: steps.check.outputs.update_available == 'true'
run: pnpm install --frozen-lockfile --ignore-scripts
- name: Validate release changes
if: steps.check.outputs.update_available == 'true'
run: pnpm run check
- name: Upload release changes
if: steps.check.outputs.update_available == 'true'
uses: actions/upload-artifact@v4
with:
name: ytdlp-release-changes
path: |
apps/desktop/package.json
apps/desktop/changelogs/CHANGELOG.md
apps/desktop/release-metadata.json
if-no-files-found: error
retention-days: 1
- name: Report up-to-date status
if: steps.check.outputs.update_available != 'true'
run: echo "yt-dlp is already up to date. No patch release is needed."
publish:
needs: prepare
if: needs.prepare.outputs.update_available == 'true'
runs-on: ubuntu-latest
permissions:
contents: write
env:
DEFAULT_BRANCH: ${{ github.event.repository.default_branch }}
RELEASE_VERSION: ${{ needs.prepare.outputs.release_version }}
LATEST_YTDLP_VERSION: ${{ needs.prepare.outputs.latest_ytdlp_version }}
steps:
- name: Check release token
env:
GH_TOKEN: ${{ secrets.ACCESS_TOKEN }}
run: |
if [ -z "${GH_TOKEN}" ]; then
echo "ACCESS_TOKEN secret is required to push the release commit and tag."
exit 1
fi
- name: Check out Git repository
uses: actions/checkout@v4
with:
token: ${{ secrets.ACCESS_TOKEN }}
ref: ${{ github.event.repository.default_branch }}
- name: Download release changes
uses: actions/download-artifact@v4
with:
name: ytdlp-release-changes
path: .ytdlp-release-changes
- name: Apply release changes
run: |
cp .ytdlp-release-changes/package.json apps/desktop/package.json
cp .ytdlp-release-changes/release-metadata.json apps/desktop/release-metadata.json
cp .ytdlp-release-changes/changelogs/CHANGELOG.md apps/desktop/changelogs/CHANGELOG.md
rm -rf .ytdlp-release-changes
- name: Commit release changes
run: |
git config user.name "github-actions[bot]"
git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
git add apps/desktop/package.json apps/desktop/changelogs/CHANGELOG.md apps/desktop/release-metadata.json
git commit -m "chore(release): publish v${RELEASE_VERSION} with yt-dlp ${LATEST_YTDLP_VERSION}"
git tag "v${RELEASE_VERSION}"
- name: Push release commit and tag
run: |
git push origin HEAD:${DEFAULT_BRANCH}
git push origin "v${RELEASE_VERSION}"