# Claude Desktop — AppImage Build Pipeline # Triggert bei [appimage] im Commit oder bei Release-Tags (v*) # Runner: data-it/forgejo-runner mit Rust + GTK vorinstalliert name: Build AppImage on: push: tags: - 'v*' branches: - main jobs: build: # Laeuft auf dem Debian-Runner (16-Forgejo-Runner-AppImage) - glibc fuer linuxdeploy runs-on: appimage if: contains(github.event.head_commit.message, '[appimage]') || startsWith(github.ref, 'refs/tags/v') steps: - name: Notify start uses: https://git.data-it-solution.de/data/ntfy-action@main with: status: start project: claude-desktop auth: ${{ secrets.NTFY_AUTH }} - name: Checkout run: | git clone --depth 1 --branch "${GITHUB_REF_NAME}" \ "https://oauth2:${{ secrets.REGISTRY_TOKEN }}@git.data-it-solution.de/${GITHUB_REPOSITORY}.git" . - name: Show Rust Version run: | rustc --version cargo --version - name: App-Version festlegen # Version EINMAL am Anfang festlegen (KB #160) — wird als Env an alle Folge-Steps durchgereicht run: | APP_VERSION="$(date +%Y%m%d-%H%M)" echo "APP_VERSION=${APP_VERSION}" >> $GITHUB_ENV echo "App-Version: ${APP_VERSION}" - name: Install npm packages run: npm ci - name: Build Tauri App env: APP_VERSION: ${{ env.APP_VERSION }} # Wird als Basic-Auth (user: "data") fuer /api/packages gebraucht. # REGISTRY_TOKEN hat Package-Read-Rechte und ist im Repo bereits gesetzt. UPDATE_TOKEN: ${{ secrets.REGISTRY_TOKEN }} run: | npm run tauri build -- --bundles appimage ls -la src-tauri/target/release/bundle/appimage/ - name: Patch AppRun fuer NixOS-Support + Re-Bundle run: | set -e BUNDLE_DIR=src-tauri/target/release/bundle/appimage APPDIR=$(ls -d "$BUNDLE_DIR"/*.AppDir | head -1) OLD_APPIMAGE=$(ls "$BUNDLE_DIR"/*.AppImage | head -1) OLD_NAME=$(basename "$OLD_APPIMAGE") echo "AppDir: $APPDIR" echo "Original AppImage: $OLD_NAME" # Original AppRun sichern + ueberhaupt: das linuxdeploy-Original # ist sehr klein, laedt einen Hook (linuxdeploy-plugin-gtk.sh) der # ALLE ENV-Vars korrekt setzt (LD_LIBRARY_PATH, WEBKIT_EXEC_PATH, # GDK_PIXBUF etc.), dann ruft es AppRun.wrapped auf. # Wir ergaenzen davor nur unsere NixOS+WebKit-Workarounds. cp "$APPDIR/AppRun" "$APPDIR/AppRun.original" cat > "$APPDIR/AppRun" << 'APPRUN_EOF' #!/bin/bash HERE="$(readlink -f "$(dirname "$0")")" # --- NixOS-Detection --- # Host-Mesa unter /run/opengl-driver bevorzugen, # weil bundled Mesa gegen NixOS-Treiber kollidiert if [ -d /run/opengl-driver/lib ]; then export LD_LIBRARY_PATH="/run/opengl-driver/lib:${LD_LIBRARY_PATH}" fi # --- WebKit-Workarounds --- # fuer problematische GPU/Compositor-Stacks (Wayland-Bugs, NVIDIA, etc.) # Nur setzen wenn User nichts vorgegeben hat (override moeglich). : "${WEBKIT_DISABLE_DMABUF_RENDERER:=1}" : "${WEBKIT_DISABLE_COMPOSITING_MODE:=1}" export WEBKIT_DISABLE_DMABUF_RENDERER WEBKIT_DISABLE_COMPOSITING_MODE # --- Original linuxdeploy-Logik (1:1 wie AppRun.original) --- set -e source "$HERE"/apprun-hooks/linuxdeploy-plugin-gtk.sh exec "$HERE"/AppRun.wrapped "$@" APPRUN_EOF chmod +x "$APPDIR/AppRun" echo "--- neuer AppRun ---" cat "$APPDIR/AppRun" # Altes AppImage weg, neu packen mit appimagetool rm "$OLD_APPIMAGE" appimagetool --no-appstream "$APPDIR" "$BUNDLE_DIR/$OLD_NAME" ls -la "$BUNDLE_DIR/" - name: Upload to Package Registry run: | set -e # --- AppImage vorbereiten --- ORIG=$(ls src-tauri/target/release/bundle/appimage/*.AppImage | head -1) # Tauri benennt mit "Claude Desktop_..." (Leerzeichen) -> URL-unsicher. SAFE_NAME=$(basename "$ORIG" | tr ' ' '-') APPIMAGE="$(dirname "$ORIG")/$SAFE_NAME" mv "$ORIG" "$APPIMAGE" FILENAME="$SAFE_NAME" # --- Natives Binary fuer Nix-Wrapper-Installationen vorbereiten --- # Cargo legt's unter target/release/claude-desktop (ohne CARGO_TARGET_DIR) BINARY_SRC="src-tauri/target/release/claude-desktop" if [ ! -x "$BINARY_SRC" ]; then echo "❌ Erwartetes Binary nicht gefunden: $BINARY_SRC" >&2 exit 1 fi BINARY_NAME="claude-desktop_${APP_VERSION}_linux-x86_64" cp "$BINARY_SRC" "/tmp/${BINARY_NAME}" # --- Scripts-Bundle fuer Nix-Wrapper vorbereiten --- # Enthaelt claude-bridge.js, package.json und package-lock.json. # Der Client fuehrt nach dem Extract `npm ci --omit=dev` aus → node_modules. BUNDLE_NAME="claude-desktop-bundle_${APP_VERSION}.tar.gz" tar -czf "/tmp/${BUNDLE_NAME}" \ --transform='s,^,,' \ scripts/claude-bridge.js \ package.json \ package-lock.json echo "Lade $FILENAME + $BINARY_NAME + $BUNDLE_NAME (v${APP_VERSION}) in Package Registry..." BASE="https://git.data-it-solution.de/api/packages/data/generic/claude-desktop" # SHA256-Hashes fuer Integritaets-Check in update.json SHA256=$(sha256sum "$APPIMAGE" | awk '{print $1}') BINARY_SHA256=$(sha256sum "/tmp/${BINARY_NAME}" | awk '{print $1}') BUNDLE_SHA256=$(sha256sum "/tmp/${BUNDLE_NAME}" | awk '{print $1}') NOTES=$(git log -1 --pretty=%s) RELEASED_AT=$(date -Iseconds) # update.json-Manifest bauen — wird vom Client-Updater (update.rs) gelesen. # binary_*/bundle_* werden im Nix-Wrapper-Modus verwendet (siehe nix/default.nix). cat > /tmp/update.json </dev/null 2>&1 || true done # AppImage versioniert + latest hochladen curl --fail -sS -X PUT \ --user "data:${{ secrets.REGISTRY_TOKEN }}" \ --upload-file "$APPIMAGE" \ "${BASE}/${APP_VERSION}/${FILENAME}" curl --fail -sS -X PUT \ --user "data:${{ secrets.REGISTRY_TOKEN }}" \ --upload-file "$APPIMAGE" \ "${BASE}/latest/${FILENAME}" # Natives Binary versioniert + latest hochladen curl --fail -sS -X PUT \ --user "data:${{ secrets.REGISTRY_TOKEN }}" \ --upload-file "/tmp/${BINARY_NAME}" \ "${BASE}/${APP_VERSION}/${BINARY_NAME}" curl --fail -sS -X PUT \ --user "data:${{ secrets.REGISTRY_TOKEN }}" \ --upload-file "/tmp/${BINARY_NAME}" \ "${BASE}/latest/${BINARY_NAME}" # Scripts-Bundle versioniert + latest hochladen curl --fail -sS -X PUT \ --user "data:${{ secrets.REGISTRY_TOKEN }}" \ --upload-file "/tmp/${BUNDLE_NAME}" \ "${BASE}/${APP_VERSION}/${BUNDLE_NAME}" curl --fail -sS -X PUT \ --user "data:${{ secrets.REGISTRY_TOKEN }}" \ --upload-file "/tmp/${BUNDLE_NAME}" \ "${BASE}/latest/${BUNDLE_NAME}" # update.json versioniert + latest hochladen curl --fail -sS -X PUT \ --user "data:${{ secrets.REGISTRY_TOKEN }}" \ --upload-file /tmp/update.json \ "${BASE}/${APP_VERSION}/update.json" curl --fail -sS -X PUT \ --user "data:${{ secrets.REGISTRY_TOKEN }}" \ --upload-file /tmp/update.json \ "${BASE}/latest/update.json" echo "Upload abgeschlossen: ${FILENAME} + ${BINARY_NAME} + ${BUNDLE_NAME} (v${APP_VERSION})" echo " AppImage SHA256: ${SHA256}" echo " Bundle SHA256: ${BUNDLE_SHA256}" echo " Binary SHA256: ${BINARY_SHA256}" - name: Upload to Release if: startsWith(github.ref, 'refs/tags/v') run: | set -e # AppImage wurde im vorherigen Step schon umbenannt (Leerzeichen -> -) APPIMAGE=$(ls src-tauri/target/release/bundle/appimage/*.AppImage | head -1) FILENAME=$(basename "$APPIMAGE") TAG="${GITHUB_REF#refs/tags/}" echo "Lade $FILENAME zu Release $TAG hoch..." # Release erstellen falls nicht vorhanden curl -s -X POST \ -H "Authorization: token ${{ secrets.REGISTRY_TOKEN }}" \ -H "Content-Type: application/json" \ "https://git.data-it-solution.de/api/v1/repos/${GITHUB_REPOSITORY}/releases" \ -d "{\"tag_name\":\"${TAG}\",\"name\":\"${TAG}\",\"body\":\"Release ${TAG}\"}" || true # Release-ID holen RELEASE_ID=$(curl -s \ -H "Authorization: token ${{ secrets.REGISTRY_TOKEN }}" \ "https://git.data-it-solution.de/api/v1/repos/${GITHUB_REPOSITORY}/releases/tags/${TAG}" \ | grep -o '"id":[0-9]*' | head -1 | sed 's/"id"://') echo "Release-ID: $RELEASE_ID" # AppImage hochladen curl -s -X POST \ -H "Authorization: token ${{ secrets.REGISTRY_TOKEN }}" \ -H "Content-Type: application/octet-stream" \ "https://git.data-it-solution.de/api/v1/repos/${GITHUB_REPOSITORY}/releases/${RELEASE_ID}/assets?name=${FILENAME}" \ --data-binary "@${APPIMAGE}" echo "Upload abgeschlossen: ${FILENAME}" - name: Notify success if: success() uses: https://git.data-it-solution.de/data/ntfy-action@main with: status: success project: claude-desktop message: "Version ${{ env.APP_VERSION }} verfuegbar — AppImage + Nix-Binary in Package Registry" auth: ${{ secrets.NTFY_AUTH }} - name: Notify failure if: failure() uses: https://git.data-it-solution.de/data/ntfy-action@main with: status: failure project: claude-desktop auth: ${{ secrets.NTFY_AUTH }}