GitHub CI/CD
How to set up GitHub CI/CD to automate building, signing, and publishing your MōBrowser application across macOS, Windows, and Linux using GitHub Actions.
Overview
When you create a new MōBrowser project, you can enable GitHub Actions support. This includes a release workflow that automatically:
- Detects when you push a version tag (e.g., v1.0.0)
- Builds your application for macOS, Windows, and Linux
- Signs the binaries and installers with your configured credentials
- Creates a GitHub Release with the signed artifacts
To enable the workflow template, scaffold your project using npm create mobrowser-app and answer “yes” to the GitHub Actions prompt. If you already have a project, you can copy the .github/workflows/release.yml file from a project that was scaffolded with GitHub Actions support enabled.
Creating a release
To trigger a release, push a version tag to your repository:
- Update the version in mobrowser.conf.json:
  {
    "version": "1.0.0"
  }
- Commit your changes:
  git add .
  git commit -m "Release v1.0.0"
- Create and push a tag:
  git tag v1.0.0
  git push origin main
  git push origin v1.0.0
The workflow is triggered automatically when it detects a tag matching the pattern v* (e.g., v1.0.0).
Setting up credentials
To enable signing in your workflow, you need to configure credentials for each platform.
Important: Without setting these signing credentials, the generated installers and binaries inside these installers will not be signed. This means users will see security warnings when running your application, and it may not be permitted to run on their systems.
Creating an environment
Create a production environment to manage and control access to all signing credentials:
- Go to your repository on GitHub
- Navigate to Settings → Environments
- Click New environment and name it production
After creating the environment, you can add platform-specific environment secrets to it in the steps below.
macOS signing credentials
Add the following secrets to the production environment for signing on macOS:
| Secret Name | Description |
|---|---|
| MAC_CERTIFICATE | Base64-encoded Developer ID Application certificate (.p12) |
| MAC_CERTIFICATE_PWD | Password used to export the .p12 certificate from Keychain Access |
| MAC_KEYCHAIN_PWD | Password for the temporary CI keychain created during the build |
| MAC_CODESIGN_IDENTITY | Signing identity string, e.g. Developer ID Application: Company Name (TEAMID) |
| MAC_TEAM_ID | Apple Developer Team ID (10-character string from developer.apple.com) |
| MAC_APPLE_ID | Your Apple Developer account email |
| MAC_APPLE_PASSWORD | App-specific password generated at appleid.apple.com for notarization |
Windows signing credentials
For cloud-based signing on Windows using Azure Artifact Signing, add the following secrets to the production environment:
| Secret Name | Description |
|---|---|
| AZURE_CLIENT_ID | Service Principal client ID |
| AZURE_TENANT_ID | Azure Active Directory tenant ID of the service principal |
| AZURE_SUBSCRIPTION_ID | Azure subscription ID |
| AZURE_SIGNING_ENDPOINT | Azure signing endpoint (e.g., https://eus.codesigning.azure.net/) |
| AZURE_SIGNING_ACCOUNT_NAME | Name of your Artifact Signing account |
| AZURE_SIGNING_PROFILE_NAME | Name of your certificate profile |
See Azure Artifact Signing Setup for detailed instructions on acquiring these credentials.
The production environment allows you to securely authenticate GitHub Actions with Azure. Instead of storing long-lived secrets in your repository, GitHub uses OpenID Connect to exchange a short-lived token with Azure. Because this approach is environment-based, the workflow can be triggered by any event (including version tags).
Monitoring the release
To view the workflow status:
- Go to your repository on GitHub
- Click the Actions tab
- Select the workflow run to view logs and status
If a job fails:
- Check the job logs for error messages
- Verify all required secrets are set correctly
- Ensure signing credentials haven’t expired
- Check that your code builds successfully locally first
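A preflight step can automate the first checks in this list before any build or signing job runs. The script below is an added example, not part of the MōBrowser workflow template: the function names are hypothetical, and it assumes each secret is exposed to the step as an environment variable with the same name as the secret.

```shell
#!/bin/sh
# Release preflight (added example; function names are hypothetical).
# Assumption: the workflow exposes each secret to this step as an
# environment variable with the same name as the secret.

MAC_SECRETS="MAC_CERTIFICATE MAC_CERTIFICATE_PWD MAC_KEYCHAIN_PWD MAC_CODESIGN_IDENTITY MAC_TEAM_ID MAC_APPLE_ID MAC_APPLE_PASSWORD"
WIN_SECRETS="AZURE_CLIENT_ID AZURE_TENANT_ID AZURE_SUBSCRIPTION_ID AZURE_SIGNING_ENDPOINT AZURE_SIGNING_ACCOUNT_NAME AZURE_SIGNING_PROFILE_NAME"

# Print the NAME (never the value) of every required secret that is
# empty or unset for the given platform. Returns 1 if any are missing.
missing_secrets() {
    case "$1" in
        macos)   names=$MAC_SECRETS ;;
        windows) names=$WIN_SECRETS ;;
        *) echo "unknown platform: $1" >&2; return 2 ;;
    esac
    status=0
    for name in $names; do
        if [ -z "$(printenv "$name")" ]; then
            echo "$name"
            status=1
        fi
    done
    return $status
}

# Succeed only if the tag has the form v<version> and <version> equals
# the "version" field of the given mobrowser.conf.json.
tag_matches_config() {
    tag=$1
    conf=$2
    case "$tag" in
        v*) ;;
        *) return 1 ;;
    esac
    conf_version=$(sed -n 's/.*"version"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$conf" | head -n 1)
    [ -n "$conf_version" ] && [ "${tag#v}" = "$conf_version" ]
}
```

Call `tag_matches_config "$GITHUB_REF_NAME" mobrowser.conf.json` and `missing_secrets macos` (or `windows`) at the start of the matching job and fail the job on a non-zero status, so a mistyped tag or an unset secret stops the run before unsigned artifacts are produced.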