GitHub CI/CD
How to setup GitHub CI/CD to automate building, signing, and publishing your MōBrowser application across macOS, Windows, and Linux using GitHub Actions.
Overview
When you create a new MōBrowser project, you can enable GitHub Actions support. This includes a release workflow that automatically:
- Detects when you push a version tag (e.g.,
v1.0.0) - Builds your application for macOS, Windows, and Linux
- Signs the binaries and installers with your configured credentials
- Creates a GitHub Release with the signed artifacts
To enable the workflow template, scaffold your project using npm create mobrowser-app and answer “yes” to the GitHub Actions prompt. If you already have a project, you can copy the .github/workflows/release.yml file from a project scaffolded with the GitHub Actions.
Creating a release
To trigger a release, push a version tag to your repository:
- Update the version in
mobrowser.conf.json:
{
"version": "1.0.0"
}
- Commit your changes:
git add .
git commit -m "Release v1.0.0"
- Create and push a tag:
git tag v1.0.0
git push origin main
git push origin v1.0.0
The workflow is triggered automatically when it detects a tag matching the pattern v* (e.g., v1.0.0).
Setting up credentials
To enable signing in your workflow, you need to configure credentials for each platform. Add these as GitHub Secrets to your repository:
Important: Without setting these signing credentials, the generated installers and binaries inside these installers will not be signed. This means users will see security warnings when running your application, and it may not be permitted to run on their systems.
- Go to your repository on GitHub
- Navigate to Settings → Secrets and variables → Actions
- Click New repository secret
- Enter the secret name and value
- Click Add secret
macOS signing credentials
Configure the following secrets for signing on macOS:
| Secret Name | Description |
|---|---|
MAC_CERTIFICATE | Base64-encoded Developer ID Application certificate (.p12) |
MAC_CERTIFICATE_PWD | Password used to export the .p12 certificate from Keychain Access |
MAC_KEYCHAIN_PWD | Password for the temporary CI keychain created during the build |
MAC_CODESIGN_IDENTITY | Signing identity string, e.g. Developer ID Application: Company Name (TEAMID) |
MAC_TEAM_ID | Apple Developer Team ID (10-character string from developer.apple.com) |
MAC_APPLE_ID | Your Apple Developer account email |
MAC_APPLE_PASSWORD | App-specific password generated at appleid.apple.com for notarization |
Windows signing credentials
For cloud-based signing on Windows using Azure Artifact Signing, configure these secrets:
| Secret Name | Description |
|---|---|
AZURE_CLIENT_ID | Service Principal client ID |
AZURE_TENANT_ID | Azure Active Directory tenant ID of the service principal |
AZURE_CLIENT_SECRET | Client secret for the service principal |
AZURE_SIGNING_ENDPOINT | Azure signing endpoint (e.g., https://eus.codesigning.azure.net/) |
AZURE_SIGNING_ACCOUNT_NAME | Name of your Artifact Signing account |
AZURE_SIGNING_PROFILE_NAME | Name of your certificate profile |
See Azure Artifact Signing Setup for detailed instructions on acquiring these credentials.
Monitoring the release
To view the workflow status:
- Go to your repository on GitHub
- Click the Actions tab
- Select the workflow run to view logs and status
If a job fails:
- Check the job logs for error messages
- Verify all required secrets are set correctly
- Ensure signing credentials haven’t expired
- Check that your code builds successfully locally first