osaurus-ai
diff --git a/‎.github/workflows/release.yml‎
Lines changed: 345 additions & 0 deletions b/‎.github/workflows/release.yml‎
Lines changed: 345 additions & 0 deletions
diff --git a/‎.gitignore‎
Lines changed: 10 additions & 0 deletions b/‎.gitignore‎
Lines changed: 10 additions & 0 deletions
diff --git a/‎Package.swift‎
Lines changed: 16 additions & 0 deletions b/‎Package.swift‎
Lines changed: 16 additions & 0 deletions
@@ -0,0 +1,345 @@
+# =============================================================================
+# Osaurus Plugin Release Workflow
+# =============================================================================
+# This workflow automatically builds, signs, and releases your Osaurus plugin
+# when you push a version tag (e.g., 1.0.0). It also generates the registry
+# entry JSON for submitting to the plugin registry.
+#
+# SETUP:
+# 1. Update the configuration below for your plugin
+# 2. Add the required secrets to your repository:
+#    - MINISIGN_SECRET_KEY: Your minisign private key
+#    - MINISIGN_PUBLIC_KEY: Your minisign public key
+#    - MINISIGN_PASSWORD: Key password (optional, can be empty)
+#    - DEVELOPER_ID_CERTIFICATE_P12_BASE64: Base64-encoded .p12 certificate (for code signing)
+#    - DEVELOPER_ID_CERTIFICATE_PASSWORD: Password for the .p12 certificate
+#
+# USAGE:
+#   git tag 1.0.0
+#   git push origin 1.0.0
+#
+# After the workflow completes, follow the instructions in the workflow summary
+# to submit your plugin to the registry.
+# =============================================================================
+
+name: Build and Release
+
+on:
+  push:
+    tags:
+      - "[0-9]*"
+
+permissions:
+  contents: write
+
+# =============================================================================
+# CONFIGURATION - Update these values for your plugin
+# =============================================================================
+env:
+  # Your plugin ID
+  PLUGIN_ID: osaurus.contacts
+
+  # Display name for the plugin
+  PLUGIN_NAME: Contacts
+
+  # Brief description of what the plugin does
+  PLUGIN_DESCRIPTION: Interact with macOS Contacts.app - get phone numbers, find contacts by name or phone
+
+  # The built dynamic library name (without lib prefix and .dylib extension)
+  DYLIB_NAME: osaurus-contacts
+
+  # License (e.g., MIT, Apache-2.0)
+  LICENSE: MIT
+
+  # Minimum macOS version required
+  MIN_MACOS: "13.0"
+
+  # Minimum Osaurus version required (optional)
+  MIN_OSAURUS: "0.5.0"
+
+  # Tool definitions (JSON array of {name, description} objects)
+  TOOLS: '[{"name": "get_all_numbers", "description": "Get all contacts and their phone numbers"}, {"name": "find_number", "description": "Find phone numbers for a contact by name"}, {"name": "find_contact_by_phone", "description": "Find a contact name by their phone number"}]'
+
+# =============================================================================
+# JOBS - No changes needed below this line
+# =============================================================================
+jobs:
+  build:
+    runs-on: macos-14
+    outputs:
+      version: ${{ steps.version.outputs.VERSION }}
+      sha256: ${{ steps.sha256.outputs.SHA256 }}
+      size: ${{ steps.size.outputs.SIZE }}
+      signature_b64: ${{ steps.minisign.outputs.SIGNATURE_B64 }}
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup Swift
+        uses: swift-actions/setup-swift@v2
+        with:
+          swift-version: "6.0"
+
+      - name: Build Release
+        run: swift build -c release -Xswiftc -swift-version -Xswiftc 5
+
+      - name: Import Code Signing Certificate
+        id: codesign
+        env:
+          CERTIFICATE_P12_BASE64: ${{ secrets.DEVELOPER_ID_CERTIFICATE_P12_BASE64 }}
+          CERTIFICATE_PASSWORD: ${{ secrets.DEVELOPER_ID_CERTIFICATE_PASSWORD }}
+        run: |
+          if [ -z "$CERTIFICATE_P12_BASE64" ]; then
+            echo "⚠️  No DEVELOPER_ID_CERTIFICATE_P12_BASE64 configured, will use ad-hoc signing"
+            echo "   Note: Code signing is REQUIRED for distributed plugins"
+            echo "identity=" >> $GITHUB_OUTPUT
+            exit 0
+          fi
+
+          # Create a temporary keychain
+          KEYCHAIN_PATH="$RUNNER_TEMP/build.keychain-db"
+          KEYCHAIN_PASSWORD="$(openssl rand -base64 32)"
+
+          security create-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
+          security set-keychain-settings -lut 21600 "$KEYCHAIN_PATH"
+          security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
+
+          # Import certificate
+          CERT_PATH="$RUNNER_TEMP/certificate.p12"
+          echo "$CERTIFICATE_P12_BASE64" | base64 --decode > "$CERT_PATH"
+
+          security import "$CERT_PATH" \
+            -P "$CERTIFICATE_PASSWORD" \
+            -A \
+            -t cert \
+            -f pkcs12 \
+            -k "$KEYCHAIN_PATH"
+
+          # Add keychain to search list
+          security list-keychains -d user -s "$KEYCHAIN_PATH" $(security list-keychains -d user | tr -d '"')
+
+          # Allow codesign to access the key without prompting
+          security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
+
+          # Extract signing identity from certificate
+          IDENTITY=$(security find-identity -v -p codesigning "$KEYCHAIN_PATH" | grep "Developer ID Application" | head -1 | sed 's/.*"\(.*\)".*/\1/')
+
+          if [ -z "$IDENTITY" ]; then
+            echo "::error::No Developer ID Application certificate found in keychain"
+            exit 1
+          fi
+
+          echo "Found signing identity: $IDENTITY"
+          echo "identity=$IDENTITY" >> $GITHUB_OUTPUT
+
+          # Store keychain path for cleanup
+          echo "keychain_path=$KEYCHAIN_PATH" >> $GITHUB_OUTPUT
+
+          # Clean up temp cert file
+          rm -f "$CERT_PATH"
+
+      - name: Code Sign dylib
+        env:
+          CODESIGN_IDENTITY: ${{ steps.codesign.outputs.identity }}
+        run: |
+          DYLIB_PATH=".build/release/lib${{ env.DYLIB_NAME }}.dylib"
+
+          if [ -z "$CODESIGN_IDENTITY" ]; then
+            echo "⚠️  No signing identity available, using ad-hoc signing"
+            codesign --force --sign - "$DYLIB_PATH"
+          else
+            echo "Signing with: $CODESIGN_IDENTITY"
+            codesign --force --options runtime --timestamp \
+              --sign "$CODESIGN_IDENTITY" \
+              "$DYLIB_PATH"
+          fi
+
+          # Verify signature
+          codesign -dv --verbose=4 "$DYLIB_PATH"
+          echo "✅ Code signing completed successfully"
+
+      - name: Get version from tag
+        id: version
+        run: echo "VERSION=${GITHUB_REF_NAME}" >> $GITHUB_OUTPUT
+
+      - name: Package artifact
+        run: |
+          mkdir -p dist
+          cp ".build/release/lib${{ env.DYLIB_NAME }}.dylib" dist/
+          cd dist
+          zip -r "../${{ env.PLUGIN_ID }}-${{ steps.version.outputs.VERSION }}.zip" .
+
+      - name: Calculate SHA256
+        id: sha256
+        run: |
+          SHA=$(shasum -a 256 "${{ env.PLUGIN_ID }}-${{ steps.version.outputs.VERSION }}.zip" | cut -d ' ' -f 1)
+          echo "SHA256=$SHA" >> $GITHUB_OUTPUT
+
+      - name: Get artifact size
+        id: size
+        run: |
+          SIZE=$(stat -f%z "${{ env.PLUGIN_ID }}-${{ steps.version.outputs.VERSION }}.zip")
+          echo "SIZE=$SIZE" >> $GITHUB_OUTPUT
+
+      - name: Install minisign
+        run: brew install minisign
+
+      - name: Sign artifact with minisign
+        id: minisign
+        env:
+          MINISIGN_SECRET_KEY: ${{ secrets.MINISIGN_SECRET_KEY }}
+          MINISIGN_PASSWORD: ${{ secrets.MINISIGN_PASSWORD }}
+        run: |
+          if [ -z "$MINISIGN_SECRET_KEY" ]; then
+            echo "No MINISIGN_SECRET_KEY configured, skipping signing"
+            echo "SIGNATURE_B64=" >> $GITHUB_OUTPUT
+            exit 0
+          fi
+
+          echo "$MINISIGN_SECRET_KEY" > $RUNNER_TEMP/minisign.key
+
+          ARTIFACT="${{ env.PLUGIN_ID }}-${{ steps.version.outputs.VERSION }}.zip"
+          if [ -n "$MINISIGN_PASSWORD" ]; then
+            echo "$MINISIGN_PASSWORD" | minisign -Slm "$ARTIFACT" -s $RUNNER_TEMP/minisign.key -x "${ARTIFACT}.minisig"
+          else
+            minisign -Slm "$ARTIFACT" -s $RUNNER_TEMP/minisign.key -x "${ARTIFACT}.minisig" -W
+          fi
+
+          SIGNATURE_B64=$(base64 -i "${ARTIFACT}.minisig")
+          echo "SIGNATURE_B64=$SIGNATURE_B64" >> $GITHUB_OUTPUT
+
+          rm -f $RUNNER_TEMP/minisign.key
+
+      - name: Create GitHub Release
+        uses: softprops/action-gh-release@v2
+        with:
+          name: "${{ env.PLUGIN_NAME }} v${{ steps.version.outputs.VERSION }}"
+          files: |
+            ${{ env.PLUGIN_ID }}-${{ steps.version.outputs.VERSION }}.zip
+            ${{ env.PLUGIN_ID }}-${{ steps.version.outputs.VERSION }}.zip.minisig
+          fail_on_unmatched_files: false
+          generate_release_notes: true
+
+      - name: Upload registry JSON artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: build-outputs
+          path: |
+            ${{ env.PLUGIN_ID }}-${{ steps.version.outputs.VERSION }}.zip
+
+      - name: Cleanup Keychain
+        if: always()
+        run: |
+          KEYCHAIN_PATH="${{ steps.codesign.outputs.keychain_path }}"
+          if [ -n "$KEYCHAIN_PATH" ] && [ -f "$KEYCHAIN_PATH" ]; then
+            security delete-keychain "$KEYCHAIN_PATH" || true
+          fi
+
+  registry-entry:
+    needs: build
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Download build outputs
+        uses: actions/download-artifact@v4
+        with:
+          name: build-outputs
+
+      - name: Generate registry JSON
+        env:
+          VERSION: ${{ needs.build.outputs.version }}
+          SHA256: ${{ needs.build.outputs.sha256 }}
+          SIZE: ${{ needs.build.outputs.size }}
+          SIGNATURE_B64: ${{ needs.build.outputs.signature_b64 }}
+          REPO_URL: ${{ github.server_url }}/${{ github.repository }}
+          REPO_OWNER: ${{ github.repository_owner }}
+          TAG_NAME: ${{ github.ref_name }}
+          MINISIGN_PUBLIC_KEY: ${{ secrets.MINISIGN_PUBLIC_KEY }}
+        run: |
+          mkdir -p release
+
+          # Decode signature if present
+          if [ -n "$SIGNATURE_B64" ]; then
+            MINISIGN_SIG=$(echo "$SIGNATURE_B64" | base64 -d)
+          else
+            MINISIGN_SIG=""
+          fi
+
+          echo "$MINISIGN_SIG" > /tmp/minisign_sig.txt
+
+          python3 << 'PYTHON_SCRIPT'
+          import json
+          import os
+          from datetime import datetime
+
+          plugin_id = os.environ["PLUGIN_ID"]
+          plugin_name = os.environ["PLUGIN_NAME"]
+          plugin_desc = os.environ["PLUGIN_DESCRIPTION"]
+          version = os.environ["VERSION"]
+          sha256 = os.environ["SHA256"]
+          size = int(os.environ["SIZE"])
+          repo_url = os.environ["REPO_URL"]
+          repo_owner = os.environ["REPO_OWNER"]
+          tag_name = os.environ["TAG_NAME"]
+          license_type = os.environ["LICENSE"]
+          min_macos = os.environ["MIN_MACOS"]
+          minisign_public_key = os.environ.get("MINISIGN_PUBLIC_KEY", "")
+
+          try:
+              with open('/tmp/minisign_sig.txt', 'r') as f:
+                  minisign_sig = f.read().strip()
+          except:
+              minisign_sig = ""
+
+          # Get tools from TOOLS env var
+          tools = json.loads(os.environ.get("TOOLS", "[]"))
+
+          artifact = {
+              "os": "macos",
+              "arch": "arm64",
+              "min_macos": min_macos,
+              "url": f"{repo_url}/releases/download/{tag_name}/{plugin_id}-{version}.zip",
+              "sha256": sha256,
+              "size": size
+          }
+
+          if minisign_sig:
+              artifact["minisign"] = {"signature": minisign_sig}
+
+          data = {
+              "plugin_id": plugin_id,
+              "name": plugin_name,
+              "description": plugin_desc,
+              "homepage": repo_url,
+              "license": license_type,
+              "authors": [repo_owner],
+              "capabilities": {"tools": tools},
+              "public_keys": {"minisign": minisign_public_key} if minisign_public_key else {},
+              "versions": [{
+                  "version": version,
+                  "release_date": datetime.utcnow().strftime("%Y-%m-%d"),
+                  "artifacts": [artifact]
+              }]
+          }
+
+          # Remove empty public_keys
+          if not data["public_keys"]:
+              del data["public_keys"]
+
+          with open(f'release/{plugin_id}.json', 'w') as f:
+              json.dump(data, f, indent=2)
+
+          print(f"Generated release/{plugin_id}.json for v{version}")
+          PYTHON_SCRIPT
+
+      - name: Commit registry entry
+        run: |
+          git config user.name "github-actions[bot]"
+          git config user.email "github-actions[bot]@users.noreply.github.com"
+          git add release/
+          git commit -m "Update registry entry for ${{ needs.build.outputs.version }}"
+          git push origin HEAD:master
@@ -0,0 +1,10 @@
+.DS_Store
+/.build
+/Packages
+/*.xcodeproj
+/*.xcworkspace
+/xcuserdata
+/.swiftpm
+/*.zip
+*.dylib
+
@@ -0,0 +1,16 @@
+// swift-tools-version: 5.9
+import PackageDescription
+
+let package = Package(
+    name: "osaurus-contacts",
+    platforms: [.macOS(.v13)],
+    products: [
+        .library(name: "osaurus-contacts", type: .dynamic, targets: ["osaurus_contacts"])
+    ],
+    targets: [
+        .target(
+            name: "osaurus_contacts",
+            path: "Sources/osaurus_contacts"
+        )
+    ]
+)