name: _native-build on: workflow_call: inputs: upload-artifact-prefix: description: 'Prefix for uploaded artifact name' required: false type: string default: 'kimi-code-native' retention-days: description: 'Artifact retention in days' required: false type: number default: 3 sign-macos: description: 'Whether to sign + notarize macOS builds (requires Apple secrets)' required: false type: boolean default: false secrets: APPLE_CERTIFICATE_P12: required: false APPLE_CERTIFICATE_PASSWORD: required: false APPLE_NOTARIZATION_KEY_P8: required: false APPLE_NOTARIZATION_KEY_ID: required: false APPLE_NOTARIZATION_ISSUER_ID: required: false permissions: contents: read jobs: native-bundle: name: Native bundle (${{ matrix.target }}) runs-on: ${{ matrix.os }} strategy: fail-fast: false matrix: include: - os: ubuntu-24.04 target: linux-x64 - os: ubuntu-24.04-arm target: linux-arm64 - os: macos-15-intel target: darwin-x64 - os: macos-15 target: darwin-arm64 - os: windows-2025-vs2026 target: win32-x64 - os: windows-11-arm target: win32-arm64 steps: - name: Checkout uses: actions/checkout@v6 - name: Setup pnpm uses: pnpm/action-setup@v6 - name: Setup Node.js uses: actions/setup-node@v6 with: node-version-file: .nvmrc cache: 'pnpm' - name: Install dependencies run: pnpm install --frozen-lockfile - name: Setup macOS keychain (release only) if: runner.os == 'macOS' && inputs.sign-macos uses: ./.github/actions/macos-keychain-setup with: certificate-p12: ${{ secrets.APPLE_CERTIFICATE_P12 }} certificate-password: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }} - name: Generate built-in catalog (release artifacts) if: inputs.sign-macos shell: bash run: | CATALOG_FILE="$RUNNER_TEMP/kimi-code-built-in-catalog.json" node apps/kimi-code/scripts/update-catalog.mjs --out "$CATALOG_FILE" echo "KIMI_CODE_BUILT_IN_CATALOG_FILE=$CATALOG_FILE" >> "$GITHUB_ENV" - name: Build Kimi web assets # The SEA blob step embeds apps/kimi-code/dist-web; build the web app # and stage its assets before producing the native executable. run: | pnpm --filter @moonshot-ai/kimi-web run build node apps/kimi-code/scripts/copy-web-assets.mjs - name: Build native executable (release profile, macOS signed) if: runner.os == 'macOS' && inputs.sign-macos run: pnpm --filter @moonshot-ai/kimi-code run build:native:release - name: Build native executable (local profile) if: '!(runner.os == ''macOS'' && inputs.sign-macos)' run: pnpm --filter @moonshot-ai/kimi-code run build:native:sea - name: Notarize macOS binary if: runner.os == 'macOS' && inputs.sign-macos uses: ./.github/actions/macos-notarize with: binary-path: ${{ github.workspace }}/apps/kimi-code/dist-native/bin/${{ matrix.target }}/kimi notarization-key-p8: ${{ secrets.APPLE_NOTARIZATION_KEY_P8 }} notarization-key-id: ${{ secrets.APPLE_NOTARIZATION_KEY_ID }} notarization-issuer-id: ${{ secrets.APPLE_NOTARIZATION_ISSUER_ID }} - name: Cleanup macOS keychain if: always() && runner.os == 'macOS' && inputs.sign-macos uses: ./.github/actions/macos-keychain-cleanup - name: Smoke test native executable run: pnpm --filter @moonshot-ai/kimi-code run test:native:smoke - name: Package native artifact run: pnpm --filter @moonshot-ai/kimi-code run package:native - name: Upload native artifact uses: actions/upload-artifact@v7 with: name: ${{ inputs.upload-artifact-prefix }}-${{ matrix.target }} retention-days: ${{ inputs.retention-days }} path: | apps/kimi-code/dist-native/artifacts/kimi-code-${{ matrix.target }}.zip apps/kimi-code/dist-native/artifacts/kimi-code-${{ matrix.target }}.zip.sha256 if-no-files-found: ignore