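---
# Builds, signs, notarizes and publishes the Apple Silicon DMG for a release
# tag. Runs automatically when a `v*` tag is pushed, or manually
# (workflow_dispatch) for an existing tag.
name: Release macOS signed DMG

on:
  push:
    tags:
      - "v*"
  workflow_dispatch:
    inputs:
      tag:
        description: "Release tag to upload to, for example v0.1.2."
        required: true
        type: string
      draft:
        description: "Create the release as a draft when it does not already exist."
        required: false
        default: true
        type: boolean

# `contents: write` is all that creating the release and uploading the asset
# needs; the default GITHUB_TOKEN is otherwise read-only.
permissions:
  contents: write

concurrency:
  group: release-macos-${{ github.ref }}
  cancel-in-progress: false

jobs:
  signed-dmg:
    name: Build, sign, notarize, and upload Apple Silicon DMG
    runs-on: macos-latest
    # The Apple secrets are deliberately NOT declared at job level. A job-level
    # `env` is inherited by every step: the third-party actions, `npm ci` (and
    # any package lifecycle script it runs) and the Cargo build scripts executed
    # by `tauri build`. Each secret is instead passed only to the steps that
    # consume it.
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          persist-credentials: false
          # Manual runs build the requested tag; tag pushes build the pushed ref.
          ref: ${{ github.event_name == 'workflow_dispatch' && inputs.tag || github.ref }}

      - name: Resolve release tag
        id: release
        env:
          INPUT_TAG: ${{ inputs.tag }}
          INPUT_DRAFT: ${{ inputs.draft }}
        run: |
          set -euo pipefail
          # Tag pushes always publish a non-draft release; manual runs take the
          # tag and the draft flag from the dispatch inputs.
          if [[ "${GITHUB_EVENT_NAME}" == "push" ]]; then
            tag="${GITHUB_REF_NAME}"
            draft="false"
          else
            tag="$INPUT_TAG"
            draft="$INPUT_DRAFT"
          fi
          echo "tag=${tag}" >> "$GITHUB_OUTPUT"
          echo "draft=${draft}" >> "$GITHUB_OUTPUT"

      - name: Validate Apple signing secrets
        env:
          APPLE_CERTIFICATE: ${{ secrets.APPLE_CERTIFICATE }}
          APPLE_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
          APPLE_ID: ${{ secrets.APPLE_ID }}
          APPLE_PASSWORD: ${{ secrets.APPLE_PASSWORD }}
          APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
          KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }}
        run: |
          set -euo pipefail
          # Fail before any toolchain is installed if a required secret is
          # absent. Only presence is checked; values are never printed.
          missing=0
          for name in APPLE_CERTIFICATE APPLE_CERTIFICATE_PASSWORD APPLE_ID APPLE_PASSWORD APPLE_TEAM_ID KEYCHAIN_PASSWORD; do
            if [[ -z "${!name:-}" ]]; then
              echo "::error title=Missing secret::${name} is required for signed notarized macOS releases."
              missing=1
            fi
          done
          exit "$missing"

      - name: Set up Node.js
        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
        with:
          # Quoted so YAML keeps the version as a string.
          node-version: "22"
          package-manager-cache: false

      - name: Install Rust toolchain
        uses: dtolnay/rust-toolchain@29eef336d9b2848a0b548edc03f92a220660cdb8 # stable
        with:
          targets: aarch64-apple-darwin

      - name: Install npm dependencies
        # Runs with no Apple secrets in its environment (see the job comment).
        run: npm ci

      - name: Import Developer ID certificate
        env:
          APPLE_CERTIFICATE: ${{ secrets.APPLE_CERTIFICATE }}
          APPLE_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
          APPLE_SIGNING_IDENTITY: ${{ secrets.APPLE_SIGNING_IDENTITY }}
          KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }}
        run: |
          set -euo pipefail
          # The decoded .p12 is only needed for `security import`; remove it on
          # every exit path so it does not remain in the workspace for the build.
          trap 'rm -f certificate.p12' EXIT
          # Older and newer macOS base64 spell the decode flag differently.
          printf '%s' "$APPLE_CERTIFICATE" | base64 --decode > certificate.p12 2>/dev/null || \
            printf '%s' "$APPLE_CERTIFICATE" | base64 -D > certificate.p12
          security create-keychain -p "$KEYCHAIN_PASSWORD" build.keychain
          security default-keychain -s build.keychain
          security unlock-keychain -p "$KEYCHAIN_PASSWORD" build.keychain
          # Keep the keychain unlocked long enough for build and notarization.
          security set-keychain-settings -lut 21600 build.keychain
          security import certificate.p12 \
            -k build.keychain \
            -P "$APPLE_CERTIFICATE_PASSWORD" \
            -T /usr/bin/codesign \
            -T /usr/bin/security
          # Let codesign use the key without an interactive prompt.
          security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$KEYCHAIN_PASSWORD" build.keychain
          security find-identity -v -p codesigning build.keychain
          # Prefer an explicitly configured identity; otherwise take the first
          # "Developer ID Application" identity found in the keychain.
          cert_id="${APPLE_SIGNING_IDENTITY:-}"
          if [[ -z "$cert_id" ]]; then
            cert_id="$(security find-identity -v -p codesigning build.keychain | awk -F '"' '/Developer ID Application/{print $2; exit}')"
          fi
          if [[ -z "$cert_id" ]]; then
            echo "::error title=Missing Developer ID Application identity::Set APPLE_SIGNING_IDENTITY or provide a Developer ID Application certificate."
            exit 1
          fi
          # Exported for the build step via GITHUB_ENV.
          echo "APPLE_SIGNING_IDENTITY=$cert_id" >> "$GITHUB_ENV"

      - name: Build signed and notarized DMG
        # APPLE_SIGNING_IDENTITY is taken from GITHUB_ENV (written by the import
        # step), and the certificate is already in the default keychain, so the
        # certificate material is not passed to this step. The notarization
        # credentials are, because the build is expected to notarize the .app;
        # they are visible to the Cargo build scripts this command runs, which
        # is unavoidable. NOTE(review): if the build turns out to require the
        # certificate itself, pass APPLE_CERTIFICATE/APPLE_CERTIFICATE_PASSWORD
        # here rather than at job level.
        env:
          CI: "true"
          APPLE_ID: ${{ secrets.APPLE_ID }}
          APPLE_PASSWORD: ${{ secrets.APPLE_PASSWORD }}
          APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
        run: npx tauri build --bundles dmg --target aarch64-apple-darwin -- --no-default-features --features gui

      - name: Locate release DMG
        run: |
          set -euo pipefail
          # Exactly one DMG is expected; take the first match and stop.
          dmg_path="$(find src-tauri/target -path '*/release/bundle/dmg/Memex_*.dmg' -print -quit)"
          if [[ -z "$dmg_path" ]]; then
            echo "::error title=Missing DMG::Could not find Memex_*.dmg under src-tauri/target."
            exit 1
          fi
          echo "DMG_PATH=$dmg_path" >> "$GITHUB_ENV"
          echo "Located $dmg_path"

      - name: Notarize and staple DMG
        env:
          APPLE_ID: ${{ secrets.APPLE_ID }}
          APPLE_PASSWORD: ${{ secrets.APPLE_PASSWORD }}
          APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
        run: |
          set -euo pipefail
          # --wait blocks until Apple has finished scanning the DMG, so the
          # stapled ticket below is guaranteed to exist.
          xcrun notarytool submit "$DMG_PATH" \
            --apple-id "$APPLE_ID" \
            --password "$APPLE_PASSWORD" \
            --team-id "$APPLE_TEAM_ID" \
            --wait
          xcrun stapler staple "$DMG_PATH"

      - name: Verify notarized DMG
        run: |
          set -euo pipefail
          # Signature, Gatekeeper assessment and stapled ticket are each checked
          # so a broken artifact fails here instead of on users' machines.
          codesign --verify --verbose=2 "$DMG_PATH"
          spctl --assess --type open --context context:primary-signature --verbose=4 "$DMG_PATH"
          xcrun stapler validate "$DMG_PATH"

      - name: Upload DMG to GitHub Release
        env:
          GH_TOKEN: ${{ github.token }}
          RELEASE_TAG: ${{ steps.release.outputs.tag }}
          RELEASE_DRAFT: ${{ steps.release.outputs.draft }}
        run: |
          set -euo pipefail
          # Create the release only if it does not exist yet; --verify-tag
          # refuses to create a release for a tag that is not in the repository.
          if ! gh release view "$RELEASE_TAG" >/dev/null 2>&1; then
            args=(release create "$RELEASE_TAG" --verify-tag --title "Memex ${RELEASE_TAG}" --notes "Signed and notarized macOS Apple Silicon DMG.")
            if [[ "$RELEASE_DRAFT" == "true" ]]; then
              args+=(--draft)
            fi
            gh "${args[@]}"
          fi
          # No --clobber: an already-published asset is not silently replaced.
          gh release upload "$RELEASE_TAG" "$DMG_PATH"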