
Commit 7462a5e

authored
[fix]: deploy workflow - notarization (#19)
- fixes signing and notarization of the deployed binary ## Reference: - #1
2 parents c87b7b9 + 74707d4 commit 7462a5e


1 file changed

+48
-6
lines changed


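--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -14,14 +14,51 @@ jobs:
 - name: Checkout Repository
 uses: actions/checkout@v2
 
+- name: Install codesign certificate
+env:
+# DEV_CERT_B64: Base64-encoded developer certificate as .p12
+# DEV_CERT_PWD: Developer certificate .p12 password
+# KEYCHAIN_TIMEOUT: Lock keychain after timeout interval
+# https://docs.github.com/en/actions/deployment/deploying-xcode-applications/installing-an-apple-certificate-on-macos-runners-for-xcode-development
+DEV_CERT_B64: ${{ secrets.DEV_CERT_B64 }}
+DEV_CERT_PWD: ${{ secrets.DEV_CERT_PWD }}
+KEYCHAIN_TIMEOUT: 21600
+run: |
+DEV_CERT_P12="$RUNNER_TEMP/dev_cert.p12"
+KEYCHAIN_DB="$RUNNER_TEMP/keychain.keychain-db"
+KEYCHAIN_PWD=$(openssl rand -base64 24)
+security create-keychain -p "$KEYCHAIN_PWD" "$KEYCHAIN_DB"
+security set-keychain-settings -lut "$KEYCHAIN_TIMEOUT" "$KEYCHAIN_DB"
+security unlock-keychain -p "$KEYCHAIN_PWD" "$KEYCHAIN_DB"
+echo -n "$DEV_CERT_B64" | base64 --decode --output "$DEV_CERT_P12"
+security import "$DEV_CERT_P12" -P "$DEV_CERT_PWD" -A -t cert -f pkcs12 -k "$KEYCHAIN_DB"
+security list-keychain -d user -s "$KEYCHAIN_DB"
+
 - name: Building
 run: |
 swift build -c release --arch arm64 --arch x86_64
-cd .build/apple/Products/Release/
-zip codeedit-cli.zip codeedit-cli
-cd ../../../../
 
-# CODESIGN & NOTARIZE THE BINARY
+- name: Sign
+env:
+CODESIGN_SIGN: ${{ secrets.CODESIGN_SIGN }}
+run: |
+security find-identity -p basic -v
+codesign --sign "$CODESIGN_SIGN" --prefix austincondiff.CodeEdit. --options=runtime --verbose --timestamp .build/apple/Products/Release/codeedit-cli
+
+- name: Zip
+run: zip -r .build/apple/Products/Release/codeedit-cli.zip .build/apple/Products/Release/codeedit-cli
+
+- name: Notarize
+env:
+APPLE_ID: ${{ secrets.APPLE_ID }}
+APPLE_ID_PWD: ${{ secrets.APPLE_ID_PWD }}
+APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
+run: |
+xcrun notarytool submit ".build/apple/Products/Release/codeedit-cli.zip" --apple-id "$APPLE_ID" --password "$APPLE_ID_PWD" --team-id "$APPLE_TEAM_ID" --verbose --wait --output-format plist > "NotarizationResponse.plist"
+status=`/usr/libexec/PlistBuddy -c "Print :status" "NotarizationResponse.plist"`
+if [[ $status != "Accepted" ]]; then
+exit 999
+fi
 
 - name: Create Release
 id: create_release
@@ -33,13 +70,18 @@ jobs:
 release_name: ${{ github.ref }}
 draft: false
 prerelease: false
-
+
 - name: Upload Release Asset
 uses: actions/upload-release-asset@v1
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 with:
 upload_url: ${{ steps.create_release.outputs.upload_url }}
 asset_path: .build/apple/Products/Release/codeedit-cli.zip
-asset_name: codeedit-cli-binary.zip
+asset_name: codeedit-cli-universal-binary.zip
 asset_content_type: application/zip
+
+- name: Clean up keychain
+if: ${{ always() }}
+run: |
+security delete-keychain "$RUNNER_TEMP/keychain.keychain-db"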
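Review bot: The `Install codesign certificate` step imports the identity with `-A` into an unlocked keychain before `Building` runs, so whatever `swift build` executes (package resolution and, if the dependencies ship any, build-time code) runs while every process on the runner can use the signing key. The decoded `dev_cert.p12` also stays in `$RUNNER_TEMP` for the rest of the job, because `Clean up keychain` removes only the keychain. Moving the install step to sit directly before `Sign` and adding `rm -f "$DEV_CERT_P12"` right after `security import` narrows that window. The key's access list can be tightened as well by replacing `-A` with `-T /usr/bin/codesign` followed by `security set-key-partition-list -S apple-tool:,apple: -k "$KEYCHAIN_PWD" "$KEYCHAIN_DB"`; this should be tried on the runner image first, since a partition list that does not match can leave codesign waiting on a prompt.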
