From 9e0451ef9ebb5860fa3112e8829c37600fc6e0ab Mon Sep 17 00:00:00 2001
From: Will Kelly
Date: Tue, 29 Oct 2024 08:33:52 -0500
Subject: [PATCH] feature: add macos signing + notarization. Upgrade install4j version. Change secretes management in build
---
 .github/workflows/build.yml | 85 +++++++++++++++++++++++++--------
 jvm/workbookapp/build.gradle | 10 ++--
 jvm/workbookapp/otter.install4j | 11 ++++-
 3 files changed, 79 insertions(+), 27 deletions(-)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index a3378ee3f4..ea31296150 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -1,18 +1,17 @@
 name: Java CI with Gradle
-on: [ push, pull_request ]
+on: [push, pull_request]
 jobs:
-
 set-env-vars:
 runs-on: ubuntu-20.04
 steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
 - uses: FranzDiebold/github-env-vars-action@v2.1.0
 - name: Parse SemVer if tagged build
 id: semver_parser
 uses: booxmedialtd/ws-action-parse-semver@v1.4.2
 with:
 input_string: ${{ env.CI_REF_NAME }}
- version_extractor_regex: 'v(.*)$'
+ version_extractor_regex: "v(.*)$"
 if: contains( github.ref, 'refs/tags/v' )
 - name: set version var for tags and update path for releases
 id: tagged
@@ -51,38 +50,74 @@ jobs:
 runs-on: ubuntu-20.04
 needs: set-env-vars
 steps:
- - uses: actions/checkout@v2
- - name: Decrypt secret file
+ - uses: actions/checkout@v3
+ - name: Set Build Secrets
+ uses: 1password/load-secrets-action@v2
+ with:
+ export-env: true
+ env:
+ OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
+ MAC_SIGNING_KEY_BASE64: "op://DevOps/Orature_CI_CD/Mac-Cert-and-Signing-Key/B64_CERT_AND_SIGNING"
+ MAC_APP_STORE_NOTARY_API_KEY: "op://DevOps/Orature_CI_CD/App-Store-Connect-API-Key/app-store-connect-private-key.p8"
+ INSTALL4J_LICENSE_11: "op://DevOps/Orature_CI_CD/INSTALL4J_LICENSE"
+ MAC_KEYSTORE_PW: "op://DevOps/Orature_CI_CD/MAC-P12-SIGNING-PASSWORD"
+ ORG_GRADLE_PROJECT_githubOauthToken: "op://DevOps/Orature_CI_CD/CRASH_REPORTS_OAUTH_TOKEN"
+ ORG_GRADLE_PROJECT_sentryDsn: "op://DevOps/Orature_CI_CD/SENTRY_TOKEN"
+ SONAR_TOKEN: "op://DevOps/Orature_CI_CD/SONAR_TOKEN"
+ MAC_NOTARY_ISSUER: "op://DevOps/Orature_CI_CD/MAC_NOTARY_ISSUER"
+ MAC_NOTARY_KEY_ID: "op://DevOps/Orature_CI_CD/MAC_NOTARY_KEY_ID"
+ - name: Write mac secrets for i4j
 shell: bash
- run: ./.github/scripts/decrypt_secret.sh
+ run: |
+ echo -n $MAC_SIGNING_KEY_BASE64 | base64 -d > $HOME/signing_macos.p12 && echo -n $MAC_APP_STORE_NOTARY_API_KEY > $HOME/mac_app_notary_key.p8
 env:
- LARGE_SECRET_PASSPHRASE: ${{ secrets.LARGE_SECRET_PASSPHRASE }}
+ MAC_SIGNING_KEY_BASE64: ${{ env.MAC_SIGNING_KEY_BASE64 }}
+ MAC_APP_STORE_NOTARY_API_KEY: ${{ env.MAC_APP_STORE_NOTARY_API_KEY }}
 - name: install4j build
 shell: bash
 run: |
 docker run -v $(pwd):/repo \
- -v $HOME/signing.p12:/root/signing.p12 \
+ -v $HOME/signing_macos.p12:/root/signing_macos.p12 \
+ -v $HOME/mac_app_notary_key.p8:/root/mac_app_notary_key.p8 \
 -e UPDATE_PATH \
 -e ORG_GRADLE_PROJECT_gradlewCommandVersionProp \
 -e ORG_GRADLE_PROJECT_gradlewCommandLicenseProp \
 -e ORG_GRADLE_PROJECT_githubRepoUrl \
- -e ORG_GRADLE_PROJECT_gradlewwinKeystorePassword \
+ -e ORG_GRADLE_PROJECT_gradlewmacKeystorePassword \
 -e ORG_GRADLE_PROJECT_githubOauthToken \
 -e ORG_GRADLE_PROJECT_sentryDsn \
 -e GITHUB_TOKEN \
 -e SONAR_TOKEN \
- wycliffeassociates/install4j-docker:10.0.9 \
- ./gradlew build :jvm:workbookapp:install4jdeploy "-Dorg.gradle.jvmargs=-Xmx2048m -Dnet.bytebuddy.experimental=true -XX:MaxMetaspaceSize=512m"
+ -e MAC_NOTARY_ISSUER \
+ -e MAC_NOTARY_KEY_ID \
+ wycliffeassociates/install4j-docker:11.0 \
+ ./gradlew build :jvm:workbookapp:install4jdeploy "-Dorg.gradle.jvmargs=-Xmx2048m -Dnet.bytebuddy.experimental=true -XX:MaxMetaspaceSize=1024m"
 env:
 UPDATE_PATH: ${{ needs.set-env-vars.outputs.UPDATE_PATH }}
 ORG_GRADLE_PROJECT_gradlewCommandVersionProp: ${{ needs.set-env-vars.outputs.GHA_VERSION }}
- ORG_GRADLE_PROJECT_gradlewCommandLicenseProp: ${{ secrets.INSTALL4J_LICENSE_10 }}
+ ORG_GRADLE_PROJECT_gradlewCommandLicenseProp: ${{ env.INSTALL4J_LICENSE_11 }}
 ORG_GRADLE_PROJECT_githubRepoUrl: https://api.github.com/repos/OratureCrashReports/orature-crash-reports/issues
- ORG_GRADLE_PROJECT_gradlewwinKeystorePassword: ${{ secrets.WIN_KEYSTORE_PW }}
- ORG_GRADLE_PROJECT_githubOauthToken: ${{ secrets.GH_API_OAUTH_TOKEN }}
- ORG_GRADLE_PROJECT_sentryDsn: ${{ secrets.SENTRY_OTTER_DSN }}
+ ORG_GRADLE_PROJECT_gradlewmacKeystorePassword: ${{ env.MAC_KEYSTORE_PW }}
+ ORG_GRADLE_PROJECT_githubOauthToken: ${{ env.ORG_GRADLE_PROJECT_githubOauthToken }}
+ ORG_GRADLE_PROJECT_sentryDsn: ${{ env.ORG_GRADLE_PROJECT_sentryDsn }}
+ SONAR_TOKEN: ${{ env.SONAR_TOKEN }}
+ MAC_NOTARY_ISSUER: ${{ env.MAC_NOTARY_ISSUER }}
+ MAC_NOTARY_KEY_ID: ${{ env.MAC_NOTARY_KEY_ID }}
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+
+ - name: Get notarization log
+ if: ${{ failure() }}
+ run: |
+ NOTARIZATION_LOG=$(find /repo/jvm/workbookapp/.exec/ -name "*.notarization.log")
+ echo "NOTARIZATION_LOG=$NOTARIZATION_LOG" >> $GITHUB_ENV
+ - name: Write notarization log to artifact
+ if: ${{ failure() }}
+ uses: actions/upload-artifact@v3
+ with:
+ name: notarization-log
+ path: ${{ env.NOTARIZATION_LOG }}
+ retention-days: 7
+
 - name: cache binaries
 uses: actions/upload-artifact@v4
 with:
@@ -91,7 +126,7 @@ jobs:
 path: jvm/workbookapp/.exec/
 sign-windows:
 runs-on: windows-latest
- needs: build
+ needs: [build]
 steps:
 - name: Checkout
 uses: actions/checkout@v3
@@ -101,7 +136,7 @@ jobs:
 uses: actions/setup-dotnet@v2
 with:
 dotnet-version: 6.0.x
-
+
 - name: download artifacts from previous job
 uses: actions/download-artifact@v4
 with:
@@ -111,6 +146,7 @@ jobs:
 - name: Sign files with Azure Code Signing
 uses: azure/trusted-signing-action@v0.4.0
+ # op doesn't work windows. Have to stick with secrets
 with:
 azure-tenant-id: ${{ secrets.AZURE_TENANT_ID }}
 azure-client-id: ${{ secrets.AZURE_CLIENT_ID }}
@@ -133,6 +169,15 @@ jobs:
 runs-on: ubuntu-20.04
 needs: [sign-windows, set-env-vars]
 steps:
+ - name: Set upload secrets
+ uses: 1password/load-secrets-action@v2
+ with:
+ export-env: true
+ env:
+ OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
+ AWS_KEY_ID: "op://DevOps/travis-nightlybuilds aws s3 api access for travis uploads/S3_ACCESS_KEY_ID"
+ AWS_SECRET_ACCESS_KEY: "op://DevOps/travis-nightlybuilds aws s3 api access for travis uploads/S3_SECRET_ACCESS_KEY"
+ AWS_BUCKET: "op://DevOps/travis-nightlybuilds aws s3 api access for travis uploads/S3_BUCKET"
 - name: download artifacts from previous job
 uses: actions/download-artifact@v4
 with:
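Review bot: The new `Get notarization log` step runs `find /repo/jvm/workbookapp/.exec/`, but `/repo` exists only inside the `docker run` container as the bind-mount target of `$(pwd)`; on the runner the checkout is the workspace itself, which is why the neighbouring `cache binaries` step uses the relative `path: jvm/workbookapp/.exec/`, so `find` reports a missing directory and `NOTARIZATION_LOG` is either empty or the step errors out before the artifact is uploaded. Both steps can become one: drop the `find` step and let the artifact action glob for the file with `path: jvm/workbookapp/.exec/**/*.notarization.log`, which also avoids a multi-line `NOTARIZATION_LOG` when more than one log exists and lets the step use `actions/upload-artifact@v4` like `cache binaries` instead of the older `v3`. In `Write mac secrets for i4j`, `echo -n $MAC_APP_STORE_NOTARY_API_KEY` expands the secret unquoted, so if the 1Password field holds a multi-line PEM key its newlines are turned into spaces by word splitting and the written `.p8` is no longer parseable; `printf '%s' "$MAC_APP_STORE_NOTARY_API_KEY" > "$HOME/mac_app_notary_key.p8"` writes it byte-for-byte, and `base64 -d` should likewise read `"$MAC_SIGNING_KEY_BASE64"` quoted. Since both files are private key material that outlives the step, running the write under `umask 077` keeps them readable only by the runner user.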
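Review bot: The new `Set upload secrets` step has no `if:` guard, while the `upload` step later in this job is skipped with `if: github.event_name != 'pull_request'`; on pull-request runs where `secrets.OP_SERVICE_ACCOUNT_TOKEN` is not supplied (pull requests from forks in particular) the 1Password action will now fail the whole job, whereas the old job only touched these credentials inside the guarded `upload` step. Adding the same condition to this step, `if: github.event_name != 'pull_request'`, keeps the vault lookup tied to the one step that needs it. The bucket credentials are long-lived static keys fetched on every run; if the bucket account allows it, a follow-up could replace them with an OIDC role assumption via `aws-actions/configure-aws-credentials`, which leaves no reusable key in the vault or in the runner environment. The enclosing `upload` job starts before this hunk.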
@@ -142,7 +187,7 @@ jobs:
 - name: upload
 if: github.event_name != 'pull_request'
 run: |
- AWS_DEFAULT_REGION=us-east-1 AWS_ACCESS_KEY_ID=${{secrets.AWS_KEY_ID}} AWS_SECRET_ACCESS_KEY=${{secrets.AWS_SECRET_ACCESS_KEY}} aws s3 sync . s3://${{ secrets.AWS_BUCKET }}/${{ needs.set-env-vars.outputs.S3_DESTINATION }}
+ AWS_DEFAULT_REGION=us-east-1 AWS_ACCESS_KEY_ID=${{env.AWS_KEY_ID}} AWS_SECRET_ACCESS_KEY=${{env.AWS_SECRET_ACCESS_KEY}} aws s3 sync . s3://${{ env.AWS_BUCKET }}/${{ needs.set-env-vars.outputs.S3_DESTINATION }}
 working-directory: ${{ github.workspace }}/binaries
 - name: upload artifacts to github releases on tags
 uses: "marvinpinto/action-automatic-releases@v1.2.1"
diff --git a/jvm/workbookapp/build.gradle b/jvm/workbookapp/build.gradle
index 638d123752..b39df66f5e 100644
--- a/jvm/workbookapp/build.gradle
+++ b/jvm/workbookapp/build.gradle
@@ -95,9 +95,9 @@ apply from: './jooq.gradle'
 boolean devbuild = hasProperty("devbuild")
-//install4j tasks for building win/nix/mac installers. Executable jar can be built without it
+//install4j tasks for building win/nix/mac installers. Executable jar can be built without itv
 install4j {
- vmParameters = ["-Dinstall4j.timestampUrl=http://timestamp.sectigo.com/"]
+ vmParameters = ["-Dinstall4j.timestampUrl=http://timestamp.sectigo.com/", "-Xmx4096m"]
 faster = devbuild
 disableSigning = devbuild
 //pass in the install4j directory via -P if it's not in the default install location, e.q. for use with travis or arbitrary paths
@@ -108,9 +108,9 @@ install4j {
 if (project.hasProperty('gradlewCommandLicenseProp')) {
 license = gradlewCommandLicenseProp
 }
- //gradle command Property for the code signing cert password
- if (project.hasProperty('gradlewwinKeystorePassword')) {
- winKeystorePassword = gradlewwinKeystorePassword
+ //gradle command Property for the maac code signing cert password
+ if (project.hasProperty('gradlewmacKeystorePassword')) {
+ macKeystorePassword = gradlewmacKeystorePassword
 }
 }
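Review bot: The rewritten `upload` command still splices the credentials into the script text through `${{env.AWS_KEY_ID}}`, `${{env.AWS_SECRET_ACCESS_KEY}}` and `${{ env.AWS_BUCKET }}`, even though `export-env: true` on the `Set upload secrets` step in this job appears to place the same values in the step environment already; expression-substituted values are written into the rendered script and then interpreted by the shell, so a bucket name or destination containing shell metacharacters would be evaluated rather than passed literally. Reading them as shell variables keeps the script static: `AWS_DEFAULT_REGION=us-east-1 AWS_ACCESS_KEY_ID="$AWS_KEY_ID" aws s3 sync . "s3://$AWS_BUCKET/$S3_DESTINATION"` with `S3_DESTINATION: ${{ needs.set-env-vars.outputs.S3_DESTINATION }}` added under the step's `env:`. `AWS_SECRET_ACCESS_KEY` is exported under the exact name the CLI reads, so it needs no prefix on the command line at all.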
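Review bot: The rewritten comment above the `install4j` block now ends in `without itv` where the removed line had `without it`, and the comment in the next hunk (`@@ -108,9 +108,9 @@`) reads `maac` for `mac`; both look like stray keystrokes rather than intended wording. The second comment could also record why the Windows property went away, since the workflow in this same patch moves Windows signing to the `sign-windows` job's `azure/trusted-signing-action` step: `//gradle command Property for the mac code signing cert password (Windows binaries are signed in CI by the sign-windows job)`. The `-Xmx4096m` added to `vmParameters` is undocumented; a short comment noting that it presumably sizes the install4j compiler JVM separately from the Gradle `-Xmx2048m` passed in the `docker run` would save the next reader the lookup.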
diff --git a/jvm/workbookapp/otter.install4j b/jvm/workbookapp/otter.install4j
index 7f10bf6b97..1bb7ed985e 100644
--- a/jvm/workbookapp/otter.install4j
+++ b/jvm/workbookapp/otter.install4j
@@ -1,8 +1,15 @@
- + - + + + jna-* swt-* javafx-* workbookapp.jar + +