add temp sign and notarize #15
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Publish | ||
| on: | ||
| push: | ||
| branches: | ||
| - master | ||
| tags: | ||
| - 'v[0-9]+.[0-9]+.[0-9]+' | ||
| - 'v[0-9]+.[0-9]+.[0-9]+-**' | ||
| jobs: | ||
| mac: | ||
| strategy: | ||
| matrix: | ||
| node: [20] | ||
| app: [hostd, renterd] | ||
| runs-on: macos-latest | ||
| steps: | ||
| - uses: actions/checkout@v3 | ||
| - uses: actions/setup-node@v3 | ||
| with: | ||
| node-version: ${{ matrix.node }} | ||
| - name: Setup signing | ||
| env: | ||
| APPLE_CERT_ID: ${{ secrets.APPLE_CERT_ID }} | ||
| APPLE_API_KEY: ${{ secrets.APPLE_API_KEY }} | ||
| APPLE_API_ISSUER: ${{ secrets.APPLE_API_ISSUER }} | ||
| APPLE_KEY_B64: ${{ secrets.APPLE_KEY_B64 }} | ||
| APPLE_CERT_B64: ${{ secrets.APPLE_CERT_B64 }} | ||
| APPLE_CERT_PASSWORD: ${{ secrets.APPLE_CERT_PASSWORD }} | ||
| APPLE_KEYCHAIN_PASSWORD: ${{ secrets.APPLE_KEYCHAIN_PASSWORD }} | ||
| run: | | ||
| # extract apple cert | ||
| APPLE_CERT_PATH=$RUNNER_TEMP/apple_cert.p12 | ||
| KEYCHAIN_PATH=$RUNNER_TEMP/app-signing.keychain-db | ||
| echo -n "$APPLE_CERT_B64" | base64 --decode --output $APPLE_CERT_PATH | ||
| # extract apple key | ||
| mkdir -p ~/private_keys | ||
| APPLE_API_KEY_PATH=~/private_keys/AuthKey_$APPLE_API_KEY.p8 | ||
| echo -n "$APPLE_KEY_B64" | base64 --decode --output $APPLE_API_KEY_PATH | ||
| # create temp keychain | ||
| security create-keychain -p "$APPLE_KEYCHAIN_PASSWORD" $KEYCHAIN_PATH | ||
| security default-keychain -s $KEYCHAIN_PATH | ||
| security set-keychain-settings -lut 21600 $KEYCHAIN_PATH | ||
| security unlock-keychain -p "$APPLE_KEYCHAIN_PASSWORD" $KEYCHAIN_PATH | ||
| # import keychain | ||
| security import $APPLE_CERT_PATH -P $APPLE_CERT_PASSWORD -A -t cert -f pkcs12 -k $KEYCHAIN_PATH | ||
| security find-identity -v $KEYCHAIN_PATH -p codesigning | ||
| security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k $APPLE_KEYCHAIN_PASSWORD $KEYCHAIN_PATH | ||
| - name: Install dependencies | ||
| run: | | ||
| cd ${{ matrix.app }} | ||
| npm install | ||
| - name: Build | ||
| run: | | ||
| cd ${{ matrix.app }} | ||
| npm run build | ||
| - name: Package into executable bundle | ||
| env: | ||
| APPLE_CERT_ID: ${{ secrets.APPLE_CERT_ID }} | ||
| APPLE_API_KEY: ${{ secrets.APPLE_API_KEY }} | ||
| APPLE_API_ISSUER: ${{ secrets.APPLE_API_ISSUER }} | ||
| APPLE_KEY_B64: ${{ secrets.APPLE_KEY_B64 }} | ||
| APPLE_CERT_B64: ${{ secrets.APPLE_CERT_B64 }} | ||
| APPLE_CERT_PASSWORD: ${{ secrets.APPLE_CERT_PASSWORD }} | ||
| APPLE_KEYCHAIN_PASSWORD: ${{ secrets.APPLE_KEYCHAIN_PASSWORD }} | ||
| run: | | ||
| cd ${{ matrix.app }} | ||
| npm run package | ||
| # APP_PATH="out/${{ matrix.app }}-darwin-arm64/${{ matrix.app }}.app" | ||
| # BINARY_PATH="$APP_PATH/Contents/MacOS/${{ matrix.app }}" | ||
| # /usr/bin/codesign --deep -f -v --timestamp -o runtime,library -s $APPLE_CERT_ID $BINARY_PATH | ||
| # xcrun notarytool submit -k ~/private_keys/AuthKey_$APPLE_API_KEY.p8 -d $APPLE_API_KEY -i $APPLE_API_ISSUER --wait --timeout 10m $APP_PATH | ||
| - name: Make distributables | ||
| run: | | ||
| cd ${{ matrix.app }} | ||
| npm run make --skip-package | ||
| - name: Upload | ||
| uses: actions/upload-artifact@v3 | ||
| with: | ||
| name: ${{ matrix.app }} | ||
| path: make/zip/darwin/arm64/${{ matrix.app }}-darwin-arm64.zip | ||
| windows: | ||
| strategy: | ||
| matrix: | ||
| node: [20] | ||
| app: [hostd, renterd] | ||
| runs-on: windows-latest | ||
| steps: | ||
| - uses: actions/checkout@v3 | ||
| - uses: actions/setup-node@v3 | ||
| with: | ||
| node-version: ${{ matrix.node }} | ||
| - name: Setup signing | ||
| shell: bash | ||
| run: | | ||
| dotnet tool install --global AzureSignTool | ||
| - name: Install dependencies | ||
| run: | | ||
| cd ${{ matrix.app }} | ||
| npm install | ||
| - name: Build | ||
| run: | | ||
| cd ${{ matrix.app }} | ||
| npm run build | ||
| - name: Package into executable bundle | ||
| shell: bash | ||
| env: | ||
| run: | | ||
| cd ${{ matrix.app }} | ||
| npm run package | ||
| # TODO: probably not correct | ||
| APP_PATH="out/${{ matrix.app }}-win32-x64/${{ matrix.app }}.app" | ||
| BINARY_PATH="$APP_PATH/Contents/Windows/${{ matrix.app }}.exe" | ||
| azuresigntool sign -kvu "${{ secrets.AZURE_KEY_VAULT_URI }}" -kvi "${{ secrets.AZURE_CLIENT_ID }}" -kvt "${{ secrets.AZURE_TENANT_ID }}" -kvs "${{ secrets.AZURE_CLIENT_SECRET }}" -kvc ${{ secrets.AZURE_CERT_NAME }} -tr http://timestamp.digicert.com -v $BINARY_PATH | ||
| - name: Make distributables | ||
| run: | | ||
| cd ${{ matrix.app }} | ||
| npm run make --skip-package | ||
| - name: Upload | ||
| uses: actions/upload-artifact@v3 | ||
| with: | ||
| name: ${{ matrix.app }} | ||
| # TODO: probably not correct | ||
| path: make/zip/win32/x64/${{ matrix.app }}-win32-x64.zip | ||
