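name: Publish

# `on` is a YAML 1.1 boolean key; GitHub's loader handles it.
on: # yamllint disable-line rule:truthy
  push:
    tags:
      - '*'

# Least privilege for the automatic GITHUB_TOKEN: checkout and artifact upload
# only need read access. The release upload and the cask bump authenticate with
# the RELEASE_UPLOADER PAT from secrets, not GITHUB_TOKEN, so no write scope is
# required here.
permissions:
  contents: read

jobs:
  build-release-cli:
    name: Build Release CLI
    runs-on: macos-14
    strategy:
      matrix:
        architecture:
          - x86_64
          - arm64
      fail-fast: false
    steps:
      # NOTE(review): the mutable tags below (`@v4`, `@v2`) resolve to whatever
      # the action maintainer currently publishes. Pinning each `uses:` to a
      # full commit SHA (tag kept in a trailing comment) makes the build
      # reproducible and tamper-evident; this matters most for the third-party
      # release-upload action, which receives the RELEASE_UPLOADER PAT.
      - name: Checkout Repo
        uses: actions/checkout@v4
      - name: Select Xcode Version
        run: sudo xcode-select --switch /Applications/Xcode_15.0.1.app/Contents/Developer
      - name: Build SafeDITool
        # matrix.architecture is defined in this file, so expression
        # interpolation here is not exposed to external input.
        run: xcrun swift build -c release --product SafeDITool --arch ${{ matrix.architecture }}
      - name: Give SafeDITool executable permissions
        run: chmod +x .build/*/release/SafeDITool
      - name: Make codesigning folder
        run: |
          mkdir codesign
          cp .build/*/release/SafeDITool codesign/
      - name: Codesign
        # Secrets reach the shell through the environment instead of being
        # interpolated into the script text with ${{ }}: the runner no longer
        # expands secret values into the command line, and quoting "$VAR" keeps
        # a value containing spaces or shell metacharacters intact.
        env:
          BASE_64_ENCODED_P12: ${{ secrets.BASE_64_ENCODED_P12 }}
          P12_PASSWORD: ${{ secrets.P12_PASSWORD }}
          DEVELOPER_ID_CERTIFICATE: ${{ secrets.DEVELOPER_ID_CERTIFICATE }}
        run: |
          # Decode the p12 certificate
          printf '%s' "$BASE_64_ENCODED_P12" | base64 --decode > codesign/certificate.p12
          # Create a new keychain (throwaway, lives only for this job on an ephemeral runner)
          security create-keychain -p "" build.keychain
          # Import the p12 into the keychain; -T lets codesign use the key
          security import codesign/certificate.p12 -k build.keychain -P "$P12_PASSWORD" -T /usr/bin/codesign
          # Add the new keychain to the list of keychains to search
          security list-keychains -s build.keychain
          # Make the new keychain the default keychain
          security default-keychain -s build.keychain
          # Unlock the keychain so it can be used
          security unlock-keychain -p "" build.keychain
          # Allows codesign access to the keys in the keychain without user interaction
          security set-key-partition-list -S apple-tool:,apple: -s -k "" build.keychain
          # Codesign
          codesign --force --options runtime --timestamp --sign "$DEVELOPER_ID_CERTIFICATE" codesign/SafeDITool
      - name: Notarize
        env:
          NOTARY_P8: ${{ secrets.NOTARY_P8 }}
          NOTARY_KEY_ID: ${{ secrets.NOTARY_KEY_ID }}
          NOTARY_ISSUER_ID: ${{ secrets.NOTARY_ISSUER_ID }}
        run: |
          # Create zip of the signed tool
          pushd codesign && zip -r SafeDITool.zip SafeDITool && popd
          # Delete the loose copy; the zip is unpacked in its place after notarization
          rm codesign/SafeDITool
          # Create p8 file (removed again by the Cleanup step)
          printf '%s\n' "$NOTARY_P8" > "codesign/AuthKey_${NOTARY_KEY_ID}.p8"
          # Notarize. --wait blocks until Apple returns a verdict, so a rejected
          # submission fails this step instead of letting the upload steps below
          # publish a binary that was never actually notarized.
          xcrun notarytool submit codesign/SafeDITool.zip --wait --key "codesign/AuthKey_${NOTARY_KEY_ID}.p8" --key-id "$NOTARY_KEY_ID" --issuer "$NOTARY_ISSUER_ID"
      - name: Unzip notarized tool
        run: pushd codesign && unzip SafeDITool.zip && popd
      - name: Upload SafeDITool artifact
        uses: actions/upload-artifact@v4
        with:
          name: SafeDITool-${{ matrix.architecture }}
          path: codesign/SafeDITool
      - name: Upload SafeDITool as release binary
        uses: svenstaro/upload-release-action@v2
        with:
          repo_token: ${{ secrets.RELEASE_UPLOADER }}
          file: codesign/SafeDITool
          tag: ${{ github.ref }}
          asset_name: SafeDITool-${{ matrix.architecture }}
          overwrite: false
      - name: Cleanup
        if: always() # This ensures that the cleanup step runs even if earlier steps fail
        run: |
          # Remove the decoded certificate and notary key first: under the
          # step's `bash -e`, a failing delete-keychain (e.g. the keychain was
          # never created because an earlier step failed) would otherwise abort
          # before the key material on disk is removed.
          rm -rf codesign
          # Tolerate an absent keychain for the same reason.
          security delete-keychain build.keychain || true
  bump-cask:
    name: Create Cask Bumping PR
    runs-on: macos-14
    needs: build-release-cli
    steps:
      - name: Bump Brew Version
        # The token is scoped to this step's environment rather than appended
        # to ~/.bash_profile: that file persisted the PAT on the runner's disk,
        # and a non-login `bash -e` step shell does not source it, so the
        # export most likely never reached brew in the same step. The tag name
        # is passed through env as well so the ref is not expanded into the
        # script text by ${{ }}.
        env:
          HOMEBREW_GITHUB_API_TOKEN: ${{ secrets.RELEASE_UPLOADER }}
          TAG_NAME: ${{ github.ref_name }}
        run: |
          git config --global user.name "Dan Federman"
          # NOTE(review): the address as captured on this page reads
          # "[email protected]" — confirm the real value in the repository.
          git config --global user.email "[email protected]"
          brew tap dfed/safedi
          brew bump-cask-pr --no-fork --version "$TAG_NAME" dfed/safedi/safeditool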