-
Notifications
You must be signed in to change notification settings - Fork 0
137 lines (130 loc) · 5.65 KB
/
buildapp.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
name: Build app
on:
push:
branches: [ main ]
pull_request:
branches: [ main ]
workflow_dispatch: {}
jobs:
build:
strategy:
matrix:
target: [release, app-store]
runs-on: macos-latest
steps:
- uses: actions/checkout@v2
- name: Set up Python
uses: actions/setup-python@v2
with:
python-version: "3.10"
- name: Check actions to perform
run: |
set -x
if [ -n '${{ secrets.APPLE_ID}}' ] && [ '${{ matrix.target }}' == release ]; then
echo "should_notarize_app=yes" >> "$GITHUB_ENV"
fi
if [[ "${{ github.event_name }}" == 'workflow_dispatch' || "${{ github.ref }}" == 'refs/heads/main' ]]; then
echo "should_upload_app=yes" >> "$GITHUB_ENV"
fi
if [ '${{ matrix.target }}' == release ]; then
echo "NAME_QUALIFIER=" >> "$GITHUB_ENV"
else
echo "NAME_QUALIFIER=-${{ matrix.target }}" >> "$GITHUB_ENV"
fi
- name: Will notarize
if: env.should_notarize_app
run: echo "Will notarize app"
- name: Will upload
if: env.should_upload_app
run: echo "Will upload app"
- name: Pip install
run: |
python -m pip install --upgrade pip
python -m pip install --upgrade dmgbuild
- name: Create temporary keychain
run: |
set -eu -o pipefail
## Create and populate a temporary keychain with our cert.
# We need the "Apple Development" one for building, and then "Developer ID" one for notarizing
keychain_path="$RUNNER_TEMP/app-signing.keychain-db"
keychain_password="$(uuidgen)"
security create-keychain -p "$keychain_password" "$keychain_path"
security set-keychain-settings -lut 21600 "$keychain_path"
security unlock-keychain -p "$keychain_password" "$keychain_path"
echo "KEYCHAIN_PATH=$keychain_path" >> "$GITHUB_ENV"
- name: Confirm keychain
run: |
set -eu -o pipefail
set -x
security list-keychain -d user -s "$KEYCHAIN_PATH"
security list-keychain
- name: Import build cert
run: |
set -eu o pipefail
certificate_path="$RUNNER_TEMP/build_certificate.p12"
echo -n "$BUILD_P12_BASE64" | base64 --decode > "$certificate_path"
security import "$certificate_path" -P "$BUILD_P12_PASSPHRASE" -A -t cert -f pkcs12 -k "$KEYCHAIN_PATH"
env:
BUILD_P12_BASE64: ${{ secrets.BUILD_P12_BASE64 }} # the "Apple Development" one, though "Mac Developer ID" also seems to work (that's what I'm using now)
BUILD_P12_PASSPHRASE: ${{ secrets.BUILD_P12_PASSPHRASE }}
- name: Import notarization cert
run: |
set -eu -o pipefail
dev_id_certificate_path="$RUNNER_TEMP/build_dev_id.cer"
echo -n "$DEV_ID_CERTIFICATE_BASE64" | base64 --decode > "$dev_id_certificate_path"
security import "$dev_id_certificate_path" -k "$KEYCHAIN_PATH"
env:
DEV_ID_CERTIFICATE_BASE64: ${{ secrets.DEV_ID_CERTIFICATE_BASE64 }} # the "Developer ID Application" one
- name: Build
run: |
xcodebuild -scheme "whatdid-${{ matrix.target }}" build archive -archivePath build/whatdid
- name: Archive
if: env.should_upload_app
run: |
set -eu -o pipefail
/usr/bin/plutil -insert teamID -string "${APPLE_TEAM_ID}" buildscripts/archive-export.plist
/usr/bin/plutil -insert signingCertificate -string "${APPLE_SIGNING_CERT_NAME}" buildscripts/archive-export.plist
xcodebuild -exportArchive -archivePath build/whatdid.xcarchive -exportPath build -exportOptionsPlist buildscripts/archive-export.plist
env:
APPLE_SIGNING_CERT_NAME: ${{ secrets.APPLE_SIGNING_CERT_NAME }}
APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
- name: Notarize
if: env.should_upload_app && env.should_notarize_app
run: |
cd build
ditto -c -k --keepParent Whatdid*.app whatdid.zip
mkdir logs
mv DistributionSummary.plist Packaging.log logs/
xcrun notarytool store-credentials "AC_PASSWORD" --apple-id "$APPLE_ID" --team-id "$APPLE_TEAM_ID" --password "$APPLE_NOTARYTOOL_PASSWORD"
# tee /dev/fd/2 just tees out to stderr -- so we can see the response, but also capture it to a variable
notary_submission="$(xcrun notarytool submit whatdid.zip --keychain-profile AC_PASSWORD -f json | tee /dev/fd/2)"
echo "$notary_submission" | jq .
notary_id="$(echo "$notary_submission" | jq -r .id)"
notary_result="$(xcrun notarytool wait "$notary_id" --keychain-profile AC_PASSWORD -f json | tee /dev/fd/2)"
if [[ "$(echo "$notary_result" | jq -r .status)" != Accepted ]]; then
xcrun notarytool log "$notary_id" --keychain-profile AC_PASSWORD | jq .
fi
pwd
xcrun stapler staple Whatdid.app
spctl -vvv --assess --type exec ./Whatdid.app
env:
APPLE_ID: ${{ secrets.APPLE_ID }}
APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
APPLE_NOTARYTOOL_PASSWORD: ${{ secrets.APPLE_NOTARYTOOL_PASSWORD }}
- name: Create DMG
if: env.should_upload_app
run: |
app_name="$(cd build; echo *.app)" # "whatdid.app" or "whatdid-app-store.app"
dmgbuild -s buildscripts/dmgbuild_settings.py -D "app=build/$app_name" "Whatdid" build/Whatdid.dmg
- name: Upload app
uses: actions/upload-artifact@v2
if: env.should_upload_app
with:
name: Whatdid${{ env.NAME_QUALIFIER }}.dmg
path: build/Whatdid.dmg
- name: Upload packaging logs
uses: actions/upload-artifact@v2
if: env.should_upload_app && env.should_notarize_app
with:
name: packaging-logs${{ env.NAME_QUALIFIER }}
path: build/logs