Skip to content

Commit

Permalink
build: sign and notarize macos releases
Browse files Browse the repository at this point in the history
  • Loading branch information
asimpson committed Aug 23, 2021
1 parent 10101fb commit b14f857
Show file tree
Hide file tree
Showing 4 changed files with 63 additions and 4 deletions.
8 changes: 7 additions & 1 deletion .github/workflows/go.yml
Original file line number Diff line number Diff line change
@@ -1,13 +1,14 @@
name: build releases

on:
workflow_dispatch:
release:
types: [published]

jobs:

build:
runs-on: ubuntu-latest
runs-on: macos-latest
steps:
- uses: actions/checkout@v2

Expand All @@ -18,3 +19,8 @@ jobs:

- name: build binaries
run: GITHUB_TOKEN=${{ secrets.GITHUB_TOKEN }} ./build.sh
env:
AC_USERNAME: ${{ secrets.AC_USERNAME }}
AC_PASSWORD: ${{ secrets.AC_PASSWORD }}
APPLE_DEVELOPER_CERTIFICATE_P12_BASE64: ${{ secrets.APPLE_DEVELOPER_CERTIFICATE_P12_BASE64 }}
APPLE_DEVELOPER_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_DEVELOPER_CERTIFICATE_PASSWORD }}
11 changes: 11 additions & 0 deletions amd64-darwin-sb-gon-config.json
Original file line number Diff line number Diff line change
@@ -0,0 +1,11 @@
{
"source" : ["./amd64-darwin-sb"],
"bundle_id" : "com.sparkbox.sb",
"sign" :{
"application_identity" : "Developer ID Application: Rob Harr (J77MB48G77)"
},
"dmg" :{
"output_path" : "./amd64-darwin-sb.dmg",
"volume_name" : "amd64-sb"
}
}
11 changes: 11 additions & 0 deletions arm64-darwin-sb-gon-config.json
Original file line number Diff line number Diff line change
@@ -0,0 +1,11 @@
{
"source" : ["./arm64-darwin-sb"],
"bundle_id" : "com.sparkbox.sb",
"sign" :{
"application_identity" : "Developer ID Application: Rob Harr (J77MB48G77)"
},
"dmg" :{
"output_path" : "./arm64-darwin-sb.dmg",
"volume_name" : "arm-sb"
}
}
37 changes: 34 additions & 3 deletions build.sh
Original file line number Diff line number Diff line change
Expand Up @@ -4,24 +4,55 @@
# https://docs.github.com/en/actions/reference/environment-variables#default-environment-variables
GIT_TAG=$(jq .release.tag_name < "${GITHUB_EVENT_PATH}" | sed -e 's/"//g')
UPLOAD_URL=$(jq .release.upload_url < "${GITHUB_EVENT_PATH}" | sed -e 's/"//g' | cut -d "{" -f 1)
CERT_FILE="${HOME}/developer_id_certificate.p12"
RELEASES="arm64-darwin-sb amd64-linux-sb amd64-darwin-sb"

upload_file() {
NAME=$1

zip "${NAME}.zip" "${NAME}"
if [ "${NAME}" = "amd64-linux-sb" ]; then
zip "${NAME}.zip" "${NAME}"
NAME="${NAME}.zip"
else
NAME="${NAME}.dmg"
fi

curl -H "Accept: application/vnd.github.v3+json" \
-H "Authorization: Bearer ${GITHUB_TOKEN}" \
-H "Content-Type: application/zip" \
--data-binary "@${NAME}.zip" \
"${UPLOAD_URL}?name=${NAME}.zip"
--data-binary "@${NAME}" \
"${UPLOAD_URL}?name=${NAME}"
}

setup_keychain() {
echo "${APPLE_DEVELOPER_CERTIFICATE_P12_BASE64}" | base64 --decode > "${CERT_FILE}"
EPHEMERAL_KEYCHAIN="ci-ephemeral-keychain"
EPHEMERAL_KEYCHAIN_PASSWORD="$(openssl rand -base64 100)"
security create-keychain -p "${EPHEMERAL_KEYCHAIN_PASSWORD}" "${EPHEMERAL_KEYCHAIN}"
EPHEMERAL_KEYCHAIN_FULL_PATH="${HOME}/Library/Keychains/${EPHEMERAL_KEYCHAIN}-db"
security import "${CERT_FILE}" -k "${EPHEMERAL_KEYCHAIN_FULL_PATH}" -P "${APPLE_DEVELOPER_CERTIFICATE_PASSWORD}" -T "$(command -v codesign)"
security set-key-partition-list -S "apple-tool:,apple:" -s -k "${EPHEMERAL_KEYCHAIN_PASSWORD}" "${EPHEMERAL_KEYCHAIN_FULL_PATH}"
security default-keychain -d "user" -s "${EPHEMERAL_KEYCHAIN_FULL_PATH}"
}

sign() {
PLATFORM=$1
gon -log-json -log-level=info "./${PLATFORM}-gon-config.json"
}

setup_keychain
brew tap mitchellh/gon
brew install mitchellh/gon/gon

for PLATFORM in ${RELEASES}; do
GOOS=$(echo "${PLATFORM}" | cut -d - -f 2) \
GOARCH=$(echo "${PLATFORM}" | cut -d - -f 1) \
go build -o "${PLATFORM}" -a -ldflags="-X 'sb/cmd.AppVersion=${GIT_TAG}'"

if [ "${PLATFORM}" != "amd64-linux-sb" ]; then
sign "${PLATFORM}"
fi

if [ "${UPLOAD_URL}" != null ]; then
upload_file "${PLATFORM}"
fi
Expand Down

0 comments on commit b14f857

Please sign in to comment.