CI: Explicitly pass through secrets to codesign actions

YuriSizov · Jun 5, 2024 · 133c077 · 133c077
1 parent d36110e
commit 133c077
Show file tree

Hide file tree

Showing 4 changed files with 32 additions and 10 deletions.
diff --git a/.github/actions/upload-extension/action.yml b/.github/actions/upload-extension/action.yml
@@ -6,6 +6,20 @@ inputs:
     description: Flag that enables the codesign routine for platforms that support it.
     default: false
 
+  # Explicit secrets passthrough for codesign.
+  apple-cert-base64:
+    required: true
+  apple-cert-password:
+    required: true
+  apple-dev-id:
+    required: true
+  apple-dev-app-id:
+    required: true
+  apple-dev-team-id:
+    required: true
+  apple-dev-password:
+    required: true
+
 runs:
   using: "composite"
   steps:
@@ -33,8 +47,8 @@ runs:
       with:
         setup-env: true
 
-        apple-cert-base64:   ${{ secrets.APPLE_CERT_BASE64 }}
-        apple-cert-password: ${{ secrets.APPLE_CERT_PASSWORD }}
+        apple-cert-base64:   ${{ inputs.apple-cert-base64 }}
+        apple-cert-password: ${{ inputs.apple-cert-password }}
 
     - name: Sign the binaries (macOS, debug)
       if: ${{ env.SCONS_PLATFORM == 'macos' && inputs.sign-extension }}
@@ -44,10 +58,10 @@ runs:
         directory: bin
         target-name: libgdsion.macos.template_debug.framework
 
-        apple-dev-id:        ${{ secrets.APPLE_DEV_ID }}
-        apple-dev-app-id:    ${{ secrets.APPLE_DEV_APP_ID }}
-        apple-dev-team-id:   ${{ secrets.APPLE_DEV_TEAM_ID }}
-        apple-dev-password:  ${{ secrets.APPLE_DEV_PASSWORD }}
+        apple-dev-id:        ${{ inputs.apple-dev-id }}
+        apple-dev-app-id:    ${{ inputs.apple-dev-app-id }}
+        apple-dev-team-id:   ${{ inputs.apple-dev-team-id }}
+        apple-dev-password:  ${{ inputs.apple-dev-password }}
 
     - name: Sign the binaries (macOS, release)
       if: ${{ env.SCONS_PLATFORM == 'macos' && inputs.sign-extension }}
@@ -57,10 +71,10 @@ runs:
         directory: bin
         target-name: libgdsion.macos.template_release.framework
 
-        apple-dev-id:        ${{ secrets.APPLE_DEV_ID }}
-        apple-dev-app-id:    ${{ secrets.APPLE_DEV_APP_ID }}
-        apple-dev-team-id:   ${{ secrets.APPLE_DEV_TEAM_ID }}
-        apple-dev-password:  ${{ secrets.APPLE_DEV_PASSWORD }}
+        apple-dev-id:        ${{ inputs.apple-dev-id }}
+        apple-dev-app-id:    ${{ inputs.apple-dev-app-id }}
+        apple-dev-team-id:   ${{ inputs.apple-dev-team-id }}
+        apple-dev-password:  ${{ inputs.apple-dev-password }}
 
     # Windows-specific steps.
 

diff --git a/.github/workflows/build-release-tagged.yml b/.github/workflows/build-release-tagged.yml
@@ -24,6 +24,7 @@ jobs:
   build-macos:
     name: Compile and upload macOS version
     uses: ./.github/workflows/extension-build-macos.yml
+    secrets: inherit
     with:
       git-base-ref: ${{ github.ref }}
       with-codesign: true

diff --git a/.github/workflows/build-release-unstable.yml b/.github/workflows/build-release-unstable.yml
@@ -23,6 +23,7 @@ jobs:
   build-macos:
     name: Compile and upload macOS version
     uses: ./.github/workflows/extension-build-macos.yml
+    secrets: inherit
     with:
       git-base-ref: 'main'
       with-codesign: true

diff --git a/.github/workflows/extension-build-macos.yml b/.github/workflows/extension-build-macos.yml
@@ -49,3 +49,9 @@ jobs:
         uses: ./.github/actions/upload-extension
         with:
           sign-extension: ${{ inputs.with-codesign }}
+          apple-cert-base64:   ${{ secrets.APPLE_CERT_BASE64 }}
+          apple-cert-password: ${{ secrets.APPLE_CERT_PASSWORD }}
+          apple-dev-id:        ${{ secrets.APPLE_DEV_ID }}
+          apple-dev-app-id:    ${{ secrets.APPLE_DEV_APP_ID }}
+          apple-dev-team-id:   ${{ secrets.APPLE_DEV_TEAM_ID }}
+          apple-dev-password:  ${{ secrets.APPLE_DEV_PASSWORD }}