From 3abfe1a00f76f061b3cbb206820f4d81c0ec9427 Mon Sep 17 00:00:00 2001
From: paulober <44974737+paulober@users.noreply.github.com>
Date: Thu, 8 Jun 2023 17:19:53 +0200
Subject: [PATCH] Add macOS pkg installer to deployment

---
 .github/workflows/deployment.yml |  14 +++++
 .goreleaser.yml                  |   2 +-
 build/macOS/distribution.xml     |  19 ++++++
 script/pkgmacos                  | 104 +++++++++++++++++++++++++++++++
 4 files changed, 138 insertions(+), 1 deletion(-)
 create mode 100644 build/macOS/distribution.xml
 create mode 100755 script/pkgmacos

diff --git a/.github/workflows/deployment.yml b/.github/workflows/deployment.yml
index 3974737aae7..e866eea1163 100644
--- a/.github/workflows/deployment.yml
+++ b/.github/workflows/deployment.yml
@@ -110,6 +110,19 @@ jobs:
         run: |
           shopt -s failglob
           script/sign dist/gh_*_macOS_*.zip
+      - name: Build universal macOS pkg installer
+        if: inputs.environment != 'production'
+        env:
+          TAG_NAME: ${{ inputs.tag_name }}
+        run: script/pkgmacos "$TAG_NAME"
+      - name: Build & notarize universal macOS pkg installer
+        if: inputs.environment == 'production'
+        env:
+          TAG_NAME: ${{ inputs.tag_name }}
+          APPLE_DEVELOPER_INSTALLER_ID: ${{ vars.APPLE_DEVELOPER_INSTALLER_ID }}
+        run: |
+          shopt -s failglob
+          script/pkgmacos "$TAG_NAME"
       - uses: actions/upload-artifact@v3
         with:
           name: macos
@@ -118,6 +131,7 @@ jobs:
           path: |
             dist/*.tar.gz
             dist/*.zip
+            dist/*.pkg
   
   windows:
     runs-on: windows-latest
diff --git a/.goreleaser.yml b/.goreleaser.yml
index f441156e3fb..7e742429213 100644
--- a/.goreleaser.yml
+++ b/.goreleaser.yml
@@ -10,7 +10,7 @@ before:
     - >-
       {{ if eq .Runtime.Goos "windows" }}echo{{ end }} make manpages GH_VERSION={{.Version}}
     - >-
-      {{ if ne .Runtime.Goos "linux" }}echo{{ end }} make completions
+      {{ if ne .Runtime.Goos "windows" }}echo{{ end }} make completions
 
 builds:
   - id: macos #build:macos
diff --git a/build/macOS/distribution.xml b/build/macOS/distribution.xml
new file mode 100644
index 00000000000..35f14d930f0
--- /dev/null
+++ b/build/macOS/distribution.xml
@@ -0,0 +1,19 @@
+<?xml version="1.0" encoding="utf-8" standalone="yes"?>
+<installer-gui-script minSpecVersion="1">
+    <title>Github Cli</title>
+    <license file="LICENSE" mime-type="text/plain"/>
+    <options hostArchitectures="arm64,x86_64" customize="never" require-scripts="false" allow-external-scripts="false"/>
+    <domains enable_localSystem="true"/>
+    
+    <choices-outline>
+        <line choice="gh-cli"/>
+    </choices-outline>
+    <choice id="gh-cli" title="Github Cli (universal)">
+        <pkg-ref id="com.github.cli.pkg"/>
+    </choice>
+
+    <pkg-ref id="com.github.cli.pkg" auth="Root" packageIdentifier="com.github.cli">#com.github.cli.pkg</pkg-ref>
+    <pkg-ref id="com.github.cli.pkg" auth="Root" packageIdentifier="com.github.cli">
+        <bundle-version/>
+    </pkg-ref>
+</installer-gui-script>
diff --git a/script/pkgmacos b/script/pkgmacos
new file mode 100755
index 00000000000..3659123b1db
--- /dev/null
+++ b/script/pkgmacos
@@ -0,0 +1,104 @@
+#!/bin/zsh
+set -e
+
+print_help() {
+    cat <<EOF
+To build a universal pkg for macOS:
+  script/pkgmacos <tag-name>
+
+To build and sign set APPLE_DEVELOPER_INSTALLER_ID environment variable before.
+For example, if you have a signing identity with the identifier 
+"Developer ID Installer: Your Name (ABC123DEF)" set it in the variable.
+EOF
+}
+
+if [ $# -eq 0 ]; then
+  print_help >&2
+  exit 1
+fi
+
+tag_name=""
+
+while [ $# -gt 0 ]; do
+  case "$1" in
+  -h | --help )
+    print_help
+    exit 0
+    ;;
+  -* )
+    printf "unrecognized flag: %s\n" "$1" >&2
+    exit 1
+    ;;
+  * )
+    tag_name="$1"
+    shift 1
+    ;;
+  esac
+done
+
+# gh-binary paths
+bin_path="/bin/gh"
+arm64_bin="dist/macos_darwin_arm64$bin_path"
+amd64_bin="dist/macos_darwin_amd64_v1$bin_path"
+# payload paths
+payload_root="pkg_payload"
+payload_local_bin="${payload_root}/usr/local/bin"
+payload_zsh_site_functions="${payload_root}/usr/local/share/zsh/site-functions"
+payload_man1="${pkg_payload}/usr/local/share/man/man1"
+
+merge_binaries() {
+    lipo -create -output "${payload_local_bin}/gh" "$arm64_bin" "$amd64_bin"
+}
+
+build_pkg() {
+    # setup payload
+    mkdir -p "${payload_local_bin}"
+    mkdir -p "${payload_man1}"
+    mkdir -p "${payload_zsh_site_functions}"
+
+    # copy man pages
+    for file in "./share/man/man1/gh*.1"; do
+        cp "$file" "${payload_man1}"
+    done
+    # Include only Zsh completions,
+    # the recommended/only option on macOS since Catalina for default shell.
+    cp "./share/zsh/site-functions/_gh" "${payload_zsh_site_functions}"
+
+    # merge binaries
+    merge_binaries
+
+    # build pkg
+    pkgbuild \
+    --root "$payload_root" \
+    --identifier "com.github.cli" \
+    --version "$tag_name" \
+    --install-location "/" \
+    "dist/com.github.cli.pkg"
+
+    # setup resources
+    mkdir "build/macOS/resources"
+    cp "LICENSE" "build/macOS/resources"
+
+    # build distribution
+    if [ -n "$APPLE_DEVELOPER_INSTALLER_ID" ]; then
+        # build and sign production package with license
+        productbuild \
+        --distribution "./build/macOS/distribution.xml" \
+        --resources "./build/macOS/resources" \
+        --package-path "./dist" \
+        --timestamp \
+        --sign "${APPLE_DEVELOPER_INSTALLER_ID?}" \
+        "./dist/gh_${tag_name}_macOS_universal.pkg"
+    else
+        echo "skipping macOS pkg code-signing; APPLE_DEVELOPER_INSTALLER_ID not set" >&2
+
+        # build production package with license without signing
+        productbuild \
+        --distribution "./build/macOS/distribution.xml" \
+        --resources "./build/macOS/resources" \
+        --package-path "./dist" \
+        "./dist/gh_${tag_name}_macOS_universal.pkg"
+    fi
+}
+
+build_pkg