[GHA MAC] Move from matrix to composite action
Will make it easier (and cleaner) to separate the signing step for the 4 macOS CI release builds
1 parent
fcab28e
commit 46f4d4b
Showing
2 changed files
with
146 additions
and
130 deletions.
@@ -0,0 +1,102 @@ | ||
name: 'MacOS Notaring Signing' | ||
description: 'Greet someone' | ||
inputs: | ||
# Matrix variables | ||
toSignedZipName: | ||
description: '[string] Name of the generated zip archive to turn in file.dmg (should only be filename, w/o extension -ie `.zip` part)' | ||
required: true | ||
default: 'Gama1.7-macosx.cocoa.x86_64' | ||
IS_WITH_JDK: | ||
description: '[bool] Reverse list order to sign application' | ||
required: false | ||
default: false | ||
# Get secrets | ||
MACOS_CERTIFICATE: | ||
required: true | ||
MACOS_CERTIFICATE_PWD: | ||
required: true | ||
MACOS_KEYCHAIN_PWD: | ||
required: true | ||
MACOS_DEV_ID: | ||
required: true | ||
NOTARY_APPLE_ID: | ||
required: true | ||
NOTARY_PASSWORD: | ||
required: true | ||
NOTARY_TEAM_ID: | ||
required: true | ||
|
||
runs: | ||
using: "composite" | ||
steps: | ||
- name: Prepare vm | ||
run: | | ||
# Change XCode version | ||
sudo xcode-select -s "/Applications/Xcode_13.0.app" | ||
export JAVA_HOME=$JAVA_HOME_11_X64 | ||
mkdir -p ${{ github.workspace }}/artifacts/work | ||
- uses: actions/download-artifact@v2 | ||
with: | ||
name: gama-mac-unsigned | ||
path: ./artifacts/ | ||
|
||
- name: Create Keychain | ||
env: | ||
MACOS_CERTIFICATE: ${{ secrets.MACOS_CERTIFICATE }} | ||
MACOS_CERTIFICATE_PWD: ${{ secrets.MACOS_CERTIFICATE_PWD }} | ||
MACOS_KEYCHAIN_PWD: ${{ secrets.MACOS_KEYCHAIN_PWD }} | ||
run: | | ||
# Prepare the keychain - Based on https://localazy.com/blog/how-to-automatically-sign-macos-apps-using-github-actions | ||
security create-keychain -p "$MACOS_KEYCHAIN_PWD" build.keychain | ||
security default-keychain -s build.keychain | ||
security unlock-keychain -p "$MACOS_KEYCHAIN_PWD" build.keychain | ||
# Prepare certificate | ||
echo "$MACOS_CERTIFICATE" | base64 --decode > certificate.p12 | ||
security import certificate.p12 -k build.keychain -P "$MACOS_CERTIFICATE_PWD" -T /usr/bin/codesign | ||
security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$MACOS_KEYCHAIN_PWD" build.keychain | ||
- name: Sign Application | ||
env: | ||
working_directory: ${{ github.workspace }}/artifacts/work | ||
# Variables | ||
MACOS_DEV_ID: ${{ secrets.MACOS_DEV_ID }} | ||
MACOS_KEYCHAIN_PWD: ${{ secrets.MACOS_KEYCHAIN_PWD }} | ||
IS_WITH_JDK: ${{ inputs.IS_WITH_JDK }} | ||
run: | | ||
# Unlock | ||
security unlock-keychain -p "$MACOS_KEYCHAIN_PWD" build.keychain | ||
unzip -q ${{ github.workspace }}/artifacts/${{ inputs.toSignedZipName }}.zip -d . && rm ${{ github.workspace }}/artifacts/*.zip | ||
# Sign everything inside app | ||
bash ${{ github.workspace }}/artifacts/mac-sign.sh | ||
wget https://raw.githubusercontent.com/gama-platform/gama/$( echo $GITHUB_SHA )/ummisco.gama.product/extraresources/entitlements.plist && plutil -convert xml1 ./entitlements.plist && plutil -lint ./entitlements.plist | ||
codesign --entitlements "./entitlements.plist" --timestamp --options=runtime --force -s "$MACOS_DEV_ID" -v ./Gama.app/Contents/MacOS/Gama | ||
- name: Packaging signed Application w/o JDK | ||
env: | ||
working_directory: ${{ github.workspace }}/artifacts/work | ||
# Variables | ||
MACOS_DEV_ID: ${{ secrets.MACOS_DEV_ID }} | ||
MACOS_KEYCHAIN_PWD: ${{ secrets.MACOS_KEYCHAIN_PWD }} | ||
# Notarization variables | ||
NOTARY_APPLE_ID: ${{ secrets.NOTARY_APPLE_ID }} | ||
NOTARY_PASSWORD: ${{ secrets.NOTARY_PASSWORD }} | ||
NOTARY_TEAM_ID: ${{ secrets.NOTARY_TEAM_ID }} | ||
run: | | ||
# Unlock | ||
security unlock-keychain -p "$MACOS_KEYCHAIN_PWD" build.keychain | ||
# Make DMG - Based on : https://developer.apple.com/forums/thread/128166 | ||
hdiutil create -verbose -srcFolder ./Gama.app -o ./${{ inputs.toSignedZipName }}.dmg | ||
codesign -s "$MACOS_DEV_ID" --timestamp -f -v ./${{ inputs.toSignedZipName }}.dmg | ||
# Notarize dmg - Based on : https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/customizing_the_notarization_workflow#3087734 | ||
xcrun -v notarytool store-credentials "AC_PASSWORD" --apple-id "$NOTARY_APPLE_ID" --team-id "$NOTARY_TEAM_ID" --password "$NOTARY_PASSWORD" | ||
xcrun -v notarytool submit ./${{ inputs.toSignedZipName }}.dmg --keychain-profile "AC_PASSWORD" --wait | ||
xcrun -v stapler staple ./${{ inputs.toSignedZipName }}.dmg | ||
- uses: actions/upload-artifact@v3 | ||
env: | ||
working_directory: ${{ github.workspace }}/artifacts/work | ||
with: | ||
name: gama-mac-signed | ||
path: ./${{ inputs.toSignedZipName }}.dmg | ||
if-no-files-found: error # 'warn' or 'ignore' are also available, defaults to `warn` |
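Review bot: The steps read `${{ secrets.MACOS_CERTIFICATE }}` and friends (Create Keychain, Sign Application, Packaging) while the matching inputs declared at the top of the action (`MACOS_CERTIFICATE`, `MACOS_KEYCHAIN_PWD`, `MACOS_DEV_ID`, `NOTARY_*`) are never referenced; as far as I know the `secrets` context is not available inside a composite action, so these would expand to empty strings and the keychain would be created and the certificate imported with empty passwords — they should be `${{ inputs.MACOS_CERTIFICATE }}` etc. Each `run` step in a composite action also needs an explicit `shell:` key, which none of the four steps has, and `working_directory:` under `env:` is just an environment variable, not the step's `working-directory`, so every step actually runs in the workspace root. On the security side, `inputs.toSignedZipName` is spliced directly into shell text in the unzip, hdiutil, codesign, notarytool and stapler commands; pass it through `env` and quote it (`"$TO_SIGN_ZIP_NAME"`) so a caller-supplied value can never become shell injection. Finally, `certificate.p12` and `build.keychain` are left behind, which matters on self-hosted runners — add a last step with `if: always()` running `security delete-keychain build.keychain; rm -f certificate.p12`.
```yaml
    - name: Create Keychain
      shell: bash
      env:
        MACOS_CERTIFICATE: ${{ inputs.MACOS_CERTIFICATE }}
        MACOS_CERTIFICATE_PWD: ${{ inputs.MACOS_CERTIFICATE_PWD }}
        MACOS_KEYCHAIN_PWD: ${{ inputs.MACOS_KEYCHAIN_PWD }}
      run: |
        # … unchanged: create-keychain / import / set-key-partition-list …
    - name: Sign Application
      shell: bash
      env:
        MACOS_DEV_ID: ${{ inputs.MACOS_DEV_ID }}
        MACOS_KEYCHAIN_PWD: ${{ inputs.MACOS_KEYCHAIN_PWD }}
        IS_WITH_JDK: ${{ inputs.IS_WITH_JDK }}
        TO_SIGN_ZIP_NAME: ${{ inputs.toSignedZipName }}
      run: |
        security unlock-keychain -p "$MACOS_KEYCHAIN_PWD" build.keychain
        unzip -q "${{ github.workspace }}/artifacts/$TO_SIGN_ZIP_NAME.zip" -d . && rm "${{ github.workspace }}"/artifacts/*.zip
        # … unchanged: mac-sign.sh, entitlements fetch, codesign …
    # … same shell:/inputs./env pattern for the Packaging step, using "$TO_SIGN_ZIP_NAME.dmg" …
    - name: Cleanup signing material
      if: always()
      shell: bash
      run: |
        security delete-keychain build.keychain || true
        rm -f certificate.p12
```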