[GHA MAC] Move from matrix to composite action
Will allow to more easily/prettily separate the signing of the 4 macOS builds
ci release
RoiArthurB committed Apr 25, 2022
1 parent fcab28e commit 46f4d4b
Showing 2 changed files with 146 additions and 130 deletions.
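--- /dev/null
+++ b/.github/actions/macOS-sign/action.yaml
@@ -0,0 +1,102 @@
+name: 'MacOS Notaring Signing'
+description: 'Greet someone'
+inputs:
+# Matrix variables
+toSignedZipName:
+description: '[string] Name of the generated zip archive to turn in file.dmg (should only be filename, w/o extension -ie `.zip` part)'
+required: true
+default: 'Gama1.7-macosx.cocoa.x86_64'
+IS_WITH_JDK:
+description: '[bool] Reverse list order to sign application'
+required: false
+default: false
+# Get secrets
+MACOS_CERTIFICATE:
+required: true
+MACOS_CERTIFICATE_PWD:
+required: true
+MACOS_KEYCHAIN_PWD:
+required: true
+MACOS_DEV_ID:
+required: true
+NOTARY_APPLE_ID:
+required: true
+NOTARY_PASSWORD:
+required: true
+NOTARY_TEAM_ID:
+required: true
+
+runs:
+using: "composite"
+steps:
+- name: Prepare vm
+run: |
+# Change XCode version
+sudo xcode-select -s "/Applications/Xcode_13.0.app"
+export JAVA_HOME=$JAVA_HOME_11_X64
+mkdir -p ${{ github.workspace }}/artifacts/work
+- uses: actions/download-artifact@v2
+with:
+name: gama-mac-unsigned
+path: ./artifacts/
+
+- name: Create Keychain
+env:
+MACOS_CERTIFICATE: ${{ secrets.MACOS_CERTIFICATE }}
+MACOS_CERTIFICATE_PWD: ${{ secrets.MACOS_CERTIFICATE_PWD }}
+MACOS_KEYCHAIN_PWD: ${{ secrets.MACOS_KEYCHAIN_PWD }}
+run: |
+# Prepare the keychain - Based on https://localazy.com/blog/how-to-automatically-sign-macos-apps-using-github-actions
+security create-keychain -p "$MACOS_KEYCHAIN_PWD" build.keychain
+security default-keychain -s build.keychain
+security unlock-keychain -p "$MACOS_KEYCHAIN_PWD" build.keychain
+# Prepare certificate
+echo "$MACOS_CERTIFICATE" | base64 --decode > certificate.p12
+security import certificate.p12 -k build.keychain -P "$MACOS_CERTIFICATE_PWD" -T /usr/bin/codesign
+security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$MACOS_KEYCHAIN_PWD" build.keychain
+- name: Sign Application
+env:
+working_directory: ${{ github.workspace }}/artifacts/work
+# Variables
+MACOS_DEV_ID: ${{ secrets.MACOS_DEV_ID }}
+MACOS_KEYCHAIN_PWD: ${{ secrets.MACOS_KEYCHAIN_PWD }}
+IS_WITH_JDK: ${{ inputs.IS_WITH_JDK }}
+run: |
+# Unlock
+security unlock-keychain -p "$MACOS_KEYCHAIN_PWD" build.keychain
+unzip -q ${{ github.workspace }}/artifacts/${{ inputs.toSignedZipName }}.zip -d . && rm ${{ github.workspace }}/artifacts/*.zip
+# Sign everything inside app
+bash ${{ github.workspace }}/artifacts/mac-sign.sh
+wget https://raw.githubusercontent.com/gama-platform/gama/$( echo $GITHUB_SHA )/ummisco.gama.product/extraresources/entitlements.plist && plutil -convert xml1 ./entitlements.plist && plutil -lint ./entitlements.plist
+codesign --entitlements "./entitlements.plist" --timestamp --options=runtime --force -s "$MACOS_DEV_ID" -v ./Gama.app/Contents/MacOS/Gama
+- name: Packaging signed Application w/o JDK
+env:
+working_directory: ${{ github.workspace }}/artifacts/work
+# Variables
+MACOS_DEV_ID: ${{ secrets.MACOS_DEV_ID }}
+MACOS_KEYCHAIN_PWD: ${{ secrets.MACOS_KEYCHAIN_PWD }}
+# Notarization variables
+NOTARY_APPLE_ID: ${{ secrets.NOTARY_APPLE_ID }}
+NOTARY_PASSWORD: ${{ secrets.NOTARY_PASSWORD }}
+NOTARY_TEAM_ID: ${{ secrets.NOTARY_TEAM_ID }}
+run: |
+# Unlock
+security unlock-keychain -p "$MACOS_KEYCHAIN_PWD" build.keychain
+# Make DMG - Based on : https://developer.apple.com/forums/thread/128166
+hdiutil create -verbose -srcFolder ./Gama.app -o ./${{ inputs.toSignedZipName }}.dmg
+codesign -s "$MACOS_DEV_ID" --timestamp -f -v ./${{ inputs.toSignedZipName }}.dmg
+# Notarize dmg - Based on : https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/customizing_the_notarization_workflow#3087734
+xcrun -v notarytool store-credentials "AC_PASSWORD" --apple-id "$NOTARY_APPLE_ID" --team-id "$NOTARY_TEAM_ID" --password "$NOTARY_PASSWORD"
+xcrun -v notarytool submit ./${{ inputs.toSignedZipName }}.dmg --keychain-profile "AC_PASSWORD" --wait
+xcrun -v stapler staple ./${{ inputs.toSignedZipName }}.dmg
+- uses: actions/upload-artifact@v3
+env:
+working_directory: ${{ github.workspace }}/artifacts/work
+with:
+name: gama-mac-signed
+path: ./${{ inputs.toSignedZipName }}.dmg
+if-no-files-found: error # 'warn' or 'ignore' are also available, defaults to `warn`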
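Review bot: The `env:` mappings of the Create Keychain, Sign Application and Packaging steps read `${{ secrets.MACOS_CERTIFICATE }}`, `${{ secrets.MACOS_DEV_ID }}`, `${{ secrets.NOTARY_PASSWORD }}` and the rest of the secret set, but a composite action is not given the `secrets` context, so those expressions resolve to empty strings and the inputs declared for exactly these values (`MACOS_CERTIFICATE` through `NOTARY_TEAM_ID`) are never read; with the current text `security create-keychain -p ""` builds an unprotected keychain and `security import` is handed an empty `.p12`. Every `${{ secrets.X }}` in this file should become `${{ inputs.X }}`, and each `run:` step of a composite action also needs an explicit `shell:` key (`shell: bash`), which none of the steps here carry. Separately, `bash ${{ github.workspace }}/artifacts/mac-sign.sh` executes a script taken from the unsigned build artifact while the Developer ID identity sits in the unlocked keychain, so whatever produces `gama-mac-unsigned` effectively decides what gets signed; that trust boundary deserves a comment next to the call. `description: 'Greet someone'` is template text and should state what the action does, and the `working_directory` env entries are plain environment variables, not the `working-directory` step key, so the steps run in the workspace root regardless.
```yaml
- name: Create Keychain
  shell: bash
  env:
    MACOS_CERTIFICATE: ${{ inputs.MACOS_CERTIFICATE }}
    MACOS_CERTIFICATE_PWD: ${{ inputs.MACOS_CERTIFICATE_PWD }}
    MACOS_KEYCHAIN_PWD: ${{ inputs.MACOS_KEYCHAIN_PWD }}
  run: |
    # … unchanged: keychain creation and certificate import …
```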
174 changes: 44 additions & 130 deletions .github/workflows/github-travis.yml
@@ -116,161 +116,75 @@ jobs:
needs: build
if: needs.build.outputs.continue_pipeline == 'true'
runs-on: macos-latest
strategy:
matrix:
toSignedZipName: [Gama1.7-macosx.cocoa.x86_64, Gama1.7-macosx.cocoa.x86_64_withJDK]
steps:
- name: Prepare vm
run: |
# Change XCode version
sudo xcode-select -s "/Applications/Xcode_13.0.app"
export JAVA_HOME=$JAVA_HOME_11_X64
mkdir -p ${{ github.workspace }}/artifacts/work
- uses: actions/download-artifact@v2
- name: toto
uses: ./.github/actions/macOS-sign
with:
name: gama-mac-unsigned
path: ./artifacts/

- name: Create Keychain
env:
toSignedZipName: Gama1.7-macosx.cocoa.x86_64
IS_WITH_JDK: false
# Pass secrets
MACOS_CERTIFICATE: ${{ secrets.MACOS_CERTIFICATE }}
MACOS_CERTIFICATE_PWD: ${{ secrets.MACOS_CERTIFICATE_PWD }}
MACOS_KEYCHAIN_PWD: ${{ secrets.MACOS_KEYCHAIN_PWD }}
run: |
# Prepare the keychain - Based on https://localazy.com/blog/how-to-automatically-sign-macos-apps-using-github-actions
security create-keychain -p "$MACOS_KEYCHAIN_PWD" build.keychain
security default-keychain -s build.keychain
security unlock-keychain -p "$MACOS_KEYCHAIN_PWD" build.keychain
# Prepare certificate
echo "$MACOS_CERTIFICATE" | base64 --decode > certificate.p12
security import certificate.p12 -k build.keychain -P "$MACOS_CERTIFICATE_PWD" -T /usr/bin/codesign
security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$MACOS_KEYCHAIN_PWD" build.keychain
- name: Sign Application
env:
working_directory: ${{ github.workspace }}/artifacts/work
# Variables
MACOS_DEV_ID: ${{ secrets.MACOS_DEV_ID }}
NOTARY_APPLE_ID: ${{ secrets.NOTARY_APPLE_ID }}
NOTARY_PASSWORD: ${{ secrets.NOTARY_PASSWORD }}
NOTARY_TEAM_ID: ${{ secrets.NOTARY_TEAM_ID }}
macOS-signing-x86_64_withJDK:
needs: build
if: needs.build.outputs.continue_pipeline == 'true'
runs-on: macos-latest
steps:
- name: toto
uses: ./.github/actions/macOS-sign
with:
toSignedZipName: Gama1.7-macosx.cocoa.x86_64_withJDK
IS_WITH_JDK: true
# Pass secrets
MACOS_CERTIFICATE: ${{ secrets.MACOS_CERTIFICATE }}
MACOS_CERTIFICATE_PWD: ${{ secrets.MACOS_CERTIFICATE_PWD }}
MACOS_KEYCHAIN_PWD: ${{ secrets.MACOS_KEYCHAIN_PWD }}
IS_WITH_JDK: ${{ matrix.toSignedZipName }} =~ .*'withJDK'
run: |
# Unlock
security unlock-keychain -p "$MACOS_KEYCHAIN_PWD" build.keychain
unzip -q ${{ github.workspace }}/artifacts/${{ matrix.toSignedZipName }}.zip -d . && rm ${{ github.workspace }}/artifacts/*.zip
# Sign everything inside app
bash ${{ github.workspace }}/artifacts/mac-sign.sh
wget https://raw.githubusercontent.com/gama-platform/gama/$( echo $GITHUB_SHA )/ummisco.gama.product/extraresources/entitlements.plist && plutil -convert xml1 ./entitlements.plist && plutil -lint ./entitlements.plist
codesign --entitlements "./entitlements.plist" --timestamp --options=runtime --force -s "$MACOS_DEV_ID" -v ./Gama.app/Contents/MacOS/Gama
- name: Packaging signed Application w/o JDK
env:
working_directory: ${{ github.workspace }}/artifacts/work
# Variables
MACOS_DEV_ID: ${{ secrets.MACOS_DEV_ID }}
MACOS_KEYCHAIN_PWD: ${{ secrets.MACOS_KEYCHAIN_PWD }}
# Notarization variables
NOTARY_APPLE_ID: ${{ secrets.NOTARY_APPLE_ID }}
NOTARY_PASSWORD: ${{ secrets.NOTARY_PASSWORD }}
NOTARY_TEAM_ID: ${{ secrets.NOTARY_TEAM_ID }}
run: |
# Unlock
security unlock-keychain -p "$MACOS_KEYCHAIN_PWD" build.keychain
# Make DMG - Based on : https://developer.apple.com/forums/thread/128166
hdiutil create -verbose -srcFolder ./Gama.app -o ./${{ matrix.toSignedZipName }}.dmg
codesign -s "$MACOS_DEV_ID" --timestamp -f -v ./${{ matrix.toSignedZipName }}.dmg
# Notarize dmg - Based on : https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/customizing_the_notarization_workflow#3087734
xcrun -v notarytool store-credentials "AC_PASSWORD" --apple-id "$NOTARY_APPLE_ID" --team-id "$NOTARY_TEAM_ID" --password "$NOTARY_PASSWORD"
xcrun -v notarytool submit ./${{ matrix.toSignedZipName }}.dmg --keychain-profile "AC_PASSWORD" --wait
xcrun -v stapler staple ./${{ matrix.toSignedZipName }}.dmg
- uses: actions/upload-artifact@v3
env:
working_directory: ${{ github.workspace }}/artifacts/work
with:
name: gama-mac-signed
path: ./${{ matrix.toSignedZipName }}.dmg
if-no-files-found: error # 'warn' or 'ignore' are also available, defaults to `warn`

macOS-signing-aarch64:
needs: macOS-signing-x86_64
needs: [macOS-signing-x86_64, macOS-signing-x86_64_withJDK]
if: needs.build.outputs.continue_pipeline == 'true'
runs-on: macos-latest
strategy:
matrix:
toSignedZipName: [Gama1.7-macosx.cocoa.aarch64, Gama1.7-macosx.cocoa.aarch64_withJDK]
steps:
- name: Prepare vm
run: |
# Change XCode version
sudo xcode-select -s "/Applications/Xcode_13.0.app"
export JAVA_HOME=$JAVA_HOME_11_X64
mkdir -p ${{ github.workspace }}/artifacts/work
- uses: actions/download-artifact@v2
- name: toto
uses: ./.github/actions/macOS-sign
with:
name: gama-mac-unsigned
path: ./artifacts/

- name: Create Keychain
env:
toSignedZipName: Gama1.7-macosx.cocoa.aarch64
IS_WITH_JDK: false
# Pass secrets
MACOS_CERTIFICATE: ${{ secrets.MACOS_CERTIFICATE }}
MACOS_CERTIFICATE_PWD: ${{ secrets.MACOS_CERTIFICATE_PWD }}
MACOS_KEYCHAIN_PWD: ${{ secrets.MACOS_KEYCHAIN_PWD }}
run: |
# Prepare the keychain - Based on https://localazy.com/blog/how-to-automatically-sign-macos-apps-using-github-actions
security create-keychain -p "$MACOS_KEYCHAIN_PWD" build.keychain
security default-keychain -s build.keychain
security unlock-keychain -p "$MACOS_KEYCHAIN_PWD" build.keychain
# Prepare certificate
echo "$MACOS_CERTIFICATE" | base64 --decode > certificate.p12
security import certificate.p12 -k build.keychain -P "$MACOS_CERTIFICATE_PWD" -T /usr/bin/codesign
security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$MACOS_KEYCHAIN_PWD" build.keychain
- name: Sign Application
env:
working_directory: ${{ github.workspace }}/artifacts/work
# Variables
MACOS_DEV_ID: ${{ secrets.MACOS_DEV_ID }}
NOTARY_APPLE_ID: ${{ secrets.NOTARY_APPLE_ID }}
NOTARY_PASSWORD: ${{ secrets.NOTARY_PASSWORD }}
NOTARY_TEAM_ID: ${{ secrets.NOTARY_TEAM_ID }}
macOS-signing-aarch64_withJDK:
needs: [macOS-signing-x86_64, macOS-signing-x86_64_withJDK]
if: needs.build.outputs.continue_pipeline == 'true'
runs-on: macos-latest
steps:
- name: toto
uses: ./.github/actions/macOS-sign
with:
toSignedZipName: Gama1.7-macosx.cocoa.aarch64_withJDK
IS_WITH_JDK: true
# Pass secrets
MACOS_CERTIFICATE: ${{ secrets.MACOS_CERTIFICATE }}
MACOS_CERTIFICATE_PWD: ${{ secrets.MACOS_CERTIFICATE_PWD }}
MACOS_KEYCHAIN_PWD: ${{ secrets.MACOS_KEYCHAIN_PWD }}
IS_WITH_JDK: ${{ matrix.toSignedZipName }} =~ .*'withJDK'
run: |
# Unlock
security unlock-keychain -p "$MACOS_KEYCHAIN_PWD" build.keychain
unzip -q ${{ github.workspace }}/artifacts/${{ matrix.toSignedZipName }}.zip -d . && rm ${{ github.workspace }}/artifacts/*.zip
# Sign everything inside app
bash ${{ github.workspace }}/artifacts/mac-sign.sh
wget https://raw.githubusercontent.com/gama-platform/gama/$( echo $GITHUB_SHA )/ummisco.gama.product/extraresources/entitlements.plist && plutil -convert xml1 ./entitlements.plist && plutil -lint ./entitlements.plist
codesign --entitlements "./entitlements.plist" --timestamp --options=runtime --force -s "$MACOS_DEV_ID" -v ./Gama.app/Contents/MacOS/Gama
- name: Packaging signed Application w/o JDK
env:
working_directory: ${{ github.workspace }}/artifacts/work
# Variables
MACOS_DEV_ID: ${{ secrets.MACOS_DEV_ID }}
MACOS_KEYCHAIN_PWD: ${{ secrets.MACOS_KEYCHAIN_PWD }}
# Notarization variables
NOTARY_APPLE_ID: ${{ secrets.NOTARY_APPLE_ID }}
NOTARY_PASSWORD: ${{ secrets.NOTARY_PASSWORD }}
NOTARY_TEAM_ID: ${{ secrets.NOTARY_TEAM_ID }}
run: |
# Unlock
security unlock-keychain -p "$MACOS_KEYCHAIN_PWD" build.keychain
# Make DMG - Based on : https://developer.apple.com/forums/thread/128166
hdiutil create -verbose -srcFolder ./Gama.app -o ./${{ matrix.toSignedZipName }}.dmg
codesign -s "$MACOS_DEV_ID" --timestamp -f -v ./${{ matrix.toSignedZipName }}.dmg
# Notarize dmg - Based on : https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/customizing_the_notarization_workflow#3087734
xcrun -v notarytool store-credentials "AC_PASSWORD" --apple-id "$NOTARY_APPLE_ID" --team-id "$NOTARY_TEAM_ID" --password "$NOTARY_PASSWORD"
xcrun -v notarytool submit ./${{ matrix.toSignedZipName }}.dmg --keychain-profile "AC_PASSWORD" --wait
xcrun -v stapler staple ./${{ matrix.toSignedZipName }}.dmg
- uses: actions/upload-artifact@v3
env:
working_directory: ${{ github.workspace }}/artifacts/work
with:
name: gama-mac-signed
path: ./${{ matrix.toSignedZipName }}.dmg
if-no-files-found: error # 'warn' or 'ignore' are also available, defaults to `warn`

debian-archive:
# https://earthly.dev/blog/creating-and-hosting-your-own-deb-packages-and-apt-repo/#step-1-creating-a-deb-package
@@ -310,7 +224,7 @@ jobs:
${{ github.workspace }}/${{ matrix.zipName }}.deb
publish-archives:
needs: [macOS-signing-x86_64, macOS-signing-aarch64, debian-archive]
needs: [macOS-signing-aarch64, macOS-signing-aarch64_withJDK, debian-archive]
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
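Review bot: Each of the four signing jobs now reaches the composite action through `uses: ./.github/actions/macOS-sign` as its first and only step, but a repository-local action path is resolved against the job's checkout, and none of these jobs runs `actions/checkout` before it — the inline steps they replace never needed one because they fetched everything via `download-artifact` and `wget`, so the runner will not find `.github/actions/macOS-sign/action.yaml`. Add `- uses: actions/checkout@v2` ahead of the `toto` step in `macOS-signing-x86_64`, `macOS-signing-x86_64_withJDK`, `macOS-signing-aarch64` and `macOS-signing-aarch64_withJDK`, as `publish-archives` already does, and give the step a real name such as `- name: Sign and notarize macOS build`. The aarch64 jobs also keep `if: needs.build.outputs.continue_pipeline == 'true'` while their `needs:` now lists only the x86_64 jobs; as far as I can tell the `needs` context only exposes direct dependencies, so that output is probably empty there and the gate never passes — either add `build` to `needs:` or gate on an output of the x86_64 jobs.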
