

[GHA MAC] Sub-parallelize mac builds
Only 2 VMs at a time; this should prevent the signature timeout
ci release
RoiArthurB committed Apr 22, 2022
1 parent 6e88c1e commit ff131d2
Showing 2 changed files with 85 additions and 10 deletions.
93 changes: 83 additions & 10 deletions .github/workflows/github-travis.yml
Expand Up @@ -112,21 +112,94 @@ jobs:
outputs:
continue_pipeline: ${{ env.CONTINUE }}

macOS-signing:
macOS-signing-x86_64:
needs: build
if: needs.build.outputs.continue_pipeline == 'true'
runs-on: macos-latest
strategy:
matrix:
toSignedZipName: [Gama1.7-macosx.cocoa.x86_64, Gama1.7-macosx.cocoa.x86_64_withJDK, Gama1.7-macosx.cocoa.aarch64, Gama1.7-macosx.cocoa.aarch64_withJDK]
toSignedZipName: [Gama1.7-macosx.cocoa.x86_64, Gama1.7-macosx.cocoa.x86_64_withJDK]
steps:
- name: Delay x86_64 jobs
if: contains(matrix.toSignedZipName, 'x86_64')
run: sleep 60
- name: Delay JDK jobs
if: contains(matrix.toSignedZipName, 'withJDK')
run: sleep 100
- name: Prepare vm
run: |
# Change XCode version
sudo xcode-select -s "/Applications/Xcode_13.0.app"
export JAVA_HOME=$JAVA_HOME_11_X64
mkdir -p ${{ github.workspace }}/artifacts/work
- uses: actions/download-artifact@v2
with:
name: gama-mac-unsigned
path: ./artifacts/

- name: Create Keychain
env:
MACOS_CERTIFICATE: ${{ secrets.MACOS_CERTIFICATE }}
MACOS_CERTIFICATE_PWD: ${{ secrets.MACOS_CERTIFICATE_PWD }}
MACOS_KEYCHAIN_PWD: ${{ secrets.MACOS_KEYCHAIN_PWD }}
run: |
# Prepare the keychain - Based on https://localazy.com/blog/how-to-automatically-sign-macos-apps-using-github-actions
security create-keychain -p "$MACOS_KEYCHAIN_PWD" build.keychain
security default-keychain -s build.keychain
security unlock-keychain -p "$MACOS_KEYCHAIN_PWD" build.keychain
# Prepare certificate
echo "$MACOS_CERTIFICATE" | base64 --decode > certificate.p12
security import certificate.p12 -k build.keychain -P "$MACOS_CERTIFICATE_PWD" -T /usr/bin/codesign
security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$MACOS_KEYCHAIN_PWD" build.keychain
- name: Sign Application
env:
working_directory: ${{ github.workspace }}/artifacts/work
# Variables
MACOS_DEV_ID: ${{ secrets.MACOS_DEV_ID }}
MACOS_KEYCHAIN_PWD: ${{ secrets.MACOS_KEYCHAIN_PWD }}
IS_WITH_JDK: contains(matrix.toSignedZipName, 'withJDK')
run: |
# Unlock
security unlock-keychain -p "$MACOS_KEYCHAIN_PWD" build.keychain
unzip -q ${{ github.workspace }}/artifacts/${{ matrix.toSignedZipName }}.zip -d . && rm ${{ github.workspace }}/artifacts/*.zip
# Sign everything inside app
bash ${{ github.workspace }}/artifacts/mac-sign.sh
wget https://raw.githubusercontent.com/gama-platform/gama/$( echo $GITHUB_SHA )/ummisco.gama.product/extraresources/entitlements.plist && plutil -convert xml1 ./entitlements.plist && plutil -lint ./entitlements.plist
codesign --entitlements "./entitlements.plist" --timestamp --options=runtime --force -s "$MACOS_DEV_ID" -v ./Gama.app/Contents/MacOS/Gama
- name: Packaging signed Application w/o JDK
env:
working_directory: ${{ github.workspace }}/artifacts/work
# Variables
MACOS_DEV_ID: ${{ secrets.MACOS_DEV_ID }}
MACOS_KEYCHAIN_PWD: ${{ secrets.MACOS_KEYCHAIN_PWD }}
# Notarization variables
NOTARY_APPLE_ID: ${{ secrets.NOTARY_APPLE_ID }}
NOTARY_PASSWORD: ${{ secrets.NOTARY_PASSWORD }}
NOTARY_TEAM_ID: ${{ secrets.NOTARY_TEAM_ID }}
run: |
# Unlock
security unlock-keychain -p "$MACOS_KEYCHAIN_PWD" build.keychain
# Make DMG - Based on : https://developer.apple.com/forums/thread/128166
hdiutil create -verbose -srcFolder ./Gama.app -o ./${{ matrix.toSignedZipName }}.dmg
codesign -s "$MACOS_DEV_ID" --timestamp -f -v ./${{ matrix.toSignedZipName }}.dmg
# Notarize dmg - Based on : https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/customizing_the_notarization_workflow#3087734
xcrun -v notarytool store-credentials "AC_PASSWORD" --apple-id "$NOTARY_APPLE_ID" --team-id "$NOTARY_TEAM_ID" --password "$NOTARY_PASSWORD"
xcrun -v notarytool submit ./${{ matrix.toSignedZipName }}.dmg --keychain-profile "AC_PASSWORD" --wait
xcrun -v stapler staple ./${{ matrix.toSignedZipName }}.dmg
- uses: actions/upload-artifact@v3
env:
working_directory: ${{ github.workspace }}/artifacts/work
with:
name: gama-mac-signed
path: ./${{ matrix.toSignedZipName }}.dmg
if-no-files-found: error # 'warn' or 'ignore' are also available, defaults to `warn`

macOS-signing-aarch64:
needs: macOS-signing-x86_64
if: needs.build.outputs.continue_pipeline == 'true'
runs-on: macos-latest
strategy:
matrix:
toSignedZipName: [Gama1.7-macosx.cocoa.aarch64, Gama1.7-macosx.cocoa.aarch64_withJDK]
steps:
- name: Prepare vm
run: |
# Change XCode version
@@ -160,7 +233,7 @@ jobs:
# Variables
MACOS_DEV_ID: ${{ secrets.MACOS_DEV_ID }}
MACOS_KEYCHAIN_PWD: ${{ secrets.MACOS_KEYCHAIN_PWD }}
IS_WITH_JDK: ${{ contains(matrix.toSignedZipName, 'withJDK') }}
IS_WITH_JDK: contains(matrix.toSignedZipName, 'withJDK')
run: |
# Unlock
security unlock-keychain -p "$MACOS_KEYCHAIN_PWD" build.keychain
@@ -237,7 +310,7 @@ jobs:
${{ github.workspace }}/${{ matrix.zipName }}.deb
publish-archives:
needs: [macOS-signing, debian-archive]
needs: [macOS-signing-x84_64, macOS-signing-aarch64, debian-archive]
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
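Review bot: `needs: [macOS-signing-x84_64, macOS-signing-aarch64, debian-archive]` in publish-archives (third hunk of this file) refers to a job id that is not defined anywhere in the hunks — the job introduced above is `macOS-signing-x86_64` — and GitHub refuses to run a workflow whose `needs` names an unknown job, so the fix is `needs: [macOS-signing-x86_64, macOS-signing-aarch64, debian-archive]`. In the first hunk, the new macOS-signing-aarch64 job declares `needs: macOS-signing-x86_64` only, yet its condition reads `needs.build.outputs.continue_pipeline`; as far as I know the needs context exposes only direct dependencies, so that expression evaluates to an empty string and the aarch64 signing job would be silently skipped — either add `build` to its `needs` list or have macOS-signing-x86_64 forward the flag as its own output. Separately, `IS_WITH_JDK: contains(matrix.toSignedZipName, 'withJDK')` (first hunk, and if print order here is old-then-new, the same line in the second hunk) is not wrapped in `${{ }}`, so the script receives that literal text rather than `true`/`false`; restore `IS_WITH_JDK: ${{ contains(matrix.toSignedZipName, 'withJDK') }}` if mac-sign.sh branches on it.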
2 changes: 2 additions & 0 deletions travis/mac-sign.sh
@@ -38,6 +38,8 @@ function signInJar(){
fi
}

echo $IS_WITH_JDK

find ./ -name "*jar" > jarlist.txt

# Reverse list to prevent concurrency signature submition per architecture
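Review bot: The added `echo $IS_WITH_JDK` prints an unlabelled, unquoted value, so in the job log it is just a bare word (or an empty line when the variable is unset) with nothing tying it to the variable being inspected; prefer `echo "IS_WITH_JDK=${IS_WITH_JDK:-<unset>}"` so the diagnostic is identifiable and survives word splitting. If this is a temporary debugging aid for the workflow change in the same commit, a comment such as `# debug: value forwarded from the workflow env` would make that intent clear to the next reader. The rest of the script around this hunk is outside the view.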
