GitHub Action for alpha releases#234
Merged
jordywitteman merged 1 commit intomasterfrom Aug 7, 2025
Merged
Conversation
GitHub Action for alpha releases with Xcode beta
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
Comment on lines
+7
to
+91
| runs-on: macos-15 | ||
| environment: production | ||
|
|
||
| steps: | ||
| - name: Checkout repository | ||
| uses: actions/checkout@v4 | ||
|
|
||
| - name: Bump Build Number and set version number to env | ||
| run: | | ||
| cd ./src | ||
| xcrun agvtool next-version -all | ||
|
|
||
| APP_BUILD_NUMBER=$(xcrun agvtool vers -terse) | ||
| echo "Build number: ${APP_BUILD_NUMBER}" | ||
| echo "APP_BUILD_NUMBER=${APP_BUILD_NUMBER}" >> $GITHUB_ENV | ||
|
|
||
| APP_VERSION=$(/usr/libexec/PlistBuddy -c Print:CFBundleShortVersionString Support/Info.plist) | ||
| echo "Version number: ${APP_VERSION}" | ||
| echo "APP_VERSION=${APP_VERSION}" >> $GITHUB_ENV | ||
|
|
||
| - name: Commit Changes | ||
| env: | ||
| APP_BUILD_NUMBER: ${{ env.APP_BUILD_NUMBER }} | ||
| run: | | ||
| git add . | ||
| git config --local user.email "action@github.com" | ||
| git config --local user.name "GitHub Action" | ||
| git commit -m "Bump build number to ${APP_BUILD_NUMBER}" | ||
|
|
||
| - name: Push Changes | ||
| uses: ad-m/github-push-action@v0.8.0 | ||
| with: | ||
| github_token: ${{ secrets.GITHUB_TOKEN }} | ||
| branch: ${{ github.ref }} | ||
|
|
||
| - name: Install Developer ID Application certificate | ||
| uses: apple-actions/import-codesign-certs@v2 | ||
| with: | ||
| keychain-password: ${{ github.run_id }} | ||
| p12-file-base64: ${{ secrets.DEVELOPER_ID_APPLICATION_BASE64 }} | ||
| p12-password: ${{ secrets.DEVELOPER_ID_APPLICATION_PASSWORD }} | ||
|
|
||
| - name: Install Developer ID Installer certificate | ||
| uses: apple-actions/import-codesign-certs@v2 | ||
| with: | ||
| create-keychain: false | ||
| keychain-password: ${{ github.run_id }} | ||
| p12-file-base64: ${{ secrets.DEVELOPER_ID_INSTALLER_BASE64 }} | ||
| p12-password: ${{ secrets.DEVELOPER_ID_INSTALLER_PASSWORD }} | ||
|
|
||
| - name: Enable beta watermark | ||
| run: | | ||
| sed -i '' "s/let betaRelease: Bool = false/let betaRelease: Bool = true/g" ./src/Support/Preferences.swift | ||
|
|
||
| - name: Build macOS app | ||
| run: | | ||
| ARCHIVE_PATH="./build/Support.xcarchive" | ||
| APP_PATH="./build" | ||
|
|
||
| ls -la /Applications | ||
|
|
||
| # Set Xcode version to latest version available | ||
| # XCODE_VERSION=$(ls -d /Applications/Xcode*.app 2>/dev/null | sort -V | tail -n 1) | ||
| # echo "Path to latest Xcode version: ${XCODE_VERSION}" | ||
| XCODE_VERSION="${{vars.XCODE_VERSION_BETA}}" | ||
|
|
||
| # Select Xcode version | ||
| sudo xcode-select -s "${XCODE_VERSION}" | ||
|
|
||
| # Build and archive app | ||
| "${XCODE_VERSION}/Contents/Developer/usr/bin/xcodebuild" clean build -project ./src/Support.xcodeproj -scheme "Support" -configuration Release CODE_SIGN_IDENTITY="Developer ID Application: Root3 B.V. (98LJ4XBGYK)" -archivePath $ARCHIVE_PATH archive | ||
| "${XCODE_VERSION}/Contents/Developer/usr/bin/xcodebuild" -archivePath $ARCHIVE_PATH -exportArchive -exportPath $APP_PATH -exportOptionsPlist ./pkgbuild/exportOptions.plist | ||
| chmod +x "${APP_PATH}/Support.app" | ||
|
|
||
| - name: Notarize and package macOS app | ||
| run: | ||
| ./build_pkg_automated.zsh "${{env.APP_VERSION}}" "${{ secrets.APPLE_ID }}" "${{ secrets.APPLE_ID_APP_SPECIFIC_PASSWORD }}" "${{vars.XCODE_VERSION_BETA}}" | ||
|
|
||
| - name: Upload package | ||
| uses: actions/upload-artifact@v4 | ||
| with: | ||
| name: Support ${{env.APP_VERSION}} Beta (${{ env.APP_BUILD_NUMBER }}) | ||
| path: build/ | ||
|
|
||
|
|
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI 9 months ago
To fix the problem, add an explicit permissions block to the workflow. Since the workflow pushes changes to the repository, it requires contents: write. Other permissions (such as pull-requests: write) are not needed based on the shown steps. The permissions block can be added at the workflow root (applies to all jobs) or at the job level (applies only to the specific job). The best practice is to add it at the workflow root unless different jobs require different permissions. In this case, since there is only one job, add the following at the top level (after the name: and before on:):
permissions:
contents: writeNo additional methods, imports, or definitions are needed.
Suggested changeset
1
.github/workflows/build_pkg_alpha_xcode_beta.yml
| @@ -1,2 +1,4 @@ | ||
| name: Build and Notarize Support App - Alpha Manual - Xcode Beta | ||
| permissions: | ||
| contents: write | ||
|
|
Copilot is powered by AI and may make mistakes. Always verify output.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
GitHub Action for alpha releases with Xcode beta