feat: added notarization changes (twilio#349)
Showing
4 changed files
with
127 additions
and
4 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,54 @@ | ||
#!/bin/sh | ||
#Functionality for signing macos package | ||
|
||
|
||
import_certificate() { | ||
CERTIFICATE=$RUNNER_TEMP/certificate.p12 | ||
OSX_KEYCHAIN=$RUNNER_TEMP/app-signing.keychain-db | ||
# import certificate from secrets | ||
echo -n "$OSX_INSTALLER_CERT_BASE64" | base64 --decode --output $CERTIFICATE | ||
# genrate random keychain password | ||
OSX_KEYCHAIN_PASSWORD=`openssl rand -hex 12` | ||
# create new keychain | ||
security create-keychain -p "$OSX_KEYCHAIN_PASSWORD" $OSX_KEYCHAIN | ||
security unlock-keychain -p "$OSX_KEYCHAIN_PASSWORD" $OSX_KEYCHAIN | ||
# set keycahin configuration (lock after timeout etc) | ||
security set-keychain-settings -lut 21600 $OSX_KEYCHAIN | ||
# import certificate to keychain | ||
security import $CERTIFICATE -k $OSX_KEYCHAIN -f pkcs12 -A -T /usr/bin/codesign -T /usr/bin/security -P "$OSX_INSTALLER_CERT_PASSWORD" | ||
security set-key-partition-list -S apple-tool:,apple: -k "$OSX_KEYCHAIN_PASSWORD" $OSX_KEYCHAIN | ||
|
||
security list-keychains -d user -s $OSX_KEYCHAIN login.keychain | ||
#security import $CERTIFICATE_PATH -k $KEYCHAIN_PATH -A -P $OSX_INSTALLER_CERT_PASSWORD -T /usr/bin/codesign -T /usr/bin/security | ||
security find-identity | ||
} | ||
notarize_and_staple() { | ||
#Functionality to notarize application | ||
xcrun notarytool store-credentials new-profile --apple-id "$APPLE_ID" --password "$APPLE_ID_APP_PASSWORD" --team-id "$APPLE_TEAM_ID" | ||
# wait for notarization response and capture it in notarization_log.json | ||
xcrun notarytool submit "$FILE_PATH" --keychain-profile new-profile --wait -f json >> $RUNNER_TEMP/notarization_log.json | ||
notarization_status=$(jq -r .status $RUNNER_TEMP/notarization_log.json) | ||
notarization_id=$(jq -r .id $RUNNER_TEMP/notarization_log.json) | ||
echo "for notarization id ${notarization_id} the status is ${notarization_status}" | ||
if [${notarization_status} = "Accepted"] | ||
then | ||
xcrun stapler staple "$FILE_PATH" | ||
spctl --assess -vv --type install "$FILE_PATH" | ||
else | ||
echo "Notarization unsuccessfull" | ||
#display notarization logs for error | ||
xcrun notarytool log ${notarization_id} --keychain-profile new-profile $RUNNER_TEMP/notarization_log.json | ||
jq . $RUNNER_TEMP/notarization_log.json | ||
exit 1 | ||
fi | ||
} | ||
|
||
pack_macos() { | ||
import_certificate | ||
npx oclif-dev pack:macos | ||
notarize_and_staple | ||
} | ||
|
||
make install | ||
brew install makensis | ||
pack_macos |
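Review bot: `import_certificate` leaves the signing key more exposed than the job needs: `-A` on the `security import` line lets any application use the imported private key without prompting, which makes the two `-T` entries redundant, and neither `$CERTIFICATE` nor the temporary keychain is removed once packaging ends. Dropping `-A` and finishing `pack_macos` with `security delete-keychain "$OSX_KEYCHAIN"` and `rm -f "$CERTIFICATE"` (ideally from a `trap`, so a failed run cleans up too) would cover both; the partition list set on the following line should keep Apple's signing tools working without `-A`, but confirm that the packaging step still signs. In `notarize_and_staple`, `if [${notarization_status} = "Accepted"]` has no spaces inside the brackets, so the shell looks for a command named `[Accepted` and the `else` branch with `exit 1` runs even when notarization succeeded; `if [ "$notarization_status" = "Accepted" ]` fixes it. The app-specific password (`--password`) and the keychain password (`-p`) are also passed as command-line arguments, where other local processes can read them while the command runs.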
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,58 @@ | ||
name: Macos Executable Release | ||
on: | ||
workflow_dispatch: | ||
inputs: | ||
formula: | ||
description: 'Artifact Prefix' | ||
default: twilio | ||
jobs: | ||
get-tag: | ||
runs-on: macos-11 | ||
outputs: | ||
TAG_NAME: ${{steps.get-tag.outputs.TAG_NAME}} | ||
steps: | ||
- uses: actions/checkout@v2 | ||
- name: Getting latest tag | ||
id: get-tag | ||
run: | | ||
git fetch --prune --unshallow | ||
echo "::set-output name=TAG_NAME::$(git describe --tags $(git rev-list --tags --max-count=1))" | ||
pack-macos: | ||
needs: [get-tag] | ||
runs-on: macos-11 | ||
steps: | ||
- uses: actions/checkout@v2 | ||
- run: source .github/scripts/pack_macos.sh | ||
env: | ||
OSX_INSTALLER_CERT_BASE64: ${{ secrets.OSX_INSTALLER_CERT_BASE64}} | ||
OSX_INSTALLER_CERT_PASSWORD: ${{ secrets.OSX_INSTALLER_CERT_PASSWORD}} | ||
APPLE_ID: ${{ secrets.APPLE_ID}} | ||
APPLE_ID_APP_PASSWORD: ${{ secrets.APPLE_ID_APP_PASSWORD}} | ||
APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID}} | ||
FILE_PATH: dist/macos/${{ github.event.inputs.formula }}-v${{ needs.get-tag.outputs.TAG_NAME }}.pkg | ||
- name: Upload binaries to release | ||
run: node .github/scripts/update-platform-executables.js | ||
env: | ||
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
FILE: dist/macos/${{ github.event.inputs.formula }}-v${{ needs.get-tag.outputs.TAG_NAME }}.pkg | ||
ASSET_NAME: ${{ github.event.inputs.formula }}-${{ needs.get-tag.outputs.TAG_NAME }}.pkg | ||
TAG_NAME: ${{ needs.get-tag.outputs.TAG_NAME }} | ||
REPO_NAME: twilio/twilio-cli | ||
|
||
notify-complete-fail: | ||
if: ${{ failure() || cancelled() }} | ||
needs: [pack-macos] | ||
name: Notify Release Failed | ||
runs-on: ubuntu-latest | ||
steps: | ||
- uses: actions/checkout@v2 | ||
- name: Slack Notification | ||
uses: rtCamp/action-slack-notify@v2 | ||
env: | ||
SLACK_WEBHOOK: ${{ secrets.ALERT_SLACK_WEB_HOOK }} | ||
SLACK_COLOR: "#ff3333" | ||
SLACK_USERNAME: CLI Release Bot | ||
SLACK_ICON_EMOJI: ":ship:" | ||
SLACK_TITLE: "Twilio Cli" | ||
SLACK_MESSAGE: 'Macos Executable Release Failed' | ||
MSG_MINIMAL: actions url |
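Review bot: The `pack-macos` step `run: source .github/scripts/pack_macos.sh` puts the signing certificate, its password and the Apple ID credentials in the environment of everything that script runs, including `make install`, `brew install makensis` and `npx oclif-dev pack:macos`, so any dependency install or build script executed there can read them. Splitting the work into a build step without secrets and a sign-and-notarize step that carries this `env:` block would limit exposure to the commands that need it. The workflow also declares no `permissions:`, so `GITHUB_TOKEN` keeps the repository default; a job-level `permissions:` with `contents: write` on `pack-macos` (assuming the release upload is all it needs) and read-only access on the other jobs would narrow it. `rtCamp/action-slack-notify@v2` receives the Slack webhook while pinned to a mutable tag; pinning it to a full commit SHA keeps a retagged release from changing what runs with that secret.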