feat: added notarization changes (twilio#349)

shrutiburman · Dec 15, 2021 · 2a8102e · 2a8102e
1 parent f8e1723
commit 2a8102e
Show file tree

Hide file tree

Showing 4 changed files with 127 additions and 4 deletions.
diff --git a/.github/scripts/pack_macos.sh b/.github/scripts/pack_macos.sh
@@ -0,0 +1,54 @@
+#!/bin/sh
+#Functionality for signing macos package
+
+
+import_certificate() {
+    CERTIFICATE=$RUNNER_TEMP/certificate.p12
+    OSX_KEYCHAIN=$RUNNER_TEMP/app-signing.keychain-db
+    # import certificate from secrets
+    echo -n "$OSX_INSTALLER_CERT_BASE64" | base64 --decode --output $CERTIFICATE
+    # genrate random keychain password
+    OSX_KEYCHAIN_PASSWORD=`openssl rand -hex 12`
+    # create new keychain 
+    security create-keychain -p "$OSX_KEYCHAIN_PASSWORD" $OSX_KEYCHAIN
+    security unlock-keychain -p "$OSX_KEYCHAIN_PASSWORD" $OSX_KEYCHAIN 
+    # set keycahin configuration (lock after timeout etc)
+    security set-keychain-settings -lut 21600 $OSX_KEYCHAIN
+    # import certificate to keychain
+    security import $CERTIFICATE -k $OSX_KEYCHAIN -f pkcs12 -A -T /usr/bin/codesign -T /usr/bin/security -P "$OSX_INSTALLER_CERT_PASSWORD"
+    security set-key-partition-list -S apple-tool:,apple: -k "$OSX_KEYCHAIN_PASSWORD" $OSX_KEYCHAIN
+
+    security list-keychains -d user -s $OSX_KEYCHAIN login.keychain
+    #security import $CERTIFICATE_PATH -k $KEYCHAIN_PATH -A -P $OSX_INSTALLER_CERT_PASSWORD -T /usr/bin/codesign -T /usr/bin/security
+    security find-identity
+}
+notarize_and_staple() {
+    #Functionality  to notarize application
+    xcrun notarytool store-credentials new-profile --apple-id "$APPLE_ID" --password "$APPLE_ID_APP_PASSWORD" --team-id "$APPLE_TEAM_ID"
+    # wait for notarization response and capture it in notarization_log.json
+    xcrun notarytool submit "$FILE_PATH" --keychain-profile new-profile --wait -f json >> $RUNNER_TEMP/notarization_log.json
+    notarization_status=$(jq -r .status $RUNNER_TEMP/notarization_log.json)
+    notarization_id=$(jq -r .id $RUNNER_TEMP/notarization_log.json)
+    echo "for notarization id ${notarization_id} the status is ${notarization_status}"
+    if [${notarization_status} = "Accepted"]
+    then
+      xcrun stapler staple "$FILE_PATH"
+      spctl --assess -vv --type install "$FILE_PATH"
+    else
+      echo "Notarization unsuccessfull"
+      #display notarization logs for error
+      xcrun notarytool log ${notarization_id} --keychain-profile new-profile $RUNNER_TEMP/notarization_log.json
+      jq . $RUNNER_TEMP/notarization_log.json
+      exit 1
+    fi
+}
+
+pack_macos() {
+    import_certificate
+    npx oclif-dev pack:macos
+    notarize_and_staple
+}
+
+make install
+brew install makensis
+pack_macos
diff --git a/.github/workflows/macos-executable-release.yml b/.github/workflows/macos-executable-release.yml
@@ -0,0 +1,58 @@
+name: Macos Executable Release
+on:
+  workflow_dispatch:
+    inputs:
+      formula:
+        description: 'Artifact Prefix'
+        default: twilio
+jobs:
+  get-tag:
+    runs-on: macos-11
+    outputs:
+     TAG_NAME: ${{steps.get-tag.outputs.TAG_NAME}}
+    steps:
+     - uses: actions/checkout@v2
+     - name: Getting latest tag
+       id: get-tag
+       run: |
+        git fetch --prune --unshallow
+        echo "::set-output name=TAG_NAME::$(git describe --tags $(git rev-list --tags --max-count=1))"
+  pack-macos:
+    needs: [get-tag]
+    runs-on: macos-11
+    steps:
+    - uses: actions/checkout@v2
+    - run: source .github/scripts/pack_macos.sh
+      env:
+        OSX_INSTALLER_CERT_BASE64: ${{ secrets.OSX_INSTALLER_CERT_BASE64}}
+        OSX_INSTALLER_CERT_PASSWORD: ${{ secrets.OSX_INSTALLER_CERT_PASSWORD}}
+        APPLE_ID: ${{ secrets.APPLE_ID}}
+        APPLE_ID_APP_PASSWORD: ${{ secrets.APPLE_ID_APP_PASSWORD}}
+        APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID}}
+        FILE_PATH: dist/macos/${{ github.event.inputs.formula }}-v${{ needs.get-tag.outputs.TAG_NAME }}.pkg
+    - name: Upload binaries to release
+      run: node .github/scripts/update-platform-executables.js
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        FILE: dist/macos/${{ github.event.inputs.formula }}-v${{ needs.get-tag.outputs.TAG_NAME }}.pkg
+        ASSET_NAME: ${{ github.event.inputs.formula }}-${{ needs.get-tag.outputs.TAG_NAME }}.pkg
+        TAG_NAME: ${{ needs.get-tag.outputs.TAG_NAME }}
+        REPO_NAME: twilio/twilio-cli
+
+  notify-complete-fail:
+    if: ${{ failure() || cancelled() }}
+    needs: [pack-macos]
+    name: Notify Release Failed
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - name: Slack Notification
+        uses: rtCamp/action-slack-notify@v2
+        env:
+          SLACK_WEBHOOK: ${{ secrets.ALERT_SLACK_WEB_HOOK }}
+          SLACK_COLOR: "#ff3333"
+          SLACK_USERNAME: CLI Release Bot
+          SLACK_ICON_EMOJI: ":ship:"
+          SLACK_TITLE: "Twilio Cli"
+          SLACK_MESSAGE: 'Macos Executable Release Failed'
+          MSG_MINIMAL: actions url
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -200,6 +200,9 @@ jobs:
   platform-executables-release:
     runs-on: ubuntu-latest
     needs: [ release ]
+    env: 
+        REPO_NAME: twilio/twilio-cli
+        REPO_ACCESS_TOKEN: ${{ secrets.REPO_ACCESS_TOKEN }}
     steps:
       - name: Checkout cli repo
         uses: actions/checkout@v2
@@ -214,9 +217,16 @@ jobs:
         run: node .github/scripts/trigger-workflow.js
         env:
           WORKFLOW_NAME: 'platform-executables.yml'
-          REPO_NAME: twilio/twilio-cli
-          REPO_ACCESS_TOKEN: ${{ secrets.REPO_ACCESS_TOKEN }}
           BRANCH_NAME: ${{steps.extract_branch.outputs.branch}}
+
+      - name: Invoke macos package release workflow
+        if: ${{needs.release.outputs.tag-name != ''}}
+        #TODO make changes to trigger-workflow script to accept multiple workflow names at once
+        run: node .github/scripts/trigger-workflow.js
+        env:
+          WORKFLOW_NAME: 'macos-executable-release.yml'
+          BRANCH_NAME: ${{steps.extract_branch.outputs.branch}}
+
 
   notify-complete-fail:
     if: ${{ failure() || cancelled() }}
@@ -233,4 +243,4 @@ jobs:
           SLACK_USERNAME: CLI Release Bot
           SLACK_ICON_EMOJI: ":ship:"
           SLACK_TITLE: "Twilio Cli"
-          SLACK_MESSAGE: 'CLI Release workflow Failed'
+          SLACK_MESSAGE: 'CLI Release workflow Failed'
diff --git a/package.json b/package.json
@@ -118,7 +118,8 @@
       ]
     },
     "macos": {
-      "identifier": "com.twilio.cli"
+      "identifier": "com.twilio.cli",
+      "sign": "Developer ID Installer: Twilio, Inc."
     },
     "update": {
       "s3": {