diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index 65fc26d..7145cfd 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -13,33 +13,73 @@ jobs: steps: - name: Checkout Repository uses: actions/checkout@v2 - + - name: Install codesign certificate + env: + # DEV_CERT_B64: Base64-encoded developer certificate as .p12 + # DEV_CERT_PWD: Developer certificate .p12 password + # PROVISION_PROFILE_B64: Base64-encoded provisioning profile as .provisionprofile + # KEYCHAIN_TIMEOUT: Lock keychain after timeout interval + # https://docs.github.com/en/actions/deployment/deploying-xcode-applications/installing-an-apple-certificate-on-macos-runners-for-xcode-development + DEV_CERT_B64: ${{ secrets.DEV_CERT_B64 }} + DEV_CERT_PWD: ${{ secrets.DEV_CERT_PWD }} + KEYCHAIN_TIMEOUT: 21600 + run: | + DEV_CERT_P12="$RUNNER_TEMP/dev_cert.p12" + KEYCHAIN_DB="$RUNNER_TEMP/keychain.keychain-db" + KEYCHAIN_PWD=$(openssl rand -base64 24) + security create-keychain -p "$KEYCHAIN_PWD" "$KEYCHAIN_DB" + security set-keychain-settings -lut "$KEYCHAIN_TIMEOUT" "$KEYCHAIN_DB" + security unlock-keychain -p "$KEYCHAIN_PWD" "$KEYCHAIN_DB" + echo -n "$DEV_CERT_B64" | base64 --decode --output "$DEV_CERT_P12" + security import "$DEV_CERT_P12" -P "$DEV_CERT_PWD" -A -t cert -f pkcs12 -k "$KEYCHAIN_DB" + security list-keychain -d user -s "$KEYCHAIN_DB" - name: Building run: | swift build -c release --arch arm64 --arch x86_64 - cd .build/apple/Products/Release/ - zip codeedit-cli.zip codeedit-cli - cd ../../../../ - # CODESIGN & NOTARIZE THE BINARY - - - name: Create Release - id: create_release - uses: actions/create-release@v1 + - name: Sign env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - with: - tag_name: ${{ github.ref }} - release_name: ${{ github.ref }} - draft: false - prerelease: false - - - name: Upload Release Asset - uses: actions/upload-release-asset@v1 + CODESIGN_SIGN: ${{ secrets.CODESIGN_SIGN }} + run: | + codesign --sign "$CODESIGN_SIGN" --prefix austincondiff.CodeEdit. 
--options=runtime --verbose --timestamp .build/apple/Products/Release/codeedit-cli + - name: Zip + run: zip -r .build/apple/Products/Release/codeedit-cli.zip .build/apple/Products/Release/codeedit-cli + - name: Notarize env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - with: - upload_url: ${{ steps.create_release.outputs.upload_url }} - asset_path: .build/apple/Products/Release/codeedit-cli.zip - asset_name: codeedit-cli-binary.zip - asset_content_type: application/zip + APPLE_ID: ${{ secrets.APPLE_ID }} + APPLE_ID_PWD: ${{ secrets.APPLE_ID_PWD }} + APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }} + run: | + xcrun notarytool submit ".build/apple/Products/Release/codeedit-cli.zip" --apple-id "$APPLE_ID" --password "$APPLE_ID_PWD" --team-id "$APPLE_TEAM_ID" --verbose --wait --output-format plist > "NotarizationResponse.plist" + echo "**RESPONSE**" + cat NotarizationResponse.plist + id=`/usr/libexec/PlistBuddy -c "Print :id" "NotarizationResponse.plist"` + xcrun notarytool log --verbose --apple-id "$APPLE_ID" --password "$APPLE_ID_PWD" --team-id "$APPLE_TEAM_ID" "$id" + status=`/usr/libexec/PlistBuddy -c "Print :status" "NotarizationResponse.plist"` + if [[ $status != "Accepted" ]]; then + exit 999 + fi + #- name: Create Release + # id: create_release + #uses: actions/create-release@v1 + #env: + #GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + #with: + #tag_name: ${{ github.ref }} + #release_name: ${{ github.ref }} + #draft: false + #prerelease: false + + #- name: Upload Release Asset + # uses: actions/upload-release-asset@v1 + #env: + # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + #with: + #upload_url: ${{ steps.create_release.outputs.upload_url }} + #asset_path: .build/apple/Products/Release/codeedit-cli.zip + #asset_name: codeedit-cli-binary.zip + #asset_content_type: application/zip + - name: Clean up keychain + if: ${{ always() }} + run: | + security delete-keychain "$RUNNER_TEMP/keychain.keychain-db"
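Review bot: The `Install codesign certificate` step imports the .p12 but never runs `security set-key-partition-list -S apple-tool:,apple: -k "$KEYCHAIN_PWD" "$KEYCHAIN_DB"` after `security import`, so on recent macOS runners the later `codesign` call may stall waiting for keychain authorization instead of using the key non-interactively; the GitHub doc linked in the env comment includes that step right before `security list-keychain`. The same env comment documents `PROVISION_PROFILE_B64`, but no such variable is defined or used anywhere in the step, so either drop that comment line or add the variable it describes. In the `Notarize` step `exit 999` is truncated by the shell to 231; `exit 1` states the intent plainly and keeps the status code meaningful. The `Zip` step now archives the full `.build/apple/Products/Release/codeedit-cli` path rather than the bare binary the removed `cd`-then-`zip` sequence produced, which changes the layout of the distributed archive. The enclosing `jobs:` block starts outside the hunk.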