Notarize builds (mac-cain13#644)
* Create swift.yml

* automatically bump homebrew version

* remove unused file

* add notarize step

* import signing

* use more secrets

* use only one certificate for now. also mark pkg as artifact

* fix p12 file name

* also notarize zip. fix pkg root. import multiple p12’s.

* use same passwords for keychain

* remove stapler from notarize shell script

* attach pkg and zip to artifacts

* Delete swift.yml

* Enable hardened runtime

* make steps simpler

* remove homebrew update step

* Cleanup release workflow

Co-authored-by: Mathijs Kadijk <[email protected]>
tomasharkema and mac-cain13 authored Apr 29, 2020
1 parent dcab112 commit 7fbf193
Showing 3 changed files with 114 additions and 11 deletions.
68 changes: 57 additions & 11 deletions .github/workflows/release.yml
Expand Up @@ -19,31 +19,77 @@ jobs:
sed -i "" "s/\(static let version = \"\).*\(\"\)/\1${TAG}\2/" Sources/rswift/Rswift.swift
env:
TAG: ${{ github.event.release.tag_name }}

- name: Build
run: swift build -v -c release
- name: Archive
run: zip --junk-paths ${{ runner.temp }}/archive.zip .build/release/rswift License
- name: Upload
- name: Import Signing Certificates
uses: apple-actions/import-codesign-certs@v1
with:
p12-file-base64: ${{ secrets.APPLE_CERTS }}
p12-password: ${{ secrets.APPLE_CERTS_PASSWORD }}
- name: Code Sign
run: |
codesign --force --options runtime --sign 'Developer ID Application: Mathijs Kadijk (5Z49PA849J)' .build/release/rswift
- name: Store build artifact
uses: actions/upload-artifact@v1
with:
name: rswift-${{ github.event.release.tag_name }}
path: .build/release/rswift

- name: Archive ZIP
run: zip --junk-paths ${{ runner.temp }}/rswift-${{ github.event.release.tag_name }}.zip .build/release/rswift License
- name: Notarize ZIP
run: |
sh notarize.sh
env:
BUNDLE_ID: nl.mathijskadijk.rswift
DEV_ACCOUNT: ${{ secrets.APPLE_ID_EMAIL }}
PASSWORD: ${{ secrets.APPLE_ID_PASSWORD }}
DEV_TEAM: 5Z49PA849J
FILENAME: ${{ runner.temp }}/rswift-${{ github.event.release.tag_name }}.zip
- name: Attach ZIP to release
uses: actions/upload-release-asset@v1
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
upload_url: ${{ github.event.release.upload_url }}
asset_path: ${{ runner.temp }}/archive.zip
asset_path: ${{ runner.temp }}/rswift-${{ github.event.release.tag_name }}.zip
asset_name: rswift-${{ github.event.release.tag_name }}.zip
asset_content_type: application/zip

- name: Store artifact
uses: actions/upload-artifact@v1
with:
name: rswift-${{ github.event.release.tag_name }}
path: .build/release/rswift

- name: Publish to Cocoapods
run: |
export POD_VERSION=$(echo $TAG_NAME | cut -c2-)
pod trunk push
env:
TAG_NAME: ${{ github.event.release.tag_name }}
COCOAPODS_TRUNK_TOKEN: ${{ secrets.COCOAPODS_TRUNK_TOKEN }}

- name: Archive PKG
run: |
mkdir -p $PKG_ROOT/$BINARY_ROOT
cp .build/release/rswift $PKG_ROOT/$BINARY_ROOT
pkgbuild --root $PKG_ROOT --identifier "nl.mathijskadijk.rswift" --version $TAG_NAME --install-location "/" --sign "Developer ID Installer: Mathijs Kadijk (5Z49PA849J)" $FILENAME
env:
TAG_NAME: ${{ github.event.release.tag_name }}
FILENAME: ${{ runner.temp }}/rswift-${{ github.event.release.tag_name }}.pkg
BUNDLE_ID: nl.mathijskadijk.rswift
PKG_ROOT: ${{ runner.temp }}/pkgroot
BINARY_ROOT: /usr/local/bin
- name: Notarize PKG
run: |
sh notarize.sh && xcrun stapler staple "$FILENAME"
env:
BUNDLE_ID: nl.mathijskadijk.rswift
DEV_ACCOUNT: ${{ secrets.APPLE_ID_EMAIL }}
PASSWORD: ${{ secrets.APPLE_ID_PASSWORD }}
DEV_TEAM: 5Z49PA849J
FILENAME: ${{ runner.temp }}/rswift-${{ github.event.release.tag_name }}.pkg
- name: Attach PKG to release
uses: actions/upload-release-asset@v1
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
upload_url: ${{ github.event.release.upload_url }}
asset_path: ${{ runner.temp }}/rswift-${{ github.event.release.tag_name }}.pkg
asset_name: rswift-${{ github.event.release.tag_name }}.pkg
asset_content_type: application/pkg
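Review bot: The `Import Signing Certificates` step hands the Developer ID certificate and its password to `apple-actions/import-codesign-certs@v1`, a third-party action referenced by a movable tag, so whatever that tag points to at release time runs with the signing material. Pinning it to a reviewed commit, `uses: apple-actions/import-codesign-certs@<full-commit-sha>`, removes that dependency on the tag. In `Archive ZIP`, `${{ github.event.release.tag_name }}` is expanded into the shell line before the shell parses it; passing it through `env:` as the version-bump step above already does with `TAG`, and quoting `"$TAG"`, keeps the tag text from being interpreted as shell. The same quoting applies to `$TAG_NAME`, `$PKG_ROOT` and `$FILENAME` in `Archive PKG`. The job definition starts above this hunk.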
3 changes: 3 additions & 0 deletions RswiftConfig.xcconfig
Expand Up @@ -17,3 +17,6 @@ BUILT_PRODUCTS_DIR = $(SRCROOT)/build/$CONFIGURATION

// Mac OS SDK 10.11
MACOSX_DEPLOYMENT_TARGET = 10.11

// Enable hardened runtime
ENABLE_HARDENED_RUNTIME = YES
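--- a/notarize.sh
+++ b/notarize.sh
@@ -0,0 +1,54 @@
+
+requeststatus() { # $1: requestUUID
+requestUUID=${1?:"need a request UUID"}
+req_status=$(xcrun altool --notarization-info "$requestUUID" \
+--username "$DEV_ACCOUNT" \
+--password "$PASSWORD" 2>&1 \
+| awk -F ': ' '/Status:/ { print $2; }' )
+echo "$req_status"
+}
+
+
+notarizefile() { # $1: path to file to notarize, $2: identifier
+filepath=${1:?"need a filepath"}
+identifier=${2:?"need an identifier"}
+
+# upload file
+echo "## uploading $filepath for notarization"
+requestUUID=$(xcrun altool --notarize-app \
+--primary-bundle-id "$BUNDLE_ID" \
+--username "$DEV_ACCOUNT" \
+--password "$PASSWORD" \
+--asc-provider "$DEV_TEAM" \
+--file "$FILENAME" 2>&1 \
+| awk '/RequestUUID/ { print $NF; }')
+
+echo "Notarization RequestUUID: $requestUUID"
+
+if [[ $requestUUID == "" ]]; then
+echo "could not upload for notarization"
+exit 1
+fi
+
+# wait for status to be not "in progress" any more
+request_status="in progress"
+while [[ "$request_status" == "in progress" ]]; do
+echo -n "waiting... "
+sleep 10
+request_status=$(requeststatus "$requestUUID")
+echo "$request_status"
+done
+
+# print status information
+xcrun altool --notarization-info "$requestUUID" \
+--username "$DEV_ACCOUNT" \
+--password "$PASSWORD"
+echo
+
+if [[ $request_status != "success" ]]; then
+echo "## could not notarize $filepath"
+exit 1
+fi
+}
+
+notarizefile "$FILENAME" "$BUNDLE_ID"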
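Review bot: The Apple ID password is passed as `--password "$PASSWORD"` in all three `altool` calls (the status query in requeststatus, the upload, and the final status print in notarizefile), which places the secret in the process argument list where other processes on the runner can read it. altool accepts an environment reference for this option, so `--password "@env:PASSWORD"` keeps the value out of argv with no change to the workflow's `env:` blocks. Separately, `${1?:"need a request UUID"}` in requeststatus has the `:` and `?` transposed relative to the `${1:?...}` form used in notarizefile, so an empty argument is not rejected there. The script also relies on `[[ ... ]]` but has no shebang and is run as `sh notarize.sh`; adding `#!/bin/bash` and invoking it with `bash` would make that dependency explicit.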
