release.yaml
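name: releaser

on:
  push:
    tags:
      - '*'

# Default GITHUB_TOKEN scope for every job. Jobs that need to publish
# (goreleaser, release, provenance) widen this explicitly below.
permissions:
  contents: read

env:
  GORELEASER_ARTIFACTS_NAME: release_candidate
  SIGNED_MACOS_ARTIFACTS_NAME: signed_macos_release
  GORELEASER_ARTIFACTS_DOWNLOAD_PATH: /tmp/archives

jobs:
  # Build every platform archive with goreleaser and emit the digests of the
  # non-darwin artifacts for the provenance job (darwin archives are re-signed
  # and re-hashed in macos_sign).
  goreleaser:
    runs-on: ubuntu-latest
    permissions:
      contents: write  # goreleaser `release` publishes to the GitHub release
      packages: write  # the ghcr.io login below authenticates with GITHUB_TOKEN
    outputs:
      hashes: ${{ steps.hash.outputs.hashes }}
    steps:
      - name: Install osslsigncode
        run: |
          set -euo pipefail
          sudo apt-get update
          sudo apt-get install -y osslsigncode=2.2-1ubuntu1

      - uses: 'actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b'
        with:
          fetch-depth: 0  # full history, presumably for goreleaser's tag/changelog lookup

      - uses: 'actions/setup-go@fcdc43634adb5f7ae75a9d7a9b9361790f7293e2'
        with:
          go-version: '1.19'

      - uses: 'docker/login-action@49ed152c8eca782a232dede0303416e8f356c37b'
        with:
          registry: 'ghcr.io'
          username: '${{ github.actor }}'
          password: '${{ secrets.GITHUB_TOKEN }}'

      - name: save keys to files
        # The Windows signing material is handed to the shell through the
        # environment instead of being expanded into the script text, and the
        # decoded private key is made owner-only.
        env:
          WINDOWS_PUBLIC_KEY_B64: ${{ secrets.WINDOWS_PUBLIC_KEY_B64 }}
          WINDOWS_PRIVATE_KEY_B64: ${{ secrets.WINDOWS_PRIVATE_KEY_B64 }}
        run: |
          set -euo pipefail
          printf '%s\n' "$WINDOWS_PUBLIC_KEY_B64" | base64 -d > /tmp/legit_signature.crt
          printf '%s\n' "$WINDOWS_PRIVATE_KEY_B64" | base64 -d > /tmp/legit_signature.key
          chmod 600 /tmp/legit_signature.key

      - uses: goreleaser/goreleaser-action@b953231f81b8dfd023c58e0854a721e35037f28b
        id: run-goreleaser
        with:
          # NOTE(review): 'latest' resolves the goreleaser binary at run time;
          # pin it to a specific release for reproducible builds.
          version: latest
          args: "release --rm-dist"
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

      - uses: actions/upload-artifact@83fd05a356d7e2593de66fc9913b3002723633cb # ratchet:actions/upload-artifact@v3
        with:
          name: ${{ env.GORELEASER_ARTIFACTS_NAME }}
          path: |
            ./dist/*

      - name: provenance-inputs
        id: hash
        env:
          ARTIFACTS: "${{ steps.run-goreleaser.outputs.artifacts }}"
        run: |
          set -euo pipefail
          # One "<sha256 hex> <name>" line per artifact that carries a digest or
          # checksum, darwin lines dropped, base64-encoded for the job output.
          hashes="$(printf '%s' "$ARTIFACTS" \
            | jq --raw-output '.[] | {name, "digest": (.extra.Digest // .extra.Checksum)} | select(.digest) | {digest} + {name} | join(" ") | sub("^sha256:";"")' \
            | grep -v darwin \
            | base64 -w0)"
          echo "hashes=${hashes}" >> "$GITHUB_OUTPUT"

  # Re-sign and notarize the darwin binaries, re-pack them under their original
  # archive names and combine their digests with the goreleaser digests.
  macos_sign:
    needs: goreleaser
    runs-on: macos-latest
    outputs:
      hashes: ${{ steps.hash.outputs.hashes }}
    env:
      SIGNED_ARTIFACTS_PATH: /tmp/signed_path
    steps:
      - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
        with:
          fetch-depth: 0

      - uses: actions/download-artifact@9782bd6a9848b53b110e712e20e42d89988822b7 # ratchet:actions/download-artifact@v3
        with:
          name: ${{ env.GORELEASER_ARTIFACTS_NAME }}
          path: ${{ env.GORELEASER_ARTIFACTS_DOWNLOAD_PATH }}

      - name: Codesign executable
        env:
          MACOS_CERTIFICATE: ${{ secrets.APPLE_DEVELOPER_CERTIFICATE_P12_BASE64 }}
          MACOS_CERTIFICATE_PWD: ${{ secrets.APPLE_DEVELOPER_CERTIFICATE_PASSWORD }}
          PROD_MACOS_APPLICATION_ID_NAME: ${{ secrets.MACOS_APPLICATION_ID_NAME }}
          PROD_MACOS_KEYCHAIN_PASSWORD: ${{ secrets.MACOS_KEYCHAIN_PASSWORD }}
          PROD_MACOS_NOTARIZATION_APPLE_ID: ${{ secrets.MACOS_NOTARIZATION_APPLE_ID }}
          PROD_MACOS_NOTARIZATION_TEAM_ID: ${{ secrets.MACOS_NOTARIZATION_TEAM_ID }}
          PROD_MACOS_NOTARIZATION_PWD: ${{ secrets.MACOS_NOTARIZATION_PWD }}
        run: |
          # -u is deliberately omitted: the array expansions below are unbound
          # on macOS's bash 3.2 when the array is empty.
          set -eo pipefail

          echo "extracting files to sign"
          extracted_files=()
          for archive in "$GORELEASER_ARTIFACTS_DOWNLOAD_PATH"/*darwin*.tar.gz; do
            extract_dir="${archive%.tar.gz}"
            mkdir "$extract_dir"
            tar -xzvf "$archive" -C "$extract_dir"
            extracted_files+=("$extract_dir/legitify")
          done
          if [ "${#extracted_files[@]}" -eq 0 ]; then
            echo "no darwin archives found under $GORELEASER_ARTIFACTS_DOWNLOAD_PATH" >&2
            exit 1
          fi

          echo "Prepare keychain to sign"
          printf '%s\n' "$MACOS_CERTIFICATE" | base64 -d > certificate.p12
          security create-keychain -p "$PROD_MACOS_KEYCHAIN_PASSWORD" build.keychain
          security default-keychain -s build.keychain
          security unlock-keychain -p "$PROD_MACOS_KEYCHAIN_PASSWORD" build.keychain
          security import certificate.p12 -k build.keychain -P "$MACOS_CERTIFICATE_PWD" -T /usr/bin/codesign
          rm -f certificate.p12  # the identity now lives in the keychain; drop the on-disk copy
          security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$PROD_MACOS_KEYCHAIN_PASSWORD" build.keychain

          for binary in "${extracted_files[@]}"; do
            echo "Signing $binary"
            /usr/bin/codesign --force -s "$PROD_MACOS_APPLICATION_ID_NAME" --options runtime "$binary" -v
          done

          # Store the notarization credentials so that we can prevent a UI password dialog
          # from blocking the CI
          echo "Create keychain profile"
          xcrun notarytool store-credentials "notarytool-profile" --apple-id "$PROD_MACOS_NOTARIZATION_APPLE_ID" --team-id "$PROD_MACOS_NOTARIZATION_TEAM_ID" --password "$PROD_MACOS_NOTARIZATION_PWD"

          # We can't notarize an app bundle directly, but we need to compress it as an archive.
          # Therefore, we create a zip file containing our app bundle, so that we can send it to the
          # notarization service
          echo "Creating temp notarization archive"
          for binary in "${extracted_files[@]}"; do
            echo "dittoing $binary"
            ditto -c -k "$binary" "notarization.zip"
            # Here we send the notarization request to the Apple's Notarization service, waiting for the result.
            # This typically takes a few seconds inside a CI environment, but it might take more depending on the App
            # characteristics.
            echo "Notarize app"
            xcrun notarytool submit "notarization.zip" --keychain-profile "notarytool-profile" --wait
          done

          # Re-pack each extracted directory under its original archive name.
          # The glob is expanded by the shell before tar creates the archive,
          # so the archive does not include itself.
          mkdir "$SIGNED_ARTIFACTS_PATH"
          for binary in "${extracted_files[@]}"; do
            cli_dir="$(dirname "$binary")"
            archive_name="$(basename "$cli_dir").tar.gz"
            ( cd "$cli_dir" && tar -czvf "$archive_name" * && cp "$archive_name" "$SIGNED_ARTIFACTS_PATH"/ )
          done

      - uses: actions/upload-artifact@83fd05a356d7e2593de66fc9913b3002723633cb # ratchet:actions/upload-artifact@v3
        with:
          name: ${{ env.SIGNED_MACOS_ARTIFACTS_NAME }}
          path: ${{ env.SIGNED_ARTIFACTS_PATH }}

      - name: provenance-inputs
        id: hash
        env:
          RELEASE_HASHES_B64: ${{ needs.goreleaser.outputs.hashes }}  # non-darwin digests from goreleaser
        run: |
          set -euo pipefail
          cd "$SIGNED_ARTIFACTS_PATH"
          mac_hashes="$(shasum -a 256 *.tar.gz)"
          release_hashes="$(printf '%s\n' "$RELEASE_HASHES_B64" | base64 -d)"
          hashes="$(printf '%s\n%s\n' "$release_hashes" "$mac_hashes" | base64)"
          echo "hashes=${hashes}" >> "$GITHUB_OUTPUT"

  # Attach the signed darwin archives plus the untouched non-darwin artifacts
  # to the GitHub release and update the Homebrew tap.
  release:
    needs: macos_sign
    runs-on: ubuntu-latest
    outputs:
      # NOTE(review): step artifact_name never writes brew_release_file, so this
      # output is always empty; kept for compatibility with any consumer.
      brew_release_file: ${{ steps.artifact_name.outputs.brew_release_file }}
    permissions:
      actions: read   # To read the workflow path.
      contents: write # To add assets to a release.
      # id-token: write is not needed here; no step in this job uses OIDC.
    env:
      ARTIFACTS_DOWNLOAD_PATH: /tmp/macos_archives
    steps:
      - uses: 'actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b'
        with:
          fetch-depth: 0

      - uses: actions/download-artifact@9782bd6a9848b53b110e712e20e42d89988822b7 # ratchet:actions/download-artifact@v3
        with:
          name: ${{ env.SIGNED_MACOS_ARTIFACTS_NAME }}
          path: ${{ env.ARTIFACTS_DOWNLOAD_PATH }}

      - uses: actions/download-artifact@9782bd6a9848b53b110e712e20e42d89988822b7 # ratchet:actions/download-artifact@v3
        with:
          name: ${{ env.GORELEASER_ARTIFACTS_NAME }}
          path: ${{ env.GORELEASER_ARTIFACTS_DOWNLOAD_PATH }}

      - name: prepare-release-files
        # Copy the non-darwin goreleaser outputs next to the signed darwin archives.
        run: |
          set -euo pipefail
          find "$GORELEASER_ARTIFACTS_DOWNLOAD_PATH" -maxdepth 1 -type f -not -name '*darwin*' \
            -exec cp {} "$ARTIFACTS_DOWNLOAD_PATH"/ \;

      - name: Release
        uses: softprops/action-gh-release@d4e8205d7e959a9107da6396278b2f1f07af0f9b
        # if: startsWith(github.ref, 'refs/tags/')
        with:
          files: ${{ env.ARTIFACTS_DOWNLOAD_PATH }}/*

      - name: brew-inputs
        id: artifact_name
        run: |
          set -euo pipefail
          echo "version=${GITHUB_REF#refs/tags/v}" >> "$GITHUB_OUTPUT"
          cd "$ARTIFACTS_DOWNLOAD_PATH"
          darwin_intel_file="$(find . -maxdepth 1 -type f -name '*darwin_amd64*' -exec basename {} \;)"
          darwin_arm_file="$(find . -maxdepth 1 -type f -name '*darwin_arm64*' -exec basename {} \;)"
          # Exactly one archive per darwin architecture is expected; fail instead
          # of hashing an empty or multi-file name.
          test -f "$darwin_intel_file"
          test -f "$darwin_arm_file"
          echo "brew_intel_files_sha=$(shasum -a 256 "$darwin_intel_file" | awk '{printf $1}')" >> "$GITHUB_OUTPUT"
          echo "brew_arm_files_sha=$(shasum -a 256 "$darwin_arm_file" | awk '{printf $1}')" >> "$GITHUB_OUTPUT"

      - name: update brew formula
        env:
          # Required token to create a pull request in the tap repository
          HOMEBREW_TAP_GITHUB_TOKEN: ${{ secrets.HOMEBREW_TAP_GITHUB_TOKEN }}
          GITHUB_USER: ${{ secrets.HOMEBREW_TAP_GITHUB_USER }}
          # Step outputs are passed via the environment so they are never
          # interpolated into the script text (the version is derived from the
          # tag name).
          RELEASE_VERSION: ${{ steps.artifact_name.outputs.version }}
          BREW_ARM_SHA: ${{ steps.artifact_name.outputs.brew_arm_files_sha }}
          BREW_INTEL_SHA: ${{ steps.artifact_name.outputs.brew_intel_files_sha }}
        run: |
          set -euo pipefail
          python3 scripts/gen-brew-multi-arch.py "$RELEASE_VERSION" "$BREW_ARM_SHA" "$BREW_INTEL_SHA"

  # Generate SLSA provenance for the combined digest list from macos_sign.
  # NOTE(review): no ordering is declared between this job and `release`;
  # confirm upload-assets tolerates the release being created concurrently.
  provenance:
    needs: macos_sign
    permissions:
      actions: read   # To read the workflow path.
      id-token: write # To sign the provenance.
      contents: write # To add assets to a release.
    # NOTE(review): the reusable-workflow reference below was mangled by the
    # page renderer's e-mail obfuscation; restore the original
    # `.github/workflows/<generator>.yml@<pinned ref>` path from the repository.
    uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
    with:
      base64-subjects: "${{ needs.macos_sign.outputs.hashes }}"
      upload-assets: true # upload to a new release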