Add sign and notarize macOS x86_64 #35 (#53)

* sign and notarize (wip)

* always run for now

* add install gon

* try fixing the rate limiting issue

* just always run on macos

* change gon invocation

* try again after updating env

* try again after updating env

* try again after updating env

* try again after updating env

* pass secrets to env

* import cert into keychain

* just pass the cert name (no secret)

* fix build id

* fix build id

* build on all darwin architectures

* add sign arm64

* fix hcl syntax

* undo debug changes

* clean up

* attach artifacts to workflow run

* run on push again

* clean up

* update bundle id

* use hooks instead of signs

* turn gon config into dotfile

* add zip output

* try "signs" again

* try mirroring mitchellh/gon setup

* update paths

* 🤔

* looks like username needs to be hardcoded

* clean up

* attach everything from `./dist`

* remove unnecessary dmg artifact

* undo some changes

* only archive macos

* undo some changes

* undo some changes

* undo some changes

* zip -> tar.gz

* add arch to macos artifact

* remove version from other builds too

* skip folder artifact upload

* Revert "zip -> tar.gz"

This reverts commit c49d051.

* docs

* keep previous artifact naming

* fix artifact name

* build all darwin archs

* sign macos archs independently

* refactor, fix redundant signs ids

* consistent naming

* fix signing source paths

* fix source path again

* arm signing issues

* clean up

* always run

* try manual arm script

* fix path

* fix paths

* wait, why is x86_64 failing now

* fix sign command

* switch back to gon, remove arm signing attempts again

* Update bundle_id

Co-authored-by: Miroslav Bajtoš <[email protected]>

Co-authored-by: Miroslav Bajtoš <[email protected]>

.github/workflows/release.yml

@@ -2,9 +2,6 @@ name: goreleaser
 
 on:
   push:
-    # run only against tags
-    tags:
-      - '*'
 
 permissions:
   contents: write
@@ -13,7 +10,7 @@ permissions:
 
 jobs:
   goreleaser:
-    runs-on: ubuntu-latest
+    runs-on: macos-latest
     steps:
       -
         name: Checkout
@@ -29,6 +26,7 @@ jobs:
           tag: v0.0.19
           fileName: saturn-webui.tar.gz
           out-file-path: resources/webui
+          token: ${{ secrets.GITHUB_TOKEN }}
       -
         name: Unpack web UI archive
         run: |
@@ -43,6 +41,33 @@ jobs:
         uses: actions/setup-go@v2
         with:
           go-version: 1.18
+      -
+        name: Install gon
+        run: |
+          brew tap mitchellh/gon
+          brew install mitchellh/gon/gon
+      -
+        name: Install the Apple certificate and provisioning profile
+        env:
+          BUILD_CERTIFICATE_BASE64: ${{ secrets.BUILD_CERTIFICATE_BASE64 }}
+          P12_PASSWORD: ${{ secrets.P12_PASSWORD }}
+          KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }}
+        run: |
+          # create variables
+          CERTIFICATE_PATH=$RUNNER_TEMP/build_certificate.p12
+          KEYCHAIN_PATH=$RUNNER_TEMP/app-signing.keychain-db
+
+          # import certificate and provisioning profile from secrets
+          echo -n "$BUILD_CERTIFICATE_BASE64" | base64 --decode --output $CERTIFICATE_PATH
+
+          # create temporary keychain
+          security create-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
+          security set-keychain-settings -lut 21600 $KEYCHAIN_PATH
+          security unlock-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
+
+          # import certificate to keychain
+          security import $CERTIFICATE_PATH -P "$P12_PASSWORD" -A -t cert -f pkcs12 -k $KEYCHAIN_PATH
+          security list-keychain -d user -s $KEYCHAIN_PATH
       -
         name: Run GoReleaser
         uses: goreleaser/goreleaser-action@v2
@@ -53,5 +78,13 @@ jobs:
           args: release --rm-dist
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          AC_PASSWORD: ${{ secrets.AC_PASSWORD }}
           # Your GoReleaser Pro key, if you are using the 'goreleaser-pro' distribution
           # GORELEASER_KEY: ${{ secrets.GORELEASER_KEY }}
+      -
+        name: Attach produced packages to Github Action
+        uses: actions/upload-artifact@v2
+        with:
+          name: dist
+          path: dist/*.*
+          if-no-files-found: error

.gon.hcl

@@ -0,0 +1,15 @@
+source = ["./dist/macos-x86-64_darwin_amd64_v1/L2-node"]
+bundle_id = "io.filecoin.saturn.l2-node"
+
+apple_id {
+  username = "[email protected]"
+  password = "@env:AC_PASSWORD"
+}
+
+sign {
+  application_identity = "Developer ID Application: Protocol Labs, Inc."
+}
+
+zip {
+  output_path="./dist/L2-node_Darwin_x86_64.zip"
+}

.goreleaser.yaml

@@ -7,27 +7,52 @@ before:
     # you may remove this if you don't need go generate
     - go generate ./...
 builds:
-  - env:
+  - id: saturn
+    env:
       - CGO_ENABLED=0
     goos:
       - linux
       - windows
-      - darwin
     ignore:
     - goos: windows
       goarch: arm64
     main: ./cmd/saturn-l2
     binary: saturn-L2-node
-
+  - id: macos-x86-64
+    env:
+      - CGO_ENABLED=0
+    goos:
+      - darwin
+    goarch:
+      - amd64
+    main: ./cmd/saturn-l2
 archives:
-  - replacements:
-      darwin: Darwin
+  - builds:
+    - saturn
+    name_template: "{{ .ProjectName }}_{{ .Os }}_{{ .Arch }}"
+    replacements:
       linux: Linux
       windows: Windows
       386: i386
       amd64: x86_64
+  - builds:
+    - macos-x86-64
+    id: macos-x86-64-zip
+    format: zip
+    name_template: "{{ .ProjectName }}_{{ .Os }}_{{ .Arch }}"
+    replacements:
+      darwin: Darwin
+      amd64: x86_64
 checksum:
   name_template: 'checksums.txt'
+signs:
+  - id: macos-x86-64
+    ids:
+      - macos-x86-64-zip
+    cmd: gon
+    args:
+      - .gon.hcl
+    artifacts: all
 snapshot:
   name_template: "{{ incpatch .Version }}-next"
 changelog:
@@ -45,4 +70,3 @@ changelog:
     exclude:
       - '^docs:'
       - '^test:'
-