From fe72d8e16a0efc19f0054a2c7c9cd585b70af5c5 Mon Sep 17 00:00:00 2001 
From: Julian Gruber Date: Tue, 27 Sep 2022 11:24:54 +0200 Subject: [PATCH] Add sign and notarize macOS x86_64 #35 (#53) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * sign and notarize (wip) * always run for now * add install gon * try fixing the rate limiting issue * just always run on macos * change gon invocation * try again after updating env * try again after updating env * try again after updating env * try again after updating env * pass secrets to env * import cert into keychain * just pass the cert name (no secret) * fix build id * fix build id * build on all darwin architectures * add sign arm64 * fix hcl syntax * undo debug changes * clean up * attach artifacts to workflow run * run on push again * clean up * update bundle id * use hooks instead of signs * turn gon config into dotfile * add zip output * try "signs" again * try mirroring mitchellh/gon setup * update paths * :thinking: * looks like username needs to be hardcoded * clean up * attach everything from `./dist` * remove unnecessary dmg artifact * undo some changes * only archive macos * undo some changes * undo some changes * undo some changes * zip -> tar.gz * add arch to macos artifact * remove version from other builds too * skip folder artifact upload * Revert "zip -> tar.gz" This reverts commit c49d051dbc0e2c4ac19f57cbd34335f8aa7c852a. 
* docs * keep previous artifact naming * fix artifact name * build all darwin archs * sign macos archs independently * refactor, fix redundant signs ids * consistent naming * fix signing source paths * fix source path again * arm signing issues * clean up * always run * try manual arm script * fix path * fix paths * wait, why is x86_64 failing now * fix sign command * switch back to gon, remove arm signing attempts again * Update bundle_id Co-authored-by: Miroslav Bajtoš Co-authored-by: Miroslav Bajtoš
---
 .github/workflows/release.yml | 41 +++++++++++++++++++++++++++++++----
 .gon.hcl | 15 +++++++++++++
 .goreleaser.yaml | 36 +++++++++++++++++++++++++-----
 3 files changed, 82 insertions(+), 10 deletions(-)
 create mode 100644 .gon.hcl
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 0f0a6f2..6879f20 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -2,9 +2,6 @@ name: goreleaser on: push: - # run only against tags - tags: - - '*' permissions: contents: write
@@ -13,7 +10,7 @@ permissions: jobs: goreleaser: - runs-on: ubuntu-latest + runs-on: macos-latest steps: - name: Checkout
@@ -29,6 +26,7 @@ jobs: tag: v0.0.19 fileName: saturn-webui.tar.gz out-file-path: resources/webui + token: ${{ secrets.GITHUB_TOKEN }} - name: Unpack web UI archive run: |
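Review bot: Removing `tags:` from `on: push:` means this job — which has `contents: write` and, in the later hunks of this patch, the signing certificate, keychain and notarization secrets in its environment — now runs for every push to every branch instead of only on release tags; the commit message calls this temporary ("always run for now"), but nothing in the patch restores a guard. If builds on ordinary pushes are wanted, restrict the trigger with `branches: [<default-branch>]` and `tags: ['*']` under `push:` and gate the release step with `if: startsWith(github.ref, 'refs/tags/')`, so the publish/notarize path and its secrets are only exercised on tagged commits. The rest of the workflow's `on:` block and the `jobs:` definition lie outside this hunk.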
@@ -43,6 +41,33 @@ jobs: uses: actions/setup-go@v2 with: go-version: 1.18 + - + name: Install gon + run: | + brew tap mitchellh/gon + brew install mitchellh/gon/gon + - + name: Install the Apple certificate and provisioning profile + env: + BUILD_CERTIFICATE_BASE64: ${{ secrets.BUILD_CERTIFICATE_BASE64 }} + P12_PASSWORD: ${{ secrets.P12_PASSWORD }} + KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }} + run: | + # create variables + CERTIFICATE_PATH=$RUNNER_TEMP/build_certificate.p12 + KEYCHAIN_PATH=$RUNNER_TEMP/app-signing.keychain-db + + # import certificate and provisioning profile from secrets + echo -n "$BUILD_CERTIFICATE_BASE64" | base64 --decode --output $CERTIFICATE_PATH + + # create temporary keychain + security create-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH + security set-keychain-settings -lut 21600 $KEYCHAIN_PATH + security unlock-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH + + # import certificate to keychain + security import $CERTIFICATE_PATH -P "$P12_PASSWORD" -A -t cert -f pkcs12 -k $KEYCHAIN_PATH + security list-keychain -d user -s $KEYCHAIN_PATH - name: Run GoReleaser uses: goreleaser/goreleaser-action@v2
@@ -53,5 +78,13 @@ jobs: args: release --rm-dist env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + AC_PASSWORD: ${{ secrets.AC_PASSWORD }} # Your GoReleaser Pro key, if you are using the 'goreleaser-pro' distribution # GORELEASER_KEY: ${{ secrets.GORELEASER_KEY }} + - + name: Attach produced packages to Github Action + uses: actions/upload-artifact@v2 + with: + name: dist + path: dist/*.* + if-no-files-found: error
diff --git a/.gon.hcl b/.gon.hcl
new file mode 100644
index 0000000..e01c76c
--- /dev/null
+++ b/.gon.hcl
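Review bot: The step name `Install the Apple certificate and provisioning profile` and the comment `# import certificate and provisioning profile from secrets` promise a provisioning profile, but the script only decodes and imports the `.p12`; rename the step to `Install the Apple signing certificate` and the comment to `# decode the signing certificate (.p12) from the secret` so nobody looks for a profile that is not there. The temporary keychain created with `security create-keychain` and the decoded `.p12` in `$RUNNER_TEMP` are never removed anywhere in this patch; GitHub-hosted runners are discarded after the job, but on a self-hosted or reused runner the unlocked keychain would outlive the run, so a final step `- name: Clean up keychain` / `if: ${{ always() }}` / `run: security delete-keychain $RUNNER_TEMP/app-signing.keychain-db` is cheap insurance. `security import ... -A` lets any process on the runner use the imported private key for the keychain's lifetime; if signing still succeeds with the narrower `-T /usr/bin/codesign -T /usr/bin/security` (usually paired with `security set-key-partition-list -S apple-tool:,apple: -k "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH`), prefer that. The enclosing `steps:` list continues outside the hunk, and the second hunk on this line only wires `AC_PASSWORD` into the GoReleaser environment and adds the artifact upload.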
@@ -0,0 +1,15 @@
+source = ["./dist/macos-x86-64_darwin_amd64_v1/L2-node"]
+bundle_id = "io.filecoin.saturn.l2-node"
+
+apple_id {
+ username = "oli@protocol.ai"
+ password = "@env:AC_PASSWORD"
+}
+
+sign {
+ application_identity = "Developer ID Application: Protocol Labs, Inc."
+}
+
+zip {
+ output_path="./dist/L2-node_Darwin_x86_64.zip"
+}
diff --git a/.goreleaser.yaml b/.goreleaser.yaml
index ea4efdb..527f186 100644
--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
@@ -7,27 +7,52 @@ before: # you may remove this if you don't need go generate - go generate ./... builds: - - env: + - id: saturn + env: - CGO_ENABLED=0 goos: - linux - windows - - darwin ignore: - goos: windows goarch: arm64 main: ./cmd/saturn-l2 binary: saturn-L2-node - + - id: macos-x86-64 + env: + - CGO_ENABLED=0 + goos: + - darwin + goarch: + - amd64 + main: ./cmd/saturn-l2 archives: - - replacements: - darwin: Darwin + - builds: + - saturn + name_template: "{{ .ProjectName }}_{{ .Os }}_{{ .Arch }}" + replacements: linux: Linux windows: Windows 386: i386 amd64: x86_64 + - builds: + - macos-x86-64 + id: macos-x86-64-zip + format: zip + name_template: "{{ .ProjectName }}_{{ .Os }}_{{ .Arch }}" + replacements: + darwin: Darwin + amd64: x86_64 checksum: name_template: 'checksums.txt' +signs: + - id: macos-x86-64 + ids: + - macos-x86-64-zip + cmd: gon + args: + - .gon.hcl + artifacts: all snapshot: name_template: "{{ incpatch .Version }}-next" changelog:
@@ -45,4 +70,3 @@ changelog: exclude: - '^docs:' - '^test:' -
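Review bot: `username = "oli@protocol.ai"` commits one individual's Apple ID to the repository and ties every notarization submission to that account; the commit message indicates an env-based username was tried and did not work ("looks like username needs to be hardcoded"), so at least a comment above `apple_id` should record why it is hard-coded and which team account it stands in for, e.g. `# Apple ID used for notarization; hard-coded because an @env lookup did not work for username (PR #53)`. `source` bakes in goreleaser's output directory `macos-x86-64_darwin_amd64_v1` (build id, os/arch and what looks like the GOAMD64 level suffix), so renaming the `macos-x86-64` build or changing the amd64 level silently breaks signing; a comment pointing at the `macos-x86-64` build in `.goreleaser.yaml` would make that coupling visible. Style: `output_path="./dist/..."` is the only assignment without spaces around `=`; write `output_path = "./dist/L2-node_Darwin_x86_64.zip"` to match the other lines.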
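Review bot: `signs` hands the `macos-x86-64-zip` archive to gon, but `.gon.hcl` signs the raw binary in `dist/macos-x86-64_darwin_amd64_v1/` and writes its own zip to `./dist/L2-node_Darwin_x86_64.zip`; that only replaces the archive goreleaser publishes if `{{ .ProjectName }}` resolves to `L2-node` (`project_name` is outside this hunk), otherwise the unsigned zip is what reaches the release. Even when the names match, goreleaser computes `checksums.txt` before the sign stage as far as I know, so the Darwin entry would describe the pre-notarization zip and a user verifying the download would see a mismatch; worth checking the published `checksums.txt` against the signed artifact and, if it differs, documenting it or regenerating the checksum after signing. A comment above `signs:` such as `# gon re-signs the darwin binary and overwrites the archive from the macos-x86-64-zip entry; the zip names must match` would record the coupling. The `changelog:` hunk below is only a trailing-blank-line removal.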