Build and upload Mac app artifact #117

Summary
Jobs
- notarize
Run details
- Usage
- Workflow file

Workflow file for this run

.github/workflows/app-artifacts-mac.yml at ffc4b06

	name: Build and upload Mac app artifact

	on:
	workflow_dispatch:
	inputs:
	buildBranch:
	description: 'Headlamp ref/branch/tag'
	required: true
	default: 'main'
	signBinaries:
	description: Notarize app
	default: false
	type: boolean
	jobs:
	# build-mac:
	# runs-on: macos-latest
	# steps:
	# - uses: actions/checkout@v4
	# with:
	# ref: ${{ github.event.inputs.buildBranch }}
	# - name: Setup nodejs
	# uses: actions/setup-node@v4
	# with:
	# node-version: 18.x
	# cache: 'npm'
	# cache-dependency-path: \|
	# app/package-lock.json
	# frontend/package-lock.json
	# - uses: actions/setup-go@v5
	# with:
	# go-version: '1.20.*'
	# cache-dependency-path: \|
	# backend/go.sum
	# - name: Dependencies
	# run: brew install make
	# - name: Build Backend and Frontend
	# run: \|
	# make
	# - name: Add MacOS certs
	# run: cd ./app/mac/scripts/ && sh ./setup-certificate.sh
	# env:
	# APPLE_CERTIFICATE: ${{ secrets.TEST_APPLE_DEV_CERT }}
	# APPLE_CERTIFICATE_PASSWORD: ${{ secrets.TEST_APPLE_DEV_CERT_PASS }}
	# - name: Build Notarized App Mac
	# if: ${{ inputs.signBinaries }}
	# env:
	# APPLE_TEAM_ID: ${{ secrets.TEST_APPLE_TEAM_ID }}
	# run: \|
	# make app-mac
	# ls ./app
	# ls ./app/dist
	# ls ./app/dist/mac*
	# # env:
	# # APPLEID: ${{ secrets.APPLEID }}
	# # APPLEIDPASS: ${{ secrets.APPLEIDPASS }}
	# # APPLETEAMID: ${{ secrets.APPLETEAMID }}
	# # - name: Build App Mac
	# # if: ${{ ! inputs.signBinaries }}
	# # run: \|
	# # make app-mac
	# # - name: CodeSign
	# # run: \|
	# # cd ./app/dist/mac && codesign -s ${{ secrets.TEST_APPLE_TEAM_ID }} --deep --force --options runtime --entitlements ../../mac/entitlements.mac.plist ./Headlamp.app
	# # - name: Zip Artifact
	# # run: \|
	# # cd ./app/dist/mac/ && ditto -c -k --sequesterRsrc --keepParent Headlamp.app ./Headlamp.zip
	# - name: Upload artifact
	# uses: actions/upload-artifact@v4
	# with:
	# name: dmg
	# path: ./app/dist/Headlamp*.dmg
	# if-no-files-found: error
	# retention-days: 1
	notarize:
	runs-on: windows-latest
	# needs: build-mac
	if: ${{ inputs.signBinaries }}
	steps:
	- uses: actions/checkout@v4
	with:
	ref: ${{ github.event.inputs.buildBranch }}
	- name: Setup nodejs
	uses: actions/setup-node@v4
	with:
	node-version: 18.x
	cache: 'npm'
	cache-dependency-path: \|
	app/package-lock.json
	frontend/package-lock.json
	- name: Download artifact
	id: download-artifact
	uses: dawidd6/action-download-artifact@v3
	with:
	# Optional, GitHub token, a Personal Access Token with `public_repo` scope if needed
	# Required, if the artifact is from a different repo
	# Required, if the repo is private a Personal Access Token with `repo` scope is needed or GitHub token in a job where the permissions `action` scope set to `read`
	github_token: ${{secrets.GITHUB_TOKEN}}
	run_id: 8018373845

	# - name: Download artifact
	# uses: actions/download-artifact@v2
	# name: dmg
	- name: Fetch certificates
	if: ${{ inputs.signBinaries }}
	shell: pwsh
	run: \|
	az login --service-principal -u ${{ secrets.WINDOWS_CLIENT_ID }} -p ${{ secrets.AZ_LOGIN_PASS }} --tenant 72f988bf-86f1-41af-91ab-2d7cd011db47
	az keyvault secret download --subscription ${{ secrets.AZ_SUBSCRIPTION_ID }} --vault-name headlamp --name HeadlampAuthCert --file c:\HeadlampAuthCert.pfx --encoding base64
	az keyvault secret download --subscription ${{ secrets.AZ_SUBSCRIPTION_ID }} --vault-name headlamp --name ESRPHeadlampReqCert --file c:\HeadlampReqCert.pfx --encoding base64
	- name: Set up certificates
	if: ${{ inputs.signBinaries }}
	shell: pwsh
	run: \|
	Import-PfxCertificate -FilePath c:\HeadlampAuthCert.pfx -CertStoreLocation Cert:\LocalMachine\My -Exportable
	Import-PfxCertificate -FilePath c:\HeadlampReqCert.pfx -CertStoreLocation Cert:\LocalMachine\My -Exportable

	- name: Download and Set up ESRPClient
	if: ${{ inputs.signBinaries }}
	shell: pwsh
	run: \|
	nuget.exe sources add -name esrp -source ${{ secrets.ESRP_NUGET_INDEX_URL }} -username headlamp -password ${{ secrets.AZ_DEVOPS_TOKEN }}
	nuget.exe install Microsoft.EsrpClient -Version 1.2.87 -source ${{ secrets.ESRP_NUGET_INDEX_URL }} \| out-null

	- name: Sign App
	shell: pwsh
	run: \|
	ls app/mac/scripts
	ls
	ls dmg*
	if ("${{ inputs.signBinaries }}" -eq "true") {
	$env:ESRP_PATH="$(Get-Location)\Microsoft.EsrpClient.1.2.87\tools\EsrpClient.exe"
	$env:HEADLAMP_WINDOWS_CLIENT_ID="${{ secrets.WINDOWS_CLIENT_ID }}"
	$env:HEADLAMP_WINDOWS_SIGN_EMAIL="${{ secrets.WINDOWS_SIGN_EMAIL }}"
	} else {
	echo "Not signing binaries"
	}
	cd ./app/mac/scripts
	ls ../../../dmg
	node ./esrp-notarize.js SIGN ../../../dmg/Headlamp*.dmg
	- name: Notarize App
	shell: pwsh
	run: \|
	ls app/mac/scripts
	ls
	if ("${{ inputs.signBinaries }}" -eq "true") {
	$env:ESRP_PATH="$(Get-Location)\Microsoft.EsrpClient.1.2.87\tools\EsrpClient.exe"
	$env:HEADLAMP_WINDOWS_CLIENT_ID="${{ secrets.WINDOWS_CLIENT_ID }}"
	$env:HEADLAMP_WINDOWS_SIGN_EMAIL="${{ secrets.WINDOWS_SIGN_EMAIL }}"
	} else {
	echo "Not signing binaries"
	}
	cd ./app/mac/scripts
	ls ../../../dmg
	node ./esrp-notarize.js NOTARIZE ../../../dmg/Headlamp*.dmg
	- name: Upload Notarized
	uses: actions/upload-artifact@v4
	with:
	name: Win exes
	path: ./dmg/Headlamp*.dmg
	if-no-files-found: error
	retention-days: 2

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Build and upload Mac app artifact #117

Workflow file

Build and upload Mac app artifact #117

Jobs

Run details

Workflow file for this run