Merge pull request #529 from mountaindude/node23-sea

build(ci): Update CI workflow to target Node.js 23 and enhance binary signing and notarization process

.github/workflows/ci.yaml

@@ -107,17 +107,23 @@ jobs:
 
       - name: Build binaries
         run: |
-          pwd
-          ./node_modules/.bin/esbuild src/ctrl-q.js --bundle --external:axios --external:xdg-open --external:enigma.js --outfile=build.cjs --format=cjs --platform=node --target=node18 --minify --inject:./src/lib/util/import-meta-url.js --define:import.meta.url=import_meta_url
-          pkg --output "./${DIST_FILE_NAME}" -t node18-macos-x64 ./build.cjs --config package.json --compress GZip
+          # -------------------
+          ./node_modules/.bin/esbuild src/ctrl-q.js --bundle --outfile=build.cjs --format=cjs --platform=node --target=node23 --inject:./src/lib/util/import-meta-url.js --define:import.meta.url=import_meta_url
+          node --experimental-sea-config sea-config.json
+          cp $(command -v node) ${DIST_FILE_NAME}
+          codesign --remove-signature ${DIST_FILE_NAME}
+          npx postject ctrl-q NODE_SEA_BLOB sea-prep.blob --sentinel-fuse NODE_SEA_FUSE_fce680ab2cc467b6e072b8b5df1996b2 --macho-segment-name NODE_SEA
 
-          chmod +x "${DIST_FILE_NAME}"
           security delete-keychain build.keychain || true
 
-          # Turn our base64-encoded certificate back to a regular .p12 file
+          pwd
+          ls -la
 
+          # -------------------
+          # Turn our base64-encoded certificate back to a regular .p12 file
           echo $MACOS_CERTIFICATE | base64 --decode > certificate.p12
 
+          # -------------------
           # We need to create a new keychain, otherwise using the certificate will prompt
           # with a UI dialog asking for the certificate password, which we can't
           # use in a headless CI environment
@@ -131,25 +137,33 @@ jobs:
 
           codesign --force -s "$MACOS_CERTIFICATE_NAME" -v "./${DIST_FILE_NAME}" --deep --strict --options=runtime --timestamp --entitlements ./release-config/${DIST_FILE_NAME}.entitlements
 
+          # -------------------
+          # Notarize
+          # Store the notarization credentials so that we can prevent a UI password dialog from blocking the CI
 
+          echo "Create keychain profile"
+          xcrun notarytool store-credentials "notarytool-profile" --apple-id "$PROD_MACOS_NOTARIZATION_APPLE_ID" --team-id "$PROD_MACOS_NOTARIZATION_TEAM_ID" --password "$PROD_MACOS_NOTARIZATION_PWD"
+
+          # -------------------
           # We can't notarize an app bundle directly, but we need to compress it as an archive.
           # Therefore, we create a zip file containing our app bundle, so that we can send it to the
           # notarization service
-
-          # Notarize release binary
-          echo "Creating temp notarization archive for release binary"
-          # ditto -c -k --keepParent "./${DIST_FILE_NAME}" "./${DIST_FILE_NAME}.zip"
+          # Notarize insider binary
+          echo "Creating temp notarization archive for insider build"
           ditto -c -k --keepParent "./${DIST_FILE_NAME}" "./${DIST_FILE_NAME}-${{ needs.release-please.outputs.release_version }}-macos.zip"
 
           # Here we send the notarization request to the Apple's Notarization service, waiting for the result.
           # This typically takes a few seconds inside a CI environment, but it might take more depending on the App
           # characteristics. Visit the Notarization docs for more information and strategies on how to optimize it if
           # you're curious
-          echo "Notarize release app"
+          echo "Notarize insider app"
           xcrun notarytool submit "./${DIST_FILE_NAME}-${{ needs.release-please.outputs.release_version }}-macos.zip" --keychain-profile "notarytool-profile" --wait
 
+          # -------------------
+          # Clean up
           # Delete build keychain
           security delete-keychain build.keychain
+          rm build.cjs
 
       - name: Upload to existing release
         uses: ncipollo/release-action@v1
@@ -216,8 +230,23 @@ jobs:
 
       - name: Build binaries
         run: |
-          ./node_modules/.bin/esbuild src/ctrl-q.js --bundle --external:axios --external:xdg-open --external:enigma.js --outfile=build.cjs --format=cjs --platform=node --target=node18 --minify --inject:./src/lib/util/import-meta-url.js --define:import.meta.url=import_meta_url
-          pkg --output "./${env:DIST_FILE_NAME}.exe" -t node18-win-x64 ./build.cjs --config package.json --compress GZip
+          ./node_modules/.bin/esbuild src/ctrl-q.js --bundle --outfile=build.cjs --format=cjs --platform=node --target=node23 --inject:./src/lib/util/import-meta-url.js --define:import.meta.url=import_meta_url
+          node --experimental-sea-config sea-config.json
+          node -e "require('fs').copyFileSync(process.execPath, 'ctrl-q.exe')"
+
+          # Remove the signature from the executable
+          $processOptions1 = @{
+            FilePath = "C:\Program Files (x86)/Windows Kits/10/bin/10.0.22621.0/x64/signtool.exe"
+            Wait = $true
+            ArgumentList = "remove", "/s", "./${env:DIST_FILE_NAME}.exe"
+            WorkingDirectory = "."
+            NoNewWindow = $true
+          }
+          Start-Process @processOptions1
+
+          npx postject ctrl-q.exe NODE_SEA_BLOB sea-prep.blob --sentinel-fuse NODE_SEA_FUSE_fce680ab2cc467b6e072b8b5df1996b2
+
+          dir
 
           # Sign the executable
           # 1st signing
@@ -240,12 +269,13 @@ jobs:
           }
           Start-Process @processOptions2
 
-          # Create release binary zip
+          # Create insider's build zip
           $compress = @{
             Path = "./${env:DIST_FILE_NAME}.exe"
             CompressionLevel = "Fastest"
             DestinationPath = "${env:DIST_FILE_NAME}-${{ needs.release-please.outputs.release_version }}-win.zip"
           }
+
           Compress-Archive @compress
 
       - name: Upload to existing release
@@ -304,8 +334,10 @@ jobs:
 
       - name: Build binaries
         run: |
-          ./node_modules/.bin/esbuild src/ctrl-q.js --bundle --external:axios --external:xdg-open --external:enigma.js --outfile=build.cjs --format=cjs --platform=node --target=node18 --minify --inject:./src/lib/util/import-meta-url.js --define:import.meta.url=import_meta_url
-          pkg --output "./${DIST_FILE_NAME}" -t node18-linux-x64 ./build.cjs --config package.json --compress GZip
+          ./node_modules/.bin/esbuild src/ctrl-q.js --bundle --outfile=build.cjs --format=cjs --platform=node --target=node23 --inject:./src/lib/util/import-meta-url.js --define:import.meta.url=import_meta_url
+          node --experimental-sea-config sea-config.json
+          cp $(command -v node) ${DIST_FILE_NAME}
+          npx postject ctrl-q NODE_SEA_BLOB sea-prep.blob --sentinel-fuse NODE_SEA_FUSE_fce680ab2cc467b6e072b8b5df1996b2
 
           chmod +x ${DIST_FILE_NAME}
 

package.json

@@ -30,7 +30,7 @@
     "license": "MIT",
     "type": "module",
     "dependencies": {
-        "@qlik/api": "^1.23.0",
+        "@qlik/api": "^1.24.0",
         "axios": "^1.7.7",
         "commander": "^12.1.0",
         "csv-parse": "^5.5.6",
@@ -47,18 +47,18 @@
         "retry-axios": "^3.1.3",
         "table": "^6.8.2",
         "text-treeview": "^1.0.2",
-        "undici": "^6.20.1",
+        "undici": "^6.21.0",
         "upath": "^2.0.1",
-        "uuid": "^11.0.0",
-        "winston": "^3.15.0",
+        "uuid": "^11.0.3",
+        "winston": "^3.17.0",
         "winston-daily-rotate-file": "^5.0.0",
         "ws": "^8.18.0",
         "yesno": "^0.4.0"
     },
     "devDependencies": {
         "@babel/eslint-parser": "^7.25.9",
         "@babel/plugin-syntax-import-assertions": "^7.26.0",
-        "@eslint/js": "^9.13.0",
+        "@eslint/js": "^9.14.0",
         "@jest/globals": "^29.7.0",
         "eslint-config-prettier": "^9.1.0",
         "eslint-plugin-prettier": "^5.2.1",