-
Notifications
You must be signed in to change notification settings - Fork 285
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Split signing out from qsrelease, fix codesigning (#2655)
Fixes #2654 Issues addressed: - Provides separate GitHub Actions for building and signing (#2583 (comment)) - Provides separate script for debugging signing so you don't have to rebuild every time (requires exporting a few variables normally set in `qsrelease` - By default will still build *and* sign (for local builds) unless `QS_BUILD_ONLY` is set -- preserves current behavior - Uses GitHub Actions' artifacts to avoid re-building the entire project twice - Removes the "arbitrary volume size and hope it's big enough" workaround - Adds what I think should be the necessary changes for automatic notarization of the DMG Other changes: - Removes need for `buildDMG.pl` with no new dependencies - Reorders test *after* build, since the tests depend on `/tmp/QS/Configuration/Quicksilver.pch` - Split uploads into separate named actions - Copy the codesigned app to parent directory for easy acess - Create a zip of QS.app as a convenience build artifact - Specify release config for testing - Use `working-directory` instead of `cd` for several actions - Rename `release.yaml` to `ci.yaml` as it now has separate stages for build, sign, and release
- Loading branch information
Showing
8 changed files
with
205 additions
and
525 deletions.
There are no files selected for viewing
Validating CODEOWNERS rules …
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1 @@ | ||
/.github/workflows @quicksilver/developers |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,95 @@ | ||
name: build | ||
|
||
on: | ||
push: | ||
pull_request: | ||
|
||
jobs: | ||
build: | ||
runs-on: macos-11 | ||
env: | ||
QS_BUILD_ONLY: 1 | ||
steps: | ||
- uses: actions/checkout@v2 | ||
with: | ||
submodules: recursive | ||
- name: Run qrelease | ||
working-directory: Quicksilver | ||
run: ./Tools/qsrelease | ||
- name: Upload unsigned app | ||
uses: actions/upload-artifact@v2 | ||
with: | ||
name: Quicksilver.zip | ||
path: /tmp/QS/build/Release/Quicksilver.zip | ||
- name: Prepare DMG_INGREDIENTS artifact | ||
working-directory: /tmp/QS/build/Release/ | ||
run: | | ||
cp /tmp/qs_build_settings ./dmg/ | ||
tar -czvf ./dmg_ingredients.tar.gz ./dmg | ||
- name: Upload components for sign action | ||
uses: actions/upload-artifact@v2 | ||
with: | ||
name: DMG_INGREDIENTS | ||
path: /tmp/QS/build/Release/dmg_ingredients.tar.gz | ||
|
||
sign: | ||
needs: build | ||
runs-on: macos-11 | ||
env: | ||
MACOS_CERTIFICATE: ${{ secrets.MACOS_CERTIFICATE }} | ||
MACOS_CERTIFICATE_PASSWORD: ${{ secrets.MACOS_CERTIFICATE_PASSWORD }} | ||
KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }} | ||
|
||
SIGNING_IDENTITY: ${{ secrets.SIGNING_IDENTITY }} | ||
NOTARIZING_ID: ${{ secrets.NOTARIZING_ID }} | ||
NOTARIZING_PASS: ${{ secrets.NOTARIZING_PASS }} | ||
|
||
KEYCHAIN_PROFILE: "Quicksilver Notarization" | ||
steps: | ||
- name: Download dmg folder artifact | ||
uses: actions/download-artifact@v2 | ||
with: | ||
name: DMG_INGREDIENTS | ||
path: /tmp/QS/build/Release/ | ||
- name: Decompress DMG_INGREDIENTS | ||
working-directory: /tmp/QS/build/Release/ | ||
run: | | ||
tar -xzvf ./dmg_ingredients.tar.gz | ||
mv ./dmg/qs_build_settings /tmp/ | ||
QS_INFO_VERSION=$(awk '/QS_INFO_VERSION/ { print $NF }' /tmp/qs_build_settings) | ||
echo "QS_INFO_VERSION=${QS_INFO_VERSION}" >> $GITHUB_ENV | ||
- uses: actions/checkout@v2 | ||
with: | ||
submodules: recursive | ||
- name: Run Tools/qssign | ||
working-directory: Quicksilver | ||
run: | | ||
# https://docs.github.com/en/actions/deployment/deploying-xcode-applications/installing-an-apple-certificate-on-macos-runners-for-xcode-development | ||
KEYCHAIN_PATH=${RUNNER_TEMP}/app-signing.keychain-db | ||
CERTIFICATE_PATH=${RUNNER_TEMP}/build_certificate.p12 | ||
echo -n "${MACOS_CERTIFICATE}" | base64 --decode --output "${CERTIFICATE_PATH}" | ||
security create-keychain -p "${KEYCHAIN_PASSWORD}" "${KEYCHAIN_PATH}" | ||
security default-keychain -s "${KEYCHAIN_PATH}" | ||
security set-keychain-settings -lut 21600 "${KEYCHAIN_PATH}" | ||
security unlock-keychain -p "${KEYCHAIN_PASSWORD}" "${KEYCHAIN_PATH}" | ||
security import "${CERTIFICATE_PATH}" -P "${MACOS_CERTIFICATE_PASSWORD}" -A -t cert -f pkcs12 -k "${KEYCHAIN_PATH}" | ||
xcrun notarytool store-credentials "${KEYCHAIN_PROFILE}" \ | ||
--apple-id "${NOTARIZING_ID}" \ | ||
--team-id "${SIGNING_IDENTITY}" \ | ||
--password "${NOTARIZING_PASS}" | ||
./Tools/qssign | ||
- name: Upload document | ||
uses: actions/upload-artifact@v2 | ||
with: | ||
name: "Quicksilver_${{ env.QS_INFO_VERSION }}.dmg" | ||
path: /tmp/QS/build/Release/Quicksilver*.dmg | ||
- name: Release | ||
uses: softprops/action-gh-release@v1 | ||
if: startsWith(github.ref, 'refs/tags/') | ||
with: | ||
files: /tmp/QS/build/Release/Quicksilver*.dmg |
This file was deleted.
Oops, something went wrong.
This file was deleted.
Oops, something went wrong.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.