Split signing out from qsrelease, fix codesigning (#2655)

Fixes #2654

Issues addressed:

- Provides separate GitHub Actions for building and signing (#2583 (comment))
- Provides separate script for debugging signing so you don't have to rebuild every time (requires exporting a few variables normally set in `qsrelease`
- By default will still build *and* sign (for local builds) unless `QS_BUILD_ONLY` is set -- preserves current behavior
- Uses GitHub Actions' artifacts to avoid re-building the entire project twice
- Removes the "arbitrary volume size and hope it's big enough" workaround
- Adds what I think should be the necessary changes for automatic
  notarization of the DMG

Other changes:

- Removes need for `buildDMG.pl` with no new dependencies
- Reorders test *after* build, since the tests depend on `/tmp/QS/Configuration/Quicksilver.pch`
- Split uploads into separate named actions
- Copy the codesigned app to parent directory for easy acess
- Create a zip of QS.app as a convenience build artifact
- Specify release config for testing
- Use `working-directory` instead of `cd` for several actions
- Rename `release.yaml` to `ci.yaml` as it now has separate stages for
  build, sign, and release

.github/CODEOWNERS

@@ -0,0 +1 @@
+/.github/workflows @quicksilver/developers

.github/workflows/ci.yml

@@ -0,0 +1,95 @@
+name: build
+
+on:
+  push:
+  pull_request:
+
+jobs:
+  build:
+    runs-on: macos-11
+    env:
+      QS_BUILD_ONLY: 1
+    steps:
+    - uses: actions/checkout@v2
+      with:
+        submodules: recursive
+    - name: Run qrelease
+      working-directory: Quicksilver
+      run: ./Tools/qsrelease
+    - name: Upload unsigned app
+      uses: actions/upload-artifact@v2
+      with:
+        name: Quicksilver.zip
+        path: /tmp/QS/build/Release/Quicksilver.zip
+    - name: Prepare DMG_INGREDIENTS artifact
+      working-directory: /tmp/QS/build/Release/
+      run: |
+        cp /tmp/qs_build_settings ./dmg/
+        tar -czvf ./dmg_ingredients.tar.gz ./dmg
+    - name: Upload components for sign action
+      uses: actions/upload-artifact@v2
+      with:
+        name: DMG_INGREDIENTS
+        path: /tmp/QS/build/Release/dmg_ingredients.tar.gz
+
+  sign:
+    needs: build
+    runs-on: macos-11
+    env:
+      MACOS_CERTIFICATE: ${{ secrets.MACOS_CERTIFICATE }}
+      MACOS_CERTIFICATE_PASSWORD: ${{ secrets.MACOS_CERTIFICATE_PASSWORD }}
+      KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }}
+
+      SIGNING_IDENTITY: ${{ secrets.SIGNING_IDENTITY }}
+      NOTARIZING_ID: ${{ secrets.NOTARIZING_ID }}
+      NOTARIZING_PASS: ${{ secrets.NOTARIZING_PASS }}
+
+      KEYCHAIN_PROFILE: "Quicksilver Notarization"
+    steps:
+    - name: Download dmg folder artifact
+      uses: actions/download-artifact@v2
+      with:
+        name: DMG_INGREDIENTS
+        path: /tmp/QS/build/Release/
+    - name: Decompress DMG_INGREDIENTS
+      working-directory: /tmp/QS/build/Release/
+      run: |
+        tar -xzvf ./dmg_ingredients.tar.gz
+        mv ./dmg/qs_build_settings /tmp/
+
+        QS_INFO_VERSION=$(awk '/QS_INFO_VERSION/ { print $NF }' /tmp/qs_build_settings)
+        echo "QS_INFO_VERSION=${QS_INFO_VERSION}" >> $GITHUB_ENV
+    - uses: actions/checkout@v2
+      with:
+        submodules: recursive
+    - name: Run Tools/qssign
+      working-directory: Quicksilver
+      run: |
+        # https://docs.github.com/en/actions/deployment/deploying-xcode-applications/installing-an-apple-certificate-on-macos-runners-for-xcode-development
+        KEYCHAIN_PATH=${RUNNER_TEMP}/app-signing.keychain-db
+        CERTIFICATE_PATH=${RUNNER_TEMP}/build_certificate.p12
+        echo -n "${MACOS_CERTIFICATE}" | base64 --decode --output "${CERTIFICATE_PATH}"
+
+        security create-keychain -p "${KEYCHAIN_PASSWORD}" "${KEYCHAIN_PATH}"
+        security default-keychain -s "${KEYCHAIN_PATH}"
+        security set-keychain-settings -lut 21600 "${KEYCHAIN_PATH}"
+
+        security unlock-keychain -p "${KEYCHAIN_PASSWORD}" "${KEYCHAIN_PATH}"
+
+        security import "${CERTIFICATE_PATH}" -P "${MACOS_CERTIFICATE_PASSWORD}" -A -t cert -f pkcs12 -k "${KEYCHAIN_PATH}"
+        xcrun notarytool store-credentials "${KEYCHAIN_PROFILE}" \
+          --apple-id "${NOTARIZING_ID}" \
+          --team-id "${SIGNING_IDENTITY}" \
+          --password "${NOTARIZING_PASS}"
+
+        ./Tools/qssign
+    - name: Upload document
+      uses: actions/upload-artifact@v2
+      with:
+        name: "Quicksilver_${{ env.QS_INFO_VERSION }}.dmg"
+        path: /tmp/QS/build/Release/Quicksilver*.dmg
+    - name: Release
+      uses: softprops/action-gh-release@v1
+      if: startsWith(github.ref, 'refs/tags/')
+      with:
+        files: /tmp/QS/build/Release/Quicksilver*.dmg

Quicksilver/Quicksilver.xcodeproj/project.pbxproj

@@ -1839,7 +1839,7 @@
 		CDC89A6027AB69C000727225 /* 0abb71f2bfffac67318c2f7605f99eff-manifest.xcbuild */ = {isa = PBXFileReference; lastKnownFileType = text; path = "0abb71f2bfffac67318c2f7605f99eff-manifest.xcbuild"; sourceTree = "<group>"; };
 		CDC89A6127AB69C000727225 /* 5d773d4601fc3ba5dcc3a4b8b9ba528d-manifest.xcbuild */ = {isa = PBXFileReference; lastKnownFileType = text; path = "5d773d4601fc3ba5dcc3a4b8b9ba528d-manifest.xcbuild"; sourceTree = "<group>"; };
 		CDC89A6227AB69C000727225 /* 4de1db05a982cc2692e138b3ba835189-desc.xcbuild */ = {isa = PBXFileReference; lastKnownFileType = file; path = "4de1db05a982cc2692e138b3ba835189-desc.xcbuild"; sourceTree = "<group>"; };
-		CDC89A6327AB69C000727225 /* BuildDescriptionCacheIndex-32883bd06d348fd96e55403013a8a975 */ = {isa = PBXFileReference; lastKnownFileType = file; path = "BuildDescriptionCacheIndex-32883bd06d348fd96e55403013a8a975"; sourceTree = "<group>"; };
+		CDC89A6327AB69C000727225 /* BuildDescriptionCacheIndex-32883bd06d348fd96e55403013a8a975 */ = {isa = PBXFileReference; lastKnownFileType = text; path = "BuildDescriptionCacheIndex-32883bd06d348fd96e55403013a8a975"; sourceTree = "<group>"; };
 		CDC89A6427AB69C000727225 /* build.db */ = {isa = PBXFileReference; lastKnownFileType = file; path = build.db; sourceTree = "<group>"; };
 		CDC9C6C413DA2B6D0053B09C /* Clipboard.icns */ = {isa = PBXFileReference; lastKnownFileType = image.icns; path = Clipboard.icns; sourceTree = "<group>"; };
 		CDCC200E10A4C14B009C4EED /* QSMDPredicate.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = QSMDPredicate.h; sourceTree = "<group>"; usesTabs = 1; };
@@ -6502,7 +6502,6 @@
 			buildSettings = {
 				ARCHS = "$(ARCHS_STANDARD)";
 				CLANG_ENABLE_OBJC_ARC = YES;
-				CODE_SIGN_IDENTITY = "-";
 				INFOPLIST_FILE = "PropertyLists/Quicksilver-Info.plist";
 				PRODUCT_BUNDLE_IDENTIFIER = com.blacktree.Quicksilver;
 				PRODUCT_NAME = "$(TARGET_NAME)";
@@ -6516,7 +6515,6 @@
 			buildSettings = {
 				ARCHS = "$(ARCHS_STANDARD)";
 				CLANG_ENABLE_OBJC_ARC = YES;
-				CODE_SIGN_IDENTITY = "-";
 				INFOPLIST_FILE = "PropertyLists/Quicksilver-Info.plist";
 				PRODUCT_BUNDLE_IDENTIFIER = com.blacktree.Quicksilver;
 				PRODUCT_NAME = "$(TARGET_NAME)";
@@ -6598,7 +6596,6 @@
 			buildSettings = {
 				ARCHS = "$(ARCHS_STANDARD)";
 				CLANG_ENABLE_OBJC_WEAK = YES;
-				CODE_SIGN_IDENTITY = "-";
 				INFOPLIST_FILE = "QSDroplet/QSDroplet-Info.plist";
 				INSTALL_PATH = "$(HOME)/Applications";
 				PRODUCT_BUNDLE_IDENTIFIER = com.blacktree.Quicksilver.droplet;
@@ -6613,7 +6610,6 @@
 			buildSettings = {
 				ARCHS = "$(ARCHS_STANDARD)";
 				CLANG_ENABLE_OBJC_WEAK = YES;
-				CODE_SIGN_IDENTITY = "-";
 				INFOPLIST_FILE = "QSDroplet/QSDroplet-Info.plist";
 				INSTALL_PATH = "$(HOME)/Applications";
 				PRODUCT_BUNDLE_IDENTIFIER = com.blacktree.Quicksilver.droplet;