-
Notifications
You must be signed in to change notification settings - Fork 3
/
action.yml
63 lines (61 loc) · 2.25 KB
/
action.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
name: 'Xcode Notarization Action'
description: 'Runs notarytool to upload a file to Apple''s notary service'
branding:
icon: 'award'
color: 'green'
inputs:
app-path:
description: 'Path of the software to notarize. Globbing is supported'
requires: true
staple:
description: 'Whether to run `stapler staple`'
requires: true
default: 'true'
keychain-profile:
description: 'notarytool --keychain-profile parameter'
required: true
default: 'notary'
apple-id:
description: 'notarytool --apple-id parameter'
required: true
password:
description: 'notarytool --password parameter'
required: true
team-id:
description: 'notarytool --team-id parameter'
required: true
xcode-path:
description: 'Path of the Xcode version to use'
required: true
default: '/Applications/Xcode_13.2.1.app' # available on both macos-11 and macos-12 environments
runs:
using: 'composite'
steps:
- name: Setup Xcode
run: sudo xcode-select -s ${{ inputs.xcode-path }}
shell: bash
- name: Prepare Notarization Credentials
run: |
# create temporary keychain
KEYCHAIN_PATH=$RUNNER_TEMP/notarization.keychain-db
KEYCHAIN_PASS=$(uuidgen)
security create-keychain -p "${KEYCHAIN_PASS}" ${KEYCHAIN_PATH}
security set-keychain-settings -lut 900 ${KEYCHAIN_PATH}
security unlock-keychain -p "${KEYCHAIN_PASS}" ${KEYCHAIN_PATH}
# import credentials from secrets
xcrun notarytool store-credentials "${{ inputs.keychain-profile }}" --apple-id "${{ inputs.apple-id }}" --password "${{ inputs.password }}" --team-id "${{ inputs.team-id }}" --keychain "${KEYCHAIN_PATH}"
shell: bash
- name: Notarize ${{ inputs.app-path }}
run: |
KEYCHAIN_PATH=$RUNNER_TEMP/notarization.keychain-db
xcrun notarytool submit ${{ inputs.app-path }} --keychain-profile "${{ inputs.keychain-profile }}" --keychain "${KEYCHAIN_PATH}" --wait
shell: bash
- name: Staple
if: ${{ inputs.staple == 'true' }}
run: xcrun stapler staple ${{ inputs.app-path }}
shell: bash
- name: Cleanup
if: ${{ always() }}
run: security delete-keychain $RUNNER_TEMP/notarization.keychain-db
shell: bash
continue-on-error: true