Distribute standalone macOS installer #311
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Publishing | |
on: | |
push: | |
branches: | |
- develop | |
- hotfix/* | |
- release/* | |
tags: | |
- v*.*.* | |
jobs: | |
build: | |
name: Build | |
runs-on: macos-latest | |
environment: apple-app-store | |
strategy: | |
matrix: | |
platform: | |
- iOS | |
- macOS | |
distribution: | |
- app-store | |
- standalone | |
exclude: | |
- platform: iOS | |
distribution: standalone | |
steps: | |
- name: Checkout code | |
uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 | |
submodules: true | |
- name: Cache packages | |
uses: actions/cache@v4 | |
with: | |
path: | | |
~/Library/Developer/Xcode/DerivedData/**/SourcePackages/checkouts | |
key: ${{ runner.os }}-spm-${{ hashFiles('**/Package.resolved') }} | |
restore-keys: | | |
${{ runner.os }}-spm- | |
- name: Set up signing certificate | |
env: | |
CERTIFICATE_DISTRIBUTION_B64: ${{ vars.CERTIFICATE_DISTRIBUTION_B64 }} | |
CERTIFICATE_DISTRIBUTION_PRIVATE_KEY_B64: ${{ secrets.CERTIFICATE_DISTRIBUTION_PRIVATE_KEY_B64 }} | |
CERTIFICATE_MAC_INSTALLER_B64: ${{ vars.CERTIFICATE_MAC_INSTALLER_B64 }} | |
CERTIFICATE_MAC_INSTALLER_PRIVATE_KEY_B64: ${{ secrets.CERTIFICATE_MAC_INSTALLER_PRIVATE_KEY_B64 }} | |
CERTIFICATE_DEVELOPER_ID_APPLICATION_B64: ${{ vars.CERTIFICATE_DEVELOPER_ID_APPLICATION_B64 }} | |
CERTIFICATE_DEVELOPER_ID_APPLICATION_PRIVATE_KEY_B64: ${{ secrets.CERTIFICATE_DEVELOPER_ID_APPLICATION_PRIVATE_KEY_B64 }} | |
CERTIFICATE_DEVELOPER_ID_INSTALLER_B64: ${{ vars.CERTIFICATE_DEVELOPER_ID_INSTALLER_B64 }} | |
CERTIFICATE_DEVELOPER_ID_INSTALLER_PRIVATE_KEY_B64: ${{ secrets.CERTIFICATE_DEVELOPER_ID_INSTALLER_PRIVATE_KEY_B64 }} | |
run: | | |
security create-keychain -p password build.keychain | |
security default-keychain -s build.keychain | |
security unlock-keychain -p password build.keychain | |
security set-keychain-settings build.keychain | |
for CERTIFICATE in \ | |
$CERTIFICATE_DISTRIBUTION_B64 \ | |
$CERTIFICATE_MAC_INSTALLER_B64 \ | |
$CERTIFICATE_DEVELOPER_ID_APPLICATION_B64 \ | |
$CERTIFICATE_DEVELOPER_ID_INSTALLER_B64; \ | |
do | |
echo $CERTIFICATE | base64 --decode > /tmp/certificate.cer | |
security import /tmp/certificate.cer -k build.keychain -P '' -T /usr/bin/codesign -T /usr/bin/productsign | |
done | |
for KEY in \ | |
$CERTIFICATE_DISTRIBUTION_PRIVATE_KEY_B64 \ | |
$CERTIFICATE_MAC_INSTALLER_PRIVATE_KEY_B64 \ | |
$CERTIFICATE_DEVELOPER_ID_APPLICATION_PRIVATE_KEY_B64 \ | |
$CERTIFICATE_DEVELOPER_ID_INSTALLER_PRIVATE_KEY_B64; \ | |
do | |
echo $KEY | base64 --decode > /tmp/key.p12 | |
security import /tmp/key.p12 -k build.keychain -P '' -T /usr/bin/codesign -T /usr/bin/productsign | |
done | |
security set-key-partition-list -S apple-tool:,apple: -s -k password build.keychain | |
- name: Set up App Store Connect authentication | |
env: | |
APP_STORE_CONNECT_PRIVATE_KEY_B64: ${{ secrets.APP_STORE_CONNECT_PRIVATE_KEY_B64 }} | |
run: echo $APP_STORE_CONNECT_PRIVATE_KEY_B64 | base64 --decode > /tmp/connect-key.p8 | |
- name: Select Xcode version | |
run: sudo xcode-select -s /Applications/Xcode_$(cat .xcode-version).app/Contents/Developer | |
- name: Prepare files | |
if: ${{ matrix.distribution == 'app-store' }} | |
env: | |
SENTRY_DSN: ${{ matrix.platform == 'iOS' && secrets.SENTRY_DSN_IOS || secrets.SENTRY_DSN_MACOS }} | |
SENTRY_ORG: ${{ vars.SENTRY_ORG }} | |
SENTRY_PROJECT: ${{ matrix.platform == 'iOS' && vars.SENTRY_PROJECT_IOS || vars.SENTRY_PROJECT_MACOS }} | |
SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }} | |
run: make | |
- name: Prepare files | |
if: ${{ matrix.distribution == 'standalone' }} | |
run: make | |
- name: Set up Sentry | |
if: ${{ matrix.distribution == 'app-store' }} | |
run: curl -sL https://sentry.io/get-cli/ | sh | |
- name: Build app | |
env: | |
CODE_SIGN_IDENTITY: Apple Distribution | |
PROVISIONING_PROFILE_SPECIFIER: Fyreplace | |
run: | | |
if [ '${{ matrix.distribution }}' = 'standalone' ] | |
then | |
CODE_SIGN_IDENTITY="Developer ID Application" | |
PROVISIONING_PROFILE_SPECIFIER=Fyreplace.macOS.standalone | |
elif [ '${{ matrix.platform }}' = 'macOS' ] | |
then | |
PROVISIONING_PROFILE_SPECIFIER=Fyreplace.macOS | |
fi | |
xcodebuild archive \ | |
DEVELOPMENT_TEAM=${{ vars.TEAM_ID }} \ | |
CODE_SIGN_IDENTITY="$CODE_SIGN_IDENTITY" \ | |
PROVISIONING_PROFILE_SPECIFIER="$PROVISIONING_PROFILE_SPECIFIER" \ | |
-allowProvisioningUpdates \ | |
-authenticationKeyPath /tmp/connect-key.p8 \ | |
-authenticationKeyID ${{ vars.APP_STORE_CONNECT_KEY_ID }} \ | |
-authenticationKeyIssuerID ${{ vars.APP_STORE_CONNECT_ISSUER_ID }} \ | |
-scheme Fyreplace \ | |
-destination generic/platform=${{ matrix.platform }} \ | |
-archivePath archive.xcarchive | |
- name: Export to IPA | |
if: ${{ matrix.platform == 'iOS' }} | |
run: | | |
/usr/libexec/PlistBuddy -c "Add :method string" ExportOptions.plist | |
/usr/libexec/PlistBuddy -c "Set :method app-store-connect" ExportOptions.plist | |
/usr/libexec/PlistBuddy -c "Add :teamId string" ExportOptions.plist | |
/usr/libexec/PlistBuddy -c "Set :teamId ${{ vars.TEAM_ID }}" ExportOptions.plist | |
/usr/libexec/PlistBuddy -c "Add :provisioningProfiles dict" ExportOptions.plist | |
/usr/libexec/PlistBuddy -c "Add :provisioningProfiles:${{ vars.APP_ID }} string ${{ vars.PROVISIONING_PROFILE_NAME }}" ExportOptions.plist | |
xcodebuild export \ | |
-allowProvisioningUpdates \ | |
-authenticationKeyPath /tmp/connect-key.p8 \ | |
-authenticationKeyID ${{ vars.APP_STORE_CONNECT_KEY_ID }} \ | |
-authenticationKeyIssuerID ${{ vars.APP_STORE_CONNECT_ISSUER_ID }} \ | |
-archivePath archive.xcarchive \ | |
-exportArchive \ | |
-exportOptionsPlist ExportOptions.plist \ | |
-exportPath Export | |
- name: Export to PKG | |
if: ${{ matrix.platform == 'macOS' }} | |
env: | |
SIGNING_CERTIFICATE: ${{ matrix.distribution == 'app-store' && '3rd Party Mac Developer Installer' || 'Developer ID Installer' }} | |
run: | | |
mkdir Export | |
productbuild \ | |
--component archive.xcarchive/Products/Applications/Fyreplace.app \ | |
/Applications \ | |
Export/Fyreplace.unsigned.pkg | |
productsign \ | |
--sign "$SIGNING_CERTIFICATE" \ | |
Export/Fyreplace.unsigned.pkg \ | |
Export/Fyreplace.pkg | |
- name: Notorize PKG | |
if: ${{ matrix.distribution == 'standalone' }} | |
env: | |
APP_STORE_CONNECT_PRIVATE_KEY_B64: ${{ secrets.APP_STORE_CONNECT_PRIVATE_KEY_B64 }} | |
run: | | |
echo $APP_STORE_CONNECT_PRIVATE_KEY_B64 | base64 --decode > /tmp/connect-key.p8 | |
xcrun notarytool \ | |
submit \ | |
--wait \ | |
--key /tmp/connect-key.p8 \ | |
--key-id ${{ vars.APP_STORE_CONNECT_KEY_ID }} \ | |
--issuer ${{ vars.APP_STORE_CONNECT_ISSUER_ID }} \ | |
Export/Fyreplace.pkg | |
xcrun stapler staple Export/Fyreplace.pkg | |
- name: Upload IPA | |
uses: actions/upload-artifact@v4 | |
if: ${{ matrix.platform == 'iOS' }} | |
with: | |
name: Fyreplace.ipa | |
path: Export/*.ipa | |
if-no-files-found: error | |
- name: Upload PKG | |
uses: actions/upload-artifact@v4 | |
if: ${{ matrix.platform == 'macOS' }} | |
with: | |
name: ${{ matrix.distribution == 'standalone' && 'Fyreplace.standalone.pkg' || 'Fyreplace.pkg' }} | |
path: Export/*.pkg | |
if-no-files-found: error | |
publish: | |
name: Publish | |
needs: build | |
runs-on: macos-latest | |
environment: apple-app-store | |
strategy: | |
matrix: | |
platform: | |
- ios | |
- osx | |
steps: | |
- name: Download IPA | |
uses: actions/download-artifact@v4 | |
if: ${{ matrix.platform == 'ios' }} | |
with: | |
name: Fyreplace.ipa | |
path: /tmp | |
- name: Download PKG | |
uses: actions/download-artifact@v4 | |
if: ${{ matrix.platform == 'osx' }} | |
with: | |
name: Fyreplace.pkg | |
path: /tmp | |
- name: Set up App Store Connect authentication | |
env: | |
APP_STORE_CONNECT_PRIVATE_KEY_B64: ${{ secrets.APP_STORE_CONNECT_PRIVATE_KEY_B64 }} | |
run: | | |
mkdir ~/private_keys | |
echo $APP_STORE_CONNECT_PRIVATE_KEY_B64 | base64 --decode > ~/private_keys/AuthKey_${{ vars.APP_STORE_CONNECT_KEY_ID }}.p8 | |
- name: Upload to App Store Connect | |
run: | | |
for OPERATION in '--validate-app' '--upload-app' | |
do | |
xcrun altool \ | |
$OPERATION \ | |
--type ${{ matrix.platform }} \ | |
--file /tmp/Fyreplace.* \ | |
--apiKey ${{ vars.APP_STORE_CONNECT_KEY_ID }} \ | |
--apiIssuer ${{ vars.APP_STORE_CONNECT_ISSUER_ID }} | |
done |