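name: Release

# Build, sign, notarize and publish the macOS app whenever a version tag
# (v1.2.3, v1.2.3-beta, v1.2.3-alpha) is pushed.
on:  # yamllint disable-line rule:truthy
  push:
    tags:
      - 'v[0-9]+.[0-9]+.[0-9]+'
      - 'v[0-9]+.[0-9]+.[0-9]+-beta'
      - 'v[0-9]+.[0-9]+.[0-9]+-alpha'

# Least privilege for GITHUB_TOKEN: creating the release and uploading its
# asset only needs write access to repository contents. Without an explicit
# block the token receives the repository's default scope, which may be
# write-all.
permissions:
  contents: write

jobs:
  release:
    name: Xcode Build (Release)
    runs-on: macos-13
    defaults:
      run:
        # An explicit `bash` shell runs `run:` scripts with `-eo pipefail`;
        # the implicit default only sets `-e`. This matters for the
        # `notarytool submit | awk` pipeline below, whose failure would
        # otherwise be hidden behind awk's exit status.
        shell: bash
    steps:
      - name: Select Xcode Version
        run: sudo xcrun xcode-select -s /Applications/Xcode_14.3.app

      # All paths used by later steps are derived here once. Secrets material
      # (certificate, notarization key, keychain) lives under RUNNER_TEMP so it
      # never ends up inside the checkout, the archive or the uploaded zip.
      - name: Set Environment Variables
        run: |
          APP_NAME="BeezyLight"
          echo "APP_NAME=${APP_NAME}" >> "$GITHUB_ENV"
          echo "XCARCHIVE_PATH=${PWD}/${APP_NAME}.xcarchive" >> "$GITHUB_ENV"
          echo "APP_PATH=${PWD}/${APP_NAME}.xcarchive/Products/Applications/${APP_NAME}.app" >> "$GITHUB_ENV"
          echo "ZIP_PATH=${RUNNER_TEMP}/${APP_NAME}.zip" >> "$GITHUB_ENV"
          echo "BUILD_CERTIFICATE_PATH=${RUNNER_TEMP}/build_certificate.p12" >> "$GITHUB_ENV"
          echo "NOTARIZATION_KEY_PATH=${RUNNER_TEMP}/notarization_key.p8" >> "$GITHUB_ENV"
          echo "KEYCHAIN_PATH=${RUNNER_TEMP}/app-signing.keychain-db" >> "$GITHUB_ENV"

      - name: Checkout repository
        # TODO(review): pin every third-party action to a full commit SHA
        # (`uses: owner/repo@<sha>  # vN`) instead of a mutable tag, so a
        # compromised or force-moved tag cannot change what signs this release.
        uses: actions/checkout@v3
        with:
          # Nothing in this job pushes over git; the release steps talk to the
          # API with GITHUB_TOKEN from `env:`, so do not persist the token in
          # .git/config where any later step or tool could read it.
          persist-credentials: false

      # Secrets are passed through `env:` rather than interpolated with
      # `${{ }}` into the script text, so their value can never be parsed as
      # shell syntax and is masked consistently in logs.
      - name: Generate Release Config
        env:
          PRODUCT_BUNDLE_IDENTIFIER: ${{ secrets.PRODUCT_BUNDLE_IDENTIFIER }}
          XCODE_DEVELOPMENT_TEAM: ${{ secrets.XCODE_DEVELOPMENT_TEAM }}
        run: ./Scripts/generate-release-config "$PRODUCT_BUNDLE_IDENTIFIER" "${GITHUB_REF_NAME#v}" "$GITHUB_RUN_NUMBER" "$XCODE_DEVELOPMENT_TEAM"

      - name: Install Developer ID Certificate
        env:
          BUILD_CERTIFICATE_BASE64: ${{ secrets.BUILD_CERTIFICATE_BASE64 }}
          P12_PASSWORD: ${{ secrets.P12_PASSWORD }}
          KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }}
        run: |
          # Files created in this step (the .p12 and the keychain) are owner-only.
          umask 077
          # import build certificate from secrets
          echo -n "$BUILD_CERTIFICATE_BASE64" | base64 --decode --output="$BUILD_CERTIFICATE_PATH"
          # create temporary keychain; it auto-locks after 6h (-lut 21600) and
          # is deleted in the final step regardless of outcome
          security create-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
          security set-keychain-settings -lut 21600 "$KEYCHAIN_PATH"
          security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
          # import certificate to keychain. `-A` lets any application use the
          # private key without a prompt; acceptable only because the runner
          # and keychain are ephemeral. A tighter form is `-T /usr/bin/codesign`.
          # NOTE(review): GitHub's documented recipe also runs
          # `security set-key-partition-list -S apple-tool:,apple: -k "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"`
          # after the import; add it if codesign ever prompts or hangs.
          security import "$BUILD_CERTIFICATE_PATH" -P "$P12_PASSWORD" -A -t cert -f pkcs12 -k "$KEYCHAIN_PATH"
          # make the temporary keychain the only one in the user search list
          security list-keychain -d user -s "$KEYCHAIN_PATH"
          # the decoded .p12 is no longer needed once it is in the keychain
          rm "$BUILD_CERTIFICATE_PATH"

      - name: Run xcode-build Script
        run: ./Scripts/xcode-build release "$XCARCHIVE_PATH"

      - name: Notarize App
        env:
          NOTARIZATION_KEY_BASE64: ${{ secrets.NOTARIZATION_KEY_BASE64 }}
          NOTARIZATION_KEY_ID: ${{ secrets.NOTARIZATION_KEY_ID }}
          NOTARIZATION_KEY_ISSUER: ${{ secrets.NOTARIZATION_KEY_ISSUER }}
        run: |
          umask 077
          # Save Notarization Credentials to Keychain
          echo -n "$NOTARIZATION_KEY_BASE64" | base64 --decode --output="$NOTARIZATION_KEY_PATH"
          xcrun notarytool store-credentials "AppNotarization" \
            -k "$NOTARIZATION_KEY_PATH" \
            -d "$NOTARIZATION_KEY_ID" \
            -i "$NOTARIZATION_KEY_ISSUER" \
            --keychain "$KEYCHAIN_PATH"
          # create temporary .zip for notarization purposes
          ditto -c -k --sequesterRsrc --keepParent "$APP_PATH" "$ZIP_PATH"
          # notarize the app and log the result to stdout
          SUBMISSION_ID="$(xcrun notarytool submit "$ZIP_PATH" --keychain-profile "AppNotarization" | awk '$1 ~ /^id:$/ { id=$2 } END { print id }')"
          # Fail loudly if the id could not be parsed instead of calling
          # `notarytool wait ""` with a misleading error further down.
          if [ -z "$SUBMISSION_ID" ]; then
            echo "::error::notarytool submit did not return a submission id"
            exit 1
          fi
          xcrun notarytool wait "$SUBMISSION_ID" --keychain-profile "AppNotarization"
          xcrun notarytool log "$SUBMISSION_ID" --keychain-profile "AppNotarization"
          # staple .app bundle with the notarization ticket
          xcrun stapler staple -vvv "$APP_PATH"
          rm "$ZIP_PATH" "$NOTARIZATION_KEY_PATH"

      # Independent re-verification of what will be shipped: the stapled
      # ticket, the code signature, and Gatekeeper's verdict.
      - name: Validate .app bundle
        run: |
          xcrun stapler validate -vvv "$APP_PATH"
          codesign --verify --deep --strict --verbose=1 "$APP_PATH"
          spctl --assess --verbose --type open --type exec "$APP_PATH"

      - name: Compress .app bundle
        run: ditto -c -k --sequesterRsrc --keepParent "$APP_PATH" "$ZIP_PATH"

      - name: Upload App to Artifacts
        uses: actions/upload-artifact@v3
        with:
          name: ${{ env.APP_NAME }}
          path: ${{ env.ZIP_PATH }}
          if-no-files-found: error

      - name: Upload Archive to Artifacts
        uses: actions/upload-artifact@v3
        with:
          name: ${{ env.APP_NAME }}.xcarchive
          path: ${{ env.XCARCHIVE_PATH }}
          if-no-files-found: error

      # Informational only: prints any files the build left modified in the
      # checkout. It does not fail the job.
      - name: Check Git Status
        run: git status --porcelain

      # The release is created as a draft and only published after the asset
      # is attached, so users never see a release without its download.
      # NOTE(review): actions/create-release appears to be archived upstream;
      # `gh release create --draft` is the maintained equivalent.
      - name: Create Release
        id: create_release
        uses: actions/create-release@v1
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          tag_name: ${{ github.ref_name }}
          release_name: ${{ github.ref_name }}
          draft: true
          # NOTE(review): -alpha/-beta tags are accepted by the trigger above but
          # published as full releases; consider
          # `prerelease: ${{ contains(github.ref_name, '-') }}`.
          prerelease: false

      - name: Upload Release Asset
        uses: actions/upload-release-asset@v1
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          upload_url: ${{ steps.create_release.outputs.upload_url }}
          asset_path: ${{ env.ZIP_PATH }}
          asset_name: ${{ env.APP_NAME }}.zip
          asset_content_type: application/zip

      # NOTE(review): `hub` is no longer maintained; `gh release edit --draft=false`
      # performs the same publish step with the preinstalled GitHub CLI.
      - name: Publish Release
        run: hub release edit --draft=false -m '' "${GITHUB_REF_NAME}"
        env:
          GITHUB_REPOSITORY: ${{ github.repository }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

      # Runs even when an earlier step failed so signing material never
      # outlives the job. Each removal is guarded: if the job died before the
      # keychain or key files existed, this step must not mask the real error.
      - name: Delete keychain
        if: ${{ always() }}
        run: |
          if [ -n "${KEYCHAIN_PATH:-}" ] && [ -f "$KEYCHAIN_PATH" ]; then
            security delete-keychain "$KEYCHAIN_PATH"
          fi
          for f in "${BUILD_CERTIFICATE_PATH:-}" "${NOTARIZATION_KEY_PATH:-}" "${KEYCHAIN_PATH:-}"; do
            if [ -n "$f" ]; then
              rm -f "$f"
            fi
          done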