Skip to content
Build Sign Notarize and Release Cleepp

Build Sign Notarize and Release Cleepp #25

Sign in to view logs

Build Sign Notarize and Release Cleepp

Build Sign Notarize and Release Cleepp #25

Workflow file for this run

.github/workflows/xcodebuild-nonappstore.yml at e2487e4
name: Build Sign Notarize and Release Cleepp
on:
push:
branches:
- forkmain
paths-ignore:
- '.github/**'
workflow_dispatch:
branches:
- forkmain
inputs:
buildRelease:
description: 'Also draft a release?'
required: false
type: boolean
jobs:
build:
name: Build and analyse default scheme using xcodebuild command
runs-on: macos-14
steps:
- name: Checkout
uses: actions/checkout@v3
- name: Set Default Scheme
run: |
default=Cleepp
echo $default | cat >default
echo Using scheme: $default
- name: Build
# requires "runs-on: macos-14" above to use Xcode 15, "macos-latest" is actually older and uses Xcode 14
env:
scheme: ${{ 'default' }}
run: |
if [ $scheme = default ]; then scheme=$(cat default); fi
if [ "`ls -A | grep -i \\.xcworkspace\$`" ]; then filetype_parameter="workspace" && file_to_build="`ls -A | grep -i \\.xcworkspace\$`"; else filetype_parameter="project" && file_to_build="`ls -A | grep -i \\.xcodeproj\$`"; fi
file_to_build=`echo $file_to_build | awk '{$1=$1;print}'`
xcodebuild clean build analyze -scheme "$scheme" -configuration Release -"$filetype_parameter" "$file_to_build" -derivedDataPath . | xcpretty && exit ${PIPESTATUS[0]}
- name: "Codesign app bundle"
# Extract the secrets we defined earlier as environment variables
env:
MACOS_CERTIFICATE: ${{ secrets.PROD_MACOS_CERTIFICATE }}
MACOS_CERTIFICATE_PWD: ${{ secrets.PROD_MACOS_CERTIFICATE_PWD }}
MACOS_CERTIFICATE_NAME: ${{ secrets.PROD_MACOS_CERTIFICATE_NAME }}
MACOS_CI_KEYCHAIN_PWD: ${{ secrets.PROD_MACOS_CI_KEYCHAIN_PWD }}
run: |
echo "Codesigning"
test -d Build/Products/Release/Cleepp.app || exit 1
ls -ald Build/Products/Release/*.app
exit 0 # !!! until the above env vars are correctly defined
# Turn our base64-encoded certificate back to a regular .p12 file
echo $MACOS_CERTIFICATE | base64 --decode > certificate.p12
# We need to create a new keychain, otherwise using the certificate will prompt
# with a UI dialog asking for the certificate password, which we can't
# use in a headless CI environment
security create-keychain -p "$MACOS_CI_KEYCHAIN_PWD" build.keychain
security default-keychain -s build.keychain
security unlock-keychain -p "$MACOS_CI_KEYCHAIN_PWD" build.keychain
security import certificate.p12 -k build.keychain -P "$MACOS_CERTIFICATE_PWD" -T /usr/bin/codesign
security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$MACOS_CI_KEYCHAIN_PWD" build.keychain
# We finally codesign our app bundle, specifying the Hardened runtime option
/usr/bin/codesign --force -s "$MACOS_CERTIFICATE_NAME" --options runtime Build/Products/Release/Cleepp.app -v
- name: "Notarize app bundle"
# Extract the secrets we defined earlier as environment variables
env:
PROD_MACOS_NOTARIZATION_APPLE_ID: ${{ secrets.PROD_MACOS_NOTARIZATION_APPLE_ID }}
PROD_MACOS_NOTARIZATION_TEAM_ID: ${{ secrets.PROD_MACOS_NOTARIZATION_TEAM_ID }}
PROD_MACOS_NOTARIZATION_PWD: ${{ secrets.PROD_MACOS_NOTARIZATION_PWD }}
run: |
echo "Notarizing"
test -d Build/Products/Release/Cleepp.app || exit 1
exit 0 # !!! until the above env vars are correctly defined
# Store the notarization credentials so that we can prevent a UI password dialog
# from blocking the CI
echo "Create keychain profile"
xcrun notarytool store-credentials "notarytool-profile" --apple-id "$PROD_MACOS_NOTARIZATION_APPLE_ID" --team-id "$PROD_MACOS_NOTARIZATION_TEAM_ID" --password "$PROD_MACOS_NOTARIZATION_PWD"
# We can't notarize an app bundle directly, but we need to compress it as an archive.
# Therefore, we create a zip file containing our app bundle, so that we can send it to the
# notarization service
echo "Creating temp notarization archive"
ditto -c -k --keepParent "target/mac/Cleepp.app" "notarization.zip"
# Here we send the notarization request to the Apple's Notarization service, waiting for the result.
# This typically takes a few seconds inside a CI environment, but it might take more depending on the App
# characteristics. Visit the Notarization docs for more information and strategies on how to optimize it if
# you're curious
echo "Notarize app"
xcrun notarytool submit "notarization.zip" --keychain-profile "notarytool-profile" --wait
# Finally, we need to "attach the staple" to our executable, which will allow our app to be
# validated by macOS even when an internet connection is not available.
echo "Attach staple"
xcrun stapler staple "Build/Products/Release/Cleepp.app"
- name: Extract Version Number
run: |
echo "Fetching Version"
test -d Build/Products/Release/Cleepp.app || exit 1
test -f Build/Products/Release/Cleepp.app/Contents/Info.plist || exit 2
echo "version=$(/usr/libexec/PlistBuddy -c 'Print :CFBundleShortVersionString' Build/Products/Release/Cleepp.app/Contents/Info.plist)" >> $GITHUB_OUTPUT
id: version
- name: Build Zip File
if: startsWith(github.ref, 'refs/tags/') || fromJSON(inputs.buildRelease)
run: |
echo "Making Archive Directory"
test -d Build/Products/Release/Cleepp.app || exit 1
ARCHIVEDIR=Build/Products/Release/Cleepp\ ${{ steps.version.outputs.version }}
mkdir "$ARCHIVEDIR"
cp Designs/Cleepp/Cleepp\ download\ read\ me.rtf "$ARCHIVEDIR"/Cleepp\ version\ ${{ steps.version.outputs.version }}\ read\ me.rtf
mv Build/Products/Release/Cleepp.app "$ARCHIVEDIR"
echo "Building .zip"
ditto -c -k --sequesterRsrc --keepParent "$ARCHIVEDIR" "${ARCHIVEDIR}.zip"
- name: Draft Release
if: startsWith(github.ref, 'refs/tags/') || fromJSON(inputs.buildRelease)
uses: softprops/action-gh-release@v2
with:
name: "Cleepp ${{ steps.version.outputs.version }}"
draft: true
prerelease: true
files: Build/Products/Release/Cleepp*.zip
fail_on_unmatched_files: true