Skip to content
Build Sign Notarize and Release Cleepp

Build Sign Notarize and Release Cleepp #32

Sign in to view logs

Build Sign Notarize and Release Cleepp

Build Sign Notarize and Release Cleepp #32

Workflow file for this run

.github/workflows/xcodebuild-nonappstore.yml at 03f4312
name: Build Sign Notarize and Release Cleepp
on:
push:
branches:
- forkmain
paths-ignore:
- '.github/**'
workflow_dispatch:
branches:
- forkmain
inputs:
buildRelease:
description: 'Also draft a release?'
required: false
type: boolean
jobs:
build:
name: Non-AppStore Cleep Build, Conditionally Release
runs-on: macos-14
steps:
- name: Checkout
uses: actions/checkout@v3
- name: Build
# requires "runs-on: macos-14" above to use Xcode 15, "macos-latest" is actually older and uses Xcode 14
run: |
xcodebuild clean build analyze -scheme Cleepp -configuration Release -project Maccy.xcodeproj -derivedDataPath . | xcpretty && exit ${PIPESTATUS[0]}
- name: "Codesign app bundle"
# Extract the secrets we defined earlier as environment variables
env:
MACOS_CERTIFICATE: ${{ secrets.PROD_MACOS_CERTIFICATE }}
MACOS_CERTIFICATE_PWD: ${{ secrets.PROD_MACOS_CERTIFICATE_PWD }}
MACOS_CERTIFICATE_NAME: ${{ secrets.PROD_MACOS_CERTIFICATE_NAME }}
MACOS_CI_KEYCHAIN_PWD: ${{ secrets.PROD_MACOS_CI_KEYCHAIN_PWD }}
run: |
echo "Codesigning"
test -d Build/Products/Release/Cleepp.app || exit 1
ls -ald Build/Products/Release/*.app
exit 0 # !!! until the above env vars are correctly defined
# Turn our base64-encoded certificate back to a regular .p12 file
echo $MACOS_CERTIFICATE | base64 --decode > certificate.p12
# We need to create a new keychain, otherwise using the certificate will prompt
# with a UI dialog asking for the certificate password, which we can't
# use in a headless CI environment
security create-keychain -p "$MACOS_CI_KEYCHAIN_PWD" build.keychain
security default-keychain -s build.keychain
security unlock-keychain -p "$MACOS_CI_KEYCHAIN_PWD" build.keychain
security import certificate.p12 -k build.keychain -P "$MACOS_CERTIFICATE_PWD" -T /usr/bin/codesign
security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$MACOS_CI_KEYCHAIN_PWD" build.keychain
# We finally codesign our app bundle, specifying the Hardened runtime option
/usr/bin/codesign --force -s "$MACOS_CERTIFICATE_NAME" --options runtime Build/Products/Release/Cleepp.app -v
- name: "Notarize app bundle"
# Extract the secrets we defined earlier as environment variables
env:
PROD_MACOS_NOTARIZATION_APPLE_ID: ${{ secrets.PROD_MACOS_NOTARIZATION_APPLE_ID }}
PROD_MACOS_NOTARIZATION_TEAM_ID: ${{ secrets.PROD_MACOS_NOTARIZATION_TEAM_ID }}
PROD_MACOS_NOTARIZATION_PWD: ${{ secrets.PROD_MACOS_NOTARIZATION_PWD }}
run: |
echo "Notarizing"
test -d Build/Products/Release/Cleepp.app || exit 1
exit 0 # !!! until the above env vars are correctly defined
# Store the notarization credentials so that we can prevent a UI password dialog
# from blocking the CI
echo "Create keychain profile"
xcrun notarytool store-credentials "notarytool-profile" --apple-id "$PROD_MACOS_NOTARIZATION_APPLE_ID" --team-id "$PROD_MACOS_NOTARIZATION_TEAM_ID" --password "$PROD_MACOS_NOTARIZATION_PWD"
# We can't notarize an app bundle directly, but we need to compress it as an archive.
# Therefore, we create a zip file containing our app bundle, so that we can send it to the
# notarization service
echo "Creating temp notarization archive"
ditto -c -k --keepParent "target/mac/Cleepp.app" "notarization.zip"
# Here we send the notarization request to the Apple's Notarization service, waiting for the result.
# This typically takes a few seconds inside a CI environment, but it might take more depending on the App
# characteristics. Visit the Notarization docs for more information and strategies on how to optimize it if
# you're curious
echo "Notarize app"
xcrun notarytool submit "notarization.zip" --keychain-profile "notarytool-profile" --wait
# Finally, we need to "attach the staple" to our executable, which will allow our app to be
# validated by macOS even when an internet connection is not available.
echo "Attach staple"
xcrun stapler staple "Build/Products/Release/Cleepp.app"
- name: Extract Version Number
run: |
echo "Fetching Version"
test -d Build/Products/Release/Cleepp.app || exit 1
test -f Build/Products/Release/Cleepp.app/Contents/Info.plist || exit 2
VERSION=$(/usr/libexec/PlistBuddy -c 'Print :CFBundleShortVersionString' Build/Products/Release/Cleepp.app/Contents/Info.plist)
echo "$VERSION"
echo "version=$VERSION" >> $GITHUB_OUTPUT
echo "to debug conditional release steps that follow:"
echo "github.ref: $github.ref"
echo "inputs.buildRelease: ${{ inputs.buildRelease }}"
id: version
- name: Build Zip File
if: startsWith(github.ref, 'refs/tags/') || ("${{ inputs.buildRelease != '' }}" && fromJSON(inputs.buildRelease))
run: |
echo "Making Archive Directory"
test -d Build/Products/Release/Cleepp.app || exit 1
ARCHIVEDIR=Build/Products/Release/Cleepp\ ${{ steps.version.outputs.version }}
mkdir "$ARCHIVEDIR"
cp Designs/Cleepp/Cleepp\ download\ read\ me.rtf "$ARCHIVEDIR"/Cleepp\ version\ ${{ steps.version.outputs.version }}\ read\ me.rtf
mv Build/Products/Release/Cleepp.app "$ARCHIVEDIR"
echo "Building ${ARCHIVEDIR}.zip"
ditto -c -k --sequesterRsrc --keepParent "$ARCHIVEDIR" "${ARCHIVEDIR}.zip"
- name: Draft Release
if: startsWith(github.ref, 'refs/tags/') || ("${{ inputs.buildRelease != '' }}" && fromJSON(inputs.buildRelease))
uses: softprops/action-gh-release@v2
with:
name: "Cleepp ${{ steps.version.outputs.version }}"
tag_name: "v${{ steps.version.outputs.version }}"
draft: true
prerelease: true
files: Build/Products/Release/Cleepp*.zip
fail_on_unmatched_files: true