forked from p0deje/Maccy
-
Notifications
You must be signed in to change notification settings - Fork 0
489 lines (428 loc) · 22.2 KB
/
build+release.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
name: Draft Cleepp Release
on:
create:
workflow_dispatch:
branches:
- forkmain
inputs:
releaseVersion:
description: "Version to title release with (like: 1.0rc3), blank for project's version"
type: string
required: false
isPrerelease:
description: "Prerelease"
type: boolean
required: true
default: true
updateAppcast:
description: "Update Sparkle Appcast"
type: boolean
required: true
default: true
env:
isPrereleaseDefault: true
updateAppcastDefault: true
projectfile: Maccy.xcodeproj
buildscheme: Cleepp
productname: "Batch Clipboard"
bundlename: "Batch Clipboard.app"
builddir: Build/Products/Release
jobs:
build:
name: Build Cleepp Non-AppStore Variant and Draft Release
runs-on: macos-15
steps:
- name: Checkout
uses: actions/checkout@v4
with:
fetch-depth: 0 # required for 'git show-ref --tags' to work
- name: Patch Xcode 15.3
uses: jpmhouston/patch-package-resolved@v1
# this fixes a mysterious build failure
# xcodebuild: error: Could not resolve package dependencies:
# Package.resolved file is corrupted or malformed; fix or delete the file
# to continue: unknown 'PinsStorage' version '3'
# should probably remove this when upgrading the "runs-on" platform
- name: Install tools
# pandoc is used by sparkle step and by one of the xcode project's build rules
# create-dmg is to define dmg entirely from script below instead of using a tempplate
run: |
:
brew update
brew install pandoc create-dmg coreutils
- name: Validate
id: version
run: |
:
echo "- Extract version from project"
version=$(xcodebuild -scheme "${{ env.buildscheme }}" -configuration Release \
-project "${{ env.projectfile }}" -showBuildSettings \
| sed -nr 's/^.*MARKETING_VERSION = (.*)$/\1/p') 2>/dev/null
if [[ -z $version ]] ; then
echo "::error::Unable to determine a version number for the current state of the xcode project"
exit 1
fi
echo "- Check script inputs"
if [[ -z "${{ inputs.releaseVersion }}" || $version == "${{ inputs.releaseVersion }}" ]] ; then
echo "- Build version is $version"
else
echo "- Build version is $version but overriding with ${{ inputs.releaseVersion }} for release & file names"
version="${{ inputs.releaseVersion }}"
fi
releaseName="${{ env.productname }} $version"
releaseNameNoSpaces="${{ env.productname }}.$version"
if [[ -z "${{ inputs.isPrerelease }}" ]] ; then
echo "- Use default value for isPrerelease: ${{ env.isPrereleaseDefault }}"
isPrerelease=${{ env.isPrereleaseDefault }}
else
echo "- Use supplied value for isPrerelease: ${{ inputs.isPrerelease }}"
isPrerelease=${{ inputs.isPrerelease }}
fi
if [[ -z "${{ inputs.updateAppcast }}" ]] ; then
echo "- Use default value for updateAppcast: ${{ env.updateAppcastDefault }}"
updateAppcast=${{ env.updateAppcastDefault }}
else
echo "- Use supplied value for updateAppcast: ${{ inputs.updateAppcast }}"
updateAppcast=${{ inputs.updateAppcast }}
fi
echo "- Parse trigger"
if [[ "${{ github.event_name }}" == workflow_dispatch ]] ; then
if git show-ref --tags --verify refs/tags/v$version --quiet ; then
tag="v$version"
echo "- Will build and draft release \"$releaseName\" with matching tag \"$tag\""
else
echo "- Will build and draft untagged release \"$releaseName\" because triggered manually and no tag \"v$version\" was found"
echo "::notice::Will skip notarizing and updating sparkle appcast"
fi
elif [[ "${{ github.ref }}" == refs/tags/* ]] ; then
ref="${{ github.ref }}"
tag="${ref:10}" # magic number 10 being the length of "refs/tags/", stripping that to leave just the tag name
echo "- Will build and draft release \"$releaseName\" because triggered by pushed tag \"$tag\""
else
echo "::error::Not triggered manually or by a tag (github.event_name == ${{ github.event_name }}, gihub.ref == ${{ github.ref }})"
exit 1
fi
echo "version=$version" >> $GITHUB_OUTPUT
echo "releaseName=$releaseName" >> $GITHUB_OUTPUT
echo "releaseArchivename=$releaseNameNoSpaces" >> $GITHUB_OUTPUT
echo "isPrerelease=$isPrerelease" >> $GITHUB_OUTPUT
echo "updateAppcast=$updateAppcast" >> $GITHUB_OUTPUT
if [[ -n $tag ]] ; then
echo "tag=$tag" >> $GITHUB_OUTPUT
fi
- name: Build
id: build
run: |
:
if ! command -v xcodebuild >/dev/null 2>&1 || ! command -v xcbeautify >/dev/null 2>&1 \
|| ! command -v plutil >/dev/null 2>&1
then
echo "::error::Required executables not found: xcodebuild, xcbeautify, plutil"
exit 1
fi
echo "- Build with xcodebuild from $(xcodebuild -version)"
# requires that env.projectfile is the name of the .xcodeproj, env.buildscheme is
# a valid build scheme, and and env.bundlename is name of the produced .app
# note: not sure why ONLY_ACTIVE_ARCH=NO is required for xcodebuild, it should
# already be NO for Release configuration
set -o pipefail && xcodebuild ONLY_ACTIVE_ARCH=NO clean build analyze \
-scheme "${{ env.buildscheme }}" -configuration Release \
-project "${{ env.projectfile }}" -derivedDataPath . | \
xcbeautify --renderer github-actions --preserve-unbeautified
echo "- Extract bundle version from app"
plutil -extract CFBundleVersion raw \
"Build/Products/Release/${{ env.bundlename }}/Contents/Info.plist"
bundleVersion=$(plutil -extract CFBundleVersion raw \
"Build/Products/Release/${{ env.bundlename }}/Contents/Info.plist" 2> /dev/null)
if [[ -z $bundleVersion && "${{ steps.version.outputs.updateAppcast }}" == "true" ]] ; then
echo "::error::Unable to find app's bundle version"
exit 1
elif [[ -z $bundleVersion ]] ; then
echo "::warning::Unable to find app's bundle version, workflows updating Sparkle appcast require this, but this one can continue"
fi
echo "version=$bundleVersion" >> $GITHUB_OUTPUT
- name: "Codesign app bundle"
if: success()
run: |
:
test -d "${{ env.builddir }}/${{ env.bundlename }}" || exit 1
if ! command -v xcrun >/dev/null 2>&1 || ! command -v security >/dev/null 2>&1 ; then
echo "::error::Required executables not found: xcrun, security"
exit 1
fi
if [[ -z "${{ secrets.PROD_MACOS_CERTIFICATE }}" ]] ; then
echo "::error::Secret PROD_MACOS_CERTIFICATE not defined"
exit 1
fi
if [[ -z "${{ secrets.PROD_MACOS_CI_KEYCHAIN_PWD }}" ]] ; then
echo "::error::Secret PROD_MACOS_CI_KEYCHAIN_PWD not defined"
exit 1
fi
if [[ -z "${{ secrets.PROD_MACOS_CERTIFICATE_PWD }}" ]] ; then
echo "::error::Secret PROD_MACOS_CERTIFICATE_PWD not defined"
exit 1
fi
if [[ -z "${{ secrets.PROD_MACOS_CERTIFICATE_NAME }}" ]] ; then
echo "::error::Secret PROD_MACOS_CERTIFICATE_NAME not defined"
exit 1
fi
# Turn our base64-encoded certificate back to a regular .p12 file
echo "- Base64-encode certificate to make \"certificate.p12\""
echo "${{ secrets.PROD_MACOS_CERTIFICATE }}" | base64 --decode > certificate.p12
# We need to create a new keychain, otherwise using the certificate will prompt
# with a UI dialog asking for the certificate password, which we can't
# use in a headless CI environment
echo "- Create unlocked keychain \"build.keychain\""
security create-keychain -p "${{ secrets.PROD_MACOS_CI_KEYCHAIN_PWD }}" build.keychain
security default-keychain -s build.keychain
security unlock-keychain -p "${{ secrets.PROD_MACOS_CI_KEYCHAIN_PWD }}" build.keychain
echo "- Import \"certificate.p12\" into \"build.keychain\""
security import certificate.p12 -k build.keychain \
-P "${{ secrets.PROD_MACOS_CERTIFICATE_PWD }}" -T /usr/bin/codesign
security set-key-partition-list -S apple-tool:,apple:,codesign: \
-s -k "${{ secrets.PROD_MACOS_CI_KEYCHAIN_PWD }}" build.keychain
# We finally codesign our app bundle, specifying the Hardened runtime option
echo "- Sign subcomponents..."
# this is thanks to https://stackoverflow.com/a/11284404/592739
subitems=""
frameworksdir="${{ env.builddir }}/${{ env.bundlename }}/Contents/Frameworks"
if [ -d "$frameworksdir" ] ; then
frameworksdirframeworks=$(find "$frameworksdir" -depth -type d \
-name "*.framework" -print0 | xargs -0 -I % grealpath %/Versions/Current)
frameworksdirother=$(find "$frameworksdir" -depth -type d \
-name "*.dylib" -or -name "*.bundle")
subitems="$frameworksdirframeworks"'\n'"$frameworksdirother"
fi
# potentially grab more subitems from other places within the .app here
#resourcesdir="${{ env.builddir }}/${{ env.bundlename }}/Contents/Resources"
#..use find as above..
#subitems="$subitems"'\n'"$resourcesdiritems"
# changing the Internal Field Separator (IFS) makes spaces in paths not cause problems below
savedIFS=$IFS
IFS=$(echo -en "\n\b")
for subitem in $subitems; do
xcrun codesign --force -s "${{ secrets.PROD_MACOS_CERTIFICATE_NAME }}" \
--options runtime "$subitem" -v
done
IFS=$savedIFS
echo "- Sign app"
xcrun codesign --force -s "${{ secrets.PROD_MACOS_CERTIFICATE_NAME }}" \
--options runtime "${{ env.builddir }}/${{ env.bundlename }}" -v
- name: "Notarize app bundle"
if: success()
run: |
:
test -d "${{ env.builddir }}/${{ env.bundlename }}" || exit 1
if [[ -z "${{ secrets.PROD_MACOS_NOTARIZATION_APPLE_ID }}" ]] ; then
echo "::error::Secret PROD_MACOS_NOTARIZATION_APPLE_ID not defined"
exit 1
fi
if [[ -z "${{ secrets.PROD_MACOS_NOTARIZATION_TEAM_ID }}" ]] ; then
echo "::error::Secret PROD_MACOS_NOTARIZATION_TEAM_ID not defined"
exit 1
fi
if [[ -z "${{ secrets.PROD_MACOS_NOTARIZATION_PWD }}" ]] ; then
echo "::error::Secret PROD_MACOS_NOTARIZATION_PWD not defined"
exit 1
fi
# Store the notarization credentials so that we can prevent a UI password dialog
# from blocking the CI
echo "- Create keychain profile"
xcrun notarytool store-credentials "notarytool-profile" \
--apple-id "${{ secrets.PROD_MACOS_NOTARIZATION_APPLE_ID }}" \
--team-id "${{ secrets.PROD_MACOS_NOTARIZATION_TEAM_ID }}" \
--password "${{ secrets.PROD_MACOS_NOTARIZATION_PWD }}"
# We can't notarize an app bundle directly, but we need to compress it as an archive.
# Therefore, we create a zip file containing our app bundle, so that we can send it to the
# notarization service
echo "- Create temp notarization archive"
ditto -c -k --keepParent "${{ env.builddir }}/${{ env.bundlename }}" "notarization.zip"
# Here we send the notarization request to the Apple's Notarization service, waiting for the result.
# This typically takes a few seconds inside a CI environment, but it might take more depending on the App
# characteristics. Visit the Notarization docs for more information and strategies on how to optimize it if
# you're curious
echo "- Notarize"
xcrun notarytool submit "notarization.zip" --keychain-profile "notarytool-profile" --wait \
2>&1 | tee notarytool-out.txt
if [ ${PIPESTATUS[0]} -ne 0 ] || grep -q Invalid notarytool-out.txt ; then
if sed -nr '/^[[:space:]]*id: (.*)$/{s//\1/p;q;}' notarytool-out.txt > notarytool-id.txt ; then
echo "- Extract notarytool failure log"
xcrun notarytool log "$(<notarytool-id.txt)" --keychain-profile "notarytool-profile"
fi
exit 1
fi
# Finally, we need to "attach the staple" to our executable, which will allow our app to be
# validated by macOS even when an internet connection is not available.
echo "- Attach staple"
xcrun stapler staple "${{ env.builddir }}/${{ env.bundlename }}"
- name: Build Zip File
id: zip
run: |
:
test -d "${{ env.builddir }}/${{ env.bundlename }}" || exit 1
archiveDir="${{ env.builddir }}/Sparkle"
archiveFileName="${{ steps.version.outputs.releaseArchivename }}.zip"
echo "- Compress built app to \"$(basename $archiveDir)/$archiveFileName\""
mkdir "$archiveDir"
ditto -c -k --sequesterRsrc --keepParent "${{ env.builddir }}/${{ env.bundlename }}" \
"$archiveDir/$archiveFileName"
echo "file=$archiveDir/$archiveFileName" >> $GITHUB_OUTPUT
echo "directory=$archiveDir" >> $GITHUB_OUTPUT
- name: Disk Image
id: dmg
run: |
:
test -d "${{ env.builddir }}/${{ env.bundlename }}" || exit 1
if ! command -v create-dmg >/dev/null 2>&1 ; then
echo "::warning::Required helper script not found: create-dmg. Skipping dmg creation"
# not sure if need to do `echo "file=whatever" >> $GITHUB_OUTPUT`
# to make release step work, or if empty/missing steps.dmg.output.file is ok
exit 0
fi
imageDir="${{ env.builddir }}/Image"
imageFileName="${{ steps.version.outputs.releaseArchivename }}.dmg"
readmeFilename="${{ env.productname }} version ${{ steps.version.outputs.version }} read me.rtf"
echo "- Copy built app to \"$(basename $imageDir)/${{ env.bundlename }}\""
mkdir "$imageDir"
ditto "${{ env.builddir }}/${{ env.bundlename }}" "$imageDir/${{ env.bundlename }}"
echo "- Copy readme file from source repo to \"$(basename $imageDir)/$readmeFilename\""
cp "Designs/Cleepp/Cleepp download read me.rtf" "$imageDir/$readmeFilename"
echo "- Build disk image \"${{ env.builddir }}/$imageFileName\""
create-dmg --hdiutil-quiet \
--volname "${{ steps.version.outputs.releaseName }}" \
--window-size 540 160 --icon-size 64 \
--icon "$readmeFilename" 40 60 \
--icon "${{ env.bundlename }}" 200 60 \
--app-drop-link 360 60 \
"${{ env.builddir }}/$imageFileName" "$imageDir"
# IMPORTANT: when notarize enabled above, enable this too
#echo "- Attach staple"
#xcrun stapler staple "${{ env.builddir }}/$imageFileName"
echo "file=${{ env.builddir }}/$imageFileName" >> $GITHUB_OUTPUT
- name: Release Notes
id: notes
run: |
:
echo "- Collect release notes"
changeLogFilename=CHANGELOG.md
currentNotesFilename="${{ steps.version.outputs.releaseName }}.md"
if [[ ! -f $changeLogFilename ]] ; then
echo "::warning::Release notes file is missing"
numlines=0
else
echo -n "" > "${{ env.builddir }}/$currentNotesFilename"
thisversion=''
prevversion=''
while read line || [[ -n $line ]] ; do
if [[ -z $thisversion ]]; then
thisversion=$(echo $line | sed -n -E 's/^#+ version ([0-9.dabrc]+) .*$/\1/p')
if [[ -n $thisversion && $thisversion != "${{ steps.version.outputs.version }}" ]] ; then
echo "::warning::Version $thisversion at the top of the release notes doesn't match build version ${{ steps.version.outputs.version }}"
break
fi
continue
fi
prevversion=$(echo $line | sed -n -E 's/^#+ version ([0-9.dabrc]+) .*$/\1/p')
if [[ -n $prevversion ]] ; then
break
fi
echo $line >> "${{ env.builddir }}/$currentNotesFilename"
done < "$changeLogFilename"
# sed command removes initial and trailing blank lines, don't ask me how it works
# from https://unix.stackexchange.com/a/552195
cat "${{ env.builddir }}/$currentNotesFilename" | sed -e '/./,$!d' -e :a -e '/^\n*$/{$d;N;ba' -e '}' \
| tee "${{ env.builddir }}/$currentNotesFilename" >/dev/null
numlines=$(wc -l "${{ env.builddir }}/$currentNotesFilename" | cut -w -f2)
fi
if [[ $numlines -gt 0 ]] ; then
echo "- Save $numlines lines of release notes to \"$currentNotesFilename\""
else
echo "- Save placeholder release notes to \"$currentNotesFilename\""
echo "Release notes unavailable at this time" > "${{ env.builddir }}/$currentNotesFilename"
fi
echo "file=${{ env.builddir }}/$currentNotesFilename" >> $GITHUB_OUTPUT
- name: Setup Sparkle
if: success() && steps.version.outputs.updateAppcast && steps.version.outputs.tag
uses: jozefizso/setup-sparkle@v1
with:
version: 2.6.0
- name: Generate Sparkle appcast.xml
id: sparkle
if: success() && steps.version.outputs.updateAppcast && steps.version.outputs.tag
run: |
:
echo "::add-mask::${{ secrets.SPARKLE_PRIVATE_KEY }}"
if [[ -z "${{ secrets.SPARKLE_PRIVATE_KEY }}" ]] ; then
echo "::warning::Secret SPARKLE_PRIVATE_KEY not defined. Skipping Sparkle step"
exit 0
fi
if ! command -v pandoc >/dev/null 2>&1 || ! command -v generate_appcast >/dev/null 2>&1 ; then
echo "::warning::Required executables not found: pandoc, generate_appcast. Skipping Sparkle step"
exit 0
fi
htmlNotesFilename="$(basename -s .zip "${{ steps.zip.outputs.file }}")".html
htmlTemplateFilename=htmlnotestemplate.html
releasesURL="https://github.com/${{ github.repository }}/releases"
downloadURLPrefix="https://github.com/${{ github.repository }}/releases/download/v${{ steps.version.outputs.version }}/"
echo "- Convert release notes to html"
echo '$body$' > "$htmlTemplateFilename"
if ! pandoc --standalone --template "$htmlTemplateFilename" --metadata title="Release Notes" \
"${{ steps.notes.outputs.file }}" \
> "${{ steps.zip.outputs.directory }}/$htmlNotesFilename"
then
echo "::warning::pandoc failed, no new appcast.xml file generated"
exit 0
fi
echo "- Update appcast"
cp ./appcast.xml "${{ steps.zip.outputs.directory }}/appcast.xml" # dir needs current xml file
if ! echo "${{ secrets.SPARKLE_PRIVATE_KEY }}" | generate_appcast --ed-key-file - \
--link "$releasesURL" --download-url-prefix "$downloadURLPrefix" \
--embed-release-notes -o ./appcast.xml "${{ steps.zip.outputs.directory }}"
then
echo "::warning::generate_appcast failed, no new appcast.xml file generated"
echo
echo "ls -alF \"${{ steps.zip.outputs.directory }}\""
ls -alF "${{ steps.zip.outputs.directory }}"
echo
echo "cat \"${{ steps.zip.outputs.directory }}/$htmlNotesFilename\""
cat "${{ steps.zip.outputs.directory }}/$htmlNotesFilename"
echo
exit 0
fi
echo "appcastGenerated=true" >> $GITHUB_OUTPUT
- name: Commit appcast.xml
if: success() && steps.version.outputs.updateAppcast && steps.version.outputs.tag && steps.sparkle.outputs.appcastGenerated
uses: stefanzweifel/git-auto-commit-action@v5
with:
commit_message: Automated Change to appcast.xml
file_pattern: "appcast.xml"
status_options: "--untracked-files=no"
- name: Draft Untagged Release
if: success() && steps.version.outputs.tag == ''
uses: softprops/action-gh-release@v2
with:
name: ${{ steps.version.outputs.releaseName }}
draft: true
prerelease: ${{ steps.version.outputs.isPrerelease }}
body_path: ${{ steps.notes.outputs.file }}
files: |
${{ steps.zip.outputs.file }}
${{ steps.dmg.outputs.file }}
fail_on_unmatched_files: false
- name: Draft Tagged Release
if: success() && steps.version.outputs.tag
uses: softprops/action-gh-release@v2
with:
name: ${{ steps.version.outputs.releaseName }}
tag_name: ${{ steps.version.outputs.tag }}
draft: true
prerelease: ${{ steps.version.outputs.isPrerelease }}
body_path: ${{ steps.notes.outputs.file }}
files: |
${{ steps.zip.outputs.file }}
${{ steps.dmg.outputs.file }}
fail_on_unmatched_files: false
- name: Fin
run: |
:
echo "::notice::Release \"${{ steps.version.outputs.releaseName }}\" draft created continaing \"${{ steps.zip.outputs.file }}\""