Test Building for Apple #26
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Test Building for Apple | |
| on: workflow_dispatch | |
| defaults: | |
| run: | |
| # necessary for windows | |
| shell: bash | |
| jobs: | |
| get-version: | |
| runs-on: ubuntu-latest | |
| outputs: | |
| version: ${{ steps.store-version.outputs.version }} | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Install Knope | |
| uses: knope-dev/[email protected] | |
| with: | |
| version: 0.18.0 | |
| - name: Store version | |
| id: store-version | |
| run: echo "version=$(knope get-version)" >> $GITHUB_OUTPUT | |
| build-artifacts: | |
| needs: get-version | |
| strategy: | |
| matrix: | |
| include: | |
| - target: aarch64-apple-darwin | |
| os: macos-latest | |
| runs-on: ${{ matrix.os }} | |
| permissions: | |
| contents: read | |
| id-token: write | |
| env: | |
| archive_name: rhai-test | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: actions-rust-lang/setup-rust-toolchain@v1 | |
| - uses: arduino/setup-protoc@v3 | |
| with: | |
| repo-token: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Install Knope | |
| uses: knope-dev/[email protected] | |
| with: | |
| version: 0.18.0 | |
| # Authenticate to GCP using Workload Identity Federation. | |
| # We set up the WI provider in the `github_actions_federation` resource in the | |
| # `platform-infrastructure` repository. | |
| - id: google-auth | |
| uses: 'google-github-actions/auth@v2' | |
| with: | |
| workload_identity_provider: 'projects/865738624352/locations/global/workloadIdentityPools/github-d8bck/providers/github-d8bck' | |
| service_account: apollosolutions-rhai-test@platform-mgmt-service-e0izz.iam.gserviceaccount.com | |
| project_id: platform-cross-environment | |
| # Gets some secrets from Google Secret Manager. | |
| - id: gsm-secrets | |
| uses: 'google-github-actions/get-secretmanager-secrets@v2' | |
| with: | |
| # The format of each line here is OUTPUTNAME:PROJECT/SECRET; you can | |
| # read the secrets later in this file with | |
| # `steps.gsm-secrets.outputs.OUTPUTNAME`. These secrets are created in | |
| # the `argo` resource in the `domain-deployment` repository. | |
| secrets: |- | |
| MACOS_CERT_BUNDLE_PASSWORD:platform-mgmt-secrets-3xnc4/apollosolutions-rhai-test-MACOS_CERT_BUNDLE_PASSWORD | |
| MACOS_CERT_BUNDLE_BASE64:platform-mgmt-secrets-3xnc4/apollosolutions-rhai-test-MACOS_CERT_BUNDLE_BASE64 | |
| MACOS_NOTARIZATION_PASSWORD:platform-mgmt-secrets-3xnc4/apollosolutions-rhai-test-MACOS_NOTARIZATION_PASSWORD | |
| MACOS_KEYCHAIN_PASSWORD:platform-mgmt-secrets-3xnc4/apollosolutions-rhai-test-MACOS_KEYCHAIN_PASSWORD | |
| - name: Build | |
| run: cargo build --release --target ${{ matrix.target }} | |
| - name: Sign Apple Binary | |
| run: | | |
| MACOS_CERT_BUNDLE_PASSWORD=${{ secrets.MACOS_CERT_BUNDLE_PASSWORD }} | |
| MACOS_CERT_BUNDLE_BASE64=${{ secrets.MACOS_CERT_BUNDLE_BASE64 }} | |
| MACOS_KEYCHAIN_PASSWORD=${{secrets.MACOS_KEYCHAIN_PASSWORD}} | |
| MACOS_NOTARIZATION_PASSWORD=${{secrets.MACOS_NOTARIZATION_PASSWORD}} | |
| APPLE_TEAM_ID="YQK948L752" | |
| APPLE_USERNAME="[email protected]" | |
| echo "Pre-check: Valid Codesigning Identify" | |
| security find-identity -v -p codesigning | |
| echo "Pre-check: Codesigning Identify" | |
| security find-identity -p codesigning | |
| echo "Pre-check: Any Identify" | |
| security find-identity | |
| echo "|||||||||||||||||||||||||||||||||||||||||||||" | |
| VERSION=${{ needs.get-version.outputs.version }} | |
| BINARY_PATH=target/${{ matrix.target }}/release/${{ env.archive_name }} | |
| ENTITLEMENTS_PATH="macos-entitlements.plist" | |
| # Create a temporary keychain | |
| KEYCHAIN_NAME="rhaitest-keychain" | |
| mkdir $KEYCHAIN_NAME | |
| echo "Creating keychain..." | |
| security create-keychain -p "${MACOS_KEYCHAIN_PASSWORD}" $KEYCHAIN_NAME | |
| echo "Removing relock timeout on keychain..." | |
| security set-keychain-settings $KEYCHAIN_NAME | |
| echo "Decoding certificate bundle..." | |
| echo "${MACOS_CERT_BUNDLE_BASE64}" | base64 --decode > $KEYCHAIN_NAME/certificate.p12 | |
| echo "Importing codesigning certificate to build keychain..." | |
| security import $KEYCHAIN_NAME/certificate.p12 -k $KEYCHAIN_NAME -P "${MACOS_CERT_BUNDLE_PASSWORD}" -T /usr/bin/codesign | |
| echo "Adding the codesign tool to the security partition-list..." | |
| security set-key-partition-list -S "apple-tool:,apple:,codesign:" -s -k "${MACOS_KEYCHAIN_PASSWORD}" $KEYCHAIN_NAME | |
| echo "Setting default keychain..." | |
| security default-keychain -d user -s $KEYCHAIN_NAME | |
| echo "Unlocking keychain..." | |
| security unlock-keychain -p "${MACOS_KEYCHAIN_PASSWORD}" $KEYCHAIN_NAME | |
| echo "Verifying keychain is set up correctly..." | |
| security find-identity -v -p codesigning | |
| echo "|||||||||||||||||||||||||||||||||||||||||||||" | |
| echo "Post-check: Valid Codesigning Identify" | |
| security find-identity -v -p codesigning | |
| echo "Post-check: Codesigning Identify" | |
| security find-identity -p codesigning | |
| echo "Post-check: Any Identify" | |
| security find-identity | |
| echo "|||||||||||||||||||||||||||||||||||||||||||||" | |
| # Sign the binary | |
| echo "Signing code (step 1)..." | |
| codesign --sign "$APPLE_TEAM_ID" --options runtime --entitlements $ENTITLEMENTS_PATH --force --timestamp "$BINARY_PATH" -v | |
| echo "Signing code (step 2)..." | |
| codesign -vvv --deep --strict "$BINARY_PATH" | |
| echo "Zipping dist..." | |
| mkdir "$KEYCHAIN_NAME/dist" | |
| cp "$BINARY_PATH" "$KEYCHAIN_NAME/dist/rhaitest" | |
| zip -r "$KEYCHAIN_NAME/rhaitest-$VERSION.zip" "$KEYCHAIN_NAME/dist" | |
| echo "Beginning notarization process..." | |
| xcrun notarytool submit "$KEYCHAIN_NAME/rhaitest-$VERSION.zip" --apple-id "$APPLE_USERNAME" --password "$MACOS_NOTARIZATION_PASSWORD" --team-id "$APPLE_TEAM_ID" --wait --timeout 20m |