diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 5cb7f13c..a9baec83 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -7,7 +7,7 @@ on:
 jobs:
   build:
-    runs-on: macos-latest
+    runs-on: ubuntu-latest
     steps:
       - name: Checkout
         uses: actions/checkout@v4
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 3306c344..88960f73 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -7,7 +7,7 @@ on:
 jobs:
   release:
-    runs-on: macos-latest
+    runs-on: ubuntu-latest
     steps:
       - name: Checkout
         uses: actions/checkout@v4
@@ -17,8 +17,8 @@ jobs:
         with:
           go-version-file: go.mod
 
-      - name: Set up gon
-        run: brew install mitchellh/gon/gon
+      - name: Setup rcodesign
+        uses: indygreg/apple-code-sign-action@v1
 
       - name: Import GPG key
         id: import_gpg
@@ -30,7 +30,9 @@ jobs:
       - name: Decrypt Secrets
         env:
           SECRETS_PASSWORD: ${{ secrets.SECRETS_PASSWORD }}
-        run: bash script/decrypt_secrets.sh
+        run: |
+          gpg --quiet --batch --yes --decrypt --passphrase="$SECRETS_PASSWORD" \
+            --output .github/secrets/hcloud_cli.p12 .github/secrets/hcloud_cli.p12.gpg
 
       - name: Run GoReleaser
         uses: goreleaser/goreleaser-action@v5
@@ -39,6 +41,4 @@ jobs:
           args: release --clean --skip=validate
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          HC_APPLE_DEVELOPER_USER: ${{ secrets.HC_APPLE_DEVELOPER_USER }}
-          HC_APPLE_DEVELOPER_PASSWORD: ${{ secrets.HC_APPLE_DEVELOPER_PASSWORD }}
-          HC_APPLE_IDENTITY: ${{ secrets.HC_APPLE_IDENTITY }}
+          APPLE_P12_PASSWORD: ${{ secrets.APPLE_P12_PASSWORD }}
diff --git a/.goreleaser.yml b/.goreleaser.yml
index 6a700432..1252e086 100644
--- a/.goreleaser.yml
+++ b/.goreleaser.yml
@@ -41,7 +41,12 @@ builds:
       - arm64
     hooks:
       post:
-        - cmd: bash script/gon.sh "{{ .Path }}"
+        - cmd: >
+            rcodesign sign
+            --p12-file .github/secrets/hcloud_cli.p12
+            --p12-password "$APPLE_P12_PASSWORD"
+            --code-signature-flags runtime
+            "{{ .Path }}"
           output: true
 
 snapshot:
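Review bot: `uses: indygreg/apple-code-sign-action@v1` pins a third-party action to a mutable major tag, so the rcodesign build that later handles the signing key follows wherever that tag is moved; pinning it to a full commit SHA with the version in a trailing comment (`uses: indygreg/apple-code-sign-action@<commit-sha>  # v1`) keeps the release toolchain reproducible. The surrounding `actions/checkout@v4` and `goreleaser/goreleaser-action@v5` lines use tag pins too, so this may be a repo-wide convention rather than something to settle in this commit. The step is invoked with no `with:` inputs; worth confirming that the action then only installs rcodesign onto PATH, since the actual signing happens in the GoReleaser hook.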
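Review bot: The decrypted signing key is written to `.github/secrets/hcloud_cli.p12` inside the checked-out workspace and nothing later in the job removes it, so the private key stays on disk next to the build output for every subsequent step. Decrypting it under `$RUNNER_TEMP` instead, or adding a final step with `if: always()` that runs `rm -f .github/secrets/hcloud_cli.p12`, limits that exposure. The `.goreleaser.yml` hook hard-codes the same path, so the location has to change in both files if it is moved. The `--passphrase=` value is passed in argv; GitHub masks `SECRETS_PASSWORD` in logs, but `--passphrase-fd 0` with the value on stdin keeps it out of the process list entirely.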
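Review bot: The new `rcodesign sign` hook runs unconditionally, whereas the deleted `script/gon.sh` returned early unless `GITHUB_REF_TYPE` was `tag`; the p12 is only decrypted in release.yml, so any GoReleaser run outside that workflow (snapshot builds, if build.yml does them) would now fail in this hook, and the hook also runs for every target of this build entry, which only works if the entry is darwin-only. The old gon config carried an `apple_id` block, so the previous flow also notarized the binary; this invocation only signs with the hardened-runtime flag, and if notarization is still wanted it needs a separate `rcodesign notary-submit` step. `--p12-password "$APPLE_P12_PASSWORD"` puts the key password into the hook process's argv; rcodesign's `--p12-password-file` reads it from a file instead. The enclosing `builds:` entry starts outside the hunk.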
diff --git a/script/decrypt_secrets.sh b/script/decrypt_secrets.sh
deleted file mode 100755
index 0f1f61b5..00000000
--- a/script/decrypt_secrets.sh
+++ /dev/null
@@ -1,15 +0,0 @@
-#!/bin/sh
-
-gpg --quiet --batch --yes --decrypt --passphrase="$SECRETS_PASSWORD" --output ./.github/secrets/hcloud_cli.p12 ./.github/secrets/hcloud_cli.p12.gpg
-
-security create-keychain -p "" build.keychain
-# Use long timeout for keychain to avoid issues where codesign fails because the keychain is locked
-# before it was used. Default timeout is 300s
-security set-keychain-settings -u -t 3600 ~/Library/Keychains/build.keychain
-security import ./.github/secrets/hcloud_cli.p12 -t agg -k ~/Library/Keychains/build.keychain -P "$CERT_PASSWORD" -A
-
-security list-keychains -s ~/Library/Keychains/build.keychain
-security default-keychain -s ~/Library/Keychains/build.keychain
-security unlock-keychain -p "" ~/Library/Keychains/build.keychain
-
-security set-key-partition-list -S apple-tool:,apple: -s -k "" ~/Library/Keychains/build.keychain
diff --git a/script/gon.sh b/script/gon.sh
deleted file mode 100755
index 751a79ba..00000000
--- a/script/gon.sh
+++ /dev/null
@@ -1,30 +0,0 @@
-#!/usr/bin/env bash
-
-set -eu -o posix
-
-# Only sign on releasing
-if [[ "${GITHUB_REF_TYPE:-}" != "tag" ]]; then
-  exit 0
-fi
-
-BINARY_PATH="$1"
-
-GON_CONFIG="gon_$RANDOM.json"
-cleanup() {
-  rm -f "$GON_CONFIG"
-}
-trap cleanup EXIT
-
-printf '{
-  "source": ["%s"],
-  "bundle_id": "cloud.hetzner.cli",
-  "apple_id": {
-    "username": "integrations@hetzner-cloud.de",
-    "password": "@env:HC_APPLE_DEVELOPER_PASSWORD"
-  },
-  "sign": {
-    "application_identity": "Developer ID Application: Hetzner Cloud GmbH (4PM38G6W5R)"
-  }
-}' "$BINARY_PATH" > "$GON_CONFIG"
-
-gon -log-level=debug "$GON_CONFIG"