Notarize macOS builds

1.0.10 Fix build variables 1.0.11 Remove teamID to fix notarization 1.0.12 Fix notarization option again Sorry folks, this isn't well documented. 1.0.13 Add hardenedRuntime option to macOS 1.0.14 Fix patch app-builder-lib with a working API notarization path
hypermodules · Dec 20, 2023 · a47a3e4 · a47a3e4
1 parent e71647e
commit a47a3e4
Show file tree

Hide file tree

Showing 5 changed files with 62 additions and 6 deletions.
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -4,11 +4,11 @@ on:
   workflow_dispatch:
     inputs:
       newversion:
-        description: 'npm version {major,minor,patch}'
+        description: "npm version {major,minor,patch}"
         required: true
 
 env:
-  node_version: 'lts/*'
+  node_version: "lts/*"
   FORCE_COLOR: 1
 
 concurrency: # prevent concurrent releases
@@ -75,13 +75,22 @@ jobs:
       if: matrix.os != 'macos-latest'
       env:
         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # built in actions token.  Passed tp gh-release if in use.
+    - name: Prep signing files
+      if: matrix.os == 'macos-latest'
+      run: |
+        echo "$APPLE_API_KEY_B64" | base64 -d > /tmp/AuthKey_${{ secrets.APPLE_API_KEY_ID }}.p8
+      env:
+        APPLE_API_KEY_B64: ${{ secrets.APPLE_API_KEY_B64 }}
     - name: Build signed
       run: npm run pkg
       if: matrix.os == 'macos-latest'
       env:
         CSC_LINK: ${{ secrets.APPLE_DEVELOPER_ID_APPLICATION }}
         CSC_KEY_PASSWORD: ${{ secrets.APPLE_DEVELOPER_ID_APPLICATION_PASSWORD }}
         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # built in actions token.  Passed tp gh-release if in use.
+        APPLE_API_ISSUER: ${{ secrets.APPLE_API_ISSUER }}
+        APPLE_API_KEY_ID: ${{ secrets.APPLE_API_KEY_ID }}
+        APPLE_API_KEY: "/tmp/AuthKey_${{ secrets.APPLE_API_KEY_ID }}.p8"
     - name: Archive lockfile
       uses: actions/upload-artifact@v4
       with:

diff --git a/.npmrc b/.npmrc
@@ -0,0 +1 @@
+package-lock=true
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -7,7 +7,37 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 Generated by [`auto-changelog`](https://github.com/CookPete/auto-changelog).
 
-## [v1.0.9](https://github.com/hypermodules/hyperamp/compare/v1.0.8...v1.0.9)
+## [v1.0.14](https://github.com/hypermodules/hyperamp/compare/v1.0.13...v1.0.14)
+
+### Commits
+
+- Add hardenedRuntime option to macOS [`9d45ba6`](https://github.com/hypermodules/hyperamp/commit/9d45ba649c8f62807bb7bbe8db150fcf3d2ef1b9)
+
+## [v1.0.13](https://github.com/hypermodules/hyperamp/compare/v1.0.12...v1.0.13) - 2023-12-19
+
+### Commits
+
+- Fix notarization option again [`cf30c80`](https://github.com/hypermodules/hyperamp/commit/cf30c80c539a2739dde68c0bdff5f014b5b82668)
+
+## [v1.0.12](https://github.com/hypermodules/hyperamp/compare/v1.0.11...v1.0.12) - 2023-12-19
+
+### Commits
+
+- Remove teamID to fix notarization [`277b598`](https://github.com/hypermodules/hyperamp/commit/277b5988adfb39b4deb413c40a818336588ee081)
+
+## [v1.0.11](https://github.com/hypermodules/hyperamp/compare/v1.0.10...v1.0.11) - 2023-12-19
+
+### Commits
+
+- Fix build variables [`acaac28`](https://github.com/hypermodules/hyperamp/commit/acaac28b28a599fcfec2d0fb372dbce9dd784075)
+
+## [v1.0.10](https://github.com/hypermodules/hyperamp/compare/v1.0.9...v1.0.10) - 2023-12-18
+
+### Commits
+
+- Notarize macOS builds [`ce59f1a`](https://github.com/hypermodules/hyperamp/commit/ce59f1a983f5d777b5e0113e9cafc28a951c5716)
+
+## [v1.0.9](https://github.com/hypermodules/hyperamp/compare/v1.0.8...v1.0.9) - 2023-12-17
 
 ### Merged
 

diff --git a/package.json b/package.json
@@ -27,6 +27,9 @@
     ],
     "mac": {
       "category": "public.app-category.music",
+      "appId": "com.hypermodules.hyperamp",
+      "notarize": true,
+      "hardenedRuntime": true,
       "target": [
         {
           "target": "dmg",
@@ -95,6 +98,7 @@
     "nanobus": "^4.4.0",
     "nanocomponent": "^6.5.2",
     "nanologger": "^2.0.0",
+    "patch-package": "^8.0.0",
     "pump": "^3.0.0",
     "through2-filter": "^3.0.0",
     "xtend": "^4.0.2"
@@ -108,7 +112,6 @@
     "bundle-collapser": "^1.3.0",
     "common-shakeify": "^1.1.2",
     "concat-stream": "^2.0.0",
-    "dependency-check": "^4.1.0",
     "electron": "^28.0.0",
     "electron-builder": "^24.4.0",
     "electron-renderify": "0.0.2",
@@ -158,7 +161,6 @@
     "start": "run-s watch",
     "test": "run-s test:*",
     "test-skip:tape": "xvfb-maybe tape test/* | tap-format-spec",
-    "test:deps": "dependency-check ./package.json renderer/player/index.js renderer/audio/index.js --no-dev --ignore-module electron",
     "test:lint": "standard | snazzy",
     "test:main": "tape main/lib/**/test.js | tap-format-spec",
     "test:renderer": "tape renderer/**/test.js | tap-format-spec",
@@ -168,6 +170,7 @@
     "version": "run-s version:*",
     "version:changelog": "auto-changelog -p --template keepachangelog auto-changelog --breaking-pattern 'BREAKING CHANGE:'",
     "version:git": "git add CHANGELOG.md",
-    "release": "git push --follow-tags && gh-release -y"
+    "release": "git push --follow-tags && gh-release -y",
+    "postinstall": "patch-package"
   }
 }
diff --git a/patches/app-builder-lib+24.9.1.patch b/patches/app-builder-lib+24.9.1.patch
@@ -0,0 +1,13 @@
+diff --git a/node_modules/app-builder-lib/out/macPackager.js b/node_modules/app-builder-lib/out/macPackager.js
+index 98ca598..107a786 100644
+--- a/node_modules/app-builder-lib/out/macPackager.js
++++ b/node_modules/app-builder-lib/out/macPackager.js
+@@ -459,7 +459,7 @@ class MacPackager extends platformPackager_1.PlatformPackager {
+             return proj;
+         }
+         const { teamId } = options;
+-        if (teamId && (legacyLogin || notaryToolLogin)) {
++        if ((teamId || options === true) && (legacyLogin || notaryToolLogin)) {
+             const proj = {
+                 appPath,
+                 ...(legacyLogin !== null && legacyLogin !== void 0 ? legacyLogin : notaryToolLogin),