From 2df6699d34637ea2bca92b6e8ed986f313000f4a Mon Sep 17 00:00:00 2001 From: Erik Gomez Date: Mon, 26 Feb 2024 11:46:38 -0600 Subject: [PATCH] make a new beta release workflow --- .github/workflows/build_munki.yml | 10 ++-- .github/workflows/build_munki_beta.yml | 82 ++++++++++++++++++++++++++ 2 files changed, 87 insertions(+), 5 deletions(-) create mode 100644 .github/workflows/build_munki_beta.yml diff --git a/.github/workflows/build_munki.yml b/.github/workflows/build_munki.yml index 5818d5e..f2b2a99 100644 --- a/.github/workflows/build_munki.yml +++ b/.github/workflows/build_munki.yml @@ -1,4 +1,4 @@ -name: Build Munki (Manual) +name: Build Munki Release (Manual) env: APP_SIGNING_IDENTITY: "Developer ID Application: Mac Admins Open Source (T4SK8ZXCXG)" @@ -15,13 +15,13 @@ jobs: steps: - name: Checkout repo - uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f # v3.4.0 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: fetch-depth: 0 path: munki-builds - name: Checkout munki repo - uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f # v3.4.0 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: fetch-depth: 0 path: munki @@ -72,10 +72,10 @@ jobs: id: create_release uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v0.1.15 with: - name: Munki v${{env.MUNKI_VERSION}} Beta + name: Munki v${{env.MUNKI_VERSION}} tag_name: v${{env.MUNKI_VERSION}} draft: false - prerelease: true + prerelease: false token: ${{ secrets.GITHUB_TOKEN }} body: | This is a signed and notarized build of munki diff --git a/.github/workflows/build_munki_beta.yml b/.github/workflows/build_munki_beta.yml new file mode 100644 index 0000000..50129fc --- /dev/null +++ b/.github/workflows/build_munki_beta.yml @@ -0,0 +1,82 @@ +name: Build Munki Beta Release (Manual) + +env: + APP_SIGNING_IDENTITY: "Developer ID Application: Mac Admins Open Source (T4SK8ZXCXG)" + INSTALLER_SIGNING_IDENTITY: "Developer ID Installer: Mac Admins Open Source (T4SK8ZXCXG)" + NOTARY_APP_PASSWORD: ${{ secrets.NOTARY_APP_PASSWORD_MAOS }} + REVISION: 9e541a8e1a4ccd8df54df03c6e5495ebdb23b6f3 # hardcoded for now until we figure out how we want to tackle this - v6.5.0b1 + XCODE_PATH: "/Applications/Xcode_15.2.app" + +on: [workflow_dispatch] + +jobs: + build: + runs-on: macos-13 + + steps: + - name: Checkout repo + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + with: + fetch-depth: 0 + path: munki-builds + + - name: Checkout munki repo + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + with: + fetch-depth: 0 + path: munki + ref: ${{env.REVISION}} + repository: munki/munki + + - name: Install Apple Xcode certificates + uses: apple-actions/import-codesign-certs@8f3fb608891dd2244cdab3d69cd68c0d37a7fe93 # v2.0.0 + with: + keychain-password: ${{ github.run_id }} + p12-file-base64: ${{ secrets.APP_CERTIFICATES_P12_MAOS }} + p12-password: ${{ secrets.APP_CERTIFICATES_P12_PASSWORD_MAOS }} + + - name: Install Apple Installer certificates + uses: apple-actions/import-codesign-certs@8f3fb608891dd2244cdab3d69cd68c0d37a7fe93 # v2.0.0 + with: + create-keychain: false # do not create a new keychain for this value + keychain-password: ${{ github.run_id }} + p12-file-base64: ${{ secrets.PKG_CERTIFICATES_P12_MAOS }} + p12-password: ${{ secrets.PKG_CERTIFICATES_P12_PASSWORD_MAOS }} + + - name: Set Xcode Version + run: sudo xcode-select -s "$XCODE_PATH" + + - name: Build munki package + run: | + cd ./munki + ./code/tools/make_munki_mpkg.sh -p -S "$APP_SIGNING_IDENTITY" -s "$INSTALLER_SIGNING_IDENTITY" + echo "MUNKI_PKG_PATH=$(find . -type f -name "*.pkg")" >> $GITHUB_ENV + echo "MUNKI_VERSION=$(find . -type f -name "*.pkg" | sed 's/[^\-]*-//' | sed 's/\.[^.]*$//')" >> $GITHUB_ENV + + - name: Notarize and staple package + id: notarize_and_staple + run: | + "$XCODE_PATH/Contents/Developer/usr/bin/notarytool" store-credentials --apple-id "opensource@macadmins.io" --team-id "T4SK8ZXCXG" --password "$NOTARY_APP_PASSWORD" munki + "$XCODE_PATH/Contents/Developer/usr/bin/notarytool" submit "./munki/$MUNKI_PKG_PATH" --keychain-profile "munki" --wait + "$XCODE_PATH/Contents/Developer/usr/bin/stapler" staple "./munki/$MUNKI_PKG_PATH" + + - name: Generate changelog + if: ${{ false }} # disable job or now + id: changelog + uses: metcalfc/changelog-generator@afdcb9470aebdb2252c0c95a1c130723c9e21f3a # v4.1 + with: + myToken: ${{ secrets.GITHUB_TOKEN }} + reverse: 'true' + + - name: Create Release + id: create_release + uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v0.1.15 + with: + name: Munki v${{env.MUNKI_VERSION}} Beta + tag_name: v${{env.MUNKI_VERSION}} + draft: false + prerelease: true + token: ${{ secrets.GITHUB_TOKEN }} + body: | + This is a signed and notarized build of munki betas + files: ${{github.workspace}}/munki/*.pkg