This repository has been archived by the owner on Feb 13, 2024. It is now read-only.

Merge pull request #3554 from MartinBriza/actions-macos-advanced-code…
…-sign-continued

Add macOS to GitHub Actions
skel35 authored Nov 27, 2019
2 parents 84d8a3c + 0ff66cf commit 6ef0d4f
Showing 2 changed files with 203 additions and 0 deletions.
62 changes: 62 additions & 0 deletions .github/workflows/main.yml
Expand Up @@ -8,6 +8,68 @@ on:
types: [ created ]

jobs:
macos:
runs-on: macOS-latest
steps:
- uses: actions/checkout@v1
with:
fetch-depth: 1
- name: Import signing key
run: |
# Create a new keychian and make it default
security create-keychain -p password build.keychain
security default-keychain -s ~/Library/Keychains/build.keychain
# Mac Developer Certificate
base64 -D <<< "${{ secrets.CERT_MACOS }}" > Bundle_cert_macos_development.p12
security import ./Bundle_cert_macos_development.p12 -k ~/Library/Keychains/build.keychain -P ${{ secrets.CERT_MACOS_PASSWORD }} -T /usr/bin/codesign
# Application Certificate
base64 -D <<< "${{ secrets.CERT_MACOS_APPLICATION }}" > Bundle_cert_macos_distribution.p12
security import ./Bundle_cert_macos_distribution.p12 -k ~/Library/Keychains/build.keychain -P ${{ secrets.CERT_MACOS_APPLICATION_PASSWORD }} -T /usr/bin/codesign
# Installer Certificate
base64 -D <<< "${{ secrets.CERT_MACOS_INSTALLER }}" > Bundle_cert_macos_installer.p12
security import ./Bundle_cert_macos_installer.p12 -k ~/Library/Keychains/build.keychain -P ${{ secrets.CERT_MACOS_INSTALLER_PASSWORD }} -T /usr/bin/codesign
# Unlock
security unlock-keychain -p password ~/Library/Keychains/build.keychain
security set-keychain-settings -lu
security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k password ~/Library/Keychains/build.keychain
- name: Build the dependencies
run: |
bash ./dist/osx/build.sh dependencies
- name: Get cocoapods
run: |
bash ./dist/osx/build.sh cocoapods
- name: Build the application
run: |
bash ./dist/osx/build.sh app
- name: Insert version string
if: github.event_name == 'release'
run: |
TAG_NAME=$(./dist/get-tag-name.sh)
bash ./dist/osx/build.sh plist
- name: Codesign
if: github.event_name == 'release'
run: |
bash ./dist/osx/build.sh sign
- name: Notarize
if: github.event_name == 'release'
run: |
export "APPLE_APPID_USER=${{ secrets.MACOS_APPID_USER }}"
export "APPLE_APPID_PASSWORD=${{ secrets.MACOS_APPID_PASSWORD }}"
bash ./dist/osx/build.sh notarize
- name: Compose dmg
if: github.event_name == 'release'
run: |
bash ./dist/osx/build.sh dmg
- name: Upload to GitHub Release
if: github.event_name == 'release'
run: |
TAG_NAME=$(./dist/get-tag-name.sh)
./dist/upload-github-release-asset.sh github_api_token=${{ secrets.GITHUB_TOKEN }} owner=MartinBriza repo=toggldesktop tag="$TAG_NAME" filename="TogglDesktop.dmg" renameto="TogglDesktop-${TAG_NAME/v/}.dmg"
linux-basic:
runs-on: ubuntu-latest
if: github.event_name != 'release'
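Review bot: The `Import signing key` step is the only signing-related step without `if: github.event_name == 'release'`, so the three `.p12` identities are decoded into the working directory and imported into `build.keychain` on every run, including runs where only the un-gated `Build the dependencies` and `Get cocoapods` steps follow. Adding the same `if: github.event_name == 'release'` guard to that step, and removing the `Bundle_cert_macos_*.p12` files right after each `security import`, would keep the key material away from builds that never sign. The certificate passwords are also substituted into the script text unquoted (`-P ${{ secrets.CERT_MACOS_PASSWORD }}`), so a value containing whitespace or shell metacharacters is parsed by the shell; mapping each secret through the step's `env:` and writing `-P "$CERT_MACOS_PASSWORD"` avoids that. Separately, `TAG_NAME=$(./dist/get-tag-name.sh)` in `Insert version string` is not exported, so the `bash ./dist/osx/build.sh plist` child process presumably sees an empty `TAG_NAME` unless it is set elsewhere.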
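--- /dev/null
+++ b/dist/osx/build.sh
@@ -0,0 +1,141 @@
+#!/usr/bin/env bash
+
+set -e
+
+# Force using sdk 10.11
+export LDFLAGS="-mmacosx-version-min=10.11"
+export CFLAGS="$LDFLAGS"
+export CXXFLAGS="$LDFLAGS"
+
+version=${TAG_NAME/v/}
+
+function app_path() {
+echo $(xcodebuild -scheme TogglDesktop -workspace src/ui/osx/TogglDesktop.xcworkspace -configuration Release -showBuildSettings \
+| grep -w 'BUILT_PRODUCTS_DIR' \
+| cut -d'=' -f 2 \
+| sed -e 's/^[ \t]*//')/TogglDesktop.app
+}
+
+function dependencies() {
+make deps
+}
+
+function cocoapods() {
+make init_cocoapod
+}
+
+function app() {
+make app_release
+}
+
+function plist() {
+# Get app path
+APP_PATH=$(app_path)
+
+# Update the plist file (version, enable update check, UI logging to file etc)
+mkdir -p tmp
+#go run src/branding/osx/plist.go -path="$APP_PATH" -version=$version
+awk '/CFBundleVersion/{print;getline;$0="\t<string>'"$version"'</string>"}1' $APP_PATH/Contents/Info.plist > tmp/Info.plist
+mv tmp/Info.plist $APP_PATH/Contents/Info.plist
+awk '/CFBundleShortVersionString/{print;getline;$0="\t<string>'"$version"'</string>"}1' $APP_PATH/Contents/Info.plist > tmp/Info.plist
+# Overwrite built apps plist file
+mv tmp/Info.plist $APP_PATH/Contents/Info.plist
+
+rmdir tmp
+}
+
+function sign() {
+security unlock-keychain -p 'password' ~/Library/Keychains/build.keychain
+APP=$(app_path)
+EXECUTABLE=$APP/Contents/MacOS/TogglDesktop
+CERTIFICATE="Developer ID Application: TOGGL OU"
+
+echo "== check that gatekeeper is enabled =="
+spctl --status|grep "disabled" && echo "cannot continue"
+
+codesign --force --options runtime --deep --sign "${CERTIFICATE}" $APP/Contents/Frameworks/Sparkle.framework/Resources/Autoupdate.app
+codesign --force --options runtime --deep --sign "${CERTIFICATE}" $APP/Contents/Frameworks/Sparkle.framework/Resources/Autoupdate.app/Contents/MacOS/fileop
+
+for filename in $APP/Contents/Frameworks/*; do
+codesign -d --force --options runtime -vvvv --verify --strict -s "${CERTIFICATE}" -r='designated => anchor apple generic and certificate leaf[subject.OU] = "B227VTMZ94"' $filename
+done
+
+codesign -d --force --options runtime -vvvv --verify --strict -s "${CERTIFICATE}" -r='designated => anchor apple generic and identifier "com.toggl.toggldesktop.TogglDesktop" and certificate leaf[subject.OU] = "B227VTMZ94"' $EXECUTABLE
+
+codesign -d --force --options runtime -vvvv --verify --strict -s "${CERTIFICATE}" -r='designated => anchor apple generic and identifier "com.toggl.toggldesktop.TogglDesktop" and certificate leaf[subject.OU] = "B227VTMZ94"' $APP
+
+codesign --deep --verify --strict --verbose=4 $APP
+}
+
+function notarize() {
+APP_PATH=$(app_path)
+BUNDLE_APP=$(dirname "${APP_PATH}")
+EXPORT_PATH=${BUNDLE_APP}/Submissions
+BUNDLE_ZIP=${EXPORT_PATH}/TogglDesktop.zip
+UPLOAD_INFO_PLIST=${EXPORT_PATH}/UploadInfo.plist
+REQUEST_INFO_PLIST=${EXPORT_PATH}/RequestInfo.plist
+AUDIT_INFO_JSON=${EXPORT_PATH}/AuditInfo.json
+DEVELOPER_USERNAME=${APPLE_APPID_USER}
+DEVELOPER_PASSWORD=${APPLE_APPID_PASSWORD}
+
+echo "Notarization" "Building a ZIP archive…"
+/usr/bin/ditto -c -k --keepParent ${APP_PATH} ${BUNDLE_ZIP}
+echo "Notarization" "Uploading for notarization…"
+/usr/bin/xcrun altool --notarize-app --primary-bundle-id "com.toggl.toggldesktop.TogglDesktop.zip" -itc_provider "B227VTMZ94" -u ${DEVELOPER_USERNAME} -p ${DEVELOPER_PASSWORD} -f ${BUNDLE_ZIP} --output-format xml > ${UPLOAD_INFO_PLIST} || cat ${UPLOAD_INFO_PLIST}
+echo "Notarization" "Waiting while notarized…"
+while true; do
+/usr/bin/xcrun altool --notarization-info `/usr/libexec/PlistBuddy -c "Print :notarization-upload:RequestUUID" ${UPLOAD_INFO_PLIST}` -u ${DEVELOPER_USERNAME} -p ${DEVELOPER_PASSWORD} --output-format xml > ${REQUEST_INFO_PLIST} || cat ${REQUEST_INFO_PLIST}
+if [[ `/usr/libexec/PlistBuddy -c "Print :notarization-info:Status" ${REQUEST_INFO_PLIST}` != "in progress" ]]; then
+break
+fi
+echo '\n***** Notarization - waiting 60s'
+sleep 60
+done
+echo "Notarization" "Downloading log file…"
+/usr/bin/curl -o ${AUDIT_INFO_JSON} `/usr/libexec/PlistBuddy -c "Print :notarization-info:LogFileURL" ${REQUEST_INFO_PLIST}`
+if [ `/usr/libexec/PlistBuddy -c "Print :notarization-info:Status" ${REQUEST_INFO_PLIST}` != "success" ]; then \
+false; \
+fi
+echo "Notarization", "Stapling…"
+/usr/bin/xcrun stapler staple ${APP_PATH}
+echo "Notarization", "✅ Done!"
+}
+
+function dmg() {
+APP_PATH=$(app_path)
+npm install --global create-dmg
+brew install graphicsmagick imagemagick
+create-dmg $APP_PATH
+mv *.dmg TogglDesktop.dmg
+}
+
+function debuginfo() {
+# Compress main app debug info
+export dsym_dylib=TogglDesktopLibrary.dylib-$escaped_version-$timestamp-dsym.tar.gz
+rm -rf $dsym_dylib
+tar cvfz $dsym_dylib $APP_PATH/../TogglDesktopLibrary.dylib.dSYM
+
+# Compress dynamic library debug info
+export dsym=TogglDesktop-$escaped_version-$timestamp-dsym.tar.gz
+rm -rf $dsym
+tar cvfz $dsym $APP_PATH/../TogglDesktop.app.dSYM
+}
+
+
+if [[ "$#" -ne 1 ]]; then
+dependencies
+cocoapods
+app
+plist
+sign
+notarize
+debuginfo
+dmg
+else
+$1
+fi
+
+# Update AppCast
+# Upload the new version to Github releases
+# Update releases.json
+# Post to Slack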
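Review bot: In `notarize`, both `altool` calls pass the Apple ID password as `-p ${DEVELOPER_PASSWORD}`, which puts it on the process command line (and in any `set -x` trace) and leaves it unquoted; altool can read it from the environment instead with `-p "@env:APPLE_APPID_PASSWORD"`, and `-u "${DEVELOPER_USERNAME}"` should be quoted as well. The upload failure in the same function is hidden behind `|| cat ${UPLOAD_INFO_PLIST}`, so despite `set -e` the script continues into the unbounded polling loop without a RequestUUID; `|| { cat "${UPLOAD_INFO_PLIST}"; exit 1; }` would stop it there. In `sign`, `spctl --status|grep "disabled" && echo "cannot continue"` prints the message but keeps signing; `if spctl --status | grep -q disabled; then echo "cannot continue" >&2; exit 1; fi` would make the check effective. The remaining path expansions (`$APP`, `${APP_PATH}`, `${BUNDLE_ZIP}`) are unquoted throughout and would split on a build directory containing spaces.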
