|
46 | 46 | if: startsWith(matrix.os, 'ubuntu') |
47 | 47 | with: |
48 | 48 | target: ${{ matrix.target }} |
49 | | - |
| 49 | + |
| 50 | + - name: Install the Apple certificate, provisioning profile, and API key (macOS) |
| 51 | + if: ${{ matrix.target == 'universal-apple-darwin' }} |
| 52 | + id: keychain |
| 53 | + env: |
| 54 | + BUILD_CERTIFICATE_BASE64: ${{ secrets.BUILD_CERTIFICATE_BASE64 }} |
| 55 | + P12_PASSWORD: ${{ secrets.P12_PASSWORD }} |
| 56 | + BUILD_PROVISION_PROFILE_BASE64: ${{ secrets.BUILD_PROVISION_PROFILE_BASE64 }} |
| 57 | + KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }} |
| 58 | + AUTH_KEY_BASE64: ${{ secrets.AUTH_KEY_BASE64 }} |
| 59 | + run: | |
| 60 | + # create variables |
| 61 | + CERTIFICATE_PATH=$RUNNER_TEMP/build_certificate.p12 |
| 62 | + PP_PATH=$RUNNER_TEMP/build_pp.provisionprofile |
| 63 | + KEYCHAIN_PATH=$RUNNER_TEMP/app-signing.keychain-db |
| 64 | + AUTH_KEY_PATH=$RUNNER_TEMP/AuthKey.p8 |
| 65 | +
|
| 66 | + # import certificate and provisioning profile from secrets |
| 67 | + echo -n "$BUILD_CERTIFICATE_BASE64" | base64 --decode -o $CERTIFICATE_PATH |
| 68 | + echo -n "$BUILD_PROVISION_PROFILE_BASE64" | base64 --decode -o $PP_PATH |
| 69 | +
|
| 70 | + # create temporary keychain |
| 71 | + security create-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH |
| 72 | + security set-keychain-settings -lut 21600 $KEYCHAIN_PATH |
| 73 | + security unlock-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH |
| 74 | +
|
| 75 | + # import certificate to keychain |
| 76 | + security import $CERTIFICATE_PATH -P "$P12_PASSWORD" -A -t cert -f pkcs12 -k $KEYCHAIN_PATH |
| 77 | + security set-key-partition-list -S apple-tool:,apple: -k "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH |
| 78 | + security list-keychain -d user -s $KEYCHAIN_PATH |
| 79 | +
|
| 80 | + # apply provisioning profile |
| 81 | + mkdir -p ~/Library/MobileDevice/Provisioning\ Profiles |
| 82 | + cp $PP_PATH ~/Library/MobileDevice/Provisioning\ Profiles |
| 83 | +
|
| 84 | + # create auth key file for notarization |
| 85 | + echo -n "$AUTH_KEY_BASE64" | base64 --decode -o $AUTH_KEY_PATH |
| 86 | +
|
| 87 | + # setup outputs |
| 88 | + echo "auth_key_path=$AUTH_KEY_PATH" >> $GITHUB_OUTPUT |
| 89 | + echo "keychain_path=$KEYCHAIN_PATH" >> $GITHUB_OUTPUT |
| 90 | + echo "pp_path=$PP_PATH" >> $GITHUB_OUTPUT |
| 91 | + echo "certificate_path=$CERTIFICATE_PATH" >> $GITHUB_OUTPUT |
| 92 | +
|
50 | 93 | - name: Build and Release |
51 | 94 | uses: taiki-e/upload-rust-binary-action@v1 |
52 | 95 | with: |
|
55 | 98 | include: README.md,LICENSE,ACKNOWLEDGEMENTS.md,THIRDPARTY.toml |
56 | 99 | leading-dir: true |
57 | 100 | locked: true |
58 | | - target: ${{ matrix.target }} |
| 101 | + target: universal-apple-darwin |
59 | 102 | token: ${{ secrets.GITHUB_TOKEN }} |
| 103 | + |
| 104 | + # Sign build products using codesign on macOS |
| 105 | + codesign: "7FP48PW9TN" |
| 106 | + codesign-prefix: "fi.matiaskorhonen." |
| 107 | + codesign-options: "runtime" |
| 108 | + |
| 109 | + - name: Zip the binary for notarization (macOS) |
| 110 | + if: ${{ matrix.target == 'universal-apple-darwin' }} |
| 111 | + run: zip -r $RUNNER_TEMP/purescript-analyzer-signed.zip target/${{ matrix.target }}/release/purescript-analyzer |
| 112 | + |
| 113 | + - name: Upload the binary for notarization (macOS) |
| 114 | + if: ${{ matrix.target == 'universal-apple-darwin' }} |
| 115 | + env: |
| 116 | + KEY_ID: ${{ secrets.KEY_ID }} |
| 117 | + ISSUER: ${{ secrets.ISSUER }} |
| 118 | + run: | |
| 119 | + xcrun notarytool submit $RUNNER_TEMP/purescript-analyzer-signed.zip \ |
| 120 | + --key "${{ steps.keychain.outputs.auth_key_path }}" \ |
| 121 | + --key-id "$KEY_ID" \ |
| 122 | + --issuer "$ISSUER" \ |
| 123 | + --wait |
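Review bot: The `security import ... -A` call on new line 76 lets any process use the imported signing key without a prompt, and the keychain is still unlocked and on the user search list while the following "Build and Release" step compiles the project and runs `taiki-e/upload-rust-binary-action@v1`, which is a mutable tag. Replacing `-A` with `-T /usr/bin/codesign` should be enough if the action signs through codesign, as its `codesign:` inputs suggest. Nothing in the visible hunks removes the keychain, the decoded `.p12`, the provisioning profile or `AuthKey.p8` afterwards, which matters on a self-hosted runner, so a final step guarded by `always()` should delete them. Separately, new line 101 hard-codes `target: universal-apple-darwin` in a step with no visible `if:`, so the Ubuntu matrix entries implied by line 46 would also be asked to build the Apple target; lines 96-97 are not shown, so confirm against the full file.

```yaml
      - name: Clean up signing material (macOS)
        if: ${{ always() && matrix.target == 'universal-apple-darwin' }}
        run: |
          # paths match the ones created in the keychain step
          security delete-keychain "$RUNNER_TEMP/app-signing.keychain-db" || true
          rm -f "$RUNNER_TEMP/build_certificate.p12" \
                "$RUNNER_TEMP/build_pp.provisionprofile" \
                "$RUNNER_TEMP/AuthKey.p8" \
                ~/Library/MobileDevice/Provisioning\ Profiles/build_pp.provisionprofile
```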