diff --git a/.github/workflows/checks.yml b/.github/workflows/checks.yml
deleted file mode 100644
index 193b3331..00000000
--- a/.github/workflows/checks.yml
+++ /dev/null
@@ -1,101 +0,0 @@
-name: Cargo Build & Test
-
-on:
- push:
- branches:
- pull_request:
-
-env:
- CARGO_TERM_COLOR: always
-
-jobs:
- build_and_test:
- name: Compilation
- runs-on: ${{ matrix.os }}
- strategy:
- matrix:
- os:
- - ubuntu-latest
- - macos-latest
- - windows-latest
- toolchain:
- - stable
-
- steps:
- - name: Checkout repository
- uses: actions/checkout@v5
-
- - name: Install Rust toolchain
- run: rustup update ${{ matrix.toolchain }} && rustup default ${{ matrix.toolchain }}
-
- - name: Cache build artifacts
- uses: Swatinem/rust-cache@v2.8.0
- with:
- cache-bin: "false"
- prefix-key: "v5-maho-${{ matrix.os }}-${{ matrix.toolchain }}"
-
- - name: Install cargo-binstall
- uses: cargo-bins/cargo-binstall@v1.15.3
-
- - name: Install cargo-nextest
- run: cargo binstall cargo-nextest just
- env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-
- - name: Build and Test
- run: |
- cargo build --workspace --verbose
- cargo nextest run
- just integration
-
- coverage:
- name: Coverage
- runs-on: ubuntu-latest
- strategy:
- matrix:
- toolchain:
- - stable
-
- steps:
- - name: Checkout repository
- uses: actions/checkout@v5
-
- - name: Install Rust toolchain
- run: rustup update ${{ matrix.toolchain }} && rustup default ${{ matrix.toolchain }}
-
- - name: Cache build artifacts
- uses: Swatinem/rust-cache@v2.8.0
- with:
- cache-bin: "false"
- prefix-key: "v5-maho-${{ matrix.toolchain }}"
-
- - name: Install cargo-binstall
- uses: cargo-bins/cargo-binstall@v1.15.3
-
- - name: Install cargo-nextest
- run: cargo binstall cargo-nextest cargo-llvm-cov just
- env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-
- - name: Build and Test
- run: |
- cargo build --workspace --verbose
- just coverage
- just coverage-codecov
-
- - name: Upload to Codecov
- uses: codecov/codecov-action@v5
- with:
- token: ${{ secrets.CODECOV_TOKEN }}
- files: codecov.json
- fail_ci_if_error: true
-
- formatting:
- name: Formatting
- runs-on: ubuntu-latest
- steps:
- - name: Checkout repository
- uses: actions/checkout@v3
-
- - name: Run formatter
- run: cargo fmt --check
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index ec556c9f..1961090d 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -25,17 +25,17 @@ jobs:
 strategy:
 matrix:
 include:
- - os: ubuntu-latest
- target: x86_64-unknown-linux-gnu
-
- - os: ubuntu-latest
- target: x86_64-unknown-linux-musl
-
+ # - os: ubuntu-latest
+ # target: x86_64-unknown-linux-gnu
+ #
+ # - os: ubuntu-latest
+ # target: x86_64-unknown-linux-musl
+ #
 - os: macos-latest
 target: universal-apple-darwin
-
- - os: windows-latest
- target: x86_64-pc-windows-msvc
+ #
+ # - os: windows-latest
+ # target: x86_64-pc-windows-msvc
 steps:
 - name: Checkout repository
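Review bot: The Linux and Windows entries of `matrix.include` are commented out rather than left in place, so a release cut from this workflow would publish only the `universal-apple-darwin` binary. Every step added later in this diff is already gated on `matrix.target == 'universal-apple-darwin'`, so the other targets do not have to be disabled for the signing steps to work. If this was done to iterate on signing, restore the entries before merging; the same commit also deletes `checks.yml`, so nothing visible here would still build or test the other platforms. The job body continues outside the hunk.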
@@ -46,7 +46,50 @@ jobs:
 if: startsWith(matrix.os, 'ubuntu')
 with:
 target: ${{ matrix.target }}
-
+
+ - name: Install the Apple certificate, provisioning profile, and API key (macOS)
+ if: ${{ matrix.target == 'universal-apple-darwin' }}
+ id: keychain
+ env:
+ BUILD_CERTIFICATE_BASE64: ${{ secrets.BUILD_CERTIFICATE_BASE64 }}
+ P12_PASSWORD: ${{ secrets.P12_PASSWORD }}
+ BUILD_PROVISION_PROFILE_BASE64: ${{ secrets.BUILD_PROVISION_PROFILE_BASE64 }}
+ KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }}
+ AUTH_KEY_BASE64: ${{ secrets.AUTH_KEY_BASE64 }}
+ run: |
+ # create variables
+ CERTIFICATE_PATH=$RUNNER_TEMP/build_certificate.p12
+ PP_PATH=$RUNNER_TEMP/build_pp.provisionprofile
+ KEYCHAIN_PATH=$RUNNER_TEMP/app-signing.keychain-db
+ AUTH_KEY_PATH=$RUNNER_TEMP/AuthKey.p8
+
+ # import certificate and provisioning profile from secrets
+ echo -n "$BUILD_CERTIFICATE_BASE64" | base64 --decode -o $CERTIFICATE_PATH
+ echo -n "$BUILD_PROVISION_PROFILE_BASE64" | base64 --decode -o $PP_PATH
+
+ # create temporary keychain
+ security create-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
+ security set-keychain-settings -lut 21600 $KEYCHAIN_PATH
+ security unlock-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
+
+ # import certificate to keychain
+ security import $CERTIFICATE_PATH -P "$P12_PASSWORD" -A -t cert -f pkcs12 -k $KEYCHAIN_PATH
+ security set-key-partition-list -S apple-tool:,apple: -k "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
+ security list-keychain -d user -s $KEYCHAIN_PATH
+
+ # apply provisioning profile
+ mkdir -p ~/Library/MobileDevice/Provisioning\ Profiles
+ cp $PP_PATH ~/Library/MobileDevice/Provisioning\ Profiles
+
+ # create auth key file for notarization
+ echo -n "$AUTH_KEY_BASE64" | base64 --decode -o $AUTH_KEY_PATH
+
+ # setup outputs
+ echo "auth_key_path=$AUTH_KEY_PATH" >> $GITHUB_OUTPUT
+ echo "keychain_path=$KEYCHAIN_PATH" >> $GITHUB_OUTPUT
+ echo "pp_path=$PP_PATH" >> $GITHUB_OUTPUT
+ echo "certificate_path=$CERTIFICATE_PATH" >> $GITHUB_OUTPUT
+
 - name: Build and Release
 uses: taiki-e/upload-rust-binary-action@v1
 with:
@@ -57,3 +100,24 @@ jobs:
 locked: true
 target: ${{ matrix.target }}
 token: ${{ secrets.GITHUB_TOKEN }}
+
+ # Sign build products using codesign on macOS
+ codesign: "47BE53B998AB29ED40729A647D0E481FE058CE9F"
+ codesign-prefix: "com.purefunctor."
+ codesign-options: "runtime"
+
+ - name: Zip the binary for notarization (macOS)
+ if: ${{ matrix.target == 'universal-apple-darwin' }}
+ run: zip -r $RUNNER_TEMP/purescript-analyzer-signed.zip target/${{ matrix.target }}/release/purescript-analyzer
+
+ - name: Upload the binary for notarization (macOS)
+ if: ${{ matrix.target == 'universal-apple-darwin' }}
+ env:
+ KEY_ID: ${{ secrets.KEY_ID }}
+ ISSUER: ${{ secrets.ISSUER }}
+ run: |
+ xcrun notarytool submit $RUNNER_TEMP/purescript-analyzer-signed.zip \
+ --key "${{ steps.keychain.outputs.auth_key_path }}" \
+ --key-id "$KEY_ID" \
+ --issuer "$ISSUER" \
+ --wait
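Review bot: In the keychain step of the `@@ -46,7 +46,50 @@` hunk, `security import … -A` lets any process on the runner use the imported signing key without a prompt, and the keychain stays unlocked while the following `Build and Release` step runs a third-party action (referenced by the movable tag `@v1`) and the cargo build. Restricting access to the signing tool is narrower: `security import $CERTIFICATE_PATH -P "$P12_PASSWORD" -T /usr/bin/codesign -t cert -f pkcs12 -k $KEYCHAIN_PATH`; confirm on a runner that the existing `set-key-partition-list` line still lets codesign through. The notarization key is also decoded to `AuthKey.p8` in this step, before the build, although only the last step of the job reads it; decoding it inside the notarization step would keep it out of reach of build scripts. The `.p12` can be deleted right after the import with `rm -f "$CERTIFICATE_PATH"`, and the provisioning profile is probably unnecessary for a command-line binary.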
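Review bot: Nothing after the notarization step in the `@@ -57,3 +100,24 @@` hunk removes the temporary keychain, `build_certificate.p12`, the provisioning profile or `AuthKey.p8`, so on a self-hosted or reused runner the signing material would outlive the job; a final step guarded by `always()` should delete them, as sketched below. `Build and Release` also appears to publish the asset before `notarytool submit --wait` has returned, so a rejected submission would leave an un-notarized binary on the release with only this step's exit status as the signal. The `--key` argument expands `${{ steps.keychain.outputs.auth_key_path }}` into the script text; passing it through `env:` like `KEY_ID` and `ISSUER` keeps expression expansion out of the shell script. The job may continue outside the hunk.

```yaml
      # … unchanged: zip and notarytool submit steps …

      - name: Clean up keychain and signing material (macOS)
        if: ${{ always() && matrix.target == 'universal-apple-darwin' }}
        run: |
          security delete-keychain "$RUNNER_TEMP/app-signing.keychain-db" || true
          rm -f "$RUNNER_TEMP/build_certificate.p12" \
            "$RUNNER_TEMP/build_pp.provisionprofile" \
            "$RUNNER_TEMP/AuthKey.p8" \
            "$RUNNER_TEMP/purescript-analyzer-signed.zip"
```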