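---
# Release workflow: builds the macOS app with SwiftPM, signs it with a
# Developer ID certificate held in a throw-away keychain, notarizes and
# staples it, packages DMG + ZIP artifacts and publishes a GitHub release.
# Triggered only by pushing a tag of the form v<version>.
name: Release

on:  # yamllint disable-line rule:truthy -- GitHub's loader reads this key as-is
  push:
    tags:
      - 'v*'

# Least privilege: the only write scope needed is `contents`
# (`gh release create` uploads assets to this repository); every other
# scope stays at its default of none.
permissions:
  contents: write

defaults:
  run:
    # An explicit `shell: bash` makes the runner invoke
    # `bash --noprofile --norc -eo pipefail`; the implicit default is only
    # `bash -e`, so a failing left-hand side of a pipeline (e.g. the
    # `security list-keychains | tr` substitution below) would otherwise be
    # silently ignored.
    shell: bash

jobs:
  build-and-release:
    name: Build, sign, notarize, and release
    runs-on: macos-15
    env:
      APP_BUNDLE: Reading List.app
    steps:
      - name: Select Xcode
        run: sudo xcode-select -s /Applications/Xcode_26.3.app

      - name: Checkout
        # Supply chain: consider pinning to a full commit SHA instead of the
        # floating major tag, e.g. `actions/checkout@<full-commit-sha>  # v4`
        # (placeholder -- look up the SHA of the release you intend to use).
        uses: actions/checkout@v4
        # NOTE(review): later steps authenticate through GH_TOKEN in their own
        # env, so `with: persist-credentials: false` is likely safe here --
        # confirm no private SwiftPM dependency relies on the persisted git
        # credential before adding it.

      - name: Extract version from tag
        id: version
        # GITHUB_REF_NAME is the pushed tag (e.g. v1.2.3); strip the leading "v".
        run: echo "version=${GITHUB_REF_NAME#v}" >> "$GITHUB_OUTPUT"

      - name: Import signing certificate
        env:
          CERTIFICATE_BASE64: ${{ secrets.DEVELOPER_ID_CERTIFICATE_BASE64 }}
          CERTIFICATE_PASSWORD: ${{ secrets.DEVELOPER_ID_CERTIFICATE_PASSWORD }}
        run: |
          # The keychain lives under RUNNER_TEMP and is deleted by the final
          # "Cleanup keychain" step; both steps must agree on this path.
          KEYCHAIN_PATH="$RUNNER_TEMP/build.keychain-db"
          KEYCHAIN_PASSWORD="$(openssl rand -base64 32)"
          # Mask the freshly generated password so it cannot appear in the step log.
          echo "::add-mask::$KEYCHAIN_PASSWORD"

          # Create temporary keychain; -l locks it on sleep, -u/-t lock it
          # after 21600 s (6 h) idle.
          security create-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
          security set-keychain-settings -lut 21600 "$KEYCHAIN_PATH"
          security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"

          # Import certificate: the decoded .p12 is on disk only for the
          # duration of `security import` and is removed right after.
          # -T restricts non-prompting access to the key to codesign.
          CERT_PATH="$RUNNER_TEMP/certificate.p12"
          echo "$CERTIFICATE_BASE64" | base64 --decode > "$CERT_PATH"
          security import "$CERT_PATH" \
            -k "$KEYCHAIN_PATH" \
            -P "$CERTIFICATE_PASSWORD" \
            -T /usr/bin/codesign
          rm -f "$CERT_PATH"

          # Allow codesign to access the keychain without a UI prompt
          security set-key-partition-list \
            -S apple-tool:,apple:,codesign: \
            -s -k "$KEYCHAIN_PASSWORD" \
            "$KEYCHAIN_PATH"

          # Prepend to the user search list while keeping the existing
          # keychains. $EXISTING_KEYCHAINS is intentionally unquoted so each
          # path becomes a separate argument.
          EXISTING_KEYCHAINS="$(security list-keychains -d user | tr -d '"' | tr '\n' ' ')"
          # shellcheck disable=SC2086
          security list-keychains -d user -s "$KEYCHAIN_PATH" $EXISTING_KEYCHAINS

      - name: Build
        run: swift build -c release

      - name: Assemble app bundle
        env:
          VERSION: ${{ steps.version.outputs.version }}
        run: |
          # Find the compiled executable (same configuration as the Build
          # step, so --show-bin-path resolves to the products just built).
          BIN_PATH="$(swift build -c release --show-bin-path)"
          EXECUTABLE="$BIN_PATH/Reading List"
          if [[ ! -f "$EXECUTABLE" ]]; then
            echo "ERROR: Executable not found at $EXECUTABLE"
            ls -la "$BIN_PATH/"
            exit 1
          fi

          # Assemble .app bundle
          mkdir -p "$APP_BUNDLE/Contents/MacOS"
          mkdir -p "$APP_BUNDLE/Contents/Resources"
          cp "$EXECUTABLE" "$APP_BUNDLE/Contents/MacOS/Reading List"
          cp Info.plist "$APP_BUNDLE/Contents/Info.plist"

          # Copy pre-compiled icon assets (built locally via actool from AppIcon.icon)
          cp Resources/AppIcon.icns "$APP_BUNDLE/Contents/Resources/AppIcon.icns"
          cp Resources/Assets.car "$APP_BUNDLE/Contents/Resources/Assets.car"
          cp Resources/PrivacyInfo.xcprivacy "$APP_BUNDLE/Contents/Resources/PrivacyInfo.xcprivacy"

          # Set version in Info.plist. CFBundleVersion is a build timestamp,
          # so two runs of the same tag yield different bundles (not
          # reproducible byte-for-byte, but monotonically increasing).
          /usr/libexec/PlistBuddy -c "Set :CFBundleShortVersionString $VERSION" "$APP_BUNDLE/Contents/Info.plist"
          /usr/libexec/PlistBuddy -c "Set :CFBundleVersion $(date +%Y%m%d%H%M%S)" "$APP_BUNDLE/Contents/Info.plist"

          echo "App bundle assembled at $APP_BUNDLE"
          ls -la "$APP_BUNDLE/Contents/MacOS/"

      - name: Sign app
        env:
          DEVELOPER_ID_APPLICATION: ${{ secrets.DEVELOPER_ID_APPLICATION }}
        run: |
          # Hardened runtime (--options runtime) and a secure timestamp are
          # both prerequisites for notarization.
          codesign --force \
            --sign "$DEVELOPER_ID_APPLICATION" \
            --entitlements Entitlements.plist \
            --options runtime \
            --timestamp \
            "$APP_BUNDLE"
          # Fail the job here, before notarization, if the signature is not
          # strictly valid; --verbose=2 puts the reason in the log.
          codesign --verify --strict --verbose=2 "$APP_BUNDLE"

      - name: Notarize app
        env:
          APPLE_ID: ${{ secrets.APPLE_ID }}
          # NOTE(review): presumably an app-specific password rather than the
          # account password -- confirm in the secret's documentation.
          APPLE_ID_PASSWORD: ${{ secrets.APPLE_ID_PASSWORD }}
          TEAM_ID: ${{ secrets.TEAM_ID }}
        run: |
          ditto -c -k --keepParent "$APP_BUNDLE" "ReadingList-notarize.zip"
          xcrun notarytool submit "ReadingList-notarize.zip" \
            --apple-id "$APPLE_ID" \
            --password "$APPLE_ID_PASSWORD" \
            --team-id "$TEAM_ID" \
            --wait
          # Staple the ticket so Gatekeeper can verify the app offline, then
          # confirm the staple actually attached before the bundle is packaged.
          xcrun stapler staple "$APP_BUNDLE"
          xcrun stapler validate "$APP_BUNDLE"
          rm -f "ReadingList-notarize.zip"

      - name: Create DMG
        env:
          VERSION: ${{ steps.version.outputs.version }}
          DEVELOPER_ID_APPLICATION: ${{ secrets.DEVELOPER_ID_APPLICATION }}
        run: |
          mkdir -p dmg-staging
          cp -R "$APP_BUNDLE" dmg-staging/
          ln -s /Applications dmg-staging/Applications
          hdiutil create \
            -volname "Reading List" \
            -srcfolder dmg-staging \
            -ov \
            -format UDZO \
            "Reading-List-${VERSION}.dmg"
          # The image is signed but not itself submitted for notarization; the
          # stapled app inside carries the ticket. NOTE(review): consider
          # notarizing and stapling the DMG as well so the image itself passes
          # Gatekeeper offline -- confirm against current Apple guidance.
          codesign --force --sign "$DEVELOPER_ID_APPLICATION" --timestamp "Reading-List-${VERSION}.dmg"
          rm -rf dmg-staging

      - name: Create ZIP
        env:
          VERSION: ${{ steps.version.outputs.version }}
        run: |
          ditto -c -k --keepParent "$APP_BUNDLE" "Reading-List-${VERSION}.zip"

      - name: Create GitHub Release
        env:
          # The job-scoped GITHUB_TOKEN (contents: write) is sufficient; no
          # long-lived PAT is involved.
          GH_TOKEN: ${{ github.token }}
          VERSION: ${{ steps.version.outputs.version }}
        run: |
          gh release create "$GITHUB_REF_NAME" \
            --title "Reading List v${VERSION}" \
            --generate-notes \
            "Reading-List-${VERSION}.dmg#Reading List ${VERSION} (DMG)" \
            "Reading-List-${VERSION}.zip#Reading List ${VERSION} (ZIP)"

      - name: Cleanup keychain
        # Runs even when an earlier step failed, so the signing key never
        # outlives the job.
        if: always()
        run: |
          # Must match the path used in "Import signing certificate".
          KEYCHAIN_PATH="$RUNNER_TEMP/build.keychain-db"
          security delete-keychain "$KEYCHAIN_PATH" 2>/dev/null || true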