qs-push-plugin.swift (#3081)

* CI and tooling rework for plugins

Summary of changes:

qs-push-plugin:

- convert from ruby to Swift
- the initial version in this commit was generated by chatgpt 5 pro on
20251022 using the historical ruby implementation of qs-push-plugin as
input and the simple prompt `Convert the below Ruby script to a Swift
script that only uses the stdlib.`
- minor changes from the LLM output (e.g. dispatchGroup instead of semaphore)

.github/workflows/ci.yml, Quicksilver/Tools/qsrelease, Quicksilver/Tools/qssign, Quicksilver/Tools/qstest:

- some much needed maintenance as these have accumulated a little cruft in the last few years
- `QS_BUILD_ONLY` removed as functionality was duplicated with QS_DONT_SIGN
- `QS_DONT_SIGN` removed as we weren't automatically signing using `qsrelease`
  - signing happens via XCode if running interactively
  - previously CI was using `QS_DONT_SIGN` and manually calling `qssign` when appropriate
  - this change just makes the above more explicit by removing `qssign` from `qsrelease`, so `QS_DONT_SIGN` is no longer useful
- added `QS_DONT_TEST` which allows us to skip testing in `qsrelease`
  - this can be helpful for example when building plugins, as the Quicksilver build is done from a tagged release (for which we can be confident tests have already been run)
  - alternatively could consider mirroring the `qssign` changes and just make `qstest` a manual thing
- moved much of the signing logic from yaml to qssign
  - much easier to write and maintain with appropriate linters, formatters, highighting, etc.
- removed calls to set up the self-signed cert, as this process is not useful or needed in CI

Quicksilver/Quicksilver.xcodeproj/project.pbxproj:

- set signing identity to ad-hoc (`-`) for the testing scheme
  - our current tests do not require special permissions, therefore do not require the special cert

Quicksilver/Tools/utils.sh

- new file to hold shell functions that are useful to share between our other scripts
- should reduce duplicated code and help with readability and maintainability

Quicksilver/Tools/build-qs-plugin:

- new script to build a plugin
- given that the QS frameworks are required to build a plugin, we already clone the QS source as part of building a plugin
- therefore adding a script to the QS source lets us keep the bulk of the logic in one place
- works in conjunction with the new <https://github.com/quicksilver/qs-plugin-action>
- this lets us remove a *ton* of build logic from the CI scripts in each individual plugin repo; they can essentially be reduced to just passing in the required secrets and `use`ing the new action

* Rename build-qs-plugin qs-build-plugin

For consistency with other tooling

Author: n8henrie

.github/workflows/ci.yml

@@ -14,16 +14,13 @@ on:
 jobs:
   build:
     runs-on: macos-latest
-    env:
-      QS_DONT_SIGN: 1
     steps:
       - uses: actions/checkout@v4
         with:
           submodules: recursive
       - name: Build debug version
         working-directory: Quicksilver
         run: |
-          ./Tools/codesign/setup_cert.sh
           ./Tools/qsrelease Debug
           mv /tmp/QS/build/Debug/Quicksilver{,-debug}.zip
       - name: Upload debug version
@@ -37,12 +34,7 @@ jobs:
           ./Tools/qsrelease
       - name: Prepare DMG_INGREDIENTS artifact
         working-directory: /tmp/QS/build/Release/
-        run: |
-          cp \
-            /tmp/qs_build_settings \
-            /tmp/Quicksilver.entitlements \
-            ./dmg/
-          tar -czvf ./dmg_ingredients.tar.gz ./dmg
+        run: tar -czvf ./dmg_ingredients.tar.gz ./dmg
       - name: Upload components for sign action
         uses: actions/upload-artifact@v4
         with:
@@ -53,16 +45,6 @@ jobs:
     needs: build
     runs-on: macos-latest
     if: startsWith(github.ref, 'refs/tags/v')
-    env:
-      MACOS_CERTIFICATE: ${{ secrets.MACOS_CERTIFICATE }}
-      MACOS_CERTIFICATE_PASSWORD: ${{ secrets.MACOS_CERTIFICATE_PASSWORD }}
-      KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }}
-
-      SIGNING_IDENTITY: ${{ secrets.SIGNING_IDENTITY }}
-      NOTARIZING_ID: ${{ secrets.NOTARIZING_ID }}
-      NOTARIZING_PASS: ${{ secrets.NOTARIZING_PASS }}
-
-      KEYCHAIN_PROFILE: "Quicksilver Notarization"
     steps:
       - name: Download dmg folder artifact
         uses: actions/download-artifact@v4
@@ -77,37 +59,23 @@ jobs:
             ./dmg/qs_build_settings \
             ./dmg/Quicksilver.entitlements \
             /tmp/
-          QS_INFO_VERSION=$(awk '/QS_INFO_VERSION/ { print $NF }' \
-            /tmp/qs_build_settings)
+          QS_INFO_VERSION=$(
+            awk '/QS_INFO_VERSION/ { print $NF }' /tmp/qs_build_settings
+          )
           echo "QS_INFO_VERSION=${QS_INFO_VERSION}" >> "${GITHUB_ENV}"
       - uses: actions/checkout@v4
         with:
           submodules: recursive
-      - name: Run Tools/qssign
+      - name: qssign
         working-directory: Quicksilver
+        env:
+          MACOS_CERTIFICATE: ${{ secrets.MACOS_CERTIFICATE }}
+          MACOS_CERTIFICATE_PASSWORD: ${{ secrets.MACOS_CERTIFICATE_PASSWORD }}
+          SIGNING_IDENTITY: ${{ secrets.SIGNING_IDENTITY }}
+          NOTARIZING_ID: ${{ secrets.NOTARIZING_ID }}
+          NOTARIZING_PASS: ${{ secrets.NOTARIZING_PASS }}
         run: |
-          # https://docs.github.com/en/actions/deployment/deploying-xcode-applications/installing-an-apple-certificate-on-macos-runners-for-xcode-development
-          KEYCHAIN_PATH=${RUNNER_TEMP}/app-signing.keychain-db
-          CERTIFICATE_PATH=${RUNNER_TEMP}/build_certificate.p12
-          base64 --decode --output "${CERTIFICATE_PATH}" <<<"${MACOS_CERTIFICATE}"
-          trap "rm -rf -- '${RUNNER_TEMP}'" EXIT
-
-          security create-keychain -p "${KEYCHAIN_PASSWORD}" "${KEYCHAIN_PATH}"
-          security default-keychain -s "${KEYCHAIN_PATH}"
-          security set-keychain-settings -lut 21600 "${KEYCHAIN_PATH}"
-
-          security unlock-keychain -p "${KEYCHAIN_PASSWORD}" "${KEYCHAIN_PATH}"
-
-          security import "${CERTIFICATE_PATH}" \
-            -P "${MACOS_CERTIFICATE_PASSWORD}" \
-            -A -t cert -f pkcs12 -k "${KEYCHAIN_PATH}"
-          rm -- "${CERTIFICATE_PATH}"
-          xcrun notarytool store-credentials "${KEYCHAIN_PROFILE}" \
-            --apple-id "${NOTARIZING_ID}" \
-            --team-id "${SIGNING_IDENTITY}" \
-            --password "${NOTARIZING_PASS}"
-
-          ./Tools/qssign
+          ./Tools/qssign ./Quicksilver.app
       - name: Download debug artifact
         uses: actions/download-artifact@v4
         with:
@@ -135,4 +103,4 @@ jobs:
           files: |
             /tmp/QS/build/Release/Quicksilver*.dmg
             /tmp/QS/build/Release/checksum.txt
-            /tmp/Quicksilver-debug.zip
+            /tmp/Quicksilver-debug.zip

Quicksilver/Quicksilver.xcodeproj/project.pbxproj

@@ -6383,7 +6383,7 @@
 				ARCHS = "$(ARCHS_STANDARD)";
 				CLANG_ENABLE_OBJC_ARC = YES;
 				CODE_SIGN_ENTITLEMENTS = Quicksilver.entitlements;
-				CODE_SIGN_IDENTITY = "Local Self-Signed";
+				CODE_SIGN_IDENTITY = "-";
 				DEVELOPMENT_TEAM = "";
 				FRAMEWORK_SEARCH_PATHS = (
 					"$(inherited)",

Quicksilver/Tools/qs-build-plugin

@@ -0,0 +1,68 @@
+#!/usr/bin/env bash
+
+set -Eeuf -o pipefail
+
+TOOLSDIR=$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)
+readonly TOOLSDIR
+. "${TOOLSDIR}/utils.sh"
+
+usage() {
+  printf 'USAGE:
+  CONFIGURATION=Release Tools/build-plugin /path/to/plugin
+'
+}
+
+main() {
+  local plugin_dir=${1:-}
+  # Fail early if plugin directory doesn't exit
+  if [[ ! -d "${plugin_dir}" ]]; then
+    usage
+    err "Plugin directory '${plugin_dir}' doesn't seem to exist"
+  fi
+
+  export CONFIGURATION=${CONFIGURATION:-Debug}
+
+  # build quicksilver to provide necessary frameworks
+  pushd "$(dirname "${BASH_SOURCE[0]}")"
+  ./qsrelease
+  popd
+
+  pushd "${plugin_dir}"
+  local project=$(find . -maxdepth 1 -name '*.xcodeproj' -not -iname "*test.xcodeproj" -print -quit)
+  local scheme_list
+  if [[ -z "${project}" ]]; then
+    scheme_list=$(xcodebuild -list -json || true)
+  else
+    scheme_list=$(xcodebuild -list -json -project "${project}")
+  fi
+
+  if [[ -z "${scheme_list}" ]]; then
+    err "unable to determine scheme list"
+  fi
+
+  local scheme=$(json '["project"]["targets"][0]' <<< "${scheme_list}")
+  log "Using default scheme: ${scheme}"
+
+  # Absence of a project can still build, but will error if `-project` is specified
+  local opts=(
+    -configuration "${CONFIGURATION}"
+    -scheme "${scheme}"
+    -destination 'generic/platform=macos'
+  )
+  if [[ -n "${project}" ]]; then
+    opts+=(-project "${project}")
+  fi
+  xcodebuild build -quiet "${opts[@]}"
+
+  local settings=$(xcodebuild -configuration "${CONFIGURATION}" -showBuildSettings -json)
+  local plugin_name=$(json '[0]["buildSettings"]["FULL_PRODUCT_NAME"]' <<< "${settings}")
+  local build_dir=$(json '[0]["buildSettings"]["BUILT_PRODUCTS_DIR"]' <<< "${settings}")
+  local expected="${build_dir}/${plugin_name}"
+
+  if [[ -d "${expected}" ]]; then
+    log "Plugin successfully built to ${expected}"
+  else
+    err "Did not find built plugin at ${expected}"
+  fi
+}
+main "$@"