
Commit 8a42f2d

committed
Enhance release workflow with keychain management and codesigning for xcframework
1 parent 1a4306b commit 8a42f2d


1 file changed

+38
-5
lines changed


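--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -1,6 +1,7 @@
-name: release sqlite-js
+name: build, test and release sqlite-js
 on:
 push:
+workflow_dispatch:
 
 permissions:
 contents: write
@@ -86,6 +87,35 @@ jobs:
 - name: build sqlite-js
 run: ${{ matrix.name == 'linux-musl' && matrix.arch == 'arm64' && 'docker exec alpine' || '' }} make extension ${{ matrix.make && matrix.make || ''}}
 
+- name: create keychain for codesign
+if: matrix.os == 'macos-15'
+run: |
+echo "${{ secrets.APPLE_CERTIFICATE }}" | base64 --decode > certificate.p12
+security create-keychain -p "${{ secrets.KEYCHAIN_PASSWORD }}" build.keychain
+security default-keychain -s build.keychain
+security unlock-keychain -p "${{ secrets.KEYCHAIN_PASSWORD }}" build.keychain
+security import certificate.p12 -k build.keychain -P "${{ secrets.CERTIFICATE_PASSWORD }}" -T /usr/bin/codesign
+security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "${{ secrets.KEYCHAIN_PASSWORD }}" build.keychain
+
+- name: codesign dylib
+if: matrix.os == 'macos-15' && matrix.name != 'apple-xcframework'
+run: codesign --sign "${{ secrets.APPLE_TEAM_ID }}" --timestamp --options runtime dist/js.dylib
+
+- name: codesign and notarize xcframework
+if: matrix.name == 'apple-xcframework'
+run: |
+find dist/js.xcframework -name "*.framework" -exec echo "Signing: {}" \; -exec codesign --sign "${{ secrets.APPLE_TEAM_ID }}" --timestamp --options runtime {} \; # Sign each individual framework FIRST
+codesign --sign "${{ secrets.APPLE_TEAM_ID }}" --timestamp --options runtime dist/js.xcframework # Then sign the xcframework wrapper
+ditto -c -k --keepParent dist/js.xcframework dist/js.xcframework.zip
+xcrun notarytool submit dist/js.xcframework.zip --apple-id "${{ secrets.APPLE_ID }}" --password "${{ secrets.APPLE_PASSWORD }}" --team-id "${{ secrets.APPLE_TEAM_ID }}" --wait
+rm dist/js.xcframework.zip
+
+- name: cleanup keychain for codesign
+if: matrix.os == 'macos-15'
+run: |
+rm certificate.p12
+security delete-keychain build.keychain
+
 - name: android setup test environment
 if: matrix.name == 'android' && matrix.arch != 'arm64-v8a'
 run: |
@@ -101,6 +131,7 @@ jobs:
 unzip sqlite-amalgamation-*.zip
 export ${{ matrix.make }}
 $ANDROID_NDK/toolchains/llvm/prebuilt/linux-x86_64/bin/${{ matrix.arch }}-linux-android26-clang sqlite-amalgamation-*/shell.c sqlite-amalgamation-*/sqlite3.c -o sqlite3 -ldl
+# remove unused folders to save up space
 rm -rf sqlite-amalgamation-*.zip sqlite-amalgamation-*
 echo "::endgroup::"
 
@@ -130,6 +161,7 @@ jobs:
 run: ${{ matrix.name == 'linux-musl' && matrix.arch == 'arm64' && 'docker exec alpine' || '' }} make test ${{ matrix.make && matrix.make || ''}}
 
 - uses: actions/[email protected]
+if: always()
 with:
 name: js-${{ matrix.name }}${{ matrix.arch && format('-{0}', matrix.arch) || '' }}
 path: dist/js.*
@@ -155,11 +187,10 @@ jobs:
 - name: release tag version from sqlitejs.h
 id: tag
 run: |
-FILE="src/sqlitejs.h"
-VERSION=$(grep -oP '#define SQLITE_JS_VERSION\s+"\K[^"]+' "$FILE")
+VERSION=$(make version)
 if [[ "$VERSION" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
 LATEST=$(curl -s -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" https://api.github.com/repos/${{ github.repository }}/releases/latest | jq -r '.name')
-if [[ "$VERSION" != "$LATEST" ]]; then
+if [[ "$VERSION" != "$LATEST" || "$GITHUB_EVENT_NAME" == "workflow_dispatch" ]]; then
 echo "version=$VERSION" >> $GITHUB_OUTPUT
 else
 echo "::warning file=src/sqlitejs.h::To release a new version, please update the SQLITE_JS_VERSION in src/sqlitejs.h to be different than the latest $LATEST"
@@ -174,8 +205,10 @@ jobs:
 for folder in "artifacts"/*; do
 if [ -d "$folder" ]; then
 name=$(basename "$folder")
+if [[ "$name" != "js-apple-xcframework" ]]; then
+tar -czf "${name}-${{ steps.tag.outputs.version }}.tar.gz" -C "$folder" .
+fi
 (cd "$folder" && zip -rq "../../${name}-${{ steps.tag.outputs.version }}.zip" .)
-tar -czf "${name}-${{ steps.tag.outputs.version }}.tar.gz" -C "$folder" .
 fi
 done
 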
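Review bot: The `cleanup keychain for codesign` step is gated only by `if: matrix.os == 'macos-15'`, so it is skipped whenever an earlier step fails (for example a rejected `notarytool submit`), leaving `certificate.p12` and the `build.keychain` holding the imported signing key on the runner; `if: always() && matrix.os == 'macos-15'` with `rm -f` would make it run regardless. In the keychain and signing steps the secrets are expanded by `${{ secrets.* }}` straight into the script text, so a value containing a quote, `$` or backtick alters the script; mapping them through `env:` and referencing shell variables avoids that, and the same applies to `APPLE_TEAM_ID`, `APPLE_ID` and `APPLE_PASSWORD` in the codesign and notarize steps. Decoding the certificate under `$RUNNER_TEMP` instead of the workspace keeps it out of reach of any later step that packages or uploads workspace files. As far as the first hunk shows, `push:` carries no branch filter, so the signing identity and notarization credentials are exercised on every push to any branch; consider limiting these steps to the release ref or a protected environment.

```yaml
- name: create keychain for codesign
  if: matrix.os == 'macos-15'
  env:
    APPLE_CERTIFICATE: ${{ secrets.APPLE_CERTIFICATE }}
    KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }}
    CERTIFICATE_PASSWORD: ${{ secrets.CERTIFICATE_PASSWORD }}
  run: |
    echo "$APPLE_CERTIFICATE" | base64 --decode > "$RUNNER_TEMP/certificate.p12"
    security create-keychain -p "$KEYCHAIN_PASSWORD" build.keychain
    # … unchanged: security default-keychain …
    security unlock-keychain -p "$KEYCHAIN_PASSWORD" build.keychain
    security import "$RUNNER_TEMP/certificate.p12" -k build.keychain -P "$CERTIFICATE_PASSWORD" -T /usr/bin/codesign
    security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$KEYCHAIN_PASSWORD" build.keychain

# … unchanged: codesign dylib, codesign and notarize xcframework (same env: mapping applies) …

- name: cleanup keychain for codesign
  if: always() && matrix.os == 'macos-15'
  run: |
    rm -f "$RUNNER_TEMP/certificate.p12"
    security delete-keychain build.keychain
```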