Improve MAS process (#24) #8
Workflow file for this run
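# Release workflow: builds, signs, notarizes and uploads the macOS DMG as a
# draft pre-release. Runs on a pushed `v*` tag or on manual dispatch.
#
# NOTE(review): every `uses:` below is pinned to a mutable tag. This job holds
# the signing keys, the Apple credentials and a `contents: write` token, so
# pinning each action to a full commit SHA (third-party ones first) would keep
# a retagged action from running with them.
name: create-release-mac

on:
  push:
    tags:
      - 'v*'
  workflow_dispatch:
    inputs:
      tag:
        description: 'Optional tag (starts with `v`). Default to the tag of the selected branch.'
        required: false
        type: string

# Write access is needed by the release upload step at the end of the job.
permissions:
  contents: write

jobs:
  build:
    runs-on: macos-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          # Do not leave the write-scoped token in .git/config, where the
          # npm and Gradle steps below could read it.
          persist-credentials: false

      - name: Import Signing Certificate
        run: |
          set -euo pipefail

          # Decode the signing material into a private temp directory outside
          # the checkout and delete it when the step ends, so the private keys
          # never sit in the workspace that the later npm/Gradle steps read.
          CERT_DIR="$(mktemp -d "$RUNNER_TEMP/signing.XXXXXX")"
          trap 'rm -rf "$CERT_DIR"' EXIT

          # Create a temporary keychain
          security create-keychain -p "$KEYCHAIN_TEMP_PASSWORD" build.keychain
          security default-keychain -s build.keychain
          security unlock-keychain -p "$KEYCHAIN_TEMP_PASSWORD" build.keychain
          echo "Unlock build.keychain"

          # NOTE(review): `-A` lets any application use the imported key
          # without a prompt; the `-T` tool list plus the partition list set
          # at the end may be sufficient on their own - confirm against the
          # Gradle signing tasks before dropping it.
          # NOTE(review): the .p12 passphrase passed to `-P` is a literal in
          # this file, so the keys are protected only by the repository
          # secrets that hold the base64 blobs.
          echo "$BASE64_DEV_APP_CERT" | base64 --decode > "$CERT_DIR/devapp.cert"
          security import "$CERT_DIR/devapp.cert" -k build.keychain -A -T /usr/bin/codesign
          echo "Imported dev app cert"

          echo "$BASE64_DEV_APP_PRIVATE_KEY" | base64 --decode > "$CERT_DIR/devapp.p12"
          security import "$CERT_DIR/devapp.p12" -k build.keychain -A -P opensesame -T /usr/bin/codesign
          echo "Imported dev app private key"

          echo "$BASE64_MAC_DEV_APP_CERT" | base64 --decode > "$CERT_DIR/macdevapp.cert"
          security import "$CERT_DIR/macdevapp.cert" -k build.keychain -A -T /usr/bin/codesign
          echo "Imported mac dev app cert"

          echo "$BASE64_MAC_DEV_APP_PRIVATE_KEY" | base64 --decode > "$CERT_DIR/macdevapp.p12"
          security import "$CERT_DIR/macdevapp.p12" -k build.keychain -A -P opensesame -T /usr/bin/codesign
          echo "Imported mac dev app private key"

          echo "$BASE64_MAC_DEV_INSTALL_CERT" | base64 --decode > "$CERT_DIR/macdevinstall.cert"
          security import "$CERT_DIR/macdevinstall.cert" -k build.keychain -A -T /usr/bin/codesign
          echo "Imported mac dev install cert"

          echo "$BASE64_MAC_DEV_INSTALL_PRIVATE_KEY" | base64 --decode > "$CERT_DIR/macdevinstall.p12"
          security import "$CERT_DIR/macdevinstall.p12" -k build.keychain -A -P opensesame -T /usr/bin/productbuild
          echo "Imported mac dev install private key"

          security set-key-partition-list -S apple-tool:,apple: -s -k "$KEYCHAIN_TEMP_PASSWORD" build.keychain
        env:
          # Password of the throwaway keychain created above; it is not a
          # secret, but it is also the only thing locking that keychain.
          KEYCHAIN_TEMP_PASSWORD: opensesame
          BASE64_DEV_APP_CERT: ${{ secrets.BASE64_DEV_APP_CERT }}
          BASE64_DEV_APP_PRIVATE_KEY: ${{ secrets.BASE64_DEV_APP_PRIVATE_KEY }}
          BASE64_MAC_DEV_APP_CERT: ${{ secrets.BASE64_MAC_DEV_APP_CERT }}
          BASE64_MAC_DEV_APP_PRIVATE_KEY: ${{ secrets.BASE64_MAC_DEV_APP_PRIVATE_KEY }}
          BASE64_MAC_DEV_INSTALL_CERT: ${{ secrets.BASE64_MAC_DEV_INSTALL_CERT }}
          BASE64_MAC_DEV_INSTALL_PRIVATE_KEY: ${{ secrets.BASE64_MAC_DEV_INSTALL_PRIVATE_KEY }}

      - uses: actions/setup-java@v4
        with:
          distribution: temurin
          java-version: '21'
          cache: 'gradle'

      - uses: actions/setup-node@v4
        with:
          node-version: '22'

      - name: Setup Gradle
        uses: gradle/actions/setup-gradle@v3
        with:
          # Only runs for refs/heads/main may write the Gradle cache.
          cache-read-only: ${{ github.ref != 'refs/heads/main' }}

      - name: Get version
        id: version
        run: echo "VERSION=$(./gradlew -q printInternalVersion)" >> "$GITHUB_OUTPUT"

      - name: Validate the tag name
        # The dispatch input and the Gradle output reach the script through
        # the environment rather than through `${{ }}` interpolation: an
        # interpolated value is pasted into the script text before bash parses
        # it, so a crafted tag would run as shell in a job that has the
        # signing keychain and a write token.
        env:
          EVENT_NAME: ${{ github.event_name }}
          DISPATCH_TAG: ${{ github.event.inputs.tag }}
          PROJECT_VERSION: ${{ steps.version.outputs.VERSION }}
        run: |
          if [ "$EVENT_NAME" == "workflow_dispatch" ] && [ -n "$DISPATCH_TAG" ]; then
            TAG="$DISPATCH_TAG"
          else
            TAG="${GITHUB_REF#refs/tags/}"
          fi
          if [[ ! "$TAG" =~ ^v ]]; then
            echo "Error: Tag ($TAG) must start with 'v'"
            exit 1
          fi
          # Quoted right-hand side: compare literally, not as a glob pattern.
          if [[ "$TAG" != "v$PROJECT_VERSION" ]]; then
            echo "Error: Git tag version ($TAG) doesn't match project version (v$PROJECT_VERSION)"
            exit 1
          fi

      - name: Install Node modules
        # NOTE(review): `npm install` may resolve versions that differ from
        # the lockfile; if a lockfile is committed, `npm ci` would make the
        # signed build reproducible - confirm before switching.
        run: npm install

      - name: Build & notarize the DMG
        run: ./gradlew clean staple
        env:
          APPLE_EMAIL: ${{ secrets.APPLE_EMAIL }}
          APPLE_APP_SPECIFIC_PASSWORD: ${{ secrets.APPLE_APP_SPECIFIC_PASSWORD }}

      - name: Upload Release Asset
        uses: softprops/action-gh-release@v2
        with:
          draft: true
          prerelease: true
          files: ./build/dmg/*.dmg
          overwrite_files: true
          fail_on_unmatched_files: true
          generate_release_notes: true
          # Same tag selection as the validation step: the dispatch input if
          # one was given, otherwise the ref that triggered the run.
          tag_name: ${{ github.event_name == 'workflow_dispatch' && github.event.inputs.tag || github.ref_name }}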