sign in check #6
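---
# Resigns and notarizes the macOS CLI build for one pinned release version.
# Runs only on pushes to the dedicated resign branch. Nothing is published:
# GoReleaser runs with --skip-publish and the signed output is kept as a
# workflow artifact (retention-days below).
name: macOS Resign

on:
  push:
    branches:
      # Keep in sync with RELEASE_VERSION below; a branch filter cannot read env.
      - other/mac-resign-2.3.48

# NOTE(review): no step in this file pushes to the repository or requests an
# OIDC token, so `contents: write` and `id-token: write` look broader than
# needed. Confirm against .goreleaser-mac-only.yml before tightening to
# `contents: read`.
permissions:
  id-token: write
  contents: write

jobs:
  build:
    runs-on: macos-latest
    env:
      # Single source of truth for the version that is tagged and uploaded.
      # Quoted so no YAML consumer ever reads it as a number.
      RELEASE_VERSION: "2.3.48"
      # Apple Developer team ID, shared by the gon config and notarytool.
      APPLE_TEAM_ID: Z68SAQG5BR
      # AC_PASSWORD is deliberately NOT a job-level variable: it is injected
      # only into the two steps that use it, so third-party actions
      # (checkout, setup-go, import-codesign-certs, upload-artifact) never
      # see the App Store Connect secret in their environment.
    steps:
      - name: Checkout
        uses: actions/checkout@1e31de5234b9f8995739874a8ce0492dc87873e2 # v4
        with:
          # Full history so the locally created release tag is usable below.
          fetch-depth: 0

      - name: Install Go
        uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4
        with:
          go-version-file: go.mod

      - name: Import Code-Signing Certificates
        uses: Apple-Actions/import-codesign-certs@253ddeeac23f2bdad1646faac5c8c2832e800071 # v1
        with:
          p12-file-base64: ${{ secrets.APPLE_DEVELOPER_CERTIFICATE_P12_BASE64 }}
          p12-password: ${{ secrets.APPLE_DEVELOPER_CERTIFICATE_PASSWORD }}

      - name: Pin Homebrew and install gon
        # Homebrew itself is pinned to a tag, but the gon formula from the
        # third-party tap is installed unpinned — the one dependency in this
        # job that is not locked to a known revision.
        run: |
          cd "$(brew --repo)"
          git fetch --tags
          git checkout 4.4.15
          export HOMEBREW_NO_AUTO_UPDATE=1
          brew install Bearer/tap/gon

      - name: Generate gon config
        env:
          AC_USER: ${{ secrets.AC_USER }}
        run: |
          python3 - <<'PYEOF'
          import os

          username = os.environ['AC_USER']
          provider = os.environ['APPLE_TEAM_ID']
          identity = f"Developer ID Application: CHECKMARX LTD ({provider})"
          # The password is never written to disk: gon resolves
          # @env:AC_PASSWORD from its own environment at run time.
          content = f'''source = ["./dist/cx-mac-universal_darwin_all/cx"]
          bundle_id = "com.checkmarx.cli"
          apple_id {{
            username = "{username}"
            password = "@env:AC_PASSWORD"
            provider = "{provider}"
          }}
          sign {{
            application_identity = "{identity}"
          }}
          dmg {{
            output_path = "./dist/cx-mac-universal_darwin_all/cx.dmg"
            volume_name = "cx"
          }}
          '''
          with open('gonMac-custom.hcl', 'w') as f:
              f.write(content)
          PYEOF

      - name: Tag current commit as release version
        run: |
          git config user.name "${GITHUB_ACTOR}"
          git config user.email "${GITHUB_ACTOR}@users.noreply.github.com"
          # Local tag only — nothing is pushed. -f overwrites a tag left by an
          # earlier run on this branch.
          git tag -f "${RELEASE_VERSION}"

      - name: Debug — list signing identities
        run: |
          echo "=== Available code-signing identities ==="
          security find-identity -v -p codesigning
          echo ""
          echo "=== gonMac-custom.hcl (secrets redacted) ==="
          # Only the Apple ID is sensitive; the password line is an @env
          # reference and the identity string is already in this workflow.
          sed -E 's/(username|application_identity)[[:space:]]*=[[:space:]]*".*"/\1 = "***REDACTED***"/g' gonMac-custom.hcl

      - name: Verify Apple notarization credentials
        env:
          AC_USER: ${{ secrets.AC_USER }}
          AC_PASSWORD: ${{ secrets.AC_PASSWORD }}
        run: |
          echo "=== Verifying Apple notarization credentials ==="
          # Intended to stop the job before the build if App Store Connect
          # rejects the credentials. The password is passed as an argument,
          # so it is visible in the runner's process list for this call.
          xcrun notarytool history \
            --apple-id "$AC_USER" \
            --password "$AC_PASSWORD" \
            --team-id "$APPLE_TEAM_ID" \
            --limit 1

      - name: Run GoReleaser
        # TODO(review): record the release tag this SHA corresponds to, as
        # the other pinned actions do.
        uses: goreleaser/goreleaser-action@b508e2e3ef3b19d4e4146d4f8fb3ba9db644a757
        with:
          version: v1.18.2
          args: release --clean --skip-publish --skip-validate --config .goreleaser-mac-only.yml
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          # Presumably gon is invoked from .goreleaser-mac-only.yml; the
          # generated config reads the password as @env:AC_PASSWORD, so this
          # is the only build step that needs it — confirm against that file.
          AC_PASSWORD: ${{ secrets.AC_PASSWORD }}

      - name: Upload signed macOS artifacts
        uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4
        with:
          name: macos-signed-${{ env.RELEASE_VERSION }}
          # NOTE(review): the dmg written by gon
          # (dist/cx-mac-universal_darwin_all/cx.dmg) is not in this list —
          # confirm whether it should be uploaded too.
          path: |
            dist/ast-cli_*_darwin_x64.tar.gz
            dist/ast-cli_darwin_x64.tar.gz
          retention-days: 30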