Changes_Workflow #8
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
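# macOS Resign workflow.
#
# On pushes to other/mac-resign-2.3.48 this job imports the Apple code-signing
# certificate, writes a gon config (gonMac-custom.hcl), runs GoReleaser with
# .goreleaser-mac-only.yml and uploads the darwin tarballs as an artifact.
#
# NOTE(review): the hosting page flagged this file as containing hidden or
# bidirectional Unicode text. Inspect the raw file in an editor that reveals
# such characters before trusting any rendered view of it.
name: macOS Resign

on:
  push:
    branches:
      - other/mac-resign-2.3.48

# NOTE(review): no step visible in this file requests an OIDC token or pushes
# to the repository (GoReleaser runs with --skip-publish and the tag is only
# created locally). Confirm whether this can be reduced to `contents: read`
# with `id-token` dropped.
permissions:
  id-token: write
  contents: write

jobs:
  build:
    runs-on: macos-latest
    # NOTE(review): job-level env exposes this secret to every step, including
    # the third-party actions below. Consider setting it only on the steps
    # that actually read it.
    env:
      AC_PASSWORD: ${{ secrets.AC_PASSWORD }}
    steps:
      # Third-party actions are pinned to full commit SHAs; the trailing
      # comment records the tag each SHA is believed to correspond to.
      - name: Checkout
        uses: actions/checkout@1e31de5234b9f8995739874a8ce0492dc87873e2  # v4
        with:
          fetch-depth: 0

      - name: Install Go
        uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9  # v4
        with:
          go-version-file: go.mod

      - name: Import Code-Signing Certificates
        uses: Apple-Actions/import-codesign-certs@253ddeeac23f2bdad1646faac5c8c2832e800071  # v1
        with:
          p12-file-base64: ${{ secrets.APPLE_DEVELOPER_CERTIFICATE_P12_BASE64 }}
          p12-password: ${{ secrets.APPLE_DEVELOPER_CERTIFICATE_PASSWORD }}

      - name: Pin Homebrew and install gon
        run: |
          # Check out a fixed Homebrew tag and disable auto-update so the
          # install below does not move to a newer Homebrew.
          cd "$(brew --repo)"
          git fetch --tags
          git checkout 4.4.15
          export HOMEBREW_NO_AUTO_UPDATE=1
          brew install Bearer/tap/gon

      - name: Generate gon config
        env:
          AC_USER: ${{ secrets.AC_USER }}
        run: |
          # Unquoted heredoc delimiter: $AC_USER is expanded by the shell
          # when the file is written.
          cat > gonMac-custom.hcl <<EOF
          source = ["./dist/cx-mac-universal_darwin_all/cx"]
          bundle_id = "com.checkmarx.cli"
          apple_id {
          username = "$AC_USER"
          provider = "Z68SAQG5BR"
          }
          sign {
          application_identity = "Developer ID Application: CHECKMARX LTD (Z68SAQG5BR)"
          }
          dmg {
          output_path = "./dist/cx-mac-universal_darwin_all/cx.dmg"
          volume_name = "cx"
          }
          EOF
          # NOTE(review): macOS ships BSD sed, where -i takes a mandatory
          # backup-suffix argument (BSD form: sed -i '' 's/...//' file).
          # Confirm this invocation behaves as intended on the runner. The
          # number of leading spaces in the pattern could not be confirmed
          # from the rendered page.
          sed -i 's/^ //' gonMac-custom.hcl

      - name: Tag current commit as release version
        run: |
          # The tag is created (or moved, because of -f) in the runner's
          # clone only; nothing in this step pushes it.
          git config user.name "${GITHUB_ACTOR}"
          git config user.email "${GITHUB_ACTOR}@users.noreply.github.com"
          git tag -f 2.3.48

      - name: Debug — list signing identities
        run: |
          echo "=== Available code-signing identities ==="
          security find-identity -v -p codesigning
          echo ""
          echo "=== gonMac-custom.hcl (secrets redacted) ==="
          # Print the config with the Apple ID and signing identity masked.
          sed -E 's/(username|application_identity)[[:space:]]*=[[:space:]]*".*"/\1 = "***REDACTED***"/g' gonMac-custom.hcl

      - name: Verify Apple notarization credentials
        env:
          AC_USER: ${{ secrets.AC_USER }}
        run: |
          echo "=== Verifying AC_PASSWORD is set ==="
          # Report presence only. The secret and its length must never be
          # written to the job log; log masking is a best-effort safety net,
          # not a control to rely on.
          if [ -z "${AC_PASSWORD:-}" ]; then
            echo "AC_PASSWORD is not set" >&2
            exit 1
          fi
          echo "AC_PASSWORD is set"
          echo ""
          echo "=== Verifying Apple notarization credentials ==="
          # NOTE(review): a password passed as an argument is visible in the
          # process list while the command runs. notarytool can instead read
          # credentials saved with `store-credentials` via --keychain-profile.
          xcrun notarytool history \
            --apple-id "$AC_USER" \
            --password "$AC_PASSWORD" \
            --team-id "Z68SAQG5BR"

      - name: Run GoReleaser
        uses: goreleaser/goreleaser-action@b508e2e3ef3b19d4e4146d4f8fb3ba9db644a757
        with:
          version: v1.18.2
          args: release --clean --skip-publish --skip-validate --config .goreleaser-mac-only.yml
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

      - name: Upload signed macOS artifacts
        uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392  # v4
        with:
          name: macos-signed-2.3.48
          path: |
            dist/ast-cli_*_darwin_x64.tar.gz
            dist/ast-cli_darwin_x64.tar.gz
          retention-days: 30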