Skip to content
Package pull requests

docs(readme): adjust shields for consistency #27

Sign in to view logs

docs(readme): adjust shields for consistency

docs(readme): adjust shields for consistency #27

Workflow file for this run

.github/workflows/build_pr.yml at a907a68
name: "Package pull requests"
on:
pull_request_target:
types: [labeled]
jobs:
build:
name: "Build artifact"
runs-on: macos-15
if: contains(github.event.pull_request.labels.*.name, 'buildable')
env:
XCODE_PATH: "/Applications/Xcode_16.app"
# These variables are defined in the repository settings
PROJECT_NAME: ${{ vars.PROJECT_NAME }}
INSTALLER_CERTIFICATE: ${{ vars.DEV_INSTALLER_CERT_CN }}
steps:
- name: Checkout
uses: actions/checkout@v4 # v4
- name: Install app signing certificate
uses: apple-actions/import-codesign-certs@v3 # v3
with:
keychain-password: ${{ github.run_id }}
p12-file-base64: ${{ secrets.APP_CERTIFICATE_P12 }}
p12-password: ${{ secrets.APP_CERTIFICATE_P12_PASSWORD }}
- name: Install package signing certificate
uses: apple-actions/import-codesign-certs@v3 # v3
with:
create-keychain: false # do not create a new keychain for this value
keychain-password: ${{ github.run_id }}
p12-file-base64: ${{ secrets.PKG_CERTIFICATE_P12 }}
p12-password: ${{ secrets.PKG_CERTIFICATE_P12_PASSWORD }}
- name: Build and analyze bundle
run: |
xcodebuild -project "${{ env.PROJECT_NAME }}/${{ env.PROJECT_NAME }}.xcodeproj" clean build analyze -configuration Release
- name: Setup notarization
run: |
"${{ env.XCODE_PATH }}/Contents/Developer/usr/bin/notarytool" store-credentials \
--key /dev/stdin \
--key-id "${{ secrets.NOTARY_AUTH_KEY_ID }}" \
--issuer "${{ secrets.NOTARY_ISSUER_UUID }}" \
default <<< "${{ secrets.NOTARY_AUTH_KEY }}"
- name: Notarize bundle
run: |
BUNDLE="${{ env.PROJECT_NAME }}/build/Release/${{ env.PROJECT_NAME }}"
xattr -rc "${BUNDLE}.bundle"
ditto -c -k --keepParent "${BUNDLE}.bundle" "${BUNDLE}.zip"
"${{ env.XCODE_PATH }}/Contents/Developer/usr/bin/notarytool" submit \
"${BUNDLE}.zip" \
--keychain-profile "default" \
--wait
"${{ env.XCODE_PATH }}/Contents/Developer/usr/bin/stapler" staple \
"${BUNDLE}.bundle"
rm "${BUNDLE}.zip"
- name: Set environment variables
run: |
INFO_FILE="${{ env.PROJECT_NAME }}/build/Release/${{ env.PROJECT_NAME }}.bundle/Contents/Info.plist"
IDENTIFIER=$(/usr/libexec/PlistBuddy -c "Print:CFBundleIdentifier" "${INFO_FILE}")
echo "IDENTIFIER=${IDENTIFIER}" >> "$GITHUB_ENV"
VERSION=$(/usr/libexec/PlistBuddy -c "Print:CFBundleShortVersionString" "${INFO_FILE}")
echo "VERSION=${VERSION}" >> "$GITHUB_ENV"
echo "PKG_NAME=${{ env.PROJECT_NAME }}-${VERSION}" >> "$GITHUB_ENV"
echo "PKG_PATH=${{ env.PROJECT_NAME }}/build" >> "$GITHUB_ENV"
- name: Build installer package
run: |
ID="${{ env.IDENTIFIER }}"
PKGROOT=$(mktemp -d /tmp/${ID##*.}-build-root-XXXXXXXXXXX)
mkdir -p "${PKGROOT}/Library/Security/SecurityAgentPlugins"
cp -R "${{ env.PKG_PATH }}/Release/${{ env.PROJECT_NAME }}.bundle" "${PKGROOT}/Library/Security/SecurityAgentPlugins/${{ env.PROJECT_NAME }}.bundle"
pkgbuild --root "${PKGROOT}" \
--identifier "${ID}" \
--version "${{ env.VERSION }}" \
--scripts scripts/pkg \
"${{ env.PKG_PATH }}/${{ env.PKG_NAME }}.pkg"
rm -rf "${PKGROOT}"
- name: Convert to distribution package and sign
run: |
productbuild --sign "${{ env.INSTALLER_CERTIFICATE }}" \
--package "${{ env.PKG_PATH }}/${{ env.PKG_NAME }}.pkg" \
"${{ env.PKG_PATH }}/${{ env.PKG_NAME }}-signed.pkg"
rm -f "${{ env.PKG_PATH }}/${{ env.PKG_NAME }}.pkg"
- name: Notarize package
run: |
"${{ env.XCODE_PATH }}/Contents/Developer/usr/bin/notarytool" submit \
"${{ env.PKG_PATH }}/${{ env.PKG_NAME }}-signed.pkg" \
--keychain-profile "default" \
--wait
"${{ env.XCODE_PATH }}/Contents/Developer/usr/bin/stapler" staple \
"${{ env.PKG_PATH }}/${{ env.PKG_NAME }}-signed.pkg"
mkdir -p artifacts
mv "${{ env.PKG_PATH }}/${{ env.PKG_NAME }}-signed.pkg" "artifacts/${{ env.PKG_NAME }}.pkg"
- name: Upload package
uses: actions/upload-artifact@v4 # v4
with:
name: ${{ env.PKG_NAME }}
path: artifacts/
retention-days: 14