Merge pull request #44 from haowu1234/exp/dashboard-daemon-research #39

Workflow file for this run

.github/workflows/macos-latest-release.yml at 21b710f

	name: macOS Latest Release

	on:
	push:
	branches:
	- main
	workflow_dispatch:
	inputs:
	allow_unsigned:
	description: "Allow ad-hoc signed macOS artifacts when Apple signing secrets are unavailable"
	required: false
	default: "true"
	type: choice
	options:
	- "true"
	- "false"

	permissions:
	contents: write

	concurrency:
	group: macos-latest-release
	cancel-in-progress: true

	jobs:
	build-macos:
	name: Build macOS ${{ matrix.target }}
	runs-on: macos-latest
	outputs:
	signing_mode: ${{ steps.prepare-signing.outputs.signing_mode }}
	strategy:
	fail-fast: false
	matrix:
	target:
	- aarch64-apple-darwin
	- x86_64-apple-darwin
	env:
	ALLOW_UNSIGNED: ${{ github.event_name == 'workflow_dispatch' && inputs.allow_unsigned \|\| 'true' }}
	steps:
	- name: Checkout
	uses: actions/checkout@v4
	with:
	fetch-depth: 0

	- name: Setup Python
	uses: actions/setup-python@v5
	with:
	python-version: "3.12"

	- name: Prepare Apple signing
	id: prepare-signing
	shell: bash
	env:
	APPLE_CERTIFICATE_BASE64: ${{ secrets.APPLE_CERTIFICATE_BASE64 }}
	APPLE_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
	APPLE_SIGNING_IDENTITY: ${{ secrets.APPLE_SIGNING_IDENTITY }}
	APPLE_ID: ${{ secrets.APPLE_ID }}
	APPLE_APP_SPECIFIC_PASSWORD: ${{ secrets.APPLE_APP_SPECIFIC_PASSWORD }}
	APPLE_PASSWORD_FALLBACK: ${{ secrets.APPLE_PASSWORD }}
	APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
	run: \|
	set -euo pipefail

	notary_password="${APPLE_APP_SPECIFIC_PASSWORD:-${APPLE_PASSWORD_FALLBACK:-}}"
	missing=()
	for var in APPLE_CERTIFICATE_BASE64 APPLE_CERTIFICATE_PASSWORD APPLE_SIGNING_IDENTITY APPLE_ID APPLE_TEAM_ID; do
	if [ -z "${!var:-}" ]; then
	missing+=("$var")
	fi
	done
	if [ -z "${notary_password}" ]; then
	missing+=("APPLE_APP_SPECIFIC_PASSWORD or APPLE_PASSWORD")
	fi

	if [ "${#missing[@]}" -gt 0 ]; then
	if [ "${ALLOW_UNSIGNED}" = "true" ]; then
	echo "::warning::Apple signing secrets are missing; publishing ad-hoc signed artifacts. These are useful for CI artifacts but are not Gatekeeper-smooth for general users."
	printf 'Missing: %s\n' "${missing[*]}"
	echo "MACOS_SIGNING_IDENTITY=-" >> "$GITHUB_ENV"
	echo "MACOS_NOTARIZE=0" >> "$GITHUB_ENV"
	echo "MACOS_RELEASE_SIGNING_MODE=ad-hoc" >> "$GITHUB_ENV"
	echo "signing_mode=ad-hoc" >> "$GITHUB_OUTPUT"
	exit 0
	fi
	echo "::error::Apple signing/notarization secrets are required for automatic latest releases."
	printf 'Missing: %s\n' "${missing[*]}"
	exit 1
	fi

	echo "::add-mask::${notary_password}"
	keychain_path="${RUNNER_TEMP}/elephant-signing.keychain-db"
	keychain_password="$(openssl rand -base64 32)"
	certificate_path="${RUNNER_TEMP}/apple-signing.p12"
	echo "::add-mask::${keychain_password}"

	echo "${APPLE_CERTIFICATE_BASE64}" \| base64 --decode > "${certificate_path}"
	security create-keychain -p "${keychain_password}" "${keychain_path}"
	security set-keychain-settings -lut 21600 "${keychain_path}"
	security unlock-keychain -p "${keychain_password}" "${keychain_path}"
	security import "${certificate_path}" \
	-k "${keychain_path}" \
	-P "${APPLE_CERTIFICATE_PASSWORD}" \
	-T /usr/bin/codesign \
	-T /usr/bin/security
	security set-key-partition-list -S apple-tool:,apple: -s -k "${keychain_password}" "${keychain_path}"
	security list-keychains -d user -s "${keychain_path}" $(security list-keychains -d user \| tr -d '"')

	echo "MACOS_SIGNING_IDENTITY=${APPLE_SIGNING_IDENTITY}" >> "$GITHUB_ENV"
	echo "MACOS_NOTARIZE=1" >> "$GITHUB_ENV"
	echo "MACOS_RELEASE_SIGNING_MODE=developer-id-notarized" >> "$GITHUB_ENV"
	echo "signing_mode=developer-id-notarized" >> "$GITHUB_OUTPUT"
	echo "APPLE_ID=${APPLE_ID}" >> "$GITHUB_ENV"
	echo "APPLE_PASSWORD=${notary_password}" >> "$GITHUB_ENV"
	echo "APPLE_TEAM_ID=${APPLE_TEAM_ID}" >> "$GITHUB_ENV"

	- name: Build macOS artifact
	shell: bash
	env:
	MACOS_APP_BUILD_NUMBER: ${{ github.run_number }}
	run: \|
	make macos-build MACOS_TARGET="${{ matrix.target }}"

	- name: Upload macOS artifact
	uses: actions/upload-artifact@v4
	with:
	name: macos-${{ matrix.target }}
	path: apps/macos/.build/artifacts/${{ matrix.target }}/*
	if-no-files-found: error
	retention-days: 14

	publish-latest:
	name: Publish latest release
	runs-on: ubuntu-latest
	needs:
	- build-macos
	steps:
	- name: Checkout
	uses: actions/checkout@v4
	with:
	fetch-depth: 0

	- name: Download macOS artifacts
	uses: actions/download-artifact@v4
	with:
	pattern: macos-*
	path: release-assets
	merge-multiple: true

	- name: Replace latest release
	shell: bash
	env:
	GH_TOKEN: ${{ github.token }}
	GITHUB_TOKEN: ${{ github.token }}
	MACOS_ASSET_DIR: ${{ github.workspace }}/release-assets
	MACOS_RELEASE_TAG: latest
	MACOS_RELEASE_TITLE: Elephant Agent latest
	MACOS_RELEASE_SIGNING_MODE: ${{ needs.build-macos.outputs.signing_mode \|\| 'unknown' }}
	run: \|
	bash apps/macos/Scripts/release-latest.sh

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Merge pull request #44 from haowu1234/exp/dashboard-daemon-research #39

Workflow file

Merge pull request #44 from haowu1234/exp/dashboard-daemon-research #39

Uh oh!

Workflow file for this run