Render polished journal content in Today #11

Workflow file for this run

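# Release workflow: builds the Swift package, packages Openbird.app, signs and
# notarizes the app and its DMG with a Developer ID certificate, then publishes
# the DMG and a SHA-256 checksum as a GitHub release.
#
# Runs on a pushed tag matching "v*" or on a manual dispatch that names the tag.
name: Release
on:
  push:
    tags:
      - "v*"
  workflow_dispatch:
    inputs:
      tag:
        description: "Release tag, for example v0.1.0"
        required: true
        type: string
concurrency:
  # Key the group on the release tag (inputs.tag for manual runs, the pushed
  # tag name otherwise) so two runs for the same tag are serialized.
  group: release-${{ github.workflow }}-${{ inputs.tag || github.ref_name }}
  cancel-in-progress: false
jobs:
  release:
    runs-on: macos-15
    permissions:
      contents: write
    timeout-minutes: 45
    env:
      APP_NAME: Openbird.app
      BUNDLE_ID: com.computelesscomputer.openbird
      ENTITLEMENTS: packaging/Openbird.entitlements
      # GH_TOKEN is set only on the publish step, so the build and packaging
      # steps (which run dependency and project code) never see a token with
      # contents: write. If scripts/package-release.sh calls gh, pass the
      # token to that step explicitly.
    steps:
      - name: Checkout
        # NOTE(review): this job handles signing secrets; pin the action to a
        # full commit SHA instead of the mutable v4 tag.
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
          # No later step pushes with git, so do not leave the token in
          # .git/config for the build to read.
          persist-credentials: false
        # NOTE(review): on workflow_dispatch this checks out the ref the run
        # was started from; nothing in this file checks that it matches
        # inputs.tag.
      - name: Resolve tag
        id: meta
        shell: bash
        env:
          # Passed through the environment, never interpolated into the
          # script text, so the value cannot be parsed as shell.
          REQUESTED_TAG: ${{ inputs.tag }}
        run: |
          if [[ "${GITHUB_EVENT_NAME}" == "workflow_dispatch" ]]; then
            TAG="${REQUESTED_TAG}"
          else
            TAG="${GITHUB_REF_NAME}"
          fi
          if [[ -z "${TAG}" ]]; then
            echo "Tag is required" >&2
            exit 1
          fi
          # The tag ends up in file names, GITHUB_OUTPUT and GITHUB_ENV.
          # Accept only a conservative character set: no slashes, whitespace,
          # newlines or shell metacharacters.
          TAG_PATTERN='^v[0-9A-Za-z._+-]+$'
          if [[ ! "${TAG}" =~ ${TAG_PATTERN} ]]; then
            echo "Tag contains unexpected characters" >&2
            exit 1
          fi
          echo "tag=${TAG}" >> "$GITHUB_OUTPUT"
      - name: Show toolchain
        run: |
          swift --version
          xcodebuild -version
      - name: Build release binaries
        run: swift build -c release
      - name: Package app bundle
        env:
          TAG: ${{ steps.meta.outputs.tag }}
        run: |
          chmod +x scripts/package-release.sh
          scripts/package-release.sh "${TAG}" dist "${BUNDLE_ID}"
      - name: Prepare artifact paths
        shell: bash
        env:
          TAG: ${{ steps.meta.outputs.tag }}
        run: |
          echo "APP_PATH=${GITHUB_WORKSPACE}/dist/${APP_NAME}" >> "$GITHUB_ENV"
          echo "DMG_PATH=${RUNNER_TEMP}/openbird-${TAG}-macos-arm64.dmg" >> "$GITHUB_ENV"
          echo "DIST_DMG_PATH=${GITHUB_WORKSPACE}/dist/openbird-${TAG}-macos-arm64.dmg" >> "$GITHUB_ENV"
          echo "CHECKSUM_PATH=${GITHUB_WORKSPACE}/dist/openbird-${TAG}-macos-arm64.sha256" >> "$GITHUB_ENV"
      - name: Import certificate
        shell: bash
        env:
          APPLE_CERTIFICATE: ${{ secrets.APPLE_CERTIFICATE }}
          APPLE_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
        run: |
          CERT_PATH="$RUNNER_TEMP/certificate.p12"
          KEYCHAIN_PATH="$RUNNER_TEMP/app-signing.keychain-db"
          # Throwaway password for a keychain that exists only for this run.
          KEYCHAIN_PASSWORD=$(uuidgen)
          echo -n "$APPLE_CERTIFICATE" | base64 --decode -o "$CERT_PATH"
          security create-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
          security set-keychain-settings -lut 21600 "$KEYCHAIN_PATH"
          security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
          # -T limits key access to codesign instead of -A (any application).
          security import "$CERT_PATH" -P "$APPLE_CERTIFICATE_PASSWORD" -T /usr/bin/codesign -t cert -f pkcs12 -k "$KEYCHAIN_PATH"
          # The decoded .p12 is not needed once the key is in the keychain.
          rm -f "$CERT_PATH"
          security set-key-partition-list -S apple-tool:,apple: -k "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
          security list-keychain -d user -s "$KEYCHAIN_PATH"
      - name: Resolve signing identity
        shell: bash
        run: |
          # "|| true": with bash -e -o pipefail a grep miss would abort the
          # step before the explicit error below is printed.
          IDENTITY=$(security find-identity -v -p codesigning | grep "Developer ID Application" | head -1 | sed -E 's/.*"(.*)"$/\1/' || true)
          if [ -z "$IDENTITY" ]; then
            echo "Developer ID Application identity not found" >&2
            exit 1
          fi
          echo "SIGNING_IDENTITY=$IDENTITY" >> "$GITHUB_ENV"
      - name: Sign app
        shell: bash
        run: |
          # NOTE(review): --deep applies these entitlements to every nested
          # binary; Apple's guidance is to sign nested code individually,
          # inside-out. Left as is because the bundle layout comes from
          # scripts/package-release.sh, which is not shown here.
          /usr/bin/codesign --force --sign "$SIGNING_IDENTITY" \
            --entitlements "$ENTITLEMENTS" \
            --options runtime \
            --timestamp \
            --deep \
            --verbose \
            "$APP_PATH"
          codesign --verify --strict --deep --verbose=4 "$APP_PATH"
      - name: Notarize app
        shell: bash
        env:
          APPLE_ID: ${{ secrets.APPLE_ID }}
          APPLE_PASSWORD: ${{ secrets.APPLE_PASSWORD }}
          APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
        run: |
          ZIP_PATH="$RUNNER_TEMP/Openbird.zip"
          ditto -c -k --keepParent "$APP_PATH" "$ZIP_PATH"
          # Capture the exit code so the output is still printed when
          # notarytool itself fails.
          SUBMIT_STATUS=0
          SUBMIT_OUTPUT=$(xcrun notarytool submit "$ZIP_PATH" \
            --apple-id "$APPLE_ID" \
            --password "$APPLE_PASSWORD" \
            --team-id "$APPLE_TEAM_ID" \
            --wait 2>&1) || SUBMIT_STATUS=$?
          echo "$SUBMIT_OUTPUT"
          # Fail closed: continue only on an explicit "Accepted", not merely
          # on the absence of "Invalid".
          if [[ "$SUBMIT_STATUS" -ne 0 ]] || ! grep -q "status: Accepted" <<<"$SUBMIT_OUTPUT"; then
            echo "Notarization failed. Fetching log..."
            SUBMISSION_ID=$(echo "$SUBMIT_OUTPUT" | grep 'id:' | head -1 | awk '{print $2}' || true)
            if [[ -n "$SUBMISSION_ID" ]]; then
              xcrun notarytool log "$SUBMISSION_ID" \
                --apple-id "$APPLE_ID" \
                --password "$APPLE_PASSWORD" \
                --team-id "$APPLE_TEAM_ID" || true
            fi
            exit 1
          fi
          xcrun stapler staple "$APP_PATH"
          # Gatekeeper assessment of the stapled app.
          spctl -a -vv -t exec "$APP_PATH"
      - name: Create DMG
        shell: bash
        run: |
          DMG_STAGING=$(mktemp -d)
          cp -R "$APP_PATH" "$DMG_STAGING/"
          ln -s /Applications "$DMG_STAGING/Applications"
          hdiutil create -volname "Openbird" \
            -srcfolder "$DMG_STAGING" \
            -ov -format UDZO \
            "$DMG_PATH"
      - name: Sign and notarize DMG
        shell: bash
        env:
          APPLE_ID: ${{ secrets.APPLE_ID }}
          APPLE_PASSWORD: ${{ secrets.APPLE_PASSWORD }}
          APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
        run: |
          /usr/bin/codesign --force --sign "$SIGNING_IDENTITY" \
            --timestamp \
            "$DMG_PATH"
          # Same capture-and-fail-closed handling as the app notarization.
          SUBMIT_STATUS=0
          SUBMIT_OUTPUT=$(xcrun notarytool submit "$DMG_PATH" \
            --apple-id "$APPLE_ID" \
            --password "$APPLE_PASSWORD" \
            --team-id "$APPLE_TEAM_ID" \
            --wait 2>&1) || SUBMIT_STATUS=$?
          echo "$SUBMIT_OUTPUT"
          if [[ "$SUBMIT_STATUS" -ne 0 ]] || ! grep -q "status: Accepted" <<<"$SUBMIT_OUTPUT"; then
            echo "Notarization failed. Fetching log..."
            SUBMISSION_ID=$(echo "$SUBMIT_OUTPUT" | grep 'id:' | head -1 | awk '{print $2}' || true)
            if [[ -n "$SUBMISSION_ID" ]]; then
              xcrun notarytool log "$SUBMISSION_ID" \
                --apple-id "$APPLE_ID" \
                --password "$APPLE_PASSWORD" \
                --team-id "$APPLE_TEAM_ID" || true
            fi
            exit 1
          fi
          xcrun stapler staple "$DMG_PATH"
          xcrun stapler validate "$DMG_PATH"
          codesign --verify --verbose=4 "$DMG_PATH"
          cp "$DMG_PATH" "$DIST_DMG_PATH"
      - name: Create checksum
        shell: bash
        run: |
          # Hash by file name from inside dist/ so the published .sha256 lists
          # the bare file name and `shasum -a 256 -c` works after download;
          # hashing the absolute path would embed the runner's workspace path.
          cd "$(dirname "$DIST_DMG_PATH")"
          shasum -a 256 "$(basename "$DIST_DMG_PATH")" > "$CHECKSUM_PATH"
      - name: Publish GitHub release
        shell: bash
        env:
          GH_TOKEN: ${{ github.token }}
          TAG: ${{ steps.meta.outputs.tag }}
        run: |
          DMG="dist/openbird-${TAG}-macos-arm64.dmg"
          CHECKSUM="dist/openbird-${TAG}-macos-arm64.sha256"
          if gh release view "${TAG}" --repo "${GITHUB_REPOSITORY}" >/dev/null 2>&1; then
            # NOTE(review): --clobber replaces assets on an already published
            # release, so a re-run for an existing tag changes the binaries
            # users download under the same name.
            gh release upload "${TAG}" "$DMG" "$CHECKSUM" --clobber --repo "${GITHUB_REPOSITORY}"
          else
            gh release create "${TAG}" \
              "$DMG" \
              "$CHECKSUM" \
              --target "${GITHUB_SHA}" \
              --title "${TAG}" \
              --generate-notes \
              --repo "${GITHUB_REPOSITORY}"
          fi
      - name: Clean up signing material
        # Runs on failure too, so the signing key never outlives the job.
        if: always()
        shell: bash
        run: |
          KEYCHAIN_PATH="$RUNNER_TEMP/app-signing.keychain-db"
          if [[ -f "$KEYCHAIN_PATH" ]]; then
            security delete-keychain "$KEYCHAIN_PATH"
          fi
          rm -f "$RUNNER_TEMP/certificate.p12"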