Merge pull request #51 from ledhed2222/mac-code-signing #5

Workflow file for this run

.github/workflows/build-installers.yaml at eebbcef

	name: Build Native Installers

	on:
	push:
	tags:
	- 'v*' # Only builds on version tags like v2.4.3
	workflow_dispatch: # Manual trigger from the GitHub UI

	jobs:
	macos:
	runs-on: macos-latest # ARM runner (Apple Silicon, works on Intel via Rosetta 2)
	steps:
	- uses: actions/checkout@v4

	- name: Set up JDK 21
	uses: actions/setup-java@v4
	with:
	distribution: temurin
	java-version: 21

	- name: Extract version from pom.xml
	id: version
	run: \|
	VERSION=$(mvn help:evaluate -Dexpression=project.version -q -DforceStdout)
	echo "version=$VERSION" >> $GITHUB_OUTPUT
	echo "Building version: $VERSION"

	- name: Import Code Signing Certificate
	env:
	CERTIFICATE_BASE64: ${{ secrets.MACOS_CERTIFICATE }}
	CERTIFICATE_PASSWORD: ${{ secrets.MACOS_CERTIFICATE_PWD }}
	KEYCHAIN_PASSWORD: ${{ secrets.MACOS_CERTIFICATE_PWD }}
	run: \|
	# Create variables
	CERTIFICATE_PATH=$RUNNER_TEMP/certificate.p12
	KEYCHAIN_PATH=$RUNNER_TEMP/app-signing.keychain-db

	# Decode certificate
	echo -n "$CERTIFICATE_BASE64" \| base64 --decode -o $CERTIFICATE_PATH

	# Create temporary keychain
	security create-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
	security set-keychain-settings -lut 21600 $KEYCHAIN_PATH
	security unlock-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH

	# Import certificate to keychain
	security import $CERTIFICATE_PATH -P "$CERTIFICATE_PASSWORD" -A -t cert -f pkcs12 -k $KEYCHAIN_PATH
	security list-keychain -d user -s $KEYCHAIN_PATH

	# Enable codesigning from a non user interactive shell
	security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH

	- name: Build .jar
	run: mvn clean package

	- name: Run jpackage for macOS
	env:
	APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
	run: \|
	# Get the certificate identity name
	CERT_IDENTITY=$(security find-identity -v -p codesigning \| grep "Developer ID Application" \| head -1 \| sed -n 's/."$.$"/\1/p')
	echo "Using certificate: $CERT_IDENTITY"

	jpackage \
	--type dmg \
	--name EWItool \
	--input target \
	--main-jar EWItool-${{ steps.version.outputs.version }}.jar \
	--main-class com.github.ledhed2222.ewitool.Main \
	--dest target \
	--app-version ${{ steps.version.outputs.version }} \
	--vendor "Ledhed2222" \
	--icon src/main/resources/logo.icns \
	--mac-sign \
	--mac-signing-key-user-name "$CERT_IDENTITY"

	- name: Sign DMG
	run: \|
	CERT_IDENTITY=$(security find-identity -v -p codesigning \| grep "Developer ID Application" \| head -1 \| sed -n 's/."$.$"/\1/p')
	codesign --force --sign "$CERT_IDENTITY" --timestamp --options runtime target/EWItool-${{ steps.version.outputs.version }}.dmg

	# Verify signature
	codesign --verify --verbose=4 target/EWItool-${{ steps.version.outputs.version }}.dmg

	- name: Notarize DMG
	env:
	APPLE_ID: ${{ secrets.APPLE_ID }}
	APPLE_APP_PASSWORD: ${{ secrets.APPLE_APP_PASSWORD }}
	APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
	run: \|
	# Submit for notarization
	xcrun notarytool submit target/EWItool-${{ steps.version.outputs.version }}.dmg \
	--apple-id "$APPLE_ID" \
	--password "$APPLE_APP_PASSWORD" \
	--team-id "$APPLE_TEAM_ID" \
	--wait

	# Staple the notarization ticket
	xcrun stapler staple target/EWItool-${{ steps.version.outputs.version }}.dmg

	# Verify notarization
	xcrun stapler validate target/EWItool-${{ steps.version.outputs.version }}.dmg

	- name: Rename DMG
	run: \|
	mv target/EWItool-${{ steps.version.outputs.version }}.dmg target/EWItool-${{ steps.version.outputs.version }}-macos.dmg

	- name: Upload to gh release
	uses: softprops/action-gh-release@v1
	with:
	files: target/*-macos.dmg
	env:
	GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

	windows:
	runs-on: windows-latest
	steps:
	- uses: actions/checkout@v4

	- name: Set up JDK 21
	uses: actions/setup-java@v4
	with:
	distribution: temurin
	java-version: 21

	- name: Extract version from pom.xml
	id: version
	shell: pwsh
	run: \|
	[xml]$pom = Get-Content pom.xml
	$VERSION = $pom.project.version
	echo "version=$VERSION" >> $env:GITHUB_OUTPUT
	echo "Building version: $VERSION"

	- name: Build .jar
	run: mvn clean package

	- name: Convert PNG to ICO for Windows
	run: \|
	# jpackage will use PNG on Windows if ICO not available
	# We'll use the PNG file directly

	- name: Run jpackage for Windows
	run: \|
	jpackage `
	--type exe `
	--name EWItool `
	--input target `
	--main-jar EWItool-${{ steps.version.outputs.version }}.jar `
	--main-class com.github.ledhed2222.ewitool.Main `
	--dest target `
	--app-version ${{ steps.version.outputs.version }} `
	--vendor "Ledhed2222" `
	--icon src/main/resources/logo.png `
	--win-dir-chooser `
	--win-menu `
	--win-shortcut

	- name: Upload to gh release
	uses: softprops/action-gh-release@v1
	with:
	files: target/*.exe
	env:
	GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

	linux:
	runs-on: ubuntu-latest
	steps:
	- uses: actions/checkout@v4

	- name: Set up JDK 21
	uses: actions/setup-java@v4
	with:
	distribution: temurin
	java-version: 21

	- name: Extract version from pom.xml
	id: version
	run: \|
	VERSION=$(mvn help:evaluate -Dexpression=project.version -q -DforceStdout)
	echo "version=$VERSION" >> $GITHUB_OUTPUT
	echo "Building version: $VERSION"

	- name: Install jpackage dependencies
	run: \|
	sudo apt-get update
	sudo apt-get install -y libfreetype6-dev libasound2-dev fakeroot rpm

	- name: Build .jar
	run: mvn clean package

	- name: Run jpackage for Linux (DEB)
	run: \|
	jpackage \
	--type deb \
	--name ewitool \
	--input target \
	--main-jar EWItool-${{ steps.version.outputs.version }}.jar \
	--main-class com.github.ledhed2222.ewitool.Main \
	--dest target \
	--app-version ${{ steps.version.outputs.version }} \
	--vendor "Ledhed2222" \
	--icon src/main/resources/logo.png \
	--linux-shortcut

	- name: Run jpackage for Linux (RPM)
	run: \|
	jpackage \
	--type rpm \
	--name ewitool \
	--input target \
	--main-jar EWItool-${{ steps.version.outputs.version }}.jar \
	--main-class com.github.ledhed2222.ewitool.Main \
	--dest target \
	--app-version ${{ steps.version.outputs.version }} \
	--vendor "Ledhed2222" \
	--icon src/main/resources/logo.png \
	--linux-shortcut

	- name: Upload to gh release
	uses: softprops/action-gh-release@v1
	with:
	files: \|
	target/*.deb
	target/*.rpm
	env:
	GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Merge pull request #51 from ledhed2222/mac-code-signing #5

Workflow file

Merge pull request #51 from ledhed2222/mac-code-signing #5

Uh oh!

Workflow file for this run