Print notary rejection details #21
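# Release workflow for Core-Monitor.
#
# For a pushed v* tag (or a manually supplied existing tag) this job runs the
# test suite, imports the Developer ID signing material, builds and signs the
# app archive, notarizes the zip and the disk image, writes checksums and a
# Homebrew cask, uploads everything as a workflow artifact and finally creates
# or updates the GitHub Release for that tag.
name: Release

on:
  workflow_dispatch:
    inputs:
      tag:
        description: Existing git tag to release, for example v14.0.0
        required: true
      create_release:
        description: Create or update the GitHub Release after notarization
        required: false
        # Dispatch inputs are strings; the release step compares against the literal 'true'.
        default: "true"
  push:
    tags:
      - "v*"

# contents:write is needed only by the `gh release` step; no other scope is granted.
permissions:
  contents: write

# Serialize runs for the same tag so two concurrent runs cannot race on
# `gh release upload --clobber` against the same release assets.
concurrency:
  group: release-${{ github.event_name == 'workflow_dispatch' && github.event.inputs.tag || github.ref_name }}
  cancel-in-progress: false

jobs:
  notarized-release:
    name: Build, Notarize, and Publish
    runs-on: macos-14
    timeout-minutes: 60
    defaults:
      run:
        # An explicit `bash` shell runs with `-eo pipefail`; the implicit default is
        # `bash -e` only, which would let a failed `shasum | awk` pipeline below
        # succeed with an empty checksum.
        shell: bash
    env:
      # The tag being released: the manual input, or the ref name of the pushed tag.
      RELEASE_TAG: ${{ github.event_name == 'workflow_dispatch' && github.event.inputs.tag || github.ref_name }}
    steps:
      - name: Check out repository
        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
        with:
          # Full history so the tag and its commit can be verified in the next steps.
          fetch-depth: 0
          ref: ${{ github.event_name == 'workflow_dispatch' && github.event.inputs.tag || github.ref }}

      - name: Select Xcode
        uses: maxim-lobanov/setup-xcode@ed7a3b1fda3918c0306d1b724322adc0b8cc0a90 # v1
        with:
          xcode-version: latest-stable

      # Fail fast on a mistyped manual tag instead of after a long build.
      - name: Verify release tag exists
        run: |
          git show-ref --verify --quiet "refs/tags/${RELEASE_TAG}"
          git rev-parse --verify "${RELEASE_TAG}^{commit}"

      - name: Run test suite before archiving
        run: |
          xcodebuild test \
            -project Core-Monitor.xcodeproj \
            -scheme Core-Monitor \
            -destination 'platform=macOS' \
            CODE_SIGNING_ALLOWED=NO

      - name: Import Developer ID certificate
        env:
          BUILD_CERTIFICATE_BASE64: ${{ secrets.BUILD_CERTIFICATE_BASE64 }}
          P12_PASSWORD: ${{ secrets.P12_PASSWORD }}
          KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }}
        run: |
          if [[ -z "${BUILD_CERTIFICATE_BASE64}" || -z "${P12_PASSWORD}" || -z "${KEYCHAIN_PASSWORD}" ]]; then
            echo "Missing signing secrets. Configure BUILD_CERTIFICATE_BASE64, P12_PASSWORD, and KEYCHAIN_PASSWORD." >&2
            exit 1
          fi
          KEYCHAIN_PATH="$RUNNER_TEMP/core-monitor-release.keychain-db"
          CERT_PATH="$RUNNER_TEMP/core-monitor-release.p12"
          echo -n "${BUILD_CERTIFICATE_BASE64}" | base64 -D > "${CERT_PATH}"
          security create-keychain -p "${KEYCHAIN_PASSWORD}" "${KEYCHAIN_PATH}"
          # Auto-lock after 21600 s (6 h) of inactivity, longer than the job timeout.
          security set-keychain-settings -lut 21600 "${KEYCHAIN_PATH}"
          security unlock-keychain -p "${KEYCHAIN_PASSWORD}" "${KEYCHAIN_PATH}"
          # -T lets the listed tools use the key without a UI prompt on a headless runner.
          security import "${CERT_PATH}" -P "${P12_PASSWORD}" -t cert -f pkcs12 -k "${KEYCHAIN_PATH}" -T /usr/bin/codesign -T /usr/bin/xcodebuild -T /usr/bin/security
          # The decoded .p12 is no longer needed once imported; do not leave it on disk.
          rm -f "${CERT_PATH}"
          # Prepend the release keychain to the user search list; the existing
          # entries are re-added unquoted, which is fine for the default paths.
          security list-keychains -d user -s "${KEYCHAIN_PATH}" $(security list-keychains -d user | tr -d '"')
          security set-key-partition-list -S apple-tool:,apple: -s -k "${KEYCHAIN_PASSWORD}" "${KEYCHAIN_PATH}"

      - name: Install archive provisioning profile
        env:
          ARCHIVE_PROVISIONING_PROFILE_BASE64: ${{ secrets.ARCHIVE_PROVISIONING_PROFILE_BASE64 }}
        run: |
          if [[ -z "${ARCHIVE_PROVISIONING_PROFILE_BASE64}" ]]; then
            echo "Missing signing secret. Configure ARCHIVE_PROVISIONING_PROFILE_BASE64." >&2
            exit 1
          fi
          PROFILE_DIR="$HOME/Library/MobileDevice/Provisioning Profiles"
          PROFILE_PATH="$RUNNER_TEMP/core-monitor-archive.provisionprofile"
          PROFILE_PLIST="$RUNNER_TEMP/core-monitor-archive.plist"
          mkdir -p "${PROFILE_DIR}"
          echo -n "${ARCHIVE_PROVISIONING_PROFILE_BASE64}" | base64 -D > "${PROFILE_PATH}"
          # Decode the CMS envelope to read the profile's UUID and display name.
          security cms -D -i "${PROFILE_PATH}" > "${PROFILE_PLIST}"
          PROFILE_UUID=$(/usr/libexec/PlistBuddy -c "Print UUID" "${PROFILE_PLIST}")
          PROFILE_NAME=$(/usr/libexec/PlistBuddy -c "Print Name" "${PROFILE_PLIST}")
          cp "${PROFILE_PATH}" "${PROFILE_DIR}/${PROFILE_UUID}.provisionprofile"
          # Exported for later steps; presumably consumed by scripts/release/build_release.sh — verify there.
          echo "ARCHIVE_PROVISIONING_PROFILE_SPECIFIER=${PROFILE_NAME}" >> "${GITHUB_ENV}"

      - name: Install direct distribution provisioning profile
        env:
          WEATHERKIT_PROVISIONING_PROFILE_BASE64: ${{ secrets.WEATHERKIT_PROVISIONING_PROFILE_BASE64 }}
        run: |
          if [[ -z "${WEATHERKIT_PROVISIONING_PROFILE_BASE64}" ]]; then
            echo "Missing signing secret. Configure WEATHERKIT_PROVISIONING_PROFILE_BASE64." >&2
            exit 1
          fi
          PROFILE_DIR="$HOME/Library/MobileDevice/Provisioning Profiles"
          PROFILE_PATH="$RUNNER_TEMP/core-monitor-weatherkit.provisionprofile"
          PROFILE_PLIST="$RUNNER_TEMP/core-monitor-weatherkit.plist"
          mkdir -p "${PROFILE_DIR}"
          echo -n "${WEATHERKIT_PROVISIONING_PROFILE_BASE64}" | base64 -D > "${PROFILE_PATH}"
          security cms -D -i "${PROFILE_PATH}" > "${PROFILE_PLIST}"
          PROFILE_UUID=$(/usr/libexec/PlistBuddy -c "Print UUID" "${PROFILE_PLIST}")
          PROFILE_NAME=$(/usr/libexec/PlistBuddy -c "Print Name" "${PROFILE_PLIST}")
          cp "${PROFILE_PATH}" "${PROFILE_DIR}/${PROFILE_UUID}.provisionprofile"
          echo "RELEASE_PROVISIONING_PROFILE_SPECIFIER=${PROFILE_NAME}" >> "${GITHUB_ENV}"

      - name: Build release archive
        env:
          # Already in the job environment via GITHUB_ENV; restated here to make
          # the script's dependency on it explicit.
          RELEASE_PROVISIONING_PROFILE_SPECIFIER: ${{ env.RELEASE_PROVISIONING_PROFILE_SPECIFIER }}
        run: ./scripts/release/build_release.sh

      - name: Notarize and staple
        env:
          APPLE_ID: ${{ secrets.APPLE_ID }}
          APPLE_APP_SPECIFIC_PASSWORD: ${{ secrets.APPLE_APP_SPECIFIC_PASSWORD }}
          APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
          APP_STORE_CONNECT_API_KEY_BASE64: ${{ secrets.APP_STORE_CONNECT_API_KEY_BASE64 }}
          APP_STORE_CONNECT_KEY_ID: ${{ secrets.APP_STORE_CONNECT_KEY_ID }}
          APP_STORE_CONNECT_ISSUER_ID: ${{ secrets.APP_STORE_CONNECT_ISSUER_ID }}
        run: ./scripts/release/notarize_release.sh build/release/Core-Monitor.app.zip build/release/export/Core-Monitor.app

      - name: Build signed disk image
        run: ./scripts/release/build_dmg.sh build/release/export/Core-Monitor.app build/release/Core-Monitor.dmg

      - name: Notarize disk image
        env:
          APPLE_ID: ${{ secrets.APPLE_ID }}
          APPLE_APP_SPECIFIC_PASSWORD: ${{ secrets.APPLE_APP_SPECIFIC_PASSWORD }}
          APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
          APP_STORE_CONNECT_API_KEY_BASE64: ${{ secrets.APP_STORE_CONNECT_API_KEY_BASE64 }}
          APP_STORE_CONNECT_KEY_ID: ${{ secrets.APP_STORE_CONNECT_KEY_ID }}
          APP_STORE_CONNECT_ISSUER_ID: ${{ secrets.APP_STORE_CONNECT_ISSUER_ID }}
        run: ./scripts/release/notarize_disk_image.sh build/release/Core-Monitor.dmg

      - name: Collect release metadata
        env:
          RELEASE_TAG: ${{ env.RELEASE_TAG }}
          REPOSITORY: ${{ github.repository }}
        run: |
          APP_PATH="build/release/export/Core-Monitor.app"
          INFO_PLIST="${APP_PATH}/Contents/Info.plist"
          VERSION=$(/usr/libexec/PlistBuddy -c "Print :CFBundleShortVersionString" "${INFO_PLIST}")
          BUILD_NUMBER=$(/usr/libexec/PlistBuddy -c "Print :CFBundleVersion" "${INFO_PLIST}")
          # Checksums are taken after notarization/stapling so they match the published files.
          ZIP_SHA256="$(shasum -a 256 build/release/Core-Monitor.app.zip | awk '{print $1}')"
          DMG_SHA256="$(shasum -a 256 build/release/Core-Monitor.dmg | awk '{print $1}')"
          ZIP_DOWNLOAD_URL="https://github.com/${REPOSITORY}/releases/download/${RELEASE_TAG}/Core-Monitor.app.zip"
          DMG_DOWNLOAD_URL="https://github.com/${REPOSITORY}/releases/download/${RELEASE_TAG}/Core-Monitor.dmg"
          # NOTE(review): shasum's own output separates hash and name with two spaces;
          # confirm `shasum -a 256 -c` accepts this single-space form before relying on it.
          printf '%s %s\n' "${ZIP_SHA256}" "Core-Monitor.app.zip" > build/release/Core-Monitor.app.zip.sha256
          printf '%s %s\n' "${DMG_SHA256}" "Core-Monitor.dmg" > build/release/Core-Monitor.dmg.sha256
          ./scripts/release/generate_homebrew_cask.sh "${VERSION}" "${ZIP_SHA256}" "${ZIP_DOWNLOAD_URL}" build/release/core-monitor.rb
          {
            echo "VERSION=${VERSION}"
            echo "BUILD_NUMBER=${BUILD_NUMBER}"
            echo "ZIP_SHA256=${ZIP_SHA256}"
            echo "DMG_SHA256=${DMG_SHA256}"
            echo "ZIP_DOWNLOAD_URL=${ZIP_DOWNLOAD_URL}"
            echo "DMG_DOWNLOAD_URL=${DMG_DOWNLOAD_URL}"
          } >> "${GITHUB_ENV}"

      - name: Upload release artifacts
        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
        with:
          name: core-monitor-release
          path: |
            build/release/Core-Monitor.app.zip
            build/release/Core-Monitor.app.zip.sha256
            build/release/Core-Monitor.dmg
            build/release/Core-Monitor.dmg.sha256
            build/release/core-monitor.rb
            build/release/Core-Monitor.xcarchive

      - name: Create or update GitHub Release
        # On a tag push the release is always published; a manual run can opt out.
        if: github.event_name == 'push' || github.event.inputs.create_release == 'true'
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          RELEASE_TAG: ${{ env.RELEASE_TAG }}
        run: |
          if gh release view "${RELEASE_TAG}" >/dev/null 2>&1; then
            gh release upload "${RELEASE_TAG}" \
              build/release/Core-Monitor.app.zip \
              build/release/Core-Monitor.app.zip.sha256 \
              build/release/Core-Monitor.dmg \
              build/release/Core-Monitor.dmg.sha256 \
              build/release/core-monitor.rb \
              --clobber
          else
            gh release create "${RELEASE_TAG}" \
              build/release/Core-Monitor.app.zip \
              build/release/Core-Monitor.app.zip.sha256 \
              build/release/Core-Monitor.dmg \
              build/release/Core-Monitor.dmg.sha256 \
              build/release/core-monitor.rb \
              --title "Core-Monitor ${VERSION}" \
              --generate-notes
          fi

      # Runs even when an earlier step failed so the signing keychain and the
      # decoded secret material never outlive the job, whatever its outcome.
      - name: Remove signing material
        if: always()
        run: |
          KEYCHAIN_PATH="$RUNNER_TEMP/core-monitor-release.keychain-db"
          if [[ -f "${KEYCHAIN_PATH}" ]]; then
            security delete-keychain "${KEYCHAIN_PATH}"
          fi
          rm -f "$RUNNER_TEMP/core-monitor-release.p12" \
            "$RUNNER_TEMP/core-monitor-archive.provisionprofile" \
            "$RUNNER_TEMP/core-monitor-archive.plist" \
            "$RUNNER_TEMP/core-monitor-weatherkit.provisionprofile" \
            "$RUNNER_TEMP/core-monitor-weatherkit.plist"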