Skip to content

ci: switch notarization auth to App Store Connect API key, gate on en… #22

ci: switch notarization auth to App Store Connect API key, gate on en…

ci: switch notarization auth to App Store Connect API key, gate on en… #22

Workflow file for this run

name: Release
# Builds, signs, notarizes, and publishes a MicGuard release zip.
#
# Required repo secrets (one-time setup):
# BUILD_CERTIFICATE_BASE64 - base64 of Developer ID Application .p12
# P12_PASSWORD - password protecting the .p12
# KEYCHAIN_PASSWORD - random string for the temporary keychain
# SIGNING_IDENTITY - "Developer ID Application: Name (TEAMID)"
# APP_STORE_CONNECT_KEY_BASE64 - base64 of the .p8 App Store Connect API key
# APP_STORE_CONNECT_KEY_ID - 10-char Key ID
# APP_STORE_CONNECT_ISSUER - issuer UUID
#
# Required GitHub Environment: `release`. The job binds to it so a tag push
# pauses for manual approval before any signing material is decrypted on the
# runner. Configure the environment at Settings -> Environments -> release
# with required reviewer = the repo owner.
#
# The published zip is built by `zip -ry` post-staple so the notarization
# ticket travels with the archive and Gatekeeper accepts the bundle offline
# on first launch.
on:
push:
tags: ['v*']
permissions:
contents: write
jobs:
build:
runs-on: macos-15
environment: release
steps:
- uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
with:
fetch-depth: 0
- name: Import signing certificate
env:
BUILD_CERTIFICATE_BASE64: ${{ secrets.BUILD_CERTIFICATE_BASE64 }}
P12_PASSWORD: ${{ secrets.P12_PASSWORD }}
KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }}
run: |
set -euo pipefail
KEYCHAIN_PATH="$RUNNER_TEMP/build.keychain-db"
CERT_PATH="$RUNNER_TEMP/cert.p12"
echo "$BUILD_CERTIFICATE_BASE64" | base64 --decode > "$CERT_PATH"
security create-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
security set-keychain-settings -lut 21600 "$KEYCHAIN_PATH"
security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
security import "$CERT_PATH" -P "$P12_PASSWORD" \
-A -t cert -f pkcs12 -k "$KEYCHAIN_PATH"
security list-keychain -d user -s "$KEYCHAIN_PATH" login.keychain
security set-key-partition-list -S apple-tool:,apple:,codesign: \
-s -k "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH" >/dev/null
rm -f "$CERT_PATH"
- name: Write App Store Connect API key
env:
APP_STORE_CONNECT_KEY_BASE64: ${{ secrets.APP_STORE_CONNECT_KEY_BASE64 }}
run: |
set -euo pipefail
KEY_PATH="$RUNNER_TEMP/AuthKey.p8"
echo "$APP_STORE_CONNECT_KEY_BASE64" | base64 --decode > "$KEY_PATH"
chmod 600 "$KEY_PATH"
- name: Build, sign, and zip
env:
SIGNING_IDENTITY: ${{ secrets.SIGNING_IDENTITY }}
ENTITLEMENTS: Resources/MicGuard.entitlements
run: make zip
- name: Notarize, staple, and refresh zip
env:
APP_STORE_CONNECT_KEY_ID: ${{ secrets.APP_STORE_CONNECT_KEY_ID }}
APP_STORE_CONNECT_ISSUER: ${{ secrets.APP_STORE_CONNECT_ISSUER }}
run: |
scripts/release-notarize.sh \
--key "$RUNNER_TEMP/AuthKey.p8" \
--key-id "$APP_STORE_CONNECT_KEY_ID" \
--issuer "$APP_STORE_CONNECT_ISSUER"
- name: Verify signature and notarization
run: |
set -euo pipefail
codesign --verify --strict --verbose=2 .build/MicGuard.app
spctl --assess --type execute --verbose .build/MicGuard.app
xcrun stapler validate .build/MicGuard.app
- name: Publish release
uses: softprops/action-gh-release@3bb12739c298aeb8a4eeaf626c5b8d85266b0e65 # v2.6.2
with:
files: .build/MicGuard.zip
- name: Clean up secrets on runner
if: always()
run: |
KEYCHAIN_PATH="$RUNNER_TEMP/build.keychain-db"
KEY_PATH="$RUNNER_TEMP/AuthKey.p8"
if [[ -f "$KEYCHAIN_PATH" ]]; then
security delete-keychain "$KEYCHAIN_PATH" || true
fi
rm -f "$KEY_PATH"