ci: switch notarization auth to App Store Connect API key, gate on en… #22
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Release | |
| # Builds, signs, notarizes, and publishes a MicGuard release zip. | |
| # | |
| # Required repo secrets (one-time setup): | |
| # BUILD_CERTIFICATE_BASE64 - base64 of Developer ID Application .p12 | |
| # P12_PASSWORD - password protecting the .p12 | |
| # KEYCHAIN_PASSWORD - random string for the temporary keychain | |
| # SIGNING_IDENTITY - "Developer ID Application: Name (TEAMID)" | |
| # APP_STORE_CONNECT_KEY_BASE64 - base64 of the .p8 App Store Connect API key | |
| # APP_STORE_CONNECT_KEY_ID - 10-char Key ID | |
| # APP_STORE_CONNECT_ISSUER - issuer UUID | |
| # | |
| # Required GitHub Environment: `release`. The job binds to it so a tag push | |
| # pauses for manual approval before any signing material is decrypted on the | |
| # runner. Configure the environment at Settings -> Environments -> release | |
| # with required reviewer = the repo owner. | |
| # | |
| # The published zip is built by `zip -ry` post-staple so the notarization | |
| # ticket travels with the archive and Gatekeeper accepts the bundle offline | |
| # on first launch. | |
| on: | |
| push: | |
| tags: ['v*'] | |
| permissions: | |
| contents: write | |
| jobs: | |
| build: | |
| runs-on: macos-15 | |
| environment: release | |
| steps: | |
| - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 | |
| with: | |
| fetch-depth: 0 | |
| - name: Import signing certificate | |
| env: | |
| BUILD_CERTIFICATE_BASE64: ${{ secrets.BUILD_CERTIFICATE_BASE64 }} | |
| P12_PASSWORD: ${{ secrets.P12_PASSWORD }} | |
| KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }} | |
| run: | | |
| set -euo pipefail | |
| KEYCHAIN_PATH="$RUNNER_TEMP/build.keychain-db" | |
| CERT_PATH="$RUNNER_TEMP/cert.p12" | |
| echo "$BUILD_CERTIFICATE_BASE64" | base64 --decode > "$CERT_PATH" | |
| security create-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH" | |
| security set-keychain-settings -lut 21600 "$KEYCHAIN_PATH" | |
| security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH" | |
| security import "$CERT_PATH" -P "$P12_PASSWORD" \ | |
| -A -t cert -f pkcs12 -k "$KEYCHAIN_PATH" | |
| security list-keychain -d user -s "$KEYCHAIN_PATH" login.keychain | |
| security set-key-partition-list -S apple-tool:,apple:,codesign: \ | |
| -s -k "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH" >/dev/null | |
| rm -f "$CERT_PATH" | |
| - name: Write App Store Connect API key | |
| env: | |
| APP_STORE_CONNECT_KEY_BASE64: ${{ secrets.APP_STORE_CONNECT_KEY_BASE64 }} | |
| run: | | |
| set -euo pipefail | |
| KEY_PATH="$RUNNER_TEMP/AuthKey.p8" | |
| echo "$APP_STORE_CONNECT_KEY_BASE64" | base64 --decode > "$KEY_PATH" | |
| chmod 600 "$KEY_PATH" | |
| - name: Build, sign, and zip | |
| env: | |
| SIGNING_IDENTITY: ${{ secrets.SIGNING_IDENTITY }} | |
| ENTITLEMENTS: Resources/MicGuard.entitlements | |
| run: make zip | |
| - name: Notarize, staple, and refresh zip | |
| env: | |
| APP_STORE_CONNECT_KEY_ID: ${{ secrets.APP_STORE_CONNECT_KEY_ID }} | |
| APP_STORE_CONNECT_ISSUER: ${{ secrets.APP_STORE_CONNECT_ISSUER }} | |
| run: | | |
| scripts/release-notarize.sh \ | |
| --key "$RUNNER_TEMP/AuthKey.p8" \ | |
| --key-id "$APP_STORE_CONNECT_KEY_ID" \ | |
| --issuer "$APP_STORE_CONNECT_ISSUER" | |
| - name: Verify signature and notarization | |
| run: | | |
| set -euo pipefail | |
| codesign --verify --strict --verbose=2 .build/MicGuard.app | |
| spctl --assess --type execute --verbose .build/MicGuard.app | |
| xcrun stapler validate .build/MicGuard.app | |
| - name: Publish release | |
| uses: softprops/action-gh-release@3bb12739c298aeb8a4eeaf626c5b8d85266b0e65 # v2.6.2 | |
| with: | |
| files: .build/MicGuard.zip | |
| - name: Clean up secrets on runner | |
| if: always() | |
| run: | | |
| KEYCHAIN_PATH="$RUNNER_TEMP/build.keychain-db" | |
| KEY_PATH="$RUNNER_TEMP/AuthKey.p8" | |
| if [[ -f "$KEYCHAIN_PATH" ]]; then | |
| security delete-keychain "$KEYCHAIN_PATH" || true | |
| fi | |
| rm -f "$KEY_PATH" |