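# Builds FreeWispr for arm64, signs and notarizes the .app, wraps it in a signed
# DMG and republishes it as the rolling "tip" pre-release.
name: Tip Release

on:
  # Manual trigger from any branch via Actions UI.
  # NOTE(review): the workflow file of the selected branch is what runs, with
  # access to the signing and notarization secrets. Restrict who may push
  # branches, or gate this job behind a protected environment with reviewers.
  workflow_dispatch:

permissions:
  contents: write  # needed to delete and recreate the "tip" release and tag

jobs:
  tip:
    runs-on: macos-26
    steps:
      # NOTE(review): pin this action to a full commit SHA; a tag can be moved.
      - uses: actions/checkout@v4
        with:
          # Keep the job token out of .git/config; the release step passes it
          # to gh through GH_TOKEN instead.
          persist-credentials: false

      # Build and assemble before any secret is placed on the runner, so that
      # package code resolved and executed by `swift build` never shares the
      # machine with the signing key or the notarization password.
      - name: Build release binary
        run: |
          cd FreeWispr
          swift build -c release --arch arm64

      - name: Assemble .app bundle
        run: |
          APP_NAME="FreeWispr"
          SHORT_SHA="$(git rev-parse --short HEAD)"
          BUILD_DIR="build"
          APP_BUNDLE="$BUILD_DIR/$APP_NAME.app"
          mkdir -p "$APP_BUNDLE/Contents/MacOS"
          mkdir -p "$APP_BUNDLE/Contents/Resources"
          cp "FreeWispr/.build/arm64-apple-macosx/release/$APP_NAME" "$APP_BUNDLE/Contents/MacOS/$APP_NAME"
          cp "FreeWispr/Sources/$APP_NAME/Info.plist" "$APP_BUNDLE/Contents/Info.plist"
          cp "FreeWispr/Sources/$APP_NAME/Resources/AppIcon.icns" "$APP_BUNDLE/Contents/Resources/"
          cp -R "FreeWispr/.build/arm64-apple-macosx/release/${APP_NAME}_${APP_NAME}Core.bundle" "$APP_BUNDLE/Contents/Resources/"
          # Stamp version as <plist-version>-tip+<sha>
          PLIST_VERSION=$(/usr/libexec/PlistBuddy -c "Print :CFBundleShortVersionString" "$APP_BUNDLE/Contents/Info.plist")
          TIP_VERSION="${PLIST_VERSION}-tip+${SHORT_SHA}"
          /usr/libexec/PlistBuddy -c "Set :CFBundleShortVersionString $TIP_VERSION" "$APP_BUNDLE/Contents/Info.plist"
          /usr/libexec/PlistBuddy -c "Set :CFBundleVersion $TIP_VERSION" "$APP_BUNDLE/Contents/Info.plist"

      - name: Install signing certificate
        env:
          CERTIFICATE_P12: ${{ secrets.CERTIFICATE_P12 }}
          CERTIFICATE_PASSWORD: ${{ secrets.CERTIFICATE_PASSWORD }}
        run: |
          # Files created below (keychain, decoded .p12) are owner-only.
          umask 077
          KEYCHAIN_PATH="$RUNNER_TEMP/signing.keychain-db"
          KEYCHAIN_PASSWORD="$(openssl rand -base64 32)"
          security create-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
          security set-keychain-settings -lut 21600 "$KEYCHAIN_PATH"
          security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
          CERT_PATH="$RUNNER_TEMP/certificate.p12"
          # Remove the decoded key material even when a later command fails.
          trap 'rm -f "$CERT_PATH"' EXIT
          echo "$CERTIFICATE_P12" | base64 --decode > "$CERT_PATH"
          # -T limits key access to the listed tools; the previous -A granted
          # it to every application without a prompt.
          security import "$CERT_PATH" \
            -P "$CERTIFICATE_PASSWORD" \
            -T /usr/bin/codesign \
            -T /usr/bin/security \
            -t cert \
            -f pkcs12 \
            -k "$KEYCHAIN_PATH"
          rm -f "$CERT_PATH"
          security list-keychains -d user -s "$KEYCHAIN_PATH" $(security list-keychains -d user | tr -d '"')
          security set-key-partition-list -S apple-tool:,apple: -s -k "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
          # Print only lines that carry a quoted identity name, so that the
          # "0 valid identities found" summary can never become the identity.
          IDENTITY="$(security find-identity -v -p codesigning "$KEYCHAIN_PATH" | sed -n 's/.*"\(.*\)".*/\1/p' | head -1)"
          if [ -z "$IDENTITY" ]; then
            echo "::error::No valid code-signing identity found in the imported certificate"
            exit 1
          fi
          echo "SIGNING_IDENTITY=$IDENTITY" >> "$GITHUB_ENV"

      - name: Code sign
        run: |
          # NOTE(review): --deep applies the same entitlements to all nested
          # code; sign nested items individually if the bundle gains helpers.
          codesign --force --deep \
            --sign "$SIGNING_IDENTITY" \
            --options runtime \
            --entitlements "FreeWispr/FreeWispr.entitlements" \
            --timestamp \
            "build/FreeWispr.app"
          # Fail here, before notarization, if the signature is malformed.
          codesign --verify --deep --strict --verbose=2 "build/FreeWispr.app"

      # The profile is stored in the runner's default keychain, which the
      # cleanup step below does not remove.
      - name: Set up notarization credentials
        env:
          APPLE_ID: ${{ secrets.APPLE_ID }}
          APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
          APP_SPECIFIC_PASSWORD: ${{ secrets.APP_SPECIFIC_PASSWORD }}
        run: |
          xcrun notarytool store-credentials "FreeWispr-notarize" \
            --apple-id "$APPLE_ID" \
            --team-id "$APPLE_TEAM_ID" \
            --password "$APP_SPECIFIC_PASSWORD"

      - name: Notarize
        run: |
          ditto -c -k --keepParent "build/FreeWispr.app" "build/FreeWispr-notarize.zip"
          xcrun notarytool submit "build/FreeWispr-notarize.zip" \
            --keychain-profile "FreeWispr-notarize" \
            --wait
          rm -f "build/FreeWispr-notarize.zip"
          xcrun stapler staple "build/FreeWispr.app"
          # Confirm the ticket is attached before the app is packaged.
          xcrun stapler validate "build/FreeWispr.app"

      - name: Create DMG
        run: |
          DMG_PATH="build/FreeWispr-tip.dmg"
          DMG_STAGING="build/dmg-staging"
          mkdir -p "$DMG_STAGING"
          cp -R "build/FreeWispr.app" "$DMG_STAGING/"
          ln -s /Applications "$DMG_STAGING/Applications"
          hdiutil create \
            -volname "FreeWispr" \
            -srcfolder "$DMG_STAGING" \
            -ov \
            -format UDZO \
            "$DMG_PATH"
          rm -rf "$DMG_STAGING"
          codesign --force --sign "$SIGNING_IDENTITY" --timestamp "$DMG_PATH"

      - name: Update tip release
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          SHORT_SHA="$(git rev-parse --short HEAD)"
          BRANCH="${GITHUB_REF_NAME}"
          DATE="$(date -u +%Y-%m-%d)"
          # Delete existing tip release and tag
          gh release delete tip --yes --cleanup-tag 2>/dev/null || true
          # --target pins the recreated tag to the commit that was built.
          # Without it gh tags the default branch, so a run dispatched from
          # another branch would publish a binary that does not match its tag.
          gh release create tip \
            build/FreeWispr-tip.dmg \
            --target "$GITHUB_SHA" \
            --title "FreeWispr tip" \
            --notes "$(cat <<EOF
          Built from \`${SHORT_SHA}\` on branch \`${BRANCH}\` (${DATE}).
          **This is a pre-release build for testing.**
          For daily use, grab the [latest stable release](https://github.com/ygivenx/freeWispr/releases/latest).
          EOF
          )" \
            --prerelease

      # Runs on failure too, so the signing key never outlives the job.
      - name: Clean up keychain
        if: always()
        run: |
          KEYCHAIN_PATH="$RUNNER_TEMP/signing.keychain-db"
          security delete-keychain "$KEYCHAIN_PATH" 2>/dev/null || true
          rm -f "$RUNNER_TEMP/certificate.p12"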