freeWispr/.github/workflows/release.yml at 3f0bf3754b0f60315756b4d923f413fd6fe5d5cf · ygivenx/freeWispr · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
name: Release

on:
  push:
    tags:
      - 'v*'

permissions:
  contents: write
  id-token: write
  attestations: write

jobs:
  build-and-release:
    runs-on: macos-14
    steps:
      - uses: actions/checkout@v4

      - name: Extract version from tag
        id: version
        run: echo "VERSION=${GITHUB_REF_NAME#v}" >> "$GITHUB_OUTPUT"

      - name: Install signing certificate
        env:
          CERTIFICATE_P12: ${{ secrets.CERTIFICATE_P12 }}
          CERTIFICATE_PASSWORD: ${{ secrets.CERTIFICATE_PASSWORD }}
        run: |
          # Create a temporary keychain
          KEYCHAIN_PATH="$RUNNER_TEMP/signing.keychain-db"
          KEYCHAIN_PASSWORD="$(openssl rand -base64 32)"

          security create-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
          security set-keychain-settings -lut 21600 "$KEYCHAIN_PATH"
          security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"

          # Import certificate
          CERT_PATH="$RUNNER_TEMP/certificate.p12"
          echo "$CERTIFICATE_P12" | base64 --decode > "$CERT_PATH"
          security import "$CERT_PATH" \
            -P "$CERTIFICATE_PASSWORD" \
            -A \
            -t cert \
            -f pkcs12 \
            -k "$KEYCHAIN_PATH"
          rm -f "$CERT_PATH"

          # Add keychain to search list
          security list-keychains -d user -s "$KEYCHAIN_PATH" $(security list-keychains -d user | tr -d '"')
          security set-key-partition-list -S apple-tool:,apple: -s -k "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"

          # Store identity name for later steps
          IDENTITY=$(security find-identity -v -p codesigning "$KEYCHAIN_PATH" | head -1 | sed 's/.*"\(.*\)".*/\1/')
          echo "SIGNING_IDENTITY=$IDENTITY" >> "$GITHUB_ENV"

      - name: Set up notarization credentials
        env:
          APPLE_ID: ${{ secrets.APPLE_ID }}
          APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
          APP_SPECIFIC_PASSWORD: ${{ secrets.APP_SPECIFIC_PASSWORD }}
        run: |
          xcrun notarytool store-credentials "FreeWispr-notarize" \
            --apple-id "$APPLE_ID" \
            --team-id "$APPLE_TEAM_ID" \
            --password "$APP_SPECIFIC_PASSWORD"

      - name: Build release binary
        run: |
          cd FreeWispr
          swift build -c release --arch arm64

      - name: Assemble .app bundle
        run: |
          APP_NAME="FreeWispr"
          VERSION="${{ steps.version.outputs.VERSION }}"
          BUILD_DIR="build"
          APP_BUNDLE="$BUILD_DIR/$APP_NAME.app"

          mkdir -p "$APP_BUNDLE/Contents/MacOS"
          mkdir -p "$APP_BUNDLE/Contents/Resources"

          cp "FreeWispr/.build/arm64-apple-macosx/release/$APP_NAME" "$APP_BUNDLE/Contents/MacOS/$APP_NAME"
          cp "FreeWispr/Sources/$APP_NAME/Info.plist" "$APP_BUNDLE/Contents/Info.plist"
          cp "FreeWispr/Sources/$APP_NAME/Resources/AppIcon.icns" "$APP_BUNDLE/Contents/Resources/"
          cp -R "FreeWispr/.build/arm64-apple-macosx/release/${APP_NAME}_${APP_NAME}.bundle" "$APP_BUNDLE/Contents/Resources/"

          /usr/libexec/PlistBuddy -c "Set :CFBundleShortVersionString $VERSION" "$APP_BUNDLE/Contents/Info.plist"
          /usr/libexec/PlistBuddy -c "Set :CFBundleVersion $VERSION" "$APP_BUNDLE/Contents/Info.plist"

      - name: Code sign
        run: |
          codesign --force --deep \
            --sign "$SIGNING_IDENTITY" \
            --options runtime \
            --entitlements "FreeWispr/FreeWispr.entitlements" \
            --timestamp \
            "build/FreeWispr.app"

      - name: Notarize
        run: |
          # Zip for notarization
          ditto -c -k --keepParent "build/FreeWispr.app" "build/FreeWispr-notarize.zip"

          xcrun notarytool submit "build/FreeWispr-notarize.zip" \
            --keychain-profile "FreeWispr-notarize" \
            --wait

          rm -f "build/FreeWispr-notarize.zip"

          # Staple the ticket
          xcrun stapler staple "build/FreeWispr.app"

      - name: Create DMG
        run: |
          APP_NAME="FreeWispr"
          VERSION="${{ steps.version.outputs.VERSION }}"
          DMG_PATH="build/$APP_NAME-$VERSION.dmg"
          DMG_STAGING="build/dmg-staging"

          mkdir -p "$DMG_STAGING"
          cp -R "build/$APP_NAME.app" "$DMG_STAGING/"
          ln -s /Applications "$DMG_STAGING/Applications"

          hdiutil create \
            -volname "$APP_NAME" \
            -srcfolder "$DMG_STAGING" \
            -ov \
            -format UDZO \
            "$DMG_PATH"

          rm -rf "$DMG_STAGING"

          # Sign the DMG too
          codesign --force --sign "$SIGNING_IDENTITY" --timestamp "$DMG_PATH"

      - name: Attest build provenance
        uses: actions/attest-build-provenance@v2
        with:
          subject-path: 'build/FreeWispr-${{ steps.version.outputs.VERSION }}.dmg'

      - name: Create GitHub Release
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          VERSION="${{ steps.version.outputs.VERSION }}"
          gh release create "$GITHUB_REF_NAME" \
            "build/FreeWispr-$VERSION.dmg" \
            --title "FreeWispr v$VERSION" \
            --generate-notes

      - name: Clean up keychain
        if: always()
        run: |
          KEYCHAIN_PATH="$RUNNER_TEMP/signing.keychain-db"
          security delete-keychain "$KEYCHAIN_PATH" 2>/dev/null || true