sign mac executables
Roy Razon committed Jan 10, 2024
1 parent 0beb432 commit 783c035
Showing 2 changed files with 185 additions and 8 deletions.
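--- /dev/null
+++ b/.github/workflows/gh-release.bak.yaml
@@ -0,0 +1,78 @@
+# release package
+name: Github Release
+
+on:
+workflow_dispatch:
+push:
+tags:
+- "v*.*.*"
+
+jobs:
+build-binaries:
+runs-on: macos-latest
+permissions:
+contents: read
+id-token: write
+strategy:
+matrix:
+arch: [x64,arm64]
+platform: [linux,macos,win]
+exclude:
+- platform: win
+arch: arm64
+
+steps:
+- name: Checkout
+uses: actions/checkout@v4
+- uses: depot/setup-action@v1
+with:
+oidc: true
+
+- name: Build using Docker (with depot)
+run: mkdir preevy-bin && depot build --project ${{ vars.DEPOT_PROJECT_ID }} --build-arg CLI_TARGET=${{ matrix.platform }}-${{ matrix.arch }} -f Dockerfile.cli --target=cli --output=type=tar,dest=./preevy-bin/preevy-${{ matrix.platform }}-${{ matrix.arch }}.tar --progress=plain --platform=linux/${{ matrix.arch == 'x64' && 'amd64' || matrix.arch }} .
+
+- uses: apple-actions/import-codesign-certs@v2
+if: ${{ matrix.platform == 'macos' }}
+with:
+p12-file-base64: ${{ secrets.APPLE_CERT_DATA }}
+p12-password: ${{ secrets.APPLE_CERT_PASS }}
+
+- name: Sign mac binaries
+if: ${{ matrix.platform == 'macos' }}
+env:
+CERT_CN: ${{ vars.APPLE_CERT_CN }}
+run: |
+tar -xf ./preevy-bin/preevy-${{ matrix.platform }}-${{ matrix.arch }}.tar
+codesign --remove-signature ./preevy
+security find-identity -v
+codesign --verbose=4 --sign "$CERT_CN" ./preevy
+tar -cf ./preevy-bin/preevy-${{ matrix.platform }}-${{ matrix.arch }}.tar ./preevy
+- name: Upload artifacts
+uses: actions/upload-artifact@v4
+with:
+name: preevy-bin-${{ matrix.platform }}-${{ matrix.arch }}
+path: ./preevy-bin/**
+
+release:
+runs-on: ubuntu-latest
+needs: build-binaries
+steps:
+- name: Checkout
+uses: actions/checkout@v4
+- uses: depot/setup-action@v1
+- name: Download artifacts
+uses: actions/download-artifact@v4
+with:
+pattern: preevy-bin-*
+path: ./preevy-bin
+merge-multiple: true
+
+- name: Release
+uses: softprops/action-gh-release@v1
+with:
+generate_release_notes: true
+draft: ${{ !startsWith(github.ref, 'refs/tags/') }}
+prerelease: ${{ !startsWith(github.ref, 'refs/tags/') }}
+files: |
+./preevy-bin/**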
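Review bot: A file named `gh-release.bak.yaml` placed under `.github/workflows/` is not a dormant backup — GitHub treats every `.yml`/`.yaml` in that directory as a live workflow, and this one keeps `on: push: tags: - "v*.*.*"` plus `workflow_dispatch`, so the next release tag will run it alongside `gh-release.yaml` and publish a second release through `softprops/action-gh-release@v1`. If it must be kept for reference, move it out of `.github/workflows/` (for example `.github/workflows-archive/gh-release.bak.yaml`) or delete the `on:` block so it cannot trigger. Its `release` job also declares no `permissions:` of its own, so it inherits the repository's default token scopes instead of the minimal `permissions: contents: write` that job needs; and the `Sign mac binaries` step here signs with `codesign --verbose=4 --sign "$CERT_CN" ./preevy` without `--options runtime` or `--timestamp`, which is weaker than the hardened-runtime signing in the main workflow and presumably would not pass notarization — confirm before relying on either copy.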
115 changes: 107 additions & 8 deletions .github/workflows/gh-release.yaml
Expand Up @@ -8,23 +8,17 @@ on:
- "v*.*.*"

jobs:
build-binaries:
build-tarballs:
runs-on: ubuntu-latest
permissions:
contents: write
id-token: write
contents: read
env:
TARBALL_TARGETS: linux-x64,linux-arm64,darwin-x64,darwin-arm64,win32-x64

steps:
- name: Checkout
uses: actions/checkout@v4

- uses: aws-actions/configure-aws-credentials@v4
with:
role-to-assume: ${{ secrets.AWS_ROLE }}
aws-region: us-west-2

- uses: actions/setup-node@v4
with:
node-version: '18.x'
Expand All @@ -51,10 +45,115 @@ jobs:
working-directory: packages/cli
run: yarn oclif pack tarballs --parallel --no-xz --targets $TARBALL_TARGETS

- name: Upload tarballs artifact
uses: actions/upload-artifact@v4
with:
name: preevy-tarballs
path: ./packages/cli/dist/preevy-v*
if-no-files-found: error
retention-days: 1
compression-level: 0

sign-mac-binaries:
runs-on: macos-latest
needs: build-tarballs
permissions:
contents: read

steps:
- name: Checkout
uses: actions/checkout@v4

- name: Download artifacts
uses: actions/download-artifact@v4
with:
name: preevy-tarballs
path: packages/cli/dist/

- uses: apple-actions/import-codesign-certs@v2
with:
p12-file-base64: ${{ secrets.APPLE_CERT_DATA }}
p12-password: ${{ secrets.APPLE_CERT_PASS }}

- name: Sign mac binaries
working-directory: packages/cli/dist
env:
CERT_CN: ${{ vars.APPLE_CERT_CN }}
run: |
work_dir="${RUNNER_TEMP}/preevy-package"
security find-identity -v
for tarball in $(find . -name 'preevy-v*-darwin-*.tar.gz' -type f -maxdepth 1); do
rm -rf "${work_dir}"
mkdir -p "${work_dir}"
echo "Extracting $tarball to ${work_dir}"
tar -xf "$tarball" -C "${work_dir}"
for binfile in "${work_dir}/preevy/bin/preevy" "${work_dir}/preevy/bin/node"; do
codesign --remove-signature "$binfile"
codesign --verbose=4 --sign "$CERT_CN" --options runtime "$binfile"
codesign -dvv "$binfile"
done
rm "$tarball"
tar -czf "$tarball" -C "${work_dir}" .
done
- name: Upload signed tarballs artifact
uses: actions/upload-artifact@v4
with:
name: preevy-tarballs-signed
path: ./packages/cli/dist/preevy-v*
if-no-files-found: error
retention-days: 1
compression-level: 0

upload-tarballs-to-s3:
runs-on: ubuntu-latest
needs: sign-mac-binaries
permissions:
contents: read
id-token: write
steps:
- name: Checkout
uses: actions/checkout@v4

- uses: aws-actions/configure-aws-credentials@v4
with:
role-to-assume: ${{ secrets.AWS_ROLE }}
aws-region: us-west-2

- uses: actions/setup-node@v4
with:
node-version: '18.x'
cache: yarn

- run: yarn

- name: Download artifacts
uses: actions/download-artifact@v4
with:
name: preevy-tarballs-signed
path: packages/cli/dist/

- name: Upload tarballs
working-directory: packages/cli
run: yarn oclif upload tarballs --no-xz --targets $TARBALL_TARGETS

create-gh-release:
runs-on: ubuntu-latest
needs: sign-mac-binaries
permissions:
contents: write
steps:
- name: Checkout
uses: actions/checkout@v4

- name: Download artifacts
uses: actions/download-artifact@v4
with:
name: preevy-tarballs-signed
path: packages/cli/dist/

- name: Rename tarballs
# if: startsWith(github.ref, 'refs/tags/')
working-directory: packages/cli/dist
