From 783c03593254b9df04a8d539306950cac4104423 Mon Sep 17 00:00:00 2001
From: Roy Razon
Date: Wed, 10 Jan 2024 15:46:33 +0200
Subject: [PATCH] sign mac executables
---
.github/workflows/gh-release.bak.yaml | 78 +++++++++++++++++
.github/workflows/gh-release.yaml | 115 ++++++++++++++++++++++++--
2 files changed, 185 insertions(+), 8 deletions(-)
create mode 100644 .github/workflows/gh-release.bak.yaml
diff --git a/.github/workflows/gh-release.bak.yaml b/.github/workflows/gh-release.bak.yaml
new file mode 100644
index 00000000..9376a0aa
--- /dev/null
+++ b/.github/workflows/gh-release.bak.yaml
@@ -0,0 +1,78 @@
+# release package
+name: Github Release
+
+on:
+ workflow_dispatch:
+ push:
+ tags:
+ - "v*.*.*"
+
+jobs:
+ build-binaries:
+ runs-on: macos-latest
+ permissions:
+ contents: read
+ id-token: write
+ strategy:
+ matrix:
+ arch: [x64,arm64]
+ platform: [linux,macos,win]
+ exclude:
+ - platform: win
+ arch: arm64
+
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+ - uses: depot/setup-action@v1
+ with:
+ oidc: true
+
+ - name: Build using Docker (with depot)
+ run: mkdir preevy-bin && depot build --project ${{ vars.DEPOT_PROJECT_ID }} --build-arg CLI_TARGET=${{ matrix.platform }}-${{ matrix.arch }} -f Dockerfile.cli --target=cli --output=type=tar,dest=./preevy-bin/preevy-${{ matrix.platform }}-${{ matrix.arch }}.tar --progress=plain --platform=linux/${{ matrix.arch == 'x64' && 'amd64' || matrix.arch }} .
+
+ - uses: apple-actions/import-codesign-certs@v2
+ if: ${{ matrix.platform == 'macos' }}
+ with:
+ p12-file-base64: ${{ secrets.APPLE_CERT_DATA }}
+ p12-password: ${{ secrets.APPLE_CERT_PASS }}
+
+ - name: Sign mac binaries
+ if: ${{ matrix.platform == 'macos' }}
+ env:
+ CERT_CN: ${{ vars.APPLE_CERT_CN }}
+ run: |
+ tar -xf ./preevy-bin/preevy-${{ matrix.platform }}-${{ matrix.arch }}.tar
+ codesign --remove-signature ./preevy
+ security find-identity -v
+ codesign --verbose=4 --sign "$CERT_CN" ./preevy
+ tar -cf ./preevy-bin/preevy-${{ matrix.platform }}-${{ matrix.arch }}.tar ./preevy
+
+ - name: Upload artifacts
+ uses: actions/upload-artifact@v4
+ with:
+ name: preevy-bin-${{ matrix.platform }}-${{ matrix.arch }}
+ path: ./preevy-bin/**
+
+ release:
+ runs-on: ubuntu-latest
+ needs: build-binaries
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+ - uses: depot/setup-action@v1
+ - name: Download artifacts
+ uses: actions/download-artifact@v4
+ with:
+ pattern: preevy-bin-*
+ path: ./preevy-bin
+ merge-multiple: true
+
+ - name: Release
+ uses: softprops/action-gh-release@v1
+ with:
+ generate_release_notes: true
+ draft: ${{ 
!startsWith(github.ref, 'refs/tags/') }} + prerelease: ${{ !startsWith(github.ref, 'refs/tags/') }} + files: | + ./preevy-bin/** diff --git a/.github/workflows/gh-release.yaml b/.github/workflows/gh-release.yaml index 83d6ce6c..4b0e6843 100644 --- a/.github/workflows/gh-release.yaml +++ b/.github/workflows/gh-release.yaml @@ -8,11 +8,10 @@ on: - "v*.*.*" jobs: - build-binaries: + build-tarballs: runs-on: ubuntu-latest permissions: - contents: write - id-token: write + contents: read env: TARBALL_TARGETS: linux-x64,linux-arm64,darwin-x64,darwin-arm64,win32-x64 @@ -20,11 +19,6 @@ jobs: - name: Checkout uses: actions/checkout@v4 - - uses: aws-actions/configure-aws-credentials@v4 - with: - role-to-assume: ${{ secrets.AWS_ROLE }} - aws-region: us-west-2 - - uses: actions/setup-node@v4 with: node-version: '18.x' 
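Review bot: `gh-release.bak.yaml` is committed under `.github/workflows/`, and GitHub Actions registers every `.yml`/`.yaml` file in that directory, so this backup is a live workflow: it shares the `v*.*.*` tag trigger with `gh-release.yaml`, would run a second depot build with `id-token: write`, and its `release` job would try to publish a second GitHub release from the same tag. If the file is kept for reference, move it out of `.github/workflows/` (or give it a non-YAML extension); if it must stay there, remove the `push:` trigger so it can only be started via `workflow_dispatch:`. Its `release` job also declares no `permissions:` block, so it runs with the repository's default token scope rather than the explicit `contents: write` the main workflow grants to its release job.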
@@ -51,10 +45,115 @@ jobs:
 working-directory: packages/cli
 run: yarn oclif pack tarballs --parallel --no-xz --targets $TARBALL_TARGETS
+ - name: Upload tarballs artifact
+ uses: actions/upload-artifact@v4
+ with:
+ name: preevy-tarballs
+ path: ./packages/cli/dist/preevy-v*
+ if-no-files-found: error
+ retention-days: 1
+ compression-level: 0
+
+ sign-mac-binaries:
+ runs-on: macos-latest
+ needs: build-tarballs
+ permissions:
+ contents: read
+
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+
+ - name: Download artifacts
+ uses: actions/download-artifact@v4
+ with:
+ name: preevy-tarballs
+ path: packages/cli/dist/
+
+ - uses: apple-actions/import-codesign-certs@v2
+ with:
+ p12-file-base64: ${{ secrets.APPLE_CERT_DATA }}
+ p12-password: ${{ secrets.APPLE_CERT_PASS }}
+
+ - name: Sign mac binaries
+ working-directory: packages/cli/dist
+ env:
+ CERT_CN: ${{ vars.APPLE_CERT_CN }}
+ run: |
+ work_dir="${RUNNER_TEMP}/preevy-package"
+
+ security find-identity -v
+
+ for tarball in $(find . -name 'preevy-v*-darwin-*.tar.gz' -type f -maxdepth 1); do
+ rm -rf "${work_dir}"
+ mkdir -p "${work_dir}"
+ echo "Extracting $tarball to ${work_dir}"
+ tar -xf "$tarball" -C "${work_dir}"
+ for binfile in "${work_dir}/preevy/bin/preevy" "${work_dir}/preevy/bin/node"; do
+ codesign --remove-signature "$binfile"
+ codesign --verbose=4 --sign "$CERT_CN" --options runtime "$binfile"
+ codesign -dvv "$binfile"
+ done
+ rm "$tarball"
+ tar -czf "$tarball" -C "${work_dir}" .
+ done
+
+ - name: Upload signed tarballs artifact
+ uses: actions/upload-artifact@v4
+ with:
+ name: preevy-tarballs-signed
+ path: ./packages/cli/dist/preevy-v*
+ if-no-files-found: error
+ retention-days: 1
+ compression-level: 0
+
+ upload-tarballs-to-s3:
+ runs-on: ubuntu-latest
+ needs: sign-mac-binaries
+ permissions:
+ contents: read
+ id-token: write
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+
+ - uses: aws-actions/configure-aws-credentials@v4
+ with:
+ role-to-assume: ${{ secrets.AWS_ROLE }}
+ aws-region: us-west-2
+
+ - uses: actions/setup-node@v4
+ with:
+ node-version: '18.x'
+ cache: yarn
+
+ - run: yarn
+
+ - name: Download artifacts
+ uses: actions/download-artifact@v4
+ with:
+ name: preevy-tarballs-signed
+ path: packages/cli/dist/
+ - name: Upload tarballs working-directory: packages/cli run: yarn oclif upload tarballs --no-xz --targets $TARBALL_TARGETS
+ create-gh-release:
+ runs-on: ubuntu-latest
+ needs: sign-mac-binaries
+ permissions:
+ contents: write
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+
+ - name: Download artifacts
+ uses: actions/download-artifact@v4
+ with:
+ name: preevy-tarballs-signed
+ path: packages/cli/dist/
+ - name: Rename tarballs # if: startsWith(github.ref, 'refs/tags/') working-directory: packages/cli/dist
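Review bot: In the `Sign mac binaries` step the darwin tarballs are rewritten by `tar -czf "$tarball" -C "${work_dir}" .`, but nothing refreshes the `-buildmanifest` JSON that `oclif pack tarballs` writes beside each tarball (it matches the same `preevy-v*` glob and records the archive's `sha256gz`), so the digest that `oclif upload tarballs` publishes and the CLI updater checks will presumably no longer match the signed archive — after repacking, recompute the hash with `shasum -a 256 "$tarball"` and write it back into that manifest, failing the job if no manifest is found. The repack also changes the archive: the input was extracted under `preevy/` (see the `${work_dir}/preevy/bin/...` paths) while the output is rebuilt from `.`, and macOS tar may add AppleDouble `._` entries for files carrying extended attributes, so prefer `COPYFILE_DISABLE=1 tar -czf "$tarball" -C "${work_dir}" preevy` to keep the original layout. The new signature carries no secure timestamp, which Apple requires for notarization; add `--timestamp` next to `--options runtime`. Finally, `codesign -dvv "$binfile"` only prints the signature, whereas `codesign --verify --strict --verbose=2 "$binfile"` would make the step fail on an invalid one.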