Skip to content

Code sign macOS binaries #61

Code sign macOS binaries

Code sign macOS binaries #61

Workflow file for this run

name: Build
on:
push:
pull_request:
jobs:
test:
runs-on: ${{ matrix.os }}
strategy:
matrix:
os: [macos-latest, ubuntu-latest]
steps:
- uses: actions/checkout@v4
- name: Build and test
run: |
mkdir build
cd build
cmake ..
make
make check
package-source:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Make source tarball
run: |
./autogen.sh
./configure && make distcheck
- name: Archive production artifacts
uses: actions/upload-artifact@v4
with:
name: libdiscid-source
path: libdiscid-*.tar.gz
package-windows:
runs-on: windows-2019
env:
GENERATOR: Visual Studio 16 2019
CODESIGN: ${{ !!secrets.AZURE_CERT_PROFILE_NAME }}
steps:
- uses: actions/checkout@v4
- name: Prepare package
run: |
mkdir artifacts
cp .\COPYING artifacts
cp .\README artifacts
cp .\ChangeLog artifacts
- name: Build x64
run: |
mkdir _build_$env:ARCH
cd _build_$env:ARCH
cmake -G $env:GENERATOR -A $env:ARCH ..
cmake --build . --config Release
mkdir ..\artifacts\$env:ARCH
cp .\Release\* ..\artifacts\$env:ARCH
cp -R .\include ..\artifacts
env:
ARCH: x64
- name: Build Win32
run: |
mkdir _build_$env:ARCH
cd _build_$env:ARCH
cmake -G $env:GENERATOR -A $env:ARCH ..
cmake --build . --config Release
mkdir ..\artifacts\$env:ARCH
cp .\Release\* ..\artifacts\$env:ARCH
env:
ARCH: Win32
- name: Code signing binaries
uses: azure/[email protected]
if: env.CODESIGN == 'true'
with:
azure-tenant-id: ${{ secrets.AZURE_TENANT_ID }}
azure-client-id: ${{ secrets.AZURE_CLIENT_ID }}
azure-client-secret: ${{ secrets.AZURE_CLIENT_SECRET }}
endpoint: ${{ secrets.AZURE_ENDPOINT }}
trusted-signing-account-name: ${{ secrets.AZURE_CODE_SIGNING_NAME }}
certificate-profile-name: ${{ secrets.AZURE_CERT_PROFILE_NAME }}
files-folder: artifacts
files-folder-filter: exe,dll
files-folder-recurse: true
timestamp-rfc3161: http://timestamp.acs.microsoft.com
timestamp-digest: SHA256
- name: Archive production artifacts
uses: actions/upload-artifact@v4
with:
name: libdiscid-windows
path: artifacts/
- name: Test x64
run: |
cd _build_x64
cmake --build . --config Release --target test_core test_put test_read test_read_full
.\Release\test_core.exe
.\Release\test_put.exe
- name: Test Win32
run: |
cd _build_Win32
cmake --build . --config Release --target test_core test_put test_read test_read_full
.\Release\test_core.exe
.\Release\test_put.exe
package-macos:
runs-on: macos-13
env:
MACOSX_DEPLOYMENT_TARGET: "10.10"
CODESIGN: ${{ !!secrets.CODESIGN_MACOS_P12_URL }}
steps:
- uses: actions/checkout@v4
- name: Cache apple-codesign
uses: actions/cache@v2
with:
path: |
~/.cargo/bin
~/.cargo/git
~/.cargo/registry
key: ${{ runner.os }}-cargo }}
- name: Build
run: |
mkdir build
cd build
cmake -DCMAKE_BUILD_TYPE=Release -D "CMAKE_OSX_ARCHITECTURES=arm64;x86_64" ..
make
lipo libdiscid.0.dylib -verify_arch arm64 x86_64
- name: Package
run: |
cd build
mkdir -p artifacts/universal2
cp -Lv libdiscid.0.dylib artifacts/universal2/
for arch in arm64 x86_64; do
mkdir -p "artifacts/${arch}"
lipo artifacts/universal2/libdiscid.0.dylib \
-thin $arch \
-output artifacts/${arch}/libdiscid.0.dylib
done
cp -Rv include artifacts/
cp -v ../COPYING ../README ../ChangeLog artifacts
- name: Prepare code signing certificate
if: env.CODESIGN == 'true'
run: |
pip3 install awscli
aws s3 cp "$CODESIGN_MACOS_P12_URL" ./appledev.p12
cargo install apple-codesign
env:
AWS_DEFAULT_REGION: eu-central-1
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
CODESIGN_MACOS_P12_URL: ${{ secrets.CODESIGN_MACOS_P12_URL }}
- name: Code signing binaries
if: env.CODESIGN == 'true'
run: |
for arch in arm64 x86_64 universal2; do
rcodesign sign \
--p12-file appledev.p12 \
--p12-password "$CODESIGN_MACOS_P12_PASSWORD" \
build/artifacts/${arch}/libdiscid.0.dylib
done
env:
CODESIGN_MACOS_P12_PASSWORD: ${{ secrets.CODESIGN_MACOS_P12_PASSWORD }}
- name: Archive production artifacts
uses: actions/upload-artifact@v4
with:
name: libdiscid-macos
path: build/artifacts
- name: Code signing cleanup
run: rm ./appledev.p12
release:
runs-on: ubuntu-latest
if: startsWith(github.ref, 'refs/tags/v')
needs:
- test
- package-source
- package-macos
- package-windows
steps:
- uses: actions/checkout@v4
- name: Set version
run: |
TAG=${GITHUB_REF##*/}
echo "VERSION=$(echo $TAG | sed 's/^v//')" >> $GITHUB_ENV
- uses: actions/download-artifact@v4
with:
name: libdiscid-windows
path: artifacts/libdiscid-${{ env.VERSION }}-win/
- uses: actions/download-artifact@v4
with:
name: libdiscid-macos
path: artifacts/libdiscid-${{ env.VERSION }}-mac/
- uses: actions/download-artifact@v4
with:
name: libdiscid-source
path: artifacts/release/
- name: Make zips
run: |
cd artifacts/
dirs=$(find . -name 'libdiscid-*' -type d)
for dir in $dirs; do
name=$(basename $dir)
zip -r release/$name.zip $dir/*
done
- name: Generate checksums
run: |
cd artifacts/release/
sha256sum * > SHA256SUMS
- name: Release
uses: softprops/action-gh-release@v2
with:
files: artifacts/release/*
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}