macos codesign entitlements #8
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Build and Release (macOS) | |
| on: | |
| push: | |
| tags: | |
| - '*' | |
| permissions: | |
| contents: write | |
| jobs: | |
| build-macos: | |
| runs-on: macos-latest | |
| # 1) Add a matrix strategy for x86_64 and aarch64 | |
| strategy: | |
| matrix: | |
| arch: [ x86_64, aarch64 ] | |
| env: | |
| # Build constants | |
| TARGET: macos | |
| # 2) Instead of hard-coding ARCH=x86_64, use matrix.arch | |
| ARCH: ${{ matrix.arch }} | |
| VERSION: ${{ github.ref_name }} | |
| # Build dir | |
| APP_DIR: /Users/runner/work/ore-app/ore-app/dist/OreApp.app | |
| # AWS publish constants | |
| AWS_REGION: us-east-1 | |
| S3_BUCKET_NAME: ore-app-xyz | |
| steps: | |
| # 1) Check out code | |
| - name: Check out code | |
| uses: actions/checkout@v3 | |
| # 2) Cache Cargo registry | |
| - name: Cache Cargo registry | |
| uses: actions/cache@v3 | |
| with: | |
| path: ~/.cargo/registry | |
| key: ${{ runner.os }}-cargo-registry-${{ hashFiles('**/Cargo.lock') }} | |
| restore-keys: | | |
| ${{ runner.os }}-cargo-registry- | |
| # 3) Cache target directory | |
| - name: Cache target directory | |
| uses: actions/cache@v3 | |
| with: | |
| path: target | |
| key: ${{ runner.os }}-cargo-target-${{ hashFiles('**/Cargo.lock') }} | |
| restore-keys: | | |
| ${{ runner.os }}-cargo-target- | |
| # 4) Install Rust (stable) | |
| - name: Install Rust | |
| uses: dtolnay/rust-toolchain@stable | |
| with: | |
| profile: minimal | |
| override: true | |
| # 5) Add Rust target based on matrix.arch | |
| - name: Add Rust target | |
| run: | | |
| rustup target add ${{ matrix.arch }}-apple-darwin | |
| # 6) Install CLI tools | |
| - name: Install dioxus-cli and cargo-packager | |
| run: | | |
| cargo install [email protected] [email protected] | |
| # 7) Build & Package for whichever arch is active | |
| - name: Build and Package | |
| run: | | |
| # Use the matrix.arch in CARGO_BUILD_TARGET | |
| CARGO_BUILD_TARGET=${{ matrix.arch }}-apple-darwin \ | |
| dx bundle --platform desktop --package-types macos --release | |
| # 8) Import Developer ID Certificate | |
| - name: Import Developer ID cert | |
| run: | | |
| echo "$DEVID_CERT_BASE64" | base64 --decode > developer_id.p12 | |
| security create-keychain -p "" build.keychain | |
| security default-keychain -s build.keychain | |
| security unlock-keychain -p "" build.keychain | |
| security import developer_id.p12 -k ~/Library/Keychains/build.keychain -P "$DEVID_CERT_PASSWORD" -T /usr/bin/codesign | |
| security set-key-partition-list -S apple-tool:,apple: -s -k "" ~/Library/Keychains/build.keychain | |
| env: | |
| DEVID_CERT_BASE64: ${{ secrets.DEVID_CERT_BASE64 }} | |
| DEVID_CERT_PASSWORD: ${{ secrets.DEVID_CERT_PASSWORD }} | |
| # 9) Sign the .app | |
| - name: Code-sign .app | |
| run: | | |
| codesign --deep --force --verify --verbose --options runtime \ | |
| --sign "Developer ID Application: $DEVID_NAME ($DEVID_TEAM_ID)" \ | |
| --entitlements .github/macos/entitlements.plist \ | |
| "${{ env.APP_DIR }}" | |
| env: | |
| DEVID_NAME: ${{ secrets.DEVID_NAME }} | |
| DEVID_TEAM_ID: ${{ secrets.DEVID_TEAM_ID }} | |
| # 10) Notarize the signed .app | |
| - name: Notarize app | |
| run: | | |
| brew install jq || true | |
| set -euxo pipefail | |
| ZIP_FILE="ORE_${{ env.VERSION }}.app.zip" | |
| /usr/bin/zip -r "$ZIP_FILE" "${{ env.APP_DIR }}" | |
| xcrun notarytool submit "$ZIP_FILE" \ | |
| --apple-id "$NOTARIZE_APPLE_ID" \ | |
| --team-id "$DEVID_TEAM_ID" \ | |
| --password "$NOTARIZE_APP_PASSWORD" \ | |
| --verbose \ | |
| --wait | |
| xcrun stapler staple "${{ env.APP_DIR }}" | |
| env: | |
| NOTARIZE_APPLE_ID: ${{ secrets.NOTARIZE_APPLE_ID }} | |
| NOTARIZE_APP_PASSWORD: ${{ secrets.NOTARIZE_APP_PASSWORD }} | |
| DEVID_TEAM_ID: ${{ secrets.DEVID_TEAM_ID }} | |
| # 11) Configure AWS credentials | |
| - name: Configure AWS credentials | |
| uses: aws-actions/configure-aws-credentials@v3 | |
| with: | |
| aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} | |
| aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | |
| aws-region: ${{ env.AWS_REGION }} | |
| # 12) Use arch in S3 path & filename so each build is unique | |
| - name: Package and Upload | |
| run: | | |
| TAR_FILE="ORE_${{ env.VERSION }}.app.tar.gz" | |
| tar -czf "$TAR_FILE" -C "$(dirname "${{ env.APP_DIR }}")" "$(basename "${{ env.APP_DIR }}")" | |
| # Distinguish x86_64 vs aarch64 in final name (and path) | |
| if [ "${{ env.ARCH }}" = "x86_64" ]; then | |
| OUT_ARCH="x64" | |
| else | |
| OUT_ARCH="aarch64" | |
| fi | |
| aws s3 cp "$TAR_FILE" \ | |
| "s3://${{ env.S3_BUCKET_NAME }}/${{ env.TARGET }}/${{ env.ARCH }}/${{ env.VERSION }}/ore_${{ env.VERSION }}_${OUT_ARCH}.app.tar.gz" | |
| # 13) Print link for each arch | |
| - name: Print S3 download link | |
| run: | | |
| if [ "${{ env.ARCH }}" = "x86_64" ]; then | |
| OUT_ARCH="x64" | |
| else | |
| OUT_ARCH="aarch64" | |
| fi | |
| echo "Download macOS artifact for $OUT_ARCH at:" | |
| echo "https://${{ env.S3_BUCKET_NAME }}.s3.amazonaws.com/${{ env.TARGET }}/${{ env.ARCH }}/${{ env.VERSION }}/ore_${{ env.VERSION }}_${OUT_ARCH}.app.tar.gz" |