ci: update release workflow (#22)

* set CODE_SIGN_IDENTITY * use xcrun * use installer package * import both certs * restore notary jobs * designate appropriate signing identity * clean up release workflow
willswire · Sep 24, 2024 · 34e1ddb · 34e1ddb
1 parent 7bfe40c
commit 34e1ddb
Show file tree

Hide file tree

Showing 3 changed files with 68 additions and 45 deletions.
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -1,19 +1,10 @@
 name: Release
 
 on:
-  workflow_dispatch:
   push:
     tags:
       - "v*"
 
-env:
-  DESTINATION: platform=macOS,arch=arm64
-  SCHEME: Cosmic
-  XCODE_PATH: /Applications/Xcode_16.0.app/Contents/Developer
-  PKL_VERSION: 0.26.3
-  PKL_ARCH: macos-aarch64
-  ARCHIVE: cosmic.xcarchive
-
 jobs:
   build_with_signing:
     name: Build & Sign
@@ -24,31 +15,28 @@ jobs:
 
       - name: Install the Apple certificate and provisioning profile
         env:
-          BUILD_CERTIFICATE_BASE64: ${{ secrets.BUILD_CERTIFICATE_BASE64 }}
+          APPLICATON_CERTIFICATE_BASE64: ${{ secrets.APPLICATON_CERTIFICATE_BASE64 }}
+          INSTALLER_CERTIFICATE_BASE64: ${{ secrets.INSTALLER_CERTIFICATE_BASE64 }}
           P12_PASSWORD: ${{ secrets.P12_PASSWORD }}
           BUILD_PROVISION_PROFILE_BASE64: ${{ secrets.BUILD_PROVISION_PROFILE_BASE64 }}
           KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }}
         run: |
-          # create variables
-          CERTIFICATE_PATH=$RUNNER_TEMP/build_certificate.p12
+          APPLICATION_CERTIFICATE_PATH=$RUNNER_TEMP/application_certificate.p12
+          INSTALLER_CERTIFICATE_PATH=$RUNNER_TEMP/installer_certificate.p12
           PP_PATH=$RUNNER_TEMP/build_pp.provisionprofile
           KEYCHAIN_PATH=$RUNNER_TEMP/app-signing.keychain-db
 
-          # import certificate and provisioning profile from secrets
-          echo -n "$BUILD_CERTIFICATE_BASE64" | base64 --decode -o $CERTIFICATE_PATH
+          echo -n "$APPLICATON_CERTIFICATE_BASE64" | base64 --decode -o $APPLICATION_CERTIFICATE_PATH
+          echo -n "$INSTALLER_CERTIFICATE_BASE64" | base64 --decode -o $INSTALLER_CERTIFICATE_PATH
           echo -n "$BUILD_PROVISION_PROFILE_BASE64" | base64 --decode -o $PP_PATH
 
-          # create temporary keychain
           security create-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
           security set-keychain-settings -lut 21600 $KEYCHAIN_PATH
           security unlock-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
-
-          # import certificate to keychain
-          security import $CERTIFICATE_PATH -P "$P12_PASSWORD" -A -t cert -f pkcs12 -k $KEYCHAIN_PATH
+          security import $APPLICATION_CERTIFICATE_PATH -P "$P12_PASSWORD" -A -t cert -f pkcs12 -k $KEYCHAIN_PATH
+          security import $INSTALLER_CERTIFICATE_PATH -P "$P12_PASSWORD" -A -t cert -f pkcs12 -k $KEYCHAIN_PATH
           security set-key-partition-list -S apple-tool:,apple: -k "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
           security list-keychain -d user -s $KEYCHAIN_PATH
-
-          # apply provisioning profile
           mkdir -p ~/Library/MobileDevice/Provisioning\ Profiles
           cp $PP_PATH ~/Library/MobileDevice/Provisioning\ Profiles
 
@@ -58,12 +46,50 @@ jobs:
           chmod +x pkl
           sudo mv pkl /usr/local/bin/pkl
           pkl --version
+        env:
+          PKL_VERSION: 0.26.3
+          PKL_ARCH: macos-aarch64
 
       - name: Select Xcode version
         run: sudo xcode-select -s "${XCODE_PATH}"
+        env:
+          XCODE_PATH: /Applications/Xcode_16.0.app/Contents/Developer
 
       - name: Archive
-        run: xcodebuild archive -scheme "$SCHEME" -destination "$DESTINATION" -archivePath "$ARCHIVE" PROVISIONING_PROFILE="~/Library/MobileDevice/Provisioning\ Profiles/build_pp.provisionprofile" | xcpretty && exit ${PIPESTATUS[0]}
+        run: xcrun xcodebuild clean archive -scheme "$SCHEME" -destination "$DESTINATION" -archivePath "$ARCHIVE"
+        env:
+          PROVISIONING_PROFILE: "~/Library/MobileDevice/Provisioning\ Profiles/build_pp.provisionprofile"
+          DESTINATION: platform=macOS,arch=arm64
+          SCHEME: Cosmic
+          ARCHIVE: Cosmic.xcarchive
+
+      - name: Build installer package
+        run: |
+          pkgbuild --root "Cosmic.xcarchive/Products" \
+            --identifier "com.willswire.Cosmic" \
+            --version "${{ github.ref }}" \
+            --install-location "/" \
+            --sign="Developer ID Installer: William Walker (QSQY64SHJ5)" \
+            cosmic.pkg
+
+      - name: Notarize package
+        run: |
+          APP_STORE_CONNECT_KEY_PATH=$RUNNER_TEMP/key.p8
+
+          echo -n "$APP_STORE_CONNECT_KEY_BASE64" | base64 --decode -o $APP_STORE_CONNECT_KEY_PATH
+
+          xcrun notarytool submit cosmic.pkg \
+            --key="$APP_STORE_CONNECT_KEY_PATH" \
+            --key-id="$APP_STORE_CONNECT_KEY_ID" \
+            --issuer="$APP_STORE_CONNECT_ISSUER" \
+            --wait
+        env:
+          APP_STORE_CONNECT_KEY_BASE64: ${{ secrets.APP_STORE_CONNECT_KEY_BASE64 }}
+          APP_STORE_CONNECT_KEY_ID: ${{ secrets.APP_STORE_CONNECT_KEY_ID }}
+          APP_STORE_CONNECT_ISSUER: ${{ secrets.APP_STORE_CONNECT_ISSUER }}
+
+      - name: Staple notarization
+        run: xcrun stapler staple cosmic.pkg
 
       - name: Create release
         id: create_release
@@ -72,19 +98,16 @@ jobs:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:
           tag_name: ${{ github.ref }}
-          release_name: Release ${{ github.ref }}
+          release_name: ${{ github.ref }}
           draft: false
           prerelease: false
 
-      - name: Mark binary as executable
-        run: chmod +x ./cosmic.xcarchive/Products/usr/local/bin/cosmic
-
       - name: Upload binary
         uses: actions/upload-release-asset@v1
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:
           upload_url: ${{ steps.create_release.outputs.upload_url }}
-          asset_path: ./cosmic.xcarchive/Products/usr/local/bin/cosmic
-          asset_name: cosmic
-          asset_content_type: application/octet-stream
+          asset_path: ./cosmic.pkg
+          asset_name: cosmic.pkg
+          asset_content_type: application/zip
diff --git a/.gitignore b/.gitignore
@@ -1,7 +1,6 @@
-# .github/workflows/test.yml artifacts
-build/
-TestResults.xcresult
-TestResults
+# .github/workflows artifacts
+*.xcresult
+*.xcarchive
 
 # macOS
 .DS_Store

diff --git a/Cosmic.xcodeproj/project.pbxproj b/Cosmic.xcodeproj/project.pbxproj
@@ -26,7 +26,6 @@
 /* End PBXCopyFilesBuildPhase section */
 
 /* Begin PBXFileReference section */
-		6B013A312C9DF6E500C45A8C /* Package.pkl */ = {isa = PBXFileReference; lastKnownFileType = text; path = Package.pkl; sourceTree = "<group>"; };
 		6B013A322C9DF6F500C45A8C /* LICENSE */ = {isa = PBXFileReference; lastKnownFileType = text; path = LICENSE; sourceTree = "<group>"; };
 		6B013A332C9DF6F500C45A8C /* README.md */ = {isa = PBXFileReference; lastKnownFileType = net.daringfireball.markdown; path = README.md; sourceTree = "<group>"; };
 		6B7F6F082C9F466300031547 /* CosmicTests.xctestplan */ = {isa = PBXFileReference; lastKnownFileType = text; name = CosmicTests.xctestplan; path = CosmicTests/CosmicTests.xctestplan; sourceTree = "<group>"; };
@@ -62,11 +61,6 @@
 			path = CosmicTests;
 			sourceTree = "<group>";
 		};
-		6BD783A92C98FC87009EEB33 /* Packages */ = {
-			isa = PBXFileSystemSynchronizedRootGroup;
-			path = Packages;
-			sourceTree = "<group>";
-		};
 /* End PBXFileSystemSynchronizedRootGroup section */
 
 /* Begin PBXFrameworksBuildPhase section */
@@ -95,11 +89,9 @@
 			isa = PBXGroup;
 			children = (
 				6B7F6F082C9F466300031547 /* CosmicTests.xctestplan */,
-				6BD783A92C98FC87009EEB33 /* Packages */,
 				6BD7838D2C98FBD4009EEB33 /* Cosmic */,
 				6BD7839A2C98FBFF009EEB33 /* CosmicTests */,
 				6BD7838C2C98FBD4009EEB33 /* Products */,
-				6B013A312C9DF6E500C45A8C /* Package.pkl */,
 				6B013A322C9DF6F500C45A8C /* LICENSE */,
 				6B013A332C9DF6F500C45A8C /* README.md */,
 			);
@@ -131,7 +123,6 @@
 			);
 			fileSystemSynchronizedGroups = (
 				6BD7838D2C98FBD4009EEB33 /* Cosmic */,
-				6BD783A92C98FC87009EEB33 /* Packages */,
 			);
 			name = Cosmic;
 			packageProductDependencies = (
@@ -357,27 +348,37 @@
 		6BD783932C98FBD4009EEB33 /* Debug */ = {
 			isa = XCBuildConfiguration;
 			buildSettings = {
+				ARCHS = arm64;
+				CODE_SIGN_IDENTITY = "Apple Development";
+				"CODE_SIGN_IDENTITY[sdk=macosx*]" = "Developer ID Application";
 				CODE_SIGN_INJECT_BASE_ENTITLEMENTS = YES;
-				CODE_SIGN_STYLE = Automatic;
-				DEVELOPMENT_TEAM = QSQY64SHJ5;
+				CODE_SIGN_STYLE = Manual;
+				DEVELOPMENT_TEAM = "";
+				"DEVELOPMENT_TEAM[sdk=macosx*]" = QSQY64SHJ5;
 				ENABLE_HARDENED_RUNTIME = YES;
 				MACOSX_DEPLOYMENT_TARGET = 14.6;
 				PRODUCT_BUNDLE_IDENTIFIER = com.willswire.Cosmic;
 				PRODUCT_NAME = cosmic;
+				PROVISIONING_PROFILE_SPECIFIER = "";
 				SWIFT_VERSION = 5.0;
 			};
 			name = Debug;
 		};
 		6BD783942C98FBD4009EEB33 /* Release */ = {
 			isa = XCBuildConfiguration;
 			buildSettings = {
+				ARCHS = arm64;
+				CODE_SIGN_IDENTITY = "Apple Development";
+				"CODE_SIGN_IDENTITY[sdk=macosx*]" = "Developer ID Application";
 				CODE_SIGN_INJECT_BASE_ENTITLEMENTS = YES;
-				CODE_SIGN_STYLE = Automatic;
-				DEVELOPMENT_TEAM = QSQY64SHJ5;
+				CODE_SIGN_STYLE = Manual;
+				DEVELOPMENT_TEAM = "";
+				"DEVELOPMENT_TEAM[sdk=macosx*]" = QSQY64SHJ5;
 				ENABLE_HARDENED_RUNTIME = YES;
 				MACOSX_DEPLOYMENT_TARGET = 14.6;
 				PRODUCT_BUNDLE_IDENTIFIER = com.willswire.Cosmic;
 				PRODUCT_NAME = cosmic;
+				PROVISIONING_PROFILE_SPECIFIER = "";
 				SWIFT_VERSION = 5.0;
 			};
 			name = Release;