Skip to content

MacOS release with codesign and notarization #24

MacOS release with codesign and notarization

MacOS release with codesign and notarization #24

Workflow file for this run

---
name: Release
on:
push:
tags:
- "*"
jobs:
buildMac:
name: Build macOS
runs-on: ${{ matrix.macos }}
strategy:
matrix:
xcode: [ Xcode_15.2 ]
abi: [ x86 ]
macos: [ macos-13 ]
include:
- macos: macos-14
abi: arm64
xcode: Xcode
steps:
- name: Checkout
uses: actions/checkout@v4
with:
fetch-depth: 0
submodules: true
- name: Investigate available XCode versions
run: ls -n /Applications/ | grep Xcode*
- name: Set XCode Version
run: sudo xcode-select -s /Applications/${{ matrix.xcode }}.app
- name: install qt 5
run: brew install qt@5
- name: install build environment
run: scripts/darwin/install.sh
- name: Build project
run: scripts/darwin/build.sh
- name: Codesign app bundle
if: "! github.event.pull_request.head.repo.fork " # not running on a fork
# Extract the secrets we defined earlier as environment variables
env:
MACOS_CERTIFICATE: ${{ secrets.APPLE_CERTIFICATE }}
MACOS_CERTIFICATE_PWD: ${{ secrets.P12_PASSWORD }}
MACOS_CERTIFICATE_NAME: ${{ secrets.APPLE_CERTIFICATE_NAME }}
MACOS_CI_KEYCHAIN_PWD: ${{ secrets.KEYCHAIN_PASSWORD }}
run: |
# Turn our base64-encoded certificate back to a regular .p12 file
echo $MACOS_CERTIFICATE | base64 --decode > certificate.p12
# We need to create a new keychain, otherwise using the certificate will prompt
# with a UI dialog asking for the certificate password, which we can't
# use in a headless CI environment
security create-keychain -p "$MACOS_CI_KEYCHAIN_PWD" build.keychain
security default-keychain -s build.keychain
security unlock-keychain -p "$MACOS_CI_KEYCHAIN_PWD" build.keychain
security import certificate.p12 -k build.keychain -P "$MACOS_CERTIFICATE_PWD" -T /usr/bin/codesign
security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$MACOS_CI_KEYCHAIN_PWD" build.keychain
# We finally codesign our app bundle, specifying the Hardened runtime option
/usr/bin/codesign --timestamp --options=runtime -s "$MACOS_CERTIFICATE_NAME" -f -v /Users/runner/work/dlt-viewer/dlt-viewer/build/install/DLTViewer.app/Contents/Frameworks/*
/usr/bin/codesign --timestamp --options=runtime -s "$MACOS_CERTIFICATE_NAME" -f -v /Users/runner/work/dlt-viewer/dlt-viewer/build/install/DLTViewer.app/Contents/Resources/*
/usr/bin/codesign --timestamp --options=runtime -s "$MACOS_CERTIFICATE_NAME" -f -v /Users/runner/work/dlt-viewer/dlt-viewer/build/install/DLTViewer.app/Contents/PlugIns/bearer/*
/usr/bin/codesign --timestamp --options=runtime -s "$MACOS_CERTIFICATE_NAME" -f -v /Users/runner/work/dlt-viewer/dlt-viewer/build/install/DLTViewer.app/Contents//PlugIns/iconengines/*
/usr/bin/codesign --timestamp --options=runtime -s "$MACOS_CERTIFICATE_NAME" -f -v /Users/runner/work/dlt-viewer/dlt-viewer/build/install/DLTViewer.app/Contents/PlugIns/imageformats/*
/usr/bin/codesign --timestamp --options=runtime -s "$MACOS_CERTIFICATE_NAME" -f -v /Users/runner/work/dlt-viewer/dlt-viewer/build/install/DLTViewer.app/Contents/PlugIns/platforminputcontexts/*
/usr/bin/codesign --timestamp --options=runtime -s "$MACOS_CERTIFICATE_NAME" -f -v /Users/runner/work/dlt-viewer/dlt-viewer/build/install/DLTViewer.app/Contents/PlugIns/platforms/*
/usr/bin/codesign --timestamp --options=runtime -s "$MACOS_CERTIFICATE_NAME" -f -v /Users/runner/work/dlt-viewer/dlt-viewer/build/install/DLTViewer.app/Contents/PlugIns/printsupport/*
/usr/bin/codesign --timestamp --options=runtime -s "$MACOS_CERTIFICATE_NAME" -f -v /Users/runner/work/dlt-viewer/dlt-viewer/build/install/DLTViewer.app/Contents/PlugIns/styles/*
/usr/bin/codesign --timestamp --options=runtime -s "$MACOS_CERTIFICATE_NAME" -f -v /Users/runner/work/dlt-viewer/dlt-viewer/build/install/DLTViewer.app/Contents/PlugIns/virtualkeyboard/*
/usr/bin/codesign --timestamp --options=runtime -s "$MACOS_CERTIFICATE_NAME" -f -v /Users/runner/work/dlt-viewer/dlt-viewer/build/install/DLTViewer.app/Contents/MacOS/plugins/*
/usr/bin/codesign --timestamp --options=runtime -s "$MACOS_CERTIFICATE_NAME" -f -v /Users/runner/work/dlt-viewer/dlt-viewer/build/install/DLTViewer.app/Contents/MacOS/dlt-commander
/usr/bin/codesign --timestamp --options=runtime -s "$MACOS_CERTIFICATE_NAME" -f -v /Users/runner/work/dlt-viewer/dlt-viewer/build/install/DLTViewer.app/Contents/MacOS/dlt-viewer
/usr/bin/codesign --timestamp --options=runtime -s "$MACOS_CERTIFICATE_NAME" -f -v /Users/runner/work/dlt-viewer/dlt-viewer/build/install/DLTViewer.app
- name: Notarize app bundle
if: "! github.event.pull_request.head.repo.fork " # not running on a fork
env:
PROD_MACOS_NOTARIZATION_APPLE_ID: ${{ secrets.APPLE_ID }}
PROD_MACOS_NOTARIZATION_TEAM_ID: ${{ secrets.TEAM_ID }}
PROD_MACOS_NOTARIZATION_PWD: ${{ secrets.APP_PASSWORD }}
run: |
echo "Create keychain profile"
xcrun notarytool store-credentials "notarytool-profile" --apple-id "$PROD_MACOS_NOTARIZATION_APPLE_ID" --team-id "$PROD_MACOS_NOTARIZATION_TEAM_ID" --password "$PROD_MACOS_NOTARIZATION_PWD"
echo "Creating temp notarization archive"
ditto -c -k --keepParent "/Users/runner/work/dlt-viewer/dlt-viewer/build/install/DLTViewer.app" "/Users/runner/work/dlt-viewer/dlt-viewer/build/install/DLTViewer.zip"
echo "Notarize app"
xcrun notarytool submit "/Users/runner/work/dlt-viewer/dlt-viewer/build/install/DLTViewer.zip" --keychain-profile "notarytool-profile" --wait
echo "Attach staple"
xcrun stapler staple "/Users/runner/work/dlt-viewer/dlt-viewer/build/install/DLTViewer.app"
rm -r /Users/runner/work/dlt-viewer/dlt-viewer/build/install/DLTViewer.zip
- name: Artifact Creation
run: |
cd /Users/runner/work/dlt-viewer/dlt-viewer/build
mkdir -p dist
cp ../scripts/darwin/install.md dist
tar -czvf "dist/DLTViewer.tgz" -C /Users/runner/work/dlt-viewer/dlt-viewer/build/install .
- name: Archive artifact
run: zip DLT-macOS-${{ matrix.abi }}.zip -r build/dist
- name: Archive artifact
uses: actions/upload-artifact@v4
if: ${{ success() }}
with:
name: DLT-Mac-${{ matrix.abi }}
path: build/dist/DLTViewer*.tgz
buildLinux:
name: Build ${{ matrix.ubuntu }}
strategy:
matrix:
ubuntu: [ ubuntu-20.04 ]
runs-on: ${{ matrix.ubuntu }}
steps:
- name: Checkout
uses: actions/checkout@v4
with:
fetch-depth: 0
submodules: true
- name: install build environment
run: scripts/linux/install.sh
- name: Build project
run: scripts/linux/build.sh
- name: Make artifact executable
run: chmod -R +x build/dist
- name: Archive artifact
run: zip DLT-Linux.zip -r build/dist
- name: Upload DLT artifact
uses: actions/upload-artifact@v4
with:
name: DLT-Linux
path: DLT-Linux.zip
buildWindows:
name: Build Windows
strategy:
matrix:
task: [ parser, sdk ]
runs-on: windows-2019
steps:
- name: Checkout
uses: actions/checkout@v4
with:
fetch-depth: 0
submodules: true
- name: Install qt
uses: jurplel/install-qt-action@v4
with:
mirror: http://ftp.fau.de/qtproject/
version: 5.15.2
- name: Build with CMake ${{ matrix.task }}
run: >
$env:WORKSPACE=$env:GITHUB_WORKSPACE;
$env:QTDIR=$env:Qt5_DIR.Replace('/','\');
$env:CPACK_7Z="true";
$env:CPACK_NSIS="true";
./build_sdk_windows_qt5_MSVC_cmake.bat
- name: Archive artifact
run: >
Compress-Archive -Path .\build\dist -DestinationPath
DLT-Windows-${{ matrix.task }}.zip
- name: Upload DLT artifact
uses: actions/upload-artifact@v4
if: ${{ success() }}
with:
name: DLT-Windows-${{ matrix.task }}
path: DLT-*.zip
createRelease:
name: Create release
runs-on: ubuntu-20.04
needs: [ buildMac, buildLinux, buildWindows ]
steps:
- name: Checkout
uses: actions/checkout@v4
with:
fetch-depth: 0
submodules: true
- name: Download DLT Linux artifacts
uses: actions/download-artifact@v4
with:
name: DLT-Linux
- name: Download DLT macOS artifacts arm64
uses: actions/download-artifact@v4
with:
name: DLT-Mac-arm64
- name: Download DLT macOS artifacts x86
uses: actions/download-artifact@v4
with:
name: DLT-Mac-x86
- name: Download DLT Windows parser artifacts
uses: actions/download-artifact@v4
with:
name: DLT-Windows-parser
- name: Download DLT Windows sdk artifacts
uses: actions/download-artifact@v4
with:
name: DLT-Windows-sdk
- name: Find Tag
id: tagger
uses: jimschubert/[email protected]
with:
skip-unshallow: 'true'
abbrev: false
commit-ish: HEAD
- name: Check pre-release
run: |
echo "tag=${{steps.tagger.outputs.tag}}"
if [[ ${{ steps.tagger.outputs.tag }} == *alpha* || ${{ steps.tagger.outputs.tag }} == *beta* ]]
then
prerelease=true
else
prerelease=false
fi
echo "PRE_RELEASE=$prerelease" >> $GITHUB_ENV
echo "prerelease=$prerelease"
- name: Create Release
uses: softprops/action-gh-release@v2
with:
tag_name: ${{steps.tagger.outputs.tag}}
generate_release_notes: true
prerelease: ${{ env.PRE_RELEASE }}
name: ${{steps.tagger.outputs.tag}}
files: |
DLT-*
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}