Skip to content
Sign and Upload Mac Installer

v5.2.4 #68

Sign in to view logs

v5.2.4

v5.2.4 #68

Workflow file for this run

.github/workflows/mac-pkg.yml at 76d0859
name: Sign and Upload Mac Installer
on:
release:
types: [created, published]
workflow_dispatch:
inputs:
version:
description: 'Release version to build and upload (e.g. "v9.8.7")'
required: true
dryrun:
description: 'Perform all the steps except uploading to the release page'
required: true
default: "true" # 'choice' type requires string value
type: choice
options:
- "true" # Must be quoted string, boolean value not supported.
- "false"
permissions:
contents: write
jobs:
build:
runs-on: macos-latest
env:
APPLICATION_CERTIFICATE: ${{ secrets.MACOS_APPLICATION_CERT }}
CODESIGN_IDENTITY: ${{ secrets.MACOS_APPLICATION_IDENTITY }}
INSTALLER_CERTIFICATE: ${{ secrets.MACOS_INSTALLER_CERT }}
PRODUCTSIGN_IDENTITY: ${{ secrets.MACOS_INSTALLER_IDENTITY }}
CERTIFICATE_PWD: ${{ secrets.MACOS_CERTIFICATE_PWD }}
NOTARIZE_TEAM: ${{ secrets.MACOS_NOTARIZATION_TEAM_ID }}
NOTARIZE_USERNAME: ${{ secrets.MACOS_NOTARIZATION_APPLE_ID }}
NOTARIZE_PASSWORD: ${{ secrets.MACOS_NOTARIZATION_PWD }}
KEYCHAIN_PWD: ${{ secrets.MACOS_CI_KEYCHAIN_PWD }}
steps:
- name: Consolidate dryrun setting to always be true or false
id: actual_dryrun
run: |
# The 'release' trigger will not have a 'dryrun' input set. Handle
# this case in a readable/maintainable way.
if [[ -z "${{ inputs.dryrun }}" ]]
then
echo "dryrun=false" >> $GITHUB_OUTPUT
else
echo "dryrun=${{ inputs.dryrun }}" >> $GITHUB_OUTPUT
fi
- name: Dry Run Status
run: |
echo "::notice::This workflow execution will be a dry-run: ${{ steps.actual_dryrun.outputs.dryrun }}"
- name: Determine Version
id: getversion
run: |
if [[ -z "${{ inputs.version }}" ]]
then
VERSION=${{ github.event.release.tag_name }}
else
VERSION=${{ inputs.version }}
fi
echo
echo "version=$VERSION" >> $GITHUB_OUTPUT
- name: Check uploads
id: check
run: |
URI="https://github.com/containers/podman/releases/download/${{steps.getversion.outputs.version}}"
ARM_FILE="podman-installer-macos-arm64.pkg"
AMD_FILE="podman-installer-macos-amd64.pkg"
UNIVERSAL_FILE="podman-installer-macos-universal.pkg"
status=$(curl -s -o /dev/null -w "%{http_code}" "${URI}/${ARM_FILE}")
if [[ "$status" == "404" ]] ; then
echo "buildarm=true" >> $GITHUB_OUTPUT
else
echo "::warning::ARM installer already exists, skipping"
echo "buildarm=false" >> $GITHUB_OUTPUT
fi
status=$(curl -s -o /dev/null -w "%{http_code}" "${URI}/${AMD_FILE}")
if [[ "$status" == "404" ]] ; then
echo "buildamd=true" >> $GITHUB_OUTPUT
else
echo "::warning::AMD installer already exists, skipping"
echo "buildamd=false" >> $GITHUB_OUTPUT
fi
status=$(curl -s -o /dev/null -w "%{http_code}" "${URI}/${UNIVERSAL_FILE}")
if [[ "$status" == "404" ]] ; then
echo "builduniversal=true" >> $GITHUB_OUTPUT
else
echo "::warning::Universal installer already exists, skipping"
echo "builduniversal=false" >> $GITHUB_OUTPUT
fi
- name: Checkout Version
if: >-
steps.check.outputs.buildamd == 'true' ||
steps.check.outputs.buildarm == 'true' ||
steps.check.outputs.builduniversal == 'true' ||
steps.actual_dryrun.outputs.dryrun == 'true'
uses: actions/checkout@v4
with:
ref: ${{steps.getversion.outputs.version}}
- name: Set up Go
# Conditional duplication sucks - GHA doesn't grok YAML anchors/aliases
if: >-
steps.check.outputs.buildamd == 'true' ||
steps.check.outputs.buildarm == 'true' ||
steps.check.outputs.builduniversal == 'true' ||
steps.actual_dryrun.outputs.dryrun == 'true'
uses: actions/setup-go@v5
with:
go-version: stable
- name: Create Keychain
if: >-
steps.check.outputs.buildamd == 'true' ||
steps.check.outputs.buildarm == 'true' ||
steps.check.outputs.builduniversal == 'true' ||
steps.actual_dryrun.outputs.dryrun == 'true'
run: |
echo $APPLICATION_CERTIFICATE | base64 --decode -o appcert.p12
echo $INSTALLER_CERTIFICATE | base64 --decode -o instcert.p12
security create-keychain -p "$KEYCHAIN_PWD" build.keychain
security default-keychain -s build.keychain
security unlock-keychain -p "$KEYCHAIN_PWD" build.keychain
security import appcert.p12 -k build.keychain -P "$CERTIFICATE_PWD" -T /usr/bin/codesign
security import instcert.p12 -k build.keychain -P "$CERTIFICATE_PWD" -T /usr/bin/productsign
security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$KEYCHAIN_PWD" build.keychain &> /dev/null
xcrun notarytool store-credentials "notarytool-profile" --apple-id "$NOTARIZE_USERNAME" --team-id "$NOTARIZE_TEAM" --password "$NOTARIZE_PASSWORD" &> /dev/null
- name: Build and Sign ARM
if: steps.check.outputs.buildarm == 'true' || steps.actual_dryrun.outputs.dryrun == 'true'
working-directory: contrib/pkginstaller
run: |
make ARCH=aarch64 notarize &> /dev/null
cd out && shasum -a 256 podman-installer-macos-arm64.pkg >> shasums
- name: Build and Sign AMD
if: steps.check.outputs.buildamd == 'true' || steps.actual_dryrun.outputs.dryrun == 'true'
working-directory: contrib/pkginstaller
run: |
make ARCH=amd64 notarize &> /dev/null
cd out && shasum -a 256 podman-installer-macos-amd64.pkg >> shasums
- name: Build and Sign Universal
if: steps.check.outputs.builduniversal == 'true' || steps.actual_dryrun.outputs.dryrun == 'true'
working-directory: contrib/pkginstaller
run: |
make ARCH=universal notarize &> /dev/null
cd out && shasum -a 256 podman-installer-macos-universal.pkg >> shasums
- name: Artifact
if: >-
steps.check.outputs.buildamd == 'true' ||
steps.check.outputs.buildarm == 'true' ||
steps.check.outputs.builduniversal == 'true' ||
steps.actual_dryrun.outputs.dryrun == 'true'
uses: actions/upload-artifact@v4
with:
name: installers
path: |
contrib/pkginstaller/out/podman-installer-macos-*.pkg
contrib/pkginstaller/out/shasums
- name: Upload to Release
if: >-
steps.actual_dryrun.outputs.dryrun == 'false' &&
(steps.check.outputs.buildamd == 'true' ||
steps.check.outputs.buildarm == 'true'||
steps.check.outputs.builduniversal == 'true' )
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
(gh release download ${{steps.getversion.outputs.version}} -p "shasums" || exit 0)
cat contrib/pkginstaller/out/shasums >> shasums
gh release upload ${{steps.getversion.outputs.version}} contrib/pkginstaller/out/podman-installer-macos-*.pkg
gh release upload ${{steps.getversion.outputs.version}} --clobber shasums