Skip to content

ci: update release workflow (#22) #11

ci: update release workflow (#22)

ci: update release workflow (#22) #11

Workflow file for this run

name: Release
on:
push:
tags:
- "v*"
jobs:
build_with_signing:
name: Build & Sign
runs-on: macos-14
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Install the Apple certificate and provisioning profile
env:
APPLICATON_CERTIFICATE_BASE64: ${{ secrets.APPLICATON_CERTIFICATE_BASE64 }}
INSTALLER_CERTIFICATE_BASE64: ${{ secrets.INSTALLER_CERTIFICATE_BASE64 }}
P12_PASSWORD: ${{ secrets.P12_PASSWORD }}
BUILD_PROVISION_PROFILE_BASE64: ${{ secrets.BUILD_PROVISION_PROFILE_BASE64 }}
KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }}
run: |
APPLICATION_CERTIFICATE_PATH=$RUNNER_TEMP/application_certificate.p12
INSTALLER_CERTIFICATE_PATH=$RUNNER_TEMP/installer_certificate.p12
PP_PATH=$RUNNER_TEMP/build_pp.provisionprofile
KEYCHAIN_PATH=$RUNNER_TEMP/app-signing.keychain-db
echo -n "$APPLICATON_CERTIFICATE_BASE64" | base64 --decode -o $APPLICATION_CERTIFICATE_PATH
echo -n "$INSTALLER_CERTIFICATE_BASE64" | base64 --decode -o $INSTALLER_CERTIFICATE_PATH
echo -n "$BUILD_PROVISION_PROFILE_BASE64" | base64 --decode -o $PP_PATH
security create-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
security set-keychain-settings -lut 21600 $KEYCHAIN_PATH
security unlock-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
security import $APPLICATION_CERTIFICATE_PATH -P "$P12_PASSWORD" -A -t cert -f pkcs12 -k $KEYCHAIN_PATH
security import $INSTALLER_CERTIFICATE_PATH -P "$P12_PASSWORD" -A -t cert -f pkcs12 -k $KEYCHAIN_PATH
security set-key-partition-list -S apple-tool:,apple: -k "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
security list-keychain -d user -s $KEYCHAIN_PATH
mkdir -p ~/Library/MobileDevice/Provisioning\ Profiles
cp $PP_PATH ~/Library/MobileDevice/Provisioning\ Profiles
- name: Install pkl
run: |
curl -L -o pkl "https://github.com/apple/pkl/releases/download/${PKL_VERSION}/pkl-${PKL_ARCH}"
chmod +x pkl
sudo mv pkl /usr/local/bin/pkl
pkl --version
env:
PKL_VERSION: 0.26.3
PKL_ARCH: macos-aarch64
- name: Select Xcode version
run: sudo xcode-select -s "${XCODE_PATH}"
env:
XCODE_PATH: /Applications/Xcode_16.0.app/Contents/Developer
- name: Archive
run: xcrun xcodebuild clean archive -scheme "$SCHEME" -destination "$DESTINATION" -archivePath "$ARCHIVE"
env:
PROVISIONING_PROFILE: "~/Library/MobileDevice/Provisioning\ Profiles/build_pp.provisionprofile"
DESTINATION: platform=macOS,arch=arm64
SCHEME: Cosmic
ARCHIVE: Cosmic.xcarchive
- name: Build installer package
run: |
pkgbuild --root "Cosmic.xcarchive/Products" \
--identifier "com.willswire.Cosmic" \
--version "${{ github.ref }}" \
--install-location "/" \
--sign="Developer ID Installer: William Walker (QSQY64SHJ5)" \
cosmic.pkg
- name: Notarize package
run: |
APP_STORE_CONNECT_KEY_PATH=$RUNNER_TEMP/key.p8
echo -n "$APP_STORE_CONNECT_KEY_BASE64" | base64 --decode -o $APP_STORE_CONNECT_KEY_PATH
xcrun notarytool submit cosmic.pkg \
--key="$APP_STORE_CONNECT_KEY_PATH" \
--key-id="$APP_STORE_CONNECT_KEY_ID" \
--issuer="$APP_STORE_CONNECT_ISSUER" \
--wait
env:
APP_STORE_CONNECT_KEY_BASE64: ${{ secrets.APP_STORE_CONNECT_KEY_BASE64 }}
APP_STORE_CONNECT_KEY_ID: ${{ secrets.APP_STORE_CONNECT_KEY_ID }}
APP_STORE_CONNECT_ISSUER: ${{ secrets.APP_STORE_CONNECT_ISSUER }}
- name: Staple notarization
run: xcrun stapler staple cosmic.pkg
- name: Create release
id: create_release
uses: actions/create-release@v1
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
tag_name: ${{ github.ref }}
release_name: ${{ github.ref }}
draft: false
prerelease: false
- name: Upload binary
uses: actions/upload-release-asset@v1
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
upload_url: ${{ steps.create_release.outputs.upload_url }}
asset_path: ./cosmic.pkg
asset_name: cosmic.pkg
asset_content_type: application/zip