|
7 | 7 |
|
8 | 8 | env: |
9 | 9 | GO_VERSION: "1.25.1" |
10 | | - PROJECT_NAME: "arduino-flasher" |
| 10 | + PROJECT_NAME: "arduino-flasher-cli" |
11 | 11 | GITHUB_TOKEN: ${{ secrets.ARDUINOBOT_TOKEN }} |
12 | 12 | GITHUB_USERNAME: ArduinoBot |
13 | 13 | DIST_DIR: build |
@@ -134,9 +134,134 @@ jobs: |
134 | 134 | - name: Cleanup |
135 | 135 | run: rm ${{ env.RELEASE_NAME }}.tar.gz |
136 | 136 |
|
| 137 | + notarize-macos: |
| 138 | + name: Notarize macOS |
| 139 | + runs-on: macos-13 |
| 140 | + needs: build |
| 141 | + permissions: |
| 142 | + contents: read |
| 143 | + |
| 144 | + env: |
| 145 | + GON_CONFIG_PATH: gon.config.hcl |
| 146 | + |
| 147 | + strategy: |
| 148 | + matrix: |
| 149 | + build: [macos-13-amd64, macos-13-arm64] |
| 150 | + steps: |
| 151 | + - name: Set environment variables |
| 152 | + run: | |
| 153 | + TAG_NAME="${GITHUB_REF##*/}" |
| 154 | + VERSION="${TAG_NAME#flasher-}" |
| 155 | + echo "PACKAGE_FILENAME=${{ env.PROJECT_NAME }}-${VERSION}-${{ matrix.build }}.tar.gz" >>$GITHUB_ENV |
| 156 | +
|
| 157 | + - name: Checkout repository |
| 158 | + uses: actions/checkout@v5 |
| 159 | + |
| 160 | + - name: Download artifacts |
| 161 | + uses: actions/download-artifact@v5 |
| 162 | + with: |
| 163 | + name: ${{ env.PROJECT_NAME }}-${{ matrix.build }} |
| 164 | + path: ${{ env.DIST_DIR }} |
| 165 | + |
| 166 | + - name: Extract build |
| 167 | + working-directory: ${{ env.DIST_DIR }} |
| 168 | + run: | |
| 169 | + tar -xvf ${{ env.PACKAGE_FILENAME }} |
| 170 | +
|
| 171 | + - name: Import Code-Signing Certificates |
| 172 | + env: |
| 173 | + KEYCHAIN: "sign.keychain" |
| 174 | + INSTALLER_CERT_MAC_PATH: "/tmp/ArduinoCerts2020.p12" |
| 175 | + # Arbitrary password for a keychain that exists only for the duration of the job, so not secret |
| 176 | + KEYCHAIN_PASSWORD: keychainpassword |
| 177 | + run: | |
| 178 | + echo "${{ secrets.INSTALLER_CERT_MAC_P12 }}" | base64 --decode >"${{ env.INSTALLER_CERT_MAC_PATH }}" |
| 179 | +
|
| 180 | + security create-keychain \ |
| 181 | + -p "${{ env.KEYCHAIN_PASSWORD }}" \ |
| 182 | + "${{ env.KEYCHAIN }}" |
| 183 | +
|
| 184 | + security default-keychain \ |
| 185 | + -s "${{ env.KEYCHAIN }}" |
| 186 | +
|
| 187 | + security unlock-keychain \ |
| 188 | + -p "${{ env.KEYCHAIN_PASSWORD }}" \ |
| 189 | + "${{ env.KEYCHAIN }}" |
| 190 | +
|
| 191 | + security import \ |
| 192 | + "${{ env.INSTALLER_CERT_MAC_PATH }}" \ |
| 193 | + -k "${{ env.KEYCHAIN }}" \ |
| 194 | + -f pkcs12 \ |
| 195 | + -A \ |
| 196 | + -T "/usr/bin/codesign" \ |
| 197 | + -P "${{ secrets.INSTALLER_CERT_MAC_PASSWORD }}" |
| 198 | +
|
| 199 | + security set-key-partition-list \ |
| 200 | + -S apple-tool:,apple: \ |
| 201 | + -s \ |
| 202 | + -k "${{ env.KEYCHAIN_PASSWORD }}" \ |
| 203 | + "${{ env.KEYCHAIN }}" |
| 204 | +
|
| 205 | + - name: Install gon for code signing and app notarization |
| 206 | + run: | |
| 207 | + wget \ |
| 208 | + -q https://github.com/Bearer/gon/releases/download/v0.0.27/gon_macos.zip |
| 209 | +
|
| 210 | + unzip \ |
| 211 | + gon_macos.zip \ |
| 212 | + -d /usr/local/bin |
| 213 | +
|
| 214 | + - name: Write gon config to file |
| 215 | + # gon does not allow env variables in config file (https://github.com/mitchellh/gon/issues/20) |
| 216 | + run: | |
| 217 | + cat >"${{ env.GON_CONFIG_PATH }}" \ |
| 218 | + <<EOF |
| 219 | + # See: https://github.com/Bearer/gon#configuration-file |
| 220 | + source = ["${{ env.DIST_DIR }}/${{ env.PROJECT_NAME }}"] |
| 221 | + bundle_id = "cc.arduino.${{ env.PROJECT_NAME }}" |
| 222 | +
|
| 223 | + sign { |
| 224 | + application_identity = "Developer ID Application: ARDUINO SA (7KT7ZWMCJT)" |
| 225 | + } |
| 226 | +
|
| 227 | + # Ask Gon for zip output to force notarization process to take place. |
| 228 | + # The CI will ignore the zip output, using the signed binary only. |
| 229 | + zip { |
| 230 | + output_path = "unused.zip" |
| 231 | + } |
| 232 | + EOF |
| 233 | +
|
| 234 | + - name: Sign and notarize binary |
| 235 | + env: |
| 236 | + AC_USERNAME: ${{ secrets.AC_USERNAME }} |
| 237 | + AC_PASSWORD: ${{ secrets.AC_PASSWORD }} |
| 238 | + AC_PROVIDER: ${{ secrets.AC_PROVIDER }} |
| 239 | + run: | |
| 240 | + gon "${{ env.GON_CONFIG_PATH }}" |
| 241 | +
|
| 242 | + - name: Re-package binary |
| 243 | + working-directory: ${{ env.DIST_DIR }} |
| 244 | + # Repackage the signed binary replaced in place by Gon (ignoring the output zip file) |
| 245 | + run: | |
| 246 | + # GitHub's upload/download-artifact actions don't preserve file permissions, |
| 247 | + # so we need to add execution permission back until the action is made to do this. |
| 248 | + chmod \ |
| 249 | + +x \ |
| 250 | + "${{ env.PROJECT_NAME }}" |
| 251 | +
|
| 252 | + tar -czf ${{ env.PACKAGE_FILENAME }} ${{ env.PROJECT_NAME }} |
| 253 | +
|
| 254 | + - name: Replace artifact with notarized build |
| 255 | + uses: actions/upload-artifact@v4 |
| 256 | + with: |
| 257 | + if-no-files-found: error |
| 258 | + name: ${{ env.PROJECT_NAME }}-${{ matrix.build }} |
| 259 | + overwrite: true |
| 260 | + path: ${{ env.DIST_DIR }}/${{ env.PACKAGE_FILENAME }} |
| 261 | + |
137 | 262 | create-release: |
138 | 263 | runs-on: ubuntu-22.04 |
139 | | - needs: [build, sign-windows-executable] |
| 264 | + needs: [build, sign-windows-executable, notarize-macos] |
140 | 265 | steps: |
141 | 266 | - name: Checkout |
142 | 267 | uses: actions/checkout@v4 |
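Review bot: The "Install gon for code signing and app notarization" step in the new `notarize-macos` job fetches `gon_macos.zip` from a GitHub release with `wget -q` and unzips it straight into `/usr/local/bin` with no integrity check, and the following "Sign and notarize binary" step executes that binary while the signing keychain is unlocked and `AC_USERNAME`/`AC_PASSWORD` (plus the job-wide `GITHUB_TOKEN` from `secrets.ARDUINOBOT_TOKEN`) are in its environment. A tampered or replaced release asset would therefore obtain code-signing and notarization capability for the "Developer ID Application: ARDUINO SA" identity. Pin the asset's digest between the `wget` and the `unzip`, `echo "<sha256 of v0.0.27 gon_macos.zip>  gon_macos.zip" | shasum -a 256 -c -`, so a mismatch fails the step before anything is installed. Separately, the p12 blob and its password are interpolated into the script text via `${{ secrets.INSTALLER_CERT_MAC_P12 }}` and `-P "${{ secrets.INSTALLER_CERT_MAC_PASSWORD }}"` in the "Import Code-Signing Certificates" step; passing them through that step's `env:` and referencing `"$INSTALLER_CERT_MAC_P12"` / `"$INSTALLER_CERT_MAC_PASSWORD"` keeps them out of the generated shell script and matches how `AC_PASSWORD` is already handled in the notarize step.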
|