^ CI Build and notarize

buresdv · May 25, 2024 · 8c5beb6 · 8c5beb6
1 parent fbabba9
commit 8c5beb6
Showing 1 changed file with 13 additions and 58 deletions.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -20,64 +20,19 @@ jobs:
       - name: Xcodebuild
         run: xcodebuild -project Cork.xcodeproj -scheme Cork -destination platform=macOS build -derivedDataPath ./build
 
-      - name: Codesign app bundle
-        # Extract the secrets we defined earlier as environment variables
-        env: 
-          MACOS_CERTIFICATE: ${{ secrets.PROD_MACOS_CERTIFICATE }}
-          MACOS_CERTIFICATE_PWD: ${{ secrets.PROD_MACOS_CERTIFICATE_PWD }}
-          MACOS_CERTIFICATE_NAME: ${{ secrets.PROD_MACOS_CERTIFICATE_NAME }}
-          MACOS_CI_KEYCHAIN_PWD: ${{ secrets.PROD_MACOS_CI_KEYCHAIN_PWD }}
-        run: |
-          # Turn our base64-encoded certificate back to a regular .p12 file
-          
-          echo $MACOS_CERTIFICATE | base64 --decode > certificate.p12
-      
-          # We need to create a new keychain, otherwise using the certificate will prompt
-          # with a UI dialog asking for the certificate password, which we can't
-          # use in a headless CI environment      
-          security create-keychain -p "$MACOS_CI_KEYCHAIN_PWD" build.keychain
-          security default-keychain -s build.keychain
-          security unlock-keychain -p "$MACOS_CI_KEYCHAIN_PWD" build.keychain
-          security import certificate.p12 -k build.keychain -P "$MACOS_CERTIFICATE_PWD" -T /usr/bin/codesign
-          security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$MACOS_CI_KEYCHAIN_PWD" build.keychain
-
-          # We finally codesign our app bundle, specifying the Hardened runtime option
-
-          /usr/bin/codesign --force -s "$MACOS_CERTIFICATE_NAME" --options runtime build/Build/Products/Debug/Cork.app -v
-
-          -----
-      - name: "Notarize app bundle"
-        # Extract the secrets we defined earlier as environment variables
-        env:
-          PROD_MACOS_NOTARIZATION_APPLE_ID: ${{ secrets.PROD_MACOS_NOTARIZATION_APPLE_ID }}
-          PROD_MACOS_NOTARIZATION_TEAM_ID: ${{ secrets.PROD_MACOS_NOTARIZATION_TEAM_ID }}
-          PROD_MACOS_NOTARIZATION_PWD: ${{ secrets.PROD_MACOS_NOTARIZATION_PWD }}
-        run: |
-          # Store the notarization credentials so that we can prevent a UI password dialog
-          # from blocking the CI
-
-          echo "Create keychain profile"
-          xcrun notarytool store-credentials "notarytool-profile" --apple-id "$PROD_MACOS_NOTARIZATION_APPLE_ID" --team-id "$PROD_MACOS_NOTARIZATION_TEAM_ID" --password "$PROD_MACOS_NOTARIZATION_PWD"
-
-          # We can't notarize an app bundle directly, but we need to compress it as an archive.
-          # Therefore, we create a zip file containing our app bundle, so that we can send it to the
-          # notarization service
-
-          echo "Creating temp notarization archive"
-          ditto -c -k --keepParent "build/Build/Products/Debug/Cork.app" "notarization.zip"
-
-          # Here we send the notarization request to the Apple's Notarization service, waiting for the result.
-          # This typically takes a few seconds inside a CI environment, but it might take more depending on the App
-          # characteristics. Visit the Notarization docs for more information and strategies on how to optimize it if
-          # you're curious
-
-          echo "Notarize app"
-          xcrun notarytool submit "notarization.zip" --keychain-profile "notarytool-profile" --wait
-
-          # Finally, we need to "attach the staple" to our executable, which will allow our app to be
-          # validated by macOS even when an internet connection is not available.
-          echo "Attach staple"
-          xcrun stapler staple "build/Build/Products/Debug/Cork.app"
+      - name: Notarize Release Build
+        uses: lando/notarize-action@v2
+        with:
+          product-path: "build/Build/Products/Debug/Cork.app"
+          appstore-connect-username: ${{ secrets.PROD_MACOS_NOTARIZATION_APPLE_ID }}
+          appstore-connect-password: ${{ secrets.PROD_MACOS_NOTARIZATION_PWD }}
+          appstore-connect-team-id: ${{ secrets.PROD_MACOS_NOTARIZATION_TEAM_ID }}
+          verbose: true
+
+      - name: "Staple Release Build"
+        uses: BoundfoxStudios/action-xcode-staple@v1
+        with:
+          product-path: "build/Build/Products/Debug/Cork.app"
 
       - name: Create zip file
         run: cp -r build/Build/Products/Debug/Cork.app . && zip -r Cork.zip Cork.app