diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 43ff4d38..1a89e0af 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -20,64 +20,19 @@ jobs: - name: Xcodebuild run: xcodebuild -project Cork.xcodeproj -scheme Cork -destination platform=macOS build -derivedDataPath ./build - - name: Codesign app bundle - # Extract the secrets we defined earlier as environment variables - env: - MACOS_CERTIFICATE: ${{ secrets.PROD_MACOS_CERTIFICATE }} - MACOS_CERTIFICATE_PWD: ${{ secrets.PROD_MACOS_CERTIFICATE_PWD }} - MACOS_CERTIFICATE_NAME: ${{ secrets.PROD_MACOS_CERTIFICATE_NAME }} - MACOS_CI_KEYCHAIN_PWD: ${{ secrets.PROD_MACOS_CI_KEYCHAIN_PWD }} - run: | - # Turn our base64-encoded certificate back to a regular .p12 file - - echo $MACOS_CERTIFICATE | base64 --decode > certificate.p12 - - # We need to create a new keychain, otherwise using the certificate will prompt - # with a UI dialog asking for the certificate password, which we can't - # use in a headless CI environment - security create-keychain -p "$MACOS_CI_KEYCHAIN_PWD" build.keychain - security default-keychain -s build.keychain - security unlock-keychain -p "$MACOS_CI_KEYCHAIN_PWD" build.keychain - security import certificate.p12 -k build.keychain -P "$MACOS_CERTIFICATE_PWD" -T /usr/bin/codesign - security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$MACOS_CI_KEYCHAIN_PWD" build.keychain - - # We finally codesign our app bundle, specifying the Hardened runtime option - - /usr/bin/codesign --force -s "$MACOS_CERTIFICATE_NAME" --options runtime build/Build/Products/Debug/Cork.app -v - - ----- - - name: "Notarize app bundle" - # Extract the secrets we defined earlier as environment variables - env: - PROD_MACOS_NOTARIZATION_APPLE_ID: ${{ secrets.PROD_MACOS_NOTARIZATION_APPLE_ID }} - PROD_MACOS_NOTARIZATION_TEAM_ID: ${{ secrets.PROD_MACOS_NOTARIZATION_TEAM_ID }} - PROD_MACOS_NOTARIZATION_PWD: ${{ secrets.PROD_MACOS_NOTARIZATION_PWD }} - run: | - # Store the notarization credentials so that we can prevent a UI password dialog - # from blocking the CI - - echo "Create keychain profile" - xcrun notarytool 
store-credentials "notarytool-profile" --apple-id "$PROD_MACOS_NOTARIZATION_APPLE_ID" --team-id "$PROD_MACOS_NOTARIZATION_TEAM_ID" --password "$PROD_MACOS_NOTARIZATION_PWD" - - # We can't notarize an app bundle directly, but we need to compress it as an archive. - # Therefore, we create a zip file containing our app bundle, so that we can send it to the - # notarization service - - echo "Creating temp notarization archive" - ditto -c -k --keepParent "build/Build/Products/Debug/Cork.app" "notarization.zip" - - # Here we send the notarization request to the Apple's Notarization service, waiting for the result. - # This typically takes a few seconds inside a CI environment, but it might take more depending on the App - # characteristics. Visit the Notarization docs for more information and strategies on how to optimize it if - # you're curious - - echo "Notarize app" - xcrun notarytool submit "notarization.zip" --keychain-profile "notarytool-profile" --wait - - # Finally, we need to "attach the staple" to our executable, which will allow our app to be - # validated by macOS even when an internet connection is not available. - echo "Attach staple" - xcrun stapler staple "build/Build/Products/Debug/Cork.app" + - name: Notarize Release Build + uses: lando/notarize-action@v2 + with: + product-path: "build/Build/Products/Debug/Cork.app" + appstore-connect-username: ${{ secrets.PROD_MACOS_NOTARIZATION_APPLE_ID }} + appstore-connect-password: ${{ secrets.PROD_MACOS_NOTARIZATION_PWD }} + appstore-connect-team-id: ${{ secrets.PROD_MACOS_NOTARIZATION_TEAM_ID }} + verbose: true + + - name: "Staple Release Build" + uses: BoundfoxStudios/action-xcode-staple@v1 + with: + product-path: "build/Build/Products/Debug/Cork.app" - name: Create zip file run: cp -r build/Build/Products/Debug/Cork.app . && zip -r Cork.zip Cork.app
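Review bot: Both third-party actions added in this hunk are referenced by mutable tags (`uses: lando/notarize-action@v2`, `uses: BoundfoxStudios/action-xcode-staple@v1`) while the first receives the App Store Connect Apple ID, password and team ID from secrets, so a moved or compromised tag would hand those credentials to unreviewed code; pin each to a full-length commit SHA with the tag kept as a trailing comment, e.g. `uses: lando/notarize-action@<full-commit-sha> # v2`. The new side also contains no codesign step, so unless the preceding xcodebuild invocation signs the bundle with a Developer ID identity and the hardened runtime (not visible here), the notarize step will submit an unsigned or ad-hoc-signed app and the submission will be rejected. The step names say "Release Build" while `product-path` points at `build/Build/Products/Debug/Cork.app` in both steps; either rename the steps or build the Release configuration so the artifact being notarized and stapled is the intended one. `name:` is quoted on the staple step but not on the notarize step; pick one style for the file.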