From fc81d4dd3a0121604bd4eb4a04e483c22aadd0ee Mon Sep 17 00:00:00 2001
From: Nate Maninger
Date: Thu, 24 Feb 2022 07:45:45 +0900
Subject: [PATCH] ci: add release and notarize process

---
 .github/workflows/main.yml | 36 ++----------------
 .github/workflows/pr.yml | 21 -----------
 .github/workflows/release.yml | 70 +++++++++++++++++++++++++++++++++++
 .gitignore | 9 +++--
 scripts/release.sh | 35 ++++++++++++++++++
 5 files changed, 114 insertions(+), 57 deletions(-)
 delete mode 100644 .github/workflows/pr.yml
 create mode 100644 .github/workflows/release.yml
 create mode 100755 scripts/release.sh

diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index dd250ee..64c22ff 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -1,12 +1,15 @@
 name: Main
 on:
+  pull_request:
+    branches:
+      - master
   push:
     branches:
       - master
 
 jobs:
   test:
-    runs-on: ubuntu-latest
+    runs-on: ${{ matrix.os }}
     strategy:
       matrix:
         os: [ ubuntu-latest, macos-latest, windows-latest ]
@@ -21,34 +24,3 @@ jobs:
         go-version: ${{ matrix.go-version }}
       - name: Test
         uses: ./.github/actions/test
-  # TODO: set up release process
-  release:
-    needs: test
-    runs-on: ubuntu-latest
-    strategy:
-      matrix:
-        os: [ darwin, linux, windows ]
-        arch: [ arm64, amd64 ]
-    steps:
-      - uses: actions/checkout@v2
-      - name: Setup
-        uses: ./.github/actions/setup
-        with:
-          node_version: 16
-          go-version: 1.17
-      - name: Build web
-        shell: bash
-        run: npx nx build
-        working-directory: ./app
-      - name: Build ${{ matrix.os }}/${{ matrix.arch }}
-        shell: bash
-        env:
-          GOOS: ${{ matrix.os }}
-          GOARCH: ${{ matrix.arch }}
-        run: go build -o dist/ .
-      - name: Save artifacts
-        uses: actions/upload-artifact@v2
-        with:
-          name: embarcadero-${{ matrix.os }}-${{ matrix.arch }}
-          path: dist/*
-          retention-days: 30
diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml
deleted file mode 100644
index 6abfab9..0000000
--- a/.github/workflows/pr.yml
+++ /dev/null
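Review bot: The new `pull_request` trigger is filtered to `branches: - master`, whereas the `pr.yml` workflow this commit deletes ran the same test matrix on every pull request regardless of base branch, so PRs opened against any other branch will no longer be tested. If that narrowing is unintended, drop the `branches:` filter under `pull_request:` (keeping it on `push:`); if it is intended, a one-line comment such as `# only PRs targeting master are tested` would stop the next reader from re-adding it. Nothing in this workflow's visible lines references `secrets`, so widening the PR trigger does not expose anything to fork PRs, though the `./.github/actions/setup` and `./.github/actions/test` composites are not shown here.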
@@ -1,21 +0,0 @@
-name: PR
-on:
-  pull_request:
-
-jobs:
-  pr:
-    runs-on: ubuntu-latest
-    strategy:
-      matrix:
-        os: [ ubuntu-latest, macos-latest, windows-latest ]
-        go-version: [ '1.16', '1.17' ]
-        node_version: [16]
-    steps:
-      - uses: actions/checkout@v2
-      - name: Setup
-        uses: ./.github/actions/setup
-        with:
-          node_version: ${{ matrix.node_version }}
-          go-version: ${{ matrix.go-version }}
-      - name: Test
-        uses: ./.github/actions/test
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
new file mode 100644
index 0000000..16100a9
--- /dev/null
+++ b/.github/workflows/release.yml
@@ -0,0 +1,70 @@
+name: Release
+on:
+  workflow_dispatch:
+  push:
+    branches:
+      - master
+    tags:
+      - 'v[0-9]+.[0-9]+.[0-9]+'
+      - 'v[0-9]+.[0-9]+.[0-9]+-rc[0-9]+'
+
+jobs:
+  release:
+    runs-on: macos-latest
+    env:
+      APPLE_CERT_ID: ${{ secrets.APPLE_CERT_ID }}
+      APPLE_API_KEY: ${{ secrets.APPLE_API_KEY }}
+      APPLE_API_ISSUER: ${{ secrets.APPLE_API_ISSUER }}
+      APPLE_KEY_B64: ${{ secrets.APPLE_KEY_B64 }}
+      APPLE_CERT_B64: ${{ secrets.APPLE_CERT_B64 }}
+      APPLE_CERT_PASSWORD: ${{ secrets.APPLE_CERT_PASSWORD }}
+      APPLE_KEYCHAIN_PASSWORD: ${{ secrets.APPLE_KEYCHAIN_PASSWORD }}
+    steps:
+      - uses: actions/checkout@v2
+      - name: Setup
+        uses: ./.github/actions/setup
+        with:
+          node_version: 16
+          go-version: '1.17'
+      - name: Test
+        uses: ./.github/actions/test
+      - name: Setup notarization
+        run: |
+          # extract apple cert
+          APPLE_CERT_PATH=$RUNNER_TEMP/apple_cert.p12
+          KEYCHAIN_PATH=$RUNNER_TEMP/app-signing.keychain-db
+          echo -n "$APPLE_CERT_B64" | base64 --decode --output $APPLE_CERT_PATH
+
+          # extract apple key
+          mkdir -p ~/private_keys
+          APPLE_API_KEY_PATH=~/private_keys/AuthKey_$APPLE_API_KEY.p8
+          echo -n "$APPLE_KEY_B64" | base64 --decode --output $APPLE_API_KEY_PATH
+
+          # create temp keychain
+          security create-keychain -p "$APPLE_KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
+          security set-keychain-settings -lut 21600 $KEYCHAIN_PATH
+          security unlock-keychain -p "$APPLE_KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
+
+          # import keychain
+          security import $APPLE_CERT_PATH -P $APPLE_CERT_PASSWORD -A -t cert -f pkcs12 -k $KEYCHAIN_PATH
+          security list-keychain -d user -s $KEYCHAIN_PATH
+          security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k $APPLE_KEYCHAIN_PASSWORD $KEYCHAIN_PATH
+      - name: Build web
+        shell: bash
+        run: npx nx build
+        working-directory: ./app
+      - name: Package
+        shell: bash
+        run: scripts/release.sh
+      - name: Save artifacts
+        uses: actions/upload-artifact@v2
+        with:
+          name: releases
+          if-no-files-found: error
+          path: release/*
+          retention-days: 30
+      - name: cleanup
+
        if: ${{ always() }}
+        run: |
+          security delete-keychain $RUNNER_TEMP/app-signing.keychain-db
+          rm -rf .env* build/bin $RUNNER_TEMP/* ~/private_keys 2> /dev/null
diff --git a/.gitignore b/.gitignore
index a4aed2d..fd48fcb 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,12 +1,13 @@
 # See http://help.github.com/ignore-files/ for more about ignoring files.
 
 # compiled output
-*/dist
-*/tmp
-*/out-tsc
+dist/
+release/
+tmp/
+out-tsc/
 
 # dependencies
-*/node_modules
+node_modules/
 
 # IDEs and editors
 /.idea
diff --git a/scripts/release.sh b/scripts/release.sh
new file mode 100755
index 0000000..57d05df
--- /dev/null
+++ b/scripts/release.sh
@@ -0,0 +1,35 @@
+#!/bin/bash
+# Must be run on macOS, does not support any other OS due to Apple Gatekeeper
+# notarization
+rm -rf release dist
+mkdir release
+
+cleanup() {
+  rm -rf dist
+}
+trap cleanup EXIT
+
+# use either the tag name or short commit hash
+RELEASE=$(git describe --tags --exact-match --abbrev=0)
+if [ $? -ne 0 ]; then
+  RELEASE=$(git log -1 --pretty=format:%h)
+fi
+
+for OS in linux windows darwin; do
+  for ARCH in amd64 arm64; do
+    echo "Building $RELEASE $OS/$ARCH"
+    rm -rf dist
+    mkdir -p dist/embarcadero
+    GOOS=$OS GOARCH=$ARCH go build -trimpath -ldflags='-s -w' -o dist/embarcadero/ .
+    # cp README.md dist/embarcadero/
+    ZIP_OUTPUT="release/embarcadero_${RELEASE}_${OS}_${ARCH}.zip"
+    if [ "$OS" = "darwin" ]; then
+      codesign --deep -f -v --timestamp -o runtime,library -s $APPLE_CERT_ID dist/embarcadero/embarcadero
+      ditto -ck dist/embarcadero $ZIP_OUTPUT
+      xcrun notarytool submit -k ~/.private_keys/AuthKey_39554JCL5N.p8 -d $APPLE_API_KEY -i $APPLE_API_ISSUER --wait --timeout 10m $ZIP_OUTPUT
+    else
+      zip -qj $ZIP_OUTPUT dist/embarcadero/*
+    fi
+    # TODO: sign releases with GitHub key
+  done
+done
\ No newline at end of file
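Review bot: The job-level `env:` block hands all seven Apple secrets (signing certificate, its password, the keychain password and the App Store Connect key) to every step of the job, including `actions/checkout@v2`, the `./.github/actions/setup` and `./.github/actions/test` composites and `npx nx build`, none of which need them and all of which run third-party code that can read the process environment. Scope them to the steps that use them: `Setup notarization` needs the certificate/key material and passwords, and `Package` needs only `APPLE_CERT_ID`, `APPLE_API_KEY` and `APPLE_API_ISSUER` (sketch below). In the same step, `security import ... -A` lets every application use the imported identity, while `-T /usr/bin/codesign` is enough given that the following `set-key-partition-list` only allowlists `codesign:` anyway, and `$APPLE_CERT_PATH`, `$APPLE_CERT_PASSWORD` and `$KEYCHAIN_PATH` should be double-quoted. Note also that `push: branches: - master` plus `workflow_dispatch` means every master commit, not just a `v*` tag, produces signed and notarized artifacts; if that is not intended, gate the job with `if: startsWith(github.ref, 'refs/tags/v')`. Pinning `actions/checkout@v2` and `actions/upload-artifact@v2` to commit SHAs would close the remaining tag-mutation vector for a job that holds signing keys.

```yaml
jobs:
  release:
    runs-on: macos-latest
    steps:
      # … unchanged: checkout, Setup, Test …
      - name: Setup notarization
        env:
          APPLE_API_KEY: ${{ secrets.APPLE_API_KEY }}
          APPLE_KEY_B64: ${{ secrets.APPLE_KEY_B64 }}
          APPLE_CERT_B64: ${{ secrets.APPLE_CERT_B64 }}
          APPLE_CERT_PASSWORD: ${{ secrets.APPLE_CERT_PASSWORD }}
          APPLE_KEYCHAIN_PASSWORD: ${{ secrets.APPLE_KEYCHAIN_PASSWORD }}
        run: |
          # … unchanged: cert/key extraction, keychain creation …
          security import "$APPLE_CERT_PATH" -P "$APPLE_CERT_PASSWORD" -T /usr/bin/codesign -t cert -f pkcs12 -k "$KEYCHAIN_PATH"
          # … unchanged: list-keychain, set-key-partition-list …
      # … unchanged: Build web …
      - name: Package
        shell: bash
        env:
          APPLE_CERT_ID: ${{ secrets.APPLE_CERT_ID }}
          APPLE_API_KEY: ${{ secrets.APPLE_API_KEY }}
          APPLE_API_ISSUER: ${{ secrets.APPLE_API_ISSUER }}
        run: scripts/release.sh
      # … unchanged: Save artifacts, cleanup …
```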
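Review bot: `xcrun notarytool submit -k ~/.private_keys/AuthKey_39554JCL5N.p8` hard-codes a key ID and a `~/.private_keys` directory, but the workflow's `Setup notarization` step writes the key to `~/private_keys/AuthKey_$APPLE_API_KEY.p8` (no leading dot), so the explicit `-k` path will not exist on the runner unless it is created somewhere not shown here; use `xcrun notarytool submit -k ~/private_keys/AuthKey_"$APPLE_API_KEY".p8 -d "$APPLE_API_KEY" -i "$APPLE_API_ISSUER" --wait --timeout 10m "$ZIP_OUTPUT"` so script and workflow agree. Because the script has no `set -e`, a failed `go build`, `codesign` or `notarytool` does not stop the loop and the `Package` step still exits 0, so `Save artifacts` uploads whatever zips exist, including a darwin zip whose notarization failed; add `set -euo pipefail` after the shebang and replace the `$?` check with `RELEASE=$(git describe --tags --exact-match 2>/dev/null) || RELEASE=$(git log -1 --pretty=format:%h)`. Whether `notarytool submit --wait` exits non-zero on an `Invalid` verdict is not visible here and is worth confirming, since nothing inspects the submission status. The linux and windows zips are unsigned (the trailing TODO acknowledges this); until that lands, `shasum -a 256 release/*.zip > release/SHA256SUMS` as a final line gives consumers at least an integrity reference alongside the artifacts.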