Add sign and notarize macOS x86_64 #35 (#53)

juliangruber · bajtos · web-flow · commit fe72d8e16a0e · 2022-09-27T11:24:54.000+02:00
* sign and notarize (wip) * always run for now * add install gon * try fixing the rate limiting issue * just always run on macos * change gon invocation * try again after updating env * try again after updating env * try again after updating env * try again after updating env * pass secrets to env * import cert into keychain * just pass the cert name (no secret) * fix build id * fix build id * build on all darwin architectures * add sign arm64 * fix hcl syntax * undo debug changes * clean up * attach artifacts to workflow run * run on push again * clean up * update bundle id * use hooks instead of signs * turn gon config into dotfile * add zip output * try "signs" again * try mirroring mitchellh/gon setup * update paths * 🤔 * looks like username needs to be hardcoded * clean up * attach everything from `./dist` * remove unnecessary dmg artifact * undo some changes * only archive macos * undo some changes * undo some changes * undo some changes * zip -> tar.gz * add arch to macos artifact * remove version from other builds too * skip folder artifact upload * Revert "zip -> tar.gz" This reverts commit c49d051. * docs * keep previous artifact naming * fix artifact name * build all darwin archs * sign macos archs independently * refactor, fix redundant signs ids * consistent naming * fix signing source paths * fix source path again * arm signing issues * clean up * always run * try manual arm script * fix path * fix paths * wait, why is x86_64 failing now * fix sign command * switch back to gon, remove arm signing attempts again * Update bundle_id Co-authored-by: Miroslav Bajtoš <saturn@bajtos.net> Co-authored-by: Miroslav Bajtoš <saturn@bajtos.net>
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -2,9 +2,6 @@ name: goreleaser
 
 on:
   push:
-    # run only against tags
-    tags:
-      - '*'
 
 permissions:
   contents: write
@@ -13,7 +10,7 @@ permissions:
 
 jobs:
   goreleaser:
-    runs-on: ubuntu-latest
+    runs-on: macos-latest
     steps:
       -
         name: Checkout
@@ -29,6 +26,7 @@ jobs:
           tag: v0.0.19
           fileName: saturn-webui.tar.gz
           out-file-path: resources/webui
+          token: ${{ secrets.GITHUB_TOKEN }}
       -
         name: Unpack web UI archive
         run: |
@@ -43,6 +41,33 @@ jobs:
         uses: actions/setup-go@v2
         with:
           go-version: 1.18
+      -
+        name: Install gon
+        run: |
+          brew tap mitchellh/gon
+          brew install mitchellh/gon/gon
+      -
+        name: Install the Apple certificate and provisioning profile
+        env:
+          BUILD_CERTIFICATE_BASE64: ${{ secrets.BUILD_CERTIFICATE_BASE64 }}
+          P12_PASSWORD: ${{ secrets.P12_PASSWORD }}
+          KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }}
+        run: |
+          # create variables
+          CERTIFICATE_PATH=$RUNNER_TEMP/build_certificate.p12
+          KEYCHAIN_PATH=$RUNNER_TEMP/app-signing.keychain-db
+
+          # import certificate and provisioning profile from secrets
+          echo -n "$BUILD_CERTIFICATE_BASE64" | base64 --decode --output $CERTIFICATE_PATH
+
+          # create temporary keychain
+          security create-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
+          security set-keychain-settings -lut 21600 $KEYCHAIN_PATH
+          security unlock-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
+
+          # import certificate to keychain
+          security import $CERTIFICATE_PATH -P "$P12_PASSWORD" -A -t cert -f pkcs12 -k $KEYCHAIN_PATH
+          security list-keychain -d user -s $KEYCHAIN_PATH
       -
         name: Run GoReleaser
         uses: goreleaser/goreleaser-action@v2
@@ -53,5 +78,13 @@ jobs:
           args: release --rm-dist
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          AC_PASSWORD: ${{ secrets.AC_PASSWORD }}
           # Your GoReleaser Pro key, if you are using the 'goreleaser-pro' distribution
           # GORELEASER_KEY: ${{ secrets.GORELEASER_KEY }}
+      -
+        name: Attach produced packages to Github Action
+        uses: actions/upload-artifact@v2
+        with:
+          name: dist
+          path: dist/*.*
+          if-no-files-found: error
diff --git a/.gon.hcl b/.gon.hcl
@@ -0,0 +1,15 @@
+source = ["./dist/macos-x86-64_darwin_amd64_v1/L2-node"]
+bundle_id = "io.filecoin.saturn.l2-node"
+
+apple_id {
+  username = "oli@protocol.ai"
+  password = "@env:AC_PASSWORD"
+}
+
+sign {
+  application_identity = "Developer ID Application: Protocol Labs, Inc."
+}
+
+zip {
+  output_path="./dist/L2-node_Darwin_x86_64.zip"
+}
diff --git a/.goreleaser.yaml b/.goreleaser.yaml
@@ -7,27 +7,52 @@ before:
     # you may remove this if you don't need go generate
     - go generate ./...
 builds:
-  - env:
+  - id: saturn
+    env:
       - CGO_ENABLED=0
     goos:
       - linux
       - windows
-      - darwin
     ignore:
     - goos: windows
       goarch: arm64
     main: ./cmd/saturn-l2
     binary: saturn-L2-node
-
+  - id: macos-x86-64
+    env:
+      - CGO_ENABLED=0
+    goos:
+      - darwin
+    goarch:
+      - amd64
+    main: ./cmd/saturn-l2
 archives:
-  - replacements:
-      darwin: Darwin
+  - builds:
+    - saturn
+    name_template: "{{ .ProjectName }}_{{ .Os }}_{{ .Arch }}"
+    replacements:
       linux: Linux
       windows: Windows
       386: i386
       amd64: x86_64
+  - builds:
+    - macos-x86-64
+    id: macos-x86-64-zip
+    format: zip
+    name_template: "{{ .ProjectName }}_{{ .Os }}_{{ .Arch }}"
+    replacements:
+      darwin: Darwin
+      amd64: x86_64
 checksum:
   name_template: 'checksums.txt'
+signs:
+  - id: macos-x86-64
+    ids:
+      - macos-x86-64-zip
+    cmd: gon
+    args:
+      - .gon.hcl
+    artifacts: all
 snapshot:
   name_template: "{{ incpatch .Version }}-next"
 changelog:
@@ -45,4 +70,3 @@ changelog:
     exclude:
       - '^docs:'
       - '^test:'
-
