ci: update Sparkle appcast generation step to include signing and app… #63
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: build and release beta version | |
| on: | |
| push: | |
| branches: [dev] | |
| jobs: | |
| build: | |
| runs-on: macos-15 | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| - name: Setup Xcode | |
| uses: maxim-lobanov/setup-xcode@v1 | |
| with: | |
| xcode-version: '16.0' | |
| - name: Import signing certificate | |
| env: | |
| SIGNING_CERTIFICATE: ${{ secrets.SIGNING_CERTIFICATE }} | |
| SIGNING_PASSWORD: ${{ secrets.SIGNING_PASSWORD }} | |
| run: | | |
| security create-keychain -p temporary_password build.keychain | |
| security default-keychain -s build.keychain | |
| security unlock-keychain -p temporary_password build.keychain | |
| echo "$SIGNING_CERTIFICATE" | base64 --decode > certificate.p12 | |
| security import certificate.p12 -k build.keychain -P "$SIGNING_PASSWORD" -T /usr/bin/codesign | |
| security set-key-partition-list -S apple-tool:,apple: -s -k temporary_password build.keychain | |
| security find-identity -v -p codesigning build.keychain | |
| - name: Build with Xcode | |
| run: | | |
| xcodebuild clean build \ | |
| -project Micmute.xcodeproj \ | |
| -scheme Micmute \ | |
| -configuration Release \ | |
| -destination "platform=macOS" \ | |
| CODE_SIGNING_REQUIRED=NO \ | |
| -derivedDataPath build_output | |
| # - name: Verify code signing | |
| # run: | | |
| # cd ./build_output/Build/Products/Release | |
| # codesign --deep -vvv --verify Micmute.app | |
| # if [ $? -eq 0 ]; then | |
| # echo "Code signing verification succeeded." | |
| # else | |
| # echo "Code signing verification failed." | |
| # exit 1 | |
| # fi | |
| # spctl -a -t exec -vvv Micmute.app | |
| - name: Archive artifact | |
| run: | | |
| cd ./build_output/Build/Products/Release | |
| ditto -c -k --sequesterRsrc --keepParent Micmute.app Micmute-Beta.zip | |
| mv Micmute-Beta.zip $GITHUB_WORKSPACE/Micmute-Beta.zip | |
| - name: Generate Sparkle appcast and sign artifact | |
| run: | | |
| echo "${{ secrets.SPARKLE_PRIVATE_KEY }}" | base64 --decode > private_key.pem | |
| openssl dgst -sha256 -binary < $GITHUB_WORKSPACE/Micmute-Beta.zip | openssl dgst -sha256 -sign private_key.pem -out $GITHUB_WORKSPACE/Micmute-Beta.zip.sig | |
| generate_appcast --private-key ./private_key.pem --download-url-prefix "https://github.com/rokartur/Micmute/releases/latest/download/" $GITHUB_WORKSPACE | |
| mv appcast.xml $GITHUB_WORKSPACE/appcast.xml | |
| - name: Commit appcast.xml | |
| run: | | |
| cd $GITHUB_WORKSPACE | |
| git config user.email "action@github.com" | |
| git config user.name "GitHub Action" | |
| git add appcast.xml | |
| git commit -m "chore: update appcast.xml for beta release" || echo "No changes to commit" | |
| git push "https://x-access-token:${{ secrets.GITHUB_TOKEN }}@github.com/${{ github.repository }}.git" HEAD:${{ github.ref }} | |
| - name: Upload artifact | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: Micmute-Beta.zip | |
| path: ${{ github.workspace }}/Micmute-Beta.zip | |
| release: | |
| needs: build | |
| runs-on: macos-15 | |
| permissions: | |
| contents: write | |
| steps: | |
| - name: Download artifact | |
| uses: actions/download-artifact@v4 | |
| with: | |
| name: Micmute-Beta.zip | |
| path: . | |
| - name: Create release | |
| uses: marvinpinto/action-automatic-releases@master | |
| with: | |
| files: Micmute-Beta.zip | |
| automatic_release_tag: 'beta' | |
| title: 'Micmute 3.0.0 Beta (${{ github.run_number }})' | |
| draft: false | |
| prerelease: true | |
| repo_token: ${{ secrets.GITHUB_TOKEN }} |