Build and upload Mac app artifact #120
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Build and upload Mac app artifact | |
on: | |
workflow_dispatch: | |
inputs: | |
buildBranch: | |
description: 'Headlamp ref/branch/tag' | |
required: true | |
default: 'main' | |
signBinaries: | |
description: Notarize app | |
default: false | |
type: boolean | |
jobs: | |
build-mac: | |
runs-on: macos-latest | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
ref: ${{ github.event.inputs.buildBranch }} | |
- name: Setup nodejs | |
uses: actions/setup-node@v4 | |
with: | |
node-version: 18.x | |
cache: 'npm' | |
cache-dependency-path: | | |
app/package-lock.json | |
frontend/package-lock.json | |
- uses: actions/setup-go@v5 | |
with: | |
go-version: '1.20.*' | |
cache-dependency-path: | | |
backend/go.sum | |
- name: Dependencies | |
run: brew install make | |
- name: Build Backend and Frontend | |
run: | | |
make | |
- name: Add MacOS certs | |
run: cd ./app/mac/scripts/ && sh ./setup-certificate.sh | |
env: | |
APPLE_CERTIFICATE: ${{ secrets.TEST_APPLE_DEV_CERT }} | |
APPLE_CERTIFICATE_PASSWORD: ${{ secrets.TEST_APPLE_DEV_CERT_PASS }} | |
- name: Build Notarized App Mac | |
if: ${{ inputs.signBinaries }} | |
env: | |
APPLE_TEAM_ID: ${{ secrets.TEST_APPLE_TEAM_ID }} | |
run: | | |
make app-mac | |
ls ./app | |
ls ./app/dist | |
ls ./app/dist/mac* | |
# env: | |
# APPLEID: ${{ secrets.APPLEID }} | |
# APPLEIDPASS: ${{ secrets.APPLEIDPASS }} | |
# APPLETEAMID: ${{ secrets.APPLETEAMID }} | |
# - name: Build App Mac | |
# if: ${{ ! inputs.signBinaries }} | |
# run: | | |
# make app-mac | |
# - name: CodeSign | |
# run: | | |
# cd ./app/dist/mac && codesign -s ${{ secrets.TEST_APPLE_TEAM_ID }} --deep --force --options runtime --entitlements ../../mac/entitlements.mac.plist ./Headlamp.app | |
# - name: Zip Artifact | |
# run: | | |
# cd ./app/dist/mac/ && ditto -c -k --sequesterRsrc --keepParent Headlamp.app ./Headlamp.zip | |
- name: Upload artifact | |
uses: actions/upload-artifact@v4 | |
with: | |
name: DMGs | |
path: ./app/dist/Headlamp*.dmg | |
if-no-files-found: error | |
retention-days: 1 | |
notarize: | |
runs-on: windows-latest | |
needs: build-mac | |
if: ${{ inputs.signBinaries }} | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
ref: ${{ github.event.inputs.buildBranch }} | |
- name: Setup nodejs | |
uses: actions/setup-node@v4 | |
with: | |
node-version: 18.x | |
cache: 'npm' | |
cache-dependency-path: | | |
app/package-lock.json | |
frontend/package-lock.json | |
# - name: Download artifact | |
# id: download-artifact | |
# uses: dawidd6/action-download-artifact@v3 | |
# with: | |
# # Optional, GitHub token, a Personal Access Token with `public_repo` scope if needed | |
# # Required, if the artifact is from a different repo | |
# # Required, if the repo is private a Personal Access Token with `repo` scope is needed or GitHub token in a job where the permissions `action` scope set to `read` | |
# github_token: ${{secrets.GITHUB_TOKEN}} | |
# run_id: 8018373845 | |
- name: Download artifact | |
uses: actions/download-artifact@v2 | |
- name: Fetch certificates | |
if: ${{ inputs.signBinaries }} | |
shell: pwsh | |
run: | | |
az login --service-principal -u ${{ secrets.WINDOWS_CLIENT_ID }} -p ${{ secrets.AZ_LOGIN_PASS }} --tenant 72f988bf-86f1-41af-91ab-2d7cd011db47 | |
az keyvault secret download --subscription ${{ secrets.AZ_SUBSCRIPTION_ID }} --vault-name headlamp --name HeadlampAuthCert --file c:\HeadlampAuthCert.pfx --encoding base64 | |
az keyvault secret download --subscription ${{ secrets.AZ_SUBSCRIPTION_ID }} --vault-name headlamp --name ESRPHeadlampReqCert --file c:\HeadlampReqCert.pfx --encoding base64 | |
- name: Set up certificates | |
if: ${{ inputs.signBinaries }} | |
shell: pwsh | |
run: | | |
Import-PfxCertificate -FilePath c:\HeadlampAuthCert.pfx -CertStoreLocation Cert:\LocalMachine\My -Exportable | |
Import-PfxCertificate -FilePath c:\HeadlampReqCert.pfx -CertStoreLocation Cert:\LocalMachine\My -Exportable | |
- name: Download and Set up ESRPClient | |
if: ${{ inputs.signBinaries }} | |
shell: pwsh | |
run: | | |
nuget.exe sources add -name esrp -source ${{ secrets.ESRP_NUGET_INDEX_URL }} -username headlamp -password ${{ secrets.AZ_DEVOPS_TOKEN }} | |
nuget.exe install Microsoft.EsrpClient -Version 1.2.87 -source ${{ secrets.ESRP_NUGET_INDEX_URL }} | out-null | |
- name: Sign App | |
shell: pwsh | |
run: | | |
ls app/mac/scripts | |
ls | |
ls DMGs* | |
if ("${{ inputs.signBinaries }}" -eq "true") { | |
$env:ESRP_PATH="$(Get-Location)\Microsoft.EsrpClient.1.2.87\tools\EsrpClient.exe" | |
$env:HEADLAMP_WINDOWS_CLIENT_ID="${{ secrets.WINDOWS_CLIENT_ID }}" | |
$env:HEADLAMP_WINDOWS_SIGN_EMAIL="${{ secrets.WINDOWS_SIGN_EMAIL }}" | |
} else { | |
echo "Not signing binaries" | |
} | |
cd ./app/mac/scripts | |
ls ../../../DMGs | |
node ./esrp-notarize.js SIGN ../../../DMGs/ | |
- name: Notarize App | |
shell: pwsh | |
run: | | |
ls app/mac/scripts | |
ls | |
if ("${{ inputs.signBinaries }}" -eq "true") { | |
$env:ESRP_PATH="$(Get-Location)\Microsoft.EsrpClient.1.2.87\tools\EsrpClient.exe" | |
$env:HEADLAMP_WINDOWS_CLIENT_ID="${{ secrets.WINDOWS_CLIENT_ID }}" | |
$env:HEADLAMP_WINDOWS_SIGN_EMAIL="${{ secrets.WINDOWS_SIGN_EMAIL }}" | |
} else { | |
echo "Not signing binaries" | |
} | |
cd ./app/mac/scripts | |
ls ../../../DMGs | |
node ./esrp-notarize.js NOTARIZE ../../../DMGs/ | |
- name: Upload Notarized | |
uses: actions/upload-artifact@v4 | |
with: | |
name: DMGs | |
path: ./DMGs/Headlamp*.dmg | |
if-no-files-found: error | |
retention-days: 2 | |
stapler: | |
runs-on: macos-latest | |
needs: notarize | |
steps: | |
- name: Download artifact | |
uses: actions/download-artifact@v2 | |
- name: Staple | |
run: | | |
ls DMGs | |
xcrun stapler staple ./DMGs/Headlamp*.dmg | |
- name: Upload Stapled | |
uses: actions/upload-artifact@v4 | |
with: | |
name: DMGs | |
path: ./DMGs/Headlamp*.dmg | |
if-no-files-found: error | |
retention-days: 2 |