feat: build, sign and notarize a binary for Apple Silicon macOS devices

.github/workflows/ci.yml

@@ -20,24 +20,20 @@ jobs:
       - run: npm run lint
   end_to_end_tests_macos:
     name: Run end to end tests (GitHub.com to GitHub.com on macOS)
+    needs: ['package-macos']
     runs-on: macos-latest
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-node@v4.1.0
+      - name: Download macOS ARM64 binary
+        uses: actions/download-artifact@v4
         with:
-          node-version: 20.x
-          cache: 'npm'
-      - run: npm ci
-      - name: Generate binaries for macOS, Linux and Windows
-        run: npm run package
-      - name: Rename macOS binary to conform to GitHub CLI extension rules
-        run: mv bin/migrate-project-macos bin/gh-migrate-project-darwin-amd64
+          name: gh-migrate-project-darwin-arm64
+          path: bin
       - name: Create `output` directory
         run: mkdir output
       - name: Make macOS binary executable
-        run: chmod +x bin/gh-migrate-project-darwin-amd64
+        run: chmod +x bin/gh-migrate-project-darwin-arm64
       - name: Export a project from GitHub.com
-        run: ./bin/gh-migrate-project-darwin-amd64 export --project-owner gh-migrate-project-sandbox --project-number 1026 --disable-telemetry
+        run: ./bin/gh-migrate-project-darwin-arm64 export --project-owner gh-migrate-project-sandbox --project-number 1026 --disable-telemetry
         env:
           EXPORT_GITHUB_TOKEN: ${{ secrets.GH_MIGRATE_PROJECT_SANDBOX_TOKEN }}
       - name: Copy outputs to output/ directory
@@ -51,7 +47,7 @@ jobs:
           echo "source_repository,target_repository
           gh-migrate-project-sandbox/initial-repository,gh-migrate-project-sandbox/initial-repository" > completed-repository-mappings.csv
       - name: Import project to GitHub.com
-        run: ./bin/gh-migrate-project-darwin-amd64 import --input-path project.json --repository-mappings-path completed-repository-mappings.csv --project-owner gh-migrate-project-sandbox --disable-telemetry
+        run: ./bin/gh-migrate-project-darwin-arm64 import --input-path project.json --repository-mappings-path completed-repository-mappings.csv --project-owner gh-migrate-project-sandbox --disable-telemetry
         env:
           IMPORT_GITHUB_TOKEN: ${{ secrets.GH_MIGRATE_PROJECT_SANDBOX_TOKEN }}
       - name: Upload outputs as artifacts
@@ -62,17 +58,13 @@ jobs:
   end_to_end_tests_linux:
     name: Run end to end tests (GitHub.com to GitHub.com on Linux)
     runs-on: ubuntu-latest
+    needs: ['package']
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-node@v4.1.0
+      - name: Download Linux AMD64 binary
+        uses: actions/download-artifact@v4
         with:
-          node-version: 20.x
-          cache: 'npm'
-      - run: npm ci
-      - name: Generate binaries for macOS, Linux and Windows
-        run: npm run package
-      - name: Rename Linux binary to conform to GitHub CLI extension rules
-        run: mv bin/migrate-project-linux bin/gh-migrate-project-linux-amd64
+          name: gh-migrate-project-linux-amd64
+          path: bin
       - name: Create `output` directory
         run: mkdir output
       - name: Make Linux binary executable
@@ -103,17 +95,13 @@ jobs:
   end_to_end_tests_windows:
     name: Run end to end tests (GitHub.com to GitHub.com on Windows)
     runs-on: windows-latest
+    needs: ['package']
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-node@v4.1.0
+      - name: Download Windows AMD64 binary
+        uses: actions/download-artifact@v4
         with:
-          node-version: 20.x
-          cache: 'npm'
-      - run: npm ci
-      - name: Generate binaries for macOS, Linux and Windows
-        run: npm run package
-      - name: Rename Windows binary to conform to GitHub CLI extension rules
-        run: mv bin/migrate-project-win.exe bin/gh-migrate-project-windows-amd64.exe
+          name: gh-migrate-project-windows-amd64
+          path: bin
       - name: Create `output` directory
         run: mkdir output
       - name: Export a project from GitHub.com
@@ -142,17 +130,13 @@ jobs:
   end_to_end_tests_linux_ghes_315:
     name: Run end to end tests (GitHub.com to GHES v3.15 on Linux)
     runs-on: ubuntu-latest
+    needs: ['package']
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-node@v4.1.0
+      - name: Download Linux AMD64 binary
+        uses: actions/download-artifact@v4
         with:
-          node-version: 20.x
-          cache: 'npm'
-      - run: npm ci
-      - name: Generate binaries for macOS, Linux and Windows
-        run: npm run package
-      - name: Rename Linux binary to conform to GitHub CLI extension rules
-        run: mv bin/migrate-project-linux bin/gh-migrate-project-linux-amd64
+          name: gh-migrate-project-linux-amd64
+          path: bin
       - name: Create `output` directory
         run: mkdir output
       - name: Make Linux binary executable
@@ -183,17 +167,13 @@ jobs:
   end_to_end_tests_linux_ghes_314:
     name: Run end to end tests (GitHub.com to GHES v3.14 on Linux)
     runs-on: ubuntu-latest
+    needs: ['package']
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-node@v4.1.0
+      - name: Download Linux AMD64 binary
+        uses: actions/download-artifact@v4
         with:
-          node-version: 20.x
-          cache: 'npm'
-      - run: npm ci
-      - name: Generate binaries for macOS, Linux and Windows
-        run: npm run package
-      - name: Rename Linux binary to conform to GitHub CLI extension rules
-        run: mv bin/migrate-project-linux bin/gh-migrate-project-linux-amd64
+          name: gh-migrate-project-linux-amd64
+          path: bin
       - name: Create `output` directory
         run: mkdir output
       - name: Make Linux binary executable
@@ -224,17 +204,13 @@ jobs:
   end_to_end_tests_linux_ghes_313:
     name: Run end to end tests (GitHub.com to GHES v3.13 on Linux)
     runs-on: ubuntu-latest
+    needs: ['package']
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-node@v4.1.0
+      - name: Download Linux AMD64 binary
+        uses: actions/download-artifact@v4
         with:
-          node-version: 20.x
-          cache: 'npm'
-      - run: npm ci
-      - name: Generate binaries for macOS, Linux and Windows
-        run: npm run package
-      - name: Rename Linux binary to conform to GitHub CLI extension rules
-        run: mv bin/migrate-project-linux bin/gh-migrate-project-linux-amd64
+          name: gh-migrate-project-linux-amd64
+          path: bin
       - name: Create `output` directory
         run: mkdir output
       - name: Make Linux binary executable
@@ -265,17 +241,13 @@ jobs:
   end_to_end_tests_linux_ghes_312:
     name: Run end to end tests (GitHub.com to GHES v3.12 on Linux)
     runs-on: ubuntu-latest
+    needs: ['package']
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-node@v4.1.0
+      - name: Download Linux AMD64 binary
+        uses: actions/download-artifact@v4
         with:
-          node-version: 20.x
-          cache: 'npm'
-      - run: npm ci
-      - name: Generate binaries for macOS, Linux and Windows
-        run: npm run package
-      - name: Rename Linux binary to conform to GitHub CLI extension rules
-        run: mv bin/migrate-project-linux bin/gh-migrate-project-linux-amd64
+          name: gh-migrate-project-linux-amd64
+          path: bin
       - name: Create `output` directory
         run: mkdir output
       - name: Make Linux binary executable
@@ -306,17 +278,13 @@ jobs:
   end_to_end_tests_linux_ghes_311:
     name: Run end to end tests (GitHub.com to GHES v3.11 on Linux)
     runs-on: ubuntu-latest
+    needs: ['package']
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-node@v4.1.0
+      - name: Download Linux AMD64 binary
+        uses: actions/download-artifact@v4
         with:
-          node-version: 20.x
-          cache: 'npm'
-      - run: npm ci
-      - name: Generate binaries for macOS, Linux and Windows
-        run: npm run package
-      - name: Rename Linux binary to conform to GitHub CLI extension rules
-        run: mv bin/migrate-project-linux bin/gh-migrate-project-linux-amd64
+          name: gh-migrate-project-linux-amd64
+          path: bin
       - name: Create `output` directory
         run: mkdir output
       - name: Make Linux binary executable
@@ -344,8 +312,83 @@ jobs:
         with:
           name: linux-outputs-ghes-311
           path: output
+  package-macos:
+    name: Package macOS binaries
+    runs-on: macos-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - name: Setup Node.js
+        uses: actions/setup-node@v4.0.4
+        with:
+          node-version: 20.x
+          cache: 'npm'
+      - name: Install dependencies
+        run: npm ci
+      - name: Create bin/ directory
+        run: mkdir bin
+      - name: Generate binaries for macOS
+        run: npm run package:macos
+      - name: Rename macOS ARM64 binary to conform to GitHub CLI extension rules
+        run: mv bin/migrate-project-arm64 bin/gh-migrate-project-darwin-arm64
+      - name: Rename macOS AMD64 binary to conform to GitHub CLI extension rules
+        run: mv bin/migrate-project-x64 bin/gh-migrate-project-darwin-amd64
+      - name: Write Apple signing key to a file
+        env:
+          APPLE_SIGNING_KEY_P12: ${{ secrets.APPLE_SIGNING_KEY_P12 }}
+        run: echo "$APPLE_SIGNING_KEY_P12" | base64 -d -o key.p12
+      - name: Write App Store Connect API key to a file
+        env:
+          APP_STORE_CONNECT_API_KEY: ${{ secrets.APP_STORE_CONNECT_API_KEY }}
+        run: echo "$APP_STORE_CONNECT_API_KEY" > app_store_connect_api_key.json
+      - name: Sign macOS ARM64 binary
+        uses: indygreg/apple-code-sign-action@v1
+        with:
+          input_path: bin/gh-migrate-project-darwin-arm64
+          p12_file: key.p12
+          p12_password: ${{ secrets.APPLE_SIGNING_KEY_PASSWORD }}
+          sign: true
+          sign_args: '--code-signature-flags=runtime'
+      - name: Upload macOS ARM64 binary as artifact
+        uses: actions/upload-artifact@v4
+        with:
+          path: bin/gh-migrate-project-darwin-arm64
+          name: gh-migrate-project-darwin-arm64
+      - name: Archive macOS ARM64 binary for notarisation
+        run: zip gh-migrate-project-darwin-arm64.zip bin/gh-migrate-project-darwin-arm64
+      - name: Notarise signed macOS ARM64 binary
+        uses: indygreg/apple-code-sign-action@v1
+        with:
+          input_path: gh-migrate-project-darwin-arm64.zip
+          sign: false
+          notarize: true
+          app_store_connect_api_key_json_file: app_store_connect_api_key.json
+      - name: Sign macOS AMD64 binary
+        uses: indygreg/apple-code-sign-action@v1
+        with:
+          input_path: bin/gh-migrate-project-darwin-amd64
+          p12_file: key.p12
+          p12_password: ${{ secrets.APPLE_SIGNING_KEY_PASSWORD }}
+          sign: true
+          sign_args: '--code-signature-flags=runtime'
+      - name: Upload macOS AMD64 binary as artifact
+        uses: actions/upload-artifact@v4
+        with:
+          path: bin/gh-migrate-project-darwin-amd64
+          name: gh-migrate-project-darwin-amd64
+      - name: Archive macOS AMD64 binary for notarisation
+        run: zip gh-migrate-project-darwin-amd64.zip bin/gh-migrate-project-darwin-amd64
+      - name: Notarise signed macOS AMD64 binary
+        uses: indygreg/apple-code-sign-action@v1
+        with:
+          input_path: gh-migrate-project-darwin-amd64.zip
+          sign: false
+          notarize: true
+          app_store_connect_api_key_json_file: app_store_connect_api_key.json
   package:
-    name: Package binaries
+    name: Package Windows and Linux binaries
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
@@ -359,35 +402,31 @@ jobs:
           cache: 'npm'
       - name: Install dependencies
         run: npm ci
-      - name: Generate binaries for macOS, Linux and Windows
+      - name: Create bin/ directory
+        run: mkdir bin
+      - name: Generate binaries for Linux and Windows
         run: npm run package
-      - name: Rename macOS binary to conform to GitHub CLI extension rules
-        run: mv bin/migrate-project-macos bin/gh-migrate-project-darwin-amd64
       - name: Rename Windows binary to conform to GitHub CLI extension rules
         run: mv bin/migrate-project-win.exe bin/gh-migrate-project-windows-amd64.exe
       - name: Rename Linux binary to conform to GitHub CLI extension rules
         run: mv bin/migrate-project-linux bin/gh-migrate-project-linux-amd64
-      - name: Upload macOS binary as artifact
-        uses: actions/upload-artifact@v4
-        with:
-          name: package-macos
-          path: bin/gh-migrate-project-darwin-amd64
       - name: Upload Linux binary as artifact
         uses: actions/upload-artifact@v4
         with:
-          name: package-linux
+          name: gh-migrate-project-linux-amd64
           path: bin/gh-migrate-project-linux-amd64
       - name: Upload Windows binary as artifact
         uses: actions/upload-artifact@v4
         with:
-          name: package-windows
+          name: gh-migrate-project-windows-amd64
           path: bin/gh-migrate-project-windows-amd64.exe
   check_release_tag_matches_version:
     name: Check release tag matches version
     if: startsWith(github.ref, 'refs/tags/')
     runs-on: ubuntu-latest
     needs: [
         'package',
+        'package-macos',
         'test_and_lint',
         #'end_to_end_tests_linux_ghes_315',
         'end_to_end_tests_linux_ghes_314',
@@ -421,10 +460,15 @@ jobs:
         with:
           name: package-windows
           path: bin
-      - name: Download macOS binary
+      - name: Download macOS AMD64 binary
+        uses: actions/download-artifact@v4
+        with:
+          name: gh-migrate-project-darwin-amd64
+          path: bin
+      - name: Download macOS ARM64 binary
         uses: actions/download-artifact@v4
         with:
-          name: package-macos
+          name: gh-migrate-project-darwin-arm64
           path: bin
       - name: Download Linux binary
         uses: actions/download-artifact@v4
@@ -436,6 +480,7 @@ jobs:
         with:
           files: |
             bin/gh-migrate-project-darwin-amd64
+            bin/gh-migrate-project-darwin-arm64
             bin/gh-migrate-project-linux-amd64
             bin/gh-migrate-project-windows-amd64.exe
           generate_release_notes: true

package.json

@@ -5,10 +5,11 @@
   "description": "A GitHub CLI (https://cli.github.com/) extension for migrating GitHub Projects (https://docs.github.com/en/issues/planning-and-tracking-with-projects) between GitHub accounts and products",
   "homepage": "https://github.com/timrogers/gh-migrate-project",
   "scripts": {
-    "package": "node build.js && npx pkg dist/migrate-project.cjs --out-path bin --targets node20-linux-x64,node20-macos-x64,node20-win-x64",
-    "lint": "eslint .",
+    "package": "node build.js && npx pkg dist/migrate-project.cjs --sea --out-path bin --targets node20-linux-x64,node20-win-x64",
+    "package:macos": "node build.js && npx pkg dist/migrate-project.cjs --sea --targets node20-macos-x64,node20-macos-arm64 --out-path bin",
+    "lint": "eslint ",
     "lint-and-fix": "eslint . --fix",
-    "dev": "npx tsx src/index.ts",
+    "dev": "npx tsx --esm src/index.ts",
     "clean-up-organization-projects": "npx tsx script/clean-up-organization-projects.ts",
     "configure-github-enterprise-server-instance": "npx tsx script/configure-github-enterprise-server-instance.ts"
   },