|
| 1 | +name: Build Syncthing macOS v2 |
| 2 | + |
| 3 | +on: |
| 4 | + pull_request: |
| 5 | + branches: |
| 6 | + - v2 |
| 7 | + push: |
| 8 | + |
| 9 | +# A note on actions and third party code... The actions under actions/ (like |
| 10 | +# `uses: actions/checkout`) are maintained by GitHub, and we need to trust |
| 11 | +# GitHub to maintain their code and infrastructure or we're in deep shit in |
| 12 | +# general. The same doesn't necessarily apply to other actions authors, so |
| 13 | +# some care needs to be taken when adding steps, especially in the paths |
| 14 | +# that lead up to code being packaged and signed. |
| 15 | + |
| 16 | +jobs: |
| 17 | +# build-debug: |
| 18 | +# name: Build debug |
| 19 | +# if: github.event_name == 'push' && github.ref != 'refs/heads/release' # Debug not necessary on release branch (develop is intermediate branch) |
| 20 | +# runs-on: macos-13 |
| 21 | +# steps: |
| 22 | +# - uses: actions/checkout@v4 |
| 23 | +# with: |
| 24 | +# fetch-depth: 0 |
| 25 | +# |
| 26 | +# - name: Build debug target |
| 27 | +# run: make debug |
| 28 | +# |
| 29 | +# - name: Prepare debug build for artifact |
| 30 | +# run: make debug-dist |
| 31 | +# |
| 32 | +# - name: Archive artifacts |
| 33 | +# uses: actions/upload-artifact@v4 |
| 34 | +# with: |
| 35 | +# name: syncthing-macos-debug |
| 36 | +# path: Build/Products/Debug/dist |
| 37 | + |
| 38 | + build-release: |
| 39 | + name: Build release |
| 40 | + if: github.event_name == 'push' && github.ref == 'refs/heads/v2' |
| 41 | + environment: signing |
| 42 | + runs-on: macos-13 |
| 43 | + steps: |
| 44 | + - uses: actions/checkout@v4 |
| 45 | + with: |
| 46 | + fetch-depth: 0 |
| 47 | + submodules: 'true' |
| 48 | + |
| 49 | + - name: Import signing certificate |
| 50 | + run: | |
| 51 | + # Set up a run-specific keychain, making it available for the |
| 52 | + # `codesign` tool. |
| 53 | + umask 066 |
| 54 | + KEYCHAIN_PATH=$RUNNER_TEMP/codesign.keychain |
| 55 | + KEYCHAIN_PASSWORD=$(uuidgen) |
| 56 | + security create-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH" |
| 57 | + security default-keychain -s "$KEYCHAIN_PATH" |
| 58 | + security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH" |
| 59 | + security set-keychain-settings -lut 21600 "$KEYCHAIN_PATH" |
| 60 | +
|
| 61 | + # Import the certificate |
| 62 | + CERTIFICATE_PATH=$RUNNER_TEMP/codesign.p12 |
| 63 | + echo "$DEVELOPER_ID_CERTIFICATE_BASE64" | base64 -d -o "$CERTIFICATE_PATH" |
| 64 | + security import "$CERTIFICATE_PATH" -k "$KEYCHAIN_PATH" -P "$DEVELOPER_ID_CERTIFICATE_PASSWORD" -T /usr/bin/codesign -T /usr/bin/productsign |
| 65 | + security set-key-partition-list -S apple-tool:,apple: -s -k actions "$KEYCHAIN_PATH" |
| 66 | +
|
| 67 | + # Set the codesign identity for following steps |
| 68 | + echo "CODESIGN_IDENTITY=$CODESIGN_IDENTITY" >> $GITHUB_ENV |
| 69 | + env: |
| 70 | + DEVELOPER_ID_CERTIFICATE_BASE64: ${{ secrets.DEVELOPER_ID_CERTIFICATE_BASE64 }} |
| 71 | + DEVELOPER_ID_CERTIFICATE_PASSWORD: ${{ secrets.DEVELOPER_ID_CERTIFICATE_PASSWORD }} |
| 72 | + CODESIGN_IDENTITY: ${{ secrets.CODESIGN_IDENTITY }} |
| 73 | + |
| 74 | + - name: Build release dmg |
| 75 | + run: | |
| 76 | + make release-dmg |
| 77 | +
|
| 78 | + - name: Archive artifacts |
| 79 | + uses: actions/upload-artifact@v4 |
| 80 | + with: |
| 81 | + name: syncthing-macos-v2-dmg-release |
| 82 | + path: Build/Products/Release/*.dmg |
| 83 | + |
| 84 | + notarize: |
| 85 | + name: Notarize for macOS |
| 86 | + if: github.event_name == 'push' && github.ref == 'refs/heads/v2' |
| 87 | + environment: signing |
| 88 | + needs: |
| 89 | + - build-release |
| 90 | + runs-on: macos-latest |
| 91 | + steps: |
| 92 | + - name: Download artifacts |
| 93 | + uses: actions/download-artifact@v4 |
| 94 | + with: |
| 95 | + name: syncthing-macos-v2-dmg-release |
| 96 | + |
| 97 | + - name: Notarize binaries |
| 98 | + run: | |
| 99 | + APPSTORECONNECT_API_KEY_PATH="$RUNNER_TEMP/apikey.p8" |
| 100 | + echo "$APPSTORECONNECT_API_KEY" | base64 -d -o "$APPSTORECONNECT_API_KEY_PATH" |
| 101 | + for file in Syncthing-*.dmg ; do |
| 102 | + xcrun notarytool submit \ |
| 103 | + -k "$APPSTORECONNECT_API_KEY_PATH" \ |
| 104 | + -d "$APPSTORECONNECT_API_KEY_ID" \ |
| 105 | + -i "$APPSTORECONNECT_API_KEY_ISSUER" \ |
| 106 | + $file |
| 107 | + done |
| 108 | + env: |
| 109 | + APPSTORECONNECT_API_KEY: ${{ secrets.APPSTORECONNECT_API_KEY }} |
| 110 | + APPSTORECONNECT_API_KEY_ID: ${{ secrets.APPSTORECONNECT_API_KEY_ID }} |
| 111 | + APPSTORECONNECT_API_KEY_ISSUER: ${{ secrets.APPSTORECONNECT_API_KEY_ISSUER }} |
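Review bot: `security set-key-partition-list ... -k actions` in the "Import signing certificate" step passes the literal keychain password `actions`, but the keychain created a few lines earlier was given the generated `$KEYCHAIN_PASSWORD`, so this call should be rejected with a passphrase error (and, with the runner's default `bash -e`, abort the job) unless something outside this file makes `actions` the right password; `-k "$KEYCHAIN_PASSWORD"` matches the rest of the step. Separately, `xcrun notarytool submit` is run without `--wait`, so a rejected or stalled notarization still lets the notarize job succeed and nothing is ever stapled; `xcrun notarytool submit --wait \` with the argument quoted as `"$file"` at least makes the job fail on rejection. It would also be worth deleting `$RUNNER_TEMP/codesign.p12` right after the `security import` and `apikey.p8` after the submit loop, since later steps in the same job otherwise run with the raw key material still on disk.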