added app signing #17
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Build Application | |
| on: | |
| push: | |
| tags: | |
| - '*' | |
| permissions: | |
| contents: write | |
| jobs: | |
| build: | |
| name: Build Application | |
| runs-on: macos-14 | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| - uses: actions/cache@v4 | |
| name: Cache Derived Data | |
| with: | |
| path: | | |
| ${{ runner.temp }}/DerivedData/Build | |
| ${{ runner.temp }}/DerivedData/SourcePackages | |
| key: ${{ runner.os }}-derivedData-cache-${{ hashFiles('**/Package.resolved') }} | |
| restore-keys: | | |
| ${{ runner.os }}-derivedData-cache- | |
| - name: Avoid Inode Changes | |
| run: defaults write com.apple.dt.XCBuild IgnoreFileSystemDeviceInodeChanges -bool YES | |
| - uses: actions/cache@v4 | |
| name: Cache SPM Packages | |
| with: | |
| path: ${{ runner.temp }}/DerivedData/SourcePackages/checkouts | |
| key: ${{ runner.os }}-spm-${{ hashFiles('**/Package.resolved') }} | |
| restore-keys: | | |
| ${{ runner.os }}-spm- | |
| - name: Import Certificates | |
| env: | |
| CERTIFICATE_BASE64: ${{ secrets.DISTRIBUTION_CERTIFICATE }} | |
| CERTIFICATE_PASSWORD: ${{ secrets.DISTRIBUTION_CERTIFICATE_PASSWORD }} | |
| run: | | |
| CERTIFICATE_PATH=$RUNNER_TEMP/certificate.p12 | |
| KEYCHAIN_PATH=$RUNNER_TEMP/app-signing.keychain-db | |
| KEYCHAIN_PASSWORD=$(openssl rand -base64 24) | |
| security create-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH | |
| security set-keychain-settings -lut 1800 $KEYCHAIN_PATH | |
| security unlock-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH | |
| echo -n "$CERTIFICATE_BASE64" | base64 --decode --output $CERTIFICATE_PATH | |
| security import $CERTIFICATE_PATH -P "$CERTIFICATE_PASSWORD" -A -t cert -f pkcs12 -k $KEYCHAIN_PATH | |
| security list-keychain -d user -s $KEYCHAIN_PATH | |
| - name: Import Provisioning Profile | |
| env: | |
| PROVISIONING_PROFILE: ${{ secrets.DISTRIBUTION_PROVISIONING_PROFILE }} | |
| run: | | |
| mkdir -p ~/Library/MobileDevice/Provisioning\ Profiles | |
| echo -n "$PROVISIONING_PROFILE" | \ | |
| base64 --decode -o ~/Library/MobileDevice/Provisioning\ Profiles/profile.provisionprofile | |
| - name: Build LightCommander | |
| env: | |
| APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }} | |
| run: | | |
| xcodebuild \ | |
| -scheme LightCommander \ | |
| -configuration Release \ | |
| -derivedDataPath "$RUNNER_TEMP/DerivedData" \ | |
| -archivePath "$RUNNER_TEMP/LightCommander.xcarchive" \ | |
| archive \ | |
| DEVELOPMENT_TEAM=$APPLE_TEAM_ID | |
| - name: Create DMG | |
| run: | | |
| npm i -g create-dmg | |
| create-dmg "$RUNNER_TEMP/LightCommander.xcarchive/Products/Applications/LightCommander.app" | |
| find . -maxdepth 1 -type f -name 'LightCommander*.dmg' -print -quit | while read -r file; do [ -f "$file" ] && mv "$file" "$(echo "$file" | sed 's/LightCommander.*\.dmg/LightCommander.dmg/')"; done | |
| - name: Notarize Release Build | |
| env: | |
| APPLE_USERNAME: ${{ secrets.APPLE_USERNAME }} | |
| APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }} | |
| APPLE_PASSWORD: ${{ secrets.APPLE_PASSWORD }} | |
| run: | | |
| xcrun notarytool store-credentials "LightCommander" \ | |
| --apple-id $APPLE_USERNAME \ | |
| --team-id $APPLE_TEAM_ID \ | |
| --password $APPLE_PASSWORD | |
| xcrun notarytool submit LightCommander.dmg --keychain-profile "LightCommander" --wait | |
| xcrun stapler staple LightCommander.dmg | |
| - name: Upload Release Bundle | |
| uses: svenstaro/upload-release-action@v2 | |
| with: | |
| repo_token: ${{ secrets.GITHUB_TOKEN }} | |
| file: LightCommander.dmg | |
| tag: ${{ github.ref }} | |
| overwrite: true | |
| - name: Clean Up Keychain | |
| if: ${{ always() }} | |
| run: | | |
| security delete-keychain $RUNNER_TEMP/app-signing.keychain-db | |
| rm -rf "~/Library/MobileDevice/Provisioning Profiles" |