Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 4 additions & 0 deletions .github/workflows/build.yml
Original file line number Diff line number Diff line change
Expand Up @@ -25,3 +25,7 @@ jobs:
- name: Build App
run: |
xcodebuild -scheme scrobble -destination 'platform=macOS' -configuration Release build CODE_SIGN_IDENTITY="" CODE_SIGNING_REQUIRED=NO

- name: Run Tests
run: |
xcodebuild -scheme scrobbleTests -destination 'platform=macOS' test CODE_SIGN_IDENTITY="" CODE_SIGNING_REQUIRED=NO
118 changes: 109 additions & 9 deletions .github/workflows/release.yml
Original file line number Diff line number Diff line change
Expand Up @@ -12,9 +12,59 @@ jobs:
release:
runs-on: macos-26

env:
KEYCHAIN_PASSWORD: ${{ github.run_id }}

steps:
- uses: actions/checkout@v4

- name: Set keychain path
run: echo "KEYCHAIN_PATH=$RUNNER_TEMP/build.keychain-db" >> "$GITHUB_ENV"

- name: Install certificates
env:
DEVELOPER_ID_APPLICATION_P12: ${{ secrets.DEVELOPER_ID_APPLICATION_P12 }}
DEVELOPER_ID_INSTALLER_P12: ${{ secrets.DEVELOPER_ID_INSTALLER_P12 }}
P12_PASSWORD: ${{ secrets.P12_PASSWORD }}
run: |
# Create temporary keychain
security create-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
security set-keychain-settings -lut 21600 "$KEYCHAIN_PATH"
security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"

# Import Developer ID Application certificate + private key (for app signing)
echo "$DEVELOPER_ID_APPLICATION_P12" | base64 --decode > /tmp/app_cert.p12
security import /tmp/app_cert.p12 \
-P "$P12_PASSWORD" \
-A \
-f pkcs12 \
-k "$KEYCHAIN_PATH"

# Import Developer ID Installer certificate + private key (for pkg signing)
echo "$DEVELOPER_ID_INSTALLER_P12" | base64 --decode > /tmp/installer_cert.p12
security import /tmp/installer_cert.p12 \
-P "$P12_PASSWORD" \
-A \
-f pkcs12 \
-k "$KEYCHAIN_PATH"

# Add keychain to search list
security list-keychains -d user -s "$KEYCHAIN_PATH" $(security list-keychains -d user | tr -d '"')
security default-keychain -s "$KEYCHAIN_PATH"

# Allow codesign to access keychain without UI prompt
security set-key-partition-list -S apple-tool:,apple:,codesign:,productsign: -s -k "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"

# Clean up cert files
rm -f /tmp/app_cert.p12 /tmp/installer_cert.p12

# Debug: list all identities in keychain
echo "=== All identities ==="
security find-identity -v "$KEYCHAIN_PATH"
echo "=== Codesigning identities ==="
security find-identity -v -p codesigning "$KEYCHAIN_PATH"


- name: Set up Secrets
run: |
mkdir -p Configs
Expand All @@ -28,8 +78,10 @@ jobs:
-archivePath $PWD/build/scrobble.xcarchive \
-configuration Release \
archive \
CODE_SIGN_IDENTITY="-" \
CODE_SIGNING_REQUIRED=NO
CODE_SIGN_STYLE=Manual \
CODE_SIGN_IDENTITY="Developer ID Application: Brett Henderson (94XUGF9CU7)" \
DEVELOPMENT_TEAM=94XUGF9CU7 \
OTHER_CODE_SIGN_FLAGS="--keychain $KEYCHAIN_PATH"

- name: Export App
run: |
Expand All @@ -45,24 +97,72 @@ jobs:
<string>export</string>
<key>signingStyle</key>
<string>manual</string>
<key>signingCertificate</key>
<string>Developer ID Application: Brett Henderson (94XUGF9CU7)</string>
<key>teamID</key>
<string>94XUGF9CU7</string>
</dict>
</plist>
EOF

xcodebuild -exportArchive \
-archivePath $PWD/build/scrobble.xcarchive \
-exportOptionsPlist ExportOptions.plist \
-exportPath $PWD/build \
CODE_SIGN_IDENTITY="-" \
CODE_SIGNING_REQUIRED=NO
-exportPath $PWD/build

- name: Zip Application

- name: Extract version from tag
id: version
run: echo "VERSION=${GITHUB_REF_NAME#v}" >> "$GITHUB_OUTPUT"

- name: Store notarization credentials
env:
APPLE_ID: ${{ secrets.APPLE_ID }}
APPLE_ID_PASSWORD: ${{ secrets.APPLE_ID_PASSWORD }}
run: |
xcrun notarytool store-credentials "notary-profile" \
--apple-id "$APPLE_ID" \
--password "$APPLE_ID_PASSWORD" \
--team-id "94XUGF9CU7" \
--keychain "$KEYCHAIN_PATH"

- name: Build, sign, notarize, and staple pkg
run: |
cd build
zip -r scrobble.zip scrobble.app
VERSION="${{ steps.version.outputs.VERSION }}"

# Build unsigned pkg
pkgbuild \
--component build/scrobble.app \
--install-location /Applications \
--identifier computerdata.scrobble \
--version "$VERSION" \
build/scrobble-unsigned.pkg

# Sign pkg with Developer ID Installer certificate
productsign \
--sign "Developer ID Installer: Brett Henderson (94XUGF9CU7)" \
--keychain "$KEYCHAIN_PATH" \
build/scrobble-unsigned.pkg \
build/scrobble.pkg

rm build/scrobble-unsigned.pkg

# Notarize using stored credentials (avoids secrets in process args)
xcrun notarytool submit build/scrobble.pkg \
--keychain-profile "notary-profile" \
--keychain "$KEYCHAIN_PATH" \
--wait

# Staple the notarization ticket
xcrun stapler staple build/scrobble.pkg


- name: Release
uses: softprops/action-gh-release@v1
with:
files: build/scrobble.zip
files: build/scrobble.pkg
generate_release_notes: true

- name: Clean up keychain
if: always()
run: security delete-keychain "$KEYCHAIN_PATH"
Loading
Loading