Update release workflow to improve certificate handling and keychain … #3
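---
# Build, sign and notarize the macOS app on a version tag, then publish the
# DMG as a GitHub Release. Signing material comes from repository secrets and
# only ever lands in an ephemeral, per-run keychain that is deleted afterwards.
name: Build & Release

on:
  push:
    tags:
      # Any tag starting with "v". Note that whoever can push such a tag
      # effectively decides what gets signed and notarized with these secrets.
      - "v*"

jobs:
  build-sign-notarize:
    runs-on: macos-15
    # Least privilege: this job never writes to the repository, so do not give
    # it the default (potentially write-capable) GITHUB_TOKEN.
    permissions:
      contents: read
    env:
      APP_NAME: "FastGit Menu"
      DMG_NAME: "FastGit-Menu"
      # Name of the throwaway keychain; its password is generated per run in
      # the import step rather than hard-coded at job level.
      KEYCHAIN: "build.keychain-db"
    steps:
      # TODO(review): pin third-party actions to a full commit SHA instead of a
      # mutable tag so a moved/compromised tag cannot change what runs here.
      - uses: actions/checkout@v4

      - name: Select Xcode
        run: sudo xcode-select -s /Applications/Xcode_16.app/Contents/Developer

      - name: Import signing certificate
        env:
          CERTIFICATE_P12: ${{ secrets.CERTIFICATE_P12 }}
          CERTIFICATE_PASSWORD: ${{ secrets.CERTIFICATE_PASSWORD }}
        run: |
          set -euo pipefail
          if [ -z "$CERTIFICATE_P12" ] || [ -z "$CERTIFICATE_PASSWORD" ]; then
            echo "::error::CERTIFICATE_P12 / CERTIFICATE_PASSWORD secrets are not set"
            exit 1
          fi

          # Decode the .p12 outside the checkout so no later build/artifact
          # step can pick it up, and guarantee removal even if `security
          # import` fails part-way (the original only removed it on success).
          CERT_FILE="$RUNNER_TEMP/certificate.p12"
          trap 'rm -f "$CERT_FILE"' EXIT
          printf '%s' "$CERTIFICATE_P12" | base64 --decode > "$CERT_FILE"

          # The keychain password only protects a per-run keychain on an
          # ephemeral runner; generate it here instead of hard-coding it.
          KEYCHAIN_PASSWORD=$(uuidgen)

          security create-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN"
          # Auto-lock after 6h of inactivity — long enough for build + notarization.
          security set-keychain-settings -lut 21600 "$KEYCHAIN"
          security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN"

          # Grant private-key access only to the signing tools (-T). The
          # original also passed -A, which lets *any* application use the key
          # without prompting and makes the -T allow-list meaningless.
          security import "$CERT_FILE" \
            -k "$KEYCHAIN" \
            -P "$CERTIFICATE_PASSWORD" \
            -T /usr/bin/codesign \
            -T /usr/bin/productsign \
            -f pkcs12
          # Let Apple's tooling use the key non-interactively (no GUI on CI).
          security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$KEYCHAIN_PASSWORD" "$KEYCHAIN"
          security list-keychains -d user -s "$KEYCHAIN" login.keychain-db

      - name: Build with Developer ID signing
        run: make build-ci

      - name: Create DMG
        run: make dmg

      - name: Notarize DMG
        env:
          APPLE_ID: ${{ secrets.APPLE_ID }}
          APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
          APPLE_APP_PASSWORD: ${{ secrets.APPLE_APP_PASSWORD }}
        run: |
          set -euo pipefail
          DMG="build/$DMG_NAME.dmg"

          # `|| true` so the submission id can still be recovered for the log
          # fetch when Apple rejects the upload; the status check below is what
          # decides pass/fail.
          SUBMIT_OUT=$(xcrun notarytool submit "$DMG" \
            --apple-id "$APPLE_ID" \
            --team-id "$APPLE_TEAM_ID" \
            --password "$APPLE_APP_PASSWORD" \
            --wait 2>&1) || true
          echo "$SUBMIT_OUT"

          # Fail closed: anything other than an explicit Accepted status
          # (Invalid, Rejected, auth/network errors, timeouts) is a failure.
          # The original only matched "status: Invalid" and let every other
          # outcome fall through to stapling.
          if ! echo "$SUBMIT_OUT" | grep -q "status: Accepted"; then
            echo "--- Notarization did not succeed. Fetching log ---"
            SUBMISSION_ID=$(echo "$SUBMIT_OUT" | grep "id:" | head -1 | awk '{print $2}' || true)
            if [ -n "$SUBMISSION_ID" ]; then
              xcrun notarytool log "$SUBMISSION_ID" \
                --apple-id "$APPLE_ID" \
                --team-id "$APPLE_TEAM_ID" \
                --password "$APPLE_APP_PASSWORD" \
                notarization-log.json || true
              cat notarization-log.json 2>/dev/null || true
            else
              echo "No submission id found in notarytool output; nothing to fetch."
            fi
            exit 1
          fi

          xcrun stapler staple "$DMG"
          # Confirm the notarization ticket is actually attached before shipping.
          xcrun stapler validate "$DMG"

      - name: Cleanup keychain
        if: always()
        run: security delete-keychain "$KEYCHAIN" 2>/dev/null || true

      # Checksum produced on the same runner as the DMG: it guards against
      # corruption between artifact upload and release, not against a
      # compromised build job.
      - name: Generate checksum
        run: |
          set -euo pipefail
          cd build
          shasum -a 256 "$DMG_NAME.dmg" > "$DMG_NAME.dmg.sha256"
          cat "$DMG_NAME.dmg.sha256"

      - name: Upload DMG artifact
        uses: actions/upload-artifact@v4
        with:
          name: FastGit-Menu.dmg
          path: |
            build/FastGit-Menu.dmg
            build/FastGit-Menu.dmg.sha256

  release:
    needs: build-sign-notarize
    runs-on: ubuntu-latest
    # Only this job needs to write (create the release); scoped accordingly.
    permissions:
      contents: write
    steps:
      - name: Download artifact
        uses: actions/download-artifact@v4
        with:
          name: FastGit-Menu.dmg

      - name: Verify checksum
        run: sha256sum -c FastGit-Menu.dmg.sha256

      # TODO(review): pin to a commit SHA; this action publishes the release.
      - name: Create GitHub Release
        uses: softprops/action-gh-release@v2
        with:
          files: |
            FastGit-Menu.dmg
            FastGit-Menu.dmg.sha256
          generate_release_notes: true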