release.yml
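# Release pipeline: on a "v*" tag, build the macOS app, sign it with a
# Developer ID certificate, notarize and staple the DMG, then publish the DMG
# as a GitHub Release asset.
name: Build & Release

on:
  push:
    tags:
      - "v*"

# Default GITHUB_TOKEN scope for every job. Only the release job needs write
# access, and it raises the scope itself.
permissions:
  contents: read

jobs:
  build-sign-notarize:
    runs-on: macos-15
    env:
      APP_NAME: "FastGit Menu"
      DMG_NAME: "FastGit-Menu"
      KEYCHAIN: "build.keychain-db"
      # NOTE(review): static keychain password committed to the repository.
      # It guards the temporary keychain that holds the Developer ID private
      # key for the duration of the job; a per-run random value or a secret
      # would be stronger. Confirm nothing outside this file reads it before
      # changing it.
      KEYCHAIN_PASSWORD: "ci-keychain-password"
    steps:
      - uses: actions/checkout@v4

      - name: Select Xcode
        run: sudo xcode-select -s /Applications/Xcode_16.app/Contents/Developer

      - name: Import signing certificate
        env:
          CERTIFICATE_P12: ${{ secrets.CERTIFICATE_P12 }}
          CERTIFICATE_PASSWORD: ${{ secrets.CERTIFICATE_PASSWORD }}
        run: |
          # Decode the certificate outside the checkout and remove it on every
          # exit path, so a failed import cannot leave the .p12 in the
          # workspace for later steps.
          CERT_PATH="$RUNNER_TEMP/certificate.p12"
          trap 'rm -f "$CERT_PATH"' EXIT
          printf '%s' "$CERTIFICATE_P12" | base64 --decode > "$CERT_PATH"
          security create-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN"
          security set-keychain-settings -lut 21600 "$KEYCHAIN"
          security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN"
          # NOTE(review): -A lets any application use the imported key without
          # a prompt, which makes the two -T entries redundant. Dropping -A
          # and relying on -T plus the partition list below is the
          # least-privilege form; verify the build still signs before removing.
          security import "$CERT_PATH" \
            -k "$KEYCHAIN" \
            -P "$CERTIFICATE_PASSWORD" \
            -T /usr/bin/codesign \
            -T /usr/bin/productsign \
            -f pkcs12 \
            -A
          security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$KEYCHAIN_PASSWORD" "$KEYCHAIN"
          security list-keychains -d user -s "$KEYCHAIN" login.keychain-db

      - name: Build with Developer ID signing
        run: make build-ci

      - name: Create DMG
        run: make dmg

      - name: Notarize DMG
        env:
          APPLE_ID: ${{ secrets.APPLE_ID }}
          APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
          APPLE_APP_PASSWORD: ${{ secrets.APPLE_APP_PASSWORD }}
        run: |
          # "|| true" keeps the step alive so the notarization log can be
          # fetched; the status check below decides the outcome.
          SUBMIT_OUT=$(xcrun notarytool submit "build/$DMG_NAME.dmg" \
            --apple-id "$APPLE_ID" \
            --team-id "$APPLE_TEAM_ID" \
            --password "$APPLE_APP_PASSWORD" \
            --wait 2>&1) || true
          echo "$SUBMIT_OUT"
          # Fail closed: anything other than an explicit "Accepted" (Invalid,
          # Rejected, an authentication or network error) stops the release.
          if ! echo "$SUBMIT_OUT" | grep -q "status: Accepted"; then
            echo "--- Notarization failed. Fetching log ---"
            SUBMISSION_ID=$(echo "$SUBMIT_OUT" | grep "id:" | head -1 | awk '{print $2}')
            # No submission id means the upload itself failed; there is no
            # log to fetch in that case.
            if [ -n "$SUBMISSION_ID" ]; then
              xcrun notarytool log "$SUBMISSION_ID" \
                --apple-id "$APPLE_ID" \
                --team-id "$APPLE_TEAM_ID" \
                --password "$APPLE_APP_PASSWORD" \
                notarization-log.json || true
              cat notarization-log.json || true
            fi
            exit 1
          fi
          xcrun stapler staple "build/$DMG_NAME.dmg"

      # Runs even when an earlier step fails, so the signing key never
      # outlives the job's keychain.
      - name: Cleanup keychain
        if: always()
        run: security delete-keychain "$KEYCHAIN" 2>/dev/null || true

      - name: Upload DMG artifact
        uses: actions/upload-artifact@v4
        with:
          name: FastGit-Menu.dmg
          path: build/FastGit-Menu.dmg

  release:
    needs: build-sign-notarize
    runs-on: ubuntu-latest
    # The only job that may write to the repository (creates the release).
    permissions:
      contents: write
    steps:
      - name: Download artifact
        uses: actions/download-artifact@v4
        with:
          name: FastGit-Menu.dmg

      # NOTE(review): third-party action running with contents: write and
      # referenced by a mutable tag. Pinning it to a reviewed commit
      # (softprops/action-gh-release@<full-commit-sha>, placeholder) keeps a
      # retagged release from changing what publishes the signed DMG.
      - name: Create GitHub Release
        uses: softprops/action-gh-release@v2
        with:
          files: FastGit-Menu.dmg
          generate_release_notes: true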