
fix: add secure timestamp and strip get-task-allow for notarization #10

fix: add secure timestamp and strip get-task-allow for notarization



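name: Release

# `on` is a YAML 1.1 boolean-looking key; GitHub's loader handles it.
on:
  push:
    tags:
      - "v*"

# `contents: write` is required by the release step below, which creates
# the GitHub Release and uploads the DMG. No other scope is needed.
permissions:
  contents: write

jobs:
  build-and-release:
    name: Build, Sign, Notarize & Release
    runs-on: macos-15
    env:
      KEYCHAIN_NAME: build.keychain
      # The keychain exists only for this job on an ephemeral runner. Its
      # password is derived from the public run id, so it is not a secret;
      # the real boundary is the runner itself plus the cleanup step below.
      KEYCHAIN_PASSWORD: ${{ github.run_id }}
    steps:
      # TODO(review): pin third-party actions to a full commit SHA instead of
      # a mutable tag (supply-chain integrity); the SHAs are not on this page.
      - name: Checkout
        uses: actions/checkout@v4

      - name: Install create-dmg
        run: brew install create-dmg

      # ── Import Developer ID certificate into a temporary keychain ──────
      - name: Import signing certificate
        env:
          CERTIFICATE_P12: ${{ secrets.CERTIFICATE_P12 }}
          CERTIFICATE_PASSWORD: ${{ secrets.CERTIFICATE_PASSWORD }}
        run: |
          # Remove the decoded .p12 on every exit path. With the default
          # `bash -e` shell a failed `security import` would otherwise skip
          # a trailing rm and leave the key material on the runner.
          trap 'rm -f certificate.p12' EXIT
          # Decode the .p12 from base64
          echo "$CERTIFICATE_P12" | base64 --decode > certificate.p12
          # Create a temporary keychain (-lut 21600: auto-lock, 6 h timeout)
          security create-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_NAME"
          security set-keychain-settings -lut 21600 "$KEYCHAIN_NAME"
          security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_NAME"
          # Import the certificate; -T limits which tools may use the key
          security import certificate.p12 \
            -k "$KEYCHAIN_NAME" \
            -P "$CERTIFICATE_PASSWORD" \
            -T /usr/bin/codesign \
            -T /usr/bin/productsign
          # Allow codesign to access the keychain without prompting
          security set-key-partition-list -S apple-tool:,apple: \
            -s -k "$KEYCHAIN_PASSWORD" "$KEYCHAIN_NAME"
          # Add the temporary keychain to the search list
          security list-keychains -d user -s "$KEYCHAIN_NAME" $(security list-keychains -d user | tr -d '"')

      # ── Build and sign the app ─────────────────────────────────────────
      - name: Build DMG
        env:
          CODE_SIGN_IDENTITY: ${{ secrets.CODE_SIGN_IDENTITY }}
          TEAM_ID: ${{ secrets.TEAM_ID }}
          # KEYCHAIN_NAME is inherited from the job-level env above.
        run: |
          chmod +x Scripts/build-dmg.sh
          ./Scripts/build-dmg.sh

      # ── Notarize the DMG with Apple ────────────────────────────────────
      - name: Notarize DMG
        env:
          APPLE_ID: ${{ secrets.APPLE_ID }}
          APPLE_APP_PASSWORD: ${{ secrets.APPLE_APP_PASSWORD }}
          TEAM_ID: ${{ secrets.TEAM_ID }}
        run: |
          # `|| true` so a missing artifact is reported here instead of as an
          # opaque pipefail exit from the assignment.
          DMG_PATH=$(ls build/QuotaBar-*.dmg 2>/dev/null | head -1 || true)
          if [ -z "$DMG_PATH" ]; then
            echo "❌ No build/QuotaBar-*.dmg found; nothing to notarize"
            exit 1
          fi
          echo "📤 Submitting ${DMG_PATH} for notarization..."
          # Submit and wait. `|| true` keeps the script alive on a rejected
          # submission so the log can be fetched; the grep below decides
          # pass/fail and the failure branch still exits non-zero (fail closed).
          SUBMIT_OUTPUT=$(xcrun notarytool submit "$DMG_PATH" \
            --apple-id "$APPLE_ID" \
            --password "$APPLE_APP_PASSWORD" \
            --team-id "$TEAM_ID" \
            --wait 2>&1) || true
          echo "$SUBMIT_OUTPUT"
          # Extract submission ID (first "id:" line). `|| true` because grep
          # returns 1 when there is no id (e.g. auth failure), which under
          # `-eo pipefail` would abort before the failure branch runs.
          SUBMISSION_ID=$(echo "$SUBMIT_OUTPUT" | grep "id:" | head -1 | awk '{print $2}' || true)
          # Check if notarization succeeded
          if echo "$SUBMIT_OUTPUT" | grep -q "status: Accepted"; then
            echo "📎 Stapling notarization ticket..."
            xcrun stapler staple "$DMG_PATH"
            echo "✅ Notarization complete"
          else
            echo "❌ Notarization failed! Fetching detailed log..."
            if [ -n "$SUBMISSION_ID" ]; then
              xcrun notarytool log "$SUBMISSION_ID" \
                --apple-id "$APPLE_ID" \
                --password "$APPLE_APP_PASSWORD" \
                --team-id "$TEAM_ID" \
                developer_log.json 2>&1 || true
              cat developer_log.json 2>/dev/null || true
            else
              echo "No submission id in notarytool output; see the output above"
            fi
            exit 1
          fi

      # ── Clean up keychain ──────────────────────────────────────────────
      # Runs even when an earlier step failed so the imported signing key
      # does not outlive the job on the runner.
      - name: Clean up keychain
        if: always()
        run: security delete-keychain "$KEYCHAIN_NAME" 2>/dev/null || true

      # ── Create the GitHub Release ──────────────────────────────────────
      - name: Get version from tag
        id: version
        # Strip the leading "v" from the tag name (v1.2.3 -> 1.2.3)
        run: echo "version=${GITHUB_REF_NAME#v}" >> "$GITHUB_OUTPUT"

      - name: Create GitHub Release
        uses: softprops/action-gh-release@v2
        with:
          name: "QuotaBar v${{ steps.version.outputs.version }}"
          draft: false
          prerelease: false
          generate_release_notes: true
          files: build/QuotaBar-*.dmg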