Build & Verify #66

Workflow file for this run

.github/workflows/build.yml at 1914002

	name: Build & Verify

	on:
	push:
	branches: [master, main, open]
	tags: ['v*']
	pull_request:
	branches: [master, main]

	jobs:
	build:
	runs-on: macos-15
	steps:
	- uses: actions/checkout@v4
	with:
	submodules: recursive

	- name: Setup Go
	uses: actions/setup-go@v5
	with:
	go-version-file: deps/App-Store-Connect-CLI-helper/go.mod

	- name: Select Xcode
	run: sudo xcode-select -s /Applications/Xcode.app/Contents/Developer

	- name: Build (release)
	run: swift build -c release

	- name: Run tests
	run: swift test

	- name: Bundle .app
	run: \|
	APPLE_SIGNING_IDENTITY="-" bash scripts/bundle.sh release

	- name: Generate checksums
	run: \|
	cd .build
	ditto -c -k --sequesterRsrc --keepParent Blitz.app Blitz.app.zip
	shasum -a 256 Blitz.app.zip > Blitz.app.zip.sha256
	cat Blitz.app.zip.sha256

	- name: Upload build artifact
	uses: actions/upload-artifact@v4
	with:
	name: Blitz-${{ github.sha }}
	path: \|
	.build/Blitz.app.zip
	.build/Blitz.app.zip.sha256

	build_x86_64:
	runs-on: macos-15-intel
	steps:
	- uses: actions/checkout@v4
	with:
	submodules: recursive

	- name: Setup Go
	uses: actions/setup-go@v5
	with:
	go-version-file: deps/App-Store-Connect-CLI-helper/go.mod

	- name: Select Xcode
	run: sudo xcode-select -s /Applications/Xcode.app/Contents/Developer

	- name: Build (release)
	run: swift build -c release

	- name: Run tests
	run: swift test

	- name: Bundle .app
	run: \|
	APPLE_SIGNING_IDENTITY="-" bash scripts/bundle.sh release

	- name: Generate checksums
	run: \|
	cd .build
	ditto -c -k --sequesterRsrc --keepParent Blitz.app Blitz-x86_64.app.zip
	shasum -a 256 Blitz-x86_64.app.zip > Blitz-x86_64.app.zip.sha256
	cat Blitz-x86_64.app.zip.sha256

	- name: Upload build artifact
	uses: actions/upload-artifact@v4
	with:
	name: Blitz-x86_64-${{ github.sha }}
	path: \|
	.build/Blitz-x86_64.app.zip
	.build/Blitz-x86_64.app.zip.sha256

	release:
	if: startsWith(github.ref, 'refs/tags/v')
	needs: [build, build_x86_64]
	runs-on: macos-15
	permissions:
	contents: write
	steps:
	- uses: actions/checkout@v4
	with:
	submodules: recursive

	- name: Setup Go
	uses: actions/setup-go@v5
	with:
	go-version-file: deps/App-Store-Connect-CLI-helper/go.mod

	- name: Setup Node.js
	uses: actions/setup-node@v4
	with:
	node-version: '20'

	- name: Install dependencies
	run: npm install

	- name: Select Xcode
	run: sudo xcode-select -s /Applications/Xcode.app/Contents/Developer

	- name: Import signing certificate
	if: env.APPLE_CERTIFICATE_BASE64 != ''
	env:
	APPLE_CERTIFICATE_BASE64: ${{ secrets.APPLE_CERTIFICATE_BASE64 }}
	APPLE_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
	run: \|
	# Create temporary keychain
	KEYCHAIN_PATH=$RUNNER_TEMP/app-signing.keychain-db
	KEYCHAIN_PASSWORD=$(openssl rand -base64 32)

	security create-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
	security set-keychain-settings -lut 21600 "$KEYCHAIN_PATH"
	security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"

	# Import certificate
	CERT_PATH=$RUNNER_TEMP/certificate.p12
	echo "$APPLE_CERTIFICATE_BASE64" \| base64 --decode > "$CERT_PATH"
	security import "$CERT_PATH" -P "$APPLE_CERTIFICATE_PASSWORD" \
	-A -t cert -f pkcs12 -k "$KEYCHAIN_PATH"
	security set-key-partition-list -S apple-tool:,apple: \
	-k "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"

	# Add to search list
	security list-keychains -d user -s "$KEYCHAIN_PATH" login.keychain-db

	- name: Validate production signing inputs
	env:
	APPLE_CERTIFICATE_BASE64: ${{ secrets.APPLE_CERTIFICATE_BASE64 }}
	APPLE_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
	APPLE_SIGNING_IDENTITY: ${{ secrets.APPLE_SIGNING_IDENTITY }}
	APPLE_INSTALLER_IDENTITY: ${{ secrets.APPLE_INSTALLER_IDENTITY }}
	APPLE_API_KEY: ${{ secrets.APPLE_API_KEY }}
	APPLE_API_ISSUER: ${{ secrets.APPLE_API_ISSUER }}
	APPLE_API_KEY_BASE64: ${{ secrets.APPLE_API_KEY_BASE64 }}
	BLITZ_ANALYTICS_ENDPOINT: ${{ secrets.BLITZ_ANALYTICS_ENDPOINT }}
	BLITZ_ANALYTICS_TOKEN: ${{ secrets.ANALYTICS_INGEST_TOKEN }}
	run: \|
	[ -n "$APPLE_CERTIFICATE_BASE64" ] \|\| { echo "Missing APPLE_CERTIFICATE_BASE64"; exit 1; }
	[ -n "$APPLE_CERTIFICATE_PASSWORD" ] \|\| { echo "Missing APPLE_CERTIFICATE_PASSWORD"; exit 1; }
	[ -n "$APPLE_SIGNING_IDENTITY" ] \|\| { echo "Missing APPLE_SIGNING_IDENTITY"; exit 1; }
	[ -n "$APPLE_INSTALLER_IDENTITY" ] \|\| { echo "Missing APPLE_INSTALLER_IDENTITY"; exit 1; }
	[ -n "$APPLE_API_KEY" ] \|\| { echo "Missing APPLE_API_KEY"; exit 1; }
	[ -n "$APPLE_API_ISSUER" ] \|\| { echo "Missing APPLE_API_ISSUER"; exit 1; }
	[ -n "$APPLE_API_KEY_BASE64" ] \|\| { echo "Missing APPLE_API_KEY_BASE64"; exit 1; }
	[ -n "$BLITZ_ANALYTICS_ENDPOINT" ] \|\| { echo "Missing BLITZ_ANALYTICS_ENDPOINT"; exit 1; }
	[ -n "$BLITZ_ANALYTICS_TOKEN" ] \|\| { echo "Missing ANALYTICS_INGEST_TOKEN"; exit 1; }

	- name: Build release .app
	env:
	APPLE_SIGNING_IDENTITY: ${{ secrets.APPLE_SIGNING_IDENTITY }}
	BLITZ_REQUIRE_SIGNED_RELEASE: "1"
	BLITZ_ANALYTICS_ENDPOINT: ${{ secrets.BLITZ_ANALYTICS_ENDPOINT }}
	BLITZ_ANALYTICS_TOKEN: ${{ secrets.ANALYTICS_INGEST_TOKEN }}
	run: \|
	swift build -c release
	bash scripts/bundle.sh release

	- name: Build .pkg
	env:
	APPLE_SIGNING_IDENTITY: ${{ secrets.APPLE_SIGNING_IDENTITY }}
	APPLE_INSTALLER_IDENTITY: ${{ secrets.APPLE_INSTALLER_IDENTITY }}
	BLITZ_REQUIRE_SIGNED_RELEASE: "1"
	run: bash scripts/build-pkg.sh

	- name: Notarize .pkg
	env:
	APPLE_API_KEY: ${{ secrets.APPLE_API_KEY }}
	APPLE_API_KEY_PATH: ${{ runner.temp }}/AuthKey.p8
	APPLE_API_ISSUER: ${{ secrets.APPLE_API_ISSUER }}
	APPLE_API_KEY_BASE64: ${{ secrets.APPLE_API_KEY_BASE64 }}
	run: \|
	echo "$APPLE_API_KEY_BASE64" \| base64 --decode > "$APPLE_API_KEY_PATH"
	VERSION=$(node -e "process.stdout.write(require('./package.json').version)")
	xcrun notarytool submit "build/Blitz-$VERSION.pkg" \
	--key "$APPLE_API_KEY_PATH" \
	--key-id "$APPLE_API_KEY" \
	--issuer "$APPLE_API_ISSUER" \
	--wait
	xcrun stapler staple "build/Blitz-$VERSION.pkg"

	- name: Create checksums
	run: \|
	cd .build
	ditto -c -k --sequesterRsrc --keepParent Blitz.app Blitz.app.zip
	shasum -a 256 Blitz.app.zip > SHA256SUMS.txt
	find Blitz.app/Contents/MacOS -type f -perm +111 -exec shasum -a 256 {} + >> SHA256SUMS.txt
	# Checksum the .pkg too
	VERSION=$(node -e "process.stdout.write(require('../package.json').version)")
	PKG_PATH="../build/Blitz-$VERSION.pkg"
	if [ -f "$PKG_PATH" ]; then
	shasum -a 256 "$PKG_PATH" >> SHA256SUMS.txt
	fi
	cat SHA256SUMS.txt

	- name: Get version
	id: version
	run: \|
	VERSION=$(node -p "require('./package.json').version")
	echo "version=$VERSION" >> "$GITHUB_OUTPUT"

	- name: Extract changelog notes
	id: changelog
	run: \|
	VERSION="${{ steps.version.outputs.version }}"
	# Extract lines between "## $VERSION" and the next "## " heading
	NOTES=$(awk "/^## ${VERSION}$/{found=1; next} /^## /{if(found) exit} found{print}" CHANGELOG.md)
	# Write to multiline output
	{
	echo "notes<<CHANGELOG_EOF"
	echo "$NOTES"
	echo "CHANGELOG_EOF"
	} >> "$GITHUB_OUTPUT"

	- name: Create GitHub Release
	uses: softprops/action-gh-release@v2
	with:
	files: \|
	.build/Blitz.app.zip
	.build/SHA256SUMS.txt
	build/Blitz-${{ steps.version.outputs.version }}.pkg
	body: \|
	## What's New

	${{ steps.changelog.outputs.notes }}

	## Install

	First install: Download `Blitz-${{ steps.version.outputs.version }}.pkg` and double-click to install.

	Already installed: The app will auto-update, or download `Blitz.app.zip` to update manually.

	Intel Macs: Download `Blitz-${{ steps.version.outputs.version }}-x86_64.app.zip` from the release assets for a native x86_64 build.

	## Verify this build

	Download `SHA256SUMS.txt` and verify:
	```bash
	shasum -a 256 -c SHA256SUMS.txt
	```

	Or build from source and compare:
	```bash
	bash scripts/verify-build.sh ${{ github.ref_name }}
	```

	- name: Cleanup keychain
	if: always()
	run: security delete-keychain $RUNNER_TEMP/app-signing.keychain-db 2>/dev/null \|\| true

	release_x86_64:
	if: startsWith(github.ref, 'refs/tags/v')
	needs: [build, build_x86_64, release]
	runs-on: macos-15-intel
	permissions:
	contents: write
	steps:
	- uses: actions/checkout@v4
	with:
	submodules: recursive

	- name: Setup Go
	uses: actions/setup-go@v5
	with:
	go-version-file: deps/App-Store-Connect-CLI-helper/go.mod

	- name: Setup Node.js
	uses: actions/setup-node@v4
	with:
	node-version: '20'

	- name: Select Xcode
	run: sudo xcode-select -s /Applications/Xcode.app/Contents/Developer

	- name: Import signing certificate
	if: env.APPLE_CERTIFICATE_BASE64 != ''
	env:
	APPLE_CERTIFICATE_BASE64: ${{ secrets.APPLE_CERTIFICATE_BASE64 }}
	APPLE_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
	run: \|
	# Create temporary keychain
	KEYCHAIN_PATH=$RUNNER_TEMP/app-signing.keychain-db
	KEYCHAIN_PASSWORD=$(openssl rand -base64 32)

	security create-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
	security set-keychain-settings -lut 21600 "$KEYCHAIN_PATH"
	security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"

	# Import certificate
	CERT_PATH=$RUNNER_TEMP/certificate.p12
	echo "$APPLE_CERTIFICATE_BASE64" \| base64 --decode > "$CERT_PATH"
	security import "$CERT_PATH" -P "$APPLE_CERTIFICATE_PASSWORD" \
	-A -t cert -f pkcs12 -k "$KEYCHAIN_PATH"
	security set-key-partition-list -S apple-tool:,apple: \
	-k "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"

	# Add to search list
	security list-keychains -d user -s "$KEYCHAIN_PATH" login.keychain-db

	- name: Get version
	id: version
	run: \|
	VERSION=$(node -p "require('./package.json').version")
	echo "version=$VERSION" >> "$GITHUB_OUTPUT"

	- name: Validate x86_64 signing inputs
	env:
	APPLE_CERTIFICATE_BASE64: ${{ secrets.APPLE_CERTIFICATE_BASE64 }}
	APPLE_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
	APPLE_SIGNING_IDENTITY: ${{ secrets.APPLE_SIGNING_IDENTITY }}
	BLITZ_ANALYTICS_ENDPOINT: ${{ secrets.BLITZ_ANALYTICS_ENDPOINT }}
	BLITZ_ANALYTICS_TOKEN: ${{ secrets.ANALYTICS_INGEST_TOKEN }}
	run: \|
	[ -n "$APPLE_CERTIFICATE_BASE64" ] \|\| { echo "Missing APPLE_CERTIFICATE_BASE64"; exit 1; }
	[ -n "$APPLE_CERTIFICATE_PASSWORD" ] \|\| { echo "Missing APPLE_CERTIFICATE_PASSWORD"; exit 1; }
	[ -n "$APPLE_SIGNING_IDENTITY" ] \|\| { echo "Missing APPLE_SIGNING_IDENTITY"; exit 1; }
	[ -n "$BLITZ_ANALYTICS_ENDPOINT" ] \|\| { echo "Missing BLITZ_ANALYTICS_ENDPOINT"; exit 1; }
	[ -n "$BLITZ_ANALYTICS_TOKEN" ] \|\| { echo "Missing ANALYTICS_INGEST_TOKEN"; exit 1; }

	- name: Build x86_64 .app artifact
	env:
	APPLE_SIGNING_IDENTITY: ${{ secrets.APPLE_SIGNING_IDENTITY }}
	BLITZ_REQUIRE_SIGNED_RELEASE: "1"
	BLITZ_ANALYTICS_ENDPOINT: ${{ secrets.BLITZ_ANALYTICS_ENDPOINT }}
	BLITZ_ANALYTICS_TOKEN: ${{ secrets.ANALYTICS_INGEST_TOKEN }}
	run: \|
	swift build -c release
	bash scripts/bundle.sh release
	mkdir -p build
	ditto -c -k --sequesterRsrc --keepParent .build/Blitz.app "build/Blitz-${{ steps.version.outputs.version }}-x86_64.app.zip"
	shasum -a 256 "build/Blitz-${{ steps.version.outputs.version }}-x86_64.app.zip" > "build/Blitz-${{ steps.version.outputs.version }}-x86_64.app.zip.sha256"

	- name: Upload x86_64 release assets
	uses: softprops/action-gh-release@v2
	with:
	tag_name: ${{ github.ref_name }}
	files: \|
	build/Blitz-${{ steps.version.outputs.version }}-x86_64.app.zip
	build/Blitz-${{ steps.version.outputs.version }}-x86_64.app.zip.sha256

	- name: Cleanup keychain
	if: always()
	run: security delete-keychain $RUNNER_TEMP/app-signing.keychain-db 2>/dev/null \|\| true

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Build & Verify #66

Workflow file

Build & Verify #66

Uh oh!

Workflow file for this run