@@ -15,6 +15,10 @@ permissions:
1515jobs :
1616 build :
1717 runs-on : macos-latest
18+ env :
19+ APP_NAME : ContextEditor.app
20+ APP_PATH : build-universal/output/ContextEditor.app
21+ ZIP_PATH : ContextEditor-macOS.zip
1822
1923 steps :
2024 - name : Checkout
@@ -26,20 +30,78 @@ jobs:
2630 - name : Generate Xcode project
2731 run : xcodegen generate
2832
33+ - name : Import signing certificate
34+ if : startsWith(github.ref, 'refs/tags/v')
35+ env :
36+ BUILD_CERTIFICATE_BASE64 : ${{ secrets.BUILD_CERTIFICATE_BASE64 }}
37+ P12_PASSWORD : ${{ secrets.P12_PASSWORD }}
38+ KEYCHAIN_PASSWORD : ${{ secrets.KEYCHAIN_PASSWORD }}
39+ run : |
40+ CERT_PATH="$RUNNER_TEMP/build_certificate.p12"
41+ KEYCHAIN_PATH="$RUNNER_TEMP/contexteditor-build.keychain-db"
42+
43+ echo "$BUILD_CERTIFICATE_BASE64" | base64 -D > "$CERT_PATH"
44+
45+ security create-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
46+ security set-keychain-settings -lut 21600 "$KEYCHAIN_PATH"
47+ security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
48+ security import "$CERT_PATH" -P "$P12_PASSWORD" -A -t cert -f pkcs12 -k "$KEYCHAIN_PATH"
49+ security list-keychains -d user -s "$KEYCHAIN_PATH" login.keychain-db
50+ security set-key-partition-list -S apple-tool:,apple: -s -k "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
51+
2952 - name : Build app
53+ env :
54+ SIGNING_IDENTITY : ${{ startsWith(github.ref, 'refs/tags/v') && 'Developer ID Application' || '' }}
3055 run : ./scripts/build_universal.sh
3156
57+ - name : Verify signature
58+ if : startsWith(github.ref, 'refs/tags/v')
59+ run : codesign -dv --verbose=4 "${APP_PATH}"
60+
61+ - name : Store notarization credentials
62+ if : startsWith(github.ref, 'refs/tags/v')
63+ env :
64+ APPLE_ID : ${{ secrets.APPLE_ID }}
65+ APPLE_APP_SPECIFIC_PASSWORD : ${{ secrets.APPLE_APP_SPECIFIC_PASSWORD }}
66+ APPLE_TEAM_ID : ${{ secrets.APPLE_TEAM_ID }}
67+ KEYCHAIN_PATH : ${{ runner.temp }}/contexteditor-build.keychain-db
68+ run : |
69+ xcrun notarytool store-credentials "ContextEditorNotary" \
70+ --apple-id "$APPLE_ID" \
71+ --password "$APPLE_APP_SPECIFIC_PASSWORD" \
72+ --team-id "$APPLE_TEAM_ID" \
73+ --keychain "$KEYCHAIN_PATH"
74+
75+ - name : Notarize app
76+ if : startsWith(github.ref, 'refs/tags/v')
77+ env :
78+ KEYCHAIN_PATH : ${{ runner.temp }}/contexteditor-build.keychain-db
79+ run : |
80+ ditto -c -k --sequesterRsrc --keepParent "${APP_PATH}" "${ZIP_PATH}"
81+ xcrun notarytool submit "${ZIP_PATH}" \
82+ --keychain-profile "ContextEditorNotary" \
83+ --keychain "$KEYCHAIN_PATH" \
84+ --wait
85+ xcrun stapler staple "${APP_PATH}"
86+ xcrun stapler validate "${APP_PATH}"
87+ spctl -a -vv "${APP_PATH}"
88+
3289 - name : Package app
33- run : ditto -c -k --sequesterRsrc --keepParent build-universal/output/ContextEditor.app ContextEditor-macOS.zip
90+ if : ${{ !startsWith(github.ref, 'refs/tags/v') }}
91+ run : ditto -c -k --sequesterRsrc --keepParent "${APP_PATH}" "${ZIP_PATH}"
92+
93+ - name : Package notarized app
94+ if : startsWith(github.ref, 'refs/tags/v')
95+ run : ditto -c -k --sequesterRsrc --keepParent "${APP_PATH}" "${ZIP_PATH}"
3496
3597 - name : Upload artifact
3698 uses : actions/upload-artifact@v4
3799 with :
38100 name : ContextEditor-macOS
39- path : ContextEditor-macOS.zip
101+ path : ${{ env.ZIP_PATH }}
40102
41103 - name : Publish release asset
42104 if : startsWith(github.ref, 'refs/tags/v')
43105 uses : softprops/action-gh-release@v2
44106 with :
45- files : ContextEditor-macOS.zip
107+ files : ${{ env.ZIP_PATH }}
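Review bot: The Import signing certificate step leaves the Developer ID key more exposed than the job needs. `security import ... -A` lets any process on the runner use the key without a prompt, the decoded `.p12` is never removed from `$RUNNER_TEMP`, and the keychain (which also holds the `ContextEditorNotary` profile) is still present and unlocked when `actions/upload-artifact@v4` and the tag-pinned `softprops/action-gh-release@v2` run later in the same job. Replacing `-A` with `-T /usr/bin/codesign` and adding `rm -f "$CERT_PATH"` directly after the import should narrow this, assuming `build_universal.sh` signs through codesign. A cleanup step placed after Package notarized app and before Upload artifact, as sketched below, would remove the keychain before any third-party action executes. On a GitHub-hosted runner the VM is discarded afterwards, so the exposure is mainly to later steps in this job; on a self-hosted runner the files would persist.

```yaml
      # … unchanged: Package notarized app …
      - name: Remove signing keychain
        if: always() && startsWith(github.ref, 'refs/tags/v')
        run: |
          security delete-keychain "$RUNNER_TEMP/contexteditor-build.keychain-db"
          rm -f "$RUNNER_TEMP/build_certificate.p12"
      # … unchanged: Upload artifact, Publish release asset …
```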