InputMetrics/.github/workflows/release.yml at main · owieth/InputMetrics · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
name: Release

on:
  release:
    types: [released]

jobs:
  build-and-upload:
    runs-on: macos-26
    permissions:
      contents: write

    env:
      KEYCHAIN_NAME: build.keychain
      KEYCHAIN_PASSWORD: temporary

    steps:
      - uses: actions/checkout@v6
        with:
          ref: ${{ github.event.release.tag_name }}

      - name: Select Xcode
        run: sudo xcode-select -s /Applications/Xcode_26.3.app/Contents/Developer

      - name: Set version from tag
        run: |
          VERSION=${GITHUB_REF_NAME#v}
          BUILD_NUMBER=$(git rev-list --count HEAD)
          COMMIT_HASH=$(git rev-parse --short=5 HEAD)
          /usr/libexec/PlistBuddy -c "Set :CFBundleShortVersionString $VERSION" InputMetrics/InputMetrics/Info.plist
          /usr/libexec/PlistBuddy -c "Set :CFBundleVersion $BUILD_NUMBER" InputMetrics/InputMetrics/Info.plist
          /usr/libexec/PlistBuddy -c "Set :CommitHash $COMMIT_HASH" InputMetrics/InputMetrics/Info.plist

      - name: Import signing certificate
        env:
          CERTIFICATE_P12: ${{ secrets.DEVELOPER_ID_CERTIFICATE_P12 }}
          CERTIFICATE_PASSWORD: ${{ secrets.DEVELOPER_ID_CERTIFICATE_PASSWORD }}
        run: |
          echo "$CERTIFICATE_P12" | base64 --decode > certificate.p12
          security create-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_NAME"
          security set-keychain-settings -lut 21600 "$KEYCHAIN_NAME"
          security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_NAME"
          security import certificate.p12 -k "$KEYCHAIN_NAME" -P "$CERTIFICATE_PASSWORD" -T /usr/bin/codesign
          security set-key-partition-list -S apple-tool:,apple: -s -k "$KEYCHAIN_PASSWORD" "$KEYCHAIN_NAME"
          security list-keychains -d user -s "$KEYCHAIN_NAME" login.keychain-db
          rm certificate.p12

      - name: Install provisioning profile
        env:
          PROVISIONING_PROFILE_BASE64: ${{ secrets.PROVISIONING_PROFILE_BASE64 }}
        run: |
          echo "$PROVISIONING_PROFILE_BASE64" | base64 --decode > /tmp/build.provisionprofile
          PROFILE_UUID=$(/usr/libexec/PlistBuddy -c "Print :UUID" /dev/stdin <<< "$(security cms -D -i /tmp/build.provisionprofile)")
          mkdir -p ~/Library/MobileDevice/Provisioning\ Profiles
          cp /tmp/build.provisionprofile ~/Library/MobileDevice/Provisioning\ Profiles/"$PROFILE_UUID".provisionprofile
          rm /tmp/build.provisionprofile

      - name: Configure app target signing
        env:
          PROVISIONING_PROFILE_BASE64: ${{ secrets.PROVISIONING_PROFILE_BASE64 }}
        run: |
          echo "$PROVISIONING_PROFILE_BASE64" | base64 --decode > /tmp/build.provisionprofile
          PROFILE_NAME=$(/usr/libexec/PlistBuddy -c "Print :Name" /dev/stdin <<< "$(security cms -D -i /tmp/build.provisionprofile)")
          rm /tmp/build.provisionprofile
          perl -i -0pe 's/(TARGET_RELEASE_CONFIG.*?)(CODE_SIGN_STYLE = )Automatic;/${1}${2}Manual;\n\t\t\t\tCODE_SIGN_IDENTITY = "Developer ID Application";\n\t\t\t\tPROVISIONING_PROFILE_SPECIFIER = "'"$PROFILE_NAME"'";/s' InputMetrics.xcodeproj/project.pbxproj
          perl -i -0pe 's/(TARGET_RELEASE_CONFIG.*?)ENABLE_APP_SANDBOX = YES;/${1}ENABLE_APP_SANDBOX = NO;/s' InputMetrics.xcodeproj/project.pbxproj

      - name: Resolve package dependencies
        run: xcodebuild -resolvePackageDependencies -project InputMetrics.xcodeproj -scheme InputMetrics

      - name: Build archive
        run: |
          xcodebuild archive \
            -project InputMetrics.xcodeproj \
            -scheme InputMetrics \
            -configuration Release \
            -destination 'platform=macOS' \
            -archivePath build/InputMetrics.xcarchive

      - name: Inject provisioning profile into export options
        env:
          PROVISIONING_PROFILE_BASE64: ${{ secrets.PROVISIONING_PROFILE_BASE64 }}
        run: |
          echo "$PROVISIONING_PROFILE_BASE64" | base64 --decode > /tmp/build.provisionprofile
          PROFILE_NAME=$(/usr/libexec/PlistBuddy -c "Print :Name" /dev/stdin <<< "$(security cms -D -i /tmp/build.provisionprofile)")
          rm /tmp/build.provisionprofile
          /usr/libexec/PlistBuddy -c "Add :provisioningProfiles dict" ExportOptions.plist
          /usr/libexec/PlistBuddy -c "Add :provisioningProfiles:com.inputmetrics.InputMetrics string $PROFILE_NAME" ExportOptions.plist

      - name: Export app
        run: |
          xcodebuild -exportArchive \
            -archivePath build/InputMetrics.xcarchive \
            -exportPath build/export \
            -exportOptionsPlist ExportOptions.plist

      - name: Notarize app
        env:
          APPLE_ID: ${{ secrets.APPLE_ID }}
          APPLE_ID_PASSWORD: ${{ secrets.APPLE_ID_PASSWORD }}
          APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
        run: |
          cd build/export
          zip -r InputMetrics.zip InputMetrics.app

          SUBMIT_OUTPUT=$(xcrun notarytool submit InputMetrics.zip \
            --apple-id "$APPLE_ID" \
            --password "$APPLE_ID_PASSWORD" \
            --team-id "$APPLE_TEAM_ID" \
            --wait 2>&1) || true
          echo "$SUBMIT_OUTPUT"

          SUBMISSION_ID=$(echo "$SUBMIT_OUTPUT" | grep "id:" | head -1 | awk '{print $2}')

          if echo "$SUBMIT_OUTPUT" | grep -q "status: Invalid"; then
            echo "Notarization failed. Fetching log..."
            xcrun notarytool log "$SUBMISSION_ID" \
              --apple-id "$APPLE_ID" \
              --password "$APPLE_ID_PASSWORD" \
              --team-id "$APPLE_TEAM_ID"
            exit 1
          fi

          xcrun stapler staple InputMetrics.app
          rm InputMetrics.zip

      - name: Create DMG
        run: |
          TAG=${{ github.event.release.tag_name }}
          pip3 install dmgbuild --break-system-packages
          dmgbuild \
            -s scripts/dmg-settings.py \
            -D app=build/export/InputMetrics.app \
            -D background=assets/dmg-background.png \
            "InputMetrics" \
            "InputMetrics-${TAG}.dmg"

      - name: Notarize and staple DMG
        env:
          APPLE_ID: ${{ secrets.APPLE_ID }}
          APPLE_ID_PASSWORD: ${{ secrets.APPLE_ID_PASSWORD }}
          APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
        run: |
          TAG=${{ github.event.release.tag_name }}
          xcrun notarytool submit "InputMetrics-${TAG}.dmg" \
            --apple-id "$APPLE_ID" \
            --password "$APPLE_ID_PASSWORD" \
            --team-id "$APPLE_TEAM_ID" \
            --wait
          xcrun stapler staple "InputMetrics-${TAG}.dmg"

      - name: Upload to release
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          TAG=${{ github.event.release.tag_name }}
          gh release upload "$TAG" "InputMetrics-${TAG}.dmg" --clobber

      - name: Cleanup keychain and provisioning profile
        if: always()
        run: |
          security delete-keychain "$KEYCHAIN_NAME" 2>/dev/null || true
          rm -f ~/Library/MobileDevice/Provisioning\ Profiles/*.provisionprofile