-
Notifications
You must be signed in to change notification settings - Fork 0
173 lines (151 loc) · 5.88 KB
/
Copy pathdevelop.yml
File metadata and controls
173 lines (151 loc) · 5.88 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
name: Develop Build
on:
push:
branches:
- develop
permissions:
contents: read
jobs:
build:
name: Build QC artifacts
runs-on: ubuntu-latest
timeout-minutes: 60
steps:
- name: Check out repository
uses: actions/checkout@v5
with:
fetch-depth: 0
- name: Set up Go
uses: actions/setup-go@v6
with:
go-version-file: go.mod
cache: true
- name: Run GoReleaser (all platforms, unsigned)
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
docker run --rm \
-v "${PWD}:/workspace" \
-w /workspace \
-e GITHUB_TOKEN \
ghcr.io/goreleaser/goreleaser-cross:v1.25-v2.12.7 \
release --snapshot --config .goreleaser/config-qc.yaml --clean --parallelism 2
- name: Upload build artifacts
uses: actions/upload-artifact@v4
with:
name: qc-artifacts-${{ github.run_number }}
if-no-files-found: error
path: |
dist/*.tar.gz
dist/*.zip
dist/checksums.txt
dist/artifacts.json
dist/metadata.json
sign-macos:
name: Sign macOS artifacts
runs-on: macos-latest
needs: build
timeout-minutes: 30
steps:
- name: Check out repository
uses: actions/checkout@v5
- name: Check for Apple signing secrets
id: secrets_check
env:
APPLE_CERT_P12: ${{ secrets.APPLE_CERT_P12 }}
run: |
if [ -n "$APPLE_CERT_P12" ]; then
echo "has_signing_cert=true" >> "$GITHUB_OUTPUT"
else
echo "has_signing_cert=false" >> "$GITHUB_OUTPUT"
echo "::warning::APPLE_CERT_P12 not configured — skipping Apple code signing."
fi
- name: Import Apple certificate
if: ${{ steps.secrets_check.outputs.has_signing_cert == 'true' }}
env:
APPLE_CERT_P12: ${{ secrets.APPLE_CERT_P12 }}
APPLE_CERT_PASSWORD: ${{ secrets.APPLE_CERT_PASSWORD }}
KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }}
run: |
set -e
for var_name in APPLE_CERT_PASSWORD KEYCHAIN_PASSWORD; do
if [ -z "${!var_name}" ]; then
echo "::error::$var_name is required when APPLE_CERT_P12 is configured."
exit 1
fi
done
printf '%s' "$APPLE_CERT_P12" | base64 -D > cert.p12
KEYCHAIN_PATH="$RUNNER_TEMP/build.keychain-db"
security create-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
security set-keychain-settings -lut 21600 "$KEYCHAIN_PATH"
security import cert.p12 -k "$KEYCHAIN_PATH" -P "$APPLE_CERT_PASSWORD" -T /usr/bin/codesign
security set-key-partition-list -S apple-tool:,apple: -s -k "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
security list-keychains -d user -s "$KEYCHAIN_PATH" $(security list-keychains -d user | tr -d '"' | xargs)
- name: Download build artifacts
uses: actions/download-artifact@v4
with:
name: qc-artifacts-${{ github.run_number }}
path: dist
- name: Sign macOS artifacts
if: ${{ steps.secrets_check.outputs.has_signing_cert == 'true' }}
env:
APPLE_SIGNING_IDENTITY: ${{ secrets.APPLE_SIGNING_IDENTITY }}
KEYCHAIN_PATH: ${{ runner.temp }}/build.keychain-db
run: |
set -e
if [ -z "$APPLE_SIGNING_IDENTITY" ]; then
echo "::error::APPLE_SIGNING_IDENTITY is required for signing."
exit 1
fi
if [ ! -f dist/checksums.txt ]; then
echo "::error::dist/checksums.txt not found."
exit 1
fi
for archive in dist/*-darwin-*.tar.gz; do
[ -f "$archive" ] || continue
tmpdir="$(mktemp -d)"
orig_members=$(tar -tzf "$archive")
tar -xzf "$archive" -C "$tmpdir"
while IFS= read -r -d '' bin; do
codesign --force --options runtime --timestamp \
--keychain "$KEYCHAIN_PATH" \
--sign "$APPLE_SIGNING_IDENTITY" "$bin"
codesign --verify --deep --strict "$bin"
done < <(find "$tmpdir" -type f -perm -111 -print0)
# shellcheck disable=SC2086
tar -czf "${archive}.signed" -C "$tmpdir" $orig_members
mv "${archive}.signed" "$archive"
rm -rf "$tmpdir"
filename="$(basename "$archive")"
sha="$(shasum -a 256 "$archive" | awk '{print $1}')"
grep -v " $filename\$" dist/checksums.txt > dist/checksums.new || true
printf "%s %s\n" "$sha" "$filename" >> dist/checksums.new
mv dist/checksums.new dist/checksums.txt
PATCH_NAME="$filename" PATCH_SHA="$sha" python3 << 'PYEOF'
import json, os
data = json.load(open('dist/artifacts.json'))
name = os.environ['PATCH_NAME']
checksum = os.environ['PATCH_SHA']
for a in data:
if a.get('name') == name:
a.setdefault('extra', {})['Checksum'] = 'sha256:' + checksum
with open('dist/artifacts.json', 'w') as f:
json.dump(data, f, indent=2)
PYEOF
done
- name: Upload signed macOS artifacts
if: ${{ steps.secrets_check.outputs.has_signing_cert == 'true' }}
uses: actions/upload-artifact@v4
with:
name: qc-artifacts-macos-signed-${{ github.run_number }}
if-no-files-found: error
path: |
dist/*-darwin-amd64.tar.gz
dist/*-darwin-arm64.tar.gz
dist/checksums.txt
- name: Clean up keychain and cert
if: always()
run: |
security delete-keychain "$RUNNER_TEMP/build.keychain-db" 2>/dev/null || true
rm -f cert.p12