From c0197c27deddf97d5cfc914495efc3ee4456a5b4 Mon Sep 17 00:00:00 2001 From: GcsSloop Date: Mon, 6 Jul 2026 09:25:15 +0800 Subject: [PATCH] =?UTF-8?q?ci:=20=E7=A7=BB=E9=99=A4=20Apple=20=E7=AD=BE?= =?UTF-8?q?=E5=90=8D=E5=8F=91=E5=B8=83=E6=B5=81=E7=A8=8B?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .github/workflows/dev-ci.yml | 3 +- .github/workflows/release.yml | 65 +------------------ .../2026-04-03-macos-signing-release-plan.md | 2 + scripts/test/release_apple_signing_test.sh | 40 ------------ scripts/test/release_no_apple_signing_test.sh | 36 ++++++++++ 5 files changed, 40 insertions(+), 106 deletions(-) delete mode 100644 scripts/test/release_apple_signing_test.sh create mode 100644 scripts/test/release_no_apple_signing_test.sh diff --git a/.github/workflows/dev-ci.yml b/.github/workflows/dev-ci.yml index d95f021..5f73a28 100644 --- a/.github/workflows/dev-ci.yml +++ b/.github/workflows/dev-ci.yml @@ -55,8 +55,7 @@ jobs: run: | bash scripts/test/desktop_updater_config_test.sh bash scripts/test/go_test_with_retry_test.sh - bash scripts/test/notarize_macos_test.sh - bash scripts/test/release_apple_signing_test.sh + bash scripts/test/release_no_apple_signing_test.sh bash scripts/test/release_updater_signing_key_test.sh bash scripts/test/release_version_helpers_test.sh bash scripts/test/sync_release_metadata_test.sh diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index c48a2b5..218033b 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -49,8 +49,7 @@ jobs: run: | bash scripts/test/desktop_updater_config_test.sh bash scripts/test/go_test_with_retry_test.sh - bash scripts/test/notarize_macos_test.sh - bash scripts/test/release_apple_signing_test.sh + bash scripts/test/release_no_apple_signing_test.sh bash scripts/test/release_updater_signing_key_test.sh bash scripts/test/release_version_helpers_test.sh bash scripts/test/sync_release_metadata_test.sh @@ -134,68 +133,6 @@ jobs: --target "${{ matrix.tauri_target }}" \ --bundles "${{ matrix.bundles }}" - - name: Prepare notarization key - if: matrix.release_platform == 'macos' - env: - APPLE_API_KEY: ${{ secrets.APPLE_API_KEY }} - APPLE_API_KEY_ID: ${{ secrets.APPLE_API_KEY_ID }} - APPLE_API_ISSUER: ${{ secrets.APPLE_API_ISSUER }} - run: | - if [[ -z "${APPLE_API_KEY:-}" || -z "${APPLE_API_KEY_ID:-}" || -z "${APPLE_API_ISSUER:-}" ]]; then - echo "Missing Apple notarization secrets. Required: APPLE_API_KEY, APPLE_API_KEY_ID, APPLE_API_ISSUER" >&2 - exit 1 - fi - key_path="$RUNNER_TEMP/AuthKey.p8" - printf '%s' "$APPLE_API_KEY" >"$key_path" - echo "APPLE_API_KEY_PATH=$key_path" >>"$GITHUB_ENV" - - - name: Import Apple signing certificate - if: matrix.release_platform == 'macos' - env: - APPLE_CERTIFICATE_P12: ${{ secrets.APPLE_CERTIFICATE_P12 }} - APPLE_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }} - APPLE_SIGNING_IDENTITY: ${{ secrets.APPLE_SIGNING_IDENTITY }} - run: | - if [[ -z "${APPLE_CERTIFICATE_P12:-}" || -z "${APPLE_CERTIFICATE_PASSWORD:-}" || -z "${APPLE_SIGNING_IDENTITY:-}" ]]; then - echo "Missing Apple signing secrets. Required: APPLE_CERTIFICATE_P12, APPLE_CERTIFICATE_PASSWORD, APPLE_SIGNING_IDENTITY" >&2 - exit 1 - fi - - apple_cert_path="$RUNNER_TEMP/apple-signing-cert.p12" - APPLE_CERTIFICATE_P12="$APPLE_CERTIFICATE_P12" python3 -c 'import base64, os, sys; payload = os.environ.get("APPLE_CERTIFICATE_P12", ""); sys.exit("APPLE_CERTIFICATE_P12 is empty") if not payload else None; sys.stdout.buffer.write(base64.b64decode(payload, validate=True))' >"$apple_cert_path" - - APPLE_KEYCHAIN_PASSWORD="$(openssl rand -hex 20)" - APPLE_KEYCHAIN_PATH="$RUNNER_TEMP/apple-signing.keychain-db" - - security create-keychain -p "$APPLE_KEYCHAIN_PASSWORD" "$APPLE_KEYCHAIN_PATH" - security set-keychain-settings -lut 21600 "$APPLE_KEYCHAIN_PATH" - security unlock-keychain -p "$APPLE_KEYCHAIN_PASSWORD" "$APPLE_KEYCHAIN_PATH" - security import "$apple_cert_path" \ - -k "$APPLE_KEYCHAIN_PATH" \ - -P "$APPLE_CERTIFICATE_PASSWORD" \ - -T /usr/bin/codesign \ - -T /usr/bin/security - security set-key-partition-list -S apple-tool:,apple: -s -k "$APPLE_KEYCHAIN_PASSWORD" "$APPLE_KEYCHAIN_PATH" - - existing_keychains=() - while IFS= read -r keychain; do - existing_keychains+=("$keychain") - done < <(security list-keychains -d user | sed 's/^[[:space:]]*//; s/"//g') - security list-keychains -d user -s "$APPLE_KEYCHAIN_PATH" "${existing_keychains[@]}" - security default-keychain -d user -s "$APPLE_KEYCHAIN_PATH" - - echo "APPLE_KEYCHAIN_PASSWORD=$APPLE_KEYCHAIN_PASSWORD" >>"$GITHUB_ENV" - echo "APPLE_KEYCHAIN_PATH=$APPLE_KEYCHAIN_PATH" >>"$GITHUB_ENV" - - - name: Notarize macOS bundle - if: matrix.release_platform == 'macos' - env: - APPLE_SIGNING_IDENTITY: ${{ secrets.APPLE_SIGNING_IDENTITY }} - APPLE_API_KEY_PATH: ${{ env.APPLE_API_KEY_PATH }} - APPLE_API_KEY_ID: ${{ secrets.APPLE_API_KEY_ID }} - APPLE_API_ISSUER: ${{ secrets.APPLE_API_ISSUER }} - run: bash scripts/desktop/notarize_macos.sh - - name: Collect release assets env: RELEASE_VERSION: ${{ github.ref_name }} diff --git a/docs/plans/2026-04-03-macos-signing-release-plan.md b/docs/plans/2026-04-03-macos-signing-release-plan.md index fdf9c1b..ebbacee 100644 --- a/docs/plans/2026-04-03-macos-signing-release-plan.md +++ b/docs/plans/2026-04-03-macos-signing-release-plan.md @@ -1,5 +1,7 @@ # macOS Signing Release Implementation Plan +> **2026-07-06 状态:已废弃。** CI release workflow 已移除 Apple certificate import、keychain setup、codesign/notarization 调用以及对应的 Apple secret 依赖。原 `scripts/test/release_apple_signing_test.sh` 已替换为 `scripts/test/release_no_apple_signing_test.sh`,用于防止 Apple 签名/公证逻辑重新出现在 GitHub Actions workflow 中。 + > **For Claude:** REQUIRED SUB-SKILL: Use superpowers:executing-plans to implement this plan task-by-task. **Goal:** Make the release workflow import the Apple signing certificate into the macOS runner keychain so GitHub Actions can codesign and notarize release builds, then run the repository release loop. diff --git a/scripts/test/release_apple_signing_test.sh b/scripts/test/release_apple_signing_test.sh deleted file mode 100644 index efb822e..0000000 --- a/scripts/test/release_apple_signing_test.sh +++ /dev/null @@ -1,40 +0,0 @@ -#!/usr/bin/env bash -set -euo pipefail - -ROOT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/../.." && pwd)" -WORKFLOW_PATH="$ROOT_DIR/.github/workflows/release.yml" - -fail() { - echo "FAIL: $*" >&2 - exit 1 -} - -assert_not_contains() { - local pattern="$1" - if grep -Fq "$pattern" "$WORKFLOW_PATH"; then - fail "expected release workflow to not contain: $pattern" - fi -} - -assert_contains() { - local pattern="$1" - if ! grep -Fq "$pattern" "$WORKFLOW_PATH"; then - fail "expected release workflow to contain: $pattern" - fi -} - -assert_contains "name: Import Apple signing certificate" -assert_contains 'APPLE_CERTIFICATE_P12: ${{ secrets.APPLE_CERTIFICATE_P12 }}' -assert_contains 'APPLE_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}' -assert_contains 'APPLE_KEYCHAIN_PASSWORD=' -assert_contains 'security create-keychain -p "$APPLE_KEYCHAIN_PASSWORD"' -assert_contains 'security import "$apple_cert_path"' -assert_contains 'security unlock-keychain -p "$APPLE_KEYCHAIN_PASSWORD"' -assert_contains 'security set-key-partition-list -S apple-tool:,apple: -s -k "$APPLE_KEYCHAIN_PASSWORD"' -assert_not_contains 'mapfile -t existing_keychains' -assert_contains 'existing_keychains=()' -assert_contains 'while IFS= read -r keychain; do' -assert_contains 'security list-keychains -d user -s' -assert_contains "name: Notarize macOS bundle" - -echo "PASS: release_apple_signing_test" diff --git a/scripts/test/release_no_apple_signing_test.sh b/scripts/test/release_no_apple_signing_test.sh new file mode 100644 index 0000000..8b86f8d --- /dev/null +++ b/scripts/test/release_no_apple_signing_test.sh @@ -0,0 +1,36 @@ +#!/usr/bin/env bash +set -euo pipefail + +ROOT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/../.." && pwd)" +WORKFLOW_DIR="$ROOT_DIR/.github/workflows" + +fail() { + echo "FAIL: $*" >&2 + exit 1 +} + +assert_workflows_not_contains() { + local pattern="$1" + if grep -R -Fq "$pattern" "$WORKFLOW_DIR"; then + fail "expected GitHub Actions workflows to not contain: $pattern" + fi +} + +assert_workflows_not_contains "name: Prepare notarization key" +assert_workflows_not_contains "name: Import Apple signing certificate" +assert_workflows_not_contains "name: Notarize macOS bundle" +assert_workflows_not_contains "APPLE_API_KEY" +assert_workflows_not_contains "APPLE_API_KEY_ID" +assert_workflows_not_contains "APPLE_API_ISSUER" +assert_workflows_not_contains "APPLE_CERTIFICATE_P12" +assert_workflows_not_contains "APPLE_CERTIFICATE_PASSWORD" +assert_workflows_not_contains "APPLE_SIGNING_IDENTITY" +assert_workflows_not_contains "APPLE_KEYCHAIN" +assert_workflows_not_contains "scripts/desktop/notarize_macos.sh" +assert_workflows_not_contains "scripts/test/notarize_macos_test.sh" +assert_workflows_not_contains "security create-keychain" +assert_workflows_not_contains "security import" +assert_workflows_not_contains "security unlock-keychain" +assert_workflows_not_contains "security set-key-partition-list" + +echo "PASS: release_no_apple_signing_test"