Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly
Sign up
Appearance settings

Integrate Apple notarization process into Github Actions release pipeline #578

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
rsora merged 5 commits into master from rsora/notarization-ci
Feb 12, 2020
Merged
Show file tree
Hide file tree
Changes from 4 commits
Commits
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion .github/workflows/nightly.yaml
View file Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -30,6 +30,6 @@ jobs:
PLUGIN_SOURCE: 'dist/*'
PLUGIN_TARGET: '/arduino-cli/nightly'
PLUGIN_STRIP_PREFIX: 'dist/'
PLUGIN_BUCKET: 'arduino-downloads-prod-beagle'
PLUGIN_BUCKET: ${{ secrets.DOWNLOADS_BUCKET }}
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
120 changes: 114 additions & 6 deletions .github/workflows/release.yaml
View file Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6,7 +6,8 @@ on:
- '[0-9].[0-9].[0-9]*'

jobs:
publish-release:

create-release-artifacts:
runs-on: ubuntu-latest

container:
Expand All @@ -16,13 +17,120 @@ jobs:
- $PWD/go:/go

steps:
- name: checkout
- name: Checkout
uses: actions/checkout@v1

- name: build
- name: Build
run: goreleaser

- name: Upload artifacts
uses: actions/upload-artifact@v1
with:
name: dist
path: dist

notarize-macos:
runs-on: macos-latest
needs: create-release-artifacts

steps:
- name: Checkout
uses: actions/checkout@v1

- name: Download artifacts
uses: actions/download-artifact@v1
with:
name: dist

- name: Get the current release tag
id: get_tag
run: echo ::set-output name=VERSION::${GITHUB_REF/refs\/tags\//}

- name: Download Gon
run: |
wget -q https://github.com/mitchellh/gon/releases/download/v0.2.2/gon_0.2.2_macos.zip
unzip gon_0.2.2_macos.zip -d /usr/local/bin
rm -f gon_0.2.2_macos.zip

- name: Notarize binary, re-package it and update checksum
env:
GITHUB_TOKEN: ${{ secrets.GH_TOKEN }}
TAG: ${{ steps.get_tag.outputs.VERSION }}
AC_USERNAME: ${{ secrets.AC_USERNAME }}
AC_PASSWORD: ${{ secrets.AC_PASSWORD }}
# This step performs the following:
# 1. Download keychain from GH secrets and decode it from base64
# 2. Add the keychain to the system keychains and unlock it
# 3. Call Gon to start notarization process (using AC_USERNAME and AC_PASSWORD)
# 4. Repackage the signed binary replaced in place by Gon (ignoring the output zip file)
# 5. Recalculate package checksum and replace it in the goreleaser nnnnnn-checksums.txt file
# 6. Remove the keychain from disk
run: |
echo "${{ secrets.KEYCHAIN }}" | base64 --decode > ~/Library/Keychains/apple-developer.keychain-db
security list-keychains -s ~/Library/Keychains/apple-developer.keychain-db
security unlock-keychain -p "${{ secrets.KEYCHAIN_PASSWORD }}" ~/Library/Keychains/apple-developer.keychain-db
gon gon.config.hcl
tar -czvf dist/arduino-cli_${TAG}_macOS_64bit.tar.gz \
-C dist/arduino_cli_osx_darwin_amd64/ arduino-cli \
-C ../../ LICENSE.txt
CLI_CHECKSUM=$(shasum -a 256 dist/arduino-cli_${TAG}_macOS_64bit.tar.gz | cut -d " " -f 1)
perl -pi -w -e "s/.*arduino-cli_${TAG}_macOS_64bit.tar.gz/${CLI_CHECKSUM} arduino-cli_${TAG}_macOS_64bit.tar.gz/g;" dist/*-checksums.txt
rm -f apple-developer.keychain-db
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this should be: rm -f ~/Library/Keychains/apple-developer.keychain-db?
BTW why deleting the file since the virtual machine is destroyed after the build?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Extra paranoia + Typo 😄 but you're right, as per Github Documentation:

You can specify the runner type for each job in a workflow. Each job in a workflow executes in a fresh instance of the virtual machine. All steps in the job execute in the same instance of the virtual machine, allowing the actions in that job to share information using the filesystem.

We can remove that step, I'll update also the PR description.


- name: Upload artifacts
uses: actions/upload-artifact@v1
with:
name: dist
path: dist

create-release:
runs-on: ubuntu-latest
needs: notarize-macos

steps:
- name: Checkout
uses: actions/checkout@v1

- name: Download artifact
uses: actions/download-artifact@v1
with:
name: dist

- name: Read CHANGELOG
id: changelog
run: |
body=$(cat dist/CHANGELOG.md)
body="${body//'%'/'%25'}"
body="${body//$'\n'/'%0A'}"
body="${body//$'\r'/'%0D'}"
echo $body
echo "::set-output name=BODY::$body"

- name: Create Github Release
id: create_release
uses: actions/create-release@master
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
tag_name: ${{ github.ref }}
release_name: ${{ github.ref }}
body: ${{ steps.changelog.outputs.BODY }}
draft: false
prerelease: false

- name: Upload binaries to release
uses: svenstaro/upload-release-action@v1-release
with:
repo_token: ${{ secrets.GITHUB_TOKEN }}
file: dist/*
tag: ${{ github.ref }}
file_glob: true

- name: Downloads upload
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

WAT? 😃

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'll rename it!

uses: docker://plugins/s3
env:
PLUGIN_SOURCE: 'dist/*'
PLUGIN_TARGET: '/arduino-cli/'
PLUGIN_STRIP_PREFIX: 'dist/'
PLUGIN_BUCKET: ${{ secrets.DOWNLOADS_BUCKET }}
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
AWS_DEFAULT_REGION: 'us-east-1'
run: goreleaser
10 changes: 1 addition & 9 deletions .goreleaser.yml
View file Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6,7 +6,7 @@ snapshot:
name_template: '{{ .Env.PACKAGE_NAME_PREFIX }}-{{ time "20060102" }}'

release:
prerelease: auto
disable: true

changelog:
filters:
Expand Down Expand Up @@ -112,11 +112,3 @@ archives:
windows: Windows
files:
- LICENSE.txt

blob:
-
provider: s3
bucket: arduino-downloads-prod-beagle
ids:
- arduino_cli
folder: "{{ .ProjectName }}"
10 changes: 10 additions & 0 deletions gon.config.hcl
View file Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,10 @@
source = ["dist/arduino_cli_osx_darwin_amd64/arduino-cli"]
bundle_id = "cc.arduino.arduino-cli"

sign {
application_identity = "Developer ID Application: ARDUINO SA (7KT7ZWMCJT)"
}

zip {
output_path = "arduino-cli.zip"
}
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Since we are ignoring the output zip file, can't we just remove this section and not produce it in the first place?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes you're right, I misread the documentation. I thought that at least one output format was mandatory 👍

AltStyle によって変換されたページ (->オリジナル) /