auto notorize on release (#240)

* #216 improve dmg design - auto notorize on build from electron * check conditionality --------- Co-authored-by: neil <neil@neils-MacBook-Pro.local>
2025-04-23 14:07:14 +03:00 · 2023-02-27 18:58:54 +08:00 · 2023-02-27 18:58:54 +08:00 · 85d0eb0ff4
commit 85d0eb0ff4
parent c2578dc453
5 changed files with 58 additions and 42 deletions
--- a/.github/workflows/build-sign-notarize.yml
+++ b/.github/workflows/build-sign-notarize.yml
@ -13,10 +13,12 @@ on:
        required: true
        type: string
    outputs:
-      s3-installers-artifact-key:
-        description: 'The S3 build key includes the installer files: [zip, dmg, etc, yml]'
+      s3-electron-dist-key:
+        description: 'The S3 build key includes the installer files: [zip, dmg, etc, yml] from electron'
+        value: ${{ jobs.build.outputs.s3-artifacts-key }}
+      s3-custom-notarized-installers-key:
+        description: 'The S3 build key includes the installer files: [zip, dmg, etc, yml] from notarization strategy done outside of electron'
        value: ${{ jobs.notarize-mac-installers.outputs.s3-installers-key }}
-
 jobs:
  get-platform:
    runs-on: ubuntu-latest
@ -77,8 +79,8 @@ jobs:
            ./modules/desktop/.svelte-kit
            ./modules/desktop/build

-      - name: build
-        if: startsWith(inputs.platform, 'darwin')
+      - name: build dev
+        if: inputs.s3-prefix != 'release'
        run: tea -SE xc dist
        env:
          PUBLIC_MIXPANEL_TOKEN: ${{ secrets.MIXPANEL_PROJECT_TOKEN }}
@ -89,12 +91,23 @@ jobs:
          CSC_LINK: ${{ secrets.GUI_APPLE_CERTIFICATE }}
          CSC_KEY_PASSWORD: ${{ secrets.GUI_APPLE_CERTIFICATE_PASSWORD }}
          CSC_NAME: ${{ secrets.APPLE_IDENTITY_NO_PREFIX }}
-          # NOTE: you might think the ff will work, it wont unless PR is properly tagged
-          # TODO: get this notarized here to save time
-          # PUBLISH_FOR_PULL_REQUEST: true
-          # GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          # APPLE_ID: ${{ secrets.APPLE_ID }}
-          # APPLE_APP_SPECIFIC_PASSWORD: ${{ secrets.APPLE_PASSWORD }}
+
+      # slower build but dmg output is much nicer looking
+      - name: build release
+        if: inputs.s3-prefix == 'release'
+        run: tea -SE xc dist
+        env:
+          PUBLIC_MIXPANEL_TOKEN: ${{ secrets.MIXPANEL_PROJECT_TOKEN }}
+          DEBUG_BUILD: ${{ inputs.debug }}
+          PUBLIC_VERSION: ${{ steps.gui-version.outputs.version }}
+          USE_HARD_LINKS: false
+          CSC_FOR_PULL_REQUEST: true
+          CSC_LINK: ${{ secrets.GUI_APPLE_CERTIFICATE }}
+          CSC_KEY_PASSWORD: ${{ secrets.GUI_APPLE_CERTIFICATE_PASSWORD }}
+          CSC_NAME: ${{ secrets.APPLE_IDENTITY_NO_PREFIX }}
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          APPLE_ID: ${{ secrets.APPLE_ID }}
+          APPLE_APP_SPECIFIC_PASSWORD: ${{ secrets.APPLE_PASSWORD }}

      - name: build artifacts for publishing and notarization
        run: |
@ -119,6 +132,7 @@ jobs:
          echo key=$S3_KEY >> $GITHUB_OUTPUT

  notarize-mac-installers:
+    if: ${{ inputs.s3-prefix }} != 'release'
    # TODO: run only for mac, create separate Job for linux
    needs: [get-platform, build]
    runs-on: macos-11
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@ -155,7 +155,7 @@ jobs:
        aws-region: us-east-1
    - name: s3 artifact download
      env:
-        S3_INSTALLER_KEY: ${{ needs.build_desktop.outputs.s3-installers-artifact-key }}
+        S3_INSTALLER_KEY: ${{ needs.build_desktop.outputs.s3-custom-notarized-installers-key }}
      run: aws s3 cp $S3_INSTALLER_KEY dist.tgz

    - run: mkdir dist
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@ -57,7 +57,7 @@ jobs:
        aws-region: us-east-1
    - name: s3 artifact download
      env:
-        S3_INSTALLER_KEY: ${{ needs.build_desktop.outputs.s3-installers-artifact-key }}
+        S3_INSTALLER_KEY: ${{ needs.build_desktop.outputs.s3-custom-notarized-installers-key }}
      run: aws s3 cp $S3_INSTALLER_KEY dist.tgz

    - run: |
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@ -9,7 +9,7 @@ jobs:
      matrix:
        platform:
          # X86+64 is built with ARM64 also
-          - darwin+aarch64
+          - darwin+x86-64
    uses: ./.github/workflows/build-sign-notarize.yml
    with:
      platform: ${{ matrix.platform }}
@ -35,7 +35,7 @@ jobs:
        aws-region: us-east-1
    - name: s3 artifact download
      env:
-        S3_INSTALLER_KEY: ${{ needs.build_desktop.outputs.s3-installers-artifact-key }}
+        S3_INSTALLER_KEY: ${{ needs.build_desktop.outputs.s3-electron-dist-key }}
      run: aws s3 cp $S3_INSTALLER_KEY dist.tgz

    - run: |
--- a/modules/desktop/electron-builder.config.cjs
+++ b/modules/desktop/electron-builder.config.cjs
@ -1,6 +1,6 @@
-// const { notarize } = require('@electron/notarize');
-// const fs = require('fs');
-// const path = require('path');
+const { notarize } = require("@electron/notarize");
+const fs = require("fs");
+const path = require("path");

 module.exports = {
 	appId: "xyz.tea.gui",
@ -19,36 +19,38 @@ module.exports = {
 	},
 	// TODO: if xcrun altool exists eventually in our self-hosted macos
 	// SOLUTION: is notarize separately in next pipeline step
-	// afterSign: async (params) => {
-	// 	if (process.platform !== 'darwin') {
-	// 		return;
-	// 	}
+	afterSign: async (params) => {
+		if (process.platform !== "darwin") {
+			return;
+		}

-	// 	console.log('afterSign hook triggered', params);
+		console.log("afterSign hook triggered", params);

-	// 	const appBundleId = 'xyz.tea.gui';
+		const appBundleId = "xyz.tea.gui";

-	// 	let appPath = path.join(params.appOutDir, `${params.packager.appInfo.productFilename}.app`);
-	// 	if (!fs.existsSync(appPath)) {
-	// 		console.log('skip');
-	// 		return;
-	// 	}
+		let appPath = path.join(params.appOutDir, `${params.packager.appInfo.productFilename}.app`);
+		if (!fs.existsSync(appPath)) {
+			console.log("skip");
+			return;
+		}

-	// 	console.log(`Notarizing ${appBundleId} found at ${appPath} with Apple ID ${process.env.APPLE_ID}`);
+		console.log(
+			`Notarizing ${appBundleId} found at ${appPath} with Apple ID ${process.env.APPLE_ID}`
+		);

-	// 	try {
-	// 		await notarize({
-	// 			appBundleId,
-	// 			appPath,
-	// 			appleId: process.env.APPLE_ID,
-	// 			appleIdPassword: process.env.APPLE_APP_SPECIFIC_PASSWORD
-	// 		});
-	// 	} catch (error) {
-	// 		console.error(error);
-	// 	}
+		try {
+			await notarize({
+				appBundleId,
+				appPath,
+				appleId: process.env.APPLE_ID,
+				appleIdPassword: process.env.APPLE_APP_SPECIFIC_PASSWORD
+			});
+		} catch (error) {
+			console.error(error);
+		}

-	// 	console.log(`Done notarizing`);
-	// },
+		console.log(`Done notarizing`);
+	},

 	// publish: {
 	// 	provider: "github",