2023-02-24 23:50:10 +03:00
|
|
|
name: Apple Codesigning
|
|
|
|
description: Codesigns macOS binaries
|
|
|
|
|
2023-02-12 10:07:11 +03:00
|
|
|
inputs:
|
|
|
|
p12-file-base64:
|
|
|
|
description: Base64 encoded p12 file
|
|
|
|
required: true
|
|
|
|
p12-password:
|
|
|
|
description: Password for p12 file
|
|
|
|
required: true
|
|
|
|
identity:
|
|
|
|
description: Identity to use for signing
|
|
|
|
required: true
|
|
|
|
paths:
|
2023-02-24 23:50:10 +03:00
|
|
|
description: paths to sign
|
2023-02-12 10:07:11 +03:00
|
|
|
required: true
|
|
|
|
|
|
|
|
runs:
|
2023-02-24 23:50:10 +03:00
|
|
|
using: composite
|
2023-02-12 10:07:11 +03:00
|
|
|
steps:
|
|
|
|
# Only runs on macOS
|
|
|
|
- name: Check platform
|
|
|
|
shell: sh
|
|
|
|
run: |
|
|
|
|
if [[ "$RUNNER_OS" != "macOS" ]]; then
|
|
|
|
echo "This action only runs on macOS"
|
|
|
|
exit 1
|
|
|
|
fi
|
|
|
|
|
|
|
|
# the next three steps bless our code for Apple. It might be the case they should be
|
|
|
|
# encapulated separately.
|
|
|
|
# FIXME: using an explicit commit in a PR isn't great, but the last release was almost 3 years
|
|
|
|
# ago, and we need bugfixes.
|
|
|
|
# FIXME: replace this with a tea script based on https://localazy.com/blog/how-to-automatically-sign-macos-apps-using-github-actions
|
|
|
|
# github has a doc with similar content, but it's not returning to me atm.
|
2023-02-27 19:42:37 +03:00
|
|
|
|
|
|
|
# apple-actions/import-codesign-certs will fail if the keychain already exists, so we prophylactically
|
|
|
|
# delete it if it does.
|
|
|
|
- name: Delete keychain
|
|
|
|
shell: sh
|
|
|
|
run: security delete-keychain signing_temp.keychain || true
|
|
|
|
|
2023-02-12 10:07:11 +03:00
|
|
|
- uses: apple-actions/import-codesign-certs@d54750db52a4d3eaed0fc107a8bab3958f3f7494
|
|
|
|
with:
|
|
|
|
p12-file-base64: ${{ inputs.p12-file-base64 }}
|
|
|
|
p12-password: ${{ inputs.p12-password }}
|
|
|
|
|
2023-03-08 07:40:54 +03:00
|
|
|
- name: Create file list
|
2023-02-21 23:33:16 +03:00
|
|
|
shell: sh
|
2023-03-08 07:40:54 +03:00
|
|
|
id: files
|
|
|
|
run: |
|
|
|
|
echo "sign<<EOF" >> $GITHUB_OUTPUT
|
|
|
|
/usr/bin/find $PATHS \
|
|
|
|
-type f \
|
|
|
|
-not -name '*.py' \
|
|
|
|
-not -name '*.pyc' \
|
|
|
|
-not -name '*.txt' \
|
|
|
|
-not -name '*.h' | \
|
|
|
|
/usr/bin/sed -e 's/ /\\ /g' >> $GITHUB_OUTPUT
|
|
|
|
echo "EOF" >> $GITHUB_OUTPUT
|
|
|
|
|
|
|
|
# `tea` won't pass strict checking due to a deno bug with the way
|
|
|
|
# MachO headers are created
|
|
|
|
# https://github.com/denoland/deno/issues/17753
|
|
|
|
echo "check<<EOF" >> $GITHUB_OUTPUT
|
|
|
|
/usr/bin/find $PATHS \
|
|
|
|
-type f \
|
|
|
|
-not -name '*.py' \
|
|
|
|
-not -name '*.pyc' \
|
|
|
|
-not -name '*.txt' \
|
|
|
|
-not -name '*.h' \
|
|
|
|
-not -name tea | \
|
|
|
|
/usr/bin/sed -e 's/ /\\ /g' >> $GITHUB_OUTPUT
|
|
|
|
echo "EOF" >> $GITHUB_OUTPUT
|
2023-02-15 01:35:35 +03:00
|
|
|
env:
|
2023-02-21 23:33:16 +03:00
|
|
|
PATHS: ${{ inputs.paths }}
|
2023-03-08 07:40:54 +03:00
|
|
|
|
|
|
|
- name: Codesign files
|
|
|
|
shell: sh
|
|
|
|
run: |
|
|
|
|
echo "$FILES" | \
|
|
|
|
/usr/bin/xargs /usr/bin/codesign -s "$IDENTITY" --force -v --timestamp || true
|
|
|
|
env:
|
|
|
|
FILES: ${{ steps.files.outputs.sign }}
|
2023-02-12 10:07:11 +03:00
|
|
|
IDENTITY: ${{ inputs.identity }}
|
|
|
|
|
|
|
|
# This isn't very informative, but even a no-op is safer than none
|
|
|
|
- name: Check codesigning
|
2023-02-21 23:33:16 +03:00
|
|
|
shell: sh
|
2023-03-08 07:40:54 +03:00
|
|
|
run: echo "$FILES" | /usr/bin/xargs /usr/bin/codesign -vvv --strict
|
2023-02-12 10:07:11 +03:00
|
|
|
env:
|
2023-03-08 07:40:54 +03:00
|
|
|
FILES: ${{ steps.files.outputs.check }}
|
2023-02-12 10:07:11 +03:00
|
|
|
|
|
|
|
# Needed for self-hosted runner, since it doesn't destroy itself automatically.
|
|
|
|
- name: Delete keychain
|
|
|
|
if: always()
|
2023-02-21 23:33:16 +03:00
|
|
|
shell: sh
|
|
|
|
run: security delete-keychain signing_temp.keychain
|