pantry/.github/actions/apple-signing/action.yml

name: Apple signing
description: signs binaries for macOS
inputs:
  p12-file-base64:
    description: Base64 encoded p12 file
    required: true
  p12-password:
    description: Password for p12 file
    required: true
  identity:
    description: Identity to use for signing
    required: true
  paths:
    description: Paths to search for files to sign
    required: true

runs:
  using: "composite"
  steps:
    # Only runs on macOS
    - name: Check platform
      shell: sh
      run: |
        if [[ "$RUNNER_OS" != "macOS" ]]; then
          echo "This action only runs on macOS"
          exit 1
        fi

    # the next three steps bless our code for Apple. It might be the case they should be
    # encapulated separately.
    # FIXME: using an explicit commit in a PR isn't great, but the last release was almost 3 years
    # ago, and we need bugfixes.
    # FIXME: replace this with a tea script based on https://localazy.com/blog/how-to-automatically-sign-macos-apps-using-github-actions
    # github has a doc with similar content, but it's not returning to me atm.
    - uses: apple-actions/import-codesign-certs@d54750db52a4d3eaed0fc107a8bab3958f3f7494
      with:
        p12-file-base64: ${{ inputs.p12-file-base64 }}
        p12-password: ${{ inputs.p12-password }}


    - name: Codesign files
      shell: sh
      run: |
        find $PATHS -type f -print0 | \
          xargs -0 /usr/bin/codesign -s "$IDENTITY" --force -v \
          --timestamp || true
      env:
        PATHS: ${{ inputs.paths }}
        IDENTITY: ${{ inputs.identity }}

    # This isn't very informative, but even a no-op is safer than none
    - name: Check codesigning
      shell: sh
      run: |
        # FIXME: `deno` compiled binaries don't currently pass validation.
        # https://github.com/denoland/deno/issues/17753
        find $PATHS -type f ! -name tea -print0 | xargs -0 codesign -vvv --strict
      env:
        PATHS: ${{ inputs.paths }}

    # Needed for self-hosted runner, since it doesn't destroy itself automatically.
    - name: Delete keychain
      if: always()
      shell: sh
      run: security delete-keychain signing_temp.keychain
extract signing action ref https://github.com/teaxyz/cli/issues/376 2023-02-12 10:07:11 +03:00			`name: Apple signing`
			`description: signs binaries for macOS`
			`inputs:`
			`p12-file-base64:`
			`description: Base64 encoded p12 file`
			`required: true`
			`p12-password:`
			`description: Password for p12 file`
			`required: true`
			`identity:`
			`description: Identity to use for signing`
			`required: true`
			`paths:`
fix(nodejs) 2023-02-21 23:33:16 +03:00			`description: Paths to search for files to sign`
extract signing action ref https://github.com/teaxyz/cli/issues/376 2023-02-12 10:07:11 +03:00			`required: true`

			`runs:`
			`using: "composite"`
			`steps:`
			`# Only runs on macOS`
			`- name: Check platform`
			`shell: sh`
			`run: \|`
			`if [[ "$RUNNER_OS" != "macOS" ]]; then`
			`echo "This action only runs on macOS"`
			`exit 1`
			`fi`

			`# the next three steps bless our code for Apple. It might be the case they should be`
			`# encapulated separately.`
			`# FIXME: using an explicit commit in a PR isn't great, but the last release was almost 3 years`
			`# ago, and we need bugfixes.`
			`# FIXME: replace this with a tea script based on https://localazy.com/blog/how-to-automatically-sign-macos-apps-using-github-actions`
			`# github has a doc with similar content, but it's not returning to me atm.`
			`- uses: apple-actions/import-codesign-certs@d54750db52a4d3eaed0fc107a8bab3958f3f7494`
			`with:`
			`p12-file-base64: ${{ inputs.p12-file-base64 }}`
			`p12-password: ${{ inputs.p12-password }}`

add *.bundle to codesigning 2023-02-15 01:35:35 +03:00
			`- name: Codesign files`
fix(nodejs) 2023-02-21 23:33:16 +03:00			`shell: sh`
add *.bundle to codesigning 2023-02-15 01:35:35 +03:00			`run: \|`
fix(nodejs) 2023-02-21 23:33:16 +03:00			`find $PATHS -type f -print0 \| \`
			`xargs -0 /usr/bin/codesign -s "$IDENTITY" --force -v \`
			`--timestamp \|\| true`
add *.bundle to codesigning 2023-02-15 01:35:35 +03:00			`env:`
fix(nodejs) 2023-02-21 23:33:16 +03:00			`PATHS: ${{ inputs.paths }}`
extract signing action ref https://github.com/teaxyz/cli/issues/376 2023-02-12 10:07:11 +03:00			`IDENTITY: ${{ inputs.identity }}`

			`# This isn't very informative, but even a no-op is safer than none`
			`- name: Check codesigning`
fix(nodejs) 2023-02-21 23:33:16 +03:00			`shell: sh`
extract signing action ref https://github.com/teaxyz/cli/issues/376 2023-02-12 10:07:11 +03:00			`run: \|`
file names with spaces. 2023-02-23 01:41:16 +03:00			# FIXME: `deno` compiled binaries don't currently pass validation.
			`# https://github.com/denoland/deno/issues/17753`
			`find $PATHS -type f ! -name tea -print0 \| xargs -0 codesign -vvv --strict`
extract signing action ref https://github.com/teaxyz/cli/issues/376 2023-02-12 10:07:11 +03:00			`env:`
fix(nodejs) 2023-02-21 23:33:16 +03:00			`PATHS: ${{ inputs.paths }}`
extract signing action ref https://github.com/teaxyz/cli/issues/376 2023-02-12 10:07:11 +03:00
			`# Needed for self-hosted runner, since it doesn't destroy itself automatically.`
			`- name: Delete keychain`
			`if: always()`
fix(nodejs) 2023-02-21 23:33:16 +03:00			`shell: sh`
			`run: security delete-keychain signing_temp.keychain`