pantry/.github/actions/codesign/action.yml

68 lines
2.3 KiB
YAML
Raw Normal View History

2023-02-24 23:50:10 +03:00
name: Apple Codesigning
description: Codesigns macOS binaries
inputs:
p12-file-base64:
description: Base64 encoded p12 file
required: true
p12-password:
description: Password for p12 file
required: true
identity:
description: Identity to use for signing
required: true
paths:
2023-02-24 23:50:10 +03:00
description: paths to sign
required: true
runs:
2023-02-24 23:50:10 +03:00
using: composite
steps:
# Only runs on macOS
- name: Check platform
shell: sh
run: |
if [[ "$RUNNER_OS" != "macOS" ]]; then
echo "This action only runs on macOS"
exit 1
fi
# the next three steps bless our code for Apple. It might be the case they should be
# encapulated separately.
# FIXME: using an explicit commit in a PR isn't great, but the last release was almost 3 years
# ago, and we need bugfixes.
# FIXME: replace this with a tea script based on https://localazy.com/blog/how-to-automatically-sign-macos-apps-using-github-actions
# github has a doc with similar content, but it's not returning to me atm.
2023-02-27 19:42:37 +03:00
# apple-actions/import-codesign-certs will fail if the keychain already exists, so we prophylactically
# delete it if it does.
- name: Delete keychain
shell: sh
run: security delete-keychain signing_temp.keychain || true
- uses: apple-actions/import-codesign-certs@d54750db52a4d3eaed0fc107a8bab3958f3f7494
with:
p12-file-base64: ${{ inputs.p12-file-base64 }}
p12-password: ${{ inputs.p12-password }}
2023-02-15 01:35:35 +03:00
- name: Codesign files
2023-02-21 23:33:16 +03:00
shell: sh
2023-02-24 23:50:10 +03:00
run: find $PATHS -type f -print0 | xargs -0 codesign -s "$IDENTITY" --force -v --timestamp || true
2023-02-15 01:35:35 +03:00
env:
2023-02-21 23:33:16 +03:00
PATHS: ${{ inputs.paths }}
IDENTITY: ${{ inputs.identity }}
# This isn't very informative, but even a no-op is safer than none
- name: Check codesigning
2023-02-21 23:33:16 +03:00
shell: sh
2023-02-24 23:50:10 +03:00
# FIXME: `deno` compiled binaries don't currently pass validation.
# https://github.com/denoland/deno/issues/17753
run: find $PATHS -type f ! -name tea -print0 | xargs -0 codesign -vvv --strict
env:
2023-02-21 23:33:16 +03:00
PATHS: ${{ inputs.paths }}
# Needed for self-hosted runner, since it doesn't destroy itself automatically.
- name: Delete keychain
if: always()
2023-02-21 23:33:16 +03:00
shell: sh
run: security delete-keychain signing_temp.keychain