From 3248e8fa30d4878a51ae5b9c61a8dca1f1f51a90 Mon Sep 17 00:00:00 2001
From: Jacob Heider <jacob@tea.xyz>
Date: Tue, 7 Mar 2023 23:40:54 -0500
Subject: [PATCH] faster codesigning with file extension blacklisting

second test


repeat second test


repeat first test


repeat repeating second test


more test two


test 2


test 3


test 3.1


test 3.2


test 3.2.1


test 3.2.2


test 3.2.3


test 3.3


test 4


test 4.1


test 4.2


test 4.3


test 4.4 (I hate shell escaping)
---
 .DS_Store                           | Bin 6148 -> 0 bytes
 .github/actions/codesign/action.yml |  42 ++++++++++++++++++++++++----
 2 files changed, 36 insertions(+), 6 deletions(-)
 delete mode 100644 .DS_Store

diff --git a/.DS_Store b/.DS_Store
deleted file mode 100644
index 3569ebf461e9e4b57b6a6c0b4ed9027681aafe35..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 6148
zcmeHKzi-n(6n>YwjYC1o02QMJj1i<k4T@My2of6-u3&&F*mX!u9iL@8$q+>f3xa`v
zgPDn$0r(S;nBZT44T*twKdk!drb7pWs(aGicYgQY-RCdoyBq+J?!?~)r~`nBg`sf{
zt7DAyvr@8(^lTv#HbywycJ}EwE=6jGRzNH8KPte!T?4Me5CX`Q@At~&Rk3eOdp$3t
z9{SAlzkeLSmrr-pe*eV&cvRRM-dUIm)qGwU!2~>IcGykI5k(I1^uhhNpE-vk<BaJc
zlhsiQANZK_nL-NtK*5KB$_JiHK81)PpPjv5-wJ$`s6#%hqf|a@KgLZrh6K61fB|yK
zAXONVm*0<zDRO$>x_NC~{7$8@iYlEHr|{ZnGG0}#QGzQbF0+C+<%lAupMP38rz7JO
z8Lf^|_*8714EbcJkc+E{;yTK_SsKfg`oW9CAkCW1ucWeOtZ!7!s<~<IIU_oAGB=x~
zT{n5co^~k>y}a#ukAlIhU%z;lMwuH#gM=pp{s2RsJ`N(E&bo9G`6<tJM2A^3YyJAx
zeBNwWty`T%!<u(G?S|EE?<^KI^U~EDw;%Qo!f`}jGtziu;+e_qg2Wtzg33Ehog@lr
zG{lfRD~~=s%8|^?(+{CDwE|j!GpYdFA1o{kZHY^PeCxo9UjYyebaTTtKf4eu=0LP1
zE(M|ojfhl4kxJwhgNStWTQbg;xD+VTf$*7e962+QHx$BWN593xf!G3dtrgG;s0yr!
z$2vRz@2$T7t4aDvE1(rPQwk8H=k&VxO7d(iy&OAhEiBKlFk^8`fjk8(c^vZwJBlx3
c;f8${YarSZmjcm)rvC_V8FZx;_@@f|1&46#3;+NC

diff --git a/.github/actions/codesign/action.yml b/.github/actions/codesign/action.yml
index dea90be5..7648423c 100644
--- a/.github/actions/codesign/action.yml
+++ b/.github/actions/codesign/action.yml
@@ -45,21 +45,51 @@ runs:
         p12-file-base64: ${{ inputs.p12-file-base64 }}
         p12-password: ${{ inputs.p12-password }}
 
-    - name: Codesign files
+    - name: Create file list
       shell: sh
-      run: find $PATHS -type f -print0 | xargs -0 codesign -s "$IDENTITY" --force -v --timestamp || true
+      id: files
+      run: |
+        echo "sign<<EOF" >> $GITHUB_OUTPUT
+        /usr/bin/find $PATHS \
+          -type f \
+          -not -name '*.py' \
+          -not -name '*.pyc' \
+          -not -name '*.txt' \
+          -not -name '*.h' | \
+          /usr/bin/sed -e 's/ /\\ /g' >> $GITHUB_OUTPUT
+        echo "EOF" >> $GITHUB_OUTPUT
+
+        # `tea` won't pass strict checking due to a deno bug with the way
+        # MachO headers are created
+        # https://github.com/denoland/deno/issues/17753
+        echo "check<<EOF" >> $GITHUB_OUTPUT
+        /usr/bin/find $PATHS \
+          -type f \
+          -not -name '*.py' \
+          -not -name '*.pyc' \
+          -not -name '*.txt' \
+          -not -name '*.h' \
+          -not -name tea | \
+          /usr/bin/sed -e 's/ /\\ /g' >> $GITHUB_OUTPUT
+        echo "EOF" >> $GITHUB_OUTPUT
       env:
         PATHS: ${{ inputs.paths }}
+
+    - name: Codesign files
+      shell: sh
+      run: |
+        echo "$FILES" | \
+          /usr/bin/xargs /usr/bin/codesign -s "$IDENTITY" --force -v --timestamp || true
+      env:
+        FILES: ${{ steps.files.outputs.sign }}
         IDENTITY: ${{ inputs.identity }}
 
     # This isn't very informative, but even a no-op is safer than none
     - name: Check codesigning
       shell: sh
-      # FIXME: `deno` compiled binaries don't currently pass validation.
-      # https://github.com/denoland/deno/issues/17753
-      run: find $PATHS -type f ! -name tea -print0 | xargs -0 codesign -vvv --strict
+      run: echo "$FILES" | /usr/bin/xargs /usr/bin/codesign -vvv --strict
       env:
-        PATHS: ${{ inputs.paths }}
+        FILES: ${{ steps.files.outputs.check }}
 
     # Needed for self-hosted runner, since it doesn't destroy itself automatically.
     - name: Delete keychain