mirror of
https://github.com/ivabus/pantry
synced 2024-11-27 02:35:08 +03:00
parent
4ab112c592
commit
61426ebcb1
2 changed files with 85 additions and 33 deletions
76
.github/actions/apple-signing/action.yml
vendored
Normal file
76
.github/actions/apple-signing/action.yml
vendored
Normal file
|
@ -0,0 +1,76 @@
|
||||||
|
name: Apple signing
|
||||||
|
description: signs binaries for macOS
|
||||||
|
inputs:
|
||||||
|
p12-file-base64:
|
||||||
|
description: Base64 encoded p12 file
|
||||||
|
required: true
|
||||||
|
p12-password:
|
||||||
|
description: Password for p12 file
|
||||||
|
required: true
|
||||||
|
identity:
|
||||||
|
description: Identity to use for signing
|
||||||
|
required: true
|
||||||
|
paths:
|
||||||
|
description: Paths to search for libs/bins sign
|
||||||
|
required: true
|
||||||
|
|
||||||
|
runs:
|
||||||
|
using: "composite"
|
||||||
|
steps:
|
||||||
|
# Only runs on macOS
|
||||||
|
- name: Check platform
|
||||||
|
shell: sh
|
||||||
|
run: |
|
||||||
|
if [[ "$RUNNER_OS" != "macOS" ]]; then
|
||||||
|
echo "This action only runs on macOS"
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
# the next three steps bless our code for Apple. It might be the case they should be
|
||||||
|
# encapulated separately.
|
||||||
|
# FIXME: using an explicit commit in a PR isn't great, but the last release was almost 3 years
|
||||||
|
# ago, and we need bugfixes.
|
||||||
|
# FIXME: replace this with a tea script based on https://localazy.com/blog/how-to-automatically-sign-macos-apps-using-github-actions
|
||||||
|
# github has a doc with similar content, but it's not returning to me atm.
|
||||||
|
- uses: apple-actions/import-codesign-certs@d54750db52a4d3eaed0fc107a8bab3958f3f7494
|
||||||
|
with:
|
||||||
|
p12-file-base64: ${{ inputs.p12-file-base64 }}
|
||||||
|
p12-password: ${{ inputs.p12-password }}
|
||||||
|
|
||||||
|
# Codesign libs and bins
|
||||||
|
- name: Codesign package
|
||||||
|
shell: bash
|
||||||
|
run: |
|
||||||
|
for PATH in $PATHS; do
|
||||||
|
/usr/bin/find $PATH -name '*.so' -or -name '*.dylib' -print0 | \
|
||||||
|
/usr/bin/xargs -0 /usr/bin/codesign -s "$IDENTITY" --force -v --deep --timestamp --preserve-metadata=entitlements -o runtime
|
||||||
|
if test -d $PATH/bin; then
|
||||||
|
/usr/bin/find $PATH/bin -type f -print0 | \
|
||||||
|
/usr/bin/xargs -0 /usr/bin/codesign -s "$IDENTITY" -v --force --deep --timestamp --preserve-metadata=entitlements -o runtime
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
env:
|
||||||
|
PATHS: ${{ inputs.paths }}
|
||||||
|
IDENTITY: ${{ inputs.identity }}
|
||||||
|
|
||||||
|
# This isn't very informative, but even a no-op is safer than none
|
||||||
|
- name: Check codesigning
|
||||||
|
shell: bash
|
||||||
|
run: |
|
||||||
|
for PATH in $PATHS; do
|
||||||
|
LIBS="$(/usr/bin/find $PATH -name '*.so' -or -name '*.dylib')"
|
||||||
|
if test -d $PATH/bin; then
|
||||||
|
BINS="$(/usr/bin/find $PATH/bin -type f)"
|
||||||
|
fi
|
||||||
|
for SIGNED in $LIBS $BINS; do
|
||||||
|
/usr/bin/codesign -vvv --deep --strict "$SIGNED"
|
||||||
|
done
|
||||||
|
done
|
||||||
|
env:
|
||||||
|
PATHS: ${{ inputs.paths }}
|
||||||
|
|
||||||
|
# Needed for self-hosted runner, since it doesn't destroy itself automatically.
|
||||||
|
- name: Delete keychain
|
||||||
|
if: always()
|
||||||
|
shell: bash
|
||||||
|
run: /usr/bin/security delete-keychain signing_temp.keychain
|
40
.github/workflows/bottle.yml
vendored
40
.github/workflows/bottle.yml
vendored
|
@ -77,42 +77,18 @@ jobs:
|
||||||
echo "$file=$(cat $file)" >>$GITHUB_ENV
|
echo "$file=$(cat $file)" >>$GITHUB_ENV
|
||||||
done
|
done
|
||||||
|
|
||||||
# the next three steps bless our code for Apple. It might be the case they should be
|
- uses: actions/checkout@v3
|
||||||
# encapulated separately.
|
if: startsWith(inputs.platform, 'darwin+')
|
||||||
# FIXME: using an explicit commit in a PR isn't great, but the last release was almost 3 years
|
with:
|
||||||
# ago, and we need bugfixes.
|
path: pantry
|
||||||
# FIXME: replace this with a tea script based on https://localazy.com/blog/how-to-automatically-sign-macos-apps-using-github-actions
|
repository: teaxyz/pantry.core
|
||||||
# github has a doc with similar content, but it's not returning to me atm.
|
- uses: ./pantry/.github/actions/apple-signing
|
||||||
- uses: apple-actions/import-codesign-certs@d54750db52a4d3eaed0fc107a8bab3958f3f7494
|
|
||||||
if: startsWith(inputs.platform, 'darwin+')
|
if: startsWith(inputs.platform, 'darwin+')
|
||||||
with:
|
with:
|
||||||
p12-file-base64: ${{ secrets.APPLE_CERTIFICATE_P12 }}
|
p12-file-base64: ${{ secrets.APPLE_CERTIFICATE_P12 }}
|
||||||
p12-password: ${{ secrets.APPLE_CERTIFICATE_P12_PASSWORD }}
|
p12-password: ${{ secrets.APPLE_CERTIFICATE_P12_PASSWORD }}
|
||||||
|
identity: "Developer ID Application: Tea Inc. (7WV56FL599)"
|
||||||
# Codesign libs and bins
|
paths: ${{ env.relative-paths}}
|
||||||
- name: Codesign package
|
|
||||||
if: startsWith(inputs.platform, 'darwin+')
|
|
||||||
run: |
|
|
||||||
for PKG in ${{ env.relative-paths }}; do
|
|
||||||
find /opt/$PKG -name '*.so' -or -name '*.dylib' -print0 | \
|
|
||||||
xargs -0 codesign -s "Developer ID Application: Tea Inc. (7WV56FL599)" --force -v --deep --timestamp --preserve-metadata=entitlements -o runtime || true
|
|
||||||
codesign -s "Developer ID Application: Tea Inc. (7WV56FL599)" -v --force --deep --timestamp --preserve-metadata=entitlements -o runtime /opt/$PKG/bin/* || true
|
|
||||||
done
|
|
||||||
|
|
||||||
# This isn't very informative, but even a no-op is safer than none
|
|
||||||
- name: Check codesigning
|
|
||||||
if: startsWith(inputs.platform, 'darwin+')
|
|
||||||
run: |
|
|
||||||
for PKG in ${{ env.relative-paths }}; do
|
|
||||||
for SIG in `find /opt/$PKG -name '*.so' -or -name '*.dylib'` `find /opt/$PKG/bin -type f`; do
|
|
||||||
codesign -vvv --deep --strict "$SIG"
|
|
||||||
done
|
|
||||||
done
|
|
||||||
|
|
||||||
# Needed for self-hosted runner, since it doesn't destroy itself automatically.
|
|
||||||
- name: Delete keychain
|
|
||||||
if: always() && inputs.platform == 'darwin+aarch64'
|
|
||||||
run: security delete-keychain signing_temp.keychain
|
|
||||||
|
|
||||||
- run: |
|
- run: |
|
||||||
tea +gnupg.org gpg-agent --daemon || true
|
tea +gnupg.org gpg-agent --daemon || true
|
||||||
|
|
Loading…
Reference in a new issue