mirror of
https://github.com/ivabus/pantry
synced 2024-11-26 18:25:08 +03:00
parent
4ab112c592
commit
61426ebcb1
2 changed files with 85 additions and 33 deletions
76
.github/actions/apple-signing/action.yml
vendored
Normal file
76
.github/actions/apple-signing/action.yml
vendored
Normal file
|
@ -0,0 +1,76 @@
|
|||
name: Apple signing
|
||||
description: signs binaries for macOS
|
||||
inputs:
|
||||
p12-file-base64:
|
||||
description: Base64 encoded p12 file
|
||||
required: true
|
||||
p12-password:
|
||||
description: Password for p12 file
|
||||
required: true
|
||||
identity:
|
||||
description: Identity to use for signing
|
||||
required: true
|
||||
paths:
|
||||
description: Paths to search for libs/bins sign
|
||||
required: true
|
||||
|
||||
runs:
|
||||
using: "composite"
|
||||
steps:
|
||||
# Only runs on macOS
|
||||
- name: Check platform
|
||||
shell: sh
|
||||
run: |
|
||||
if [[ "$RUNNER_OS" != "macOS" ]]; then
|
||||
echo "This action only runs on macOS"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
# the next three steps bless our code for Apple. It might be the case they should be
|
||||
# encapulated separately.
|
||||
# FIXME: using an explicit commit in a PR isn't great, but the last release was almost 3 years
|
||||
# ago, and we need bugfixes.
|
||||
# FIXME: replace this with a tea script based on https://localazy.com/blog/how-to-automatically-sign-macos-apps-using-github-actions
|
||||
# github has a doc with similar content, but it's not returning to me atm.
|
||||
- uses: apple-actions/import-codesign-certs@d54750db52a4d3eaed0fc107a8bab3958f3f7494
|
||||
with:
|
||||
p12-file-base64: ${{ inputs.p12-file-base64 }}
|
||||
p12-password: ${{ inputs.p12-password }}
|
||||
|
||||
# Codesign libs and bins
|
||||
- name: Codesign package
|
||||
shell: bash
|
||||
run: |
|
||||
for PATH in $PATHS; do
|
||||
/usr/bin/find $PATH -name '*.so' -or -name '*.dylib' -print0 | \
|
||||
/usr/bin/xargs -0 /usr/bin/codesign -s "$IDENTITY" --force -v --deep --timestamp --preserve-metadata=entitlements -o runtime
|
||||
if test -d $PATH/bin; then
|
||||
/usr/bin/find $PATH/bin -type f -print0 | \
|
||||
/usr/bin/xargs -0 /usr/bin/codesign -s "$IDENTITY" -v --force --deep --timestamp --preserve-metadata=entitlements -o runtime
|
||||
fi
|
||||
done
|
||||
env:
|
||||
PATHS: ${{ inputs.paths }}
|
||||
IDENTITY: ${{ inputs.identity }}
|
||||
|
||||
# This isn't very informative, but even a no-op is safer than none
|
||||
- name: Check codesigning
|
||||
shell: bash
|
||||
run: |
|
||||
for PATH in $PATHS; do
|
||||
LIBS="$(/usr/bin/find $PATH -name '*.so' -or -name '*.dylib')"
|
||||
if test -d $PATH/bin; then
|
||||
BINS="$(/usr/bin/find $PATH/bin -type f)"
|
||||
fi
|
||||
for SIGNED in $LIBS $BINS; do
|
||||
/usr/bin/codesign -vvv --deep --strict "$SIGNED"
|
||||
done
|
||||
done
|
||||
env:
|
||||
PATHS: ${{ inputs.paths }}
|
||||
|
||||
# Needed for self-hosted runner, since it doesn't destroy itself automatically.
|
||||
- name: Delete keychain
|
||||
if: always()
|
||||
shell: bash
|
||||
run: /usr/bin/security delete-keychain signing_temp.keychain
|
40
.github/workflows/bottle.yml
vendored
40
.github/workflows/bottle.yml
vendored
|
@ -77,42 +77,18 @@ jobs:
|
|||
echo "$file=$(cat $file)" >>$GITHUB_ENV
|
||||
done
|
||||
|
||||
# the next three steps bless our code for Apple. It might be the case they should be
|
||||
# encapulated separately.
|
||||
# FIXME: using an explicit commit in a PR isn't great, but the last release was almost 3 years
|
||||
# ago, and we need bugfixes.
|
||||
# FIXME: replace this with a tea script based on https://localazy.com/blog/how-to-automatically-sign-macos-apps-using-github-actions
|
||||
# github has a doc with similar content, but it's not returning to me atm.
|
||||
- uses: apple-actions/import-codesign-certs@d54750db52a4d3eaed0fc107a8bab3958f3f7494
|
||||
- uses: actions/checkout@v3
|
||||
if: startsWith(inputs.platform, 'darwin+')
|
||||
with:
|
||||
path: pantry
|
||||
repository: teaxyz/pantry.core
|
||||
- uses: ./pantry/.github/actions/apple-signing
|
||||
if: startsWith(inputs.platform, 'darwin+')
|
||||
with:
|
||||
p12-file-base64: ${{ secrets.APPLE_CERTIFICATE_P12 }}
|
||||
p12-password: ${{ secrets.APPLE_CERTIFICATE_P12_PASSWORD }}
|
||||
|
||||
# Codesign libs and bins
|
||||
- name: Codesign package
|
||||
if: startsWith(inputs.platform, 'darwin+')
|
||||
run: |
|
||||
for PKG in ${{ env.relative-paths }}; do
|
||||
find /opt/$PKG -name '*.so' -or -name '*.dylib' -print0 | \
|
||||
xargs -0 codesign -s "Developer ID Application: Tea Inc. (7WV56FL599)" --force -v --deep --timestamp --preserve-metadata=entitlements -o runtime || true
|
||||
codesign -s "Developer ID Application: Tea Inc. (7WV56FL599)" -v --force --deep --timestamp --preserve-metadata=entitlements -o runtime /opt/$PKG/bin/* || true
|
||||
done
|
||||
|
||||
# This isn't very informative, but even a no-op is safer than none
|
||||
- name: Check codesigning
|
||||
if: startsWith(inputs.platform, 'darwin+')
|
||||
run: |
|
||||
for PKG in ${{ env.relative-paths }}; do
|
||||
for SIG in `find /opt/$PKG -name '*.so' -or -name '*.dylib'` `find /opt/$PKG/bin -type f`; do
|
||||
codesign -vvv --deep --strict "$SIG"
|
||||
done
|
||||
done
|
||||
|
||||
# Needed for self-hosted runner, since it doesn't destroy itself automatically.
|
||||
- name: Delete keychain
|
||||
if: always() && inputs.platform == 'darwin+aarch64'
|
||||
run: security delete-keychain signing_temp.keychain
|
||||
identity: "Developer ID Application: Tea Inc. (7WV56FL599)"
|
||||
paths: ${{ env.relative-paths}}
|
||||
|
||||
- run: |
|
||||
tea +gnupg.org gpg-agent --daemon || true
|
||||
|
|
Loading…
Reference in a new issue