name: Apple Codesigning description: Codesigns macOS binaries inputs: p12-file-base64: description: Base64 encoded p12 file required: true p12-password: description: Password for p12 file required: true identity: description: Identity to use for signing required: true paths: description: paths to sign required: true runs: using: composite steps: # Only runs on macOS - name: Check platform shell: sh run: | if [[ "$RUNNER_OS" != "macOS" ]]; then echo "This action only runs on macOS" exit 1 fi # the next three steps bless our code for Apple. It might be the case they should be # encapulated separately. # FIXME: using an explicit commit in a PR isn't great, but the last release was almost 3 years # ago, and we need bugfixes. # FIXME: replace this with a tea script based on https://localazy.com/blog/how-to-automatically-sign-macos-apps-using-github-actions # github has a doc with similar content, but it's not returning to me atm. # apple-actions/import-codesign-certs will fail if the keychain already exists, so we prophylactically # delete it if it does. - name: Delete keychain shell: sh run: security delete-keychain signing_temp.keychain || true - uses: apple-actions/import-codesign-certs@d54750db52a4d3eaed0fc107a8bab3958f3f7494 with: p12-file-base64: ${{ inputs.p12-file-base64 }} p12-password: ${{ inputs.p12-password }} - name: Codesign files shell: sh run: find $PATHS -type f -print0 | xargs -0 codesign -s "$IDENTITY" --force -v --timestamp || true env: PATHS: ${{ inputs.paths }} IDENTITY: ${{ inputs.identity }} # This isn't very informative, but even a no-op is safer than none - name: Check codesigning shell: sh # FIXME: `deno` compiled binaries don't currently pass validation. # https://github.com/denoland/deno/issues/17753 run: find $PATHS -type f ! -name tea -print0 | xargs -0 codesign -vvv --strict env: PATHS: ${{ inputs.paths }} # Needed for self-hosted runner, since it doesn't destroy itself automatically. - name: Delete keychain if: always() shell: sh run: security delete-keychain signing_temp.keychain