mirror of
https://github.com/ivabus/pantry
synced 2024-11-14 20:45:09 +03:00
54 lines
2 KiB
YAML
54 lines
2 KiB
YAML
name: pkgx/pantry/setup-codesign
|
|
description: Codesigns macOS binaries using Apple tools
|
|
|
|
inputs:
|
|
p12-file-base64:
|
|
description: Base64 encoded p12 file
|
|
required: true
|
|
p12-password:
|
|
description: Password for p12 file
|
|
required: true
|
|
APPLE_IDENTITY:
|
|
required: false
|
|
|
|
runs:
|
|
using: composite
|
|
steps:
|
|
# - name: purge tool PATH
|
|
# run: |
|
|
# if [ -d /usr/local/bin ]; then
|
|
# tmp=$(mktemp -d)
|
|
# sudo mv /usr/local/bin $tmp
|
|
# fi
|
|
# shell: bash
|
|
|
|
- name: export APPLE_IDENTITY
|
|
run: echo 'APPLE_IDENTITY=${{inputs.identity || '-'}}' >> $GITHUB_ENV
|
|
shell: bash
|
|
|
|
# the next three steps bless our code for Apple. It might be the case they should be
|
|
# encapulated separately.
|
|
# FIXME: using an explicit commit in a PR isn't great, but the last release was almost 3 years
|
|
# ago, and we need bugfixes.
|
|
# FIXME: replace this with a pkgx script based on https://localazy.com/blog/how-to-automatically-sign-macos-apps-using-github-actions
|
|
# github has a doc with similar content, but it's not returning to me atm.
|
|
|
|
# apple-actions/import-codesign-certs will fail if the keychain already exists, so we prophylactically
|
|
# delete it if it does.
|
|
- name: Delete keychain
|
|
shell: sh
|
|
if: runner.os == 'macOS' && inputs.p12-file-password && inputs.p12-file-base64
|
|
run: security delete-keychain signing_temp.keychain || true
|
|
|
|
- uses: apple-actions/import-codesign-certs@v2
|
|
if: runner.os == 'macOS' && inputs.p12-file-password && inputs.p12-file-base64
|
|
with:
|
|
p12-file-base64: ${{ inputs.p12-file-base64 }}
|
|
p12-password: ${{ inputs.p12-password }}
|
|
|
|
# Needed for self-hosted runner, since it doesn't destroy itself automatically.
|
|
- name: Delete keychain
|
|
uses: webiny/action-post-run@3.0.0
|
|
if: runner.os == 'macOS' && inputs.p12-file-password && inputs.p12-file-base64
|
|
with:
|
|
run: security delete-keychain signing_temp.keychain
|