Skip to content

Test Building for Apple #22

Test Building for Apple

Test Building for Apple #22

Workflow file for this run

name: Test Building for Apple
on: workflow_dispatch
defaults:
run:
# necessary for windows
shell: bash
jobs:
get-version:
runs-on: ubuntu-latest
outputs:
version: ${{ steps.store-version.outputs.sha }}
steps:
- uses: actions/checkout@v4
- name: Install Knope
uses: knope-dev/[email protected]
with:
version: 0.18.0
- name: Store version
id: store-version
run: echo "version=$(knope get-version)" >> $GITHUB_OUTPUT
build-artifacts:
needs: get-version
strategy:
matrix:
include:
- target: aarch64-apple-darwin
os: macos-latest
runs-on: ${{ matrix.os }}
permissions:
contents: read
id-token: write
env:
archive_name: rhai-test
steps:
- uses: actions/checkout@v4
- uses: actions-rust-lang/setup-rust-toolchain@v1
- uses: arduino/setup-protoc@v3
with:
repo-token: ${{ secrets.GITHUB_TOKEN }}
- name: Install Knope
uses: knope-dev/[email protected]
with:
version: 0.18.0
# Authenticate to GCP using Workload Identity Federation.
# We set up the WI provider in the `github_actions_federation` resource in the
# `platform-infrastructure` repository.
- id: google-auth
uses: 'google-github-actions/auth@v2'
with:
workload_identity_provider: 'projects/865738624352/locations/global/workloadIdentityPools/github-d8bck/providers/github-d8bck'
service_account: apollosolutions-rhai-test@platform-mgmt-service-e0izz.iam.gserviceaccount.com
project_id: platform-cross-environment
# Gets some secrets from Google Secret Manager.
- id: gsm-secrets
uses: 'google-github-actions/get-secretmanager-secrets@v2'
with:
# The format of each line here is OUTPUTNAME:PROJECT/SECRET; you can
# read the secrets later in this file with
# `steps.gsm-secrets.outputs.OUTPUTNAME`. These secrets are created in
# the `argo` resource in the `domain-deployment` repository.
secrets: |-
MACOS_CERT_BUNDLE_PASSWORD:platform-mgmt-secrets-3xnc4/apollosolutions-rhai-test-MACOS_CERT_BUNDLE_PASSWORD
MACOS_CERT_BUNDLE_BASE64:platform-mgmt-secrets-3xnc4/apollosolutions-rhai-test-MACOS_CERT_BUNDLE_BASE64
MACOS_NOTARIZATION_PASSWORD:platform-mgmt-secrets-3xnc4/apollosolutions-rhai-test-MACOS_NOTARIZATION_PASSWORD
MACOS_KEYCHAIN_PASSWORD:platform-mgmt-secrets-3xnc4/apollosolutions-rhai-test-MACOS_KEYCHAIN_PASSWORD
- name: Build
run: cargo build --release --target ${{ matrix.target }}
- name: Sign Apple Binary
run: |
MACOS_CERT_BUNDLE_PASSWORD=${{steps.gsm-secrets.outputs.MACOS_CERT_BUNDLE_PASSWORD}}
MACOS_CERT_BUNDLE_BASE64=${{steps.gsm-secrets.outputs.MACOS_CERT_BUNDLE_BASE64}}
MACOS_NOTARIZATION_PASSWORD=${{steps.gsm-secrets.outputs.MACOS_NOTARIZATION_PASSWORD}}
MACOS_KEYCHAIN_PASSWORD=${{steps.gsm-secrets.outputs.MACOS_KEYCHAIN_PASSWORD}}
APPLE_TEAM_ID="YQK948L752"
APPLE_USERNAME="[email protected]"
VERSION=${{ needs.get-version.outputs.version }}
BINARY_PATH=target/${{ matrix.target }}/release/${{ env.archive_name }}
ENTITLEMENTS_PATH="public/macos-entitlements.plist"
# Create a temporary keychain
KEYCHAIN_NAME="rhaitest-keychain"
mkdir $KEYCHAIN_NAME
echo "Creating keychain..."
security create-keychain -p "${MACOS_KEYCHAIN_PASSWORD}" $KEYCHAIN_NAME
echo "Removing relock timeout on keychain..."
security set-keychain-settings $KEYCHAIN_NAME
echo "Decoding certificate bundle..."
echo "${MACOS_CERT_BUNDLE_BASE64}" | base64 --decode > $KEYCHAIN_NAME/certificate.p12
echo "Importing codesigning certificate to build keychain..."
security import $KEYCHAIN_NAME/certificate.p12 -k $KEYCHAIN_NAME -P "${MACOS_CERT_BUNDLE_PASSWORD}" -T /usr/bin/codesign
echo "Adding the codesign tool to the security partition-list..."
security set-key-partition-list -S "apple-tool:,apple:,codesign:" -s -k "${MACOS_KEYCHAIN_PASSWORD}" $KEYCHAIN_NAME
echo "Setting default keychain..."
security default-keychain -d user -s $KEYCHAIN_NAME
echo "Unlocking keychain..."
security unlock-keychain -p "${MACOS_KEYCHAIN_PASSWORD}" $KEYCHAIN_NAME
echo "Verifying keychain is set up correctly..."
security find-identity -v -p codesigning
# Sign the binary
echo "Signing code (step 1)..."
codesign --sign "$APPLE_TEAM_ID" --options runtime --entitlements $ENTITLEMENTS_PATH --force --timestamp "$BINARY_PATH" -v
echo "Signing code (step 2)..."
codesign -vvv --deep --strict "$BINARY_PATH"
echo "Zipping dist..."
mkdir "$KEYCHAIN_NAME/dist"
cp "$BINARY_PATH" "$KEYCHAIN_NAME/dist/rhaitest"
zip -r "$KEYCHAIN_NAME/rhaitest-$VERSION.zip" "$KEYCHAIN_NAME/dist"
echo "Beginning notarization process..."
xcrun notarytool submit "$KEYCHAIN_NAME/rhaitest-$VERSION.zip" --apple-id "$APPLE_USERNAME" --password "$MACOS_NOTARIZATION_PASSWORD" --team-id "$APPLE_TEAM_ID" --wait --timeout 20m