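name: Test Building for Apple (option 2)

on: workflow_dispatch

defaults:
  run:
    # necessary for windows
    shell: bash

jobs:
  build-artifacts:
    runs-on: macos-latest
    # Least privilege: the job only needs to read the repository and to mint an
    # OIDC token for Workload Identity Federation.
    permissions:
      contents: read
      id-token: write
    steps:
      # TODO(review): pin third-party actions to a full commit SHA instead of a
      # mutable tag, so a moved or compromised tag cannot change what runs here.
      - uses: actions/checkout@v4

      # Authenticate to GCP using Workload Identity Federation.
      # We set up the WI provider in the `github_actions_federation` resource in the
      # `platform-infrastructure` repository.
      - id: google-auth
        uses: 'google-github-actions/auth@v2'
        with:
          workload_identity_provider: 'projects/865738624352/locations/global/workloadIdentityPools/github-d8bck/providers/github-d8bck'
          service_account: apollosolutions-rhai-test@platform-mgmt-service-e0izz.iam.gserviceaccount.com
          project_id: platform-cross-environment

      # Gets some secrets from Google Secret Manager.
      - id: gsm-secrets
        uses: 'google-github-actions/get-secretmanager-secrets@v2'
        with:
          # The format of each line here is OUTPUTNAME:PROJECT/SECRET; you can
          # read the secrets later in this file with
          # `steps.gsm-secrets.outputs.OUTPUTNAME`. These secrets are created in
          # the `argo` resource in the `domain-deployment` repository.
          secrets: |-
            MACOS_CERT_BUNDLE_PASSWORD:platform-mgmt-secrets-3xnc4/apollosolutions-rhai-test-MACOS_CERT_BUNDLE_PASSWORD
            MACOS_CERT_BUNDLE_BASE64:platform-mgmt-secrets-3xnc4/apollosolutions-rhai-test-MACOS_CERT_BUNDLE_BASE64
            MACOS_NOTARIZATION_PASSWORD:platform-mgmt-secrets-3xnc4/apollosolutions-rhai-test-MACOS_NOTARIZATION_PASSWORD
            MACOS_KEYCHAIN_PASSWORD:platform-mgmt-secrets-3xnc4/apollosolutions-rhai-test-MACOS_KEYCHAIN_PASSWORD

      - name: Sign Apple Binary
        # Secrets are handed to the script through `env:` instead of being
        # interpolated with `${{ }}` inside `run:`. An interpolated value is
        # pasted verbatim into the shell text, so a value containing spaces,
        # quotes or `$` is re-parsed by bash (an unquoted `VAR=${{ ... }}`
        # assignment would break or, for attacker-influenced values, execute).
        # As environment variables they are read by `"${VAR}"` as opaque
        # strings. Only the secrets this step actually reads are exposed to it:
        # the GSM copies of the certificate-bundle secrets and the notarization
        # password are fetched above but not read here.
        env:
          MACOS_CERT_BUNDLE_PASSWORD: ${{ secrets.MACOS_CERT_BUNDLE_PASSWORD }}
          MACOS_CERT_BUNDLE_BASE64: ${{ secrets.MACOS_CERT_BUNDLE_BASE64 }}
          MACOS_KEYCHAIN_PASSWORD: ${{ steps.gsm-secrets.outputs.MACOS_KEYCHAIN_PASSWORD }}
        run: |
          set -euo pipefail

          # Fail early with a clear message if a secret resolved to an empty
          # string; otherwise the failure only surfaces later as an opaque
          # `security import` error on an empty .p12.
          : "${MACOS_CERT_BUNDLE_BASE64:?MACOS_CERT_BUNDLE_BASE64 is empty}"
          : "${MACOS_CERT_BUNDLE_PASSWORD:?MACOS_CERT_BUNDLE_PASSWORD is empty}"
          : "${MACOS_KEYCHAIN_PASSWORD:?MACOS_KEYCHAIN_PASSWORD is empty}"

          # Create a temporary keychain. The decoded .p12 is written to a
          # private scratch directory (not the checked-out workspace) and is
          # deleted as soon as it has been imported, so the private key does
          # not linger on disk. The keychain itself is left in place for the
          # signing steps that follow; add a final `if: always()` step running
          # `security delete-keychain rhaitest-keychain` so it does not outlive
          # the job.
          KEYCHAIN_NAME="rhaitest-keychain"
          SCRATCH_DIR="$(mktemp -d)"
          trap 'rm -rf "${SCRATCH_DIR}"' EXIT
          echo "Creating keychain..."
          security create-keychain -p "${MACOS_KEYCHAIN_PASSWORD}" "${KEYCHAIN_NAME}"
          echo "Removing relock timeout on keychain..."
          security set-keychain-settings "${KEYCHAIN_NAME}"
          echo "Decoding certificate bundle..."
          echo "${MACOS_CERT_BUNDLE_BASE64}" | base64 --decode > "${SCRATCH_DIR}/certificate.p12"
          echo "Importing codesigning certificate to build keychain..."
          security import "${SCRATCH_DIR}/certificate.p12" -k "${KEYCHAIN_NAME}" -P "${MACOS_CERT_BUNDLE_PASSWORD}" -T /usr/bin/codesign
          rm -f "${SCRATCH_DIR}/certificate.p12"
          echo "Adding the codesign tool to the security partition-list..."
          security set-key-partition-list -S "apple-tool:,apple:,codesign:" -s -k "${MACOS_KEYCHAIN_PASSWORD}" "${KEYCHAIN_NAME}"
          echo "Setting default keychain..."
          security default-keychain -d user -s "${KEYCHAIN_NAME}"
          echo "Unlocking keychain..."
          security unlock-keychain -p "${MACOS_KEYCHAIN_PASSWORD}" "${KEYCHAIN_NAME}"
          echo "Verifying keychain is set up correctly..."
          security find-identity -v -p codesigning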