Update build pipeline to notarize macOS releases

Author: conradev

.github/actions/archive/action.yml

@@ -29,11 +29,12 @@ runs:
       xcodebuild clean archive \
         -allowProvisioningUpdates \
         -allowProvisioningDeviceRegistration \
+        -skipPackagePluginValidation \
+        -skipMacroValidation \
+        -onlyUsePackageVersionsFromResolvedFile \
         -authenticationKeyID ${{ inputs.app-store-key-id }} \
         -authenticationKeyIssuerID ${{ inputs.app-store-key-issuer-id }} \
         -authenticationKeyPath "${PWD}/AuthKey_${{ inputs.app-store-key-id }}.p8" \
-        -onlyUsePackageVersionsFromResolvedFile \
-        -skipPackagePluginValidation \
         -scheme '${{ inputs.scheme }}' \
         -destination '${{ inputs.destination }}' \
         -archivePath '${{ inputs.archive-path }}' \

.github/actions/build-for-testing/action.yml

@@ -26,11 +26,12 @@ runs:
       xcodebuild build-for-testing \
         -allowProvisioningUpdates \
         -allowProvisioningDeviceRegistration \
+        -skipPackagePluginValidation \
+        -skipMacroValidation \
+        -onlyUsePackageVersionsFromResolvedFile \
         -authenticationKeyID ${{ inputs.app-store-key-id }} \
         -authenticationKeyIssuerID ${{ inputs.app-store-key-issuer-id }} \
         -authenticationKeyPath "${PWD}/AuthKey_${{ inputs.app-store-key-id }}.p8" \
-        -onlyUsePackageVersionsFromResolvedFile \
-        -skipPackagePluginValidation \
         -scheme '${{ inputs.scheme }}' \
         -destination '${{ inputs.destination }}' \
         -resultBundlePath BuildResults.xcresult

.github/actions/import-cert/action.yml

@@ -11,29 +11,16 @@ runs:
   steps:
   - shell: bash
     run: |
-      security list-keychains -d user -s login.keychain Developer.keychain
-
-      if [[ ! -f "$HOME/Library/Keychains/Developer.keychain-db" ]]; then
-        security create-keychain -p "${{ inputs.password }}" Developer.keychain
-        security set-keychain-settings -lut 21600 Developer.keychain
-
-        for CERT_INDEX in {2..8}; do
-          CERT_FILE=AppleWWDRCAG${CERT_INDEX}.cer
-          curl --proto '=https' --tlsv1.2 -sSOf "https://www.apple.com/certificateauthority/$CERT_FILE"
-          security import $CERT_FILE -k Developer.keychain -f openssl
-          rm $CERT_FILE
-        done
-      fi
-
-      security unlock-keychain -p "${{ inputs.password }}" Developer.keychain
-
       echo -n "${{ inputs.certificate }}" | base64 -d > Developer.p12
+      security create-keychain -p password Developer.keychain
+      security set-keychain-settings -lut 21600 Developer.keychain
+      security unlock-keychain -p password Developer.keychain
       security import Developer.p12 \
         -k Developer.keychain \
         -f pkcs12 \
         -A \
         -T /usr/bin/codesign \
         -T /usr/bin/security \
-        -P "${{ inputs.password }}"
-
-      security set-key-partition-list -S apple-tool:,apple: -k "${{ inputs.password }}" Developer.keychain
+        -P ${{ inputs.password }}
+      security set-key-partition-list -S apple-tool:,apple: -k password Developer.keychain
+      security list-keychains -d user -s login.keychain Developer.keychain

.github/actions/notarize/action.yml

@@ -28,34 +28,32 @@ runs:
     run: |
       echo "${{ inputs.app-store-key }}" > AuthKey_${{ inputs.app-store-key-id }}.p8
 
-      echo '{"destination":"upload","method":"developer-id"}' \
+      echo '{"destination":"export","method":"developer-id"}' \
         | plutil -convert xml1 -o ExportOptions.plist -
 
-      xcodebuild \
-        -exportArchive \
+      xcodebuild -exportArchive \
         -allowProvisioningUpdates \
         -allowProvisioningDeviceRegistration \
+        -skipPackagePluginValidation \
+        -skipMacroValidation \
+        -onlyUsePackageVersionsFromResolvedFile \
         -authenticationKeyID ${{ inputs.app-store-key-id }} \
         -authenticationKeyIssuerID ${{ inputs.app-store-key-issuer-id }} \
         -authenticationKeyPath "${PWD}/AuthKey_${{ inputs.app-store-key-id }}.p8" \
         -archivePath '${{ inputs.archive-path }}' \
+        -exportPath Release \
         -exportOptionsPlist ExportOptions.plist
 
-      until xcodebuild \
-        -exportNotarizedApp \
-        -allowProvisioningUpdates \
-        -allowProvisioningDeviceRegistration \
-        -authenticationKeyID ${{ inputs.app-store-key-id }} \
-        -authenticationKeyIssuerID ${{ inputs.app-store-key-issuer-id }} \
-        -authenticationKeyPath "${PWD}/AuthKey_${{ inputs.app-store-key-id }}.p8" \
-        -archivePath '${{ inputs.archive-path }}' \
-        -exportPath Release
-      do
-        echo "Failed to export app, trying again in 10s..."
-        sleep 10
-      done
+      rm ExportOptions.plist
+
+      ditto -c -k --keepParent Release/${{ inputs.product-name }} Upload.zip
+      SUBMISSION_ID=$(xcrun notarytool submit --issuer ${{ inputs.app-store-key-issuer-id }} --key-id ${{ inputs.app-store-key-id }} --key "${PWD}/AuthKey_${{ inputs.app-store-key-id }}.p8" Upload.zip | awk '/ id:/ { print $2; exit }')
+
+      xcrun notarytool wait $SUBMISSION_ID --issuer ${{ inputs.app-store-key-issuer-id }} --key-id ${{ inputs.app-store-key-id }} --key "${PWD}/AuthKey_${{ inputs.app-store-key-id }}.p8"
+      xcrun stapler staple Release/${{ inputs.product-name }}
 
       aa archive -a lzma -b 8m -d Release -subdir ${{ inputs.product-name }} -o ${{ inputs.product-name }}.aar
-      echo "notarized-app=Apple/${{ inputs.product-name }}.aar" >> $GITHUB_OUTPUT
 
-      rm -rf AuthKey_${{ inputs.app-store-key-id }}.p8 Release ExportOptions.plist
+      rm -rf Upload.zip Release AuthKey_${{ inputs.app-store-key-id }}.p8 ExportOptions.plist
+
+      echo "notarized-app=Apple/${{ inputs.product-name }}.aar" >> $GITHUB_OUTPUT

.github/workflows/build-apple.yml

@@ -8,18 +8,18 @@ on:
     - "*"
 jobs:
   build:
-    name: Build (${{ matrix.configuration['platform'] }})
+    name: Build (${{ matrix.platform }})
     runs-on: macos-13
     strategy:
       fail-fast: false
       matrix:
-        configuration:
+        include:
         - scheme: App
           destination: generic/platform=iOS
           platform: iOS
           sdk-name: iphoneos
         - scheme: App
-          destination: platform=iOS Simulator,OS=17.0,name=iPhone 14 Pro
+          destination: platform=iOS Simulator,OS=17.2,name=iPhone 14 Pro
           platform: iOS Simulator
           sdk-name: iphonesimulator
           xcode-unit-test: UnitTests
@@ -33,7 +33,7 @@ jobs:
           xcode-ui-test: UITests-macOS
           gradle-test: macosX64Test
     env:
-      DEVELOPER_DIR: /Applications/Xcode_15.0.app/Contents/Developer
+      DEVELOPER_DIR: /Applications/Xcode_15.2.app/Contents/Developer
     steps:
     - name: Checkout
       uses: actions/checkout@v3
@@ -60,44 +60,44 @@ jobs:
         password: ${{ secrets.DEVELOPER_CERT_PASSWORD }}
     - name: Build External Libraries
       shell: bash
-      run: External/build-darwin.sh ${{ matrix.configuration['sdk-name'] }}
+      run: External/build-darwin.sh ${{ matrix.sdk-name }}
     - name: Build
       id: build
       uses: ./.github/actions/build-for-testing
       with:
-        scheme: ${{ matrix.configuration['scheme'] }}
-        destination: ${{ matrix.configuration['destination'] }}
+        scheme: ${{ matrix.scheme }}
+        destination: ${{ matrix.destination }}
         app-store-key: ${{ secrets.APPSTORE_KEY }}
         app-store-key-id: ${{ secrets.APPSTORE_KEY_ID }}
         app-store-key-issuer-id: ${{ secrets.APPSTORE_KEY_ISSUER_ID }}
     - name: Xcode Unit Test
-      if: ${{ matrix.configuration['xcode-unit-test'] != '' }}
+      if: ${{ matrix.xcode-unit-test != '' }}
       continue-on-error: true
       uses: ./.github/actions/test-without-building
       with:
-        scheme: ${{ matrix.configuration['scheme'] }}
-        destination: ${{ matrix.configuration['destination'] }}
-        test-plan: ${{ matrix.configuration['xcode-unit-test'] }}
-        artifact-prefix: unit-tests-${{ matrix.configuration['sdk-name'] }}
-        check-name: Xcode Unit Tests (${{ matrix.configuration['platform'] }})
+        scheme: ${{ matrix.scheme }}
+        destination: ${{ matrix.destination }}
+        test-plan: ${{ matrix.xcode-unit-test }}
+        artifact-prefix: unit-tests-${{ matrix.sdk-name }}
+        check-name: Xcode Unit Tests (${{ matrix.platform }})
     - name: Build Kotlin Tests
-      if: ${{ matrix.configuration['gradle-test'] != '' }}
+      if: ${{ matrix.gradle-test != '' }}
       shell: bash
-      run: ./gradlew :Shared:${{ matrix.configuration['gradle-test'] }}Klibrary
+      run: ./gradlew :Shared:${{ matrix.gradle-test }}Klibrary
     - name: Kotlin Unit Test
-      if: ${{ matrix.configuration['gradle-test'] != '' }}
+      if: ${{ matrix.gradle-test != '' }}
       continue-on-error: true
       uses: ./.github/actions/gradle-test
       with:
-        task: :Shared:${{ matrix.configuration['gradle-test'] }}
-        check-name: Kotlin Tests (${{ matrix.configuration['platform'] }})
+        task: :Shared:${{ matrix.gradle-test }}
+        check-name: Kotlin Tests (${{ matrix.platform }})
     - name: Xcode UI Test
-      if: ${{ matrix.configuration['xcode-ui-test'] != '' }}
+      if: ${{ matrix.xcode-ui-test != '' }}
       continue-on-error: true
       uses: ./.github/actions/test-without-building
       with:
-        scheme: ${{ matrix.configuration['scheme'] }}
-        destination: ${{ matrix.configuration['destination'] }}
-        test-plan: ${{ matrix.configuration['xcode-ui-test'] }}
-        artifact-prefix: ui-tests-${{ matrix.configuration['sdk-name'] }}
-        check-name: Xcode UI Tests (${{ matrix.configuration['platform'] }})
+        scheme: ${{ matrix.scheme }}
+        destination: ${{ matrix.destination }}
+        test-plan: ${{ matrix.xcode-ui-test }}
+        artifact-prefix: ui-tests-${{ matrix.sdk-name }}
+        check-name: Xcode UI Tests (${{ matrix.platform }})

.github/workflows/release-apple.yml

@@ -5,26 +5,22 @@ on:
     - created
 jobs:
   build:
-    name: Build ${{ matrix.configuration['platform'] }} Release
+    name: Build ${{ matrix.platform }} Release
     runs-on: macos-13
     strategy:
       fail-fast: false
       matrix:
-        configuration:
+        include:
         - scheme: App
           build-destination: generic/platform=iOS
           platform: iOS
-          method: ad-hoc
-          export-destination: export
           artifact-file: Apple/Release/Wallet.ipa
         - scheme: App (macOS)
           build-destination: generic/platform=macOS
           platform: macOS
-          method: developer-id
-          export-destination: upload
           artifact-file: Apple/Wallet.app.aar
     env:
-      DEVELOPER_DIR: /Applications/Xcode_15.0.app/Contents/Developer
+      DEVELOPER_DIR: /Applications/Xcode_15.2.app/Contents/Developer
     steps:
     - name: Checkout
       uses: actions/checkout@v3
@@ -47,32 +43,33 @@ jobs:
     - name: Import Certificate
       uses: ./.github/actions/import-cert
       with:
-        certificate: ${{ secrets.DEVELOPER_ID_CERT }}
-        password: ${{ secrets.DEVELOPER_ID_CERT_PASSWORD }}
+        certificate: ${{ secrets.DEVELOPER_CERT }}
+        password: ${{ secrets.DEVELOPER_CERT_PASSWORD }}
     - name: Build External Libraries
       shell: bash
-      run: External/build-darwin.sh ${{ matrix.configuration['sdk-name'] }}
+      run: External/build-darwin.sh ${{ matrix.sdk-name }}
     - name: Archive
       uses: ./.github/actions/archive
       with:
-        scheme: ${{ matrix.configuration['scheme'] }}
-        destination: ${{ matrix.configuration['build-destination'] }}
+        scheme: ${{ matrix.scheme }}
+        destination: ${{ matrix.build-destination }}
         app-store-key: ${{ secrets.APPSTORE_KEY }}
         app-store-key-id: ${{ secrets.APPSTORE_KEY_ID }}
         app-store-key-issuer-id: ${{ secrets.APPSTORE_KEY_ISSUER_ID }}
         archive-path: Wallet.xcarchive
     - name: Export
+      if: ${{ matrix.platform == 'iOS' }}
       uses: ./.github/actions/export
       with:
-        method: ${{ matrix.configuration['method'] }}
-        destination: ${{ matrix.configuration['export-destination'] }}
+        method: ad-hoc
+        destination: export
         app-store-key: ${{ secrets.APPSTORE_KEY }}
         app-store-key-id: ${{ secrets.APPSTORE_KEY_ID }}
         app-store-key-issuer-id: ${{ secrets.APPSTORE_KEY_ISSUER_ID }}
         archive-path: Wallet.xcarchive
         export-path: Release
     - name: Notarize
-      if: ${{ matrix.configuration['platform'] == 'macOS' }}
+      if: ${{ matrix.platform == 'macOS' }}
       uses: ./.github/actions/notarize
       with:
         app-store-key: ${{ secrets.APPSTORE_KEY }}
@@ -84,5 +81,6 @@ jobs:
       uses: SierraSoftworks/[email protected]
       with:
         token: ${{ secrets.GITHUB_TOKEN }}
+        release_tag: ${{ github.ref_name }}
         overwrite: 'false'
-        files: ${{ matrix.configuration['artifact-file'] }}
+        files: ${{ matrix.artifact-file }}