-
Notifications
You must be signed in to change notification settings - Fork 0
110 lines (105 loc) · 4.5 KB
/
publish.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
name: Publish distributables into new GitHub release
on:
workflow_dispatch:
jobs:
mac:
strategy:
matrix:
app: [hostd, renterd]
runs-on: macos-latest
steps:
- uses: actions/checkout@v4
- name: Setup
uses: ./.github/actions/setup
with:
node_version: 20.10.0
- name: Setup signing
env:
APPLE_CERT_ID: ${{ secrets.APPLE_CERT_ID }}
APPLE_API_KEY: ${{ secrets.APPLE_API_KEY }}
APPLE_API_ISSUER: ${{ secrets.APPLE_API_ISSUER }}
APPLE_KEY_B64: ${{ secrets.APPLE_KEY_B64 }}
APPLE_CERT_B64: ${{ secrets.APPLE_CERT_B64 }}
APPLE_CERT_PASSWORD: ${{ secrets.APPLE_CERT_PASSWORD }}
APPLE_KEYCHAIN_PASSWORD: ${{ secrets.APPLE_KEYCHAIN_PASSWORD }}
run: |
# extract apple cert
APPLE_CERT_PATH=$RUNNER_TEMP/apple_cert.p12
KEYCHAIN_PATH=$RUNNER_TEMP/app-signing.keychain-db
echo -n "$APPLE_CERT_B64" | base64 --decode --output $APPLE_CERT_PATH
# extract apple key
mkdir -p ~/private_keys
APPLE_API_KEY_PATH=~/private_keys/AuthKey_$APPLE_API_KEY.p8
echo "APPLE_API_KEY_PATH=$APPLE_API_KEY_PATH" >> $GITHUB_ENV
echo -n "$APPLE_KEY_B64" | base64 --decode --output $APPLE_API_KEY_PATH
# create temp keychain
security create-keychain -p "$APPLE_KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
security default-keychain -s $KEYCHAIN_PATH
security set-keychain-settings -lut 21600 $KEYCHAIN_PATH
security unlock-keychain -p "$APPLE_KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
# import keychain
security import $APPLE_CERT_PATH -P $APPLE_CERT_PASSWORD -A -t cert -f pkcs12 -k $KEYCHAIN_PATH
security find-identity -v $KEYCHAIN_PATH -p codesigning
security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k $APPLE_KEYCHAIN_PASSWORD $KEYCHAIN_PATH
- name: Build
run: yarn workspace ${{ matrix.app }} build
shell: bash
- name: Package executable bundles, sign and notarize, make and publish distributables
env:
APPLE_API_KEY: ${{ secrets.APPLE_API_KEY }}
APPLE_API_ISSUER: ${{ secrets.APPLE_API_ISSUER }}
APPLE_API_KEY_PATH: ${{ env.APPLE_API_KEY_PATH }}
BUCKET_ACCESS_KEY_ID: ${{ secrets.BUCKET_ACCESS_KEY_ID }}
BUCKET_SECRET_ACCESS_KEY: ${{ secrets.BUCKET_SECRET_ACCESS_KEY }}
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: yarn workspace ${{ matrix.app }} publish --arch=arm64,x64
shell: bash
linux:
strategy:
matrix:
app: [hostd, renterd]
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Setup
uses: ./.github/actions/setup
with:
node_version: 20.10.0
- name: Build
run: yarn workspace ${{ matrix.app }} build
shell: bash
- name: Package executable bundles, make and publish distributables
env:
BUCKET_ACCESS_KEY_ID: ${{ secrets.BUCKET_ACCESS_KEY_ID }}
BUCKET_SECRET_ACCESS_KEY: ${{ secrets.BUCKET_SECRET_ACCESS_KEY }}
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: yarn workspace ${{ matrix.app }} publish --arch=arm64,x64
shell: bash
windows:
strategy:
matrix:
app: [hostd, renterd]
runs-on: windows-latest
steps:
- uses: actions/checkout@v4
- name: Setup
uses: ./.github/actions/setup
with:
node_version: 20.10.0
- name: Setup signing
run: dotnet tool install --global AzureSignTool
- name: Build
run: yarn workspace ${{ matrix.app }} build
shell: bash
- name: Package executable bundles, sign and notarize, make and publish distributables
env:
BUCKET_ACCESS_KEY_ID: ${{ secrets.BUCKET_ACCESS_KEY_ID }}
BUCKET_SECRET_ACCESS_KEY: ${{ secrets.BUCKET_SECRET_ACCESS_KEY }}
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
yarn workspace ${{ matrix.app }} publish --arch=x64
# #TODO: probably not correct
# APP_PATH="out/${{ matrix.app }}-win32-x64/${{ matrix.app }}.app"
# BINARY_PATH="$APP_PATH/Contents/Windows/${{ matrix.app }}.exe"
# azuresigntool sign -kvu "${{ secrets.AZURE_KEY_VAULT_URI }}" -kvi "${{ secrets.AZURE_CLIENT_ID }}" -kvt "${{ secrets.AZURE_TENANT_ID }}" -kvs "${{ secrets.AZURE_CLIENT_SECRET }}" -kvc ${{ secrets.AZURE_CERT_NAME }} -tr http://timestamp.digicert.com -v $BINARY_PATH
shell: bash