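---
# Composite action: import a Developer ID certificate into a temporary keychain,
# codesign the given paths, submit a ZIP of them to Apple's notary service and
# verify the result, then dispose of the keychain.
#
# Every step that runs a shell receives the action inputs through `env:` and
# reads them as "$VAR". The original expanded `${{ inputs.* }}` directly into the
# script text, so an input containing quotes, `$(...)`, backticks or newlines was
# spliced into the bash source before it was parsed and could change the command
# being run; as an environment variable the value is only ever data.
name: "Codesign and Notarize"
description: "A GitHub Action to codesign and notarize macOS applications."
inputs:
  certificate:
    description: "The certificate for signing."
    required: true
  certificate-password:
    description: "The password for the certificate."
    required: true
  username:
    description: "The Apple ID username to use for notarization."
    required: true
  password:
    description: "The Apple ID password to use for notarization."
    required: true
  apple-team-id:
    description: "The Apple Team ID to use for signing and notarization."
    required: true
  app-path:
    description: "The paths to the application to sign and notarize. One on each line."
    required: true
  entitlements-path:
    description: "The path to the entitlements file to use for signing."
    required: false
    default: ""
runs:
  using: "composite"
  steps:
    - name: Check that we are on macOS
      # GitHub compares expression strings case-insensitively, so 'macos' matches runner.os 'macOS'.
      if: ${{ runner.os != 'macos' }}
      shell: bash
      run: |
        echo "This action only works on macOS."
        exit 1

    - name: Check that all inputs are given and non-empty
      shell: bash
      env:
        CERTIFICATE: ${{ inputs.certificate }}
        CERTIFICATE_PASSWORD: ${{ inputs.certificate-password }}
        USERNAME: ${{ inputs.username }}
        PASSWORD: ${{ inputs.password }}
        APPLE_TEAM_ID: ${{ inputs.apple-team-id }}
        APP_PATH: ${{ inputs.app-path }}
      run: |
        set -e
        # $1 = input name as shown in the error message, $2 = its value.
        require() {
          if [[ -z "$2" ]]; then
            echo "Input $1 is missing."
            exit 1
          fi
        }
        require certificate "$CERTIFICATE"
        require certificate-password "$CERTIFICATE_PASSWORD"
        require username "$USERNAME"
        require password "$PASSWORD"
        require apple-team-id "$APPLE_TEAM_ID"
        require app-path "$APP_PATH"

    - name: Install dependencies
      shell: bash
      run: |
        brew install zip

    - name: Import signing keychain
      uses: apple-actions/import-codesign-certs@v3
      with:
        keychain: signing_temp
        p12-file-base64: ${{ inputs.certificate }}
        p12-password: ${{ inputs.certificate-password }}

    - name: Code sign
      shell: bash
      env:
        APPLE_TEAM_ID: ${{ inputs.apple-team-id }}
        APP_PATH: ${{ inputs.app-path }}
        ENTITLEMENTS_PATH: ${{ inputs.entitlements-path }}
      run: |
        # Fail early unless a "Developer ID Application" identity for this team
        # is present in the temporary keychain (pipefail makes a missing match fatal).
        security find-identity -v signing_temp.keychain \
          | grep -F -- "$APPLE_TEAM_ID" \
          | grep -F "Developer ID Application"
        # Optional entitlements: build the argument list here instead of exporting
        # a pre-quoted string through GITHUB_ENV, so the path is passed as one word.
        entitlements_args=()
        if [[ -n "$ENTITLEMENTS_PATH" ]]; then
          entitlements_args=(--entitlements "$ENTITLEMENTS_PATH")
        fi
        # One path per line; blank lines are dropped so xargs never receives an empty argument.
        printf '%s\n' "$APP_PATH" | grep -v '^[[:space:]]*$' | tr '\n' '\0' | xargs -0 -r \
          codesign --keychain signing_temp.keychain --force --deep \
            --sign "$APPLE_TEAM_ID" "${entitlements_args[@]}" --options=runtime

    - name: Create a tmp directory
      id: tmp
      shell: bash
      run: |
        echo "path=$(mktemp -d -t sign_notarize.XXXXXXXXXX)" >> "$GITHUB_OUTPUT"

    - name: Create a ZIP
      id: zip
      shell: bash
      env:
        APP_PATH: ${{ inputs.app-path }}
        TMP: ${{ steps.tmp.outputs.path }}
      run: |
        ZIP_PATH="$TMP/app.zip"
        # -r: recurse into .app bundles (without it zip stores only the directory
        # entry); -y: keep symlinks as symlinks instead of duplicating their targets.
        printf '%s\n' "$APP_PATH" | grep -v '^[[:space:]]*$' | tr '\n' '\0' | xargs -0 -r \
          zip -r -y "$ZIP_PATH"
        echo "zip_path=$ZIP_PATH" >> "$GITHUB_OUTPUT"

    - name: Notarize
      shell: bash
      env:
        TMP: ${{ steps.tmp.outputs.path }}
        ZIP_PATH: ${{ steps.zip.outputs.zip_path }}
        APPLE_ID: ${{ inputs.username }}
        APPLE_PASSWORD: ${{ inputs.password }}
        APPLE_TEAM_ID: ${{ inputs.apple-team-id }}
      run: |
        xcrun notarytool submit \
          "$ZIP_PATH" \
          --wait \
          --apple-id "$APPLE_ID" \
          --password "$APPLE_PASSWORD" \
          --team-id "$APPLE_TEAM_ID" \
          --output-format json \
          | tee "$TMP/out.json"
        # --wait returns once the submission is processed; only an Accepted
        # status may pass, anything else (Invalid, Rejected) fails the step.
        grep -q "Accepted" "$TMP/out.json"

    - name: Check notarization
      shell: bash
      env:
        APP_PATH: ${{ inputs.app-path }}
      run: |
        # See https://developer.apple.com/forums/thread/130560
        printf '%s\n' "$APP_PATH" | grep -v '^[[:space:]]*$' | tr '\n' '\0' | xargs -0 -r \
          codesign -vvvv -R="notarized" --check-notarization

    - name: Cleanup keychain
      if: always() # Always run this step to ensure the keychain is properly disposed of.
      shell: bash
      run: |
        # Don't fail if the keychain doesn't exist.
        security delete-keychain signing_temp.keychain || true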