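# Release workflow for Dash Evo Tool.
#
# One matrix job builds the binary for every target, signs/notarizes/staples
# the macOS artifacts, attests build provenance for each artifact and uploads
# it; a second job collects the artifacts and publishes the GitHub release.
name: Release Dash Evo Tool

on:  # yamllint disable-line rule:truthy
  push:
    tags:
      - 'v*'
      - 'v*-dev.*'
  release:
    types:
      - published
  workflow_dispatch:
    inputs:
      tag:
        description: "Version (i.e. v0.1.0)"
        required: true

# Permissions are granted per job (least privilege): only the build job needs
# the OIDC token and attestation scope, and only the release job needs to
# write repository contents.

jobs:
  build-and-release:
    name: Build and Release Dash Evo Tool
    permissions:
      contents: read
      id-token: write       # needed by actions/attest-build-provenance
      attestations: write   # needed by actions/attest-build-provenance
    strategy:
      matrix:
        include:
          - name: "linux-x86_64"
            runs-on: "ubuntu-20.04"
            target: "x86_64-unknown-linux-gnu"
            platform: "x86_64-linux"
            release-ext: "zip"
          - name: "linux-arm64"
            runs-on: ["self-hosted", "Linux", "ARM64", "ubuntu20.04"]  # label set for the ARM64 runner
            target: "aarch64-unknown-linux-gnu"
            platform: "arm64-linux"
            release-ext: "zip"
          - name: "macos-x86_64"
            runs-on: "macos-13"
            target: "x86_64-apple-darwin"
            platform: "x86_64-mac"
            release-ext: "dmg"
          - name: "macos-arm64"
            runs-on: "macos-latest"
            target: "aarch64-apple-darwin"
            platform: "arm64-mac"
            release-ext: "dmg"
          - name: "Windows"
            # Windows is cross-compiled with mingw on a Linux runner.
            runs-on: "ubuntu-20.04"
            target: "x86_64-pc-windows-gnu"
            platform: "windows"
            ext: ".exe"
            release-ext: "zip"
    runs-on: ${{ matrix.runs-on }}
    steps:
      - name: Check out code
        uses: actions/checkout@v4

      - name: Cache Cargo registry
        uses: actions/cache@v4
        with:
          path: |
            ~/.cargo/registry
            ~/.cargo/git
            target
          # `target` holds per-target build output, so the key includes
          # matrix.target; runner.os alone would share one cache between the
          # x86_64 Linux, ARM64 Linux and Windows (cross-compiled on Linux) builds.
          key: ${{ runner.os }}-${{ matrix.target }}-cargo-${{ hashFiles('**/Cargo.lock') }}
          restore-keys: |
            ${{ runner.os }}-${{ matrix.target }}-cargo-

      - name: Setup prerequisites
        run: |
          mkdir -p dash-evo-tool/
          cp .env.example dash-evo-tool/.env
          cp -r dash_core_configs/ dash-evo-tool/dash_core_configs

      - name: Install Rust toolchain
        uses: actions-rs/toolchain@v1
        with:
          toolchain: stable
          target: ${{ matrix.target }}
          override: true

      - name: Install essentials
        if: ${{ runner.os == 'Linux' }}
        # NOTE(review): the trailing `cargo clean` discards the `target`
        # directory just restored by the cache step, so only the registry/git
        # caches are effective — kept as written; confirm this is intended.
        run: sudo apt-get update && sudo apt-get install -y build-essential pkg-config clang cmake unzip libsqlite3-dev gcc-mingw-w64 mingw-w64 mingw-w64-x86-64-dev gcc-aarch64-linux-gnu zip && uname -a && cargo clean

      - name: Install protoc (ARM)
        # Select by target like the sibling protoc steps; the previous
        # `matrix.platform == 'arm64'` never matched the "arm64-linux" value,
        # so this step was dead.
        if: ${{ matrix.target == 'aarch64-unknown-linux-gnu' }}
        run: curl -OL https://github.com/protocolbuffers/protobuf/releases/download/v25.2/protoc-25.2-linux-aarch_64.zip && sudo unzip -o protoc-25.2-linux-aarch_64.zip -d /usr/local bin/protoc && sudo unzip -o protoc-25.2-linux-aarch_64.zip -d /usr/local 'include/*' && rm -f protoc-25.2-linux-aarch_64.zip
        env:
          PROTOC: /usr/local/bin/protoc

      - name: Install protoc (AMD)
        if: ${{ matrix.target == 'x86_64-unknown-linux-gnu' }}
        run: curl -OL https://github.com/protocolbuffers/protobuf/releases/download/v25.2/protoc-25.2-linux-x86_64.zip && sudo unzip -o protoc-25.2-linux-x86_64.zip -d /usr/local bin/protoc && sudo unzip -o protoc-25.2-linux-x86_64.zip -d /usr/local 'include/*' && rm -f protoc-25.2-linux-x86_64.zip
        env:
          PROTOC: /usr/local/bin/protoc

      - name: Install protoc (Windows)
        # The Windows target is built on a Linux host, so the Linux protoc is correct here.
        if: ${{ matrix.target == 'x86_64-pc-windows-gnu' }}
        run: curl -OL https://github.com/protocolbuffers/protobuf/releases/download/v25.2/protoc-25.2-linux-x86_64.zip && sudo unzip -o protoc-25.2-linux-x86_64.zip -d /usr/local bin/protoc && sudo unzip -o protoc-25.2-linux-x86_64.zip -d /usr/local 'include/*' && rm -f protoc-25.2-linux-x86_64.zip
        env:
          PROTOC: /usr/local/bin/protoc

      - name: Install protoc (Mac x64)
        if: ${{ matrix.target == 'x86_64-apple-darwin' }}
        run: curl -OL https://github.com/protocolbuffers/protobuf/releases/download/v25.2/protoc-25.2-osx-x86_64.zip && sudo unzip -o protoc-25.2-osx-x86_64.zip -d /usr/local bin/protoc && sudo unzip -o protoc-25.2-osx-x86_64.zip -d /usr/local 'include/*' && rm -f protoc-25.2-osx-x86_64.zip && uname -a
        env:
          PROTOC: /usr/local/bin/protoc

      - name: Install protoc (Mac ARM)
        if: ${{ matrix.target == 'aarch64-apple-darwin' }}
        run: curl -OL https://github.com/protocolbuffers/protobuf/releases/download/v25.2/protoc-25.2-osx-aarch_64.zip && sudo unzip -o protoc-25.2-osx-aarch_64.zip -d /usr/local bin/protoc && sudo unzip -o protoc-25.2-osx-aarch_64.zip -d /usr/local 'include/*' && rm -f protoc-25.2-osx-aarch_64.zip
        env:
          PROTOC: /usr/local/bin/protoc

      - name: Windows libsql
        if: ${{ matrix.target == 'x86_64-pc-windows-gnu' }}
        run: curl -OL https://www.sqlite.org/2024/sqlite-dll-win-x64-3460100.zip && sudo unzip -o sqlite-dll-win-x64-3460100.zip -d winlibs && sudo chown -R runner:docker winlibs/ && pwd && ls -lah && cd winlibs && x86_64-w64-mingw32-dlltool -d sqlite3.def -l libsqlite3.a && ls -lah && cd ..

      - name: Set VERSION
        # Candidate values are passed through env rather than interpolated
        # into the script with ${{ }} so a crafted input or tag name cannot
        # be executed as shell.
        env:
          EVENT_NAME: ${{ github.event_name }}
          INPUT_TAG: ${{ inputs.tag }}
          RELEASE_TAG: ${{ github.event.release.tag_name }}
          REF_NAME: ${{ github.ref_name }}
        run: |
          if [ "$EVENT_NAME" = "workflow_dispatch" ]; then
            VERSION="$INPUT_TAG"
          elif [ "$EVENT_NAME" = "release" ]; then
            VERSION="$RELEASE_TAG"
          else
            VERSION="$REF_NAME"
          fi
          # VERSION is later handed to scripts/pack.sh as an argument and
          # written to GITHUB_ENV; accept only tag-shaped values
          # (v1.2.3, v1.2.3-dev.4, ...).
          re='^v[0-9]+(\.[0-9]+)*(-[A-Za-z0-9.]+)?$'
          if ! [[ "$VERSION" =~ $re ]]; then
            echo "VERSION is not a valid release tag" >&2
            exit 1
          fi
          echo "VERSION=$VERSION" >> "$GITHUB_ENV"

      - name: Build project
        run: |
          cargo build --release --target ${{ matrix.target }}
          mv target/${{ matrix.target }}/release/dash-evo-tool${{ matrix.ext }} dash-evo-tool/dash-evo-tool${{ matrix.ext }}
        env:
          CC_x86_64_pc_windows_gnu: x86_64-w64-mingw32-gcc
          AR_x86_64_pc_windows_gnu: x86_64-w64-mingw32-ar
          CFLAGS_x86_64_pc_windows_gnu: "-O2"

      # Import the Apple signing certificate into a temporary keychain.
      - name: Install the Apple certificate
        if: contains(matrix.target, 'apple-darwin')
        env:
          BUILD_CERTIFICATE_BASE64: ${{ secrets.APPLE_CERTIFICATE }}
          P12_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
          KEYCHAIN_PASSWORD: ${{ secrets.APPLE_KEYCHAIN_PASSWORD }}
        run: |
          # create variables
          CERTIFICATE_PATH="$RUNNER_TEMP/build_certificate.p12"
          KEYCHAIN_PATH="$RUNNER_TEMP/app-signing.keychain-db"
          # import certificate from secrets
          echo -n "$BUILD_CERTIFICATE_BASE64" | base64 --decode -o "$CERTIFICATE_PATH"
          # create temporary keychain
          security create-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
          security set-keychain-settings -lut 21600 "$KEYCHAIN_PATH"
          security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
          # import certificate to keychain, then drop the decoded .p12 from disk
          security import "$CERTIFICATE_PATH" -P "$P12_PASSWORD" -A -t cert -f pkcs12 -k "$KEYCHAIN_PATH"
          rm -f "$CERTIFICATE_PATH"
          # List the keychains and set the temporary one as default
          security list-keychains -d user -s "$KEYCHAIN_PATH" login.keychain-db
          security default-keychain -s "$KEYCHAIN_PATH"
          # Set key partition list to allow codesign to access the key without prompting.
          # `head -n1` keeps the env file single-line if more than one identity is present.
          CODE_SIGN_IDENTITY=$(security find-identity -v -p codesigning "$KEYCHAIN_PATH" | grep -oE '"(.*)"' | sed 's/"//g' | head -n1)
          security set-key-partition-list -S apple-tool:,apple: -s -k "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
          # Export CODE_SIGN_IDENTITY for use in subsequent steps
          echo "CODE_SIGN_IDENTITY=$CODE_SIGN_IDENTITY" >> "$GITHUB_ENV"

      # Sign the binary for macOS
      - name: Sign binary
        if: contains(matrix.target, 'apple-darwin')
        run: codesign --timestamp --sign "$CODE_SIGN_IDENTITY" dash-evo-tool/dash-evo-tool${{ matrix.ext }}

      # Package release (VERSION was validated in "Set VERSION")
      - name: Package release
        run: |
          "${GITHUB_WORKSPACE}/scripts/pack.sh" "$VERSION" ${{ matrix.platform }} ${{ matrix.ext }}

      # Sign the .dmg for macOS
      - name: Sign .dmg
        if: contains(matrix.target, 'apple-darwin')
        run: codesign --timestamp --sign "$CODE_SIGN_IDENTITY" dist/dash-evo-tool-${{ matrix.platform }}.${{ matrix.release-ext }}

      - name: Verify Code Signing
        if: contains(matrix.target, 'apple-darwin')
        run: |
          codesign --verify --deep --strict --verbose=2 dash-evo-tool/dash-evo-tool${{ matrix.ext }}
          codesign --verify --deep --strict --verbose=2 dist/dash-evo-tool-${{ matrix.platform }}.${{ matrix.release-ext }}

      # Notarize MacOS Release Build using xcrun notarytool.
      # Credentials go through env, not ${{ }} inside the script.
      - name: Notarize MacOS Release Build
        if: contains(matrix.target, 'apple-darwin')
        env:
          APPLE_ID: ${{ secrets.APPLE_ID }}
          APPLE_APP_SPECIFIC_PASSWORD: ${{ secrets.APPLE_APP_SPECIFIC_PASSWORD }}
          APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
        run: |
          xcrun notarytool submit "dist/dash-evo-tool-${{ matrix.platform }}.${{ matrix.release-ext }}" \
            --apple-id "$APPLE_ID" \
            --password "$APPLE_APP_SPECIFIC_PASSWORD" \
            --team-id "$APPLE_TEAM_ID" \
            --wait

      # Staple Notarization Ticket
      - name: Staple Notarization Ticket
        if: contains(matrix.target, 'apple-darwin')
        run: xcrun stapler staple "dist/dash-evo-tool-${{ matrix.platform }}.${{ matrix.release-ext }}"

      # Provenance is attested for the final (signed, stapled) artifact.
      - name: Attest
        uses: actions/attest-build-provenance@v1
        with:
          subject-path: 'dist/dash-evo-tool-${{ matrix.platform }}.${{ matrix.release-ext }}'

      - name: Upload build artifact
        uses: actions/upload-artifact@v4
        with:
          name: dash-evo-tool-${{ matrix.platform }}.${{ matrix.release-ext }}
          path: dist/dash-evo-tool-${{ matrix.platform }}.${{ matrix.release-ext }}

      # Remove the temporary keychain even when an earlier step failed, so the
      # signing key does not outlive the job on a reused runner.
      - name: Clean up keychain
        if: ${{ always() && contains(matrix.target, 'apple-darwin') }}
        run: |
          security delete-keychain "$RUNNER_TEMP/app-signing.keychain-db" || true
          rm -f "$RUNNER_TEMP/build_certificate.p12"

  release:
    name: Create GitHub Release
    needs: build-and-release
    runs-on: ubuntu-latest
    permissions:
      contents: write   # create the release and upload its assets
    steps:
      - name: Download Linux AMD64 Artifact
        uses: actions/download-artifact@v4
        with:
          name: dash-evo-tool-x86_64-linux.zip

      - name: Download Linux Arm64 Artifact
        uses: actions/download-artifact@v4
        with:
          name: dash-evo-tool-arm64-linux.zip

      - name: Download MacOS AMD64 Artifact
        uses: actions/download-artifact@v4
        with:
          name: dash-evo-tool-x86_64-mac.dmg

      - name: Download MacOS ARM64 Artifact
        uses: actions/download-artifact@v4
        with:
          name: dash-evo-tool-arm64-mac.dmg

      - name: Download Windows Artifact
        uses: actions/download-artifact@v4
        with:
          name: dash-evo-tool-windows.zip

      - name: Publish release
        # TODO(review): pin this third-party action to a full commit SHA
        # instead of the moving `v1` tag.
        uses: softprops/action-gh-release@v1
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          # github.event.inputs.tag is only populated for workflow_dispatch;
          # fall back to the release tag or the pushed tag for the other triggers.
          tag_name: ${{ github.event.inputs.tag || github.event.release.tag_name || github.ref_name }}
          files: |
            ./dash-evo-tool-x86_64-linux.zip
            ./dash-evo-tool-arm64-linux.zip
            ./dash-evo-tool-x86_64-mac.dmg
            ./dash-evo-tool-arm64-mac.dmg
            ./dash-evo-tool-windows.zip
          draft: false
          prerelease: true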