CI: Correctly import signing certificate #29
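# Every 3 hours, and on every push to main: download the latest macOS Sequoia
# IPSW, extract and patch its Metal libraries, build a signed + notarized
# installer package, and publish the results (artifacts always; GitHub Pages
# and a GitHub release only for pushes to main).
name: CI - Patch latest Sequoia metallib's
on:
  schedule:
    - cron: "0 */3 * * *"
  push:
    branches:
      - main

# One in-flight run per (workflow, event, ref); a newer run of the same kind
# cancels the older one. Scheduled and push runs fall into separate groups, so
# a cron run never cancels a release run and vice versa.
concurrency:
  cancel-in-progress: true
  group: ${{ github.workflow }}-${{ github.event_name }}-${{ github.ref }}

jobs:
  build:
    name: CI - Patch latest Sequoia metallib's
    runs-on: macos-latest
    # Least privilege for GITHUB_TOKEN: the only consumer of it in this job is
    # the release step, which needs `contents: write`. The Pages sync uses the
    # separate ACCESS_TOKEN secret. Without an explicit block the token takes
    # the repository default, which is either read-only (release step fails)
    # or write-all (over-privileged for every third-party action below).
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@v4

      - name: Set up Python 3.11
        # v2 runs on a Node runtime that GitHub has retired; v5 is current.
        uses: actions/setup-python@v5
        with:
          # Quoted so YAML cannot reinterpret the version as a float.
          python-version: "3.11"

      # NOTE(review): this action is handed the Developer ID installer
      # certificate and its password, and is referenced by a mutable branch
      # (@master). Anyone who can push to that repository can change what runs
      # with those secrets. Pin it to a full commit SHA and review updates
      # before bumping (no SHA is assumed here; pick one after auditing).
      - name: Import Installer Signing Certificate
        uses: dhinakg/import-codesign-certs@master
        with:
          p12-file-base64: ${{ secrets.ORG_MAC_DEVELOPER_ID_INSTALLER_CERT_P12_BASE64 }}
          p12-password: ${{ secrets.ORG_MAC_DEVELOPER_ID_INSTALLER_CERT_P12_PASSWORD }}

      - name: Install dependencies
        run: python3 -m pip install -r requirements.txt

      # Each pipeline stage prints its result (a path / folder name) on stdout
      # and records it as a step output; an empty result makes every later
      # stage skip via its `if:`. Because the script runs inside a command
      # substitution, a non-zero exit from metallib.py is NOT surfaced as a
      # step failure -- the step succeeds with an empty output and the run
      # ends quietly. TODO(review): confirm that is intended (e.g. "no new
      # IPSW") rather than masking crashes; if not, capture into a variable
      # first (`out="$(python3 …)"` fails the step under bash -e) and echo it.
      - name: Download latest Sequoia IPSW
        id: download
        run: echo "IPSW_FILE=$(python3 metallib.py --download --continuous-integration)" >> "$GITHUB_OUTPUT"

      # Step outputs are handed to the shell through `env:` and expanded as
      # "$VAR" rather than templated into the command with ${{ }}. That keeps
      # the command text constant (no expression injection into the script)
      # and passes the path as a single argument even if it contains spaces.
      - name: Extract system volume
        id: extract
        if: steps.download.outputs.IPSW_FILE != ''
        env:
          IPSW_FILE: ${{ steps.download.outputs.IPSW_FILE }}
        run: echo "DMG_FILE=$(python3 metallib.py --extract "$IPSW_FILE")" >> "$GITHUB_OUTPUT"

      - name: Fetch metal libraries
        id: fetch
        if: steps.extract.outputs.DMG_FILE != ''
        env:
          DMG_FILE: ${{ steps.extract.outputs.DMG_FILE }}
        run: echo "BACKUP_FOLDER=$(python3 metallib.py --fetch "$DMG_FILE")" >> "$GITHUB_OUTPUT"

      - name: Patch metal libraries
        if: steps.fetch.outputs.BACKUP_FOLDER != ''
        env:
          BACKUP_FOLDER: ${{ steps.fetch.outputs.BACKUP_FOLDER }}
        run: python3 metallib.py --patch "$BACKUP_FOLDER"

      - name: Build sys_patch_dict.py
        if: steps.fetch.outputs.BACKUP_FOLDER != ''
        env:
          BACKUP_FOLDER: ${{ steps.fetch.outputs.BACKUP_FOLDER }}
        run: python3 metallib.py --build-sys-patch "$BACKUP_FOLDER" --continuous-integration

      # The signing identity and notarization credentials are scoped to this
      # step only. At job level they were inherited by the environment of every
      # other step, including the third-party actions (certificate import,
      # artifact upload, Pages deploy, release), none of which needs them.
      # They are expanded by the shell ("$VAR"), not templated into the command.
      # NOTE(review): this assumes only the --build-pkg invocation uses these
      # values; if metallib.py reads them from os.environ in other modes, widen
      # the scope back to those steps.
      # NOTE(review): the notarization password is passed as a command-line
      # argument, which is readable by other processes on the runner while the
      # command runs. If metallib.py can take it from the environment or from a
      # notarytool keychain profile, prefer that.
      - name: Build Package
        if: steps.fetch.outputs.BACKUP_FOLDER != ''
        env:
          BACKUP_FOLDER: ${{ steps.fetch.outputs.BACKUP_FOLDER }}
          # PKG Signing
          ORG_MAC_DEVELOPER_ID_INSTALLER_IDENTITY: ${{ secrets.ORG_MAC_DEVELOPER_ID_INSTALLER_IDENTITY }}
          # Notarization
          ORG_MAC_NOTARIZATION_TEAM_ID: ${{ secrets.ORG_MAC_NOTARIZATION_TEAM_ID }}
          ORG_MAC_NOTARIZATION_APPLE_ID: ${{ secrets.ORG_MAC_NOTARIZATION_APPLE_ID }}
          ORG_MAC_NOTARIZATION_PASSWORD: ${{ secrets.ORG_MAC_NOTARIZATION_PASSWORD }}
        run: >-
          python3 metallib.py --build-pkg "$BACKUP_FOLDER"
          --pkg-signing-identity "$ORG_MAC_DEVELOPER_ID_INSTALLER_IDENTITY"
          --notarization-team-id "$ORG_MAC_NOTARIZATION_TEAM_ID"
          --notarization-apple-id "$ORG_MAC_NOTARIZATION_APPLE_ID"
          --notarization-password "$ORG_MAC_NOTARIZATION_PASSWORD"

      # upload-artifact v3 is deprecated and no longer accepted by GitHub; v4
      # requires artifact names to be unique within the run, which the three
      # distinct names below satisfy.
      - name: Upload metal libraries to Artifacts
        if: steps.fetch.outputs.BACKUP_FOLDER != ''
        uses: actions/upload-artifact@v4
        with:
          name: MetallibSupportPkg.pkg
          path: ./MetallibSupportPkg-*.pkg

      - name: Upload sys_patch_dict.py to Artifacts
        if: steps.fetch.outputs.BACKUP_FOLDER != ''
        uses: actions/upload-artifact@v4
        with:
          name: sys_patch_dict.py
          path: sys_patch_dict.py

      - name: Upload manifest to Artifacts
        if: steps.fetch.outputs.BACKUP_FOLDER != ''
        uses: actions/upload-artifact@v4
        with:
          name: manifest.json
          path: deploy/manifest.json

      # Publishing happens only for pushes to main, never from cron runs.
      # NOTE(review): ACCESS_TOKEN is a long-lived personal access token whose
      # scope is not visible here. For pushing to this repository's own
      # gh-pages branch the job's GITHUB_TOKEN (contents: write) is normally
      # enough and expires with the run; keep the PAT only if it is needed for
      # something GITHUB_TOKEN cannot do (e.g. triggering a follow-on workflow
      # on gh-pages), and pin this action to a commit SHA when next bumped.
      - name: Sync GitHub Pages
        if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/main' && steps.fetch.outputs.BACKUP_FOLDER != '' }}
        uses: JamesIves/[email protected]
        with:
          ACCESS_TOKEN: ${{ secrets.ACCESS_TOKEN }}
          BRANCH: gh-pages
          FOLDER: deploy/
          CLEAN: true

      # The release is tagged with the backup folder name emitted by the fetch
      # step. `@v1` is a mutable major tag; pin to a commit SHA when next bumped.
      - name: Create GitHub release
        if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/main' && steps.fetch.outputs.BACKUP_FOLDER != '' }}
        uses: softprops/action-gh-release@v1
        with:
          files: |
            MetallibSupportPkg-*.pkg
            sys_patch_dict.py
          token: ${{ secrets.GITHUB_TOKEN }}
          tag_name: ${{ steps.fetch.outputs.BACKUP_FOLDER }}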