fix: Use specific notary keychain to avoid issues with locking #9
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# This workflow will build a Java project with Maven | |
# For more information see: https://help.github.com/actions/language-and-framework-guides/building-and-testing-java-with-maven | |
name: Beta builds | |
# on: | |
# push: | |
# tags: | |
# - "v[0-9]+.[0-9]+.[0-9]+-beta" | |
on: | |
push: | |
branches: [ master ] | |
pull_request: | |
branches: [ master ] | |
jobs: | |
build: | |
runs-on: macos-latest | |
steps: | |
- uses: actions/checkout@v3 | |
- name: Set up JDK 17 | |
uses: actions/setup-java@v3 | |
with: | |
java-version: '17' | |
distribution: 'temurin' | |
- name: Build with Maven | |
run: | | |
export JARSIGNER_KEYSTORE_B64=${{secrets.JARSIGNER_REL_KEYSTORE_B64}} | |
export JARSIGNER_STOREPASS=${{secrets.JARSIGNER_REL_STOREPASS}} | |
export JARSIGNER_ALIAS=${{secrets.JARSIGNER_REL_ALIAS}} | |
KEYSTORE_FILE="${PWD}/{{secrets.JARSIGNER_KEYSTORE}}" | |
echo "${KEYSTORE_FILE}" | |
printf "%s" "${JARSIGNER_KEYSTORE_B64}" | base64 -d > "${KEYSTORE_FILE}" | |
mvn -e -X clean install -Djarsigner.keystore="${KEYSTORE_FILE}" -Djarsigner.alias="${JARSIGNER_ALIAS}" -Djarsigner.storepass="${JARSIGNER_STOREPASS}" -DskipTests=true | |
rm -v "${KEYSTORE_FILE}" | |
- name: Codesign Espressif-IDE | |
env: | |
MACOS_CERTIFICATE: ${{ secrets.MACOS_CERTIFICATE }} | |
MACOS_CERTIFICATE_PWD: ${{ secrets.MACOS_CERTIFICATE_PWD }} | |
run: | | |
echo $MACOS_CERTIFICATE | base64 --decode > certificate.p12 | |
/usr/bin/security create-keychain -p espressif build.keychain | |
/usr/bin/security default-keychain -s build.keychain | |
/usr/bin/security unlock-keychain -p espressif build.keychain | |
/usr/bin/security import certificate.p12 -k build.keychain -P $MACOS_CERTIFICATE_PWD -T /usr/bin/codesign | |
/usr/bin/security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k espressif build.keychain | |
echo "codesigning espressif-ide-macosx.cocoa.x86_64" | |
/usr/bin/codesign --entitlements $PWD/releng/com.espressif.idf.product/entitlements/espressif-ide.entitlement --options runtime --force -s "ESPRESSIF SYSTEMS (SHANGHAI) CO., LTD. (QWXF6GB4AV)" $PWD/releng/com.espressif.idf.product/target/products/com.espressif.idf.product/macosx/cocoa/x86_64/Espressif-IDE.app -v | |
/usr/bin/codesign -v -vvv --deep $PWD/releng/com.espressif.idf.product/target/products/com.espressif.idf.product/macosx/cocoa/x86_64/Espressif-IDE.app | |
echo "codesigning espressif-ide-macosx.cocoa.aarch64" | |
/usr/bin/codesign --entitlements $PWD/releng/com.espressif.idf.product/entitlements/espressif-ide.entitlement --options runtime --force -s "ESPRESSIF SYSTEMS (SHANGHAI) CO., LTD. (QWXF6GB4AV)" $PWD/releng/com.espressif.idf.product/target/products/com.espressif.idf.product/macosx/cocoa/aarch64/Espressif-IDE.app -v | |
/usr/bin/codesign -v -vvv --deep $PWD/releng/com.espressif.idf.product/target/products/com.espressif.idf.product/macosx/cocoa/aarch64/Espressif-IDE.app | |
echo "Creating dmg for espressif-ide-macosx.cocoa.x86_64" | |
$PWD/releng/ide-dmg-builder/ide-dmg-builder.sh | |
/usr/bin/codesign --entitlements $PWD/releng/com.espressif.idf.product/entitlements/espressif-ide.entitlement --options runtime --force -s "ESPRESSIF SYSTEMS (SHANGHAI) CO., LTD. (QWXF6GB4AV)" $PWD/releng/ide-dmg-builder/Espressif-IDE-macosx-cocoa-x86_64.dmg -v | |
/usr/bin/codesign -v -vvv --deep $PWD/releng/ide-dmg-builder/Espressif-IDE-macosx-cocoa-x86_64.dmg | |
echo "Creating dmg for espressif-ide-macosx.cocoa.aarch64" | |
$PWD/releng/ide-dmg-builder/ide-dmg-builder-aarch64.sh | |
/usr/bin/codesign --options runtime --force -s "ESPRESSIF SYSTEMS (SHANGHAI) CO., LTD. (QWXF6GB4AV)" $PWD/releng/ide-dmg-builder/Espressif-IDE-macosx-cocoa-aarch64.dmg -v | |
/usr/bin/codesign -v -vvv --deep $PWD/releng/ide-dmg-builder/Espressif-IDE-macosx-cocoa-aarch64.dmg | |
- name: Notarization of Espressif-IDE-macosx-cocoa-x86_64.dmg | |
env: | |
NOTARIZATION_USERNAME: ${{ secrets.NOTARIZATION_USERNAME }} | |
NOTARIZATION_PASSWORD: ${{ secrets.NOTARIZATION_PASSWORD }} | |
NOTARIZATION_TEAM_ID: ${{ secrets.NOTARIZATION_TEAM_ID }} | |
run: | | |
echo "Create keychain profile" | |
xcrun notarytool store-credentials "ide-notarytool-profile" --apple-id $NOTARIZATION_USERNAME --team-id $NOTARIZATION_TEAM_ID --password $NOTARIZATION_PASSWORD | |
xcrun notarytool submit $PWD/releng/ide-dmg-builder/Espressif-IDE-macosx-cocoa-x86_64.dmg --keychain-profile "ide-notarytool-profile" --wait | |
echo "Attach staple for x86_64.dmg" | |
xcrun stapler staple $PWD/releng/ide-dmg-builder/Espressif-IDE-macosx-cocoa-x86_64.dmg | |
echo "Unlock the default keychain" | |
security unlock-keychain | |
xcrun notarytool submit $PWD/releng/ide-dmg-builder/Espressif-IDE-macosx-cocoa-aarch64.dmg --keychain-profile "ide-notarytool-profile" --wait | |
echo "Attach staple for aarch64.dmg" | |
xcrun stapler staple $PWD/releng/ide-dmg-builder/Espressif-IDE-macosx-cocoa-aarch64.dmg | |
# - name: Upload Espressif-IDE-macosx-cocoa-x86_64.dmg | |
# if: ${{ !cancelled() }} | |
# uses: actions/upload-artifact@v2 | |
# with: | |
# name: espressif-ide-macosx-cocoa-x86_64 | |
# path: releng/ide-dmg-builder/Espressif-IDE-macosx-cocoa-x86_64.dmg | |
# - name: Upload Espressif-IDE-macosx-cocoa-aarch64.dmg | |
# if: ${{ !cancelled() }} | |
# uses: actions/upload-artifact@v2 | |
# with: | |
# name: espressif-ide-macosx.cocoa.aarch64 | |
# path: releng/ide-dmg-builder/Espressif-IDE-macosx-cocoa-aarch64.dmg | |
# - name: Upload build artifacts | |
# if: ${{ !cancelled() }} | |
# uses: actions/upload-artifact@v2 | |
# with: | |
# name: com.espressif.idf.update | |
# path: releng/com.espressif.idf.update/target/repository | |
# - name: Upload windows rcp | |
# if: ${{ !cancelled() }} | |
# uses: actions/upload-artifact@v2 | |
# with: | |
# name: espressif-ide-win32 | |
# path: releng/com.espressif.idf.product/target/products/Espressif-IDE-*-win32.win32.x86_64.zip | |
# - name: Upload linux rcp | |
# if: ${{ !cancelled() }} | |
# uses: actions/upload-artifact@v2 | |
# with: | |
# name: espressif-ide-linux | |
# path: releng/com.espressif.idf.product/target/products/Espressif-IDE-*-linux.gtk.x86_64.tar.gz | |
# - name: Upload build assets to dl.espressif.com | |
# id: upload-release-asset-espressif | |
# env: | |
# AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} | |
# AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | |
# AWS_DEFAULT_REGION: ${{ secrets.AWS_DEFAULT_REGION }} | |
# run: | | |
# ARCHIVE_DIR="/releng/com.espressif.idf.update/target/" | |
# ARCHIVE_NAME="com.espressif.idf.update*.zip" | |
# echo "${ARCHIVE_DIR}" | |
# echo ${PWD}${ARCHIVE_DIR} | |
# ARCHIVE_FILE_NAME="$(find ${PWD}${ARCHIVE_DIR}${ARCHIVE_NAME})" | |
# echo "${ARCHIVE_FILE_NAME}" | |
# ARCHIVE_PREFIX="com.espressif.idf.update-" | |
# ARCHIVE_SUFFIX="-SNAPSHOT.zip"; | |
# tmp=${ARCHIVE_FILE_NAME#*${ARCHIVE_PREFIX}} # remove prefix | |
# ARCHIVE_VERSION=${tmp%${ARCHIVE_SUFFIX}*} # remove suffix | |
# echo "${ARCHIVE_VERSION}" | |
# FOLDER_NAME="v${ARCHIVE_VERSION}-beta" | |
# mkdir "${FOLDER_NAME}" && cd "${FOLDER_NAME}" && unzip -q ${ARCHIVE_FILE_NAME} && cd .. | |
# echo ${PWD} | |
# ARCHIVE_VERSION_NEW="${ARCHIVE_PREFIX}${ARCHIVE_VERSION}.zip" | |
# echo ${ARCHIVE_VERSION_NEW} | |
# mv ${ARCHIVE_FILE_NAME} ${ARCHIVE_VERSION_NEW} | |
# mv releng/ide-dmg-builder/Espressif-IDE-macosx-cocoa-x86_64.dmg "releng/ide-dmg-builder/Espressif-IDE-macosx-cocoa-x86_64-${FOLDER_NAME}.dmg" | |
# mv releng/ide-dmg-builder/Espressif-IDE-macosx-cocoa-aarch64.dmg "releng/ide-dmg-builder/Espressif-IDE-macosx-cocoa-aarch64-${FOLDER_NAME}.dmg" | |
# aws s3 rm s3://${{ secrets.DL_BUCKET }}/dl/idf-eclipse-plugin/updates/beta --recursive | |
# aws s3 cp --acl=public-read --recursive "./${FOLDER_NAME}/" s3://${{ secrets.DL_BUCKET }}/dl/idf-eclipse-plugin/updates/beta | |
# aws s3 cp --acl=public-read "./releng/index.html" s3://${{ secrets.DL_BUCKET }}/dl/idf-eclipse-plugin/updates/beta/ | |
# aws s3 cp --acl=public-read --recursive "./${FOLDER_NAME}/" s3://${{ secrets.DL_BUCKET }}/dl/idf-eclipse-plugin/updates/${FOLDER_NAME} | |
# aws s3 cp --acl=public-read --recursive --exclude "*" --include "Espressif-IDE-*" ./releng/com.espressif.idf.product/target/products/ s3://${{ secrets.DL_BUCKET }}/dl/idf-eclipse-plugin/ide/ | |
# aws s3 cp --acl=public-read "${ARCHIVE_VERSION_NEW}" s3://${{ secrets.DL_BUCKET }}/dl/idf-eclipse-plugin/updates/ | |
# aws s3 cp --acl=public-read "./releng/ide-dmg-builder/Espressif-IDE-macosx-cocoa-x86_64-${FOLDER_NAME}.dmg" s3://${{ secrets.DL_BUCKET }}/dl/idf-eclipse-plugin/ide/ | |
# aws s3 cp --acl=public-read "./releng/ide-dmg-builder/Espressif-IDE-macosx-cocoa-aarch64-${FOLDER_NAME}.dmg" s3://${{ secrets.DL_BUCKET }}/dl/idf-eclipse-plugin/ide/ | |
# aws cloudfront create-invalidation --distribution-id ${{ secrets.DL_DISTRIBUTION_ID }} --paths "/dl/idf-eclipse-plugin/updates/beta/*" | |
# aws s3api put-object --acl=public-read --bucket espdldata --key "dl/idf-eclipse-plugin/ide/Espressif-IDE-win32.win32.x86_64/beta" --website-redirect-location "/dl/idf-eclipse-plugin/ide/Espressif-IDE-${ARCHIVE_VERSION}-win32.win32.x86_64.zip" | |
# aws s3api put-object --acl=public-read --bucket espdldata --key "dl/idf-eclipse-plugin/ide/Espressif-IDE-macosx-cocoa-x86_64/beta" --website-redirect-location "/dl/idf-eclipse-plugin/ide/Espressif-IDE-macosx-cocoa-x86_64-v${ARCHIVE_VERSION}.dmg" | |
# aws s3api put-object --acl=public-read --bucket espdldata --key "dl/idf-eclipse-plugin/ide/Espressif-IDE-macosx-cocoa-aarch64/beta" --website-redirect-location "/dl/idf-eclipse-plugin/ide/Espressif-IDE-macosx-cocoa-aarch64-v${ARCHIVE_VERSION}.dmg" | |
# aws s3api put-object --acl=public-read --bucket espdldata --key "dl/idf-eclipse-plugin/ide/Espressif-IDE-linux.gtk.x86_64/beta" --website-redirect-location "/dl/idf-eclipse-plugin/ide/Espressif-IDE-${ARCHIVE_VERSION}-linux.gtk.x86_64.tar.gz" |