
set env var to disable macos code signing, try to fix conditional #20

Workflow file for this run

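# Release pipeline: a push to the `release` branch builds the app on every
# platform in the matrix and uploads artifacts to the GitHub release named
# "v<version from package.json>".
name: 'publish'
on:
  push:
    branches:
      - release
jobs:
  publish:
    strategy:
      # Let the other platforms finish even if one of them fails.
      fail-fast: false
      matrix:
        platform: [windows-2019, macos-12, macos-latest, ubuntu-22.04]
    env:
      # Quoted so the value stays the string "10.13" instead of a YAML float.
      MACOSX_DEPLOYMENT_TARGET: '10.13'
    permissions:
      # The job token only needs to create/modify release assets.
      contents: write
    runs-on: ${{ matrix.platform }}
    steps:
      # NOTE(review): this job handles signing credentials and a write-scoped
      # token. Only matthme/import-codesign-certs is pinned to a full commit
      # SHA; the other actions are referenced by mutable tags. Consider
      # pinning them to commit SHAs as well.
      - uses: actions/checkout@v2
      - name: Setup for macOS code signing
        if: matrix.platform == 'macos-12' || matrix.platform == 'macos-latest'
        uses: matthme/import-codesign-certs@5565bb656f60c98c8fc515f3444dd8db73545dc2
        with:
          p12-file-base64: ${{ secrets.APPLE_CERTIFICATE }}
          p12-password: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
      - name: setup node
        uses: actions/setup-node@v1
        with:
          node-version: 20
      - name: Retrieve version
        id: version
        shell: bash
        run: |
          echo "Retrieved App version: $(node -p -e "require('./package.json').version")"
          echo "APP_VERSION=$(node -p -e "require('./package.json').version")" >> "$GITHUB_OUTPUT"
      - name: install Rust
        # NOTE(review): the action reference was mangled by e-mail obfuscation
        # on the page this file was captured from (it read
        # "dtolnay/[email protected]"). Presumably dtolnay/rust-toolchain at a
        # pinned version; restore the real ref before using this file.
        uses: dtolnay/rust-toolchain@<RUST_TOOLCHAIN_VERSION_PLACEHOLDER>
      - name: install Go stable
        uses: actions/setup-go@v4
        with:
          go-version: 'stable'
      - name: Environment setup
        run: |
          yarn setup
      # This step is only used for testing in the official kangaroo repo.
      # The condition must be a single bare expression: wrapping only part of
      # an `if:` in ${{ }} yields a non-empty string, which is always truthy,
      # so the step would also run in every fork.
      # NOTE(review): the downloaded .webhapp is not checked against a known
      # digest before it is packaged; consider verifying a pinned SHA-256.
      - name: Overwrite Names for release testing and fetch kando webhapp from github
        if: github.repository == 'holochain-apps/holochain-kangaroo-electron'
        run: |
          echo ${{ github.repository }}
          echo "overwriting names for release testing"
          curl -f -L --output ./pouch/presence.webhapp https://github.com/matthme/presence/releases/download/0.7.3/presence.webhapp
          node ./scripts/overwrite-with-test-name.js
      - name: Retrieve appId
        id: appId
        shell: bash
        run: |
          echo "APP_ID=$(node ./scripts/read-app-id.js)" >> "$GITHUB_OUTPUT"
      - name: Retrieve whether Windows code signing should be attempted
        id: shouldWindowsCodeSign
        shell: bash
        run: |
          echo "WINDOWS_CODE_SIGNING=$(node ./scripts/read-windows-code-signing.js)" >> "$GITHUB_OUTPUT"
      - name: Retrieve whether macOS code signing should be attempted
        id: shouldMacOSCodeSign
        shell: bash
        run: |
          echo "MACOS_CODE_SIGNING=$(node ./scripts/read-macos-code-signing.js)" >> "$GITHUB_OUTPUT"

      # macOS WITHOUT code signing
      # ---------------------------------------------------------------------
      # Step outputs are always strings, so the flag is compared against
      # 'false' / 'true' (assumes read-macos-code-signing.js prints exactly
      # one of those two words - confirm). Keeping the whole condition as one
      # bare expression makes sure that exactly one of the signed/unsigned
      # variants runs, and that the Apple credentials below are only handed
      # to a build on the intended macOS runner.
      - name: build and upload the app (macOS x86)
        if: matrix.platform == 'macos-12' && steps.shouldMacOSCodeSign.outputs.MACOS_CODE_SIGNING == 'false'
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          # Environment values are strings; quoted to make that explicit.
          CSC_IDENTITY_AUTO_DISCOVERY: 'false'
        run: |
          yarn build:mac-x64
          ls dist
      - name: build and upload the app (macOS arm64)
        if: matrix.platform == 'macos-latest' && steps.shouldMacOSCodeSign.outputs.MACOS_CODE_SIGNING == 'false'
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          CSC_IDENTITY_AUTO_DISCOVERY: 'false'
        run: |
          yarn build:mac-arm64
          ls dist

      # macOS WITH code signing
      # ---------------------------------------------------------------------
      # NOTE(review): DEBUG enables verbose signing/notarization logs in a
      # step that holds Apple credentials; review what ends up in the
      # (public) run log.
      - name: build and upload the app (macOS x86)
        if: matrix.platform == 'macos-12' && steps.shouldMacOSCodeSign.outputs.MACOS_CODE_SIGNING == 'true'
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          APPLE_DEV_IDENTITY: ${{ secrets.APPLE_DEV_IDENTITY }}
          APPLE_ID_EMAIL: ${{ secrets.APPLE_ID_EMAIL }}
          APPLE_ID_PASSWORD: ${{ secrets.APPLE_ID_PASSWORD }}
          APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
          DEBUG: 'electron-osx-sign*,electron-notarize*'
        run: |
          yarn build:mac-x64
          ls dist
      - name: build and upload the app (macOS arm64)
        if: matrix.platform == 'macos-latest' && steps.shouldMacOSCodeSign.outputs.MACOS_CODE_SIGNING == 'true'
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          APPLE_DEV_IDENTITY: ${{ secrets.APPLE_DEV_IDENTITY }}
          APPLE_ID_EMAIL: ${{ secrets.APPLE_ID_EMAIL }}
          APPLE_ID_PASSWORD: ${{ secrets.APPLE_ID_PASSWORD }}
          APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
          DEBUG: 'electron-osx-sign*,electron-notarize*'
        run: |
          yarn build:mac-arm64
          ls dist

      # Linux
      # ---------------------------------------------------------------------
      - name: build and upload the app (Ubuntu 22.04)
        if: matrix.platform == 'ubuntu-22.04'
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          yarn build:linux
          ls dist
          # Modify the postinst script of the .deb file
          node ./scripts/extend-deb-postinst.mjs
          gh release upload "v${{ steps.version.outputs.APP_VERSION }}" "latest-linux.yml" --clobber
          gh release upload "v${{ steps.version.outputs.APP_VERSION }}" "dist/${{ steps.appId.outputs.APP_ID }}_${{ steps.version.outputs.APP_VERSION }}_amd64.deb" --clobber

      # Windows
      # ---------------------------------------------------------------------
      # NOTE(review): the ${{ secrets.* }} values below are substituted into
      # the script text before bash runs it, so a value containing quotes or
      # `$` would be re-interpreted by the shell. Consider a dedicated
      # signing step that receives them through `env:` instead.
      - name: build, sign and upload the app (Windows)
        shell: bash
        if: matrix.platform == 'windows-2019'
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          yarn build:win
          ls dist
          # If Windows EV code signing is set to true in kangaroo.config.ts, do code signing here.
          # The step context key is `outputs`; `output` expands to an empty string,
          # which silently skips signing and the re-upload of the installer.
          if [ "${{ steps.shouldWindowsCodeSign.outputs.WINDOWS_CODE_SIGNING }}" == true ]; then
            # Assumes this setup of EV certificates:
            # https://melatonin.dev/blog/how-to-code-sign-windows-installers-with-an-ev-cert-on-github-actions/
            # Sign the .exe file
            dotnet tool install --global --version 4.0.1 AzureSignTool
            echo "sha512 before code signing"
            CertUtil -hashfile "dist/${{ steps.appId.outputs.APP_ID }}-${{ steps.version.outputs.APP_VERSION }}-setup.exe" SHA512
            AzureSignTool sign -kvu "${{ secrets.AZURE_KEY_VAULT_URI }}" -kvi "${{ secrets.AZURE_CLIENT_ID }}" -kvt "${{ secrets.AZURE_TENANT_ID }}" -kvs "${{ secrets.AZURE_CLIENT_SECRET }}" -kvc "${{ secrets.AZURE_CERT_NAME }}" -tr http://timestamp.digicert.com -v "dist/${{ steps.appId.outputs.APP_ID }}-${{ steps.version.outputs.APP_VERSION }}-setup.exe"
            echo "sha512 after code signing"
            CertUtil -hashfile "dist/${{ steps.appId.outputs.APP_ID }}-${{ steps.version.outputs.APP_VERSION }}-setup.exe" SHA512
            # Overwrite the latest.yml one with one containing the sha512 of the code signed .exe file
            node ./scripts/latest-yaml.js
            gh release upload "v${{ steps.version.outputs.APP_VERSION }}" "latest.yml" --clobber
            gh release upload "v${{ steps.version.outputs.APP_VERSION }}" "dist/${{ steps.appId.outputs.APP_ID }}-${{ steps.version.outputs.APP_VERSION }}-setup.exe" --clobber
          fi
      - name: Merge latest-mac.yml mac release files
        if: matrix.platform == 'macos-latest' || matrix.platform == 'macos-12'
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          node ./scripts/merge-mac-yamls.mjs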