From 4f0e201ec9af4a1be582de7776eadf5699de6e09 Mon Sep 17 00:00:00 2001
From: Dom Del Nano
Date: Wed, 28 Aug 2024 23:42:34 +0000
Subject: [PATCH 1/6] Use maintained gon fork to address Apple signing deprecation
Signed-off-by: Dom Del Nano
---
 .github/workflows/cli_release.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/cli_release.yaml b/.github/workflows/cli_release.yaml
index 0beeea9a4b5..76e48e72e60 100644
--- a/.github/workflows/cli_release.yaml
+++ b/.github/workflows/cli_release.yaml
@@ -88,7 +88,7 @@ jobs:
 - name: Add pwd to git safe dir
 run: git config --global --add safe.directory `pwd`
 - name: Install gon
- run: brew install mitchellh/gon/gon
+ run: brew install Bearer/tap/gon
 - name: Sign CLI release
 env:
 REF: ${{ github.event.ref }}
From 8ddbf7574bb1b700145c942e3e816c3de605dac5 Mon Sep 17 00:00:00 2001
From: Dom Del Nano
Date: Thu, 29 Aug 2024 00:28:14 +0000
Subject: [PATCH 2/6] Ensure apple_id.provider is set to the team ID
Signed-off-by: Dom Del Nano
---
 ci/gon.hcl | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/ci/gon.hcl b/ci/gon.hcl
index 3702665306b..7ffee3f6729 100644
--- a/ci/gon.hcl
+++ b/ci/gon.hcl
@@ -9,6 +9,8 @@ bundle_id = "ai.pixielabs.px"
 apple_id {
 username = "zasgar@gmail.com"
 password = "@env:AC_PASSWD"
+ # Unfortunately gon's HCL doesn't allow declaring variables so this literal is specified twice
+ provider = "SZCNTABEXY"
 }
 sign {
From d2e0e93bf057cc7495e7c5d37878f121790f538f Mon Sep 17 00:00:00 2001
From: Dom Del Nano
Date: Tue, 3 Sep 2024 20:55:27 +0000
Subject: [PATCH 3/6] Use new apple developer application and cert
Signed-off-by: Dom Del Nano
---
 ci/gon.hcl | 11 ++++-------
 1 file changed, 4 insertions(+), 7 deletions(-)
diff --git a/ci/gon.hcl b/ci/gon.hcl
index 7ffee3f6729..a21fadf48b0 100644
--- a/ci/gon.hcl
+++ b/ci/gon.hcl
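Review bot: In patch 1/6, `brew install Bearer/tap/gon` in `.github/workflows/cli_release.yaml` installs the signing tool from a third-party tap with no revision or checksum pinned. The `Sign CLI release` step that follows runs it with the Apple ID password, the signing certificate and the keychain password in its environment (the env block is visible in patch 4/6), so whatever the tap serves at release time reaches the signing path unreviewed. Consider installing a specific reviewed release and verifying its SHA-256 against a digest kept in this repository before the signing step runs. At minimum add a comment above the step such as `# gon runs with the signing cert and Apple ID secrets; tap formula last reviewed at <COMMIT-PLACEHOLDER>`. The `jobs:` block continues outside the hunk.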
@@ -2,19 +2,16 @@
 // using Gon.
 source = ["./cli_darwin_amd64", "./cli_darwin_arm64", "cli_darwin_universal"]
-bundle_id = "ai.pixielabs.px"
+bundle_id = "ai.getcosmic.px"
-// TODO(zasgar): Update this to the orders@pixielabs.ai account. It has access to the certs,
-// but does not have access to application passwords.
 apple_id {
- username = "zasgar@gmail.com"
+ username = "apple-dev@getcosmic.ai"
 password = "@env:AC_PASSWD"
- # Unfortunately gon's HCL doesn't allow declaring variables so this literal is specified twice
- provider = "SZCNTABEXY"
+ provider = "769M9XJDG6"
 }
 sign {
- application_identity = "Developer ID Application: Pixie Labs Inc. (SZCNTABEXY)"
+ application_identity = "Developer ID Application: Cosmic Observe, Inc."
 }
 zip {
From ad6f51ca95d60c394a2abb19853773798ed79ec8 Mon Sep 17 00:00:00 2001
From: Dom Del Nano
Date: Tue, 3 Sep 2024 22:44:50 +0000
Subject: [PATCH 4/6] Use correct password mechanism in gon fork (AC_PASSWORD env var)
Signed-off-by: Dom Del Nano
---
 .github/workflows/cli_release.yaml | 2 +-
 ci/gon.hcl | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/cli_release.yaml b/.github/workflows/cli_release.yaml
index 76e48e72e60..dfbfa653454 100644
--- a/.github/workflows/cli_release.yaml
+++ b/.github/workflows/cli_release.yaml
@@ -92,7 +92,7 @@ jobs:
 - name: Sign CLI release
 env:
 REF: ${{ github.event.ref }}
- AC_PASSWD: ${{ secrets.APPLE_ID_PASSWORD }}
+ AC_PASSWORD: ${{ secrets.APPLE_ID_PASSWORD }}
 KEYCHAIN_PASSWORD: ${{ secrets.APPLE_KEYCHAIN_PASSWORD }}
 CERT_BASE64: ${{ secrets.APPLE_SIGN_CERT_B64 }}
 CERT_PASSWORD: ${{ secrets.APPLE_SIGN_CERT_PASSWORD }}
diff --git a/ci/gon.hcl b/ci/gon.hcl
index a21fadf48b0..624e84dd327 100644
--- a/ci/gon.hcl
+++ b/ci/gon.hcl
@@ -6,7 +6,7 @@ bundle_id = "ai.getcosmic.px"
 apple_id {
 username = "apple-dev@getcosmic.ai"
- password = "@env:AC_PASSWD"
+ # Password is provided via AC_PASSWORD env var
 provider = "769M9XJDG6"
 }
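Review bot: In patch 3/6, the new `application_identity` in `ci/gon.hcl` names the certificate by organisation only, whereas the removed value also carried the team ID in parentheses. If the identity is resolved by a name match against the keychain, a second certificate with the same organisation name would make the selection ambiguous, and the signing identity is no longer visibly tied to `provider`. If the new certificate's common name includes the team ID, prefer `application_identity = "Developer ID Application: Cosmic Observe, Inc. (769M9XJDG6)"`, or reference the certificate by its fingerprint.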
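Review bot: In patch 4/6, the comment that replaces `password = "@env:AC_PASSWD"` in `ci/gon.hcl` does not say where `AC_PASSWORD` is set. The file no longer references the variable in any setting, so a rename on the workflow side would leave nothing here to flag the mismatch. I would write the comment as `# gon reads the Apple ID password from AC_PASSWORD, set from secrets.APPLE_ID_PASSWORD in .github/workflows/cli_release.yaml`.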
From ff89e27ad314b2a2c6f44a95964107774bbb6224 Mon Sep 17 00:00:00 2001
From: Dom Del Nano
Date: Wed, 4 Sep 2024 15:31:28 +0000
Subject: [PATCH 5/6] Ensure artifact_utils functions won't silently fail. Add git safe directory during macos signed artifact push
Signed-off-by: Dom Del Nano
---
 .github/workflows/cli_release.yaml | 3 +++
 ci/cli_upload_signed.sh | 4 ++--
 2 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/cli_release.yaml b/.github/workflows/cli_release.yaml
index dfbfa653454..aaa3bc935f6 100644
--- a/.github/workflows/cli_release.yaml
+++ b/.github/workflows/cli_release.yaml
@@ -135,6 +135,9 @@ jobs:
 uses: ./.github/actions/gcloud_creds
 with:
 SERVICE_ACCOUNT_KEY: ${{ secrets.GH_RELEASE_SA_PEM_B64 }}
+ - name: Add pwd to git safe dir
+ run: |
+ git config --global --add safe.directory `pwd`
 - name: Upload signed CLI
 env:
 REF: ${{ github.event.ref }}
diff --git a/ci/cli_upload_signed.sh b/ci/cli_upload_signed.sh
index 5f56d5e4cce..8aef812b828 100755
--- a/ci/cli_upload_signed.sh
+++ b/ci/cli_upload_signed.sh
@@ -18,11 +18,11 @@
 repo_path=$(bazel info workspace)
+set -ex
+
 # shellcheck source=ci/artifact_utils.sh
 . "${repo_path}/ci/artifact_utils.sh"
-set -ex
-
 printenv
 release_tag=${TAG_NAME##*/v}
From 50462dafc3510f5bda710aebb70f219b09b8e7cd Mon Sep 17 00:00:00 2001
From: Dom Del Nano
Date: Thu, 5 Sep 2024 21:27:13 +0000
Subject: [PATCH 6/6] Consolidate set -ex into shebang line
Signed-off-by: Dom Del Nano
---
 ci/cli_upload_signed.sh | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/ci/cli_upload_signed.sh b/ci/cli_upload_signed.sh
index 8aef812b828..84653afc13c 100755
--- a/ci/cli_upload_signed.sh
+++ b/ci/cli_upload_signed.sh
@@ -1,4 +1,4 @@
-#!/usr/bin/env bash
+#!/bin/bash -ex
 # Copyright 2018- The Pixie Authors.
 #
@@ -18,8 +18,6 @@
 repo_path=$(bazel info workspace)
-set -ex
-
 # shellcheck source=ci/artifact_utils.sh
 . "${repo_path}/ci/artifact_utils.sh"
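Review bot: The step added to `.github/workflows/cli_release.yaml` in patch 5/6 passes an unquoted backtick substitution of pwd to `git config --global --add safe.directory`. A workspace path containing whitespace would be word-split, and the command would then fail or register the wrong path. `run: git config --global --add safe.directory "$(pwd)"` avoids that and fits on one line, like the identical step earlier in the workflow (visible as context in patch 1/6). Limiting the entry to the workspace directory rather than a wildcard is the right scope, since safe.directory disables git's ownership check for whatever it names.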
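Review bot: Moving `set -ex` above the line that sources `artifact_utils.sh` in patch 5/6 of `ci/cli_upload_signed.sh` turns on xtrace for every command the sourced helpers run. The script then calls `printenv`, so both command lines and the full environment of the upload job are written to the CI log. The job is given `secrets.GH_RELEASE_SA_PEM_B64` through the gcloud_creds action; log masking generally covers registered secret values but not values derived from them, such as a decoded key. `artifact_utils.sh` is not visible here, so whether it handles such values needs checking. For the stated goal of not failing silently, `set -eo pipefail` before the source line is enough, with `-x` left off or limited to the commands being debugged.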
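Review bot: With `#!/bin/bash -ex` in patch 6/6, error handling in `ci/cli_upload_signed.sh` depends on how the script is started. Options on the shebang line apply only when the file is executed directly. Invoking it as `bash ci/cli_upload_signed.sh` would run it without errexit, which is the silent-failure case patch 5/6 set out to remove. Keep the interpreter line as `#!/usr/bin/env bash` and make `set -e` the first statement, ahead of `repo_path=$(bazel info workspace)`. If this script runs on a macOS runner, `/bin/bash` is also the older system bash rather than the one found on PATH.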