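name: Build

on:
  push:
    branches:
      - develop
      - release/*
      - support/*
  pull_request:
    branches:
      - develop
      - release/*
      - support/*
  # Allows you to run this workflow manually from the Actions tab
  workflow_dispatch:

# NOTE(review): no `permissions:` block is declared, so every job receives the
# repository's default GITHUB_TOKEN scope. The least-privilege baseline is to
# declare the minimum per job (e.g. `contents: read`, plus whatever the
# test-report action needs to post checks) — confirm each action's documented
# requirements before adding it so report publishing keeps working.

jobs:
  build:
    runs-on: ubuntu-22.04
    steps:
      - uses: actions/checkout@v4
      - name: Setup Java
        uses: actions/setup-java@v4
        with:
          distribution: 'temurin'
          java-version: '17'
          cache: 'maven'
      - name: Build
        run: ./mvnw -ntp clean verify -Dstyle.color=always
      - name: Publish Test Report
        uses: EnricoMi/publish-unit-test-result-action@v2
        if: always()
        with:
          files: |
            target/reports/*.xml
      - name: Upload binaries
        uses: actions/upload-artifact@v4
        with:
          name: binaries
          path: |
            target/binaries/bonita-data-repository-*

  macOs-codesign:
    needs: build
    # Secrets are not exposed to workflows triggered by pull requests from
    # forks, so this job (and `deploy`) will fail on such PRs; gate them on the
    # event / head repository if fork PRs are expected.
    # NOTE(review): the macos-11 hosted image has been retired by GitHub —
    # confirm a currently supported runner label.
    runs-on: macos-11
    strategy:
      # `max-parallel` is a `strategy` key, not a `matrix` key (placing it
      # under `matrix` is what made the workflow file invalid). Running the
      # legs one at a time matters here: each leg downloads the shared
      # `binaries` artifact, signs its own file and re-uploads the whole set,
      # so a parallel leg could re-upload an unsigned copy of the other arch.
      max-parallel: 1
      matrix:
        arch: [macos-x64, macos-arm64]
    steps:
      - name: Download binaries
        uses: actions/download-artifact@v4
        with:
          name: binaries
          path: target/binaries
      - name: Sign binaries
        env:
          MACOS_CERTIFICATE: ${{ secrets.APPLE_CERT_DATA }}
          MACOS_CERTIFICATE_PWD: ${{ secrets.APPLE_CERT_PASSWORD }}
          TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
          APPLE_ENTITLEMENTS_XML: ${{ secrets.APPLE_ENTITLEMENTS_XML }}
          # The matrix value is passed through the environment instead of
          # being interpolated into the script, so the shell never parses raw
          # expression output (the context name is `matrix`, not `matix`).
          ARCH: ${{ matrix.arch }}
        run: |
          # Secret material only ever touches the runner's ephemeral workspace
          # and a throw-away keychain; both are discarded with the runner.
          echo "$APPLE_ENTITLEMENTS_XML" | base64 --decode > entitlements.xml
          echo "$MACOS_CERTIFICATE" | base64 --decode > certificate.p12
          security create-keychain -p actions build.keychain
          security default-keychain -s build.keychain
          security unlock-keychain -p actions build.keychain
          # -T lets codesign use the imported key without a UI prompt on the headless runner.
          security import certificate.p12 -k build.keychain -P "$MACOS_CERTIFICATE_PWD" -T /usr/bin/codesign
          # The PKCS#12 file is no longer needed once the key is in the keychain.
          rm -f certificate.p12
          security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k actions build.keychain
          # Hardened runtime (--options runtime) is a prerequisite for notarization.
          /usr/bin/codesign --force --options runtime --entitlements entitlements.xml -s "$TEAM_ID" "./target/binaries/bonita-data-repository-${ARCH}" -v
      - name: Notarize binaries
        env:
          MACOS_NOTARIZATION_APPLE_ID: ${{ secrets.APPLE_NOTARY_USER }}
          MACOS_NOTARIZATION_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
          MACOS_NOTARIZATION_PWD: ${{ secrets.APPLE_NOTARY_PASSWORD }}
          ARCH: ${{ matrix.arch }}
        run: |
          # Store the notarization credentials so that we can prevent a UI password dialog
          # from blocking the CI
          echo "Create keychain profile"
          xcrun notarytool store-credentials "notarytool-profile" --apple-id "$MACOS_NOTARIZATION_APPLE_ID" --team-id "$MACOS_NOTARIZATION_TEAM_ID" --password "$MACOS_NOTARIZATION_PWD"
          # We can't notarize an app bundle directly, but we need to compress it as an archive.
          # Therefore, we create a zip file containing our app bundle, so that we can send it to the
          # notarization service
          echo "Creating temp notarization archives"
          ditto -c -k --keepParent "target/binaries/bonita-data-repository-${ARCH}" "notarization-${ARCH}.zip"
          # Here we send the notarization request to the Apple's Notarization service, waiting for the result.
          # This typically takes a few seconds inside a CI environment, but it might take more depending on the App
          # characteristics. Visit the Notarization docs for more information and strategies on how to optimize it if
          # you're curious
          echo "Notarize binary"
          xcrun notarytool submit "notarization-${ARCH}.zip" --keychain-profile "notarytool-profile" --wait
          # Finally, we need to "attach the staple" to our executable, which will allow our app to be
          # validated by macOS even when an internet connection is not available.
          echo "Attach staple"
          xcrun stapler staple "target/binaries/bonita-data-repository-${ARCH}"
      - name: Upload binaries
        uses: actions/upload-artifact@v4
        with:
          name: binaries
          path: |
            target/binaries/bonita-data-repository-*
          # v4 artifacts are immutable: re-uploading under the name the build
          # job already used fails unless the existing artifact is replaced.
          overwrite: true

  deploy:
    needs: macOs-codesign
    runs-on: ubuntu-22.04
    strategy:
      matrix:
        arch: [ win-x64, linux-x64, macos-x64, macos-arm64 ]
    steps:
      - name: Retrieve secrets from Keeper
        id: ksecrets
        # TODO(review): `@master` is a floating ref — every run executes
        # whatever the action's default branch currently holds, and this step
        # is handed the Keeper configuration secret. Pin it to a tagged release
        # or, preferably, a full commit SHA.
        uses: Keeper-Security/ksm-action@master
        with:
          keeper-secret-config: ${{ secrets.KSM_CONFIG }}
          secrets: |
            YPOU0laqe0V0mq_qwQ_3wg/field/login > env:JFROG_USER
            YPOU0laqe0V0mq_qwQ_3wg/field/password > env:JFROG_TOKEN
      - uses: actions/checkout@v4
      - name: Setup Java
        uses: actions/setup-java@v4
        with:
          distribution: 'temurin'
          java-version: '17'
          cache: 'maven'
      - name: Setup Maven configuration
        uses: whelk-io/maven-settings-xml-action@v21
        with:
          servers: >
            [
              {
                "id": "releases",
                "username": "${{ env.JFROG_USER }}",
                "password": "${{ env.JFROG_TOKEN }}"
              },
              {
                "id": "snapshots",
                "username": "${{ env.JFROG_USER }}",
                "password": "${{ env.JFROG_TOKEN }}"
              }
            ]
      - name: Download binaries
        uses: actions/download-artifact@v4
        with:
          name: binaries
          path: target/binaries
      - name: Deploy
        env:
          SNAPSHOT_REPOSITORY_URL: https://bonitasoft.jfrog.io/artifactory/libs-snapshot-local/
          ARCH: ${{ matrix.arch }}
        run: |
          # `VAR = value` is parsed by the shell as a command invocation; an
          # assignment must have no spaces around `=`.
          PROJECT_VERSION="$(./mvnw help:evaluate -Dexpression=project.version -q -DforceStdout)"
          # The Maven Assembly Plugin's goal prefix is `assembly`; `assemble`
          # resolves to no plugin.
          ./mvnw -ntp assembly:single@archive-"${ARCH}"
          # The archive is produced under the project's target/ directory; the
          # previous leading slash pointed at the filesystem root.
          ./mvnw -ntp deploy:deploy-file -Dstyle.color=always \
            -DaltDeploymentRepository=snapshots::"${SNAPSHOT_REPOSITORY_URL}" \
            -Dfile="target/bonita-data-repository-${ARCH}.zip" \
            -DgroupId=org.bonitasoft.web \
            -DartifactId=bonita-data-repository \
            -Dversion="${PROJECT_VERSION}" \
            -Dclassifier="${ARCH}" \
            -Dpackaging=zip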