
chore(actions): macos codesign #28


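# Build pipeline: compile the native binaries on Linux, sign and notarize the two
# macOS binaries on a macOS runner, then publish one zip per architecture to the
# JFrog snapshot repository.
#
# TODO(review): add a top-level `permissions:` block (least privilege). The
# workflow currently runs with the repository's default GITHUB_TOKEN scopes;
# only the test-report step is expected to need write access.
name: Build
on:
  push:
    branches:
      - develop
      - 'release/*'
      - 'support/*'
  pull_request:
    branches:
      - develop
      - 'release/*'
      - 'support/*'
  # Allows you to run this workflow manually from the Actions tab
  workflow_dispatch:
jobs:
  build:
    runs-on: ubuntu-22.04
    steps:
      - uses: actions/checkout@v4
      - name: Setup Java
        uses: actions/setup-java@v4
        with:
          distribution: 'temurin'
          # Quoted so the YAML parser cannot retype the version.
          java-version: '17'
          cache: 'maven'
      - name: Build
        run: ./mvnw -ntp clean verify -Dstyle.color=always
      - name: Publish Test Report
        uses: EnricoMi/publish-unit-test-result-action@v2
        if: always()
        with:
          files: |
            target/reports/*.xml
      # The macOS binaries are uploaded unsigned; the macOs-codesign job
      # replaces them with signed artifacts named without the "-unsigned" suffix.
      - name: Upload macos-x64 binary
        uses: actions/upload-artifact@v4
        with:
          name: macos-x64-unsigned
          path: |
            target/binaries/bonita-data-repository-macos-x64
      - name: Upload macos-arm64 binary
        uses: actions/upload-artifact@v4
        with:
          name: macos-arm64-unsigned
          path: |
            target/binaries/bonita-data-repository-macos-arm64
      - name: Upload linux-x64 binary
        uses: actions/upload-artifact@v4
        with:
          name: linux-x64
          path: |
            target/binaries/bonita-data-repository-linux-x64
      - name: Upload win-x64 binary
        uses: actions/upload-artifact@v4
        with:
          name: win-x64
          path: |
            target/binaries/bonita-data-repository-win-x64.exe

  macOs-codesign:
    needs: build
    # NOTE(review): GitHub has retired its macOS 11 hosted runners; confirm this
    # label still resolves, otherwise the job will never be scheduled.
    runs-on: macOs-11
    strategy:
      matrix:
        arch: [macos-x64, macos-arm64]
    steps:
      - name: Download binaries
        uses: actions/download-artifact@v4
        with:
          name: ${{ matrix.arch }}-unsigned
          path: target/binaries
        # NOTE(review): artifacts do not preserve the executable bit; confirm the
        # assembly descriptor in the deploy job restores it (or chmod +x here).
      - name: Sign binaries
        env:
          MACOS_CERTIFICATE: ${{ secrets.APPLE_CERT_DATA }}
          MACOS_CERTIFICATE_PWD: ${{ secrets.APPLE_CERT_PASSWORD }}
          TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
          APPLE_ENTITLEMENTS_XML: ${{ secrets.APPLE_ENTITLEMENTS_XML }}
          # Passed through env rather than interpolated into the script so the
          # shell never sees a raw workflow expression.
          ARCH: ${{ matrix.arch }}
        run: |
          set -euo pipefail
          # Secrets are base64 blobs; printf with quoting keeps embedded newlines
          # intact and avoids echo's option parsing.
          printf '%s\n' "$APPLE_ENTITLEMENTS_XML" | base64 --decode > entitlements.xml
          printf '%s\n' "$MACOS_CERTIFICATE" | base64 --decode > certificate.p12
          # Throw-away keychain scoped to this job; "actions" is only its unlock
          # password and the keychain is deleted in the last step of the job.
          security create-keychain -p actions build.keychain
          security default-keychain -s build.keychain
          security unlock-keychain -p actions build.keychain
          security import certificate.p12 -k build.keychain -P "$MACOS_CERTIFICATE_PWD" -T /usr/bin/codesign
          # The PKCS#12 file is not needed once imported; do not leave it on disk.
          rm -f certificate.p12
          # Lets codesign use the key without a UI prompt blocking the runner.
          security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k actions build.keychain
          /usr/bin/codesign --force --options runtime --entitlements entitlements.xml -s "$TEAM_ID" "./target/binaries/bonita-data-repository-${ARCH}" -v
      - name: Notorize binaries
        env:
          MACOS_NOTARIZATION_APPLE_ID: ${{ secrets.APPLE_NOTARY_USER }}
          MACOS_NOTARIZATION_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
          MACOS_NOTARIZATION_PWD: ${{ secrets.APPLE_NOTARY_PASSWORD }}
          ARCH: ${{ matrix.arch }}
        run: |
          set -euo pipefail
          # Store the notarization credentials so that we can prevent a UI password dialog
          # from blocking the CI
          echo "Create keychain profile"
          xcrun notarytool store-credentials "notarytool-profile" --apple-id "$MACOS_NOTARIZATION_APPLE_ID" --team-id "$MACOS_NOTARIZATION_TEAM_ID" --password "$MACOS_NOTARIZATION_PWD"
          # We can't notarize an app bundle directly, but we need to compress it as an archive.
          # Therefore, we create a zip file containing our app bundle, so that we can send it to the
          # notarization service
          echo "Creating temp notarization archives"
          ditto -c -k --keepParent "target/binaries/bonita-data-repository-${ARCH}" "notarization-${ARCH}.zip"
          # Here we send the notarization request to the Apple's Notarization service, waiting for the result.
          # This typically takes a few seconds inside a CI environment, but it might take more depending on the App
          # characteristics. Visit the Notarization docs for more information and strategies on how to optimize it if
          # you're curious
          # NOTE(review): confirm that --wait exits non-zero on an "Invalid" verdict;
          # if it does not, the step succeeds with an un-notarized binary.
          echo "Notarize binary"
          xcrun notarytool submit "notarization-${ARCH}.zip" --keychain-profile "notarytool-profile" --wait
          # Finally, we need to "attach the staple" to our executable, which will allow our app to be
          # validated by macOS even when an internet connection is not available.
          # Stapling is left disabled: as far as we know stapler only handles bundles,
          # disk images and packages, not a bare executable, so offline Gatekeeper
          # validation is not available for these binaries.
          # echo "Attach staple"
          # xcrun stapler staple "target/binaries/bonita-data-repository-${ARCH}"
      - name: Upload binaries
        uses: actions/upload-artifact@v4
        with:
          name: ${{ matrix.arch }}
          path: |
            target/binaries/bonita-data-repository-${{ matrix.arch }}
      # Remove the signing keychain (and any leftover decoded secret material)
      # even when an earlier step failed.
      - name: Remove signing keychain
        if: always()
        run: |
          security delete-keychain build.keychain || true
          rm -f certificate.p12 entitlements.xml

  deploy:
    needs: macOs-codesign
    runs-on: ubuntu-22.04
    # NOTE(review): this job also runs for pull_request events; confirm that
    # publishing snapshots from PR builds is intended (PRs from forks will fail
    # here because secrets are not available to them).
    strategy:
      matrix:
        arch: [win-x64, linux-x64, macos-x64, macos-arm64]
    steps:
      - name: Retrieve secrets from Keeper
        id: ksecrets
        # TODO(review): pin this action to a release tag or commit SHA; @master is
        # a mutable ref and this step is handed the Keeper configuration secret.
        uses: Keeper-Security/ksm-action@master
        with:
          keeper-secret-config: ${{ secrets.KSM_CONFIG }}
          secrets: |
            YPOU0laqe0V0mq_qwQ_3wg/field/login > env:JFROG_USER
            YPOU0laqe0V0mq_qwQ_3wg/field/password > env:JFROG_TOKEN
      - uses: actions/checkout@v4
      - name: Setup Java
        uses: actions/setup-java@v4
        with:
          distribution: 'temurin'
          java-version: '17'
          cache: 'maven'
      - name: Setup Maven configuration
        uses: whelk-io/maven-settings-xml-action@v21
        with:
          # Folded scalar: the lines are joined into one JSON document.
          servers: >
            [
            {
            "id": "snapshots",
            "username": "${{ env.JFROG_USER }}",
            "password": "${{ env.JFROG_TOKEN }}"
            }
            ]
      - name: Download binaries
        uses: actions/download-artifact@v4
        with:
          name: ${{ matrix.arch }}
          path: target/binaries
      - name: Read version
        id: read-version
        run: echo "version=$(./mvnw help:evaluate -Dexpression=project.version -q -DforceStdout)" >> "$GITHUB_OUTPUT"
      - name: Deploy
        env:
          SNAPSHOT_REPOSITORY_URL: https://bonitasoft.jfrog.io/artifactory/libs-snapshot-local/
          # Matrix/step values go through env so the shell receives them as data,
          # not as text spliced into the script.
          ARCH: ${{ matrix.arch }}
          VERSION: ${{ steps.read-version.outputs.version }}
        run: |
          set -euo pipefail
          ./mvnw assembly:single@archive-"$ARCH"
          ./mvnw -ntp deploy:deploy-file -Dstyle.color=always -DrepositoryId=snapshots -Durl="$SNAPSHOT_REPOSITORY_URL" \
            -Dfile="target/bonita-data-repository-${VERSION}-${ARCH}.zip" \
            -DgroupId=org.bonitasoft.web \
            -DartifactId=bonita-data-repository \
            -Dversion="$VERSION" \
            -Dclassifier="$ARCH" \
            -Dpackaging=zip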