chore(actions): macos codesign (#81)
rbioteau authored Dec 20, 2023
1 parent bb6ab20 commit 524b31e
Showing 7 changed files with 215 additions and 243 deletions.
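--- a/.github/workflows/_reusable_macOs_codesign.yml
+++ b/.github/workflows/_reusable_macOs_codesign.yml
@@ -0,0 +1,97 @@
+name: macOs Codesign
+
+on:
+workflow_call:
+inputs:
+input-artifact:
+required: true
+type: string
+output-artifact:
+required: true
+type: string
+filename:
+required: true
+type: string
+attachStaple:
+required: false
+type: boolean
+default: false
+secrets:
+certificateData:
+required: true
+certificatePassword:
+required: true
+notorizationUser:
+required: true
+notorizationPassword:
+required: true
+teamId:
+required: true
+entitlements:
+required: true
+
+jobs:
+codesign:
+runs-on: macOs-13
+steps:
+- name: Download binary
+uses: actions/download-artifact@v4
+with:
+name: ${{ inputs.input-artifact }}
+
+- name: Sign binary
+env:
+MACOS_CERTIFICATE: ${{ secrets.certificateData }}
+MACOS_CERTIFICATE_PWD: ${{ secrets.certificatePassword }}
+TEAM_ID: ${{ secrets.teamId }}
+APPLE_ENTITLEMENTS_XML: ${{ secrets.entitlements }}
+run: |
+echo $APPLE_ENTITLEMENTS_XML | base64 --decode > entitlements.xml
+echo $MACOS_CERTIFICATE | base64 --decode > certificate.p12
+security create-keychain -p actions build.keychain
+security default-keychain -s build.keychain
+security unlock-keychain -p actions build.keychain
+security import certificate.p12 -k build.keychain -P $MACOS_CERTIFICATE_PWD -T /usr/bin/codesign
+security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k actions build.keychain
+/usr/bin/codesign --deep --force --options runtime --entitlements entitlements.xml -s $TEAM_ID ${{ inputs.filename}} -v
+- name: Notorize binary
+env:
+MACOS_NOTARIZATION_APPLE_ID: ${{ secrets.notorizationUser }}
+MACOS_NOTARIZATION_TEAM_ID: ${{ secrets.teamId }}
+MACOS_NOTARIZATION_PWD: ${{ secrets.notorizationPassword }}
+run: |
+# Store the notarization credentials so that we can prevent a UI password dialog
+# from blocking the CI
+echo "Create keychain profile"
+xcrun notarytool store-credentials "notarytool-profile" --apple-id "$MACOS_NOTARIZATION_APPLE_ID" --team-id "$MACOS_NOTARIZATION_TEAM_ID" --password "$MACOS_NOTARIZATION_PWD"
+# We can't notarize an app bundle directly, but we need to compress it as an archive.
+# Therefore, we create a zip file containing our app bundle, so that we can send it to the
+# notarization service
+
+echo "Creating temp notarization archives"
+ditto -c -k --keepParent "${{ inputs.filename }}" "notarization.zip"
+
+# Here we send the notarization request to the Apple's Notarization service, waiting for the result.
+# This typically takes a few seconds inside a CI environment, but it might take more depending on the App
+# characteristics. Visit the Notarization docs for more information and strategies on how to optimize it if
+# you're curious
+
+echo "Notarize binary"
+xcrun notarytool submit "notarization.zip" --keychain-profile "notarytool-profile" --wait
+
+- name: Spatle binary
+if: ${{ inputs.attachStaple }}
+run: |
+# Finally, we need to "attach the staple" to our executable, which will allow our app to be
+# validated by macOS even when an internet connection is not available.
+echo "Attach staple"
+xcrun stapler staple "${{ inputs.filename }}"
+- name: Upload binary
+uses: actions/upload-artifact@v4
+with:
+name: ${{ inputs.output-artifact}}
+path: ${{ inputs.filename }}
+retention-days: 1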
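Review bot: The `filename` input is spliced directly into the shell script on the `codesign` line as an unquoted `${{ inputs.filename}}`, and `$MACOS_CERTIFICATE_PWD` on the `security import` line is unquoted too, so a value containing whitespace or shell metacharacters changes the command rather than being passed as one argument; the later `ditto` and `stapler` lines already quote the same input, so the Sign step is the inconsistent one. Route the input through the step's `env:` and quote it: add `FILENAME: ${{ inputs.filename }}` under `env:` and write `... --entitlements entitlements.xml -s "$TEAM_ID" "$FILENAME" -v` and `-P "$MACOS_CERTIFICATE_PWD"`. The decoded `certificate.p12`, `entitlements.xml` and `build.keychain` (created with the fixed password `actions`) are never removed after signing, so they remain on the runner for the rest of the job, including on failure paths; a final cleanup step with `if: always()` bounds their lifetime. Separately, the step names read `Notorize` and `Spatle` where `Notarize` and `Staple` are presumably meant.
```yaml
# … unchanged: Download, Sign, Notarize, Staple and Upload steps …
      - name: Remove signing material
        if: always()
        run: |
          rm -f certificate.p12 entitlements.xml
          security delete-keychain build.keychain
```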
191 changes: 102 additions & 89 deletions .github/workflows/build.yml
Expand Up @@ -18,6 +18,85 @@ on:
jobs:
build:
runs-on: ubuntu-22.04
steps:
- uses: actions/checkout@v4

- name: Setup Java
uses: actions/setup-java@v4
with:
distribution: 'temurin'
java-version: 17
cache: 'maven'

- name: Build
run: ./mvnw -ntp clean verify -Dstyle.color=always

- name: Publish Test Report
uses: EnricoMi/publish-unit-test-result-action@v2
if: always()
with:
files: |
target/reports/*.xml
- name: Upload macos-x64 binary
if: ${{ github.event.pull_request == null }}
uses: actions/upload-artifact@v4
with:
name: macos-x64-unsigned
path: target/binaries/bonita-data-repository-macos-x64
retention-days: 1

- name: Upload macos-arm64 binary
if: ${{ github.event.pull_request == null }}
uses: actions/upload-artifact@v4
with:
name: macos-arm64-unsigned
path: target/binaries/bonita-data-repository-macos-arm64
retention-days: 1

- name: Upload linux-x64 binary
if: ${{ github.event.pull_request == null }}
uses: actions/upload-artifact@v4
with:
name: linux-x64
path: target/binaries/bonita-data-repository-linux-x64
retention-days: 1

- name: Upload win-x64 binary
if: ${{ github.event.pull_request == null }}
uses: actions/upload-artifact@v4
with:
name: win-x64
path: target/binaries/bonita-data-repository-win-x64.exe
retention-days: 1

macOs-codesign:
if: ${{ github.event.pull_request == null }}
needs: build
strategy:
matrix:
arch: [macos-x64, macos-arm64]
uses: ./.github/workflows/_reusable_macOs_codesign.yml
secrets:
certificateData: ${{ secrets.APPLE_CERT_DATA }}
certificatePassword: ${{ secrets.APPLE_CERT_PASSWORD }}
notorizationUser: ${{ secrets.APPLE_NOTARY_USER }}
notorizationPassword: ${{ secrets.APPLE_NOTARY_PASSWORD }}
teamId: ${{ secrets.APPLE_TEAM_ID }}
entitlements: ${{ secrets.APPLE_ENTITLEMENTS_XML }}
with:
input-artifact: ${{ matrix.arch}}-unsigned
output-artifact: ${{ matrix.arch}}
filename: bonita-data-repository-${{ matrix.arch}}


deploy:
if: ${{ github.event.pull_request == null }}
needs: macOs-codesign
runs-on: ubuntu-22.04
strategy:
matrix:
arch: [ win-x64, linux-x64, macos-x64, macos-arm64 ]
steps:
- name: Retrieve secrets from Keeper
id: ksecrets
Expand All @@ -40,104 +119,38 @@ jobs:
- name: Setup Maven configuration
uses: whelk-io/maven-settings-xml-action@v21
with:
repositories: >
[
{
"id": "releases",
"name": "releases",
"url": "https://bonitasoft.jfrog.io/artifactory/releases",
"releases": {
"enabled": "true"
},
"snapshots": {
"enabled": "false"
}
},
{
"id": "snapshots",
"name": "snapshots",
"url": "https://bonitasoft.jfrog.io/artifactory/snapshots",
"releases": {
"enabled": "false"
},
"snapshots": {
"enabled": "true"
}
},
{
"id": "ossrh-snapshots",
"name": "ossrh-snapshots",
"url" : "https://oss.sonatype.org/content/repositories/snapshots",
"releases": {
"enabled": "false"
},
"snapshots": {
"enabled": "true"
}
}
]
plugin_repositories: >
[
{
"id": "releases",
"name": "releases",
"url": "https://bonitasoft.jfrog.io/artifactory/releases",
"releases": {
"enabled": "true"
},
"snapshots": {
"enabled": "false"
}
},
{
"id": "snapshots",
"name": "snapshots",
"url": "https://bonitasoft.jfrog.io/artifactory/snapshots",
"releases": {
"enabled": "false"
},
"snapshots": {
"enabled": "true"
}
},
{
"id": "ossrh-snapshots",
"name": "ossrh-snapshots",
"url" : "https://oss.sonatype.org/content/repositories/snapshots",
"releases": {
"enabled": "false"
},
"snapshots": {
"enabled": "true"
}
}
]
servers: >
[
{
"id": "releases",
"username": "${{ env.JFROG_USER }}",
"password": "${{ env.JFROG_TOKEN }}"
},
{
"id": "snapshots",
"username": "${{ env.JFROG_USER }}",
"password": "${{ env.JFROG_TOKEN }}"
}
]
- name: Build
run: ./mvnw -ntp clean verify -Dstyle.color=always

- name: Deploy
if: ${{ github.event.pull_request == null }}
run: ./mvnw -ntp deploy -Dstyle.color=always -DskipTests -DaltDeploymentRepository=snapshots::https://bonitasoft.jfrog.io/artifactory/libs-snapshot-local/
- name: Publish Test Report
uses: EnricoMi/publish-unit-test-result-action@v2
if: always()
- name: Download binaries
uses: actions/download-artifact@v4
with:
files: |
target/reports/*.xml
name: ${{ matrix.arch }}
path: target/binaries

- name: Read version
id: read-version
run: echo "version=$(./mvnw help:evaluate -Dexpression=project.version -q -DforceStdout)" >> $GITHUB_OUTPUT

- name: Deploy
env:
SNAPSHOT_REPOSITORY_URL: https://bonitasoft.jfrog.io/artifactory/libs-snapshot-local/
run: |
./mvnw assembly:single@archive-${{ matrix.arch }}
./mvnw -ntp deploy:deploy-file -Dstyle.color=always -DrepositoryId=snapshots -Durl=${{ env.SNAPSHOT_REPOSITORY_URL }} \
-Dfile=target/bonita-data-repository-${{ steps.read-version.outputs.version }}-${{ matrix.arch }}.zip \
-DgroupId=org.bonitasoft.web \
-DartifactId=bonita-data-repository \
-Dversion=${{ steps.read-version.outputs.version }} \
-Dclassifier=${{ matrix.arch }} \
-Dpackaging=zip
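Review bot: The Deploy step's `run:` script interpolates `${{ steps.read-version.outputs.version }}` and `${{ matrix.arch }}` straight into the shell on the `-Dfile`, `-Dversion` and `-Dclassifier` lines, unquoted; the version value is whatever `./mvnw help:evaluate` printed to stdout in the `Read version` step, so any unexpected output there (a warning line, a value with spaces) becomes part of the command line instead of a single argument. Exporting both values via the step's `env:` and referencing them as quoted shell variables keeps them as data, and `-Durl=${{ env.SNAPSHOT_REPOSITORY_URL }}` can then simply be `"$SNAPSHOT_REPOSITORY_URL"`, since that variable is already set in the same step's `env:`. The `deploy` job's earlier steps (secrets retrieval, Maven settings) start in the previous hunk and outside this one.
```yaml
      - name: Deploy
        env:
          SNAPSHOT_REPOSITORY_URL: https://bonitasoft.jfrog.io/artifactory/libs-snapshot-local/
          VERSION: ${{ steps.read-version.outputs.version }}
          ARCH: ${{ matrix.arch }}
        run: |
          ./mvnw assembly:single@archive-"$ARCH"
          ./mvnw -ntp deploy:deploy-file -Dstyle.color=always -DrepositoryId=snapshots -Durl="$SNAPSHOT_REPOSITORY_URL" \
            -Dfile="target/bonita-data-repository-${VERSION}-${ARCH}.zip" \
            -DgroupId=org.bonitasoft.web \
            -DartifactId=bonita-data-repository \
            -Dversion="$VERSION" \
            -Dclassifier="$ARCH" \
            -Dpackaging=zip
```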


59 changes: 0 additions & 59 deletions Jenkinsfile

This file was deleted.

12 changes: 12 additions & 0 deletions README.md
Expand Up @@ -94,3 +94,15 @@ For instance:
```
{"jsonRequest":true,"graphqlRequest":true}
```

## Branching strategy

This repository follows the [GitFlow branching strategy](https://gitversion.net/docs/learn/branching-strategies/gitflow/examples).

## Release

To release a new version, maintainers may use the Release and Publication GitHub actions.

1. [Release action](https://github.com/bonitasoft/bonita-asciidoc-templating/actions/workflows/release.yml) will invoke the `gitflow-maven-plugin` to perform all required merges, version updates and tag creation.
2. [Publication action](https://github.com/bonitasoft/bonita-asciidoc-templatingl/actions/workflows/publish.yml) will build and deploy a given tag to bonitasoft.jfrog.io/artifactory.
3. A GitHub release should be created and associated to the tag.
