chore(actions): macos codesign
rbioteau committed Dec 20, 2023
1 parent bb6ab20 commit 64173bc
Showing 3 changed files with 160 additions and 136 deletions.
233 changes: 144 additions & 89 deletions .github/workflows/build.yml
Expand Up @@ -18,6 +18,127 @@ on:
jobs:
build:
runs-on: ubuntu-22.04
steps:
- uses: actions/checkout@v4

- name: Setup Java
uses: actions/setup-java@v4
with:
distribution: 'temurin'
java-version: 17
cache: 'maven'

- name: Build
run: ./mvnw -ntp clean verify -Dstyle.color=always

- name: Publish Test Report
uses: EnricoMi/publish-unit-test-result-action@v2
if: always()
with:
files: |
target/reports/*.xml
- name: Upload macos-x64 binary
uses: actions/upload-artifact@v4
with:
name: macos-x64-unsigned
path: |
target/binaries/bonita-data-repository-macos-x64
- name: Upload macos-arm64 binary
uses: actions/upload-artifact@v4
with:
name: macos-arm64-unsigned
path: |
target/binaries/bonita-data-repository-macos-arm64
- name: Upload linux-x64 binary
uses: actions/upload-artifact@v4
with:
name: linux-x64
path: |
target/binaries/bonita-data-repository-linux-x64
- name: Upload win-x64 binary
uses: actions/upload-artifact@v4
with:
name: win-x64
path: |
target/binaries/bonita-data-repository-win-x64.exe
macOs-codesign:
needs: build
runs-on: macOs-11
strategy:
matrix:
arch: [macos-x64, macos-arm64]
steps:
- name: Download binaries
uses: actions/download-artifact@v4
with:
name: ${{ matrix.arch}}-unsigned
path: target/binaries

- name: Sign binaries
env:
MACOS_CERTIFICATE: ${{ secrets.APPLE_CERT_DATA }}
MACOS_CERTIFICATE_PWD: ${{ secrets.APPLE_CERT_PASSWORD }}
TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
APPLE_ENTITLEMENTS_XML: ${{ secrets.APPLE_ENTITLEMENTS_XML }}
run: |
echo $APPLE_ENTITLEMENTS_XML | base64 --decode > entitlements.xml
echo $MACOS_CERTIFICATE | base64 --decode > certificate.p12
security create-keychain -p actions build.keychain
security default-keychain -s build.keychain
security unlock-keychain -p actions build.keychain
security import certificate.p12 -k build.keychain -P $MACOS_CERTIFICATE_PWD -T /usr/bin/codesign
security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k actions build.keychain
/usr/bin/codesign --force --options runtime --entitlements entitlements.xml -s $TEAM_ID ./target/binaries/bonita-data-repository-${{ matrix.arch}} -v
- name: Notorize binaries
env:
MACOS_NOTARIZATION_APPLE_ID: ${{ secrets.APPLE_NOTARY_USER }}
MACOS_NOTARIZATION_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
MACOS_NOTARIZATION_PWD: ${{ secrets.APPLE_NOTARY_PASSWORD }}
run: |
# Store the notarization credentials so that we can prevent a UI password dialog
# from blocking the CI
echo "Create keychain profile"
xcrun notarytool store-credentials "notarytool-profile" --apple-id "$MACOS_NOTARIZATION_APPLE_ID" --team-id "$MACOS_NOTARIZATION_TEAM_ID" --password "$MACOS_NOTARIZATION_PWD"
# We can't notarize an app bundle directly, but we need to compress it as an archive.
# Therefore, we create a zip file containing our app bundle, so that we can send it to the
# notarization service

echo "Creating temp notarization archives"
ditto -c -k --keepParent "target/binaries/bonita-data-repository-${{ matrix.arch}}" "notarization-${{ matrix.arch}}.zip"

# Here we send the notarization request to the Apple's Notarization service, waiting for the result.
# This typically takes a few seconds inside a CI environment, but it might take more depending on the App
# characteristics. Visit the Notarization docs for more information and strategies on how to optimize it if
# you're curious

echo "Notarize binary"
xcrun notarytool submit "notarization-${{ matrix.arch}}.zip" --keychain-profile "notarytool-profile" --wait

# Finally, we need to "attach the staple" to our executable, which will allow our app to be
# validated by macOS even when an internet connection is not available.
# echo "Attach staple"
# xcrun stapler staple "target/binaries/bonita-data-repository-${{ matrix.arch }}"

- name: Upload binaries
uses: actions/upload-artifact@v4
with:
name: ${{ matrix.arch}}
path: |
target/binaries/bonita-data-repository-${{ matrix.arch}}
deploy:
needs: macOs-codesign
runs-on: ubuntu-22.04
strategy:
matrix:
arch: [ win-x64, linux-x64, macos-x64, macos-arm64 ]
steps:
- name: Retrieve secrets from Keeper
id: ksecrets
Expand All @@ -40,104 +161,38 @@ jobs:
- name: Setup Maven configuration
uses: whelk-io/maven-settings-xml-action@v21
with:
repositories: >
[
{
"id": "releases",
"name": "releases",
"url": "https://bonitasoft.jfrog.io/artifactory/releases",
"releases": {
"enabled": "true"
},
"snapshots": {
"enabled": "false"
}
},
{
"id": "snapshots",
"name": "snapshots",
"url": "https://bonitasoft.jfrog.io/artifactory/snapshots",
"releases": {
"enabled": "false"
},
"snapshots": {
"enabled": "true"
}
},
{
"id": "ossrh-snapshots",
"name": "ossrh-snapshots",
"url" : "https://oss.sonatype.org/content/repositories/snapshots",
"releases": {
"enabled": "false"
},
"snapshots": {
"enabled": "true"
}
}
]
plugin_repositories: >
[
{
"id": "releases",
"name": "releases",
"url": "https://bonitasoft.jfrog.io/artifactory/releases",
"releases": {
"enabled": "true"
},
"snapshots": {
"enabled": "false"
}
},
{
"id": "snapshots",
"name": "snapshots",
"url": "https://bonitasoft.jfrog.io/artifactory/snapshots",
"releases": {
"enabled": "false"
},
"snapshots": {
"enabled": "true"
}
},
{
"id": "ossrh-snapshots",
"name": "ossrh-snapshots",
"url" : "https://oss.sonatype.org/content/repositories/snapshots",
"releases": {
"enabled": "false"
},
"snapshots": {
"enabled": "true"
}
}
]
servers: >
[
{
"id": "releases",
"username": "${{ env.JFROG_USER }}",
"password": "${{ env.JFROG_TOKEN }}"
},
{
"id": "snapshots",
"username": "${{ env.JFROG_USER }}",
"password": "${{ env.JFROG_TOKEN }}"
}
]
- name: Build
run: ./mvnw -ntp clean verify -Dstyle.color=always
- name: Deploy
if: ${{ github.event.pull_request == null }}
run: ./mvnw -ntp deploy -Dstyle.color=always -DskipTests -DaltDeploymentRepository=snapshots::https://bonitasoft.jfrog.io/artifactory/libs-snapshot-local/

- name: Publish Test Report
uses: EnricoMi/publish-unit-test-result-action@v2
if: always()
- name: Download binaries
uses: actions/download-artifact@v4
with:
files: |
target/reports/*.xml
name: ${{ matrix.arch }}
path: target/binaries

- name: Read version
id: read-version
run: echo "version=$(./mvnw help:evaluate -Dexpression=project.version -q -DforceStdout)" >> $GITHUB_OUTPUT

- name: Deploy
env:
SNAPSHOT_REPOSITORY_URL: https://bonitasoft.jfrog.io/artifactory/libs-snapshot-local/
run: |
./mvnw assembly:single@archive-${{ matrix.arch }}
./mvnw -ntp deploy:deploy-file -Dstyle.color=always -DrepositoryId=snapshots -Durl=${{ env.SNAPSHOT_REPOSITORY_URL }} \
-Dfile=target/bonita-data-repository-${{ steps.read-version.outputs.version }}-${{ matrix.arch }}.zip \
-DgroupId=org.bonitasoft.web \
-DartifactId=bonita-data-repository \
-Dversion=${{ steps.read-version.outputs.version }} \
-Dclassifier=${{ matrix.arch }} \
-Dpackaging=zip
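Review bot: The new `Deploy` step at the end of the `deploy` job has lost the `if: ${{ github.event.pull_request == null }}` guard that the removed `Deploy` step carried, so unless the workflow's `on:` block (outside this view) limits triggers to pushes, every pull-request build will now publish a snapshot zip to `libs-snapshot-local`; restoring `if: ${{ github.event.pull_request == null }}` on that step keeps the previous gating. In the `Sign binaries` step the decoded `certificate.p12` and the `build.keychain` created with the fixed password `actions` are never removed, so a final `if: always()` step running `security delete-keychain build.keychain` and `rm -f certificate.p12 entitlements.xml` would bound how long the signing material sits on the runner. With the stapler call left commented out, the uploaded binaries carry no stapled ticket and Gatekeeper must reach Apple online to validate them; if that is deliberate (for example because the target is a bare executable rather than a bundle), a comment saying so on those lines would stop the next maintainer from re-enabling it blindly.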


12 changes: 12 additions & 0 deletions README.md
Expand Up @@ -94,3 +94,15 @@ For instance:
```
{"jsonRequest":true,"graphqlRequest":true}
```

## Branching strategy

This repository follows the [GitFlow branching strategy](https://gitversion.net/docs/learn/branching-strategies/gitflow/examples).

## Release

To release a new version, maintainers may use the Release and Publication GitHub actions.

1. [Release action](https://github.com/bonitasoft/bonita-asciidoc-templating/actions/workflows/release.yml) will invoke the `gitflow-maven-plugin` to perform all required merges, version updates and tag creation.
2. [Publication action](https://github.com/bonitasoft/bonita-asciidoc-templatingl/actions/workflows/publish.yml) will build and deploy a given tag to bonitasoft.jfrog.io/artifactory.
3. A GitHub release should be created and associated to the tag.
51 changes: 4 additions & 47 deletions pom.xml
Expand Up @@ -147,7 +147,7 @@
<artifactId>maven-assembly-plugin</artifactId>
<executions>
<execution>
<id>generated-linux-zip</id>
<id>archive-linux-x64</id>
<phase>package</phase>
<goals>
<goal>single</goal>
Expand All @@ -159,7 +159,7 @@
</configuration>
</execution>
<execution>
<id>generated-macos-x64-zip</id>
<id>archive-macos-x64</id>
<phase>package</phase>
<goals>
<goal>single</goal>
Expand All @@ -171,7 +171,7 @@
</configuration>
</execution>
<execution>
<id>generated-macos-arm64-zip</id>
<id>archive-macos-arm64</id>
<phase>package</phase>
<goals>
<goal>single</goal>
Expand All @@ -183,7 +183,7 @@
</configuration>
</execution>
<execution>
<id>generated-win-zip</id>
<id>archive-win-x64</id>
<phase>package</phase>
<goals>
<goal>single</goal>
Expand Down Expand Up @@ -306,48 +306,5 @@
</plugins>
</build>
</profile>
<profile>
<id>macos-codesign</id>
<build>
<plugins>
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>exec-maven-plugin</artifactId>
<executions>
<execution>
<id>sign-macos-x64-binary</id>
<phase>prepare-package</phase>
<goals>
<goal>exec</goal>
</goals>
<configuration>
<executable>./sign-macos.sh</executable>
<arguments>
<argument>${project.artifactId}-macos-x64</argument>
<argument>${macSignServiceURL}</argument>
<argument>${project.build.directory}/binaries/</argument>
</arguments>
</configuration>
</execution>
<execution>
<id>sign-macos-arm64-binary</id>
<phase>prepare-package</phase>
<goals>
<goal>exec</goal>
</goals>
<configuration>
<executable>./sign-macos.sh</executable>
<arguments>
<argument>${project.artifactId}-macos-arm64</argument>
<argument>${macSignServiceURL}</argument>
<argument>${project.build.directory}/binaries/</argument>
</arguments>
</configuration>
</execution>
</executions>
</plugin>
</plugins>
</build>
</profile>
</profiles>
</project>
