From 64173bc76be0095860fc64e7587e628acbd27d3d Mon Sep 17 00:00:00 2001
From: Romain Bioteau
Date: Tue, 19 Dec 2023 15:33:28 +0100
Subject: [PATCH] chore(actions): macos codesign
---
 .github/workflows/build.yml | 233 ++++++++++++++++++++++--------------
 README.md | 12 ++
 pom.xml | 51 +-------
 3 files changed, 160 insertions(+), 136 deletions(-)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 4058eae..f626044 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -18,6 +18,127 @@ on: jobs: build: runs-on: ubuntu-22.04
+ steps:
+ - uses: actions/checkout@v4
+
+ - name: Setup Java
+ uses: actions/setup-java@v4
+ with:
+ distribution: 'temurin'
+ java-version: 17
+ cache: 'maven'
+
+ - name: Build
+ run: ./mvnw -ntp clean verify -Dstyle.color=always
+
+ - name: Publish Test Report
+ uses: EnricoMi/publish-unit-test-result-action@v2
+ if: always()
+ with:
+ files: |
+ target/reports/*.xml
+
+ - name: Upload macos-x64 binary
+ uses: actions/upload-artifact@v4
+ with:
+ name: macos-x64-unsigned
+ path: |
+ target/binaries/bonita-data-repository-macos-x64
+
+ - name: Upload macos-arm64 binary
+ uses: actions/upload-artifact@v4
+ with:
+ name: macos-arm64-unsigned
+ path: |
+ target/binaries/bonita-data-repository-macos-arm64
+
+ - name: Upload linux-x64 binary
+ uses: actions/upload-artifact@v4
+ with:
+ name: linux-x64
+ path: |
+ target/binaries/bonita-data-repository-linux-x64
+
+ - name: Upload win-x64 binary
+ uses: actions/upload-artifact@v4
+ with:
+ name: win-x64
+ path: |
+ target/binaries/bonita-data-repository-win-x64.exe
+
+ macOs-codesign:
+ needs: build
+ runs-on: macOs-11
+ strategy:
+ matrix:
+ arch: [macos-x64, macos-arm64]
+ steps:
+ - name: Download binaries
+ uses: actions/download-artifact@v4
+ with:
+ name: ${{ matrix.arch}}-unsigned
+ path: target/binaries
+
+ - name: Sign binaries
+ env:
+ MACOS_CERTIFICATE: ${{ secrets.APPLE_CERT_DATA }}
+ MACOS_CERTIFICATE_PWD: ${{ secrets.APPLE_CERT_PASSWORD }}
+ TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
+ APPLE_ENTITLEMENTS_XML: ${{ secrets.APPLE_ENTITLEMENTS_XML }}
+ run: |
+ echo $APPLE_ENTITLEMENTS_XML | base64 --decode > entitlements.xml
+ echo $MACOS_CERTIFICATE | base64 --decode > certificate.p12
+ security create-keychain -p actions build.keychain
+ security default-keychain -s build.keychain
+ security unlock-keychain -p actions build.keychain
+ security import certificate.p12 -k build.keychain -P $MACOS_CERTIFICATE_PWD -T /usr/bin/codesign
+ security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k actions build.keychain
+ /usr/bin/codesign --force --options runtime --entitlements entitlements.xml -s $TEAM_ID ./target/binaries/bonita-data-repository-${{ matrix.arch}} -v
+
+ - name: Notorize binaries
+ env:
+ MACOS_NOTARIZATION_APPLE_ID: ${{ secrets.APPLE_NOTARY_USER }}
+ MACOS_NOTARIZATION_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
+ MACOS_NOTARIZATION_PWD: ${{ secrets.APPLE_NOTARY_PASSWORD }}
+ run: |
+ # Store the notarization credentials so that we can prevent a UI password dialog
+ # from blocking the CI
+ echo "Create keychain profile"
+ xcrun notarytool store-credentials "notarytool-profile" --apple-id "$MACOS_NOTARIZATION_APPLE_ID" --team-id "$MACOS_NOTARIZATION_TEAM_ID" --password "$MACOS_NOTARIZATION_PWD"
+
+ # We can't notarize an app bundle directly, but we need to compress it as an archive.
+ # Therefore, we create a zip file containing our app bundle, so that we can send it to the
+ # notarization service
+
+ echo "Creating temp notarization archives"
+ ditto -c -k --keepParent "target/binaries/bonita-data-repository-${{ matrix.arch}}" "notarization-${{ matrix.arch}}.zip"
+
+ # Here we send the notarization request to the Apple's Notarization service, waiting for the result.
+ # This typically takes a few seconds inside a CI environment, but it might take more depending on the App
+ # characteristics. Visit the Notarization docs for more information and strategies on how to optimize it if
+ # you're curious
+
+ echo "Notarize binary"
+ xcrun notarytool submit "notarization-${{ matrix.arch}}.zip" --keychain-profile "notarytool-profile" --wait
+
+ # Finally, we need to "attach the staple" to our executable, which will allow our app to be
+ # validated by macOS even when an internet connection is not available.
+ # echo "Attach staple"
+ # xcrun stapler staple "target/binaries/bonita-data-repository-${{ matrix.arch }}"
+
+ - name: Upload binaries
+ uses: actions/upload-artifact@v4
+ with:
+ name: ${{ matrix.arch}}
+ path: |
+ target/binaries/bonita-data-repository-${{ matrix.arch}}
+
+ deploy:
+ needs: macOs-codesign
+ runs-on: ubuntu-22.04
+ strategy:
+ matrix:
+ arch: [ win-x64, linux-x64, macos-x64, macos-arm64 ] steps: - name: Retrieve secrets from Keeper id: ksecrets
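Review bot: The `Sign binaries` step decodes the signing certificate to `certificate.p12`, imports its private key into `build.keychain` and makes that keychain the default, but nothing removes either afterwards; GitHub-hosted runners are discarded after the job, so this only matters if `macOs-codesign` is ever run on a self-hosted runner, but an `if: always()` cleanup step is cheap and makes the job safe to move. The job has no `if:` guard, so on pull requests from forks, where `secrets.*` expand to empty strings, `base64 --decode` writes empty files and `security import` fails; the `if: ${{ github.event.pull_request == null }}` condition the old `Deploy` step carried would fit on this job. The stapling commands are commented out without saying why; if the reason is that `xcrun stapler` cannot staple a bare Mach-O executable, the comment should state that and note that the signed binary is therefore validated online against the notarization ticket, and it is worth confirming that `notarytool submit --wait` fails the step on an `Invalid` status, since nothing else checks the result. Minor: the step name `Notorize binaries` should read `Notarize binaries`, and `${{ matrix.arch}}` is spaced inconsistently with the `${{ matrix.arch }}` form used in the same job. The enclosing `jobs:` mapping starts before this hunk and the `deploy` job's steps continue past it.
```yaml
# … unchanged: Download / Sign / Notorize / Upload steps of macOs-codesign …
      - name: Remove signing keychain
        if: always()
        run: |
          security delete-keychain build.keychain || true
          rm -f certificate.p12 entitlements.xml
```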
@@ -40,104 +161,38 @@ jobs: - name: Setup Maven configuration uses: whelk-io/maven-settings-xml-action@v21 with:
- repositories: >
- [
- {
- "id": "releases",
- "name": "releases",
- "url": "https://bonitasoft.jfrog.io/artifactory/releases",
- "releases": {
- "enabled": "true"
- },
- "snapshots": {
- "enabled": "false"
- }
- },
- {
- "id": "snapshots",
- "name": "snapshots",
- "url": "https://bonitasoft.jfrog.io/artifactory/snapshots",
- "releases": {
- "enabled": "false"
- },
- "snapshots": {
- "enabled": "true"
- }
- },
- {
- "id": "ossrh-snapshots",
- "name": "ossrh-snapshots",
- "url" : "https://oss.sonatype.org/content/repositories/snapshots",
- "releases": {
- "enabled": "false"
- },
- "snapshots": {
- "enabled": "true"
- }
- }
- ]
- plugin_repositories: >
- [
- {
- "id": "releases",
- "name": "releases",
- "url": "https://bonitasoft.jfrog.io/artifactory/releases",
- "releases": {
- "enabled": "true"
- },
- "snapshots": {
- "enabled": "false"
- }
- },
- {
- "id": "snapshots",
- "name": "snapshots",
- "url": "https://bonitasoft.jfrog.io/artifactory/snapshots",
- "releases": {
- "enabled": "false"
- },
- "snapshots": {
- "enabled": "true"
- }
- },
- {
- "id": "ossrh-snapshots",
- "name": "ossrh-snapshots",
- "url" : "https://oss.sonatype.org/content/repositories/snapshots",
- "releases": {
- "enabled": "false"
- },
- "snapshots": {
- "enabled": "true"
- }
- }
- ] servers: > [
- {
- "id": "releases",
- "username": "${{ env.JFROG_USER }}",
- "password": "${{ env.JFROG_TOKEN }}"
- }, { "id": "snapshots", "username": "${{ env.JFROG_USER }}", "password": "${{ env.JFROG_TOKEN }}" } ] - - - name: Build
- run: ./mvnw -ntp clean verify -Dstyle.color=always
- - name: Deploy
- if: ${{ github.event.pull_request == null }}
- run: ./mvnw -ntp deploy -Dstyle.color=always -DskipTests -DaltDeploymentRepository=snapshots::https://bonitasoft.jfrog.io/artifactory/libs-snapshot-local/ - - - name: Publish Test Report
- uses: EnricoMi/publish-unit-test-result-action@v2
- if: always()
+ - name: Download binaries
+ uses: actions/download-artifact@v4 with:
- files: |
- target/reports/*.xml
+ name: ${{ matrix.arch }}
+ path: target/binaries
+
+ - name: Read version
+ id: read-version
+ run: echo "version=$(./mvnw help:evaluate -Dexpression=project.version -q -DforceStdout)" >> $GITHUB_OUTPUT
+
+ - name: Deploy
+ env:
+ SNAPSHOT_REPOSITORY_URL: https://bonitasoft.jfrog.io/artifactory/libs-snapshot-local/
+ run: |
+ ./mvnw assembly:single@archive-${{ matrix.arch }}
+ ./mvnw -ntp deploy:deploy-file -Dstyle.color=always -DrepositoryId=snapshots -Durl=${{ env.SNAPSHOT_REPOSITORY_URL }} \
+ -Dfile=target/bonita-data-repository-${{ steps.read-version.outputs.version }}-${{ matrix.arch }}.zip \
+ -DgroupId=org.bonitasoft.web \
+ -DartifactId=bonita-data-repository \
+ -Dversion=${{ steps.read-version.outputs.version }} \
+ -Dclassifier=${{ matrix.arch }} \
+ -Dpackaging=zip
+
+
\ No newline at end of file
diff --git a/README.md b/README.md
index 463c06f..1fce1ae 100644
--- a/README.md
+++ b/README.md
@@ -94,3 +94,15 @@ For instance: ``` {"jsonRequest":true,"graphqlRequest":true} ```
+
+## Branching strategy
+
+This repository follows the [GitFlow branching strategy](https://gitversion.net/docs/learn/branching-strategies/gitflow/examples).
+
+## Release
+
+To release a new version, maintainers may use the Release and Publication GitHub actions.
+
+1. [Release action](https://github.com/bonitasoft/bonita-asciidoc-templating/actions/workflows/release.yml) will invoke the `gitflow-maven-plugin` to perform all required merges, version updates and tag creation.
+2. [Publication action](https://github.com/bonitasoft/bonita-asciidoc-templatingl/actions/workflows/publish.yml) will build and deploy a given tag to bonitasoft.jfrog.io/artifactory.
+3. A GitHub release should be created and associated to the tag.
diff --git a/pom.xml b/pom.xml
index 1199371..be15fe2 100644
--- a/pom.xml
+++ b/pom.xml
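Review bot: The new `Deploy` step has no `if:` condition, whereas the step it replaces (removed earlier in this hunk) was guarded by `if: ${{ github.event.pull_request == null }}`; as written, every run of the `deploy` job, including pull-request builds, publishes a snapshot to `libs-snapshot-local`. Restore that guard on the step or on the `deploy` job unless publishing from pull requests is intended. Two smaller points: `-Durl=${{ env.SNAPSHOT_REPOSITORY_URL }}` re-expands a value the step already exports as an environment variable and could simply be `-Durl="$SNAPSHOT_REPOSITORY_URL"`, and `actions/upload-artifact`/`download-artifact` do not preserve file permissions, so the binary repacked by `assembly:single@archive-…` will presumably only be executable if the assembly descriptor sets a `fileMode` for it — not visible here, worth confirming. The `deploy` job's `steps:` begin in the previous hunk, and the `Setup Maven configuration` step that opens this one is context rather than new code.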
@@ -147,7 +147,7 @@ maven-assembly-plugin - generated-linux-zip + archive-linux-x64 package single @@ -159,7 +159,7 @@ - generated-macos-x64-zip + archive-macos-x64 package single @@ -171,7 +171,7 @@ - generated-macos-arm64-zip + archive-macos-arm64 package single @@ -183,7 +183,7 @@ - generated-win-zip + archive-win-x64 package single @@ -306,48 +306,5 @@ - - macos-codesign - - - - org.codehaus.mojo - exec-maven-plugin - - - sign-macos-x64-binary - prepare-package - - exec - - - ./sign-macos.sh - - ${project.artifactId}-macos-x64 - ${macSignServiceURL} - ${project.build.directory}/binaries/ - - - - - sign-macos-arm64-binary - prepare-package - - exec - - - ./sign-macos.sh - - ${project.artifactId}-macos-arm64 - ${macSignServiceURL} - ${project.build.directory}/binaries/ - - - - - - - -