From d2c5e23bf3d0eb8ecefeeb6fdafed4bc9394636d Mon Sep 17 00:00:00 2001 From: Oliver Kopp Date: Sat, 1 Jul 2023 22:03:50 +0200 Subject: [PATCH] Get notarization running on GitHub (#10041) Co-authored-by: Christoph --- .github/workflows/deployment-arm64.yml | 140 +++++++++++------------- .github/workflows/deployment.yml | 145 +++++++++++++++---------- 2 files changed, 156 insertions(+), 129 deletions(-) diff --git a/.github/workflows/deployment-arm64.yml b/.github/workflows/deployment-arm64.yml index b9e6ea1336b..9cad9fcb5e0 100644 --- a/.github/workflows/deployment-arm64.yml +++ b/.github/workflows/deployment-arm64.yml @@ -2,6 +2,11 @@ name: Deployment Release for ARM64 - Run manually! on: workflow_dispatch: + inputs: + notarization: + type: boolean + required: false + default: false push: branches: - arm64mac-release @@ -37,11 +42,7 @@ jobs: id: checksecrets shell: bash run: | - if [ "$BUILDJABREFPRIVATEKEY" == "" ]; then - echo "secretspresent=NO" >> $GITHUB_OUTPUT - else - echo "secretspresent=YES" >> $GITHUB_OUTPUT - fi + [ -n "$BUILDJABREFPRIVATEKEY" ] || exit 1 env: BUILDJABREFPRIVATEKEY: ${{ secrets.buildJabRefPrivateKey }} - name: Fetch all history for all tags and branches 
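Review bot: The new `notarization` input under `workflow_dispatch` has no `description:`, so the manual-run form shows only a bare checkbox with no hint of what it triggers; add `description: "Also submit the signed macOS dmg and pkg to Apple notarization (tag builds notarize regardless)"` beneath `type: boolean`. The same input is added to deployment.yml in that file's `@@ -2,6 +2,11 @@` hunk and would take the same line. On `push` runs `inputs.notarization` is empty, which the `startsWith(github.ref, 'refs/tags/') || …` conditions later in both files tolerate, but a comment next to the input, `# only set on manual runs; tag pushes notarize unconditionally`, would make that explicit.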
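Review bot: The rewritten `checksecrets` step no longer writes `secretspresent` to `$GITHUB_OUTPUT`, yet the next hunk's new `Build pkg (macos)` step still gates on `steps.checksecrets.outputs.secretspresent == 'YES'`, so that step can never run and a later `Notarize pkg` would fail on a missing `.pkg`. Either keep emitting the output after the hard check, `[ -n "$BUILDJABREFPRIVATEKEY" ] || exit 1` followed by `echo "secretspresent=YES" >> "$GITHUB_OUTPUT"`, or drop the stale condition from `Build pkg (macos)` so it matches the ungated `Build dmg (macos)` beside it. Failing the job outright also means a run where the secret is unavailable goes red instead of skipping the signing steps, which is acceptable for a manual-only workflow but deserves a one-line comment above the step.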
@@ -76,106 +77,97 @@ jobs: sed -i'.bak' -e "s/JavaLanguageVersion.of(20)/JavaLanguageVersion.of(21)/" build.gradle - name: Clean up keychain - if: (matrix.os == 'self-hosted') && (steps.checksecrets.outputs.secretspresent == 'YES') run: | security delete-keychain signing_temp.keychain || true - name: Setup OSX key chain on OSX - if: (matrix.os == 'macos-latest' || matrix.os == 'self-hosted') && (steps.checksecrets.outputs.secretspresent == 'YES') uses: apple-actions/import-codesign-certs@v2 with: p12-file-base64: ${{ secrets.OSX_SIGNING_CERT }} p12-password: ${{ secrets.OSX_CERT_PWD }} keychain-password: jabref - name: Setup OSX key chain on OSX for app id cert - if: (matrix.os == 'macos-latest' || matrix.os == 'self-hosted') && (steps.checksecrets.outputs.secretspresent == 'YES') uses: apple-actions/import-codesign-certs@v2 with: p12-file-base64: ${{ secrets.OSX_SIGNING_CERT_APPLICATION }} p12-password: ${{ secrets.OSX_CERT_PWD }} create-keychain: false keychain-password: jabref - - name: Build runtime image - if: (matrix.os != 'macos-latest') || (steps.checksecrets.outputs.secretspresent == 'YES') - run: ./gradlew -i -PprojVersion="${{ steps.gitversion.outputs.AssemblySemVer }}" -PprojVersionInfo="${{ steps.gitversion.outputs.InformationalVersion }}" jlinkZip - - name: Build installer - if: (matrix.os != 'macos-latest') || (steps.checksecrets.outputs.secretspresent == 'YES') - run: ./gradlew -i -PprojVersion="${{ steps.gitversion.outputs.AssemblySemVer }}" -PprojVersionInfo="${{ steps.gitversion.outputs.InformationalVersion }}" jpackage - shell: bash - - name: Resign app image for OSX and build dmg - if: (matrix.os == 'macos-latest' || matrix.os == 'self-hosted') && (steps.checksecrets.outputs.secretspresent == 'YES') + - name: Prepare merged jars and modules dir (macos) + run: ./gradlew -i -PprojVersion="${{ steps.gitversion.outputs.AssemblySemVer }}" -PprojVersionInfo="${{ steps.gitversion.outputs.InformationalVersion }}" prepareModulesDir + - name: Build dmg 
(macos) shell: bash run: | - jpackage --type pkg --dest build/distribution --name JabRef --app-version "${{ steps.gitversion.outputs.Major }}.${{ steps.gitversion.outputs.Minor }}" --app-image build/distribution/JabRef.app --verbose --type dmg --vendor JabRef --app-version "${{ steps.gitversion.outputs.Major }}.${{ steps.gitversion.outputs.Minor }}" --file-associations buildres/mac/bibtexAssociations.properties --resource-dir buildres/mac --mac-sign --mac-signing-key-user-name "Developer ID Installer: JabRef e.V. (6792V39SK3)" - jpackage --type pkg --dest build/distribution --name JabRef --mac-package-identifier JabRef --app-version "${{ steps.gitversion.outputs.Major }}.${{ steps.gitversion.outputs.Minor }}" --app-image build/distribution/JabRef.app --verbose --type pkg --vendor JabRef --app-version "${{ steps.gitversion.outputs.Major }}.${{ steps.gitversion.outputs.Minor }}" --file-associations buildres/mac/bibtexAssociations.properties --resource-dir buildres/mac --mac-sign --mac-signing-key-user-name "Developer ID Installer: JabRef e.V. (6792V39SK3)" - productsign --sign "Developer ID Installer: JabRef e.V. 
(6792V39SK3)" "build/distribution/JabRef-${{ steps.gitversion.outputs.Major }}.${{ steps.gitversion.outputs.Minor }}.pkg" "build/distribution/JabRef-${{ steps.gitversion.outputs.Major }}.${{ steps.gitversion.outputs.Minor }}-signed.pkg" - - name: Notarize dmg and pkg installer - if: (matrix.os == 'macos-latest' || matrix.os == 'self-hosted' ) && contains(fromJson('["refs/tags/", "refs/heads/arm64mac-release"]'), github.ref) && (steps.checksecrets.outputs.secretspresent == 'YES') + ${{env.JDK21}}/Contents/Home/bin/jpackage \ + --module org.jabref/org.jabref.cli.Launcher \ + --module-path ${{env.JDK21}}/Contents/Home/jmods/:build/jlinkbase/jlinkjars \ + --add-modules org.jabref,org.jabref.merged.module \ + --dest build/distribution \ + --name JabRef \ + --app-version ${{ steps.gitversion.outputs.Major }}.${{ steps.gitversion.outputs.Minor }} \ + --verbose \ + --mac-sign \ + --vendor JabRef \ + --mac-package-identifier Jabref \ + --mac-package-name JabRef \ + --type dmg --mac-signing-key-user-name "JabRef e.V. (6792V39SK3)" \ + --mac-package-signing-prefix org.jabref \ + --mac-entitlements buildres/mac/jabref.entitlements \ + --icon src/main/resources/icons/jabref.icns \ + --resource-dir buildres/mac \ + --file-associations buildres/mac/bibtexAssociations.properties \ + --jlink-options --bind-services + - name: Build pkg (macos) + if: (matrix.os == 'macos-latest') && (steps.checksecrets.outputs.secretspresent == 'YES') shell: bash run: | - codesign --timestamp -s "Developer ID Application: JabRef e.V. 
(6792V39SK3)" --options runtime --entitlements buildres/mac/jabref.entitlements -vvvv --deep "build/distribution/JabRef-${{ steps.gitversion.outputs.Major }}.${{ steps.gitversion.outputs.Minor }}.dmg" - xcrun notarytool submit build/distribution/JabRef-${{ steps.gitversion.outputs.Major }}.${{ steps.gitversion.outputs.Minor }}.dmg --apple-id "${{ secrets.OSX_NOTARIZATION_APP_USERNAME }}" --team-id "6792V39SK3" --password "${{ secrets.OSX_NOTARIZATION_APP_PWD }}" --wait - xcrun stapler staple "build/distribution/JabRef-${{ steps.gitversion.outputs.Major }}.${{ steps.gitversion.outputs.Minor }}.dmg" - spctl -a -t open --context context:primary-signature -vv "build/distribution/JabRef-${{ steps.gitversion.outputs.Major }}.${{ steps.gitversion.outputs.Minor }}.dmg" - - name: Rename files (non-macos) - if: (matrix.os != 'macos-latest' && matrix.os != 'self-hosted') + ${{env.JDK21}}/Contents/Home/bin/jpackage \ + --module org.jabref/org.jabref.cli.Launcher \ + --module-path ${{env.JDK21}}/Contents/Home/jmods/:build/jlinkbase/jlinkjars \ + --add-modules org.jabref,org.jabref.merged.module \ + --dest build/distribution \ + --name JabRef \ + --app-version ${{ steps.gitversion.outputs.Major }}.${{ steps.gitversion.outputs.Minor }} \ + --verbose \ + --mac-sign \ + --vendor JabRef \ + --mac-package-identifier Jabref \ + --mac-package-name JabRef \ + --type pkg --mac-signing-key-user-name "JabRef e.V. 
(6792V39SK3)" \ + --mac-package-signing-prefix org.jabref \ + --mac-entitlements buildres/mac/jabref.entitlements \ + --icon src/main/resources/icons/jabref.icns \ + --resource-dir buildres/mac \ + --file-associations buildres/mac/bibtexAssociations.properties \ + --jlink-options --bind-services + - name: Rename files shell: pwsh run: | get-childitem -Path build/distribution/* | rename-item -NewName {$_.name -replace "${{ steps.gitversion.outputs.AssemblySemVer }}","${{ steps.gitversion.outputs.Major }}.${{ steps.gitversion.outputs.Minor }}"} get-childitem -Path build/distribution/* | rename-item -NewName {$_.name -replace "portable","${{ steps.gitversion.outputs.Major }}.${{ steps.gitversion.outputs.Minor }}-portable"} - - name: Rename files (arm64) - if: (matrix.os == 'self-hosted') && (steps.checksecrets.outputs.secretspresent == 'YES') - shell: pwsh + - name: Notarize dmg + if: (startsWith(github.ref, 'refs/tags/') || (${{ inputs.notarization }})) + shell: bash run: | - get-childitem -Path build/distribution/* | rename-item -NewName {$_.name -replace ".dmg", ".${{ matrix.suffix }}.dmg"} - get-childitem -Path build/distribution/* | rename-item -NewName {$_.name -replace ".pkg", ".${{ matrix.suffix }}.pkg"} + xcrun notarytool store-credentials "notarytool-profile" --apple-id "vorstand@jabref.org" --team-id "6792V39SK3" --password "${{ secrets.OSX_NOTARIZATION_APP_PWD }}" + xcrun notarytool submit build/distribution/JabRef-${{ steps.gitversion.outputs.Major }}.${{ steps.gitversion.outputs.Minor }}.dmg --keychain-profile "notarytool-profile" --wait + xcrun stapler staple build/distribution/JabRef-${{ steps.gitversion.outputs.Major }}.${{ steps.gitversion.outputs.Minor }}.dmg + - name: Notarize pkg + if: (startsWith(github.ref, 'refs/tags/') || (${{ inputs.notarization }})) + shell: bash + run: | + xcrun notarytool store-credentials "notarytool-profile" --apple-id "vorstand@jabref.org" --team-id "6792V39SK3" --password "${{ secrets.OSX_NOTARIZATION_APP_PWD }}" + 
xcrun notarytool submit build/distribution/JabRef-${{ steps.gitversion.outputs.Major }}.${{ steps.gitversion.outputs.Minor }}.pkg --keychain-profile "notarytool-profile" --wait + xcrun stapler staple build/distribution/JabRef-${{ steps.gitversion.outputs.Major }}.${{ steps.gitversion.outputs.Minor }}.pkg + - name: Package application image + shell: bash + run: ${{ matrix.archivePortable }} - name: Upload to GitHub workflow artifacts store - if: (matrix.os != 'macos-latest' && matrix.os !='self-hosted') || (steps.checksecrets.outputs.secretspresent == 'YES') uses: actions/upload-artifact@v3 with: name: JabRef-${{ matrix.displayName }} path: build/distribution - deploy: - strategy: - fail-fast: false - name: Deploy binaries on builds.jabref.org - runs-on: ubuntu-latest - needs: [build] - steps: - - name: Check secrets presence - id: checksecrets - shell: bash - run: | - if [ "$BUILDJABREFPRIVATEKEY" == "" ]; then - echo "secretspresent=NO" >> $GITHUB_OUTPUT - else - echo "secretspresent=YES" >> $GITHUB_OUTPUT - fi - env: - BUILDJABREFPRIVATEKEY: ${{ secrets.buildJabRefPrivateKey }} - - name: Checkout source - if: steps.checksecrets.outputs.secretspresent == 'YES' - uses: actions/checkout@v3 - - name: Fetch all history for all tags and branches - if: steps.checksecrets.outputs.secretspresent == 'YES' - run: git fetch --prune --unshallow - - name: Install GitVersion - if: steps.checksecrets.outputs.secretspresent == 'YES' - uses: gittools/actions/gitversion/setup@v0.10.2 - with: - versionSpec: '5.x' - - name: Run GitVersion - if: steps.checksecrets.outputs.secretspresent == 'YES' - id: gitversion - uses: gittools/actions/gitversion/execute@v0.10.2 - - name: Get macOSArm64 binaries - if: steps.checksecrets.outputs.secretspresent == 'YES' - uses: actions/download-artifact@master - with: - name: JabRef-macOS (Arm64) - path: build/distribution/ - name: Deploy to builds.jabref.org id: deploy - if: steps.checksecrets.outputs.secretspresent == 'YES' uses: 
Pendect/action-rsyncer@v2.0.0 env: DEPLOY_KEY: ${{ secrets.buildJabRefPrivateKey }} diff --git a/.github/workflows/deployment.yml b/.github/workflows/deployment.yml index 5db32beef29..de5387f0f4c 100644 --- a/.github/workflows/deployment.yml +++ b/.github/workflows/deployment.yml @@ -2,6 +2,11 @@ name: Deployment on: workflow_dispatch: + inputs: + notarization: + type: boolean + required: false + default: false push: branches: - main @@ -122,7 +127,7 @@ jobs: echo "org.gradle.java.installations.paths=${{runner.temp}}/jdk/jdk-21" >> gradle.properties echo "org.gradle.java.installations.auto-detect=false" >> gradle.properties - cat gradle.properties + cat gradle.properties sed -i'.bak' -e "s/JavaLanguageVersion.of(20)/JavaLanguageVersion.of(21)/" build.gradle - name: Setup OSX key chain on OSX 
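Review bot: In the new `Notarize dmg` and `Notarize pkg` steps the Apple ID password is spliced into the script text via `--password "${{ secrets.OSX_NOTARIZATION_APP_PWD }}"`; GitHub's hardening guidance is to pass secrets through `env:` and read them from the shell, e.g. `NOTARY_PWD: ${{ secrets.OSX_NOTARIZATION_APP_PWD }}` under the step's `env:` and `--password "$NOTARY_PWD"` in the command, so the secret never becomes part of the generated script. The same pattern appears in the deployment.yml notarize job (that file's `@@ -214,50 +256,37 @@` hunk). `store-credentials` is also run twice with the same profile name where once before both submits would do, and if this job lands on a self-hosted runner (the removed conditions in this hunk mention `self-hosted`) the profile written into the runner's keychain outlives the job and should be removed from the keychain in a cleanup step, which I could not confirm from the hunk alone.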
@@ -140,27 +145,64 @@ jobs: p12-password: ${{ secrets.OSX_CERT_PWD }} create-keychain: false keychain-password: jabref - - name: Build runtime image - if: (matrix.os != 'macos-latest') || (steps.checksecrets.outputs.secretspresent == 'YES') - shell: bash + - name: Build runtime image (non-macos) + if: (matrix.os != 'macos-latest') run: ./gradlew -i -PprojVersion="${{ steps.gitversion.outputs.AssemblySemVer }}" -PprojVersionInfo="${{ steps.gitversion.outputs.InformationalVersion }}" jlinkZip - - name: Build installer - if: (matrix.os != 'macos-latest') || (steps.checksecrets.outputs.secretspresent == 'YES') + - name: Prepare merged jars and modules dir (macos) + if: (matrix.os == 'macos-latest') && (steps.checksecrets.outputs.secretspresent == 'YES') + run: ./gradlew -i -PprojVersion="${{ steps.gitversion.outputs.AssemblySemVer }}" -PprojVersionInfo="${{ steps.gitversion.outputs.InformationalVersion }}" prepareModulesDir + - name: Build installer (non-macos) + if: (matrix.os != 'macos-latest') + shell: bash run: ./gradlew -i -PprojVersion="${{ steps.gitversion.outputs.AssemblySemVer }}" -PprojVersionInfo="${{ steps.gitversion.outputs.InformationalVersion }}" jpackage + - name: Build dmg (macos) + if: (matrix.os == 'macos-latest') && (steps.checksecrets.outputs.secretspresent == 'YES') shell: bash - - name: Resign app image for OSX and build dmg + run: | + ${{env.JDK21}}/Contents/Home/bin/jpackage \ + --module org.jabref/org.jabref.cli.Launcher \ + --module-path ${{env.JDK21}}/Contents/Home/jmods/:build/jlinkbase/jlinkjars \ + --add-modules org.jabref,org.jabref.merged.module \ + --dest build/distribution \ + --name JabRef \ + --app-version ${{ steps.gitversion.outputs.Major }}.${{ steps.gitversion.outputs.Minor }} \ + --verbose \ + --mac-sign \ + --vendor JabRef \ + --mac-package-identifier Jabref \ + --mac-package-name JabRef \ + --type dmg --mac-signing-key-user-name "JabRef e.V. 
(6792V39SK3)" \ + --mac-package-signing-prefix org.jabref \ + --mac-entitlements buildres/mac/jabref.entitlements \ + --icon src/main/resources/icons/jabref.icns \ + --resource-dir buildres/mac \ + --file-associations buildres/mac/bibtexAssociations.properties \ + --jlink-options --bind-services + - name: Build pkg (macos) if: (matrix.os == 'macos-latest') && (steps.checksecrets.outputs.secretspresent == 'YES') shell: bash run: | - codesign --entitlements buildres/mac/jabref.entitlements --options runtime -vvv -f --sign "Developer ID Application: JabRef e.V. (6792V39SK3)" build/distribution/JabRef.app/Contents/runtime/Contents/MacOS/libjli.dylib - codesign --entitlements buildres/mac/jabref.entitlements --options runtime -vvv -f --sign "Developer ID Application: JabRef e.V. (6792V39SK3)" build/distribution/JabRef.app/Contents/MacOS/JabRef - codesign --entitlements buildres/mac/jabref.entitlements --options runtime -vvv -f --sign "Developer ID Application: JabRef e.V. (6792V39SK3)" build/distribution/JabRef.app - ${{env.JDK21}}/Contents/Home/bin/jpackage --type pkg --dest build/distribution --name JabRef --app-version "${{ steps.gitversion.outputs.Major }}.${{ steps.gitversion.outputs.Minor }}" --app-image build/distribution/JabRef.app --verbose --type dmg --vendor JabRef --app-version "${{ steps.gitversion.outputs.Major }}.${{ steps.gitversion.outputs.Minor }}" --file-associations buildres/mac/bibtexAssociations.properties --resource-dir buildres/mac - codesign -s "Developer ID Application: JabRef e.V. 
(6792V39SK3)" --options runtime --entitlements buildres/mac/jabref.entitlements -vvvv --deep "build/distribution/JabRef-${{ steps.gitversion.outputs.Major }}.${{ steps.gitversion.outputs.Minor }}.dmg" - ${{env.JDK21}}/Contents/Home/bin/jpackage --type pkg --dest build/distribution --name JabRef --mac-package-identifier JabRef --app-version "${{ steps.gitversion.outputs.Major }}.${{ steps.gitversion.outputs.Minor }}" --app-image build/distribution/JabRef.app --verbose --type pkg --vendor JabRef --app-version "${{ steps.gitversion.outputs.Major }}.${{ steps.gitversion.outputs.Minor }}" --file-associations buildres/mac/bibtexAssociations.properties --resource-dir buildres/mac - productsign --sign "Developer ID Installer: JabRef e.V. (6792V39SK3)" "build/distribution/JabRef-${{ steps.gitversion.outputs.Major }}.${{ steps.gitversion.outputs.Minor }}.pkg" "build/distribution/JabRef-${{ steps.gitversion.outputs.Major }}.${{ steps.gitversion.outputs.Minor }}-signed.pkg" - - name: Package application image - if: (matrix.os != 'macos-latest') || (steps.checksecrets.outputs.secretspresent == 'YES') + ${{env.JDK21}}/Contents/Home/bin/jpackage \ + --module org.jabref/org.jabref.cli.Launcher \ + --module-path ${{env.JDK21}}/Contents/Home/jmods/:build/jlinkbase/jlinkjars \ + --add-modules org.jabref,org.jabref.merged.module \ + --dest build/distribution \ + --name JabRef \ + --app-version ${{ steps.gitversion.outputs.Major }}.${{ steps.gitversion.outputs.Minor }} \ + --verbose \ + --mac-sign \ + --vendor JabRef \ + --mac-package-identifier Jabref \ + --mac-package-name JabRef \ + --type pkg --mac-signing-key-user-name "JabRef e.V. 
(6792V39SK3)" \ + --mac-package-signing-prefix org.jabref \ + --mac-entitlements buildres/mac/jabref.entitlements \ + --icon src/main/resources/icons/jabref.icns \ + --resource-dir buildres/mac \ + --file-associations buildres/mac/bibtexAssociations.properties \ + --jlink-options --bind-services + - name: Package application image (non-macos) + if: (matrix.os != 'macos-latest') shell: bash run: ${{ matrix.archivePortable }} - name: Rename files @@ -180,20 +222,20 @@ jobs: ar -m -c -a sdsd jabref_${{ steps.gitversion.outputs.Major }}.${{ steps.gitversion.outputs.Minor }}_amd64_repackaged.deb debian-binary control.tar.xz data.tar.xz rm debian-binary control.tar.* data.tar.* mv -f jabref_${{ steps.gitversion.outputs.Major }}.${{ steps.gitversion.outputs.Minor }}_amd64_repackaged.deb jabref_${{ steps.gitversion.outputs.Major }}.${{ steps.gitversion.outputs.Minor }}_amd64.deb - - name: Upload to GitHub workflow artifacts store (non-Mac) + - name: Upload to GitHub workflow artifacts store (non-macos) if: (matrix.os != 'macos-latest') uses: actions/upload-artifact@v3 with: name: JabRef-${{ matrix.displayName }} path: build/distribution - - name: Upload to GitHub workflow artifacts store (Mac) + - name: Upload to GitHub workflow artifacts store (macos) if: (matrix.os == 'macos-latest') && (steps.checksecrets.outputs.secretspresent == 'YES') uses: actions/upload-artifact@v3 with: - name: JabRef-macOS-signed + # tbn = to-be-notarized + name: JabRef-macOS-tbn path: build/distribution notarize: # outsourced in a separate job to be able to rerun if this fails for timeouts - if: ${{ false }} # disable for v5.9 since apple notarization fails name: Notarize and package Mac OS binaries runs-on: macos-latest needs: [build] 
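Review bot: `--mac-package-identifier Jabref` in the new `Build dmg (macos)` and `Build pkg (macos)` steps uses a lowercase `r`, unlike the removed `--mac-package-identifier JabRef` and the adjacent `--mac-package-name JabRef`; if the bundle identifier is not meant to change, this should read `--mac-package-identifier JabRef`. jpackage uses that value as the app's bundle identifier, so a silent change can affect how macOS and Gatekeeper relate the new build to earlier installs and notarization records — worth confirming before a tagged release. The two invocations also differ only in `--type`, here and in the arm64 workflow's matching hunk; hoisting the shared arguments into a step-level `env:` value or one step that loops over `dmg pkg` would remove roughly twenty duplicated lines per file.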
@@ -214,50 +256,37 @@ jobs: uses: actions/checkout@v3 with: fetch-depth: 0 + - name: Install GitVersion + uses: gittools/actions/gitversion/setup@v0.10.2 + with: + versionSpec: "5.x" - name: Run GitVersion - if: steps.checksecrets.outputs.secretspresent == 'YES' id: gitversion - shell: bash - run: | - echo "AssemblySemVer=5.9.60000" >> $GITHUB_OUTPUT - echo "InformationalVersion=5.9--`git log -1 --pretty='format:%cd' --date=format:'%Y-%m-%d'`--`git log -1 --format=%h`" >> $GITHUB_OUTPUT - echo "Major=5" >> $GITHUB_OUTPUT - echo "Minor=9" >> $GITHUB_OUTPUT + uses: gittools/actions/gitversion/execute@v0.10.2 - name: Get macOS binaries if: steps.checksecrets.outputs.secretspresent == 'YES' uses: actions/download-artifact@master with: - name: JabRef-macOS-signed + name: JabRef-macOS-tbn path: build/distribution/ - - name: Notarize dmg and pkg installer - if: startsWith(github.ref, 'refs/tags/') && (steps.checksecrets.outputs.secretspresent == 'YES') + - name: Notarize dmg + if: (startsWith(github.ref, 'refs/tags/') || (${{ inputs.notarization }})) && (steps.checksecrets.outputs.secretspresent == 'YES') + shell: bash + run: | + xcrun notarytool store-credentials "notarytool-profile" --apple-id "vorstand@jabref.org" --team-id "6792V39SK3" --password "${{ secrets.OSX_NOTARIZATION_APP_PWD }}" + xcrun notarytool submit build/distribution/JabRef-${{ steps.gitversion.outputs.Major }}.${{ steps.gitversion.outputs.Minor }}.dmg --keychain-profile "notarytool-profile" --wait + xcrun stapler staple build/distribution/JabRef-${{ steps.gitversion.outputs.Major }}.${{ steps.gitversion.outputs.Minor }}.dmg + - name: Notarize pkg + if: (startsWith(github.ref, 'refs/tags/') || (${{ inputs.notarization }})) && (steps.checksecrets.outputs.secretspresent == 'YES') shell: bash run: | - REQUEST_UUID_DMG=$(xcrun altool --verbose --notarize-app --primary-bundle-id "org.jabref" --username ${{ secrets.OSX_NOTARIZATION_APP_USERNAME }} --password ${{ secrets.OSX_NOTARIZATION_APP_PWD }} 
--asc-provider "6792V39SK3" --file "build/distribution/JabRef-${{ steps.gitversion.outputs.Major }}.${{ steps.gitversion.outputs.Minor }}.dmg" | grep RequestUUID | awk '{print $3}') - while xcrun altool --notarization-info "$REQUEST_UUID_DMG" -u ${{ secrets.OSX_NOTARIZATION_APP_USERNAME }} -p ${{ secrets.OSX_NOTARIZATION_APP_PWD }} | grep "Status: in progress" > /dev/null; do - echo "Verification in progress..." - sleep 30 - done - codesign -vvv --deep --strict "build/distribution/JabRef-${{ steps.gitversion.outputs.Major }}.${{ steps.gitversion.outputs.Minor }}.dmg" - codesign -dvv "build/distribution/JabRef-${{ steps.gitversion.outputs.Major }}.${{ steps.gitversion.outputs.Minor }}.dmg" - REQUEST_UUID_PKG=$(xcrun altool --verbose --notarize-app --primary-bundle-id "org.jabref" --username ${{ secrets.OSX_NOTARIZATION_APP_USERNAME }} --password ${{ secrets.OSX_NOTARIZATION_APP_PWD }} --asc-provider "6792V39SK3" --file "build/distribution/JabRef-${{ steps.gitversion.outputs.Major }}.${{ steps.gitversion.outputs.Minor }}-signed.pkg" | grep RequestUUID | awk '{print $3}') - while xcrun altool --notarization-info "$REQUEST_UUID_PKG" -u ${{ secrets.OSX_NOTARIZATION_APP_USERNAME }} -p ${{ secrets.OSX_NOTARIZATION_APP_PWD }} | grep "Status: in progress" > /dev/null; do - echo "Verification in progress..." 
- sleep 30 - done - xcrun stapler staple "build/distribution/JabRef-${{ steps.gitversion.outputs.Major }}.${{ steps.gitversion.outputs.Minor }}-signed.pkg" - rm "build/distribution/JabRef-${{ steps.gitversion.outputs.Major }}.${{ steps.gitversion.outputs.Minor }}.pkg" - mv "build/distribution/JabRef-${{ steps.gitversion.outputs.Major }}.${{ steps.gitversion.outputs.Minor }}-signed.pkg" "build/distribution/JabRef-${{ steps.gitversion.outputs.Major }}.${{ steps.gitversion.outputs.Minor }}.pkg" + xcrun notarytool store-credentials "notarytool-profile" --apple-id "vorstand@jabref.org" --team-id "6792V39SK3" --password "${{ secrets.OSX_NOTARIZATION_APP_PWD }}" + xcrun notarytool submit build/distribution/JabRef-${{ steps.gitversion.outputs.Major }}.${{ steps.gitversion.outputs.Minor }}.pkg --keychain-profile "notarytool-profile" --wait + xcrun stapler staple build/distribution/JabRef-${{ steps.gitversion.outputs.Major }}.${{ steps.gitversion.outputs.Minor }}.pkg - name: Package application image if: (steps.checksecrets.outputs.secretspresent == 'YES') shell: bash run: ${{ matrix.archivePortable }} - - name: Rename files - if: (steps.checksecrets.outputs.secretspresent == 'YES') - shell: pwsh - run: | - get-childitem -Path build/distribution/* | rename-item -NewName {$_.name -replace "${{ steps.gitversion.outputs.AssemblySemVer }}","${{ steps.gitversion.outputs.Major }}.${{ steps.gitversion.outputs.Minor }}"} - get-childitem -Path build/distribution/* | rename-item -NewName {$_.name -replace "portable","${{ steps.gitversion.outputs.Major }}.${{ steps.gitversion.outputs.Minor }}-portable"} - name: Upload to GitHub workflow artifacts store if: (steps.checksecrets.outputs.secretspresent == 'YES') uses: actions/upload-artifact@v3 @@ -269,7 +298,7 @@ jobs: fail-fast: false name: Deploy binaries on builds.jabref.org runs-on: ubuntu-latest - needs: [build] + needs: [build, notarize] steps: - name: Check secrets presence id: checksecrets 
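Review bot: The new `Notarize dmg` and `Notarize pkg` steps drop the post-notarization checks the old step ran (`codesign -vvv --deep --strict` and `codesign -dvv` on the dmg), and the arm64 counterpart likewise loses its `spctl -a -t open --context context:primary-signature -vv` assessment, so a staple that left an artifact Gatekeeper would still reject is uploaded and deployed unnoticed. Re-adding `codesign -vvv --deep --strict build/distribution/JabRef-${{ steps.gitversion.outputs.Major }}.${{ steps.gitversion.outputs.Minor }}.dmg` after the `stapler staple` line (and `spctl -a -vv -t install` on the pkg) restores a fail-fast check in both workflows. Separately, `${{ inputs.notarization }}` is interpolated inside an `if:` that the runner already evaluates as an expression; writing `inputs.notarization` without the braces avoids relying on how string substitution and expression evaluation combine.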
@@ -309,11 +338,17 @@ jobs: with: name: JabRef-windows path: build/distribution - - name: Get macOS binaries - if: steps.checksecrets.outputs.secretspresent == 'YES' + - name: Get macOS binaries unsigned + if: steps.checksecrets.outputs.secretspresent == 'YES' && ! (${{ inputs.notarization }})) && ! (startsWith(github.ref, 'refs/tags/') uses: actions/download-artifact@master with: - name: JabRef-macOS-signed + name: JabRef-macOS-tbn + path: build/distribution/ + - name: Get macOS binaries notarized + if: (startsWith(github.ref, 'refs/tags/') || (${{ inputs.notarization }})) && (steps.checksecrets.outputs.secretspresent == 'YES') + uses: actions/download-artifact@master + with: + name: JabRef-macOS path: build/distribution/ - name: Deploy to builds.jabref.org id: deploy
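Review bot: The `if:` on the new `Get macOS binaries unsigned` step has mismatched parentheses — `! (${{ inputs.notarization }}))` closes one group too many and `! (startsWith(github.ref, 'refs/tags/')` one too few — so the expression will not parse and the step errors out. Write it as `if: steps.checksecrets.outputs.secretspresent == 'YES' && !inputs.notarization && !startsWith(github.ref, 'refs/tags/')`, which is also the exact negation of the condition on the following `Get macOS binaries notarized` step. Because both steps download into `build/distribution/`, keeping the two conditions mutually exclusive matters; a comment such as `# exactly one of the two macOS downloads runs: notarized on tags or on request, otherwise the signed-but-unnotarized build` would document the intent.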