Skip to content

Only enable no unused users if user is admin #757

Only enable no unused users if user is admin

Only enable no unused users if user is admin #757

Workflow file for this run

name: Test and Build
on:
push:
branches: [main]
pull_request:
branches: [main]
jobs:
lint:
name: Lint
runs-on: macos-latest
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}-lint
cancel-in-progress: true
steps:
- uses: maxim-lobanov/setup-xcode@v1
with:
xcode-version: "latest-stable"
- name: Repository checkout
uses: actions/checkout@v3
- name: Cache mint modules
uses: actions/cache@v3
env:
cache-name: cache-mint-v2
with:
path: ~/.mint
key: ${{ runner.os }}-mint-${{ env.cache-name }}-${{ hashFiles('Mintfile') }}
restore-keys: |
${{ runner.os }}-mint-${{ env.cache-name }}-
- name: Install mint and packages
run: brew install mint && mint bootstrap
- name: Lint
run: make lint
# test:
# name: Unit and UI Tests
# runs-on: apple-silicon
# needs: lint
# timeout-minutes: 60
# concurrency:
# group: ${{ github.workflow }}-${{ github.ref }}-test
# cancel-in-progress: true
# permissions:
# issues: write
# pull-requests: write
# steps:
# - uses: maxim-lobanov/setup-xcode@v1
# with:
# xcode-version: "latest-stable"
# - name: "Import Certificate: Development"
# env:
# DEVELOPMENT_CERTIFICATE_DATA: ${{ secrets.DEVELOPMENT_CERTIFICATE_DATA }}
# DEVELOPMENT_CERTIFICATE_PASSPHRASE: ${{ secrets.DEVELOPMENT_CERTIFICATE_PASSPHRASE }}
# KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }}
# run: |
# # create variables
# CERTIFICATE_PATH=$RUNNER_TEMP/dev_certificate.p12
# KEYCHAIN_PATH=$RUNNER_TEMP/app-signing.keychain-db
# # import certificate and provisioning profile from secrets
# echo -n "$DEVELOPMENT_CERTIFICATE_DATA" | base64 --decode >$CERTIFICATE_PATH
# # create temporary keychain
# security create-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH || true
# security set-keychain-settings -lut 21600 $KEYCHAIN_PATH
# security unlock-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
# # import certificate to keychain
# security import $CERTIFICATE_PATH -P "$DEVELOPMENT_CERTIFICATE_PASSPHRASE" -A -t cert -f pkcs12 -k $KEYCHAIN_PATH
# security list-keychain -d user -s $KEYCHAIN_PATH
# - name: "Import Certificate: Developer ID Application"
# env:
# APPLICATION_CERTIFICATE_DATA: ${{ secrets.APPLICATION_CERTIFICATE_DATA }}
# APPLICATION_CERTIFICATE_PASSPHRASE: ${{ secrets.APPLICATION_CERTIFICATE_PASSPHRASE }}
# KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }}
# run: |
# # create variables
# CERTIFICATE_PATH=$RUNNER_TEMP/dev_certificate.p12
# KEYCHAIN_PATH=$RUNNER_TEMP/app-signing.keychain-db
# # import certificate and provisioning profile from secrets
# echo -n "$APPLICATION_CERTIFICATE_DATA" | base64 --decode >$CERTIFICATE_PATH
# # create temporary keychain
# security create-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH || true
# security set-keychain-settings -lut 21600 $KEYCHAIN_PATH
# security unlock-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
# # import certificate to keychain
# security import $CERTIFICATE_PATH -P "$APPLICATION_CERTIFICATE_PASSPHRASE" -A -t cert -f pkcs12 -k $KEYCHAIN_PATH
# security list-keychain -d user -s $KEYCHAIN_PATH
# - name: Repository checkout
# uses: actions/checkout@v3
# - name: Cache mint modules
# uses: actions/cache@v3
# env:
# cache-name: cache-mint-v2
# with:
# path: ~/.mint
# key: ${{ runner.os }}-mint-${{ env.cache-name }}-${{ hashFiles('Mintfile') }}
# restore-keys: |
# ${{ runner.os }}-mint-${{ env.cache-name }}-
# - name: Install mint and packages
# run: brew install mint && mint bootstrap
# - name: Cache SPM modules
# uses: actions/cache@v3
# env:
# cache-name: cache-spm-v2
# with:
# path: SourcePackages
# key: ${{ runner.os }}-spm-${{ env.cache-name }}-${{ hashFiles('Pareto Security.xcodeproj/project.xcworkspace/xcshareddata/swiftpm/Package.resolved') }}
# restore-keys: |
# ${{ runner.os }}-spm-${{ env.cache-name }}-
# - name: Tests
# run: make test
# - name: Upload BlueRacer reports
# run: bash <(curl -s https://app.blueracer.io/upload) || true
# env:
# BLUERACER_TOKEN: ${{ secrets.BLUERACER_TOKEN }}
# - name: Update coverage
# run: bash <(curl -s https://codecov.io/bash)
# - name: Gather screenshots
# run: |
# mkdir -p "${{ runner.temp }}/screenshots/"
# # export the screenshots
# mint run ChargePoint/xcparse xcparse screenshots --test ./test.xcresult '${{ runner.temp }}/screenshots'
# - name: Upload screenshots
# uses: actions/upload-artifact@v2
# with:
# name: screenshots-${{ github.run_number }}
# path: ${{ runner.temp }}/screenshots
# - uses: mshick/add-pr-comment@v1
# with:
# message: |
# You can find the app screenshots under the Artifacts at https://github.com/ParetoSecurity/pareto-mac/actions/runs/${{ github.run_id }}
# repo-token: ${{ secrets.GITHUB_TOKEN }}
# repo-token-user-login: "github-actions[bot]"
build:
name: Build and Archive Native
needs: lint
runs-on: macos-latest
timeout-minutes: 15
permissions:
issues: write
pull-requests: write
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}-build
cancel-in-progress: true
steps:
- uses: mshick/add-pr-comment@v1
with:
message: |
You can find the built app under the Artifacts at https://github.com/ParetoSecurity/pareto-mac/actions/runs/${{ github.run_id }}
repo-token: ${{ secrets.GITHUB_TOKEN }}
repo-token-user-login: "github-actions[bot]"
- uses: maxim-lobanov/setup-xcode@v1
with:
xcode-version: "latest-stable"
- name: "Import Certificate: Development"
env:
DEVELOPMENT_CERTIFICATE_DATA: ${{ secrets.DEVELOPMENT_CERTIFICATE_DATA }}
DEVELOPMENT_CERTIFICATE_PASSPHRASE: ${{ secrets.DEVELOPMENT_CERTIFICATE_PASSPHRASE }}
KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }}
run: |
# create variables
CERTIFICATE_PATH=$RUNNER_TEMP/dev_certificate.p12
KEYCHAIN_PATH=$RUNNER_TEMP/app-signing.keychain-db
# import certificate and provisioning profile from secrets
echo -n "$DEVELOPMENT_CERTIFICATE_DATA" | base64 --decode >$CERTIFICATE_PATH
# create temporary keychain
security create-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH || true
security set-keychain-settings -lut 21600 $KEYCHAIN_PATH
security unlock-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
# import certificate to keychain
security import $CERTIFICATE_PATH -P "$DEVELOPMENT_CERTIFICATE_PASSPHRASE" -A -t cert -f pkcs12 -k $KEYCHAIN_PATH
security list-keychain -d user -s $KEYCHAIN_PATH
- name: "Import Certificate: Developer ID Application"
env:
APPLICATION_CERTIFICATE_DATA: ${{ secrets.APPLICATION_CERTIFICATE_DATA }}
APPLICATION_CERTIFICATE_PASSPHRASE: ${{ secrets.APPLICATION_CERTIFICATE_PASSPHRASE }}
KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }}
run: |
# create variables
CERTIFICATE_PATH=$RUNNER_TEMP/dev_certificate.p12
KEYCHAIN_PATH=$RUNNER_TEMP/app-signing.keychain-db
# import certificate and provisioning profile from secrets
echo -n "$APPLICATION_CERTIFICATE_DATA" | base64 --decode >$CERTIFICATE_PATH
# create temporary keychain
security create-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH || true
security set-keychain-settings -lut 21600 $KEYCHAIN_PATH
security unlock-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
# import certificate to keychain
security import $CERTIFICATE_PATH -P "$APPLICATION_CERTIFICATE_PASSPHRASE" -A -t cert -f pkcs12 -k $KEYCHAIN_PATH
security list-keychain -d user -s $KEYCHAIN_PATH
- name: Repository checkout
uses: actions/checkout@v3
- name: Cache mint modules
uses: actions/cache@v3
env:
cache-name: cache-mint-v2
with:
path: ~/.mint
key: ${{ runner.os }}-mint-${{ env.cache-name }}-${{ hashFiles('Mintfile') }}
restore-keys: |
${{ runner.os }}-mint-${{ env.cache-name }}-
- name: Install mint and packages
run: brew install mint && mint bootstrap
- name: Cache SPM modules
uses: actions/cache@v3
env:
cache-name: cache-spm-v2
with:
path: SourcePackages
key: ${{ runner.os }}-spm-${{ env.cache-name }}-${{ hashFiles('Pareto Security.xcodeproj/project.xcworkspace/xcshareddata/swiftpm/Package.resolved') }}
restore-keys: |
${{ runner.os }}-spm-${{ env.cache-name }}-
- name: Cache DerivedData
uses: actions/cache@v3
env:
cache-name: build-derived-data-v2
with:
path: ~/Library/Developer/Xcode/DerivedData
key: ${{ runner.os }}-${{ env.cache-name }}
restore-keys: |
${{ runner.os }}-${{ env.cache-name }}-
- name: Build
run: set -o pipefail && make archive-debug 2>&1 | mint run xcbeautify
# run: make archive-debug
- name: Compress app for storage
run: ditto -V -c -k --keepParent Export/Pareto\ Security.app ParetoSecurity.app.zip
- name: Upload App to Artifacts
uses: actions/upload-artifact@v2
with:
name: ParetoSecurity.app
path: ParetoSecurity.app.zip
- name: Publish hashes
run: |
echo "## Debug build" >> $GITHUB_STEP_SUMMARY
openssl md5 Export/Pareto\ Security.app/Contents/MacOS/Pareto\ Security >> $GITHUB_STEP_SUMMARY
openssl sha1 Export/Pareto\ Security.app/Contents/MacOS/Pareto\ Security >> $GITHUB_STEP_SUMMARY
openssl sha256 Export/Pareto\ Security.app/Contents/MacOS/Pareto\ Security >> $GITHUB_STEP_SUMMARY
test-profile-default:
strategy:
matrix:
os: [macos-12, macos-latest]
runs-on: ${{ matrix.os }}
name: Profile - Default
timeout-minutes: 6
needs: build
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}-test-profile-default
steps:
- name: Repository checkout
uses: actions/checkout@v3
- name: Download the build output
uses: actions/download-artifact@v3
with:
name: ParetoSecurity.app
- name: Patch permissions kTCCServiceAppleEvents
run: |
epochdate=$(($(date +'%s * 1000 + %-N / 1000000')))
tcc_update="replace into access (service,client,client_type,auth_value,auth_reason,auth_version,indirect_object_identifier,flags,last_modified) values (\"kTCCServiceAppleEvents\",\"niteo.co.Pareto\",0,2,3,1,\"com.apple.systemevents\",0,$epochdate);"
tcc_service_accessibility="replace into access (service,client,client_type,auth_value,auth_reason,auth_version,indirect_object_identifier,flags,last_modified) values (\"kTCCServiceAccessibility\",\"com.apple.dt.Xcode-Helper\",0,2,1,1,\"UNUSED\",0,$epochdate);"
tcc_service_developer_tool="replace into access (service,client,client_type,auth_value,auth_reason,auth_version,indirect_object_identifier,flags,last_modified) values (\"kTCCServiceDeveloperTool\",\"com.apple.Terminal\",0,2,1,1,\"UNUSED\",0,$epochdate);"
sudo sqlite3 "$HOME/Library/Application Support/com.apple.TCC/TCC.db" "$tcc_service_accessibility"
sudo sqlite3 "$HOME/Library/Application Support/com.apple.TCC/TCC.db" "$tcc_service_developer_tool"
sudo sqlite3 "$HOME/Library/Application Support/com.apple.TCC/TCC.db" "$tcc_update"
- name: Generate Profile
run: .github/bin/profile default
test-profile-bad:
strategy:
matrix:
os: [macos-12, macos-latest]
runs-on: ${{ matrix.os }}
name: Profile - Bad
timeout-minutes: 6
needs: build
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}-test-profile-bad
steps:
- name: Repository checkout
uses: actions/checkout@v3
- name: Download the build output
uses: actions/download-artifact@v3
with:
name: ParetoSecurity.app
- name: Patch permissions kTCCServiceAppleEvents
run: |
epochdate=$(($(date +'%s * 1000 + %-N / 1000000')))
tcc_update="replace into access (service,client,client_type,auth_value,auth_reason,auth_version,indirect_object_identifier,flags,last_modified) values (\"kTCCServiceAppleEvents\",\"niteo.co.Pareto\",0,2,3,1,\"com.apple.systemevents\",0,$epochdate);"
tcc_service_accessibility="replace into access (service,client,client_type,auth_value,auth_reason,auth_version,indirect_object_identifier,flags,last_modified) values (\"kTCCServiceAccessibility\",\"com.apple.dt.Xcode-Helper\",0,2,1,1,\"UNUSED\",0,$epochdate);"
tcc_service_developer_tool="replace into access (service,client,client_type,auth_value,auth_reason,auth_version,indirect_object_identifier,flags,last_modified) values (\"kTCCServiceDeveloperTool\",\"com.apple.Terminal\",0,2,1,1,\"UNUSED\",0,$epochdate);"
sudo sqlite3 "$HOME/Library/Application Support/com.apple.TCC/TCC.db" "$tcc_service_accessibility"
sudo sqlite3 "$HOME/Library/Application Support/com.apple.TCC/TCC.db" "$tcc_service_developer_tool"
sudo sqlite3 "$HOME/Library/Application Support/com.apple.TCC/TCC.db" "$tcc_update"
- name: Generate Profile
run: .github/bin/profile bad
build-setapp:
name: Build and Archive SetApp
runs-on: macos-latest
timeout-minutes: 15
needs: lint
permissions:
issues: write
pull-requests: write
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}-build-setapp
cancel-in-progress: true
steps:
- uses: mshick/add-pr-comment@v1
with:
message: |
You can find the built app under the Artifacts at https://github.com/ParetoSecurity/pareto-mac/actions/runs/${{ github.run_id }}
repo-token: ${{ secrets.GITHUB_TOKEN }}
repo-token-user-login: "github-actions[bot]"
- uses: maxim-lobanov/setup-xcode@v1
with:
xcode-version: "latest-stable"
- name: "Import Certificate: Development"
env:
DEVELOPMENT_CERTIFICATE_DATA: ${{ secrets.DEVELOPMENT_CERTIFICATE_DATA }}
DEVELOPMENT_CERTIFICATE_PASSPHRASE: ${{ secrets.DEVELOPMENT_CERTIFICATE_PASSPHRASE }}
KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }}
run: |
# create variables
CERTIFICATE_PATH=$RUNNER_TEMP/dev_certificate.p12
KEYCHAIN_PATH=$RUNNER_TEMP/app-signing.keychain-db
# import certificate and provisioning profile from secrets
echo -n "$DEVELOPMENT_CERTIFICATE_DATA" | base64 --decode >$CERTIFICATE_PATH
# create temporary keychain
security create-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH || true
security set-keychain-settings -lut 21600 $KEYCHAIN_PATH
security unlock-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
# import certificate to keychain
security import $CERTIFICATE_PATH -P "$DEVELOPMENT_CERTIFICATE_PASSPHRASE" -A -t cert -f pkcs12 -k $KEYCHAIN_PATH
security list-keychain -d user -s $KEYCHAIN_PATH
- name: "Import Certificate: Developer ID Application"
env:
APPLICATION_CERTIFICATE_DATA: ${{ secrets.APPLICATION_CERTIFICATE_DATA }}
APPLICATION_CERTIFICATE_PASSPHRASE: ${{ secrets.APPLICATION_CERTIFICATE_PASSPHRASE }}
KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }}
run: |
# create variables
CERTIFICATE_PATH=$RUNNER_TEMP/dev_certificate.p12
KEYCHAIN_PATH=$RUNNER_TEMP/app-signing.keychain-db
# import certificate and provisioning profile from secrets
echo -n "$APPLICATION_CERTIFICATE_DATA" | base64 --decode >$CERTIFICATE_PATH
# create temporary keychain
security create-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH || true
security set-keychain-settings -lut 21600 $KEYCHAIN_PATH
security unlock-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
# import certificate to keychain
security import $CERTIFICATE_PATH -P "$APPLICATION_CERTIFICATE_PASSPHRASE" -A -t cert -f pkcs12 -k $KEYCHAIN_PATH
security list-keychain -d user -s $KEYCHAIN_PATH
- name: Repository checkout
uses: actions/checkout@v3
- name: Cache mint modules
uses: actions/cache@v3
env:
cache-name: cache-mint-v2
with:
path: ~/.mint
key: ${{ runner.os }}-mint-${{ env.cache-name }}-${{ hashFiles('Mintfile') }}
restore-keys: |
${{ runner.os }}-mint-${{ env.cache-name }}-
- name: Install mint and packages
run: brew install mint && mint bootstrap
- name: Cache SPM modules
uses: actions/cache@v3
env:
cache-name: cache-spm-v2
with:
path: SourcePackages
key: ${{ runner.os }}-spm-${{ env.cache-name }}-${{ hashFiles('Pareto Security.xcodeproj/project.xcworkspace/xcshareddata/swiftpm/Package.resolved') }}
restore-keys: |
${{ runner.os }}-spm-${{ env.cache-name }}-
- name: Cache DerivedData
uses: actions/cache@v3
env:
cache-name: setapp-build-derived-data-v2
with:
path: ~/Library/Developer/Xcode/DerivedData
key: ${{ runner.os }}-${{ env.cache-name }}
restore-keys: |
${{ runner.os }}-${{ env.cache-name }}-
- name: Build
run: set -o pipefail && make archive-debug-setapp 2>&1 | mint run xcbeautify
#run: make archive-debug-setapp
- name: Compress app for storage
run: ditto -V -c -k --keepParent SetAppExport/Pareto\ Security.app ParetoSecuritySetApp.app.zip
- name: Upload App to Artifacts
uses: actions/upload-artifact@v2
with:
name: ParetoSecuritySetApp.app
path: ParetoSecuritySetApp.app.zip
- name: Publish hashes
run: |
echo "## Setapp" >> $GITHUB_STEP_SUMMARY
openssl md5 SetAppExport/Pareto\ Security.app/Contents/MacOS/Pareto\ Security\ SetApp >> $GITHUB_STEP_SUMMARY
openssl sha1 SetAppExport/Pareto\ Security.app/Contents/MacOS/Pareto\ Security\ SetApp >> $GITHUB_STEP_SUMMARY
openssl sha256 SetAppExport/Pareto\ Security.app/Contents/MacOS/Pareto\ Security\ SetApp >> $GITHUB_STEP_SUMMARY