release.yml
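# Release workflow: on a pushed tag matching release*, build the Planet macOS
# app, sign the bundled Sparkle components with a Developer ID certificate,
# notarize and staple the app, publish Planet.zip to a GitHub release and to
# DigitalOcean Spaces, then regenerate and upload the Sparkle appcast.
#
# Hardening convention used below: secrets and the tag-derived
# RELEASE_VERSION reach shell steps through `env:` and are read as quoted
# shell variables. Writing `${{ ... }}` directly inside `run:` pastes the
# value into the script text before the shell parses it, so any shell
# metacharacters in the value would be interpreted as code.
name: release

on:
  push:
    tags: ['release*']

jobs:
  release:
    # NOTE(review): self-hosted runners keep state between jobs and this job
    # handles signing and upload credentials; confirm that only trusted
    # maintainers can push release* tags.
    runs-on: self-hosted
    # Least privilege for GITHUB_TOKEN: the release step needs to write
    # repository contents (releases); nothing else is requested.
    permissions:
      contents: write
    strategy:
      matrix:
        run-config:
          - scheme: 'Planet'
            destination: 'platform=macOS'
    steps:
      - name: Checkout Repository
        uses: actions/checkout@v3
        with:
          lfs: true

      - name: Checkout LFS objects
        run: git lfs pull

      # Point Sparkle at the production appcast feed (HTTPS) for release builds.
      - name: Set release SUFeedURL
        run: /usr/libexec/PlistBuddy -c "Set :SUFeedURL https://opensource.planetable.xyz/planet/appcast.xml" Planet/Info.plist

      # Resolve packages strictly from the committed Package.resolved file.
      - name: Fix Package Dependencies
        run: xcodebuild -resolvePackageDependencies -onlyUsePackageVersionsFromResolvedFile

      - name: Show Build Version
        run: xcodebuild -version

      - name: Show Build Settings
        run: xcodebuild -showBuildSettings

      - name: Show Build SDK
        run: xcodebuild -showsdks

      - name: Show Available Destinations
        env:
          scheme: ${{ matrix.run-config['scheme'] }}
        run: xcodebuild -scheme "${scheme}" -showdestinations

      # Strip the leading refs/<kind>/ from the pushed ref and export the
      # remainder (the tag name) to later steps as RELEASE_VERSION.
      - name: Set ENV
        run: echo "RELEASE_VERSION=${GITHUB_REF#refs/*/}" >> "$GITHUB_ENV"

      - name: Install the Apple certificate
        env:
          BUILD_CERTIFICATE_BASE64: ${{ secrets.BUILD_CERTIFICATE_BASE64 }}
          P12_PASSWORD: ${{ secrets.P12_PASSWORD }}
          KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }}
        run: |
          # create variables
          CERTIFICATE_PATH="$RUNNER_TEMP/build_certificate.p12"
          KEYCHAIN_PATH="$RUNNER_TEMP/app-signing.keychain-db"
          # import certificate from secrets
          echo -n "$BUILD_CERTIFICATE_BASE64" | base64 -d -o "$CERTIFICATE_PATH"
          # create temporary keychain; it locks on sleep and after 21600 s
          security create-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
          security set-keychain-settings -lut 21600 "$KEYCHAIN_PATH"
          security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
          # import certificate to keychain
          # NOTE(review): -A lets any application use the imported key without
          # a prompt; confirm that is acceptable on this runner.
          security import "$CERTIFICATE_PATH" -P "$P12_PASSWORD" -A -t cert -f pkcs12 -k "$KEYCHAIN_PATH"
          # NOTE(review): -s replaces the user's keychain search list with
          # this keychain only, and the cleanup step does not restore the
          # previous list; verify this is intended on a persistent machine.
          security list-keychain -d user -s "$KEYCHAIN_PATH"

      - name: Build
        env:
          scheme: ${{ matrix.run-config['scheme'] }}
        run: |
          xcodebuild archive -scheme "${scheme}" -archivePath archive/Planet.xcarchive -showBuildTimingSummary -allowProvisioningUpdates

      - name: Prepare for Codesign
        run: |
          mkdir to-be-signed
          ditto archive/Planet.xcarchive/Products/Applications/Planet.app to-be-signed/Planet.app

      - name: Codesign with Developer ID
        env:
          DEVELOPER_NAME: ${{ secrets.DEVELOPER_NAME }}
        run: |
          identity="Developer ID Application: $DEVELOPER_NAME"
          sparkle=to-be-signed/Planet.app/Contents/Frameworks/Sparkle.framework
          # Nested Sparkle components are signed first, the enclosing
          # framework last.
          for target in \
            "$sparkle/Versions/B/XPCServices/Installer.xpc" \
            "$sparkle/Versions/B/Autoupdate" \
            "$sparkle/Versions/B/Updater.app" \
            "$sparkle"
          do
            xcrun codesign --options runtime --deep --force --verbose --timestamp --sign "$identity" "$target"
          done

      - name: Prepare for Notarization
        run: |
          ditto -c -k --keepParent to-be-signed/Planet.app Planet.zip

      - name: Submit for Notarization
        env:
          NOTARIZE_USERNAME: ${{ secrets.NOTARIZE_USERNAME }}
          NOTARIZE_PASSWORD: ${{ secrets.NOTARIZE_PASSWORD }}
          TEAM_ID: ${{ secrets.TEAM_ID }}
        run: |
          # NOTE(review): the password is still passed as a command-line
          # argument and is visible to other processes on the runner while
          # notarytool runs; a profile saved with
          # `notarytool store-credentials` and used via --keychain-profile
          # would avoid that.
          xcrun notarytool submit Planet.zip --apple-id "$NOTARIZE_USERNAME" --password "$NOTARIZE_PASSWORD" --team-id "$TEAM_ID" --wait --timeout 10m --verbose

      - name: Staple
        run: |
          xcrun stapler staple -v to-be-signed/Planet.app

      # Re-create the archive so the published zip contains the stapled app.
      - name: Prepare for Release
        run: |
          ditto -c -k --keepParent to-be-signed/Planet.app Planet.zip

      # NOTE(review): third-party action referenced by a mutable tag; pinning
      # to a full commit SHA keeps the code that receives GITHUB_TOKEN fixed.
      - name: Release App
        uses: softprops/action-gh-release@v1
        with:
          files: Planet.zip
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

      # NOTE(review): third-party action referenced by a mutable tag while
      # receiving the Spaces access keys; pin to a full commit SHA.
      - name: Upload to DigitalOcean Spaces
        uses: BetaHuhn/do-spaces-action@v2
        with:
          access_key: ${{ secrets.DO_ACCESS_KEY }}
          secret_key: ${{ secrets.DO_SECRET_KEY }}
          space_name: ${{ secrets.DO_SPACE_NAME }}
          space_region: ${{ secrets.DO_SPACE_REGION }}
          source: Planet.zip
          out_dir: planet/${{ env.RELEASE_VERSION }}

      - name: Prepare for Sparkle Appcast
        env:
          WORKPLACE: ${{ github.workspace }}
        run: |
          mkdir -p Release
          cp Planet.zip Release/
          # NOTE(review): the SPARKLE_GENERATE secret is pasted into the
          # script and executed as a command, so whoever can set that secret
          # decides what runs here; consider a script path fixed in the
          # repository or runner configuration instead.
          # RELEASE_VERSION is read from the environment (set by "Set ENV")
          # rather than interpolated, so the tag name is treated as data.
          ${{ secrets.SPARKLE_GENERATE }} "$WORKPLACE/Release" "$RELEASE_VERSION"

      # NOTE(review): same mutable-tag pinning concern as the upload above.
      - name: Upload Sparkle Appcast
        uses: BetaHuhn/do-spaces-action@v2
        with:
          access_key: ${{ secrets.DO_ACCESS_KEY }}
          secret_key: ${{ secrets.DO_SECRET_KEY }}
          space_name: ${{ secrets.DO_SPACE_NAME }}
          space_region: ${{ secrets.DO_SPACE_REGION }}
          source: Release/appcast.xml
          out_dir: planet

      - name: Purge CDN Cache (appcast.xml file only)
        env:
          DO_PLATFORM_TOKEN: ${{ secrets.DO_PLATFORM_TOKEN }}
          DO_CDN_ENDPOINT_ID: ${{ secrets.DO_CDN_ENDPOINT_ID }}
        run: |
          curl -X DELETE \
            -H "Content-Type: application/json" \
            -H "Authorization: Bearer $DO_PLATFORM_TOKEN" \
            -d '{"files": ["planet/appcast.xml"]}' \
            "https://api.digitalocean.com/v2/cdn/endpoints/$DO_CDN_ENDPOINT_ID/cache"

      # Runs even when an earlier step failed so signing material does not
      # linger on the self-hosted machine.
      - name: Cleanup Keychain
        if: ${{ always() }}
        run: |
          # Remove the decoded certificate first; rm -f cannot fail the step.
          rm -f "$RUNNER_TEMP/build_certificate.p12"
          security delete-keychain "$RUNNER_TEMP/app-signing.keychain-db"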