forked from p0deje/Maccy
-
Notifications
You must be signed in to change notification settings - Fork 0
482 lines (422 loc) · 21.8 KB
/
build+appstoredeploy.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
name: Build Mac App Store Release
on:
workflow_dispatch:
inputs:
releaseVersion:
description: "Version to title release with (like: 1.0rc3), blank for project's version"
type: string
required: false
uploadToStore:
description: "Upload to App Store Connect"
type: boolean
required: true
default: false
env:
uploadToStoreDefault: true
projectfile: Maccy.xcodeproj
buildscheme: "Cleepp (App Store)"
productname: "Batch Clipboard"
bundlename: "Batch Clipboard.app"
builddir: Build/Products/Release
branch: forkmain
jobs:
build:
name: Build and Upload Cleepp AppStore Variant
runs-on: macos-15
steps:
- name: Checkout
uses: actions/checkout@v4
with:
fetch-depth: 0 # required for 'git show-ref --tags' to work
ref: "${{ env.branch }}"
- name: Patch Xcode 15.3
uses: jpmhouston/patch-package-resolved@v1
# this fixes a mysterious build failure
# xcodebuild: error: Could not resolve package dependencies:
# Package.resolved file is corrupted or malformed; fix or delete the file
# to continue: unknown 'PinsStorage' version '3'
# should probably remove this when upgrading the "runs-on" platform
- name: Install tools
# pandoc is used by sparkle step and by one of the xcode project's build rules
# create-dmg is to define dmg entirely from script below instead of using a tempplate
run: |
:
brew update
brew install pandoc create-dmg coreutils timelimit
if ! command -v xcodebuild >/dev/null 2>&1 || ! command -v xcrun >/dev/null 2>&1 \
|| ! command -v security >/dev/null 2>&1 || ! command -v plutil >/dev/null 2>&1 \
|| ! command -v xcbeautify >/dev/null 2>&1
then
echo "::error::Required executables not found: xcodebuild, xcrun, security, plutil, xcbeautify"
exit 1
fi
- name: Validate
id: version
run: |
:
echo "- Extract version and bundle id from the project"
xcodebuild -scheme "${{ env.buildscheme }}" -configuration Release \
-project "${{ env.projectfile }}" -showBuildSettings 2>/dev/null > buildsettings.txt
version=$(sed -nr 's/^.*MARKETING_VERSION = (.*)$/\1/p' < buildsettings.txt)
if [[ -z $version ]] ; then
echo "::error::Unable to determine a version number for the current state of the xcode project"
exit 1
fi
bundleID=$(sed -nr 's/^.*PRODUCT_BUNDLE_IDENTIFIER = (.*)$/\1/p' < buildsettings.txt)
if [[ -z $bundleID ]] ; then
echo "::error::Unable to extract bundle id from the xcode project"
exit 1
fi
echo "- Check script inputs"
if [[ -z "${{ inputs.releaseVersion }}" || $version == "${{ inputs.releaseVersion }}" ]] ; then
echo "- Build version is $version"
else
echo "- Build version is $version but overriding with ${{ inputs.releaseVersion }} for release & file names"
version="${{ inputs.releaseVersion }}"
fi
releaseName="${{ env.productname }} $version"
releaseNameNoSpaces="$(echo "${{ env.productname }}" | sed "s/ /./").$version"
if [[ -z "${{ inputs.uploadToStore }}" ]] ; then
echo "- Use default value for uploadToStore: ${{ env.uploadToStoreDefault }}"
uploadToStore=${{ env.uploadToStoreDefault }}
else
echo "- Use supplied value for uploadToStore: ${{ inputs.uploadToStore }}"
uploadToStore=${{ inputs.uploadToStore }}
fi
echo "- Parse trigger" # NOTE: only support triggering manually for now
if [[ "${{ github.event_name }}" == workflow_dispatch ]] ; then
if [[ "${{ github.ref }}" != "refs/heads/${{ env.branch }}" ]] ; then
echo "::error::Manually triggered workflow supports ${{ env.branch }} only, gihub.ref == ${{ github.ref }})"
exit 1
fi
if $uploadToStore == "true" ; then
echo "- Will build and save as artifacts verison \"$releaseName\" and associated release notes"
else
echo "- Will build and deplay verison \"$releaseName\" and save as as artifact with associated release notes"
fi
else
echo "::error::Not triggered manually or by a tag (github.event_name == ${{ github.event_name }}, gihub.ref == ${{ github.ref }})"
exit 1
fi
# parse version to set these
bareversion=$(echo $version | sed -r 's/([0-9](\.[0-9]){1,2}).*/\1/')
versionsuffix=$(echo $version | sed -r 's/[0-9\.]+(.*)/\1/')
echo "version=$version" >> $GITHUB_OUTPUT
echo "bareversion=$bareversion" >> $GITHUB_OUTPUT
echo "versionsuffix=$versionsuffix" >> $GITHUB_OUTPUT
echo "bundleID=$bundleID" >> $GITHUB_OUTPUT
echo "releaseName=$releaseName" >> $GITHUB_OUTPUT
echo "releaseArchivename=$releaseNameNoSpaces" >> $GITHUB_OUTPUT
echo "uploadToStore=$uploadToStore" >> $GITHUB_OUTPUT
if [[ -n $tag ]] ; then
echo "tag=$tag" >> $GITHUB_OUTPUT
fi
- name: Build
id: build
run: |
:
buildlogfile=xcodebuild-out.txt
echo "- Build with xcodebuild from $(xcodebuild -version)"
# requires that env.projectfile is the name of the .xcodeproj, env.buildscheme is
# a valid build scheme, and and env.bundlename is name of the produced .app
# note: not sure why ONLY_ACTIVE_ARCH=NO is required for xcodebuild, it should
# already be NO for Release configuration
set -o pipefail && xcodebuild ONLY_ACTIVE_ARCH=NO clean build analyze \
-scheme "${{ env.buildscheme }}" -configuration Release \
-project "${{ env.projectfile }}" -derivedDataPath . | \
tee "$buildlogfile" | xcbeautify --renderer github-actions
if [[ ! -d "${{ env.builddir }}/${{ env.bundlename }}" ]]; then
echo "::error::Unable to find the built app bundle"
exit 1
fi
echo "- Extract bundle version from app"
plutil -extract CFBundleVersion raw \
"${{ env.builddir }}/${{ env.bundlename }}/Contents/Info.plist"
bundleVersion=$(plutil -extract CFBundleVersion raw \
"${{ env.builddir }}/${{ env.bundlename }}/Contents/Info.plist" 2> /dev/null)
if [[ -z $bundleVersion ]] ; then
echo "::warning::Unable to find the app's bundle version"
fi
echo "version=$bundleVersion" >> $GITHUB_OUTPUT
echo "log=$buildlogfile" >> $GITHUB_OUTPUT
echo "appbundle=${{ env.builddir }}/${{ env.bundlename }}" >> $GITHUB_OUTPUT
- name: Save Build Log as Artifact
if: ${{ success() || failure() }}
uses: actions/upload-artifact@v4
with:
name: Build log
path: ${{ steps.build.outputs.log }}
- name: Patch Version String
if: ${{ steps.version.outputs.versionsuffix != '' && steps.version.outputs.bareversion != '' }}
run: |
:
echo "- Removing suffix \"${{ steps.version.outputs.versionsuffix }}\" from Info.plist CFBundleShortVersionString"
plutil -replace CFBundleShortVersionString -string \
"${{ steps.version.outputs.bareversion }}" \
"${{ steps.build.outputs.appbundle }}/Contents/Info.plist"
- name: Setup Keychain
run: |
:
if [[ -z "${{ secrets.PROD_MACOS_CI_KEYCHAIN_PWD }}" ]] ; then
echo "::error::Secret PROD_MACOS_CI_KEYCHAIN_PWD not defined"
exit 1
fi
if [[ -z "${{ secrets.STORE_MACOS_CERTIFICATE }}" ]] ; then
echo "::error::Secret STORE_MACOS_CERTIFICATE not defined"
exit 1
fi
if [[ -z "${{ secrets.STORE_MACOS_CERTIFICATE_PWD }}" ]] ; then
echo "::error::Secret STORE_MACOS_CERTIFICATE_PWD not defined"
exit 1
fi
if [[ -z "${{ secrets.PKG_MACOS_CERTIFICATE }}" ]] ; then
echo "::error::Secret PKG_MACOS_CERTIFICATE not defined"
exit 1
fi
if [[ -z "${{ secrets.PKG_MACOS_CERTIFICATE_PWD }}" ]] ; then
echo "::error::Secret PKG_MACOS_CERTIFICATE_PWD not defined"
exit 1
fi
# Turn our base64-encoded certificates back to a regular .p12 files
signcertname="signcertificate.p12"
echo "- Base64-decode certificate to make \"$signcertname\""
echo "${{ secrets.STORE_MACOS_CERTIFICATE }}" | base64 --decode > "$signcertname"
pkgcertname="pkgcertificate.p12"
echo "- Base64-encode certificate to make \"$pkgcertname\""
echo "${{ secrets.PKG_MACOS_CERTIFICATE }}" | base64 --decode > "$pkgcertname"
# We need to create a new keychain, one that we can keep unlocked,
# otherwise using the certificate will prompt with a UI dialog asking for
# the certificate password, which won't work in a headless CI environment
echo "- Create unlocked keychain \"build.keychain\""
security create-keychain -p "${{ secrets.PROD_MACOS_CI_KEYCHAIN_PWD }}" build.keychain
security default-keychain -s build.keychain
security set-keychain-settings build.keychain # omitted '-t N' option means no timeout
security unlock-keychain -p "${{ secrets.PROD_MACOS_CI_KEYCHAIN_PWD }}" build.keychain
echo "- Import \"$signcertname\" and \"$pkgcertname\" into \"build.keychain\""
security import "$signcertname" -P "${{ secrets.STORE_MACOS_CERTIFICATE_PWD }}" \
-A -t cert -f pkcs12 -k build.keychain
security import "$pkgcertname" -P "${{ secrets.PKG_MACOS_CERTIFICATE_PWD }}" \
-A -t cert -f pkcs12 -k build.keychain
security list-keychain -d user -s build.keychain
# this cmd might not be necessary, no idea if productbuild: is valid anyway:
# security set-key-partition-list -S apple-tool:,apple:,codesign:,productbuild: \
# -s -k "${{ secrets.PROD_MACOS_CI_KEYCHAIN_PWD }}" build.keychain
- name: Codesign App Bundle
run: |
:
if [[ -z "${{ secrets.STORE_MACOS_CERTIFICATE_NAME }}" ]] ; then
echo "::error::Secret STORE_MACOS_CERTIFICATE_NAME not defined"
exit 1
fi
# Codesign our app bundle, specifying the Hardened runtime option
echo "- Sign subcomponents..."
# this is thanks to https://stackoverflow.com/a/11284404/592739
# within this section change the Internal Field Separator (IFS) to
# iterate over newline-separated paths that contain spaces
savedIFS=$IFS
IFS=$(echo -en "\n\b")
subitems=""
addsubitems()
{
if [ -z "$subitems" ] ; then
subitems="$1"
else
subitems="$subitems"$'\n'"$1"
fi
}
frameworksdir="${{ steps.build.outputs.appbundle }}/Contents/Frameworks"
if [ -d "$frameworksdir" ] ; then
frameworksdirdylibs=$(find "$frameworksdir" -depth -name "*.dylib")
if [ -n "$frameworksdirdylibs" ] ; then
addsubitems "$frameworksdirdylibs"
fi
frameworksdirbundles=$(find "$frameworksdir" -depth -type d -name "*.bundle")
if [ -n "$frameworksdirbundles" ] ; then
addsubitems "$frameworksdirbundles"
fi
frameworksdirframeworks=$(find "$frameworksdir" -depth -type d -name "*.framework")
if [ -n "$frameworksdirframeworks" ] ; then
for framework in $frameworksdirframeworks; do
frameworksubapp=$(find "$framework" -depth -type d -name "*.app")
if [ -n "$frameworksubapp" ] ; then
addsubitems "$frameworksubapp"
fi
frameworksubapp=$(find "$framework" -depth -type d -name "*.xpc")
if [ -n "$frameworksubapp" ] ; then
addsubitems "$frameworksubapp"
fi
# search for executables with limited depth to avoid ones within an .app
frameworkname=$(basename -s ".framework" "$framework")
frameworksubexecutable=$(find "$framework" -maxdepth 4 -type f -perm +111 \
-not -name "$frameworkname")
if [ -n "$frameworksubexecutable" ] ; then
addsubitems "$frameworksubexecutable"
fi
done
addsubitems "$frameworksdirframeworks"
fi
fi
# potentially grab more subitems from other places within the .app here
# ie. resourcesdir="${{ steps.build.outputs.appbundle }}/Contents/Resources"
for subitem in $subitems; do
xcrun codesign --force --sign "${{ secrets.STORE_MACOS_CERTIFICATE_NAME }}" \
--options runtime -v "$subitem"
done
# would instead do this to if any subcomponents themselves included entitlements:
# for subitem in $subitems; do
# echo -n "" > subentitlements.xml # codesign doesn't erase prev contents but appends, avoid this problem
# xcrun codesign -d --entitlements subentitlements.xml --xml "$subitem"
# if [ -s subentitlements.xml ] ; then
# xcrun codesign --force --sign "${{ secrets.STORE_MACOS_CERTIFICATE_NAME }}" \
# --entitlements subentitlements.xml --options runtime -v "$subitem"
# else
# xcrun codesign --force --sign "${{ secrets.STORE_MACOS_CERTIFICATE_NAME }}" \
# --options runtime -v "$subitem"
# fi
# done
IFS=$savedIFS
echo "- Sign app"
xcrun codesign -d --entitlements entitlements.xml --xml "${{ steps.build.outputs.appbundle }}"
xcrun codesign --force --sign "${{ secrets.STORE_MACOS_CERTIFICATE_NAME }}" \
--entitlements entitlements.xml --options runtime -v "${{ steps.build.outputs.appbundle }}"
- name: Package App
id: package
run: |
:
if [[ -z "${{ secrets.PKG_MACOS_CERTIFICATE_NAME }}" ]] ; then
echo "::error::Secret PKG_MACOS_CERTIFICATE_NAME not defined"
exit 1
fi
# Build a pkg from the built app for uploading to App Store Connect
packagefilename="${{ steps.version.outputs.releaseArchivename }}.pkg"
echo "- Package app to make \"$packagefilename\""
# xcrun productbuild --sign "${{ secrets.PKG_MACOS_CERTIFICATE_NAME }}" \
# --component "${{ steps.build.outputs.appbundle }}" /Applications \
# "${{ env.builddir }}/$packagefilename"
timelimit -t20 xcrun productbuild --sign "${{ secrets.PKG_MACOS_CERTIFICATE_NAME }}" \
--component "${{ steps.build.outputs.appbundle }}" /Applications \
"${{ env.builddir }}/$packagefilename" || \
(
echo "::warning::Failed during productbuild, possible timeout"
sudo log show --last 21s --debug --info > systemlog.txt # followup step can save as artifact
exit 1
)
echo "filename=$packagefilename" >> $GITHUB_OUTPUT
echo "file=${{ env.builddir }}/$packagefilename" >> $GITHUB_OUTPUT
- name: Verify Package and AppStore Connect Acceess
id: connect
run: |
:
if [[ -z "${{ secrets.APPSTORECONNECT_APIKEY }}" ]] ; then
echo "::error::Secret APPSTORECONNECT_APIKEY not defined"
exit 1
fi
if [[ -z "${{ secrets.APPSTORECONNECT_APIKEYID }}" ]] ; then
echo "::error::Secret APPSTORECONNECT_APIKEYID not defined"
exit 1
fi
if [[ -z "${{ secrets.APPSTORECONNECT_APIISSUERID }}" ]] ; then
echo "::error::Secret APPSTORECONNECT_APIISSUERID not defined"
exit 1
fi
# Turn our base64-encoded acess key back to a regular .p8 file
# in the expected subdirectory with the expected name containing the key id
packagefile="${{ steps.package.outputs.file }}"
keyfilename="AuthKey_${{ secrets.APPSTORECONNECT_APIKEYID }}.p8"
keydir="private_keys"
mkdir "$keydir"
echo "- Base64-decode key to make \"$keyfilename\""
echo "${{ secrets.APPSTORECONNECT_APIKEY }}" | base64 --decode > "./$keydir/$keyfilename"
# if deploying, this decoded key file will be used again by altool
echo "- Run verification"
xcrun altool --validate-app --file "$packagefile" --type macos \
--apiKey "${{ secrets.APPSTORECONNECT_APIKEYID }}" \
--apiIssuer "${{ secrets.APPSTORECONNECT_APIISSUERID }}"
echo "keyid=${{ secrets.APPSTORECONNECT_APIKEYID }}" >> $GITHUB_OUTPUT
echo "issuerid=${{ secrets.APPSTORECONNECT_APIISSUERID }}" >> $GITHUB_OUTPUT
- name: Release Notes
id: notes
run: |
:
echo "- Collect release notes"
changeLogFilename=CHANGELOG.md
tempNotesFilename="${{ steps.version.outputs.releaseName }}.temp.md"
currentNotesFilename="${{ steps.version.outputs.releaseName }}.md"
if [[ ! -f $changeLogFilename ]] ; then
echo "::warning::Change log file is missing"
numlines=0
else
echo -n "" > "${{ env.builddir }}/$tempNotesFilename"
thisversion=''
prevversion=''
while read line || [[ -n $line ]] ; do
if [[ -z $thisversion ]]; then
thisversion=$(echo $line | sed -n -E 's/^#+ version ([0-9.dabrc]+) .*$/\1/p')
if [[ -n $thisversion ]] ; then
if [[ $thisversion != "${{ steps.version.outputs.version }}" ]] ; then
echo "::warning::Version $thisversion at the top of the change log doesn't match build version ${{ steps.version.outputs.version }}"
break
fi
echo "- Found section for build version ${{ steps.version.outputs.version }} at the top of the change log"
fi
continue
fi
prevversion=$(echo $line | sed -n -E 's/^#+ version ([0-9.dabrc]+) .*$/\1/p')
if [[ -n $prevversion ]] ; then
break
fi
echo $line >> "${{ env.builddir }}/$tempNotesFilename"
done < "$changeLogFilename"
# sed command removes initial and trailing blank lines, don't ask me how it works
# from https://unix.stackexchange.com/a/552195
cat "${{ env.builddir }}/$tempNotesFilename" | sed -e '/./,$!d' -e :a -e '/^\n*$/{$d;N;ba' -e '}' \
> "${{ env.builddir }}/$currentNotesFilename"
numlines=$(wc -l "${{ env.builddir }}/$currentNotesFilename" | cut -w -f2)
fi
if [[ $numlines -gt 0 ]] ; then
echo "- Save $numlines lines of release notes to \"$currentNotesFilename\""
else
echo "- Save placeholder release notes to \"$currentNotesFilename\""
echo "Release notes unavailable at this time" > "${{ env.builddir }}/$currentNotesFilename"
fi
echo "filename=$currentNotesFilename" >> $GITHUB_OUTPUT
echo "file=${{ env.builddir }}/$currentNotesFilename" >> $GITHUB_OUTPUT
- name: Save Build Components as Artifact
uses: actions/upload-artifact@v4
with:
name: "${{ steps.version.outputs.releaseArchivename }} App and Pkg"
path: |
${{ steps.build.outputs.appbundle }}
${{ steps.package.outputs.file }}
- name: Save Release Notes as Artifact
uses: actions/upload-artifact@v4
with:
name: "${{ steps.version.outputs.releaseArchivename }} Release notes"
path: ${{ steps.notes.outputs.file }}
- name: Deploy
if: ${{ success() && steps.version.outputs.uploadToStore == 'true' }}
run: |
:
if [[ -z "${{ secrets.APPSTORECONNECT_APPLEID }}" ]] ; then
echo "::error::Secret APPSTORECONNECT_APPLEID not defined"
exit 1
fi
packagefile="${{ steps.package.outputs.file }}"
keyid="${{ steps.connect.outputs.keyid }}"
issuerid="${{ steps.connect.outputs.issuerid }}"
bundleid="${{ steps.build.outputs.bundleID }}"
bundleversion="${{ steps.build.outputs.version }}"
versionstr="${{ steps.version.outputs.version }}"
echo "- Deploy"
xcrun altool --upload-package --file "$packagefile" --type macos \
--apiKey "$keyid" --apiIssuer "$issuerid" --bundle-id "$bundleid" \
--bundle-version "$bundleversion" --bundle-short-version-string "$versionstr" \
--apple-id "${{ secrets.APPSTORECONNECT_APPLEID }}" \
- name: Fin
run: |
:
if [[ "${{ steps.version.outputs.uploadToStore }}" == "true" ]] ; then
echo "::notice::Deployed \"${{ env.bundlename }}\" to app store, saved it and \"${{ steps.notes.outputs.filename }}\" as artifacts"
else
echo "::notice::Saved \"${{ env.bundlename }}\" and \"${{ steps.notes.outputs.filename }}\" as artifacts"
fi