Build, Sign, Notarize & Publish (non-MAS) #3
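---
# GitHub Actions workflow: builds the Electron app, signs it with a Developer ID
# certificate held in an ephemeral keychain, notarizes it, packages a DMG,
# uploads it as an artifact and (optionally) publishes a GitHub Release.
#
# NOTE(review): the hosted copy of this file was flagged for hidden or
# bidirectional Unicode characters. Open it in an editor that reveals them and
# confirm every command, path and secret name reads exactly as shown.
name: Build, Sign & Notarize (non-MAS)

on:  # yamllint disable-line rule:truthy
  workflow_dispatch:
    inputs:
      create_release:
        description: 'Create a GitHub Release with the DMG'
        type: boolean
        default: true
      release_tag:
        description: 'Release tag (e.g. v1.0.33). Leave empty to auto-generate from package.json'
        type: string
        default: ''
      release_notes:
        description: 'Release notes (e.g. "Add session list feature")'
        type: string
        default: 'Non-App Store notarized build'

# Least privilege for GITHUB_TOKEN: `gh release create` needs contents: write;
# no other scope is used, so everything else stays at its default of none.
permissions:
  contents: write

jobs:
  build-and-notarize:
    runs-on: macos-latest
    steps:
      # Actions are referenced by major tag; pinning each `uses:` to a full
      # commit SHA is stricter supply-chain hygiene if the project wants it.
      - name: Checkout
        uses: actions/checkout@v4

      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: '20'
          cache: 'yarn'

      - name: Install dependencies
        run: yarn install --frozen-lockfile

      # Creates a throw-away keychain holding only the signing identity. The
      # keychain password is random and never leaves the step; the keychain
      # itself is deleted by the final cleanup step.
      - name: Import certificate to keychain
        env:
          APPLE_CERTIFICATE_P12_BASE64: ${{ secrets.APPLE_CERTIFICATE_P12_BASE64 }}
          APPLE_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
        shell: bash  # bash -eo pipefail: a failed decode or import aborts the step
        run: |
          CERTIFICATE_PATH="$RUNNER_TEMP/certificate.p12"
          KEYCHAIN_PATH="$RUNNER_TEMP/app-signing.keychain-db"
          KEYCHAIN_PASSWORD=$(openssl rand -base64 32)
          echo -n "$APPLE_CERTIFICATE_P12_BASE64" | base64 --decode -o "$CERTIFICATE_PATH"
          security create-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
          # Auto-lock after 6 hours so a stale keychain cannot outlive the job.
          security set-keychain-settings -lut 21600 "$KEYCHAIN_PATH"
          security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
          # -A lets any process on this ephemeral runner use the key without a
          # UI prompt; acceptable here because the keychain is deleted at job end.
          security import "$CERTIFICATE_PATH" -P "$APPLE_CERTIFICATE_PASSWORD" -A -t cert -f pkcs12 -k "$KEYCHAIN_PATH"
          security set-key-partition-list -S apple-tool:,apple: -k "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
          security list-keychain -d user -s "$KEYCHAIN_PATH"
          # The decoded .p12 is not needed once the identity is in the keychain.
          rm -f "$CERTIFICATE_PATH"
          # Import Developer ID G2 intermediate certificate so codesign can build
          # the chain. Best-effort, as before, but -f/-S make a failed download
          # visible instead of silently importing an HTTP error page. The import
          # adds the certificate to the keychain only; it does not alter trust settings.
          if curl -fsSL -o DeveloperIDG2CA.cer https://www.apple.com/certificateauthority/DeveloperIDG2CA.cer; then
            security import DeveloperIDG2CA.cer -k "$KEYCHAIN_PATH" || echo "::warning::Developer ID G2 intermediate import failed"
            rm -f DeveloperIDG2CA.cer
          else
            echo "::warning::Could not download DeveloperIDG2CA.cer; chain building may fail"
          fi

      - name: Build app
        run: yarn make

      - name: Install create-dmg
        run: brew install create-dmg

      # sign-notarize.sh lives in the repository and is not reviewed here; it
      # receives the notarization credentials only through the environment.
      - name: Sign, notarize, and create DMG
        env:
          APPLE_ID: ${{ secrets.APPLE_ID }}
          APPLE_APP_PASSWORD: ${{ secrets.APPLE_APP_PASSWORD }}
          APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
        run: sh ./sign-notarize.sh

      - name: Get version from package.json
        id: version
        run: echo "version=$(node -p 'require("./package.json").version')" >> "$GITHUB_OUTPUT"

      - name: Upload DMG artifact
        uses: actions/upload-artifact@v4
        with:
          name: CodeV-${{ steps.version.outputs.version }}.dmg
          path: ./out/CodeV.dmg

      - name: Create GitHub Release
        if: ${{ inputs.create_release }}
        env:
          GH_TOKEN: ${{ github.token }}
          # Workflow inputs and step outputs are passed through the environment
          # instead of being interpolated into the script body, so their text is
          # treated as data by the shell rather than as part of the command.
          RELEASE_TAG: ${{ inputs.release_tag }}
          RELEASE_NOTES: ${{ inputs.release_notes }}
          APP_VERSION: ${{ steps.version.outputs.version }}
        shell: bash
        run: |
          TAG="$RELEASE_TAG"
          if [ -z "$TAG" ]; then
            TAG="v${APP_VERSION}"
          fi
          gh release create "$TAG" ./out/CodeV.dmg \
            --title "$TAG" \
            --notes "$RELEASE_NOTES"

      # Runs even when an earlier step failed so the signing identity never
      # persists on the runner.
      - name: Cleanup keychain
        if: always()
        run: security delete-keychain "$RUNNER_TEMP/app-signing.keychain-db" || true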