client/.github/workflows/build-macos.yaml at main · DefGuard/client · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
name: Build macOS app
on:
  push:
    branches:
      - main
      - dev
      - "release/**"
    paths-ignore:
      - "*.md"
      - "LICENSE"
    tags:
      - v*.*.*

jobs:
  build-macos:
    runs-on:
      - self-hosted
      - macOS
    env:
      APPLE_SIGNING_IDENTITY: "Apple Distribution: defguard sp. z o.o. (82GZ7KN29J)"
      APPLE_SIGNING_IDENTITY_INSTALLER: "3rd Party Mac Developer Installer: defguard sp. z o.o. (82GZ7KN29J)"
      APPLE_PROVIDER_SHORT_NAME: "82GZ7KN29J"
      APPLE_ID: "kamil@defguard.net"
      APPLE_TEAM_ID: "82GZ7KN29J"
    steps:
      - uses: actions/checkout@v6
        with:
          submodules: recursive

      - name: Write release version
        run: |
          VERSION=$(echo ${GITHUB_REF_NAME#v} | cut -d '-' -f1)
          echo Version: $VERSION
          echo "VERSION=$VERSION" >> ${GITHUB_ENV}

      - uses: actions/setup-node@v6
        with:
          node-version: 25

      - uses: pnpm/action-setup@v5
        with:
          cache: true
          version: 10

      - name: Install deps
        run: pnpm install --frozen-lockfile

      - uses: dtolnay/rust-toolchain@stable
        with:
          targets: aarch64-apple-darwin,x86_64-apple-darwin

      - name: Set build number
        run: |
          sed -i '' "s,@BUILD_NUMBER@,${{ github.run_number }}," src-tauri/tauri.conf.json
          sed -i '' "s,@BUILD_NUMBER@,${{ github.run_number }}," swift/extension/VPNExtension.xcodeproj/project.pbxproj

      - name: Unlock keychain
        run: security -v unlock-keychain -p "${{ secrets.KEYCHAIN_PASSWORD }}" login.keychain

      - name: Build app
        uses: tauri-apps/tauri-action@v0
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          args: --target universal-apple-darwin

      - name: Build installation package
        run: |
          security -v unlock-keychain -p "${{ secrets.KEYCHAIN_PASSWORD }}" login.keychain
          xcrun productbuild --sign "${{ env.APPLE_SIGNING_IDENTITY_INSTALLER }}" --component "src-tauri/target/universal-apple-darwin/release/bundle/macos/Defguard.app" /Applications defguard-client.pkg
          xcrun altool --upload-app --type macos --file defguard-client.pkg --apiKey ${{ secrets.APPLE_API_KEY }} --apiIssuer ${{ secrets.APPLE_API_ISSUER }}
          # xcrun notarytool submit --wait --apple-id ${{ env.APPLE_ID }} --password ${{ secrets.NOTARYTOOL_APP_SPECIFIC_PASSWORD }} --team-id ${{ env.APPLE_TEAM_ID }} defguard-client.pkg
          # xcrun stapler staple defguard-client.pkg