rustcast/.github/workflows/release.yml at 086efc71e48c3022dfb548e6bfbc64d12a6b64c7 · RustCastLabs/rustcast · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
name: Build macOS Release

on:
  push:
    tags:
      - "v*"
  workflow_dispatch:

permissions:
  contents: write

jobs:
  build-macos:
    strategy:
      matrix:
        include:
          - target: aarch64-apple-darwin
            os: macos-14
          - target: x86_64-apple-darwin
            os: macos-14

    runs-on: ${{ matrix.os }}

    env:
      APP_NAME: RustCast
      BUNDLE_ID: com.umangsurana.rustcast
      TEAM_ID: ${{ secrets.TEAM_ID }}
      APPLE_ID: ${{ secrets.APPLE_ID }}
      APPLE_ID_PASSWORD: ${{ secrets.APPLE_ID_PASSWORD }}

    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Install Rust toolchain
        uses: dtolnay/rust-toolchain@stable
        with:
          targets: ${{ matrix.target }}

      - name: Install cargo-bundle
        run: cargo install cargo-bundle

      - name: Cache cargo registry
        uses: actions/cache@v4
        with:
          path: ~/.cargo/registry
          key: ${{ runner.os }}-cargo-registry-${{ hashFiles('**/Cargo.lock') }}

      - name: Cache cargo index
        uses: actions/cache@v4
        with:
          path: ~/.cargo/git
          key: ${{ runner.os }}-cargo-git-${{ hashFiles('**/Cargo.lock') }}

      - name: Cache cargo build
        uses: actions/cache@v4
        with:
          path: target
          key: ${{ runner.os }}-${{ matrix.target }}-cargo-build-${{ hashFiles('**/Cargo.lock') }}

      - name: Build release .app with cargo-bundle
        run: cargo bundle --release --target ${{ matrix.target }}

      - name: Set up keychain and import signing certificate
        run: |
          KEYCHAIN=build.keychain
          security create-keychain -p "" "$KEYCHAIN"
          security default-keychain -s "$KEYCHAIN"
          security unlock-keychain -p "" "$KEYCHAIN"
          security set-keychain-settings "$KEYCHAIN"

          # Import certificate from base64 secret
          echo "${MACOS_CERT_P12}" | base64 --decode > cert.p12
          security import cert.p12 -k "$KEYCHAIN" -P "${MACOS_CERT_PASSWORD}" -T /usr/bin/codesign -T /usr/bin/productsign

          # Allow codesign access
          security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "" "$KEYCHAIN"

          security find-identity -v -p codesigning
        env:
          MACOS_CERT_P12: ${{ secrets.MACOS_CERT_P12 }}
          MACOS_CERT_PASSWORD: ${{ secrets.MACOS_CERT_PASSWORD }}

      - name: Codesign .app bundle
        run: |
          APP_PATH="target/${{ matrix.target }}/release/bundle/osx/${APP_NAME}.app"

          # Find Developer ID Application identity
          SIGN_IDENTITY=$(security find-identity -p codesigning -v | grep "Developer ID Application" | head -n1 | awk '{print $2}')
          echo "Using signing identity: $SIGN_IDENTITY"

          # Basic hardened runtime signing. If you later need entitlements, add --entitlements entitlements.plist
          codesign --force --options runtime --timestamp --deep \
            --sign "$SIGN_IDENTITY" \
            "$APP_PATH"

          echo "Verifying codesign..."
          codesign --verify --deep --strict --verbose=2 "$APP_PATH"
          spctl -a -vvvv "$APP_PATH" || true

      - name: Create dmg
        run: |
          APP_PATH="target/${{ matrix.target }}/release/bundle/osx/${APP_NAME}.app"
          DMG_NAME="rustcast-${{ matrix.target }}.dmg"

          mkdir dmg-root
          cp -R "$APP_PATH" dmg-root/
          ln -s /Applications dmg-root/Applications

          hdiutil create \
            -volname "${APP_NAME}" \
            -srcfolder dmg-root \
            -ov \
            -format UDZO \
            "$DMG_NAME"

      - name: Codesign dmg
        run: |
          DMG_NAME="rustcast-${{ matrix.target }}.dmg"
          SIGN_IDENTITY=$(security find-identity -p codesigning -v | grep "Developer ID Application" | head -n1 | awk '{print $2}')

          codesign --force --timestamp --sign "$SIGN_IDENTITY" "$DMG_NAME"
          codesign --verify --verbose=2 "$DMG_NAME"

      - name: Notarize dmg with notarytool
        run: |
          DMG_NAME="rustcast-${{ matrix.target }}.dmg"

          xcrun notarytool submit "$DMG_NAME" \
            --apple-id "$APPLE_ID" \
            --team-id "$TEAM_ID" \
            --password "$APPLE_ID_PASSWORD" \
            --wait

      - name: Staple notarization ticket
        run: |
          DMG_NAME="rustcast-${{ matrix.target }}.dmg"
          xcrun stapler staple "$DMG_NAME"
          xcrun stapler validate "$DMG_NAME"

      - name: Upload dmg artifacts
        uses: actions/upload-artifact@v4
        with:
          name: macos-${{ matrix.target }}
          path: rustcast-${{ matrix.target }}.dmg
          retention-days: 7

  create-release:
    needs: build-macos
    runs-on: ubuntu-latest
    if: startsWith(github.ref, 'refs/tags/')
    steps:
      - name: Download all artifacts
        uses: actions/download-artifact@v4
        with:
          path: artifacts

      - name: Create GitHub Release with DMGs
        uses: softprops/action-gh-release@v1
        with:
          files: artifacts/**/rustcast-*.dmg
          draft: false
          prerelease: false
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}