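---
# Release pipeline: run the test suite, compile a standalone `polar` binary
# per target (macOS builds are codesigned and notarized), then publish a
# GitHub Release carrying the archives plus a SHA-256 checksum file.
#
# Two trigger modes:
#   - push of a `v*` tag   → real release named after the tag
#   - workflow_dispatch    → draft prerelease, for rehearsing the signing and
#                            notarization path without publishing anything
#
# NOTE(review): third-party actions are pinned to major tags (`@v4`, `@v2`,
# `@v6`), which float. For supply-chain integrity prefer pinning each to a
# full commit SHA (`uses: owner/repo@<commit-sha>  # vX.Y.Z`) and let an
# update bot keep them current.
name: Release

on:
  push:
    tags:
      - "v*"
  workflow_dispatch:
    inputs:
      tag_name:
        description: "Draft verification tag to create, e.g. verify-signing-2026-04-16"
        required: true
        type: string

# Least privilege by default; only the `release` job escalates to write.
permissions:
  contents: read

# Single Bun version for every job. The build must stay on 1.3.11 until
# 1.3.13 ships: 1.3.12 produces macOS binaries that cannot be signed
# (https://github.com/oven-sh/bun/pull/29272). Tests use the same version
# so they exercise the runtime that is actually compiled into the binary,
# rather than whatever `latest` happens to resolve to.
env:
  BUN_VERSION: "1.3.11"

jobs:
  test:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v4
        with:
          # Nothing in this job pushes, so do not leave the job token in
          # .git/config where later steps (e.g. `bun install`) could read it.
          persist-credentials: false
      - uses: oven-sh/setup-bun@v2
        with:
          bun-version: ${{ env.BUN_VERSION }}
      - run: bun install
      - run: bun test

  build:
    needs: test
    permissions:
      contents: read
    strategy:
      matrix:
        include:
          - target: bun-darwin-arm64
            archive: polar-darwin-arm64.zip
            os: macos-15
            sign: true
            notarize: true
          - target: bun-darwin-x64
            archive: polar-darwin-x64.zip
            os: macos-15
            sign: true
            notarize: true
          - target: bun-linux-x64
            archive: polar-linux-x64.tar.gz
            os: ubuntu-latest
            sign: false
            notarize: false
    runs-on: ${{ matrix.os }}
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - uses: oven-sh/setup-bun@v2
        with:
          bun-version: ${{ env.BUN_VERSION }}
      - run: bun install

      # Fail early with a readable message instead of an opaque codesign /
      # notarytool error when a signing secret is missing from the repo.
      - name: Validate macOS signing configuration
        if: ${{ matrix.sign }}
        env:
          MACOS_CERTIFICATE_P12_BASE64: ${{ secrets.MACOS_CERTIFICATE_P12_BASE64 }}
          MACOS_CERTIFICATE_PASSWORD: ${{ secrets.MACOS_CERTIFICATE_PASSWORD }}
          MACOS_SIGNING_IDENTITY: ${{ secrets.MACOS_SIGNING_IDENTITY }}
          APP_STORE_CONNECT_API_KEY_P8: ${{ secrets.APP_STORE_CONNECT_API_KEY_P8 }}
          APP_STORE_CONNECT_API_KEY_ID: ${{ secrets.APP_STORE_CONNECT_API_KEY_ID }}
          APP_STORE_CONNECT_ISSUER_ID: ${{ secrets.APP_STORE_CONNECT_ISSUER_ID }}
        run: |
          test -n "$MACOS_CERTIFICATE_P12_BASE64" || { echo "Missing MACOS_CERTIFICATE_P12_BASE64 secret"; exit 1; }
          test -n "$MACOS_CERTIFICATE_PASSWORD" || { echo "Missing MACOS_CERTIFICATE_PASSWORD secret"; exit 1; }
          test -n "$MACOS_SIGNING_IDENTITY" || { echo "Missing MACOS_SIGNING_IDENTITY secret"; exit 1; }
          test -n "$APP_STORE_CONNECT_API_KEY_P8" || { echo "Missing APP_STORE_CONNECT_API_KEY_P8 secret"; exit 1; }
          test -n "$APP_STORE_CONNECT_API_KEY_ID" || { echo "Missing APP_STORE_CONNECT_API_KEY_ID secret"; exit 1; }
          test -n "$APP_STORE_CONNECT_ISSUER_ID" || { echo "Missing APP_STORE_CONNECT_ISSUER_ID secret"; exit 1; }

      - name: Import macOS signing certificate
        if: ${{ matrix.sign }}
        uses: apple-actions/import-codesign-certs@v6
        with:
          p12-file-base64: ${{ secrets.MACOS_CERTIFICATE_P12_BASE64 }}
          p12-password: ${{ secrets.MACOS_CERTIFICATE_PASSWORD }}

      # Matrix values are passed to shell via env rather than interpolated
      # into the script text, so no `${{ }}` expansion ever reaches bash.
      - name: Build binary
        env:
          TARGET: ${{ matrix.target }}
        run: bun build ./src/cli.ts --compile --target="$TARGET" --outfile polar

      - name: Sign macOS binary
        if: ${{ matrix.sign }}
        env:
          MACOS_SIGNING_IDENTITY: ${{ secrets.MACOS_SIGNING_IDENTITY }}
        run: |
          # Hardened runtime + secure timestamp are prerequisites for notarization.
          codesign --force --options runtime \
            --entitlements ./.github/macos-entitlements.plist \
            --sign "$MACOS_SIGNING_IDENTITY" \
            --timestamp \
            ./polar

      - name: Verify macOS signature
        if: ${{ matrix.sign }}
        run: codesign --verify --strict --verbose=2 ./polar

      - name: Write App Store Connect API key
        if: ${{ matrix.notarize }}
        env:
          APP_STORE_CONNECT_API_KEY_P8: ${{ secrets.APP_STORE_CONNECT_API_KEY_P8 }}
          APP_STORE_CONNECT_API_KEY_ID: ${{ secrets.APP_STORE_CONNECT_API_KEY_ID }}
        run: |
          key_path="$RUNNER_TEMP/AuthKey_${APP_STORE_CONNECT_API_KEY_ID}.p8"
          # Create the key file as 0600 from the start instead of writing it
          # with the default umask and tightening permissions afterwards.
          (umask 077 && printf '%s' "$APP_STORE_CONNECT_API_KEY_P8" > "$key_path")
          chmod 600 "$key_path"
          echo "APP_STORE_CONNECT_API_KEY_PATH=$key_path" >> "$GITHUB_ENV"

      - name: Package binary
        env:
          ARCHIVE: ${{ matrix.archive }}
        run: |
          if [[ "$ARCHIVE" == *.zip ]]; then
            ditto -c -k polar "$ARCHIVE"
          else
            tar -czf "$ARCHIVE" polar
          fi

      # `--wait` blocks until Apple returns a verdict, so a rejected
      # submission fails the job here rather than surfacing on users' Macs.
      - name: Notarize macOS archive
        if: ${{ matrix.notarize }}
        env:
          ARCHIVE: ${{ matrix.archive }}
          APP_STORE_CONNECT_API_KEY_ID: ${{ secrets.APP_STORE_CONNECT_API_KEY_ID }}
          APP_STORE_CONNECT_ISSUER_ID: ${{ secrets.APP_STORE_CONNECT_ISSUER_ID }}
        run: |
          xcrun notarytool submit "$ARCHIVE" \
            --key "$APP_STORE_CONNECT_API_KEY_PATH" \
            --key-id "$APP_STORE_CONNECT_API_KEY_ID" \
            --issuer "$APP_STORE_CONNECT_ISSUER_ID" \
            --wait

      - uses: actions/upload-artifact@v4
        with:
          name: ${{ matrix.archive }}
          path: ${{ matrix.archive }}

  release:
    needs: build
    runs-on: ubuntu-latest
    permissions:
      contents: write  # create the release and upload its assets
    steps:
      - uses: actions/download-artifact@v4
        with:
          merge-multiple: true

      # NOTE(review): checksums.txt lets downloaders detect a corrupted or
      # swapped archive, but it is itself unsigned, so it proves integrity,
      # not provenance. A signed checksum file or a build attestation would
      # close that gap.
      - name: Generate checksums
        run: sha256sum *.tar.gz *.zip > checksums.txt

      - name: Create GitHub Release
        uses: softprops/action-gh-release@v2
        with:
          # Manual runs publish a draft prerelease under the requested tag so
          # the signing path can be rehearsed; tag pushes publish for real.
          tag_name: ${{ github.event_name == 'workflow_dispatch' && inputs.tag_name || github.ref_name }}
          target_commitish: ${{ github.sha }}
          draft: ${{ github.event_name == 'workflow_dispatch' }}
          prerelease: ${{ github.event_name == 'workflow_dispatch' }}
          name: ${{ github.event_name == 'workflow_dispatch' && format('Signing Verification {0}', inputs.tag_name) || github.ref_name }}
          files: |
            *.tar.gz
            *.zip
            checksums.txt
          generate_release_notes: true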