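# Build, sign, notarize, staple and publish the macOS (Apple Silicon) DMG.
#
# Trust boundary: for the whole job this runner holds the Developer ID
# signing key (in a throw-away keychain) and the notary API key, and
# `pnpm install` / `tauri build` execute third-party package and build
# scripts in that same environment. Do not add steps that run untrusted
# code between "Import Apple signing certificate" and "Remove signing
# material", and keep what runs there to a minimum.
name: Release macOS (Apple Silicon)

# NOTE(review): anyone who can push a `v*` tag can trigger a signed,
# notarized release. Restricting who may create such tags (e.g. a tag
# ruleset) is repository configuration, outside this file.
on:
  push:
    tags:
      - "v*"
  workflow_dispatch:
    inputs:
      tag:
        description: "Tag to release (e.g., v0.1.2). Leave empty to use current ref."
        required: false
        type: string

# `contents: write` is exactly what `gh release create` / `gh release upload`
# need; nothing else in this workflow needs more than read access.
permissions:
  contents: write

jobs:
  release-macos-aarch64:
    # macos-14 hosted runners are arm64, so a plain `tauri build` produces an
    # aarch64-apple-darwin bundle under src-tauri/target/release/ (the path the
    # build step reads). Passing --target would move it under
    # target/aarch64-apple-darwin/ and break that lookup.
    runs-on: macos-14
    # Must cover the build plus `notarytool --wait --timeout 3h` below.
    timeout-minutes: 240
    steps:
      # NOTE(review): every third-party action below is referenced by a mutable
      # tag (@v4, @stable). For a workflow that runs next to a signing key,
      # prefer pinning each `uses:` to a full commit SHA (tag in a trailing
      # comment) so a moved or compromised tag cannot change the code that
      # runs here. SHAs are deliberately not filled in -- look them up when
      # pinning.
      - name: Checkout
        uses: actions/checkout@v4
        with:
          # When dispatched with an explicit tag, build *that* tag so the DMG
          # attached to release $TAG is really built from it. On a tag push
          # (or with an empty input) this is just the ref that triggered us.
          ref: ${{ inputs.tag || github.ref }}
          # Nothing later pushes with git (gh authenticates with GH_TOKEN from
          # the environment), so do not leave the repository token in
          # .git/config where the package and build scripts can read it.
          persist-credentials: false

      - name: Setup Node
        uses: actions/setup-node@v4
        with:
          node-version: "20"

      - name: Setup pnpm
        uses: pnpm/action-setup@v4
        with:
          version: "10.27.0"

      - name: Install dependencies
        run: pnpm install --frozen-lockfile

      - name: Setup Rust
        uses: dtolnay/rust-toolchain@stable
        with:
          targets: aarch64-apple-darwin

      - name: Import Apple signing certificate
        env:
          APPLE_CODESIGN_CERT_P12_BASE64: ${{ secrets.APPLE_CODESIGN_CERT_P12_BASE64 }}
          APPLE_CODESIGN_CERT_PASSWORD: ${{ secrets.APPLE_CODESIGN_CERT_PASSWORD }}
        run: |
          set -euo pipefail
          # Everything this step writes (keychain, decoded .p12) is owner-only.
          umask 077

          # Throw-away keychain with a random password. The password is only
          # needed inside this step, so it is deliberately NOT exported via
          # GITHUB_ENV -- later steps run third-party build scripts. The path
          # is exported so the final cleanup step can delete the keychain.
          KEYCHAIN_PATH="$RUNNER_TEMP/openwork-signing.keychain-db"
          KEYCHAIN_PASSWORD="$(openssl rand -hex 12)"
          echo "KEYCHAIN_PATH=$KEYCHAIN_PATH" >> "$GITHUB_ENV"

          security create-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
          # Lock on sleep (-l) and after 6h idle (-u -t 21600): longer than the
          # job's 4h timeout, so the keychain stays unlocked for the whole job.
          security set-keychain-settings -lut 21600 "$KEYCHAIN_PATH"
          security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
          security default-keychain -s "$KEYCHAIN_PATH"

          CERT_P12="$RUNNER_TEMP/openwork-certificate.p12"
          printf '%s' "$APPLE_CODESIGN_CERT_P12_BASE64" | base64 --decode > "$CERT_P12"
          # -A lets *any* application use the imported key without prompting,
          # which makes the -T allow-list below redundant. It is left in place
          # because the Tauri bundler invokes codesign on its own.
          # NOTE(review): try dropping -A and keeping only -T /usr/bin/codesign
          # for a tighter key ACL; verify the bundler still signs.
          security import "$CERT_P12" \
            -k "$KEYCHAIN_PATH" \
            -P "$APPLE_CODESIGN_CERT_PASSWORD" \
            -A \
            -T /usr/bin/codesign \
            -T /usr/bin/security
          # The decoded .p12 holds the private key and is not needed once
          # imported -- do not leave it on disk for the rest of the job.
          rm -f "$CERT_P12"

          # Allow Apple's tools (codesign and friends) to use the key without
          # a UI prompt on this headless runner.
          security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"

          # Fail fast here, not deep inside `tauri build`, if the .p12 did not
          # contain a usable code-signing identity (find-identity exits 0
          # even when it finds nothing).
          IDENTITIES="$(security find-identity -v -p codesigning "$KEYCHAIN_PATH")"
          echo "$IDENTITIES"
          case "$IDENTITIES" in
            *"0 valid identities found"*)
              echo "::error::no valid code-signing identity found in the imported certificate"
              exit 1
              ;;
          esac

      - name: Write notary API key
        env:
          APPLE_NOTARY_API_KEY_P8_BASE64: ${{ secrets.APPLE_NOTARY_API_KEY_P8_BASE64 }}
        run: |
          set -euo pipefail
          umask 077
          # App Store Connect API private key for notarytool, owner-only on
          # disk; removed again by the cleanup step.
          NOTARY_KEY="$RUNNER_TEMP/AuthKey.p8"
          printf '%s' "$APPLE_NOTARY_API_KEY_P8_BASE64" | base64 --decode > "$NOTARY_KEY"
          chmod 600 "$NOTARY_KEY"
          echo "NOTARY_KEY=$NOTARY_KEY" >> "$GITHUB_ENV"

      - name: Build Tauri DMG (Apple Silicon)
        env:
          # Presumably read by the Tauri bundler to codesign the .app placed in
          # the DMG; this is an identity name, not a secret value.
          APPLE_SIGNING_IDENTITY: ${{ secrets.APPLE_SIGNING_IDENTITY }}
        shell: bash
        run: |
          set -euo pipefail
          pnpm exec tauri build --bundles dmg
          # Resolve the produced DMG with a glob instead of `ls | head -n 1`:
          # this copes with spaces in the file name and fails on zero or
          # several DMGs instead of silently publishing the first one.
          shopt -s nullglob
          dmgs=("$GITHUB_WORKSPACE"/src-tauri/target/release/bundle/dmg/*.dmg)
          if [ "${#dmgs[@]}" -ne 1 ]; then
            echo "::error::expected exactly one DMG in src-tauri/target/release/bundle/dmg, found ${#dmgs[@]}"
            exit 1
          fi
          DMG_PATH="${dmgs[0]}"
          echo "DMG_PATH=$DMG_PATH" >> "$GITHUB_ENV"
          echo "Built DMG: $DMG_PATH"

      - name: Sign DMG (Developer ID)
        env:
          APPLE_SIGNING_IDENTITY: ${{ secrets.APPLE_SIGNING_IDENTITY }}
        run: |
          set -euo pipefail
          # Sign the DMG container itself (the .app inside was signed during
          # the build). --timestamp attaches a secure timestamp so the
          # signature remains valid after the certificate expires.
          codesign --force --timestamp --sign "$APPLE_SIGNING_IDENTITY" "$DMG_PATH"
          # Confirm the signature we just produced validates before spending
          # notarization time on it.
          codesign --verify --strict --verbose=2 "$DMG_PATH"

      - name: Notarize DMG
        env:
          APPLE_NOTARY_API_KEY_ID: ${{ secrets.APPLE_NOTARY_API_KEY_ID }}
          APPLE_NOTARY_API_ISSUER_ID: ${{ secrets.APPLE_NOTARY_API_ISSUER_ID }}
        run: |
          set -euo pipefail
          # Submit and block until Apple returns a verdict. Whatever this
          # command's exit status is on an "Invalid" verdict, the staple step
          # below is the real gate: without a ticket, stapling fails the job.
          xcrun notarytool submit "$DMG_PATH" \
            --key "$NOTARY_KEY" \
            --key-id "$APPLE_NOTARY_API_KEY_ID" \
            --issuer "$APPLE_NOTARY_API_ISSUER_ID" \
            --wait --timeout 3h

      - name: Staple notarization ticket
        run: |
          set -euo pipefail
          # Attach the ticket so Gatekeeper can verify offline, then assess the
          # DMG the way Gatekeeper would on first open; a rejection fails the
          # job before anything is published.
          xcrun stapler staple "$DMG_PATH"
          spctl -a -vv --type open "$DMG_PATH"

      - name: Create or update GitHub Release
        env:
          GH_TOKEN: ${{ github.token }}
          # Passed through the environment instead of being interpolated into
          # the script text, so the input is data rather than shell source.
          TAG_INPUT: ${{ inputs.tag }}
        run: |
          set -euo pipefail
          TAG="${TAG_INPUT:-$GITHUB_REF_NAME}"
          # Releases are only ever cut from `v*` tags (see on.push.tags). A
          # manual run from a branch with no tag input would otherwise try to
          # publish a release named after the branch.
          case "$TAG" in
            v*) ;;
            *)
              echo "::error::'$TAG' is not a release tag (expected v*)"
              exit 1
              ;;
          esac
          LABEL="OpenWork macOS (Apple Silicon)"
          ASSET="${DMG_PATH}#${LABEL}"
          if gh release view "$TAG" >/dev/null 2>&1; then
            gh release upload "$TAG" "$ASSET" --clobber
          else
            # --verify-tag refuses to create the release if the tag does not
            # exist on the remote.
            gh release create "$TAG" "$ASSET" --title "OpenWork $TAG" --generate-notes --verify-tag
          fi

      - name: Remove signing material
        # Runs even if an earlier step failed: the keychain holding the
        # Developer ID key and the notary API key must not outlive the job.
        # Harmless on ephemeral hosted runners, essential on reused ones.
        if: always()
        run: |
          set -uo pipefail
          if [ -n "${KEYCHAIN_PATH:-}" ] && [ -f "$KEYCHAIN_PATH" ]; then
            security delete-keychain "$KEYCHAIN_PATH"
          fi
          rm -f "${NOTARY_KEY:-$RUNNER_TEMP/AuthKey.p8}" "$RUNNER_TEMP/openwork-certificate.p12"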