From 94be8c86e182f282429148f4f843e091d4298b07 Mon Sep 17 00:00:00 2001 From: Conrad Kramer Date: Sun, 24 Mar 2024 23:28:16 -0700 Subject: [PATCH] Update build pipeline to notarize macOS releases --- .github/actions/archive/action.yml | 5 +- .github/actions/build-for-testing/action.yml | 5 +- .github/actions/import-cert/action.yml | 25 +++------- .github/actions/notarize/action.yml | 34 +++++++------- .github/workflows/build-apple.yml | 48 ++++++++++---------- .github/workflows/release-apple.yml | 30 ++++++------ 6 files changed, 66 insertions(+), 81 deletions(-) diff --git a/.github/actions/archive/action.yml b/.github/actions/archive/action.yml index 4fd15b02..8b4c2274 100644 --- a/.github/actions/archive/action.yml +++ b/.github/actions/archive/action.yml @@ -29,11 +29,12 @@ runs: xcodebuild clean archive \ -allowProvisioningUpdates \ -allowProvisioningDeviceRegistration \ + -skipPackagePluginValidation \ + -skipMacroValidation \ + -onlyUsePackageVersionsFromResolvedFile \ -authenticationKeyID ${{ inputs.app-store-key-id }} \ -authenticationKeyIssuerID ${{ inputs.app-store-key-issuer-id }} \ -authenticationKeyPath "${PWD}/AuthKey_${{ inputs.app-store-key-id }}.p8" \ - -onlyUsePackageVersionsFromResolvedFile \ - -skipPackagePluginValidation \ -scheme '${{ inputs.scheme }}' \ -destination '${{ inputs.destination }}' \ -archivePath '${{ inputs.archive-path }}' \ diff --git a/.github/actions/build-for-testing/action.yml b/.github/actions/build-for-testing/action.yml index 69d10683..dfc14f2f 100644 --- a/.github/actions/build-for-testing/action.yml +++ b/.github/actions/build-for-testing/action.yml 
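Review bot: The added `-skipMacroValidation` (next to the re-ordered `-skipPackagePluginValidation`) turns off the only gate Xcode puts in front of SwiftPM macro and build-plugin code, so any macro or plugin reachable from the dependency graph now executes unprompted on a runner that also holds the imported signing identity and the App Store Connect key written to `AuthKey_*.p8`. That is unavoidable for a non-interactive build, but it makes `-onlyUsePackageVersionsFromResolvedFile` the remaining control, and that only helps if `Package.resolved` pins revisions and changes to it are reviewed like code. I would say so beside the flags: `# Skipping macro/plugin validation runs dependency code unattended; Package.resolved is the only pin, so review its changes.` The `xcodebuild clean archive` command starts and ends outside this hunk.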
@@ -26,11 +26,12 @@ runs: xcodebuild build-for-testing \ -allowProvisioningUpdates \ -allowProvisioningDeviceRegistration \ + -skipPackagePluginValidation \ + -skipMacroValidation \ + -onlyUsePackageVersionsFromResolvedFile \ -authenticationKeyID ${{ inputs.app-store-key-id }} \ -authenticationKeyIssuerID ${{ inputs.app-store-key-issuer-id }} \ -authenticationKeyPath "${PWD}/AuthKey_${{ inputs.app-store-key-id }}.p8" \ - -onlyUsePackageVersionsFromResolvedFile \ - -skipPackagePluginValidation \ -scheme '${{ inputs.scheme }}' \ -destination '${{ inputs.destination }}' \ -resultBundlePath BuildResults.xcresult diff --git a/.github/actions/import-cert/action.yml b/.github/actions/import-cert/action.yml index 2e2d2e33..759418e3 100644 --- a/.github/actions/import-cert/action.yml +++ b/.github/actions/import-cert/action.yml 
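Review bot: The same `-skipMacroValidation` / `-skipPackagePluginValidation` pair is added to the build-for-testing action, and per build-apple.yml this action runs on every branch push after the developer certificate has been imported, so a malicious macro or plugin introduced through a dependency update would execute on every push with that identity in the keychain, not only at release time. A one-line warning next to the flags would keep the trade-off visible: `# Macro/plugin validation is skipped for CI; dependency code runs unattended, so keep Package.resolved pinned.` If the test build for a simulator destination does not actually need the certificate, importing it only for the device/release jobs would narrow the exposure further, but I can't confirm that from this hunk. The `xcodebuild build-for-testing` command starts and ends outside the hunk.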
@@ -11,29 +11,16 @@ runs: steps: - shell: bash run: | - security list-keychains -d user -s login.keychain Developer.keychain - - if [[ ! -f "$HOME/Library/Keychains/Developer.keychain-db" ]]; then - security create-keychain -p "${{ inputs.password }}" Developer.keychain - security set-keychain-settings -lut 21600 Developer.keychain - - for CERT_INDEX in {2..8}; do - CERT_FILE=AppleWWDRCAG${CERT_INDEX}.cer - curl --proto '=https' --tlsv1.2 -sSOf "https://www.apple.com/certificateauthority/$CERT_FILE" - security import $CERT_FILE -k Developer.keychain -f openssl - rm $CERT_FILE - done - fi - - security unlock-keychain -p "${{ inputs.password }}" Developer.keychain - echo -n "${{ inputs.certificate }}" | base64 -d > Developer.p12 + security create-keychain -p password Developer.keychain + security set-keychain-settings -lut 21600 Developer.keychain + security unlock-keychain -p password Developer.keychain security import Developer.p12 \ -k Developer.keychain \ -f pkcs12 \ -A \ -T /usr/bin/codesign \ -T /usr/bin/security \ - -P "${{ inputs.password }}" - - security set-key-partition-list -S apple-tool:,apple: -k "${{ inputs.password }}" Developer.keychain + -P ${{ inputs.password }} + security set-key-partition-list -S apple-tool:,apple: -k password Developer.keychain + security list-keychains -d user -s login.keychain Developer.keychain diff --git a/.github/actions/notarize/action.yml b/.github/actions/notarize/action.yml index 33cb855a..8cbe7f5e 100644 --- a/.github/actions/notarize/action.yml +++ b/.github/actions/notarize/action.yml 
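Review bot: On the new side of this step I can no longer find where `Developer.p12` is written: the `echo -n "${{ inputs.certificate }}" | base64 -d > Developer.p12` line is removed and nothing in the hunk replaces it, yet `security import Developer.p12` still follows, so unless the file is produced somewhere not visible here (no earlier step exists under `steps:`) the import will fail. The rewrite also drops the quotes that the old `-P "${{ inputs.password }}"` had, so `-P ${{ inputs.password }}` breaks on a password containing spaces or shell metacharacters, and both secrets are still spliced into the script text through `${{ }}` rather than read from the environment. Hard-coding `password` for the throwaway keychain is acceptable on an ephemeral runner, but the p12 should be deleted once it has been imported. I would restore the decode step and pass the secrets through `env:` as below; the `run:` block may continue past the end of the hunk.

```yaml
    - shell: bash
      env:
        CERT_BASE64: ${{ inputs.certificate }}
        CERT_PASSWORD: ${{ inputs.password }}
      run: |
        echo -n "$CERT_BASE64" | base64 -d > Developer.p12
        security create-keychain -p password Developer.keychain
        # … unchanged: set-keychain-settings, unlock-keychain, security import and its -k/-f/-A/-T flags …
          -P "$CERT_PASSWORD"
        rm -f Developer.p12
        # … unchanged: set-key-partition-list, list-keychains …
```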
@@ -28,34 +28,32 @@ runs: run: | echo "${{ inputs.app-store-key }}" > AuthKey_${{ inputs.app-store-key-id }}.p8 - echo '{"destination":"upload","method":"developer-id"}' \ + echo '{"destination":"export","method":"developer-id"}' \ | plutil -convert xml1 -o ExportOptions.plist - - xcodebuild \ - -exportArchive \ + xcodebuild -exportArchive \ -allowProvisioningUpdates \ -allowProvisioningDeviceRegistration \ + -skipPackagePluginValidation \ + -skipMacroValidation \ + -onlyUsePackageVersionsFromResolvedFile \ -authenticationKeyID ${{ inputs.app-store-key-id }} \ -authenticationKeyIssuerID ${{ inputs.app-store-key-issuer-id }} \ -authenticationKeyPath "${PWD}/AuthKey_${{ inputs.app-store-key-id }}.p8" \ -archivePath '${{ inputs.archive-path }}' \ + -exportPath Release \ -exportOptionsPlist ExportOptions.plist - until xcodebuild \ - -exportNotarizedApp \ - -allowProvisioningUpdates \ - -allowProvisioningDeviceRegistration \ - -authenticationKeyID ${{ inputs.app-store-key-id }} \ - -authenticationKeyIssuerID ${{ inputs.app-store-key-issuer-id }} \ - -authenticationKeyPath "${PWD}/AuthKey_${{ inputs.app-store-key-id }}.p8" \ - -archivePath '${{ inputs.archive-path }}' \ - -exportPath Release - do - echo "Failed to export app, trying again in 10s..." 
- sleep 10 - done + rm ExportOptions.plist + + ditto -c -k --keepParent Release/${{ inputs.product-name }} Upload.zip + SUBMISSION_ID=$(xcrun notarytool submit --issuer ${{ inputs.app-store-key-issuer-id }} --key-id ${{ inputs.app-store-key-id }} --key "${PWD}/AuthKey_${{ inputs.app-store-key-id }}.p8" Upload.zip | awk '/ id:/ { print $2; exit }') + + xcrun notarytool wait $SUBMISSION_ID --issuer ${{ inputs.app-store-key-issuer-id }} --key-id ${{ inputs.app-store-key-id }} --key "${PWD}/AuthKey_${{ inputs.app-store-key-id }}.p8" + xcrun stapler staple Release/${{ inputs.product-name }} aa archive -a lzma -b 8m -d Release -subdir ${{ inputs.product-name }} -o ${{ inputs.product-name }}.aar - echo "notarized-app=Apple/${{ inputs.product-name }}.aar" >> $GITHUB_OUTPUT - rm -rf AuthKey_${{ inputs.app-store-key-id }}.p8 Release ExportOptions.plist + rm -rf Upload.zip Release AuthKey_${{ inputs.app-store-key-id }}.p8 ExportOptions.plist + + echo "notarized-app=Apple/${{ inputs.product-name }}.aar" >> $GITHUB_OUTPUT diff --git a/.github/workflows/build-apple.yml b/.github/workflows/build-apple.yml index 3b71f1c7..f07cde0a 100644 --- a/.github/workflows/build-apple.yml +++ b/.github/workflows/build-apple.yml @@ -8,18 +8,18 @@ on: - "*" jobs: build: - name: Build (${{ matrix.configuration['platform'] }}) + name: Build (${{ matrix.platform }}) runs-on: macos-13 strategy: fail-fast: false matrix: - configuration: + include: - scheme: App destination: generic/platform=iOS platform: iOS sdk-name: iphoneos - scheme: App - destination: platform=iOS Simulator,OS=17.0,name=iPhone 14 Pro + destination: platform=iOS Simulator,OS=17.2,name=iPhone 14 Pro platform: iOS Simulator sdk-name: iphonesimulator xcode-unit-test: UnitTests 
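Review bot: `SUBMISSION_ID=$(xcrun notarytool submit … | awk '/ id:/ { print $2; exit }')` scrapes the submission id out of human-readable output, so any wording change leaves `SUBMISSION_ID` empty and the following `notarytool wait` fails with a usage error instead of a notarization error; `notarytool submit --wait` submits and polls in one call and removes the parsing entirely: `xcrun notarytool submit Upload.zip --wait --issuer ${{ inputs.app-store-key-issuer-id }} --key-id ${{ inputs.app-store-key-id }} --key "${PWD}/AuthKey_${{ inputs.app-store-key-id }}.p8"`. Whether `notarytool` exits non-zero for an `Invalid` result varies by Xcode version, so keep `xcrun stapler staple` immediately after it as the hard check that a ticket was issued, which the hunk already does. The `.p8` key and `Upload.zip` are only removed on the success path; on a GitHub-hosted runner that is fine, but a self-hosted runner would need a `trap`-based cleanup so the App Store Connect key never outlives a failed run.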
@@ -33,7 +33,7 @@ jobs: xcode-ui-test: UITests-macOS gradle-test: macosX64Test env: - DEVELOPER_DIR: /Applications/Xcode_15.0.app/Contents/Developer + DEVELOPER_DIR: /Applications/Xcode_15.2.app/Contents/Developer steps: - name: Checkout uses: actions/checkout@v3 
@@ -60,44 +60,44 @@ jobs: password: ${{ secrets.DEVELOPER_CERT_PASSWORD }} - name: Build External Libraries shell: bash - run: External/build-darwin.sh ${{ matrix.configuration['sdk-name'] }} + run: External/build-darwin.sh ${{ matrix.sdk-name }} - name: Build id: build uses: ./.github/actions/build-for-testing with: - scheme: ${{ matrix.configuration['scheme'] }} - destination: ${{ matrix.configuration['destination'] }} + scheme: ${{ matrix.scheme }} + destination: ${{ matrix.destination }} app-store-key: ${{ secrets.APPSTORE_KEY }} app-store-key-id: ${{ secrets.APPSTORE_KEY_ID }} app-store-key-issuer-id: ${{ secrets.APPSTORE_KEY_ISSUER_ID }} - name: Xcode Unit Test - if: ${{ matrix.configuration['xcode-unit-test'] != '' }} + if: ${{ matrix.xcode-unit-test != '' }} continue-on-error: true uses: ./.github/actions/test-without-building with: - scheme: ${{ matrix.configuration['scheme'] }} - destination: ${{ matrix.configuration['destination'] }} - test-plan: ${{ matrix.configuration['xcode-unit-test'] }} - artifact-prefix: unit-tests-${{ matrix.configuration['sdk-name'] }} - check-name: Xcode Unit Tests (${{ matrix.configuration['platform'] }}) + scheme: ${{ matrix.scheme }} + destination: ${{ matrix.destination }} + test-plan: ${{ matrix.xcode-unit-test }} + artifact-prefix: unit-tests-${{ matrix.sdk-name }} + check-name: Xcode Unit Tests (${{ matrix.platform }}) - name: Build Kotlin Tests - if: ${{ matrix.configuration['gradle-test'] != '' }} + if: ${{ matrix.gradle-test != '' }} shell: bash - run: ./gradlew :Shared:${{ matrix.configuration['gradle-test'] }}Klibrary + run: ./gradlew :Shared:${{ matrix.gradle-test }}Klibrary - name: Kotlin Unit Test - if: ${{ matrix.configuration['gradle-test'] != '' }} + if: ${{ matrix.gradle-test != '' }} continue-on-error: true uses: ./.github/actions/gradle-test with: - task: :Shared:${{ matrix.configuration['gradle-test'] }} - check-name: Kotlin Tests (${{ matrix.configuration['platform'] }}) + task: :Shared:${{ 
matrix.gradle-test }} + check-name: Kotlin Tests (${{ matrix.platform }}) - name: Xcode UI Test - if: ${{ matrix.configuration['xcode-ui-test'] != '' }} + if: ${{ matrix.xcode-ui-test != '' }} continue-on-error: true uses: ./.github/actions/test-without-building with: - scheme: ${{ matrix.configuration['scheme'] }} - destination: ${{ matrix.configuration['destination'] }} - test-plan: ${{ matrix.configuration['xcode-ui-test'] }} - artifact-prefix: ui-tests-${{ matrix.configuration['sdk-name'] }} - check-name: Xcode UI Tests (${{ matrix.configuration['platform'] }}) + scheme: ${{ matrix.scheme }} + destination: ${{ matrix.destination }} + test-plan: ${{ matrix.xcode-ui-test }} + artifact-prefix: ui-tests-${{ matrix.sdk-name }} + check-name: Xcode UI Tests (${{ matrix.platform }}) diff --git a/.github/workflows/release-apple.yml b/.github/workflows/release-apple.yml index b4866306..ad74c955 100644 --- a/.github/workflows/release-apple.yml +++ b/.github/workflows/release-apple.yml @@ -5,26 +5,22 @@ on: - created jobs: build: - name: Build ${{ matrix.configuration['platform'] }} Release + name: Build ${{ matrix.platform }} Release runs-on: macos-13 strategy: fail-fast: false matrix: - configuration: + include: - scheme: App build-destination: generic/platform=iOS platform: iOS - method: ad-hoc - export-destination: export artifact-file: Apple/Release/Wallet.ipa - scheme: App (macOS) build-destination: generic/platform=macOS platform: macOS - method: developer-id - export-destination: upload artifact-file: Apple/Wallet.app.aar env: - DEVELOPER_DIR: /Applications/Xcode_15.0.app/Contents/Developer + DEVELOPER_DIR: /Applications/Xcode_15.2.app/Contents/Developer steps: - name: Checkout uses: actions/checkout@v3 
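Review bot: The reshaped `include:` list defines `scheme`, `build-destination`, `platform` and `artifact-file` but no `sdk-name`, while the `Build External Libraries` step later in this file runs `External/build-darwin.sh ${{ matrix.sdk-name }}`; that expression expands to an empty string, so the script is invoked with no SDK argument for both entries. The previous `configuration` list had the same gap, so this is pre-existing, but the matrix is being rewritten here and it is the natural moment to close it: add `sdk-name: iphoneos` to the iOS entry and, to the macOS entry, the same SDK name build-apple.yml uses for its macOS configuration (outside this view).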
@@ -47,32 +43,33 @@ jobs: - name: Import Certificate uses: ./.github/actions/import-cert with: - certificate: ${{ secrets.DEVELOPER_ID_CERT }} - password: ${{ secrets.DEVELOPER_ID_CERT_PASSWORD }} + certificate: ${{ secrets.DEVELOPER_CERT }} + password: ${{ secrets.DEVELOPER_CERT_PASSWORD }} - name: Build External Libraries shell: bash - run: External/build-darwin.sh ${{ matrix.configuration['sdk-name'] }} + run: External/build-darwin.sh ${{ matrix.sdk-name }} - name: Archive uses: ./.github/actions/archive with: - scheme: ${{ matrix.configuration['scheme'] }} - destination: ${{ matrix.configuration['build-destination'] }} + scheme: ${{ matrix.scheme }} + destination: ${{ matrix.build-destination }} app-store-key: ${{ secrets.APPSTORE_KEY }} app-store-key-id: ${{ secrets.APPSTORE_KEY_ID }} app-store-key-issuer-id: ${{ secrets.APPSTORE_KEY_ISSUER_ID }} archive-path: Wallet.xcarchive - name: Export + if: ${{ matrix.platform == 'iOS' }} uses: ./.github/actions/export with: - method: ${{ matrix.configuration['method'] }} - destination: ${{ matrix.configuration['export-destination'] }} + method: ad-hoc + destination: export app-store-key: ${{ secrets.APPSTORE_KEY }} app-store-key-id: ${{ secrets.APPSTORE_KEY_ID }} app-store-key-issuer-id: ${{ secrets.APPSTORE_KEY_ISSUER_ID }} archive-path: Wallet.xcarchive export-path: Release - name: Notarize - if: ${{ matrix.configuration['platform'] == 'macOS' }} + if: ${{ matrix.platform == 'macOS' }} uses: ./.github/actions/notarize with: app-store-key: ${{ secrets.APPSTORE_KEY }} @@ -84,5 +81,6 @@ jobs: uses: SierraSoftworks/gh-releases@v1.0.7 with: token: ${{ secrets.GITHUB_TOKEN }} + release_tag: ${{ github.ref_name }} overwrite: 'false' - files: ${{ matrix.configuration['artifact-file'] }} + files: ${{ matrix.artifact-file }}
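Review bot: The release job now imports `secrets.DEVELOPER_CERT` / `DEVELOPER_CERT_PASSWORD`, the same secret build-apple.yml imports on every branch push, in place of the dedicated `DEVELOPER_ID_CERT`. If that p12 now carries the Developer ID Application identity used by the notarize step, it is loaded into a keychain (with `-A` application access, per import-cert) on every push build rather than only at release time, which widens where a compromised dependency, build plugin or test could reach the distribution signing key. Consider keeping the release identity in its own secret, or gating it behind a GitHub `environment:` on this job so only release-triggered runs can read it.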
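Review bot: The upload step hands `secrets.GITHUB_TOKEN` to `SierraSoftworks/gh-releases@v1.0.7`, a third-party action pinned only by a mutable tag, so a retagged release could run different code with a token that can write to this repository; pin it to a full commit SHA (`uses: SierraSoftworks/gh-releases@<sha> # v1.0.7`) and do the same for `actions/checkout@v3` earlier in the file. The new `release_tag: ${{ github.ref_name }}` is the right value for a `release: created` trigger. If the workflow does not already declare `permissions:` (not visible here), restrict the token to `contents: write` for this job so the action gets nothing more than release-asset upload.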