Skip to content

Java app image macOS #8

Java app image macOS

Java app image macOS #8

Workflow file for this run

name: Java app image macOS
on:
release:
types: [published]
workflow_dispatch:
inputs:
sem-version:
description: 'Version'
required: false
notarize:
description: 'Notarize app'
required: false
type: boolean
permissions:
contents: write
packages: write
env:
JAVA_DIST: 'zulu'
JAVA_VERSION: '22.0.2+9'
defaults:
run:
shell: bash
jobs:
prepare:
name: Determines the versions strings for the binaries
runs-on: [ubuntu-latest]
outputs:
semVerStr: ${{ steps.determine-version.outputs.version }}
semVerNum: ${{steps.determine-number.outputs.number}}
revisionNum: ${{steps.determine-number.outputs.revision}}
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- id: determine-version
shell: pwsh
run: |
if ( '${{github.event_name}}' -eq 'release') {
echo 'version=${{ github.event.release.tag_name}}' >> "$env:GITHUB_OUTPUT"
exit 0
} elseif ('${{inputs.sem-version}}') {
echo 'version=${{ inputs.sem-version}}' >> "$env:GITHUB_OUTPUT"
exit 0
}
Write-Error "Version neither via input nor by tag specified. Aborting"
exit 1
- id: determine-number
run: |
SEM_VER_NUM=$(echo "${{ steps.determine-version.outputs.version }}" | sed -E 's/([0-9]+\.[0-9]+\.[0-9]+).*/\1/')
echo "number=${SEM_VER_NUM}" >> "$GITHUB_OUTPUT"
REVISION_NUM=`git rev-list --count HEAD`
echo "revision=${REVISION_NUM}" >> "$GITHUB_OUTPUT"
build-binary:
name: Build java app image
needs: [prepare]
strategy:
fail-fast: false
matrix:
include:
- os: macos-latest
architecture: arm64
artifact-name: cryptomator-cli-${{ needs.prepare.outputs.semVerStr }}-mac-arm64.zip
- os: macos-13
architecture: x64
artifact-name: cryptomator-cli-${{ needs.prepare.outputs.semVerStr }}-mac-x64.zip
runs-on: ${{ matrix.os }}
steps:
- uses: actions/checkout@v4
- uses: actions/setup-java@v4
with:
java-version: ${{ env.JAVA_VERSION }}
distribution: ${{ env.JAVA_DIST }}
- name: Set version
run: mvn versions:set -DnewVersion=${{ needs.prepare.outputs.semVerStr }}
- name: Run maven
run: mvn -B clean package -DskipTests
- name: Patch target dir
run: |
cp LICENSE.txt target
cp target/cryptomator-*.jar target/mods
- name: Run jlink
run: >
"${JAVA_HOME}/bin/jlink"
--verbose
--output target/runtime
--module-path "${JAVA_HOME}/jmods"
--add-modules java.base,java.compiler,java.naming,java.xml
--strip-native-commands
--no-header-files
--no-man-pages
--strip-debug
--compress zip-6
- name: Run jpackage
run: >
"${JAVA_HOME}/bin/jpackage"
--verbose
--type app-image
--runtime-image target/runtime
--input target/libs
--module-path target/mods
--module org.cryptomator.cli/org.cryptomator.cli.CryptomatorCli
--dest target
--name cryptomator-cli
--vendor "Skymatic GmbH"
--copyright "(C) 2016 - 2024 Skymatic GmbH"
--app-version "${{ needs.prepare.outputs.semVerNum }}"
--java-options "-Dorg.cryptomator.cli.version=${{ needs.prepare.outputs.semVerStr }}"
--java-options "--enable-native-access=org.cryptomator.jfuse.mac"
--java-options "-Xss5m"
--java-options "-Xmx256m"
--java-options "-Dfile.encoding=\"utf-8\""
- name: Patch .app dir
run: |
sed -i '' "s|###BUNDLE_SHORT_VERSION_STRING###|${VERSION_NO}|g" ./target/cryptomator-cli.app/Contents/Info.plist
sed -i '' "s|###BUNDLE_VERSION###|${REVISION_NO}|g" ./target/cryptomator-cli.app/Contents/Info.plist
echo -n "$PROVISIONING_PROFILE_BASE64" | base64 --decode --output ./target/cryptomator-cli.app/Contents/embedded.provisionprofile
env:
VERSION_NO: ${{ needs.prepare.outputs.semVerNum }}
REVISION_NO: ${{ needs.prepare.outputs.revisionNum }}
PROVISIONING_PROFILE_BASE64: ${{ secrets.MACOS_PROVISIONING_PROFILE_BASE64 }}
- name: Install codesign certificate
run: |
# create variables
CERTIFICATE_PATH=$RUNNER_TEMP/codesign.p12
KEYCHAIN_PATH=$RUNNER_TEMP/codesign.keychain-db
# import certificate and provisioning profile from secrets
echo -n "$CODESIGN_P12_BASE64" | base64 --decode --output $CERTIFICATE_PATH
# create temporary keychain
security create-keychain -p "$CODESIGN_TMP_KEYCHAIN_PW" $KEYCHAIN_PATH
security set-keychain-settings -lut 900 $KEYCHAIN_PATH
security unlock-keychain -p "$CODESIGN_TMP_KEYCHAIN_PW" $KEYCHAIN_PATH
# import certificate to keychain
security import $CERTIFICATE_PATH -P "$CODESIGN_P12_PW" -A -t cert -f pkcs12 -k $KEYCHAIN_PATH
security list-keychain -d user -s $KEYCHAIN_PATH
env:
CODESIGN_P12_BASE64: ${{ secrets.MACOS_CODESIGN_P12_BASE64 }}
CODESIGN_P12_PW: ${{ secrets.MACOS_CODESIGN_P12_PW }}
CODESIGN_TMP_KEYCHAIN_PW: ${{ secrets.MACOS_CODESIGN_TMP_KEYCHAIN_PW }}
- name: Codesign
run: |
echo "Codesigning jdk files..."
find ./target/cryptomator-cli.app/Contents/runtime/Contents/Home/lib/ -name '*.dylib' -exec codesign --force -s ${CODESIGN_IDENTITY} {} \;
find ./target/cryptomator-cli.app/Contents/runtime/Contents/Home/lib/ \( -name 'jspawnhelper' -o -name 'pauseengine' -o -name 'simengine' \) -exec codesign --force -o runtime -s ${CODESIGN_IDENTITY} {} \;
echo "Codesigning jar contents..."
find ./target/cryptomator-cli.app/Contents/runtime/Contents/MacOS -name '*.dylib' -exec codesign --force -s ${CODESIGN_IDENTITY} {} \;
for JAR_PATH in `find ./target/cryptomator-cli.app -name "*.jar"`; do
if [[ `unzip -l ${JAR_PATH} | grep '.dylib\|.jnilib'` ]]; then
JAR_FILENAME=$(basename ${JAR_PATH})
OUTPUT_PATH=${JAR_PATH%.*}
echo "Codesigning libs in ${JAR_FILENAME}..."
unzip -q ${JAR_PATH} -d ${OUTPUT_PATH}
find ${OUTPUT_PATH} -name '*.dylib' -exec codesign --force -s ${CODESIGN_IDENTITY} {} \;
find ${OUTPUT_PATH} -name '*.jnilib' -exec codesign --force -s ${CODESIGN_IDENTITY} {} \;
rm ${JAR_PATH}
pushd ${OUTPUT_PATH} > /dev/null
zip -qr ../${JAR_FILENAME} *
popd > /dev/null
rm -r ${OUTPUT_PATH}
fi
done
echo "Codesigning Cryptomator.app..."
sed -i '' "s|###APP_IDENTIFIER_PREFIX###|${TEAM_IDENTIFIER}.|g" dist/mac/cryptomator-cli.entitlements
sed -i '' "s|###TEAM_IDENTIFIER###|${TEAM_IDENTIFIER}|g" dist/mac/cryptomator-cli.entitlements
codesign --force --deep --entitlements dist/mac/cryptomator-cli.entitlements -o runtime -s ${CODESIGN_IDENTITY} ./target/cryptomator-cli.app
env:
CODESIGN_IDENTITY: ${{ secrets.MACOS_CODESIGN_IDENTITY }}
TEAM_IDENTIFIER: ${{ secrets.MACOS_TEAM_IDENTIFIER }}
- name: Zip binary for release
run: zip -r ./${{ matrix.artifact-name}} ./target/cryptomator-cli.app
- name: Notarize .dmg
if: startsWith(github.ref, 'refs/tags/') || inputs.notarize
uses: cocoalibs/xcode-notarization-action@v1
with:
app-path: ${{ matrix.artifact-name }}
apple-id: ${{ secrets.MACOS_NOTARIZATION_APPLE_ID }}
password: ${{ secrets.MACOS_NOTARIZATION_PW }}
team-id: ${{ secrets.MACOS_NOTARIZATION_TEAM_ID }}
xcode-path: '/Applications/Xcode_16.app'
- name: Create detached GPG signature with key 615D449FE6E6A235
run: |
echo "${GPG_PRIVATE_KEY}" | gpg --batch --quiet --import
echo "${GPG_PASSPHRASE}" | gpg --batch --quiet --passphrase-fd 0 --pinentry-mode loopback -u 615D449FE6E6A235 --detach-sign -a ./${{ matrix.artifact-name }}
env:
GPG_PRIVATE_KEY: ${{ secrets.RELEASES_GPG_PRIVATE_KEY }}
GPG_PASSPHRASE: ${{ secrets.RELEASES_GPG_PASSPHRASE }}
- uses: actions/upload-artifact@v4
with:
name: cryptomator-cli-mac-${{ matrix.architecture }}
path: |
${{ matrix.artifact-name}}
*.asc
if-no-files-found: error
- name: Publish artefact on GitHub Releases
if: startsWith(github.ref, 'refs/tags/') && github.event.action == 'published'
uses: softprops/action-gh-release@v2
with:
fail_on_unmatched_files: true
token: ${{ secrets.CRYPTOBOT_RELEASE_TOKEN }}
files: |
${{ matrix.artifact-name }}
cryptomator-cli-*.asc