
CI: Signed MacOS app bundles, MacOS installer #26

Workflow file for this run

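# Builds the Zen desktop app for every OS/arch pair in the matrix, signs and
# notarizes the macOS bundle, uploads the build output as a workflow artifact
# and, on v* tags, attaches it to a draft GitHub release.
name: Build & Release
on:
  push:
    branches:
      - main
    tags:
      - 'v*'
  pull_request:
# NOTE(review): this grant is workflow-wide, so the token available to every
# step (third-party actions included) can write repository contents, although
# only the tag-gated Release step needs that. Consider moving the release into
# its own job and leaving the build job read-only.
permissions:
  # https://github.com/softprops/action-gh-release/issues/236
  contents: write
jobs:
  build:
    name: Build (${{ matrix.os }}) - ${{ matrix.arch }}
    runs-on: ${{ matrix.os }}
    strategy:
      matrix:
        os: [macOS-latest, ubuntu-latest, windows-latest]
        arch: [amd64, arm64]
        exclude:
          # Cross-compilation to arm64 on x86 Linux is broken due to a bug in Go/Wails.
          # Until that is fixed, only build x86 Linux binaries.
          - os: ubuntu-latest
            arch: arm64
      fail-fast: false
    # NOTE(review): the actions below are referenced by mutable tags. Pinning
    # each one to a full commit SHA keeps a re-tagged action from running with
    # this job's token and signing secrets.
    steps:
      - uses: actions/checkout@v4
      - name: Setup Go
        uses: actions/setup-go@v4
        with:
          check-latest: true
          # Quoted so the version is read as a string, not a float.
          go-version: '1.21'
      - run: go version
      - name: Setup Node
        uses: actions/setup-node@v3
        with:
          node-version: '18'
      - run: node --version
      # NOTE(review): @latest is resolved at run time, so the tool that builds
      # the binaries which are signed later in this job is not pinned.
      # Consider installing a fixed Wails version.
      - name: Install Wails
        run: go install github.com/wailsapp/wails/v2/cmd/wails@latest
      - name: Install Linux Wails deps
        if: runner.os == 'Linux'
        run: sudo apt-get update && sudo apt-get install libgtk-3-0 libwebkit2gtk-4.0-dev gcc-aarch64-linux-gnu
      - name: Build Linux App
        if: runner.os == 'Linux'
        run: wails build -o Zen-${{ matrix.arch }} -platform linux/${{ matrix.arch }}
      - name: Build MacOS App
        if: runner.os == 'macOS'
        run: wails build -platform darwin/${{ matrix.arch }} && mv build/bin/Zen.app build/bin/Zen-${{ matrix.arch }}.app
      # NOTE(review): this step and the notarization step also run on
      # pull_request events. GitHub does not pass repository secrets to pull
      # requests from forks, so the values below are empty there and the steps
      # presumably fail - confirm whether they should be skipped for pull requests.
      - name: Codesign MacOS App Bundle
        if: runner.os == 'macOS'
        env:
          MACOS_CERTIFICATE: ${{ secrets.PROD_MACOS_CERTIFICATE }}
          MACOS_CERTIFICATE_PWD: ${{ secrets.PROD_MACOS_CERTIFICATE_PWD }}
          MACOS_CERTIFICATE_NAME: ${{ secrets.PROD_MACOS_CERTIFICATE_NAME }}
          MACOS_CI_KEYCHAIN_PWD: ${{ secrets.PROD_MACOS_CI_KEYCHAIN_PWD }}
        run: |
          # The decoded .p12 holds the signing private key: keep it out of the
          # checkout and delete it when the step exits, even on failure.
          CERT_PATH="$RUNNER_TEMP/certificate.p12"
          trap 'rm -f "$CERT_PATH"' EXIT
          echo "$MACOS_CERTIFICATE" | base64 --decode > "$CERT_PATH"
          security create-keychain -p "$MACOS_CI_KEYCHAIN_PWD" build.keychain
          security default-keychain -s build.keychain
          security unlock-keychain -p "$MACOS_CI_KEYCHAIN_PWD" build.keychain
          security import "$CERT_PATH" -k build.keychain -P "$MACOS_CERTIFICATE_PWD" -T /usr/bin/codesign
          security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$MACOS_CI_KEYCHAIN_PWD" build.keychain
          /usr/bin/codesign --force -s "$MACOS_CERTIFICATE_NAME" --options runtime build/bin/Zen-${{ matrix.arch }}.app -v
      - name: Notarize MacOS App Bundle
        if: runner.os == 'macOS'
        env:
          PROD_MACOS_NOTARIZATION_APPLE_ID: ${{ secrets.PROD_MACOS_NOTARIZATION_APPLE_ID }}
          PROD_MACOS_NOTARIZATION_TEAM_ID: ${{ secrets.PROD_MACOS_NOTARIZATION_TEAM_ID }}
          PROD_MACOS_NOTARIZATION_PWD: ${{ secrets.PROD_MACOS_NOTARIZATION_PWD }}
        run: |
          xcrun notarytool store-credentials "notarytool-profile" --apple-id "$PROD_MACOS_NOTARIZATION_APPLE_ID" --team-id "$PROD_MACOS_NOTARIZATION_TEAM_ID" --password "$PROD_MACOS_NOTARIZATION_PWD"
          # notarization.zip is written to the workspace root, outside the
          # build/bin/* glob that is uploaded and released below.
          ditto -c -k --keepParent build/bin/Zen-${{ matrix.arch }}.app notarization.zip
          xcrun notarytool submit "notarization.zip" --keychain-profile "notarytool-profile" --wait
          xcrun stapler staple build/bin/Zen-${{ matrix.arch }}.app
      - name: Build Windows App & Installer
        if: runner.os == 'Windows'
        run: wails build -o Zen-${{ matrix.arch }}.exe -platform windows/${{ matrix.arch }} -nsis
      - uses: actions/upload-artifact@v3
        with:
          name: Zen-${{ runner.os }}-${{ matrix.arch }}
          path: build/bin/*
      # Runs only for v* tag pushes; the release is created as a draft.
      - name: Release
        uses: softprops/action-gh-release@v1
        if: startsWith(github.ref, 'refs/tags/v')
        with:
          files: build/bin/*
          tag_name: ${{ github.ref }}
          draft: true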