@@ -64,9 +64,113 @@ jobs:
6464 name : ${{ env.ARTIFACT_NAME }}
6565 path : ${{ env.DIST_DIR }}
6666
67+ notarize-macos :
68+ name : Notarize ${{ matrix.artifact.name }}
69+ runs-on : macos-latest
70+ needs : create-release-artifacts
71+
72+ env :
73+ GON_CONFIG_PATH : gon.config.hcl
74+
75+ strategy :
76+ matrix :
77+ artifact :
78+ - name : darwin_amd64
79+ path : " macOS_64bit.tar.gz"
80+ - name : darwin_arm64
81+ path : " macOS_ARM64.tar.gz"
82+
83+ steps :
84+ - name : Checkout repository
85+ uses : actions/checkout@v3
86+
87+ - name : Download artifacts
88+ uses : actions/download-artifact@v3
89+ with :
90+ name : ${{ env.ARTIFACT_NAME }}
91+ path : ${{ env.DIST_DIR }}
92+
93+ - name : Import Code-Signing Certificates
94+ env :
95+ KEYCHAIN : " sign.keychain"
96+ INSTALLER_CERT_MAC_PATH : " /tmp/ArduinoCerts2020.p12"
97+ # Arbitrary password for a keychain that exists only for the duration of the job, so not secret
98+ KEYCHAIN_PASSWORD : keychainpassword
99+ run : |
100+ echo "${{ secrets.INSTALLER_CERT_MAC_P12 }}" | base64 --decode > "${{ env.INSTALLER_CERT_MAC_PATH }}"
101+ security create-keychain -p "${{ env.KEYCHAIN_PASSWORD }}" "${{ env.KEYCHAIN }}"
102+ security default-keychain -s "${{ env.KEYCHAIN }}"
103+ security unlock-keychain -p "${{ env.KEYCHAIN_PASSWORD }}" "${{ env.KEYCHAIN }}"
104+ security import \
105+ "${{ env.INSTALLER_CERT_MAC_PATH }}" \
106+ -k "${{ env.KEYCHAIN }}" \
107+ -f pkcs12 \
108+ -A \
109+ -T "/usr/bin/codesign" \
110+ -P "${{ secrets.INSTALLER_CERT_MAC_PASSWORD }}"
111+ security set-key-partition-list \
112+ -S apple-tool:,apple: \
113+ -s \
114+ -k "${{ env.KEYCHAIN_PASSWORD }}" \
115+ "${{ env.KEYCHAIN }}"
116+
117+ name : Install gon for code signing and app notarization
118+ run : |
119+ wget -q https://github.com/mitchellh/gon/releases/download/v0.2.3/gon_macos.zip
120+ unzip gon_macos.zip -d /usr/local/bin
121+
122+ name : Write gon config to file
123+ # gon does not allow env variables in config file (https://github.com/mitchellh/gon/issues/20)
124+ run : |
125+ cat > "${{ env.GON_CONFIG_PATH }}" <<EOF
126+ # See: https://github.com/mitchellh/gon#configuration-file
127+ source = ["${{ env.DIST_DIR }}/${{ env.PROJECT_NAME }}_osx_${{ matrix.artifact.name }}/${{ env.PROJECT_NAME }}"]
128+ bundle_id = "cc.arduino.${{ env.PROJECT_NAME }}"
129+
130+ sign {
131+ application_identity = "Developer ID Application: ARDUINO SA (7KT7ZWMCJT)"
132+ entitlements_file = "entitlements.plist"
133+ }
134+
135+ # Ask Gon for zip output to force notarization process to take place.
136+ # The CI will ignore the zip output, using the signed binary only.
137+ zip {
138+ output_path = "unused.zip"
139+ }
140+ EOF
141+
142+ name : Sign and notarize binary
143+ env :
144+ AC_USERNAME : ${{ secrets.AC_USERNAME }}
145+ AC_PASSWORD : ${{ secrets.AC_PASSWORD }}
146+ run : |
147+ gon "${{ env.GON_CONFIG_PATH }}"
148+
149+ name : Re-package binary
150+ id : re-package
151+ working-directory : ${{ env.DIST_DIR }}
152+ # Repackage the signed binary replaced in place by Gon (ignoring the output zip file)
153+ run : |
154+ # GitHub's upload/download-artifact actions don't preserve file permissions,
155+ # so we need to add execution permission back until the action is made to do this.
156+ chmod +x "${{ env.PROJECT_NAME }}_osx_${{ matrix.artifact.name }}/${{ env.PROJECT_NAME }}"
157+ TAG="${GITHUB_REF/refs\/tags\//}"
158+ PACKAGE_FILENAME="${{ env.PROJECT_NAME }}_${TAG}_${{ matrix.artifact.path }}"
159+ tar -czvf "$PACKAGE_FILENAME" \
160+ -C "${{ env.PROJECT_NAME }}_osx_${{ matrix.artifact.name }}/" "${{ env.PROJECT_NAME }}" \
161+ -C ../../ LICENSE.txt
162+ echo "PACKAGE_FILENAME=$PACKAGE_FILENAME" >> $GITHUB_ENV
163+
164+ name : Upload artifact
165+ uses : actions/upload-artifact@v3
166+ with :
167+ if-no-files-found : error
168+ name : ${{ env.ARTIFACT_NAME }}
169+ path : ${{ env.DIST_DIR }}/${{ env.PACKAGE_FILENAME }}
170+
67171 create-release :
68172 runs-on : ubuntu-latest
69- needs : create-release-artifacts
173+ needs : notarize-macos
70174
71175 steps :
72176 - name : Download artifact
0 commit comments