Create DMG Variants #36
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Create DMG Variants | |
on: | |
workflow_dispatch: | |
inputs: | |
atb-variants: | |
description: "ATB variants (comma-separated)" | |
required: true | |
type: string | |
jobs: | |
set-up-variants: | |
name: Set Up Variants | |
runs-on: macos-13 | |
timeout-minutes: 15 | |
outputs: | |
atb-variants: ${{ steps.atb-variants.outputs.matrix }} | |
steps: | |
- name: Set up ATB variants | |
id: atb-variants | |
run: | | |
variant_matrix="$(echo "${{ github.event.inputs.atb-variants }}" | sed 's/,/\",\"/g')" | |
echo "matrix={\"variant\": [\"${variant_matrix}\"]}" >> $GITHUB_OUTPUT | |
create-atb-variants: | |
name: Create ATB Variant | |
needs: set-up-variants | |
strategy: | |
fail-fast: false | |
matrix: ${{ fromJSON(needs.set-up-variants.outputs.atb-variants) }} | |
runs-on: macos-12 | |
timeout-minutes: 15 | |
steps: | |
- name: Download release app | |
run: | | |
curl -fLSs "${{ vars.RELEASE_DMG_URL }}" --output duckduckgo.dmg | |
hdiutil attach duckduckgo.dmg -mountpoint vanilla | |
mkdir -p dmg | |
cp -R vanilla/DuckDuckGo.app dmg/DuckDuckGo.app | |
hdiutil detach vanilla | |
rm -f duckduckgo.dmg | |
- name: Install create-dmg | |
run: brew install create-dmg | |
- name: Fetch install-certs-and-profiles action | |
env: | |
GH_TOKEN: ${{ github.token }} | |
DEST_DIR: ".github/actions/install-certs-and-profiles" | |
run: | | |
mkdir -p "${{ env.DEST_DIR }}" | |
curl -fLSs $(gh api https://api.github.com/repos/${{ github.repository }}/contents/${{ env.DEST_DIR }}/action.yml?ref=${{ github.ref }} --jq .download_url) \ | |
--output ${{ env.DEST_DIR }}/action.yml | |
- name: Install Apple Developer ID Application certificate | |
uses: ./.github/actions/install-certs-and-profiles | |
with: | |
BUILD_CERTIFICATE_BASE64: ${{ secrets.BUILD_CERTIFICATE_BASE64 }} | |
P12_PASSWORD: ${{ secrets.P12_PASSWORD }} | |
KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }} | |
REVIEW_PROVISION_PROFILE_BASE64: ${{ secrets.REVIEW_PROVISION_PROFILE_BASE64 }} | |
RELEASE_PROVISION_PROFILE_BASE64: ${{ secrets.RELEASE_PROVISION_PROFILE_BASE64 }} | |
DBP_AGENT_RELEASE_PROVISION_PROFILE_BASE64: ${{ secrets.DBP_AGENT_RELEASE_PROVISION_PROFILE_BASE64 }} | |
DBP_AGENT_REVIEW_PROVISION_PROFILE_BASE64: ${{ secrets.DBP_AGENT_REVIEW_PROVISION_PROFILE_BASE64 }} | |
NETP_SYSEX_RELEASE_PROVISION_PROFILE_BASE64: ${{ secrets.NETP_SYSEX_RELEASE_PROVISION_PROFILE_BASE64_V2 }} | |
NETP_SYSEX_REVIEW_PROVISION_PROFILE_BASE64: ${{ secrets.NETP_SYSEX_REVIEW_PROVISION_PROFILE_BASE64_V2 }} | |
NETP_AGENT_RELEASE_PROVISION_PROFILE_BASE64: ${{ secrets.NETP_AGENT_RELEASE_PROVISION_PROFILE_BASE64_V2 }} | |
NETP_AGENT_REVIEW_PROVISION_PROFILE_BASE64: ${{ secrets.NETP_AGENT_REVIEW_PROVISION_PROFILE_BASE64_V2 }} | |
NETP_NOTIFICATIONS_RELEASE_PROVISION_PROFILE_BASE64: ${{ secrets.NETP_NOTIFICATIONS_RELEASE_PROVISION_PROFILE_BASE64 }} | |
NETP_NOTIFICATIONS_REVIEW_PROVISION_PROFILE_BASE64: ${{ secrets.NETP_NOTIFICATIONS_REVIEW_PROVISION_PROFILE_BASE64 }} | |
- name: Set up variant | |
working-directory: ${{ github.workspace }}/dmg | |
run: | | |
codesign -d --entitlements :- DuckDuckGo.app > entitlements.plist | |
echo "${{ matrix.variant }}" > "DuckDuckGo.app/Contents/Resources/variant.txt" | |
sign_identity="$(security find-certificate -a -c "Developer ID Application" -Z | grep ^SHA-1 | cut -d " " -f3 | uniq)" | |
/usr/bin/codesign \ | |
--force \ | |
--sign ${sign_identity} \ | |
--options runtime \ | |
--entitlements entitlements.plist \ | |
--generate-entitlement-der "DuckDuckGo.app" | |
rm -f entitlements.plist | |
- name: Notarize the app | |
env: | |
APPLE_API_KEY_BASE64: ${{ secrets.APPLE_API_KEY_BASE64 }} | |
APPLE_API_KEY_ID: ${{ secrets.APPLE_API_KEY_ID }} | |
APPLE_API_KEY_ISSUER: ${{ secrets.APPLE_API_KEY_ISSUER }} | |
working-directory: ${{ github.workspace }}/dmg | |
run: | | |
# import API Key from secrets | |
export APPLE_API_KEY_PATH="$RUNNER_TEMP/apple_api_key.pem" | |
echo -n "$APPLE_API_KEY_BASE64" | base64 --decode -o $APPLE_API_KEY_PATH | |
notarization_zip_path="DuckDuckGo-for-notarization.zip" | |
ditto -c -k --keepParent "DuckDuckGo.app" "${notarization_zip_path}" | |
xcrun notarytool submit \ | |
--key "${APPLE_API_KEY_PATH}" \ | |
--key-id "${{ env.APPLE_API_KEY_ID }}" \ | |
--issuer "${{ env.APPLE_API_KEY_ISSUER }}" \ | |
--wait \ | |
"${notarization_zip_path}" | |
xcrun stapler staple "DuckDuckGo.app" | |
rm -rf "${notarization_zip_path}" | |
- name: Create variant DMG | |
env: | |
GH_TOKEN: ${{ github.token }} | |
run: | | |
curl -fLSs $(gh api https://api.github.com/repos/${{ github.repository }}/contents/scripts/assets/dmg-background.png?ref=${{ github.ref }} --jq .download_url) \ | |
--output dmg-background.png | |
create-dmg --volname "DuckDuckGo" \ | |
--icon "DuckDuckGo.app" 140 160 \ | |
--background "dmg-background.png" \ | |
--window-size 600 400 \ | |
--icon-size 120 \ | |
--app-drop-link 430 160 "duckduckgo.dmg" \ | |
"dmg" | |
- name: Upload variant DMG | |
env: | |
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID_RELEASE_S3 }} | |
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY_RELEASE_S3 }} | |
AWS_DEFAULT_REGION: ${{ vars.AWS_DEFAULT_REGION }} | |
run: | | |
aws s3 cp duckduckgo.dmg \ | |
s3://${{ vars.RELEASE_BUCKET_NAME }}/${{ vars.RELEASE_BUCKET_PREFIX }}/${{ matrix.variant }}/duckduckgo.dmg \ | |
--acl public-read | |
mattermost: | |
name: Send Mattermost message | |
needs: create-atb-variants | |
runs-on: ubuntu-latest | |
steps: | |
- name: Send Mattermost message | |
env: | |
GH_TOKEN: ${{ github.token }} | |
WORKFLOW_URL: https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }} | |
run: | | |
curl -fLSs $(gh api https://api.github.com/repos/${{ github.repository }}/contents/scripts/assets/variants-release-mm-template.json?ref=${{ github.ref }} --jq .download_url) \ | |
--output message-template.json | |
export MM_USER_HANDLE=$(base64 -d <<< ${{ secrets.MM_HANDLES_BASE64 }} | jq ".${{ github.actor }}" | tr -d '"') | |
if [[ -z "${MM_USER_HANDLE}" ]]; then | |
echo "Mattermost user handle not known for ${{ github.actor }}, skipping sending message" | |
else | |
curl -s -H 'Content-type: application/json' \ | |
-d "$(envsubst < message-template.json)" \ | |
${{ secrets.MM_WEBHOOK_URL }} | |
fi |