Skip to content

Make Notarized DMG Release #795

Make Notarized DMG Release

Make Notarized DMG Release #795

Workflow file for this run

name: Make Notarized DMG Release
on:
workflow_dispatch:
inputs:
release-type:
description: "Build type (product review or public release)"
required: true
default: review
type: choice
options:
- review
- release
create-dmg:
description: "Create DMG image"
required: true
default: false
type: boolean
asana-task-url:
description: "Asana release task URL"
required: false
type: string
workflow_call:
inputs:
release-type:
description: "Build type (product review or public release)"
required: true
default: release
type: string
create-dmg:
description: "Create DMG image"
required: true
default: true
type: boolean
asana-task-url:
description: "Asana release task URL"
required: false
type: string
branch:
description: "Branch name"
required: false
type: string
secrets:
BUILD_CERTIFICATE_BASE64:
required: true
P12_PASSWORD:
required: true
KEYCHAIN_PASSWORD:
required: true
REVIEW_PROVISION_PROFILE_BASE64:
required: true
RELEASE_PROVISION_PROFILE_BASE64:
required: true
DBP_AGENT_RELEASE_PROVISION_PROFILE_BASE64:
required: true
DBP_AGENT_REVIEW_PROVISION_PROFILE_BASE64:
required: true
NETP_SYSEX_RELEASE_PROVISION_PROFILE_BASE64_V2:
required: true
NETP_SYSEX_REVIEW_PROVISION_PROFILE_BASE64_V2:
required: true
NETP_AGENT_RELEASE_PROVISION_PROFILE_BASE64_V2:
required: true
NETP_AGENT_REVIEW_PROVISION_PROFILE_BASE64_V2:
required: true
NETP_NOTIFICATIONS_RELEASE_PROVISION_PROFILE_BASE64:
required: true
NETP_NOTIFICATIONS_REVIEW_PROVISION_PROFILE_BASE64:
required: true
APPLE_API_KEY_BASE64:
required: true
APPLE_API_KEY_ID:
required: true
APPLE_API_KEY_ISSUER:
required: true
ASANA_ACCESS_TOKEN:
required: true
MM_HANDLES_BASE64:
required: true
MM_WEBHOOK_URL:
required: true
AWS_ACCESS_KEY_ID:
required: true
AWS_ACCESS_KEY_ID_RELEASE_S3:
required: true
AWS_SECRET_ACCESS_KEY:
required: true
AWS_SECRET_ACCESS_KEY_RELEASE_S3:
required: true
jobs:
export-notarized-app:
name: Export Notarized App
runs-on: macos-13-xlarge
outputs:
app-version: ${{ steps.set-outputs.outputs.app-version }}
app-name: ${{ steps.set-outputs.outputs.app-name }}
upload-to: ${{ steps.is-official-release.outputs.upload-to }}
env:
release-type: ${{ github.event.inputs.release-type || inputs.release-type }}
asana-task-url: ${{ github.event.inputs.asana-task-url || inputs.asana-task-url }}
branch: ${{ inputs.branch || github.ref_name }}
steps:
- name: Check out the code
uses: actions/checkout@v4
with:
submodules: recursive
ref: ${{ env.branch }}
- name: Check if this is an official release build
id: is-official-release
env:
is-official-release: ${{ env.release-type == 'release' && (startsWith(env.branch, 'release') || startsWith(env.branch, 'hotfix')) }}
run: |
if [[ "${{ env.is-official-release }}" == "true" ]]; then
echo "upload-to=s3" >> $GITHUB_OUTPUT
echo "upload-to=s3" >> $GITHUB_ENV
elif [[ -n "${{ env.asana-task-url }}" ]]; then
echo "upload-to=asana" >> $GITHUB_OUTPUT
echo "upload-to=asana" >> $GITHUB_ENV
fi
- name: Install Apple Developer ID Application certificate
uses: ./.github/actions/install-certs-and-profiles
with:
BUILD_CERTIFICATE_BASE64: ${{ secrets.BUILD_CERTIFICATE_BASE64 }}
P12_PASSWORD: ${{ secrets.P12_PASSWORD }}
KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }}
REVIEW_PROVISION_PROFILE_BASE64: ${{ secrets.REVIEW_PROVISION_PROFILE_BASE64 }}
RELEASE_PROVISION_PROFILE_BASE64: ${{ secrets.RELEASE_PROVISION_PROFILE_BASE64 }}
DBP_AGENT_RELEASE_PROVISION_PROFILE_BASE64: ${{ secrets.DBP_AGENT_RELEASE_PROVISION_PROFILE_BASE64 }}
DBP_AGENT_REVIEW_PROVISION_PROFILE_BASE64: ${{ secrets.DBP_AGENT_REVIEW_PROVISION_PROFILE_BASE64 }}
NETP_SYSEX_RELEASE_PROVISION_PROFILE_BASE64: ${{ secrets.NETP_SYSEX_RELEASE_PROVISION_PROFILE_BASE64_V2 }}
NETP_SYSEX_REVIEW_PROVISION_PROFILE_BASE64: ${{ secrets.NETP_SYSEX_REVIEW_PROVISION_PROFILE_BASE64_V2 }}
NETP_AGENT_RELEASE_PROVISION_PROFILE_BASE64: ${{ secrets.NETP_AGENT_RELEASE_PROVISION_PROFILE_BASE64_V2 }}
NETP_AGENT_REVIEW_PROVISION_PROFILE_BASE64: ${{ secrets.NETP_AGENT_REVIEW_PROVISION_PROFILE_BASE64_V2 }}
NETP_NOTIFICATIONS_RELEASE_PROVISION_PROFILE_BASE64: ${{ secrets.NETP_NOTIFICATIONS_RELEASE_PROVISION_PROFILE_BASE64 }}
NETP_NOTIFICATIONS_REVIEW_PROVISION_PROFILE_BASE64: ${{ secrets.NETP_NOTIFICATIONS_REVIEW_PROVISION_PROFILE_BASE64 }}
- name: Select Xcode
run: sudo xcode-select -s /Applications/Xcode_$(<.xcode-version).app/Contents/Developer
- name: Archive and notarize the app
id: archive
env:
APPLE_API_KEY_BASE64: ${{ secrets.APPLE_API_KEY_BASE64 }}
APPLE_API_KEY_ID: ${{ secrets.APPLE_API_KEY_ID }}
APPLE_API_KEY_ISSUER: ${{ secrets.APPLE_API_KEY_ISSUER }}
ASANA_ACCESS_TOKEN: ${{ secrets.ASANA_ACCESS_TOKEN }}
run: |
# import API Key from secrets
export APPLE_API_KEY_PATH="$RUNNER_TEMP/apple_api_key.pem"
echo -n "$APPLE_API_KEY_BASE64" | base64 --decode -o $APPLE_API_KEY_PATH
if [[ "${{ runner.debug }}" == "1" ]]; then
./scripts/archive.sh ${{ env.release-type }} -r
else
./scripts/archive.sh ${{ env.release-type }}
fi
- name: Set app name and version
id: set-outputs
run: |
echo "app-version=${{ env.app-version }}" >> $GITHUB_OUTPUT
echo "app-name=${{ env.app-name }}" >> $GITHUB_OUTPUT
echo "dsym-name=DuckDuckGo-${{ env.app-version }}-dSYM.zip" >> $GITHUB_OUTPUT
- name: Upload app artifact
uses: actions/upload-artifact@v4
with:
name: DuckDuckGo-${{ env.release-type }}-${{ env.app-version }}.app
path: ${{ github.workspace }}/release/DuckDuckGo-${{ env.app-version }}.zip
- name: Upload dSYMs artifact
uses: actions/upload-artifact@v4
with:
name: DuckDuckGo-${{ env.release-type }}-dSYM-${{ env.app-version }}
path: ${{ github.workspace }}/release/${{ steps.set-outputs.outputs.dsym-name }}
- name: Extract Asana Task ID
id: task-id
if: ${{ env.upload-to == 'asana' }}
uses: ./.github/actions/asana-extract-task-id
with:
task-url: ${{ env.asana-task-url }}
- name: Upload dSYMs to S3
id: upload-dsyms-to-s3
if: ${{ env.upload-to == 's3' }}
env:
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
AWS_DEFAULT_REGION: ${{ vars.AWS_DEFAULT_REGION }}
DSYM_S3_PATH: s3://${{ vars.DSYM_BUCKET_NAME }}/${{ vars.DSYM_BUCKET_PREFIX }}/${{ steps.set-outputs.outputs.dsym-name }}
run: |
echo "dsym-s3-path=${DSYM_S3_PATH}" >> $GITHUB_OUTPUT
aws s3 cp ${{ github.workspace }}/release/${{ steps.set-outputs.outputs.dsym-name }} ${{ env.DSYM_S3_PATH }}
- name: Report success
if: ${{ env.upload-to == 's3' }}
uses: ./.github/actions/asana-log-message
env:
DSYM_S3_PATH: ${{ steps.upload-dsyms-to-s3.outputs.dsym-s3-path }}
TAG: ${{ env.app-version }}
WORKFLOW_URL: https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}
with:
task-url: ${{ env.asana-task-url }}
access-token: ${{ secrets.ASANA_ACCESS_TOKEN }}
template-name: debug-symbols-uploaded
create-dmg:
name: Create DMG
needs: export-notarized-app
if: ${{ github.event.inputs.create-dmg == true || inputs.create-dmg == true }}
# use macos-12 for creating DMGs as macos-13 beta runners can't run AppleScript: https://app.asana.com/0/0/1204523592790998/f
runs-on: macos-12
env:
app-version: ${{ needs.export-notarized-app.outputs.app-version }}
app-name: ${{ needs.export-notarized-app.outputs.app-name }}
asana-task-url: ${{ github.event.inputs.asana-task-url || inputs.asana-task-url }}
upload-to: ${{ needs.export-notarized-app.outputs.upload-to }}
release-type: ${{ github.event.inputs.release-type || inputs.release-type }}
steps:
- name: Check out the code
uses: actions/checkout@v4
with:
submodules: recursive
ref: ${{ inputs.branch || github.ref_name }}
sparse-checkout: .github
- name: Fetch app bundle
uses: actions/download-artifact@v4
with:
name: DuckDuckGo-${{ env.release-type }}-${{ env.app-version }}.app
path: ${{ github.workspace }}/dmg
- name: Extract app bundle
run: |
ditto -xk DuckDuckGo-${{ env.app-version }}.zip .
rm -f DuckDuckGo-${{ env.app-version }}.zip
working-directory: ${{ github.workspace }}/dmg
- name: Install create-dmg
run: brew install create-dmg
- name: Create DMG
id: create-dmg
env:
GH_TOKEN: ${{ github.token }}
run: |
dmg="duckduckgo-${{ env.app-version }}.dmg"
curl -fLSs $(gh api https://api.github.com/repos/${{ github.repository }}/contents/scripts/assets/dmg-background.png?ref=${{ github.ref }} --jq .download_url) \
--output dmg-background.png
create-dmg --volname "${{ env.app-name }}" \
--icon "${{ env.app-name }}.app" 140 160 \
--background "dmg-background.png" \
--window-size 600 400 \
--icon-size 120 \
--app-drop-link 430 160 "${dmg}" \
"dmg"
echo "dmg=${dmg}" >> $GITHUB_OUTPUT
- name: Upload DMG artifact
uses: actions/upload-artifact@v4
with:
name: DuckDuckGo-${{ env.release-type }}-${{ env.app-version }}.dmg
path: ${{ github.workspace }}/${{ steps.create-dmg.outputs.dmg }}
- name: Upload DMG to S3
if: ${{ env.upload-to == 's3' }}
env:
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID_RELEASE_S3 }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY_RELEASE_S3 }}
AWS_DEFAULT_REGION: ${{ vars.AWS_DEFAULT_REGION }}
RELEASE_BUCKET_NAME: ${{ vars.RELEASE_BUCKET_NAME }}
RELEASE_BUCKET_PREFIX: ${{ vars.RELEASE_BUCKET_PREFIX }}
run: |
aws s3 cp \
${{ github.workspace }}/${{ steps.create-dmg.outputs.dmg }} \
s3://${{ env.RELEASE_BUCKET_NAME }}/${{ env.RELEASE_BUCKET_PREFIX }}/ \
--acl public-read
- name: Report success
if: ${{ env.upload-to == 's3' }}
uses: ./.github/actions/asana-log-message
env:
DMG_URL: ${{ vars.DMG_URL_ROOT }}${{ steps.create-dmg.outputs.dmg }}
TAG: ${{ env.app-version }}
WORKFLOW_URL: https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}
with:
task-url: ${{ env.asana-task-url }}
access-token: ${{ secrets.ASANA_ACCESS_TOKEN }}
template-name: dmg-uploaded
- name: Extract Asana Task ID
id: task-id
if: ${{ env.upload-to == 'asana' }}
uses: ./.github/actions/asana-extract-task-id
with:
task-url: ${{ env.asana-task-url }}
- name: Upload DMG to Asana
if: ${{ env.upload-to == 'asana' }}
uses: ./.github/actions/asana-upload
with:
access-token: ${{ secrets.ASANA_ACCESS_TOKEN }}
file-name: ${{ github.workspace }}/duckduckgo-${{ env.app-version }}.dmg
task-id: ${{ steps.task-id.outputs.task-id }}
mattermost:
name: Send Mattermost message
needs: [export-notarized-app, create-dmg]
if: always()
runs-on: ubuntu-latest
env:
success: ${{ (needs.export-notarized-app.result == 'success') && (needs.create-dmg.result == 'success' || needs.create-dmg.result == 'skipped') }}
failure: ${{ (needs.export-notarized-app.result == 'failure') || (needs.create-dmg.result == 'failure') }}
steps:
- name: Send Mattermost message
if: ${{ env.success || env.failure }} # Don't execute when cancelled
env:
ASANA_TASK_URL: ${{ github.event.inputs.asana-task-url || inputs.asana-task-url }}
GH_TOKEN: ${{ github.token }}
RELEASE_TYPE: ${{ github.event.inputs.release-type || inputs.release-type }}
WORKFLOW_URL: https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}
run: |
curl -fLSs $(gh api https://api.github.com/repos/${{ github.repository }}/contents/scripts/assets/release-mm-template.json?ref=${{ github.ref }} --jq .download_url) \
--output message-template.json
export MM_USER_HANDLE=$(base64 -d <<< ${{ secrets.MM_HANDLES_BASE64 }} | jq ".${{ github.actor }}" | tr -d '"')
if [[ -z "${MM_USER_HANDLE}" ]]; then
echo "Mattermost user handle not known for ${{ github.actor }}, skipping sending message"
else
if [[ -n "${ASANA_TASK_URL}" ]]; then
export ASANA_LINK=" | [:asana: Asana task](${ASANA_TASK_URL})"
fi
if [[ "${{ env.success }}" == "true" ]]; then
status="success"
else
status="failure"
fi
curl -s -H 'Content-type: application/json' \
-d "$(envsubst < message-template.json | jq ".${status}")" \
${{ secrets.MM_WEBHOOK_URL }}
fi