Skip to content

Commit

Permalink
Use fastlane match for code signing DMG builds (#3246)
Browse files Browse the repository at this point in the history
Task/Issue URL: https://app.asana.com/0/1203301625297703/1208273969808386/f

Description:
This change adds support for using fastlane match to manage code signing with
Developer ID Application certificate. New lanes are added for syncing code signing
for local and CI use. Build settings are updated to use provisioning profiles generated
by fastlane. archive.sh script and all CI workflows are updated to use fastlane for signing
DMG builds and other CI binaries that use Developer ID Application certificate (e.g. unit tests).
  • Loading branch information
ayoy authored Sep 11, 2024
1 parent 86d440a commit bb0f394
Show file tree
Hide file tree
Showing 32 changed files with 325 additions and 828 deletions.
187 changes: 0 additions & 187 deletions .github/actions/install-certs-and-profiles/action.yml

This file was deleted.

5 changes: 2 additions & 3 deletions .github/workflows/build_appstore.yml
Original file line number Diff line number Diff line change
Expand Up @@ -76,11 +76,10 @@ jobs:
*) echo "👎 Not a release or hotfix branch"; exit 1 ;;
esac
- name: Register SSH keys for submodules access
- name: Register SSH key for certificates repository access
uses: webfactory/[email protected]
with:
ssh-private-key: |
${{ secrets.SSH_PRIVATE_KEY_FASTLANE_MATCH }}
ssh-private-key: ${{ secrets.SSH_PRIVATE_KEY_FASTLANE_MATCH }}

- name: Check out the code
uses: actions/checkout@v4
Expand Down
30 changes: 4 additions & 26 deletions .github/workflows/build_hotfix_release.yml
Original file line number Diff line number Diff line change
Expand Up @@ -41,33 +41,11 @@ jobs:
needs: assert_release_branch
uses: ./.github/workflows/pr.yml
secrets:
APPLE_API_KEY_BASE64: ${{ secrets.APPLE_API_KEY_BASE64 }}
APPLE_API_KEY_ID: ${{ secrets.APPLE_API_KEY_ID }}
APPLE_API_KEY_ISSUER: ${{ secrets.APPLE_API_KEY_ISSUER }}
ASANA_ACCESS_TOKEN: ${{ secrets.ASANA_ACCESS_TOKEN }}
BUILD_CERTIFICATE_BASE64: ${{ secrets.BUILD_CERTIFICATE_BASE64 }}
P12_PASSWORD: ${{ secrets.P12_PASSWORD }}
KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }}
APPSTORE_CI_PROVISION_PROFILE_BASE64: ${{ secrets.APPSTORE_CI_PROVISION_PROFILE_BASE64 }}
CI_PROVISION_PROFILE_BASE64: ${{ secrets.CI_PROVISION_PROFILE_BASE64 }}
DBP_AGENT_APPSTORE_CI_PROVISION_PROFILE_BASE64: ${{ secrets.DBP_AGENT_APPSTORE_CI_PROVISION_PROFILE_BASE64 }}
DBP_AGENT_CI_PROVISION_PROFILE_BASE64: ${{ secrets.DBP_AGENT_CI_PROVISION_PROFILE_BASE64 }}
DBP_AGENT_RELEASE_PROVISION_PROFILE_BASE64: ${{ secrets.DBP_AGENT_RELEASE_PROVISION_PROFILE_BASE64 }}
DBP_AGENT_REVIEW_PROVISION_PROFILE_BASE64: ${{ secrets.DBP_AGENT_REVIEW_PROVISION_PROFILE_BASE64 }}
INTEGRATION_TESTS_APPSTORE_CI_PROVISION_PROFILE_BASE64: ${{ secrets.INTEGRATION_TESTS_APPSTORE_CI_PROVISION_PROFILE_BASE64 }}
INTEGRATION_TESTS_CI_PROVISION_PROFILE_BASE64: ${{ secrets.INTEGRATION_TESTS_CI_PROVISION_PROFILE_BASE64 }}
NETP_AGENT_RELEASE_PROVISION_PROFILE_BASE64: ${{ secrets.NETP_AGENT_RELEASE_PROVISION_PROFILE_BASE64 }}
NETP_AGENT_REVIEW_PROVISION_PROFILE_BASE64: ${{ secrets.NETP_AGENT_REVIEW_PROVISION_PROFILE_BASE64 }}
NETP_NOTIFICATIONS_CI_PROVISION_PROFILE_BASE64: ${{ secrets.NETP_NOTIFICATIONS_CI_PROVISION_PROFILE_BASE64 }}
NETP_NOTIFICATIONS_RELEASE_PROVISION_PROFILE_BASE64: ${{ secrets.NETP_NOTIFICATIONS_RELEASE_PROVISION_PROFILE_BASE64 }}
NETP_NOTIFICATIONS_REVIEW_PROVISION_PROFILE_BASE64: ${{ secrets.NETP_NOTIFICATIONS_REVIEW_PROVISION_PROFILE_BASE64 }}
NETP_SYSEX_RELEASE_PROVISION_PROFILE_BASE64: ${{ secrets.NETP_SYSEX_RELEASE_PROVISION_PROFILE_BASE64 }}
NETP_SYSEX_REVIEW_PROVISION_PROFILE_BASE64: ${{ secrets.NETP_SYSEX_REVIEW_PROVISION_PROFILE_BASE64 }}
RELEASE_PROVISION_PROFILE_BASE64: ${{ secrets.RELEASE_PROVISION_PROFILE_BASE64 }}
REVIEW_PROVISION_PROFILE_BASE64: ${{ secrets.REVIEW_PROVISION_PROFILE_BASE64 }}
UNIT_TESTS_APPSTORE_CI_PROVISION_PROFILE_BASE64: ${{ secrets.UNIT_TESTS_APPSTORE_CI_PROVISION_PROFILE_BASE64 }}
UNIT_TESTS_CI_PROVISION_PROFILE_BASE64: ${{ secrets.UNIT_TESTS_CI_PROVISION_PROFILE_BASE64 }}
VPN_APPEX_APPSTORE_CI_PROVISION_PROFILE_BASE64: ${{ secrets.VPN_APPEX_APPSTORE_CI_PROVISION_PROFILE_BASE64 }}
VPN_APP_APPSTORE_CI_PROVISION_PROFILE_BASE64: ${{ secrets.VPN_APP_APPSTORE_CI_PROVISION_PROFILE_BASE64 }}
VPN_APP_CI_PROVISION_PROFILE_BASE64: ${{ secrets.VPN_APP_CI_PROVISION_PROFILE_BASE64 }}
VPN_PROXY_EXTENSION_CI_PROVISION_PROFILE_BASE64: ${{ secrets.VPN_PROXY_EXTENSION_CI_PROVISION_PROFILE_BASE64 }}
MATCH_PASSWORD: ${{ secrets.MATCH_PASSWORD }}

update_asana:

Expand Down
112 changes: 26 additions & 86 deletions .github/workflows/build_notarized.yml
Original file line number Diff line number Diff line change
Expand Up @@ -41,58 +41,6 @@ on:
required: false
type: string
secrets:
BUILD_CERTIFICATE_BASE64:
required: true
P12_PASSWORD:
required: true
KEYCHAIN_PASSWORD:
required: true
APPSTORE_CI_PROVISION_PROFILE_BASE64:
required: true
CI_PROVISION_PROFILE_BASE64:
required: true
DBP_AGENT_APPSTORE_CI_PROVISION_PROFILE_BASE64:
required: true
DBP_AGENT_CI_PROVISION_PROFILE_BASE64:
required: true
DBP_AGENT_RELEASE_PROVISION_PROFILE_BASE64:
required: true
DBP_AGENT_REVIEW_PROVISION_PROFILE_BASE64:
required: true
INTEGRATION_TESTS_APPSTORE_CI_PROVISION_PROFILE_BASE64:
required: true
INTEGRATION_TESTS_CI_PROVISION_PROFILE_BASE64:
required: true
NETP_AGENT_RELEASE_PROVISION_PROFILE_BASE64:
required: true
NETP_AGENT_REVIEW_PROVISION_PROFILE_BASE64:
required: true
NETP_NOTIFICATIONS_CI_PROVISION_PROFILE_BASE64:
required: true
NETP_NOTIFICATIONS_RELEASE_PROVISION_PROFILE_BASE64:
required: true
NETP_NOTIFICATIONS_REVIEW_PROVISION_PROFILE_BASE64:
required: true
NETP_SYSEX_RELEASE_PROVISION_PROFILE_BASE64:
required: true
NETP_SYSEX_REVIEW_PROVISION_PROFILE_BASE64:
required: true
RELEASE_PROVISION_PROFILE_BASE64:
required: true
REVIEW_PROVISION_PROFILE_BASE64:
required: true
UNIT_TESTS_APPSTORE_CI_PROVISION_PROFILE_BASE64:
required: true
UNIT_TESTS_CI_PROVISION_PROFILE_BASE64:
required: true
VPN_APPEX_APPSTORE_CI_PROVISION_PROFILE_BASE64:
required: true
VPN_APP_APPSTORE_CI_PROVISION_PROFILE_BASE64:
required: true
VPN_APP_CI_PROVISION_PROFILE_BASE64:
required: true
VPN_PROXY_EXTENSION_CI_PROVISION_PROFILE_BASE64:
required: true
APPLE_API_KEY_BASE64:
required: true
APPLE_API_KEY_ID:
Expand All @@ -101,10 +49,6 @@ on:
required: true
ASANA_ACCESS_TOKEN:
required: true
MM_HANDLES_BASE64:
required: true
MM_WEBHOOK_URL:
required: true
AWS_ACCESS_KEY_ID:
required: true
AWS_ACCESS_KEY_ID_RELEASE_S3:
Expand All @@ -113,6 +57,14 @@ on:
required: true
AWS_SECRET_ACCESS_KEY_RELEASE_S3:
required: true
MATCH_PASSWORD:
required: true
MM_HANDLES_BASE64:
required: true
MM_WEBHOOK_URL:
required: true
SSH_PRIVATE_KEY_FASTLANE_MATCH:
required: true

jobs:
export-notarized-app:
Expand All @@ -132,6 +84,10 @@ jobs:
branch: ${{ inputs.branch || github.ref_name }}

steps:
- name: Register SSH key for certificates repository access
uses: webfactory/[email protected]
with:
ssh-private-key: ${{ secrets.SSH_PRIVATE_KEY_FASTLANE_MATCH }}

- name: Check out the code
uses: actions/checkout@v4
Expand All @@ -142,6 +98,20 @@ jobs:
- name: Set up fastlane
run: bundle install

- name: Sync code signing assets
env:
APPLE_API_KEY_BASE64: ${{ secrets.APPLE_API_KEY_BASE64 }}
APPLE_API_KEY_ID: ${{ secrets.APPLE_API_KEY_ID }}
APPLE_API_KEY_ISSUER: ${{ secrets.APPLE_API_KEY_ISSUER }}
MATCH_PASSWORD: ${{ secrets.MATCH_PASSWORD }}
SSH_PRIVATE_KEY_FASTLANE_MATCH: ${{ secrets.SSH_PRIVATE_KEY_FASTLANE_MATCH }}
run: |
if [[ "${{ env.release-type }}" == "release" ]]; then
bundle exec fastlane sync_signing_dmg_release
else
bundle exec fastlane sync_signing_dmg_review
fi
- name: Check if this is an official release build
id: is-official-release
env:
Expand All @@ -155,36 +125,6 @@ jobs:
echo "upload-to=asana" >> $GITHUB_ENV
fi
- name: Install Apple Developer ID Application certificate
uses: ./.github/actions/install-certs-and-profiles
with:
BUILD_CERTIFICATE_BASE64: ${{ secrets.BUILD_CERTIFICATE_BASE64 }}
P12_PASSWORD: ${{ secrets.P12_PASSWORD }}
KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }}
APPSTORE_CI_PROVISION_PROFILE_BASE64: ${{ secrets.APPSTORE_CI_PROVISION_PROFILE_BASE64 }}
CI_PROVISION_PROFILE_BASE64: ${{ secrets.CI_PROVISION_PROFILE_BASE64 }}
DBP_AGENT_APPSTORE_CI_PROVISION_PROFILE_BASE64: ${{ secrets.DBP_AGENT_APPSTORE_CI_PROVISION_PROFILE_BASE64 }}
DBP_AGENT_CI_PROVISION_PROFILE_BASE64: ${{ secrets.DBP_AGENT_CI_PROVISION_PROFILE_BASE64 }}
DBP_AGENT_RELEASE_PROVISION_PROFILE_BASE64: ${{ secrets.DBP_AGENT_RELEASE_PROVISION_PROFILE_BASE64 }}
DBP_AGENT_REVIEW_PROVISION_PROFILE_BASE64: ${{ secrets.DBP_AGENT_REVIEW_PROVISION_PROFILE_BASE64 }}
INTEGRATION_TESTS_APPSTORE_CI_PROVISION_PROFILE_BASE64: ${{ secrets.INTEGRATION_TESTS_APPSTORE_CI_PROVISION_PROFILE_BASE64 }}
INTEGRATION_TESTS_CI_PROVISION_PROFILE_BASE64: ${{ secrets.INTEGRATION_TESTS_CI_PROVISION_PROFILE_BASE64 }}
NETP_AGENT_RELEASE_PROVISION_PROFILE_BASE64: ${{ secrets.NETP_AGENT_RELEASE_PROVISION_PROFILE_BASE64 }}
NETP_AGENT_REVIEW_PROVISION_PROFILE_BASE64: ${{ secrets.NETP_AGENT_REVIEW_PROVISION_PROFILE_BASE64 }}
NETP_NOTIFICATIONS_CI_PROVISION_PROFILE_BASE64: ${{ secrets.NETP_NOTIFICATIONS_CI_PROVISION_PROFILE_BASE64 }}
NETP_NOTIFICATIONS_RELEASE_PROVISION_PROFILE_BASE64: ${{ secrets.NETP_NOTIFICATIONS_RELEASE_PROVISION_PROFILE_BASE64 }}
NETP_NOTIFICATIONS_REVIEW_PROVISION_PROFILE_BASE64: ${{ secrets.NETP_NOTIFICATIONS_REVIEW_PROVISION_PROFILE_BASE64 }}
NETP_SYSEX_RELEASE_PROVISION_PROFILE_BASE64: ${{ secrets.NETP_SYSEX_RELEASE_PROVISION_PROFILE_BASE64 }}
NETP_SYSEX_REVIEW_PROVISION_PROFILE_BASE64: ${{ secrets.NETP_SYSEX_REVIEW_PROVISION_PROFILE_BASE64 }}
RELEASE_PROVISION_PROFILE_BASE64: ${{ secrets.RELEASE_PROVISION_PROFILE_BASE64 }}
REVIEW_PROVISION_PROFILE_BASE64: ${{ secrets.REVIEW_PROVISION_PROFILE_BASE64 }}
UNIT_TESTS_APPSTORE_CI_PROVISION_PROFILE_BASE64: ${{ secrets.UNIT_TESTS_APPSTORE_CI_PROVISION_PROFILE_BASE64 }}
UNIT_TESTS_CI_PROVISION_PROFILE_BASE64: ${{ secrets.UNIT_TESTS_CI_PROVISION_PROFILE_BASE64 }}
VPN_APPEX_APPSTORE_CI_PROVISION_PROFILE_BASE64: ${{ secrets.VPN_APPEX_APPSTORE_CI_PROVISION_PROFILE_BASE64 }}
VPN_APP_APPSTORE_CI_PROVISION_PROFILE_BASE64: ${{ secrets.VPN_APP_APPSTORE_CI_PROVISION_PROFILE_BASE64 }}
VPN_APP_CI_PROVISION_PROFILE_BASE64: ${{ secrets.VPN_APP_CI_PROVISION_PROFILE_BASE64 }}
VPN_PROXY_EXTENSION_CI_PROVISION_PROFILE_BASE64: ${{ secrets.VPN_PROXY_EXTENSION_CI_PROVISION_PROFILE_BASE64 }}

- name: Select Xcode
run: sudo xcode-select -s /Applications/Xcode_$(<.xcode-version).app/Contents/Developer

Expand Down
Loading

0 comments on commit bb0f394

Please sign in to comment.