Try code signing with SignPath again. #5
name: test-code-signing | |
on: | |
push: | |
branches: [code-signing] | |
jobs: | |
setup: | |
if: github.repository == 'hsorby/mapclient' | |
runs-on: ubuntu-latest | |
outputs: | |
matrix: ${{ steps.set-matrix.outputs.matrix }} | |
run-installer: ${{ steps.set-matrix.outputs.run-installer }} | |
package: ${{ steps.set-matrix.outputs.run-packaging }} | |
tag: ${{ steps.get-tag.outputs.tag }} | |
steps: | |
- name: Get the tag | |
id: get-tag | |
shell: bash | |
run: | | |
echo "Setting tag as: vX.Y.Z" | |
echo "tag=vX.Y.Z" >> $GITHUB_OUTPUT | |
- name: Get the release name | |
id: get-release-name | |
shell: bash | |
run: | | |
tag=${{ steps.get-tag.outputs.tag }} | |
bare_tag=${tag/v/} | |
IFS='.' read -ra bare_tag_parts <<< "$bare_tag" | |
name="${bare_tag_parts[0]}.${bare_tag_parts[1]}.${bare_tag_parts[2]}" | |
echo "Setting name as: ${name}" | |
echo "name=$name" >> $GITHUB_OUTPUT | |
- name: Determine required assets | |
id: set-variants | |
shell: cmake -P {0} | |
run: | | |
set(RELEASE_BODY "${{ github.event.release.body }}") | |
string(REPLACE "\n" ";" _PARTS "${RELEASE_BODY}") | |
set(VARIANTS standard) | |
message(STATUS "variants=\"${VARIANTS}\"") | |
file(APPEND $ENV{GITHUB_OUTPUT} "variants=\"${VARIANTS}\"") | |
- name: set_matrix | |
id: set-matrix | |
shell: bash | |
run: | | |
matrixElements=() | |
variants=${{ steps.set-variants.outputs.variants }} | |
for v in $variants; do | |
matrixElements+=('{"os":"windows-2022","variant":"'$v'","tag":"${{ steps.get-tag.outputs.tag }}","release-name":"${{ steps.get-release-name.outputs.name }}","python-version":"3.9"}') | |
done | |
if [ "${#matrixElements[@]}" -eq "0" ]; then | |
echo run-installer=false >> $GITHUB_OUTPUT | |
echo run-packaging=false >> $GITHUB_OUTPUT | |
else | |
echo run-installer=true >> $GITHUB_OUTPUT | |
echo run-packaging=true >> $GITHUB_OUTPUT | |
fi | |
function join_by { local IFS="$1"; shift; echo "$*"; } | |
content=`join_by , ${matrixElements[@]}` | |
echo "{\"include\":[$content]}" | |
echo "matrix={\"include\":[$content]}" >> $GITHUB_OUTPUT | |
installer: | |
needs: setup | |
name: installer | |
if: needs.setup.outputs.run-installer == 'true' | |
runs-on: ${{ matrix.os }} | |
strategy: | |
matrix: ${{fromJson(needs.setup.outputs.matrix)}} | |
steps: | |
- name: Install PowerShell module SignPath (Windows) | |
if: runner.os == 'Windows' | |
shell: pwsh | |
run: | | |
Install-Module -Name SignPath -MinimumVersion 4.4.1 -Force | |
- name: Set up Python | |
uses: actions/setup-python@v5 | |
with: | |
python-version: ${{ matrix.python-version }} | |
- name: Checkout codebase | |
uses: actions/checkout@v4 | |
with: | |
ref: code-signing | |
path: mapclient | |
- name: Setup scripts | |
uses: actions/checkout@v4 | |
with: | |
repository: hsorby/mapclientreleasescripts | |
path: scripts | |
- name: Setup Python virtual environment | |
id: python-environment | |
shell: bash | |
run: | | |
echo "Creating application asset" | |
python -m venv venv | |
if [ "$RUNNER_OS" == "macOS" ]; then | |
python_exe=$GITHUB_WORKSPACE/venv/bin/python | |
pip_exe=$GITHUB_WORKSPACE/venv/bin/pip | |
# source venv/bin/activate | |
elif [ "$RUNNER_OS" == "Windows" ]; then | |
python_exe=$GITHUB_WORKSPACE/venv/Scripts/python.exe | |
pip_exe=$GITHUB_WORKSPACE/venv/Scripts/pip.exe | |
# source venv/Scripts/activate | |
else | |
echo "$RUNNER_OS not supported" | |
exit 1 | |
fi | |
cd mapclient | |
echo "===============================================" | |
echo "=== setting extensions.worktreeconfig false ===" | |
echo "====== because Dulwich cannot handle it. ======" | |
echo "===============================================" | |
git config extensions.worktreeconfig false | |
echo "---=---" | |
git config --list | |
cd .. | |
python_exe=${python_exe//\\//} | |
echo "python_exe=$python_exe" | |
echo "python_exe=$python_exe" >> $GITHUB_OUTPUT | |
pip_exe=${pip_exe//\\//} | |
echo "pip_exe=$pip_exe" | |
echo "pip_exe=$pip_exe" >> $GITHUB_OUTPUT | |
- name: Create application asset | |
id: create-application | |
shell: bash | |
run: | | |
echo "Creating application asset" | |
if [ "${{ matrix.variant }}" == "standard" ]; then | |
variant= | |
else | |
variant="-${{ matrix.variant }}" | |
fi | |
cd $GITHUB_WORKSPACE | |
cd scripts | |
# ${{ steps.get_tag.outputs.tag }} | |
# Manually install PyInstaller rather than use the dev install requires from setup.py. | |
${{ steps.python-environment.outputs.pip_exe }} install pyinstaller | |
git fetch | |
git switch ${{ matrix.variant }} | |
git log -1 --oneline | |
${{ steps.python-environment.outputs.python_exe }} create_mapclient_application.py -v "${{ matrix.variant }}" -l $GITHUB_WORKSPACE/mapclient ${{ matrix.tag }} | |
if [ "$RUNNER_OS" == "Windows" ]; then | |
asset="${GITHUB_WORKSPACE}/mapclient/res/pyinstaller/dist/MAP-Client${variant}/MAP-Client${variant}.exe" | |
asset=${asset//\\//} | |
fi | |
echo "file=$asset" >> $GITHUB_OUTPUT | |
cat $GITHUB_OUTPUT | |
- name: Codesign application (Windows) | |
if: runner.os == 'Windows' | |
shell: pwsh | |
run: | | |
# The user must be a submitter for the given signing policy! | |
Submit-SigningRequest ` | |
-InputArtifactPath "${{ steps.create-application.outputs.file }}" ` | |
-ApiToken "${{ secrets.SIGNPATH_API_TOKEN }}" ` | |
-OrganizationId "${{ secrets.SIGNPATH_ORGANIZATION_ID }}" ` | |
-ProjectSlug "MAP_Client" ` | |
-SigningPolicySlug "MAP_Client_Release_Candidate_Policy" ` | |
-OutputArtifactPath "${{ steps.create-application.outputs.file }}" ` | |
-WaitForCompletion | |
- name: Create installer asset | |
id: create-installer | |
shell: bash | |
run: | | |
echo "Creating installer asset" | |
if [ "${{ matrix.variant }}" == "standard" ]; then | |
variant= | |
else | |
variant="-${{ matrix.variant }}" | |
fi | |
cd $GITHUB_WORKSPACE | |
cd scripts | |
${{ steps.python-environment.outputs.python_exe }} create_mapclient_installer.py -v "${{ matrix.variant }}" -l $GITHUB_WORKSPACE/mapclient ${{ matrix.tag }} | |
if [ "$RUNNER_OS" == "macOS" ]; then | |
asset=$GITHUB_WORKSPACE/mapclient/res/macos/MAP-Client${variant}-${{ matrix.release-name }}.dmg | |
elif [ "$RUNNER_OS" == "Windows" ]; then | |
asset=$GITHUB_WORKSPACE/mapclient/package/MAP-Client${variant}-${{ matrix.release-name }}.exe | |
asset=${asset//\\//} | |
else | |
echo "$RUNNER_OS not supported" | |
exit 1 | |
fi | |
echo $asset | |
echo "file=$asset" >> $GITHUB_OUTPUT | |
- name: Codesign installer (Windows) | |
if: runner.os == 'Windows' | |
shell: pwsh | |
run: | | |
# The user must be a submitter for the given signing policy! | |
Submit-SigningRequest ` | |
-InputArtifactPath "${{ steps.create-installer.outputs.file }}" ` | |
-ApiToken "${{ secrets.SIGNPATH_API_TOKEN }}" ` | |
-OrganizationId "${{ secrets.SIGNPATH_ORGANIZATION_ID }}" ` | |
-ProjectSlug "MAP_Client" ` | |
-SigningPolicySlug "MAP_Client_Release_Candidate_Policy" ` | |
-OutputArtifactPath "${{ steps.create-installer.outputs.file }}" ` | |
-WaitForCompletion | |
- name: Notarize and Staple installer (macOS) | |
if: runner.os == 'macOS' | |
run: | | |
#codesign -s "${{ secrets.APPLE_DEV_ID_APPLICATION}}" --timestamp --force "${{ steps.create-installer.outputs.file }}" | |
xcrun notarytool submit "${{ steps.create-installer.outputs.file }}" --apple-id ${{ secrets.APPLE_NOTARIZATION_USERNAME }} --password ${{ secrets.APPLE_NOTARIZATION_PASSWORD }} --team-id ${{ secrets.APPLE_DEV_TEAM_ID }} --wait | |
xcrun stapler staple "${{ steps.create-installer.outputs.file }}" | |
- name: Upload asset | |
uses: softprops/action-gh-release@v2 | |
with: | |
files: ${{ steps.create-installer.outputs.file }} | |
tag_name: ${{ matrix.tag }} |
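Review bot: The signing and notarization steps expand `${{ secrets.SIGNPATH_API_TOKEN }}` and the Apple credentials straight into the script body (both `Submit-SigningRequest` calls and the `xcrun notarytool submit` line), so the values end up in the generated script file and on the process command line, and the notarytool arguments are not quoted. Map them through the step's `env:` and read them from the environment instead, e.g. `-ApiToken $env:SIGNPATH_API_TOKEN`. The job that holds these secrets also runs inputs that can change underneath it: `Install-Module -Name SignPath -MinimumVersion 4.4.1` accepts any newer gallery release (`-RequiredVersion 4.4.1` pins it), `pip install pyinstaller` is unversioned, the `hsorby/mapclientreleasescripts` checkout has no `ref:` and is then moved with `git switch`, and the actions are referenced by tag rather than commit SHA. No `permissions:` key is visible, so GITHUB_TOKEN gets the repository default, while only the upload step appears to need `contents: write`. `${{ github.event.release.body }}` in the CMake step is empty on a push trigger, but it becomes free-form text spliced into a script if this is copied to a release-triggered workflow, so it should be read from an environment variable as well.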