Remove secrets from action
tnunamak committed Apr 2, 2024
1 parent 0942341 commit 0fe96a8
Showing 3 changed files with 47 additions and 8 deletions.
40 changes: 32 additions & 8 deletions .github/actions/build-action/action.yml
@@ -5,6 +5,27 @@ inputs:
release_tag:
description: 'The tag name of the release'
required: false
apple_build_certificate_base64:
description: 'The base64-encoded Apple build certificate'
required: false
apple_build_certificate_password:
description: 'The password for the Apple build certificate'
required: false
apple_provisioning_profile_base64:
description: 'The base64-encoded Apple provisioning profile'
required: false
apple_macos_keychain_password:
description: 'The password for the macOS keychain'
required: false
apple_asc_api_key_key_base64:
description: 'The base64-encoded Apple ASC API key'
required: false
apple_asc_api_key_id:
description: 'The ID of the Apple ASC API key'
required: false
apple_asc_api_key_issuer_uuid:
description: 'The UUID of the Apple ASC API key issuer'
required: false

runs:
using: 'composite'
@@ -20,10 +41,11 @@ runs:
- name: Install the Apple certificate and provisioning profile
if: runner.os == 'macOS'
env:
APPLE_BUILD_CERTIFICATE_BASE64: ${{ secrets.APPLE_BUILD_CERTIFICATE_BASE64 }}
APPLE_BUILD_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_BUILD_CERTIFICATE_PASSWORD }}
APPLE_PROVISIONING_PROFILE_BASE64: ${{ secrets.APPLE_PROVISIONING_PROFILE_BASE64 }}
APPLE_MACOS_KEYCHAIN_PASSWORD: ${{ secrets.APPLE_MACOS_KEYCHAIN_PASSWORD }}
APPLE_BUILD_CERTIFICATE_BASE64: ${{ inputs.apple_build_certificate_base64 }}
APPLE_BUILD_CERTIFICATE_PASSWORD: ${{ inputs.apple_build_certificate_password }}
APPLE_PROVISIONING_PROFILE_BASE64: ${{ inputs.apple_provisioning_profile_base64 }}
APPLE_MACOS_KEYCHAIN_PASSWORD: ${{ inputs.apple_macos_keychain_password }}
APPLE_ASC_API_KEY_KEY_BASE64: ${{ inputs.apple_asc_api_key_key_base64 }}
run: |
CERTIFICATE_PATH=$RUNNER_TEMP/apple_certificate.p12
PROVISIONING_PROFILE_PATH=$RUNNER_TEMP/apple_provisioning_profile.provisionprofile
@@ -98,16 +120,18 @@ runs:
- name: Build macOS App
if: runner.os == 'macOS'
env:
APPLE_ASC_API_KEY_KEY_BASE64: ${{ secrets.APPLE_ASC_API_KEY_KEY_BASE64 }}
APPLE_ASC_API_KEY_KEY_BASE64: ${{ inputs.apple_asc_api_key_key_base64 }}
APPLE_ASC_API_KEY_ID: ${{ inputs.apple_asc_api_key_id }}
APPLE_ASC_API_KEY_ISSUER_UUID: ${{ inputs.apple_asc_api_key_issuer_uuid }}
run: |
sh scripts/package-macos-app.sh
ditto -c -k --keepParent "${{ github.workspace }}/dist/Selfie.app" "${{ env.TARGET_NAME }}.zip"
API_KEY_PATH=$RUNNER_TEMP/AuthKey_${{secrets.APPLE_ASC_API_KEY_ID}}.p8
API_KEY_PATH=$RUNNER_TEMP/AuthKey_${{APPLE_ASC_API_KEY_ID}}.p8
echo -n "$APPLE_ASC_API_KEY_KEY_BASE64" | base64 --decode > $API_KEY_PATH
NOTARIZATION_OUTPUT=$(xcrun notarytool submit "${{ env.TARGET_NAME }}.zip" --issuer ${{ secrets.APPLE_ASC_API_KEY_ISSUER_UUID }} --key-id ${{ secrets.APPLE_ASC_API_KEY_ID }} --key $API_KEY_PATH --wait 2>&1)
NOTARIZATION_OUTPUT=$(xcrun notarytool submit "${{ env.TARGET_NAME }}.zip" --issuer ${{ APPLE_ASC_API_KEY_ISSUER_UUID }} --key-id ${{ APPLE_ASC_API_KEY_ID }} --key $API_KEY_PATH --wait 2>&1)
REQUEST_UUID=$(echo "${NOTARIZATION_OUTPUT}" | grep 'id:' | awk '{print $NF}')
NOTARIZATION_STATUS=$(echo "${NOTARIZATION_OUTPUT}" | grep 'status:' | tail -n 1 | awk '{print $NF}')
@@ -123,7 +147,7 @@ runs:
if [[ "$NOTARIZATION_STATUS" == "Invalid" ]]; then
echo "Notarization failed with status: ${NOTARIZATION_STATUS}"
echo "Fetching notarization log for RequestUUID: ${REQUEST_UUID}..."
xcrun notarytool log ${REQUEST_UUID} --key $API_KEY_PATH --key-id ${{ secrets.APPLE_ASC_API_KEY_ID }} --issuer ${{ secrets.APPLE_ASC_API_KEY_ISSUER_UUID }}
xcrun notarytool log ${REQUEST_UUID} --key $API_KEY_PATH --key-id ${{ APPLE_ASC_API_KEY_ID }} --issuer ${{ APPLE_ASC_API_KEY_ISSUER_UUID }}
exit 1
elif [[ "$NOTARIZATION_STATUS" != "Accepted" ]]; then
echo "Notarization failed with an unexpected status: ${NOTARIZATION_STATUS}"
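Review bot: The new `${{ APPLE_ASC_API_KEY_ID }}` and `${{ APPLE_ASC_API_KEY_ISSUER_UUID }}` references in the Build macOS App step (the `API_KEY_PATH` line and both `xcrun notarytool` calls) are not valid expressions, because a bare name inside `${{ }}` is not a recognized context and the action will most likely fail when the step is evaluated. The step already exports both values through `env:`, so read them as quoted shell variables instead: `API_KEY_PATH="$RUNNER_TEMP/AuthKey_${APPLE_ASC_API_KEY_ID}.p8"` and `--issuer "$APPLE_ASC_API_KEY_ISSUER_UUID" --key-id "$APPLE_ASC_API_KEY_ID"`. That also keeps caller-supplied input values out of the script text, where expression interpolation would paste them in before the shell parses the line. Separately, the certificate-install step now receives `APPLE_ASC_API_KEY_KEY_BASE64` in its `env:` although its visible lines do not use it; if the rest of that script (outside the hunk) does not need it either, drop it so the API key is exposed only to the notarization step. The `if`/`elif` block of the last hunk continues past the lines shown here.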
8 changes: 8 additions & 0 deletions .github/workflows/package.yml
@@ -17,3 +17,11 @@ jobs:

- name: Build package
uses: ./.github/actions/build-action
with:
apple_build_certificate_base64: ${{ secrets.APPLE_BUILD_CERTIFICATE_BASE64 }}
apple_build_certificate_password: ${{ secrets.APPLE_BUILD_CERTIFICATE_PASSWORD }}
apple_provisioning_profile_base64: ${{ secrets.APPLE_PROVISIONING_PROFILE_BASE64 }}
apple_macos_keychain_password: ${{ secrets.APPLE_MACOS_KEYCHAIN_PASSWORD }}
apple_asc_api_key_key_base64: ${{ secrets.APPLE_ASC_API_KEY_KEY_BASE64 }}
apple_asc_api_key_id: ${{ secrets.APPLE_ASC_API_KEY_ID }}
apple_asc_api_key_issuer_uuid: ${{ secrets.APPLE_ASC_API_KEY_ISSUER_UUID }}
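Review bot: Nothing in this `with:` block or in the action guards against the secrets being empty: all seven inputs are declared `required: false` in action.yml, and on runs where repository secrets are not provided (for example pull requests from forks, if this workflow is triggered by them; the `on:` block is outside the hunk) each `${{ secrets.* }}` expands to an empty string. The macOS signing and notarization steps would then run with empty values and fail late with an unrelated-looking error. Consider a comment above the block such as `# Apple signing secrets: only consumed on macOS runners, empty when secrets are unavailable`, plus an early check in the action that fails with a clear message when they are missing. The same seven mappings are repeated in release-please.yml, so the point applies there as well.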
7 changes: 7 additions & 0 deletions .github/workflows/release-please.yml
@@ -42,3 +42,10 @@ jobs:
uses: ./.github/actions/build-action
with:
release_tag: ${{ needs.release-please.outputs.tag_name }}
apple_build_certificate_base64: ${{ secrets.APPLE_BUILD_CERTIFICATE_BASE64 }}
apple_build_certificate_password: ${{ secrets.APPLE_BUILD_CERTIFICATE_PASSWORD }}
apple_provisioning_profile_base64: ${{ secrets.APPLE_PROVISIONING_PROFILE_BASE64 }}
apple_macos_keychain_password: ${{ secrets.APPLE_MACOS_KEYCHAIN_PASSWORD }}
apple_asc_api_key_key_base64: ${{ secrets.APPLE_ASC_API_KEY_KEY_BASE64 }}
apple_asc_api_key_id: ${{ secrets.APPLE_ASC_API_KEY_ID }}
apple_asc_api_key_issuer_uuid: ${{ secrets.APPLE_ASC_API_KEY_ISSUER_UUID }}
