
Commit 6be3c0d

committed
feat: add macOS signing and notarization support for Electron builds
1 parent 8c3cb02 commit 6be3c0d

2 files changed

Lines changed: 36 additions & 21 deletions


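--- a/.github/workflows/release-docker.yml
+++ b/.github/workflows/release-docker.yml
@@ -21,6 +21,9 @@ jobs:
 publish-images:
 name: Publish ${{ matrix.image_name }} image
 runs-on: ubuntu-latest
+env:
+DOCKERHUB_USERNAME: ${{ secrets.DOCKER_USERNAME }}
+DOCKERHUB_TOKEN: ${{ secrets.DOCKER_PASSWORD }}
 strategy:
 fail-fast: false
 matrix:
@@ -48,11 +51,11 @@ jobs:
 password: ${{ secrets.GITHUB_TOKEN }}
 
 - name: Log in to Docker Hub
-if: secrets.DOCKER_USERNAME != '' && secrets.DOCKER_PASSWORD != ''
+if: env.DOCKERHUB_USERNAME != '' && env.DOCKERHUB_TOKEN != ''
 uses: docker/login-action@v3
 with:
-username: ${{ secrets.DOCKER_USERNAME }}
-password: ${{ secrets.DOCKER_PASSWORD }}
+username: ${{ env.DOCKERHUB_USERNAME }}
+password: ${{ env.DOCKERHUB_TOKEN }}
 
 - name: Compute image names
 id: image
@@ -71,7 +74,7 @@ jobs:
 {
 echo "images<<EOF"
 echo "${ghcr_image}"
-if [ -n "${{ secrets.DOCKER_USERNAME }}" ] && [ -n "${{ secrets.DOCKER_PASSWORD }}" ]; then
+if [ -n "${DOCKERHUB_USERNAME}" ] && [ -n "${DOCKERHUB_TOKEN}" ]; then
 echo "${dockerhub_image}"
 fi
 echo "EOF"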
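Review bot: Declaring `DOCKERHUB_TOKEN` in the job-level `env:` (new lines 24-26) places the token in the environment of every step of `publish-images`, including third-party actions and the `Compute image names` script, which only needs to know whether the credentials exist. The `secrets` context cannot be read in `if:`, so some indirection is required, but it can be a non-secret flag: a small detection step with step-level `env:` writes a boolean to `$GITHUB_OUTPUT`, later steps gate on that output, and `docker/login-action` keeps receiving the secrets directly in `with:`. The same job-wide pattern in `release-electron.yml` (new lines 20-31) is more exposed, because the signing certificates and their passwords then become visible to `pnpm install --frozen-lockfile` and any dependency lifecycle scripts it runs, on every matrix runner. The rest of both jobs lies outside the shown hunks, so other consumers of these variables cannot be ruled out from here.

```yaml
      # … unchanged: checkout, GHCR login …
      - name: Detect Docker Hub credentials
        id: dockerhub
        env:
          DOCKERHUB_USERNAME: ${{ secrets.DOCKER_USERNAME }}
          DOCKERHUB_TOKEN: ${{ secrets.DOCKER_PASSWORD }}
        run: |
          if [ -n "${DOCKERHUB_USERNAME}" ] && [ -n "${DOCKERHUB_TOKEN}" ]; then
            echo "enabled=true" >> "$GITHUB_OUTPUT"
          fi

      - name: Log in to Docker Hub
        if: steps.dockerhub.outputs.enabled == 'true'
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKER_USERNAME }}
          password: ${{ secrets.DOCKER_PASSWORD }}
      # … unchanged: Compute image names, testing the flag via a step-level env entry …
```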

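--- a/.github/workflows/release-electron.yml
+++ b/.github/workflows/release-electron.yml
@@ -17,6 +17,18 @@ jobs:
 build-electron:
 name: Build ${{ matrix.label }}
 runs-on: ${{ matrix.runs_on }}
+env:
+APPLE_SIGN_CERTIFICATE_P12_BASE64: ${{ secrets.APPLE_SIGN_CERTIFICATE_P12_BASE64 }}
+APPLE_SIGN_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_SIGN_CERTIFICATE_PASSWORD }}
+APPLE_SIGN_IDENTITY: ${{ secrets.APPLE_SIGN_IDENTITY }}
+APPLE_NOTARY_API_KEY_P8_BASE64: ${{ secrets.APPLE_NOTARY_API_KEY_P8_BASE64 }}
+APPLE_API_KEY_ID: ${{ secrets.APPLE_API_KEY_ID }}
+APPLE_API_ISSUER: ${{ secrets.APPLE_API_ISSUER }}
+APPLE_ID: ${{ secrets.APPLE_ID }}
+APPLE_APP_SPECIFIC_PASSWORD: ${{ secrets.APPLE_APP_SPECIFIC_PASSWORD }}
+APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
+STARQUERY_WINDOWS_CERTIFICATE_BASE64: ${{ secrets.STARQUERY_WINDOWS_CERTIFICATE_BASE64 }}
+STARQUERY_WINDOWS_CERTIFICATE_PASSWORD: ${{ secrets.STARQUERY_WINDOWS_CERTIFICATE_PASSWORD }}
 strategy:
 fail-fast: false
 matrix:
@@ -59,21 +71,21 @@ jobs:
 run: pnpm install --frozen-lockfile
 
 - name: Prepare Apple signing certificate
-if: runner.os == 'macOS' && secrets.APPLE_SIGN_CERTIFICATE_P12_BASE64 != ''
+if: runner.os == 'macOS' && env.APPLE_SIGN_CERTIFICATE_P12_BASE64 != ''
 shell: bash
 run: |
 CERTIFICATE_PATH="$RUNNER_TEMP/starquery-macos-signing.p12"
 KEYCHAIN_PATH="$RUNNER_TEMP/starquery-signing.keychain-db"
 KEYCHAIN_PASSWORD="$(uuidgen)"
 
-echo "${{ secrets.APPLE_SIGN_CERTIFICATE_P12_BASE64 }}" | base64 --decode > "$CERTIFICATE_PATH"
+echo "${APPLE_SIGN_CERTIFICATE_P12_BASE64}" | base64 --decode > "$CERTIFICATE_PATH"
 
 security create-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
 security set-keychain-settings -lut 21600 "$KEYCHAIN_PATH"
 security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
 security import "$CERTIFICATE_PATH" \
 -k "$KEYCHAIN_PATH" \
--P "${{ secrets.APPLE_SIGN_CERTIFICATE_PASSWORD }}" \
+-P "${APPLE_SIGN_CERTIFICATE_PASSWORD}" \
 -T /usr/bin/codesign \
 -T /usr/bin/security \
 -T /usr/bin/productbuild
@@ -87,36 +99,36 @@ jobs:
 echo "KEYCHAIN_PATH=$KEYCHAIN_PATH" >> "$GITHUB_ENV"
 
 - name: Prepare Apple notarization API key
-if: runner.os == 'macOS' && secrets.APPLE_NOTARY_API_KEY_P8_BASE64 != ''
+if: runner.os == 'macOS' && env.APPLE_NOTARY_API_KEY_P8_BASE64 != ''
 shell: bash
 run: |
-API_KEY_PATH="$RUNNER_TEMP/AuthKey_${{ secrets.APPLE_API_KEY_ID }}.p8"
-echo "${{ secrets.APPLE_NOTARY_API_KEY_P8_BASE64 }}" | base64 --decode > "$API_KEY_PATH"
+API_KEY_PATH="$RUNNER_TEMP/AuthKey_${APPLE_API_KEY_ID}.p8"
+echo "${APPLE_NOTARY_API_KEY_P8_BASE64}" | base64 --decode > "$API_KEY_PATH"
 echo "APPLE_API_KEY=$API_KEY_PATH" >> "$GITHUB_ENV"
 
 - name: Prepare optional Windows code-signing certificate
-if: runner.os == 'Windows' && secrets.STARQUERY_WINDOWS_CERTIFICATE_BASE64 != ''
+if: runner.os == 'Windows' && env.STARQUERY_WINDOWS_CERTIFICATE_BASE64 != ''
 shell: pwsh
 run: |
 $certificatePath = Join-Path $env:RUNNER_TEMP 'starquery-windows-signing.pfx'
 [System.IO.File]::WriteAllBytes(
 $certificatePath,
-[System.Convert]::FromBase64String('${{ secrets.STARQUERY_WINDOWS_CERTIFICATE_BASE64 }}')
+[System.Convert]::FromBase64String($env:STARQUERY_WINDOWS_CERTIFICATE_BASE64)
 )
 "WINDOWS_CERTIFICATE_FILE=$certificatePath" | Out-File -FilePath $env:GITHUB_ENV -Encoding utf8 -Append
 
 - name: Build Electron distributables
 env:
-STARQUERY_MAC_SIGN: ${{ runner.os == 'macOS' && secrets.APPLE_SIGN_CERTIFICATE_P12_BASE64 != '' && 'true' || 'false' }}
-STARQUERY_MAC_NOTARIZE: ${{ runner.os == 'macOS' && ((secrets.APPLE_NOTARY_API_KEY_P8_BASE64 != '' && secrets.APPLE_API_KEY_ID != '' && secrets.APPLE_API_ISSUER != '') || (secrets.APPLE_ID != '' && secrets.APPLE_APP_SPECIFIC_PASSWORD != '' && secrets.APPLE_TEAM_ID != '')) && 'true' || 'false' }}
+STARQUERY_MAC_SIGN: ${{ runner.os == 'macOS' && env.APPLE_SIGN_CERTIFICATE_P12_BASE64 != '' && 'true' || 'false' }}
+STARQUERY_MAC_NOTARIZE: ${{ runner.os == 'macOS' && ((env.APPLE_NOTARY_API_KEY_P8_BASE64 != '' && env.APPLE_API_KEY_ID != '' && env.APPLE_API_ISSUER != '') || (env.APPLE_ID != '' && env.APPLE_APP_SPECIFIC_PASSWORD != '' && env.APPLE_TEAM_ID != '')) && 'true' || 'false' }}
 STARQUERY_MAC_BUNDLE_ID: ${{ vars.STARQUERY_MAC_BUNDLE_ID }}
 STARQUERY_MAC_APP_CATEGORY: ${{ vars.STARQUERY_MAC_APP_CATEGORY }}
-APPLE_SIGN_IDENTITY: ${{ secrets.APPLE_SIGN_IDENTITY }}
-APPLE_API_KEY_ID: ${{ secrets.APPLE_API_KEY_ID }}
-APPLE_API_ISSUER: ${{ secrets.APPLE_API_ISSUER }}
-APPLE_ID: ${{ secrets.APPLE_ID }}
-APPLE_APP_SPECIFIC_PASSWORD: ${{ secrets.APPLE_APP_SPECIFIC_PASSWORD }}
-APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
+APPLE_SIGN_IDENTITY: ${{ env.APPLE_SIGN_IDENTITY }}
+APPLE_API_KEY_ID: ${{ env.APPLE_API_KEY_ID }}
+APPLE_API_ISSUER: ${{ env.APPLE_API_ISSUER }}
+APPLE_ID: ${{ env.APPLE_ID }}
+APPLE_APP_SPECIFIC_PASSWORD: ${{ env.APPLE_APP_SPECIFIC_PASSWORD }}
+APPLE_TEAM_ID: ${{ env.APPLE_TEAM_ID }}
 STARQUERY_MSIX_PUBLISHER: ${{ vars.STARQUERY_MSIX_PUBLISHER }}
 STARQUERY_MSIX_PUBLISHER_DISPLAY_NAME: ${{ vars.STARQUERY_MSIX_PUBLISHER_DISPLAY_NAME }}
 STARQUERY_MSIX_IDENTITY_NAME: ${{ vars.STARQUERY_MSIX_IDENTITY_NAME }}
@@ -128,7 +140,7 @@ jobs:
 STARQUERY_MSIX_WINDOWS_KIT_VERSION: ${{ vars.STARQUERY_MSIX_WINDOWS_KIT_VERSION }}
 STARQUERY_MSIX_WINDOWS_KIT_PATH: ${{ vars.STARQUERY_MSIX_WINDOWS_KIT_PATH }}
 STARQUERY_MSIX_SIGN: ${{ vars.STARQUERY_MSIX_SIGN }}
-WINDOWS_CERTIFICATE_PASSWORD: ${{ secrets.STARQUERY_WINDOWS_CERTIFICATE_PASSWORD }}
+WINDOWS_CERTIFICATE_PASSWORD: ${{ env.STARQUERY_WINDOWS_CERTIFICATE_PASSWORD }}
 run: pnpm --dir packages/electron make
 
 - name: Upload workflow artifacts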
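Review bot: The `if:` on `Prepare Apple notarization API key` (new line 102) tests only `env.APPLE_NOTARY_API_KEY_P8_BASE64`, yet the script builds the file name from `APPLE_API_KEY_ID`, and the `STARQUERY_MAC_NOTARIZE` expression (new line 123) requires the key, key ID and issuer together. With the key ID unset, the step would still decode the private key to `AuthKey_.p8` under `$RUNNER_TEMP` and export `APPLE_API_KEY`, even though the API-key notarization path is then not selected. Gating on all three values keeps the decoded key off disk unless it will be used: `if: runner.os == 'macOS' && env.APPLE_NOTARY_API_KEY_P8_BASE64 != '' && env.APPLE_API_KEY_ID != '' && env.APPLE_API_ISSUER != ''`. How the build consumes `APPLE_API_KEY` is outside the shown hunks, so the downstream effect of a stray key file is not confirmed.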
