Build and upload Mac app artifact #62
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Build and upload Mac app artifact | |
| on: | |
| workflow_dispatch: | |
| inputs: | |
| buildBranch: | |
| description: 'Headlamp ref/branch/tag' | |
| required: true | |
| default: 'main' | |
| signBinaries: | |
| description: Notarize app | |
| default: false | |
| type: boolean | |
| jobs: | |
| build-mac: | |
| runs-on: macos-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| with: | |
| ref: ${{ github.event.inputs.buildBranch }} | |
| - name: Setup nodejs | |
| uses: actions/setup-node@v4 | |
| with: | |
| node-version: 18.x | |
| - uses: actions/setup-go@v5 | |
| with: | |
| go-version: '1.20.*' | |
| - name: Dependencies | |
| run: brew install make | |
| - name: Build Backend and Frontend | |
| run: | | |
| make | |
| - name: Add MacOS certs | |
| run: cd ./app/mac/scripts/ && sh ./setup-certificate.sh | |
| env: | |
| APPLE_CERTIFICATE: ${{ secrets.TEST_APPLE_DEV_CERT }} | |
| APPLE_CERTIFICATE_PASSWORD: ${{ secrets.TEST_APPLE_DEV_CERT_PASS }} | |
| - name: Build Notarized App Mac | |
| if: ${{ inputs.signBinaries }} | |
| run: | | |
| make app-build | |
| # env: | |
| # APPLEID: ${{ secrets.APPLEID }} | |
| # APPLEIDPASS: ${{ secrets.APPLEIDPASS }} | |
| # APPLETEAMID: ${{ secrets.APPLETEAMID }} | |
| # - name: Build App Mac | |
| # if: ${{ ! inputs.signBinaries }} | |
| # run: | | |
| # make app-mac | |
| - name: CodeSign | |
| run: | | |
| cd ./app/dist/mac && codesign -s ${{ secrets.TEST_APPLE_TEAM_ID }} --deep --force --options runtime --entitlements ../../../mac/entitlements.mac.plist ./Headlamp.app | |
| - name: Zip Artifact | |
| run: | | |
| cd ./app/dist/mac && zip -r -X -y ./Headlamp.zip Headlamp.app | |
| - name: Upload artifact | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: zipbuild | |
| path: ./app/dist/mac/Headlamp.zip | |
| if-no-files-found: error | |
| retention-days: 1 | |
| notarize: | |
| runs-on: windows-latest | |
| needs: build-mac | |
| if: ${{ inputs.signBinaries }} | |
| steps: | |
| - uses: actions/checkout@v4 | |
| with: | |
| ref: ${{ github.event.inputs.buildBranch }} | |
| - name: Setup nodejs | |
| uses: actions/setup-node@v4 | |
| with: | |
| node-version: 18.x | |
| - name: Download artifact | |
| uses: actions/download-artifact@v2 | |
| with: | |
| name: zipbuild | |
| path: ./app/dist | |
| - name: Fetch certificates | |
| if: ${{ inputs.signBinaries }} | |
| shell: pwsh | |
| run: | | |
| az login --service-principal -u ${{ secrets.WINDOWS_CLIENT_ID }} -p ${{ secrets.AZ_LOGIN_PASS }} --tenant 72f988bf-86f1-41af-91ab-2d7cd011db47 | |
| az keyvault secret download --subscription ${{ secrets.AZ_SUBSCRIPTION_ID }} --vault-name headlamp --name HeadlampAuthCert --file c:\HeadlampAuthCert.pfx --encoding base64 | |
| az keyvault secret download --subscription ${{ secrets.AZ_SUBSCRIPTION_ID }} --vault-name headlamp --name ESRPHeadlampReqCert --file c:\HeadlampReqCert.pfx --encoding base64 | |
| - name: Set up certificates | |
| if: ${{ inputs.signBinaries }} | |
| shell: pwsh | |
| run: | | |
| Import-PfxCertificate -FilePath c:\HeadlampAuthCert.pfx -CertStoreLocation Cert:\LocalMachine\My -Exportable | |
| Import-PfxCertificate -FilePath c:\HeadlampReqCert.pfx -CertStoreLocation Cert:\LocalMachine\My -Exportable | |
| - name: Download and Set up ESRPClient | |
| if: ${{ inputs.signBinaries }} | |
| shell: pwsh | |
| run: | | |
| nuget.exe sources add -name esrp -source ${{ secrets.ESRP_NUGET_INDEX_URL }} -username headlamp -password ${{ secrets.AZ_DEVOPS_TOKEN }} | |
| nuget.exe install Microsoft.EsrpClient -Version 1.2.80 -source ${{ secrets.ESRP_NUGET_INDEX_URL }} | out-null | |
| - name: App Windows | |
| shell: pwsh | |
| run: | | |
| ls | |
| if ("${{ inputs.signBinaries }}" -eq "true") { | |
| $env:ESRP_PATH="$(Get-Location)\..\Microsoft.EsrpClient.1.2.80\tools\EsrpClient.exe" | |
| $env:HEADLAMP_WINDOWS_CLIENT_ID="${{ secrets.WINDOWS_CLIENT_ID }}" | |
| $env:HEADLAMP_WINDOWS_SIGN_EMAIL="${{ secrets.WINDOWS_SIGN_EMAIL }}" | |
| } else { | |
| echo "Not signing binaries" | |
| } | |
| cd ./app/mac/scripts | |
| node ./esrp-notarize.js ../../dist/Headlamp.zip | |
| - name: Upload Notarized | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: Win exes | |
| path: ./app/dist/Headlamp*.* | |
| if-no-files-found: error | |
| retention-days: 2 |