diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 05bfb1a..a9eba3b 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -108,181 +108,6 @@ jobs:
 path: './build/'
 retention-days: 3
 
- release-macos-x64:
- needs: release-please
- runs-on:
- - self-hosted
- - x64s
- - macos
- - sp53
- # timeout-minutes: 15
-
- if: needs.release-please.outputs.releases_created == 'true'
- env:
- DIST_FILE_NAME: butler-sos
- GITHUB_TOKEN: ${{ secrets.PAT }}
- MACOS_CERTIFICATE: ${{ secrets.PROD_MACOS_CERTIFICATE_BASE64_CODESIGN }}
- MACOS_CERTIFICATE_PWD: ${{ secrets.PROD_MACOS_CERTIFICATE_CODESIGN_PWD }}
- MACOS_CERTIFICATE_NAME: ${{ secrets.PROD_MACOS_CERTIFICATE_CODESIGN_NAME }}
- MACOS_CI_KEYCHAIN_PWD: ${{ secrets.PROD_MACOS_CI_KEYCHAIN_PWD }}
- PROD_MACOS_NOTARIZATION_APPLE_ID: ${{ secrets.PROD_MACOS_NOTARIZATION_APPLE_ID }}
- PROD_MACOS_NOTARIZATION_TEAM_ID: ${{ secrets.PROD_MACOS_NOTARIZATION_TEAM_ID }}
- PROD_MACOS_NOTARIZATION_PWD: ${{ secrets.PROD_MACOS_NOTARIZATION_PWD }}
- steps:
- - name: Release tag and upload url from previous job
- run: |
- echo "tag_name : ${{ needs.release-please.outputs.release_tag_name }}"
- echo "version : ${{ needs.release-please.outputs.release_version }}"
- echo "upload_url : ${{ needs.release-please.outputs.release_upload_url }}"
-
- - name: Checkout repository
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-
- - name: Setup Node.js
- uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
- with:
- node-version: lts/*
-
- - name: Install tool for creating stand-alone executables
- run: |
- npm install --save-exact esbuild
-
- - name: Install dependencies
- run: |
- pwd
- npm ci --include=prod
-
- - name: Build binaries
- run: |
- pwd
- # Create a single JS file using esbuild
- ./node_modules/.bin/esbuild src/bundle.js --bundle --outfile=build.cjs --format=cjs --platform=node --target=node22 --inject:./src/lib/import-meta-url.js --define:import.meta.url=import_meta_url
-
- # Generate blob to be injected into the binary
- node --experimental-sea-config src/sea-config.json
-
- # Get a copy of the Node executable
- cp $(command -v node) ${DIST_FILE_NAME}
-
- # Remove the signature from the Node executable
- codesign --remove-signature ${DIST_FILE_NAME}
-
- # Inject the blob
- npx postject ${DIST_FILE_NAME} NODE_SEA_BLOB sea-prep.blob --sentinel-fuse NODE_SEA_FUSE_fce680ab2cc467b6e072b8b5df1996b2 --macho-segment-name NODE_SEA
-
- security delete-keychain build.keychain || true
-
- pwd
- ls -la
-
- # Start signing of the binary
- # -------------------
- # We need to create a new keychain, otherwise using the certificate will prompt
- # with a UI dialog asking for the certificate password, which we can't
- # use in a headless CI environment
-
- # Turn our base64-encoded certificate back to a regular .p12 file
- echo "DEBUG: Decoding certificate from base64"
- echo $MACOS_CERTIFICATE | base64 --decode > certificate.p12
-
- echo "DEBUG: Setting KEYCHAIN_NAME environment variable"
- export KEYCHAIN_NAME="build.keychain"
-
- echo "DEBUG: Creating new keychain"
- security create-keychain -p "$MACOS_CI_KEYCHAIN_PWD" "${KEYCHAIN_NAME}"
-
- echo "DEBUG: Getting current keychain list"
- OLD_KEYCHAIN_NAMES=$(security list-keychains -d user | sed -e 's/"//g' | xargs)
- echo "DEBUG: Current keychains: ${OLD_KEYCHAIN_NAMES}"
-
- echo "DEBUG: Setting keychain search list"
- security list-keychains -d user -s "${KEYCHAIN_NAME}" ${OLD_KEYCHAIN_NAMES}
-
- echo "DEBUG: Getting current default keychain"
- DEFAULT_KEYCHAIN=$(security default-keychain -d user | sed -e 's/"//g' | xargs)
- echo "DEBUG: Default keychain is: ${DEFAULT_KEYCHAIN}"
-
- echo "DEBUG: Setting our keychain as default"
- security default-keychain -d user -s "${KEYCHAIN_NAME}"
-
- echo "DEBUG: Unlocking keychain"
- security unlock-keychain -p "$MACOS_CI_KEYCHAIN_PWD" "${KEYCHAIN_NAME}"
-
- echo "DEBUG: Importing certificate into keychain"
- security import certificate.p12 -k "${KEYCHAIN_NAME}" -P "$MACOS_CERTIFICATE_PWD" -T /usr/bin/codesign
-
- echo "DEBUG: Setting keychain timeout to prevent locking"
- security set-keychain-settings -t 3600 -l "${KEYCHAIN_NAME}"
-
- echo "DEBUG: Setting key partition list"
- security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$MACOS_CI_KEYCHAIN_PWD" "${KEYCHAIN_NAME}"
-
- echo "DEBUG: Performing codesign operation"
- codesign --force -s "$MACOS_CERTIFICATE_NAME" -v "./${DIST_FILE_NAME}" --deep --strict --options=runtime --timestamp --entitlements ./release-config/${DIST_FILE_NAME}.entitlements
-
- echo "DEBUG: Verifying code signature"
- codesign -vvv --deep --strict "./${DIST_FILE_NAME}"
-
- # -------------------
- # Notarize
- # Store the notarization credentials so that we can prevent a UI password dialog from blocking the CI
- echo "Create keychain profile"
- # Get the absolute path to the keychain in ~/Library/Keychains/ with the -db suffix macOS adds to keychain files
- KEYCHAIN_PATH=~/Library/Keychains/${KEYCHAIN_NAME}-db
- echo "DEBUG: Using keychain at path: ${KEYCHAIN_PATH}"
- xcrun notarytool store-credentials "notarytool-profile" --apple-id "$PROD_MACOS_NOTARIZATION_APPLE_ID" --team-id "$PROD_MACOS_NOTARIZATION_TEAM_ID" --password "$PROD_MACOS_NOTARIZATION_PWD" --keychain "${KEYCHAIN_PATH}"
-
- # -------------------
- # We can't notarize an app bundle directly, but we need to compress it as an archive.
- # Therefore, we create a zip file containing our app bundle, so that we can send it to the
- # notarization service
- # Notarize insider binary
- echo "Creating temp notarization archive for insider build"
- zip -r "./${DIST_FILE_NAME}-${{ needs.release-please.outputs.release_version }}-macos-x64.zip" "./${DIST_FILE_NAME}" -x "*.DS_Store"
-
- # Add additional files to the zip file
- cd src
- zip -u -r "../${DIST_FILE_NAME}-${{ needs.release-please.outputs.release_version }}-macos-x64.zip" "./config/production_template.yaml" "./config/log_appender_xml" -x "*.DS_Store"
- cd ..
-
- # Here we send the notarization request to the Apple's Notarization service, waiting for the result.
- echo "Notarize insider app"
- xcrun notarytool submit "./${DIST_FILE_NAME}-${{ needs.release-please.outputs.release_version }}-macos-x64.zip" --keychain-profile "notarytool-profile" --wait --keychain "${KEYCHAIN_PATH}"
-
- echo "DEBUG: Restoring original default keychain"
- security default-keychain -d user -s "$DEFAULT_KEYCHAIN" || echo "WARNING: Failed to restore default keychain, continuing anyway"
-
- echo "DEBUG: Restoring original keychain list"
- security list-keychains -d user -s ${OLD_KEYCHAIN_NAMES} || echo "WARNING: Failed to restore keychain list, continuing anyway"
-
- # -------------------
- # Clean up
- # Delete build keychain
- security delete-keychain build.keychain
-
- ls -la
-
- - name: Upload to existing release
- uses: ncipollo/release-action@b7eabc95ff50cbeeedec83973935c8f306dfcd0b # v1.20.0
- with:
- allowUpdates: true
- omitBodyDuringUpdate: true
- omitNameDuringUpdate: true
- artifactContentType: raw
- # artifactContentType: application/zip
- draft: true
- tag: ${{ needs.release-please.outputs.release_tag_name }}
- artifacts: ./butler-sos-${{ needs.release-please.outputs.release_version }}-macos-x64.zip
- token: ${{ github.token }}
-
- - name: Tidy up before existing
- run: |
- pwd
- ls -la
- rm build.cjs certificate.p12
- rm "./${DIST_FILE_NAME}"
- rm "./${DIST_FILE_NAME}-${{ needs.release-please.outputs.release_version }}-macos-x64.zip"
-
 release-macos-arm64:
 needs: release-please
 runs-on:
diff --git a/.github/workflows/insiders-build.yaml b/.github/workflows/insiders-build.yaml
index 22ac0ab..db7b344 100644
--- a/.github/workflows/insiders-build.yaml
+++ b/.github/workflows/insiders-build.yaml
@@ -8,7 +8,7 @@ jobs:
 insiders-build:
 strategy:
 matrix:
- os: [win-code-sign, mac-build2, mac-build1, ubuntu-latest]
+ os: [win-code-sign, mac-build2, ubuntu-latest]
 include:
 - os: win-code-sign
 build: |
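Review bot: The changed `os:` matrix line drops `mac-build1` without recording why macOS x64 is no longer built, so a later reader cannot tell whether this is a temporary runner outage or a deliberate end of x64 macOS support. A trailing comment on the new line would capture that, e.g. `os: [win-code-sign, mac-build2, ubuntu-latest] # macOS x64 (mac-build1) no longer built; only arm64 macOS artifacts are produced`. The matching deletion of the `release-macos-x64` job in ci.yaml in this same commit looks consistent, but anything that consumed the `butler-sos--macos-x64--<sha>.zip` insider artifact or the x64 release asset will presumably stop finding it, which is worth a line in the release notes. The `insiders-build` job continues outside this hunk.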
@@ -95,125 +95,6 @@ jobs:
 # artifact_release_path: release-binaries-win/*
 artifact_insider: butler-sos--win-x64--${{ github.sha }}.zip
 
- # x64 build
- - os: mac-build1
- build: |
- # Inject git SHA and date into package.json
- GIT_SHA=$(git rev-parse --short HEAD)
- DATE_STR=$(date +"%Y-%b-%d")
- VERSION=$(grep -o '"version": "[^"]*"' package.json | cut -d'"' -f4)
- sed -i '' "s/\"version\": \".*\"/\"version\": \"${VERSION}_${DATE_STR}_${GIT_SHA}\"/" package.json
-
- # Create a single JS file using esbuild
- ./node_modules/.bin/esbuild src/bundle.js --bundle --outfile=build.cjs --format=cjs --platform=node --target=node22 --inject:./src/lib/import-meta-url.js --define:import.meta.url=import_meta_url
-
- # Generate blob to be injected into the binary
- node --experimental-sea-config src/sea-config.json
-
- # Get a copy of the Node executable
- cp $(command -v node) ${DIST_FILE_NAME}
-
- # Remove the signature from the Node executable
- codesign --remove-signature ${DIST_FILE_NAME}
-
- # Inject the blob
- npx postject ${DIST_FILE_NAME} NODE_SEA_BLOB sea-prep.blob --sentinel-fuse NODE_SEA_FUSE_fce680ab2cc467b6e072b8b5df1996b2 --macho-segment-name NODE_SEA
-
- security delete-keychain build.keychain || true
-
- pwd
- ls -la
-
- # Start signing of the binary
-
- # -------------------
- # We need to create a new keychain, otherwise using the certificate will prompt
- # with a UI dialog asking for the certificate password, which we can't
- # use in a headless CI environment
-
- # Turn our base64-encoded certificate back to a regular .p12 file
- echo "DEBUG: Decoding certificate from base64"
- echo $MACOS_CERTIFICATE | base64 --decode > certificate.p12
-
- echo "DEBUG: Setting KEYCHAIN_NAME environment variable"
- export KEYCHAIN_NAME="build.keychain"
-
- echo "DEBUG: Creating new keychain"
- security create-keychain -p "$MACOS_CI_KEYCHAIN_PWD" "${KEYCHAIN_NAME}"
-
- echo "DEBUG: Getting current keychain list"
- OLD_KEYCHAIN_NAMES=$(security list-keychains -d user | sed -e 's/"//g' | xargs)
- echo "DEBUG: Current keychains: ${OLD_KEYCHAIN_NAMES}"
-
- echo "DEBUG: Setting keychain search list"
- security list-keychains -d user -s "${KEYCHAIN_NAME}" ${OLD_KEYCHAIN_NAMES}
-
- echo "DEBUG: Getting current default keychain"
- DEFAULT_KEYCHAIN=$(security default-keychain -d user | sed -e 's/"//g' | xargs)
- echo "DEBUG: Default keychain is: ${DEFAULT_KEYCHAIN}"
-
- echo "DEBUG: Setting our keychain as default"
- security default-keychain -d user -s "${KEYCHAIN_NAME}"
-
- echo "DEBUG: Unlocking keychain"
- security unlock-keychain -p "$MACOS_CI_KEYCHAIN_PWD" "${KEYCHAIN_NAME}"
-
- echo "DEBUG: Importing certificate into keychain"
- security import certificate.p12 -k "${KEYCHAIN_NAME}" -P "$MACOS_CERTIFICATE_PWD" -T /usr/bin/codesign
-
- echo "DEBUG: Setting keychain timeout to prevent locking"
- security set-keychain-settings -t 3600 -l "${KEYCHAIN_NAME}"
-
- echo "DEBUG: Setting key partition list"
- security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$MACOS_CI_KEYCHAIN_PWD" "${KEYCHAIN_NAME}"
-
- echo "DEBUG: Performing codesign operation"
- codesign --force -s "$MACOS_CERTIFICATE_NAME" -v "./${DIST_FILE_NAME}" --deep --strict --options=runtime --timestamp --entitlements ./release-config/${DIST_FILE_NAME}.entitlements
-
- echo "DEBUG: Verifying code signature"
- codesign -vvv --deep --strict "./${DIST_FILE_NAME}"
-
- # -------------------
- # Notarize
- # Store the notarization credentials so that we can prevent a UI password dialog from blocking the CI
- echo "Create keychain profile"
- # Get the absolute path to the keychain in ~/Library/Keychains/ with the -db suffix macOS adds to keychain files
- KEYCHAIN_PATH=~/Library/Keychains/${KEYCHAIN_NAME}-db
- echo "DEBUG: Using keychain at path: ${KEYCHAIN_PATH}"
- xcrun notarytool store-credentials "notarytool-profile" --apple-id "$PROD_MACOS_NOTARIZATION_APPLE_ID" --team-id "$PROD_MACOS_NOTARIZATION_TEAM_ID" --password "$PROD_MACOS_NOTARIZATION_PWD" --keychain "${KEYCHAIN_PATH}"
-
- # -------------------
- # We can't notarize an app bundle directly, but we need to compress it as an archive.
- # Therefore, we create a zip file containing our app bundle, so that we can send it to the
- # notarization service
- # Notarize insider binary
- echo "Creating temp notarization archive for insider build"
- zip -r "./${DIST_FILE_NAME}--macos-x64--${{ github.sha }}.zip" "./${DIST_FILE_NAME}" -x "*.DS_Store"
-
- # Add additional files to the zip file
- cd src
- zip -u -r "../${DIST_FILE_NAME}--macos-x64--${{ github.sha }}.zip" "./config/production_template.yaml" "./config/log_appender_xml" -x "*.DS_Store"
- cd ..
-
- # Here we send the notarization request to the Apple's Notarization service, waiting for the result.
- echo "Notarize insider app"
- xcrun notarytool submit "./${DIST_FILE_NAME}--macos-x64--${{ github.sha }}.zip" --keychain-profile "notarytool-profile" --wait --keychain "${KEYCHAIN_PATH}"
-
- echo "DEBUG: Restoring original default keychain"
- security default-keychain -d user -s "$DEFAULT_KEYCHAIN" || echo "WARNING: Failed to restore default keychain, continuing anyway"
-
- echo "DEBUG: Restoring original keychain list"
- security list-keychains -d user -s ${OLD_KEYCHAIN_NAMES} || echo "WARNING: Failed to restore keychain list, continuing anyway"
-
- # -------------------
- # Clean up
- # Delete build keychain
- security delete-keychain build.keychain
- rm build.cjs certificate.p12
-
- ls -la
- artifact_insider: butler-sos--macos-x64--${{ github.sha }}.zip
-
 # Arm64 build
 - os: mac-build2
 build: |