ci: notarize macOS release archives (#8297)

ᴊᴏᴇ ᴄʜᴇɴ
2026-05-24 23:08:45 -04:00
committed by GitHub
parent adea243ee8
commit 878caa7378
+71 -12
@@ -23,22 +23,23 @@ permissions:
jobs: jobs:
build: build:
name: Build ${{ matrix.goos }}/${{ matrix.goarch }}${{ matrix.suffix }} name: Build ${{ matrix.goos }}/${{ matrix.goarch }}${{ matrix.suffix }}
runs-on: ubuntu-latest if: ${{ github.repository == 'gogs/gogs' }}
runs-on: ${{ matrix.runner }}
strategy: strategy:
fail-fast: false fail-fast: false
matrix: matrix:
include: include:
- {goos: linux, goarch: amd64} - {goos: linux, goarch: amd64, runner: ubuntu-latest}
- {goos: linux, goarch: arm64} - {goos: linux, goarch: arm64, runner: ubuntu-latest}
- {goos: linux, goarch: "386"} - {goos: linux, goarch: "386", runner: ubuntu-latest}
- {goos: darwin, goarch: amd64} - {goos: darwin, goarch: amd64, runner: macos-latest}
- {goos: darwin, goarch: arm64} - {goos: darwin, goarch: arm64, runner: macos-latest}
- {goos: windows, goarch: amd64} - {goos: windows, goarch: amd64, runner: ubuntu-latest}
- {goos: windows, goarch: arm64} - {goos: windows, goarch: arm64, runner: ubuntu-latest}
- {goos: windows, goarch: "386"} - {goos: windows, goarch: "386", runner: ubuntu-latest}
- {goos: windows, goarch: amd64, suffix: "_mws", tags: minwinsvc} - {goos: windows, goarch: amd64, suffix: "_mws", tags: minwinsvc, runner: ubuntu-latest}
- {goos: windows, goarch: arm64, suffix: "_mws", tags: minwinsvc} - {goos: windows, goarch: arm64, suffix: "_mws", tags: minwinsvc, runner: ubuntu-latest}
- {goos: windows, goarch: "386", suffix: "_mws", tags: minwinsvc} - {goos: windows, goarch: "386", suffix: "_mws", tags: minwinsvc, runner: ubuntu-latest}
steps: steps:
- name: Check out code - name: Check out code
uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
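Review bot: The new job-level `if: ${{ github.repository == 'gogs/gogs' }}` turns the whole release build off in every fork without saying why, which will read as a broken workflow to anyone running it elsewhere. A one-line comment above the condition would spare the next maintainer the archaeology, e.g. `# Signing/notarization need repository secrets that only exist upstream; skip the build elsewhere.`. If the real intent is only to skip the Apple steps, note that those steps already fail hard on missing secrets (later in this file), so the gate here is the only thing keeping forks from a red build rather than an unsigned one. The job definition continues past this hunk.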
@@ -93,6 +94,42 @@ jobs:
" \ " \
-tags "$TAGS" \ -tags "$TAGS" \
-trimpath -o "$BINARY_NAME" ./cmd/gogs -trimpath -o "$BINARY_NAME" ./cmd/gogs
- name: Import Apple signing certificate
if: ${{ matrix.goos == 'darwin' }}
env:
APPLE_DEVELOPER_ID_CERTIFICATE_BASE64: ${{ secrets.APPLE_DEVELOPER_ID_CERTIFICATE_BASE64 }}
APPLE_DEVELOPER_ID_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_DEVELOPER_ID_CERTIFICATE_PASSWORD }}
APPLE_KEYCHAIN_PASSWORD: ${{ secrets.APPLE_KEYCHAIN_PASSWORD }}
run: |
if [ -z "$APPLE_DEVELOPER_ID_CERTIFICATE_BASE64" ] || [ -z "$APPLE_DEVELOPER_ID_CERTIFICATE_PASSWORD" ] || [ -z "$APPLE_KEYCHAIN_PASSWORD" ]; then
echo "Missing required Apple signing secrets." >&2
exit 1
fi
CERTIFICATE_PATH="$RUNNER_TEMP/developer_id_application.p12"
KEYCHAIN_PATH="$RUNNER_TEMP/app-signing.keychain-db"
printf '%s' "$APPLE_DEVELOPER_ID_CERTIFICATE_BASE64" | base64 -d > "$CERTIFICATE_PATH"
security create-keychain -p "$APPLE_KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
security set-keychain-settings -lut 21600 "$KEYCHAIN_PATH"
security unlock-keychain -p "$APPLE_KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
security import "$CERTIFICATE_PATH" -P "$APPLE_DEVELOPER_ID_CERTIFICATE_PASSWORD" -A -t cert -f pkcs12 -k "$KEYCHAIN_PATH"
security list-keychains -d user -s "$KEYCHAIN_PATH"
security default-keychain -s "$KEYCHAIN_PATH"
security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$APPLE_KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
- name: Sign macOS binary
if: ${{ matrix.goos == 'darwin' }}
env:
APPLE_DEVELOPER_IDENTITY: ${{ secrets.APPLE_DEVELOPER_IDENTITY }}
run: |
if [ -z "$APPLE_DEVELOPER_IDENTITY" ]; then
echo "Missing required Apple signing identity secret." >&2
exit 1
fi
security find-identity -v -p codesigning
codesign --force --options runtime --timestamp --sign "$APPLE_DEVELOPER_IDENTITY" "gogs"
codesign --verify --verbose=2 "gogs"
- name: Prepare archive contents - name: Prepare archive contents
run: | run: |
mkdir -p dist/gogs mkdir -p dist/gogs
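Review bot: The imported Developer ID private key stays usable for the rest of the job: the p12 is left in `$RUNNER_TEMP`, the keychain is created, unlocked and made the default, and `security import -A` plus `set-key-partition-list` let any process sign with it without prompting, so every later step (archive, upload) can run `codesign` with the release identity. Nothing in this hunk tears that down, which is tolerable on an ephemeral GitHub-hosted runner but becomes a real exposure the moment `matrix.runner` points at a self-hosted machine. Notarization does not need the keychain (it uses the API key), so the keychain can be deleted right after signing in an `always()` step; I would also narrow `-A` to `-T /usr/bin/codesign` so only codesign may touch the key. The `codesign --verify` line could additionally pass `--strict` to catch hardened-runtime problems before notarization reports them.
```yaml
      - name: Sign macOS binary
        # … unchanged: identity check, find-identity, codesign, verify …
      - name: Remove Apple signing keychain
        if: ${{ always() && matrix.goos == 'darwin' }}
        run: |
          security delete-keychain "$RUNNER_TEMP/app-signing.keychain-db" || true
          rm -f "$RUNNER_TEMP/developer_id_application.p12"
```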
@@ -114,6 +151,28 @@ jobs:
if [ "${{ matrix.goos }}" = "linux" ]; then if [ "${{ matrix.goos }}" = "linux" ]; then
tar -czvf "${ARCHIVE_BASE}.tar.gz" gogs tar -czvf "${ARCHIVE_BASE}.tar.gz" gogs
fi fi
- name: Notarize macOS archive
if: ${{ matrix.goos == 'darwin' }}
env:
APPLE_NOTARY_ISSUER_ID: ${{ secrets.APPLE_NOTARY_ISSUER_ID }}
APPLE_NOTARY_KEY_BASE64: ${{ secrets.APPLE_NOTARY_KEY_BASE64 }}
APPLE_NOTARY_KEY_ID: ${{ secrets.APPLE_NOTARY_KEY_ID }}
run: |
if [ -z "$APPLE_NOTARY_ISSUER_ID" ] || [ -z "$APPLE_NOTARY_KEY_BASE64" ] || [ -z "$APPLE_NOTARY_KEY_ID" ]; then
echo "Missing required Apple notarization secrets." >&2
exit 1
fi
VERSION="${{ steps.version.outputs.version }}"
ARCHIVE_PATH="dist/gogs_${VERSION}_${{ matrix.goos }}_${{ matrix.goarch }}${{ matrix.suffix }}.zip"
NOTARY_KEY_PATH="$RUNNER_TEMP/AuthKey_${APPLE_NOTARY_KEY_ID}.p8"
printf '%s' "$APPLE_NOTARY_KEY_BASE64" | base64 -d > "$NOTARY_KEY_PATH"
xcrun notarytool submit "$ARCHIVE_PATH" \
--key "$NOTARY_KEY_PATH" \
--key-id "$APPLE_NOTARY_KEY_ID" \
--issuer "$APPLE_NOTARY_ISSUER_ID" \
--wait
- name: Upload to release - name: Upload to release
env: env:
GH_TOKEN: ${{ github.token }} GH_TOKEN: ${{ github.token }}
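Review bot: When Apple rejects the submission, the step gives no reason: `notarytool submit --wait` prints only the final status, the submission id is not captured, and `notarytool log` is never called, so a failed notarization will need a manual re-run with the same secrets to diagnose. I would capture the output, fail explicitly unless it contains `status: Accepted` (so the step does not depend on notarytool's exit code on an `Invalid` result), and fetch the log for the submission id when it is not. The decoded `.p8` key is also left on disk for the rest of the job; a `trap` removes it when the step ends. Unrelated but worth a comment: the zip holds a bare executable, which as far as I know cannot be stapled, so Gatekeeper will verify the ticket online rather than offline.
```yaml
        # … unchanged: secret presence check, ARCHIVE_PATH / NOTARY_KEY_PATH setup, key decode …
        trap 'rm -f "$NOTARY_KEY_PATH"' EXIT
        SUBMIT_OUTPUT="$(xcrun notarytool submit "$ARCHIVE_PATH" \
          --key "$NOTARY_KEY_PATH" \
          --key-id "$APPLE_NOTARY_KEY_ID" \
          --issuer "$APPLE_NOTARY_ISSUER_ID" \
          --wait 2>&1)" || true
        printf '%s\n' "$SUBMIT_OUTPUT"
        if ! printf '%s\n' "$SUBMIT_OUTPUT" | grep -q 'status: Accepted'; then
          SUBMISSION_ID="$(printf '%s\n' "$SUBMIT_OUTPUT" | awk '/^ *id:/ { print $2; exit }')"
          if [ -n "$SUBMISSION_ID" ]; then
            xcrun notarytool log "$SUBMISSION_ID" \
              --key "$NOTARY_KEY_PATH" \
              --key-id "$APPLE_NOTARY_KEY_ID" \
              --issuer "$APPLE_NOTARY_ISSUER_ID"
          fi
          echo "Notarization was not accepted." >&2
          exit 1
        fi
```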