diff --git a/.github/secrets/hcloud_cli.p12.gpg b/.github/secrets/hcloud_cli.p12.gpg
deleted file mode 100644
index 6706e17b..00000000
Binary files a/.github/secrets/hcloud_cli.p12.gpg and /dev/null differ
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 5cb7f13c..a9baec83 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -7,7 +7,7 @@ on:
 jobs:
 build:
- runs-on: macos-latest
+ runs-on: ubuntu-latest
 steps:
 - name: Checkout
 uses: actions/checkout@v4
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 3306c344..a385f3b0 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -7,7 +7,7 @@ on:
 jobs:
 release:
- runs-on: macos-latest
+ runs-on: ubuntu-latest
 steps:
 - name: Checkout
 uses: actions/checkout@v4
@@ -17,8 +17,10 @@ jobs:
 with:
 go-version-file: go.mod
- - name: Set up gon
- run: brew install mitchellh/gon/gon
+ - name: Setup rcodesign
+ uses: hashicorp/action-setup-rcodesign@v1
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 - name: Import GPG key
 id: import_gpg
@@ -27,10 +29,8 @@ jobs:
 gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
 passphrase: ${{ secrets.GPG_PASSPHRASE }}
- - name: Decrypt Secrets
- env:
- SECRETS_PASSWORD: ${{ secrets.SECRETS_PASSWORD }}
- run: bash script/decrypt_secrets.sh
+ - name: Extract Apple certificate
+ run: echo "${{ secrets.APPLE_CERTIFICATE_P12_FILE }}" | base64 -d > certificate.p12
 - name: Run GoReleaser
 uses: goreleaser/goreleaser-action@v5
@@ -39,6 +39,8 @@ jobs:
 args: release --clean --skip=validate
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- HC_APPLE_DEVELOPER_USER: ${{ secrets.HC_APPLE_DEVELOPER_USER }}
- HC_APPLE_DEVELOPER_PASSWORD: ${{ secrets.HC_APPLE_DEVELOPER_PASSWORD }}
- HC_APPLE_IDENTITY: ${{ secrets.HC_APPLE_IDENTITY }}
+ APPLE_CERTIFICATE_P12_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_P12_PASSWORD }}
+
+ - name: Delete Apple certificate
+ if: always()
+ run: rm -f certificate.p12
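Review bot: `uses: hashicorp/action-setup-rcodesign@v1` pulls a third-party action by a floating major tag into the job that holds the signing certificate and its password, so whoever can move that tag can run code with access to those secrets. Pin it to a full-length commit SHA and keep the version as a trailing comment, e.g. `uses: hashicorp/action-setup-rcodesign@<full-commit-sha>  # v1`, and let Dependabot or Renovate bump it. The surrounding `actions/checkout@v4` and `goreleaser/goreleaser-action@v5` are pre-existing but would benefit from the same treatment. The `GITHUB_TOKEN` passed in `env:` is presumably only for fetching the rcodesign release without hitting API rate limits; if so, that is fine as written.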
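Review bot: `run: echo "${{ secrets.APPLE_CERTIFICATE_P12_FILE }}" | base64 -d > certificate.p12` expands the secret into the script text itself; the established pattern is to pass secrets through `env:` and read the variable in the shell, which keeps the script static and is the form GitHub recommends against expression injection. Change the step to `env:` / `APPLE_CERTIFICATE_P12_FILE: ${{ secrets.APPLE_CERTIFICATE_P12_FILE }}` / `run: printf '%s' "$APPLE_CERTIFICATE_P12_FILE" | base64 -d > certificate.p12`. Note also that an empty or missing secret yields an empty `certificate.p12` with exit status 0 here, and the GoReleaser hook only checks for `APPLE_CERTIFICATE_P12_PASSWORD`, so the failure would surface later inside rcodesign; a `test -s certificate.p12` after the decode would make that explicit. The file lands in the checkout root and is removed by the final `if: always()` step, which is the right shape.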
diff --git a/.goreleaser.yml b/.goreleaser.yml
index 6a700432..8fcaf8f4 100644
--- a/.goreleaser.yml
+++ b/.goreleaser.yml
@@ -41,7 +41,16 @@ builds:
 - arm64
 hooks:
 post:
- - cmd: bash script/gon.sh "{{ .Path }}"
+ - cmd: >
+ {{- if index .Env "APPLE_CERTIFICATE_P12_PASSWORD" -}}
+ rcodesign sign
+ --p12-file certificate.p12
+ --p12-password "{{ .Env.APPLE_CERTIFICATE_P12_PASSWORD }}"
+ --code-signature-flags runtime
+ "{{ .Path }}"
+ {{- else -}}
+ echo "skipping rcodesign sign hook!"
+ {{- end -}}
 output: true
 snapshot:
diff --git a/script/decrypt_secrets.sh b/script/decrypt_secrets.sh
deleted file mode 100755
index 0f1f61b5..00000000
--- a/script/decrypt_secrets.sh
+++ /dev/null
@@ -1,15 +0,0 @@
-#!/bin/sh
-
-gpg --quiet --batch --yes --decrypt --passphrase="$SECRETS_PASSWORD" --output ./.github/secrets/hcloud_cli.p12 ./.github/secrets/hcloud_cli.p12.gpg
-
-security create-keychain -p "" build.keychain
-# Use long timeout for keychain to avoid issues where codesign fails because the keychain is locked
-# before it was used. Default timeout is 300s
-security set-keychain-settings -u -t 3600 ~/Library/Keychains/build.keychain
-security import ./.github/secrets/hcloud_cli.p12 -t agg -k ~/Library/Keychains/build.keychain -P "$CERT_PASSWORD" -A
-
-security list-keychains -s ~/Library/Keychains/build.keychain
-security default-keychain -s ~/Library/Keychains/build.keychain
-security unlock-keychain -p "" ~/Library/Keychains/build.keychain
-
-security set-key-partition-list -S apple-tool:,apple: -s -k "" ~/Library/Keychains/build.keychain
diff --git a/script/gon.sh b/script/gon.sh
deleted file mode 100755
index 751a79ba..00000000
--- a/script/gon.sh
+++ /dev/null
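Review bot: `--p12-password "{{ .Env.APPLE_CERTIFICATE_P12_PASSWORD }}"` places the certificate password on the rcodesign command line, where it is visible to any other process on the runner through the process table and may also end up in GoReleaser's own hook logging when running with verbose output. Write the password to a file in the workflow step instead and pass it with `--p12-password-file`, if the rcodesign version installed by the setup action supports that flag, or keep it in the environment and have a small wrapper script read it from there. The replaced `script/gon.sh` also submitted the binary for notarization via its `apple_id` block; the new hook only runs `rcodesign sign`, so unless notarization is handled elsewhere the released binaries will be signed but not notarized, which Gatekeeper treats differently. Finally, the template guard checks only that `APPLE_CERTIFICATE_P12_PASSWORD` is set, not that `certificate.p12` exists, so a misconfigured run fails inside rcodesign rather than with a clear message.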
@@ -1,30 +0,0 @@
-#!/usr/bin/env bash
-set -eu -o posix
-# Only sign on releasing
-if [[ "${GITHUB_REF_TYPE:-}" != "tag" ]]; then
- exit 0
-fi
-BINARY_PATH="$1"
-GON_CONFIG="gon_$RANDOM.json"
-cleanup() {
- rm -f "$GON_CONFIG"
-}
-trap cleanup EXIT
-printf '{
- "source": ["%s"],
- "bundle_id": "cloud.hetzner.cli",
- "apple_id": {
- "username": "integrations@hetzner-cloud.de",
- "password": "@env:HC_APPLE_DEVELOPER_PASSWORD"
- },
- "sign": {
- "application_identity": "Developer ID Application: Hetzner Cloud GmbH (4PM38G6W5R)"
- }
-}' "$BINARY_PATH" > "$GON_CONFIG"
-gon -log-level=debug "$GON_CONFIG"