From 703f535444ac6e6dfa46470262c7bfd375f868d4 Mon Sep 17 00:00:00 2001 From: phm07 <22707808+phm07@users.noreply.github.com> Date: Thu, 25 Apr 2024 13:43:56 +0200 Subject: [PATCH] ci: replace gon with rcodesign, switch to ubuntu runner (#738) This PR replaces the unmaintained `mitchellh/gon` with [`rcodesign`](https://gregoryszorc.com/docs/apple-codesign/stable), which allows the CI pipeline to run on Linux. This should make the build and release process faster. The Apple Developer ID and password are no longer used (this was not clear before). Also, the Apple code signing certificate has been moved to a secret. Closes #676 --------- Co-authored-by: Jonas L --- .github/secrets/hcloud_cli.p12.gpg | Bin 3337 -> 0 bytes .github/workflows/build.yml | 2 +- .github/workflows/release.yml | 22 +++++++++++---------- .goreleaser.yml | 11 ++++++++++- script/decrypt_secrets.sh | 15 --------------- script/gon.sh | 30 ----------------------------- 6 files changed, 23 insertions(+), 57 deletions(-) delete mode 100644 .github/secrets/hcloud_cli.p12.gpg delete mode 100755 script/decrypt_secrets.sh delete mode 100755 script/gon.sh 
diff --git a/.github/secrets/hcloud_cli.p12.gpg b/.github/secrets/hcloud_cli.p12.gpg deleted file mode 100644 index 6706e17b0ad7c5e82c46132959016cb021a9f6a4..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 3337 zcmV+k4fgVk4Fm}T0&IXstusm3DCg4a0Y&C$C`)2EQ)zx2s9HQ)qsV0wDp8rt2p-rNjR$4l8;P_Nga)sKS41Zl<^ zSh{&+_bS`IxM)Jor(W>Y4L%0wE*}&yu3GsK)i3j3RlTl!eehKWv>BpiG7GEI*VZxA z{yExC{$0~erLfS++}+j!`yAJRaRo~7k>bcH~FDyhCo|h^V?FXr@tJ3GW(-Q1hN5+1EiTbYZ=-DtM>+BLj&zjgY~a0=uJ}%2 zS|Gz3aWCKo4?=AHBKdcW?nrwX##1+8roWX;MDt7gz$_5D(<;e-RDbXI@3sp(wI zZXP2VCU+gookOBlqwTYTZ7$x>Qj&X*Hb)QU&_^+#BR{nEA)m63B95&R&QeqSZVCJ) zZQ0-beyF%!({}b1L2^zy;quAtqRMgEs+1AhCBQiZys_^Y&Cnr@QH3Oy#cBSW`Z7@0 z;>*H*yQf2i(l#|q)5EMhb9a+vY@g6j7po*#j_M=jL?qKzb3d*WC6{3dTu~jz?O)pE z|H1bnva@F3_9p2UaC!M9(HaPS^sZG@Ta)f^8h__5LG>@FzxAk6gc%0aMl1E`4N|+x zus?2jidXweMxg~Dg?XN%EFA_wTUg7eOD4Dsjl_oJ>ybOclz~u3z!h49L7#7PK=hWq zML{?SV$g<6tdBkRhGkB?rf3QW39jMsR>~yB+sS~#&z*mgS3?oHPCJ&|PfOlt4ZWph z+gIDMXz&rdhQ~ZJyQ^>__#&D@9IX#OdD}xZs)YohoF@L!8ZxLpS;!ck&aqjlhzJuP zQk?Aqd>X-yP8C8!84Jq8atgvsSR6%r@X;nE@)?MnGUH6q;X=u74jDZO<9N(l<`G)CryEKLR%_|XLD zOcJ(vZ8@(%GFd`>0hu^g`e>;n5dhk9a;0-CnH|eRH4J@hqu;tRk9}Bc3NnRZUBNOG zzaq`s^PV9(DEF?zcZiQgWj=lo^N(Kv*K!$Ihof#tnD`bvE*qYg^@|>fDoOR|{CeXG zSO?(IBQH^2p!qQ+p)zu1NZeu;HxBLtq@!6 zMW2iHBNmv*n2|dHtCbqZ;uSI*0duxffuz-dl$Adx8Y2i64Ymrx16QoUD{UWt0sXty zA8L27$iKO7zKCw^{(k9<50-m*uA z%~KF22D_=as_0p(s90+SU=YSO{@9{-aaw0OwX7t|lasH=4`-Kd<&7XrM0Qf=CT}f? 
zFxa}%)6PTCTBN?kPnZX^$6R9ZKWcnbMA~sSSD|2*B%3?^Yq;AipEOP?PPYsJBr%8} z)!%EQbaLh4o+Yewyf$(_mex-TktuQP#?frbM{so6@yojk$Gr;qruzChdyauchLEXO z5Mp)1q^?L3-F1KvnhzjVtUzI*X3$`We4l^e5vpgA1jayx<}a9gQ0h$+8`fZ8=Tn5v zme6lMTyw%+x$S0+a-+lY3a1`-7^~SThTrcm9u@0hfdS;;6Me|4LHoR&v#Kg4KeMkq zB$OO>xS(>Bp#HgzI*Ru;yR{8%m9Y7lbKYA2rVARu%+iY5zq*R7y^2-2T-SuJj?5}Z z3b3c8oJzT!Jod>RFymPx@i0IaPCaWzM)#Kz_o}lB(Dg}up8FmLy0CVytR}k~fgY4i zCb;#Lu!1x#0l^I{V#11W-84QBw z>!@1%nu;KT8H5UQPe{&P)G6YysJwhrj>vHp1F%q`1ZXCw9=7>L6dpqRmtAsgN6hHM z2F9D;V(_7E*o3Ecl-Pxl z4TF_&ibo%?m$W+C`ra%Qvp*wS!uv`;_)JfB;~G)}|svK2Qm^-Hlg-#smbl7Gw6F)tkR>z2q~(X3N3;85i^N&@;aN zP8+bsKjLz&Zu6meqO9oL34D8+7vrW()x?{WqzBUwO+okSvVV1Coc;UtyPN=)&rNSR zk|3Ikz)SGDL@NVPa79wY^&i|t-s%6q)sE&Qg;%Hs{z-b9w0kh^nj|fepc0VgYG#sp zceWa}lCgg*zct^AyPURimEBJG-I6h@n@r4#ffl)}*L6KCxBjEi)Qbs>>M(Fzq3@!r z`#{S8xv||%15;GA6Q|x^;q)u!Ecn3c5S-d`H?d=6uq%6o6QMDev=2T1NX0Ycb=Ue! zJDPuHV-*MGS$huVQ(wAVu8~=F9Zms&w@z6lyr?|o?DIC~$OxCcg0J+ezYL^at+(S5<2VI7|NE9>T9)`h*Pyi!{=|44{N$I8vGIEM);8nk$a6b6}*v zVBHdojci8Q^W~PPW}1KaZY6nZkuQ$yq27H=w8La()^0tS_&GH)PKJ57xp| zd5oOU?ob_@M<|)NQWGC9m^&EeO5NtLlOq^v#XJ4e{#O{Ja^rgxH*y;X&L zoozfVQ=XGtdp`D6Xd=A!S}0DK#Ow^GP$1_6j-V_IQuxx>Nj6YD^240%M1l=RPvX+h1MMJxxy zBMo%g%fzDv_^p{By)Zvcng$zls*8*R_JU$MFoD(N4|k`?ONKP)L{a}sjsj{+jM`WT zirOHTe2iqJ#Qc^NU+g1Ya@2q~YK{TBVQ2ebhQKwDQ3(|zzvHc+5k#nC%eCTvkx#C; zALi(}d(^~H2%K!CrdxY&>l)Ei*Z+R~*OZj&Qpkon9DeHlVE8AVeKn^Y+sO$?4n3gp z(M9&L(tHYY2ldXo;&Al7vpX@jJ$x8ikO485lK!C0ac4ryowN_=O)7SNzvB;*eg`U- zt)>=BZS<%5g86$Y=j5sQI{DW3Y= certificate.p12 - name: Run GoReleaser uses: goreleaser/goreleaser-action@v5 
@@ -39,6 +39,8 @@ jobs:
 args: release --clean --skip=validate
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- HC_APPLE_DEVELOPER_USER: ${{ secrets.HC_APPLE_DEVELOPER_USER }}
- HC_APPLE_DEVELOPER_PASSWORD: ${{ secrets.HC_APPLE_DEVELOPER_PASSWORD }}
- HC_APPLE_IDENTITY: ${{ secrets.HC_APPLE_IDENTITY }}
+ APPLE_CERTIFICATE_P12_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_P12_PASSWORD }}
+
+ - name: Delete Apple certificate
+ if: always()
+ run: rm -f certificate.p12
diff --git a/.goreleaser.yml b/.goreleaser.yml
index 6a700432..8fcaf8f4 100644
--- a/.goreleaser.yml
+++ b/.goreleaser.yml
@@ -41,7 +41,16 @@ builds:
 - arm64
 hooks:
 post:
- - cmd: bash script/gon.sh "{{ .Path }}"
+ - cmd: >
+ {{- if index .Env "APPLE_CERTIFICATE_P12_PASSWORD" -}}
+ rcodesign sign
+ --p12-file certificate.p12
+ --p12-password "{{ .Env.APPLE_CERTIFICATE_P12_PASSWORD }}"
+ --code-signature-flags runtime
+ "{{ .Path }}"
+ {{- else -}}
+ echo "skipping rcodesign sign hook!"
+ {{- end -}}
 output: true

 snapshot:
diff --git a/script/decrypt_secrets.sh b/script/decrypt_secrets.sh
deleted file mode 100755
index 0f1f61b5..00000000
--- a/script/decrypt_secrets.sh
+++ /dev/null
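Review bot: The new cleanup step removes `certificate.p12` by a path relative to the checkout, which means the decoded Developer ID certificate sits in the repository workspace for the whole GoReleaser step; the step that writes it is only partly visible above this hunk, but the relative path here implies the same location. Writing the file under `$RUNNER_TEMP` keeps the key material out of the tree that GoReleaser and any later steps operate on, and lets the delete step use an absolute path: `run: rm -f "$RUNNER_TEMP/certificate.p12"` (with `--p12-file` in `.goreleaser.yml` pointed at the same location via an env var). Keeping `if: always()` on that step is correct, since otherwise a failed release leaves the certificate behind on a reused runner. The `APPLE_CERTIFICATE_P12_PASSWORD` export makes the password available to every hook GoReleaser runs, not just the signing one; that is fine for this config but worth a comment so a future hook does not log `$env`.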
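Review bot: The added hook passes the P12 password on the command line, `--p12-password "{{ .Env.APPLE_CERTIFICATE_P12_PASSWORD }}"`, so it is visible to any process on the runner through the process list and, if GoReleaser logs the hook command, lands in the build log (GitHub's secret masking covers the log but not argv); a password containing spaces or quotes would also be mangled when GoReleaser splits the command string. rcodesign accepts `--p12-password-file`, so the workflow step that decodes the certificate can also write the secret to a mode-0600 file in `$RUNNER_TEMP` and the hook can use `--p12-password-file "{{ .Env.APPLE_CERTIFICATE_P12_PASSWORD_FILE }}"` while the `index .Env` guard checks that variable instead. Separately, the removed `gon.sh` configured an `apple_id`, which, as far as I recall gon's behaviour, drove notarization; this replacement only signs with the hardened-runtime flag, so unless a notarization step exists elsewhere in the pipeline, downloaded macOS binaries will no longer carry a notarization ticket — `rcodesign notary-submit --api-key-file … --wait` after signing would restore it. The `else` branch exits 0 with only an echo, so a tag build with the secret missing ships unsigned binaries silently; consider failing in that branch when `GITHUB_REF_TYPE` is `tag`, as the old `gon.sh` distinguished tag builds.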
@@ -1,15 +0,0 @@
-#!/bin/sh
-
-gpg --quiet --batch --yes --decrypt --passphrase="$SECRETS_PASSWORD" --output ./.github/secrets/hcloud_cli.p12 ./.github/secrets/hcloud_cli.p12.gpg
-
-security create-keychain -p "" build.keychain
-# Use long timeout for keychain to avoid issues where codesign fails because the keychain is locked
-# before it was used. Default timeout is 300s
-security set-keychain-settings -u -t 3600 ~/Library/Keychains/build.keychain
-security import ./.github/secrets/hcloud_cli.p12 -t agg -k ~/Library/Keychains/build.keychain -P "$CERT_PASSWORD" -A
-
-security list-keychains -s ~/Library/Keychains/build.keychain
-security default-keychain -s ~/Library/Keychains/build.keychain
-security unlock-keychain -p "" ~/Library/Keychains/build.keychain
-
-security set-key-partition-list -S apple-tool:,apple: -s -k "" ~/Library/Keychains/build.keychain
diff --git a/script/gon.sh b/script/gon.sh
deleted file mode 100755
index 751a79ba..00000000
--- a/script/gon.sh
+++ /dev/null
@@ -1,30 +0,0 @@
-#!/usr/bin/env bash
-
-set -eu -o posix
-
-# Only sign on releasing
-if [[ "${GITHUB_REF_TYPE:-}" != "tag" ]]; then
- exit 0
-fi
-
-BINARY_PATH="$1"
-
-GON_CONFIG="gon_$RANDOM.json"
-cleanup() {
- rm -f "$GON_CONFIG"
-}
-trap cleanup EXIT
-
-printf '{
- "source": ["%s"],
- "bundle_id": "cloud.hetzner.cli",
- "apple_id": {
- "username": "integrations@hetzner-cloud.de",
- "password": "@env:HC_APPLE_DEVELOPER_PASSWORD"
- },
- "sign": {
- "application_identity": "Developer ID Application: Hetzner Cloud GmbH (4PM38G6W5R)"
- }
-}' "$BINARY_PATH" > "$GON_CONFIG"
-
-gon -log-level=debug "$GON_CONFIG"