ci.yml
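name: build

# Runs for every push and for every pull request.
on:
  push:
  pull_request:

# Least privilege for GITHUB_TOKEN: nothing in this workflow writes to the
# repository, so read access to contents (used by checkout) is sufficient.
permissions:
  contents: read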
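jobs:
  # Builds the plugin against a freshly built Quicksilver checkout and uploads
  # the unsigned bundle. No secrets are referenced in this job.
  build:
    runs-on: macos-11
    env:
      QS_BUILD_ONLY: 1
      QS_SOURCE_ROOT: "/tmp/git/quicksilver"
    steps:
      # NOTE(review): `@v2` is a mutable tag. Pinning each action to a full
      # commit SHA keeps a retagged release from changing what runs here.
      - uses: actions/checkout@v2
        with:
          submodules: recursive

      - name: Build plugin
        run: |
          set -Eeuf -o pipefail

          log() {
            echo "$*" > /dev/stderr
          }

          err() {
            log "error: $*"
            exit 1
          }

          json() {
            # Usage: stdin is json content, $1 is a chain of bracketed keys,
            # each either a double-quoted string or an integer index.
            # Example: `xcodebuild -list -json | json '["project"]["configurations"][0]'`
            python3 -c '
          import json
          import sys

          content = json.load(sys.stdin)
          # The query is parsed as data rather than passed to eval(), so
          # neither the build output nor the query string is ever executed.
          # Rewriting "][" as "," turns ["a"]["b"][0] into the JSON array
          # ["a","b",0]; keys that themselves contain "][" are not supported.
          keys = json.loads(sys.argv[1].replace("][", ","))
          output = content
          for key in keys:
              output = output[key]
          # Strips quotes if there is a simple result
          if isinstance(output, str):
              print(output)
          # Pretty-print arrays and dicts
          else:
              print(json.dumps(output, indent=4))
          ' "$1"
          }

          configuration=Release

          # Builds the most recent upstream tag (sorted by creatordate), so
          # this input is not pinned to a fixed revision.
          mkdir -p "${QS_SOURCE_ROOT}"
          git clone --recurse-submodules "https://github.com/quicksilver/Quicksilver.git" "${QS_SOURCE_ROOT}"
          pushd "${QS_SOURCE_ROOT}"
          latest_tag=$(git tag --list --sort=creatordate | tail -n 1)
          git checkout "${latest_tag}"
          pushd Quicksilver
          # Retries until the app binary exists. xcodebuild failures are
          # ignored (`|| true`), so the loop has no bound of its own.
          while [[ ! -x "/tmp/QS/build/${configuration}/Quicksilver.app/Contents/MacOS/Quicksilver" ]]; do
            xcodebuild \
              -quiet \
              -destination generic/platform=macos \
              -configuration "${configuration}" \
              -scheme 'Quicksilver Distribution' \
              build || true
          done
          popd
          popd

          project=$(find . -maxdepth 1 -name '*.xcodeproj' -not -iname "*test.xcodeproj" -print -quit)
          if [[ -z "${project}" ]]; then
            scheme_list=$(xcodebuild -list -json || true)
          else
            scheme_list=$(xcodebuild -list -json -project "${project}")
          fi
          if [[ -z "${scheme_list}" ]]; then
            err "unable to determine scheme list"
          fi

          scheme=$(json '["project"]["targets"][0]' <<< "${scheme_list}")
          log "Using default scheme: ${scheme}"

          # Absence of a project can still build, but will error if `-project` is specified
          opts=(-configuration "${configuration}" -scheme "${scheme}")
          if [[ -n "${project}" ]]; then
            opts+=(-project "${project}")
          fi

          SETTINGS=$(xcodebuild "${opts[@]}" -showBuildSettings -json)
          xcodebuild build -quiet "${opts[@]}"

          # PLUGIN_NAME comes from the project's own build settings and is
          # exported to later steps through the GITHUB_ENV file.
          PLUGIN_NAME=$(json '[0]["buildSettings"]["FULL_PRODUCT_NAME"]' <<< "${SETTINGS}")
          echo "PLUGIN_NAME=${PLUGIN_NAME}" >> "${GITHUB_ENV}"
          log "Built ${PLUGIN_NAME} successfully"

      - name: Archive plugin
        working-directory: /tmp/QS/build/Release/Quicksilver.app/Contents/PlugIns/
        run: |
          tar -czvf "${PLUGIN_NAME}.tar.gz" "${PLUGIN_NAME}"

      - name: Upload components for sign action
        uses: actions/upload-artifact@v2
        with:
          name: UNSIGNED_PLUGIN
          path: /tmp/QS/build/Release/Quicksilver.app/Contents/PlugIns/${{ env.PLUGIN_NAME }}.tar.gz

  # Signs the bundle produced by the build job and uploads the signed archive.
  # NOTE(review): the workflow triggers on both push and pull_request and this
  # job has no `if:` guard, so it signs whatever the build job produced for
  # either event. Confirm that is intended. Pull requests from forks do not
  # receive repository secrets, so signing would run with empty values there.
  sign:
    needs: build
    runs-on: macos-11
    steps:
      - name: Download targz artifact
        uses: actions/download-artifact@v2
        with:
          name: UNSIGNED_PLUGIN
          path: /tmp/QS/build/Release/

      - name: Unarchive artifact
        run: |
          cd /tmp/QS/build/Release
          tar -xzvf *.tar.gz
          rm -r *.tar.gz

      - name: Sign plugin
        working-directory: /tmp/QS/build/Release/
        # The signing secrets are scoped to this step, the only one that reads
        # them, instead of being exported to every step and action in the job.
        env:
          MACOS_CERTIFICATE: ${{ secrets.MACOS_CERTIFICATE }}
          MACOS_CERTIFICATE_PASSWORD: ${{ secrets.MACOS_CERTIFICATE_PASSWORD }}
          KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }}
          SIGNING_IDENTITY: ${{ secrets.SIGNING_IDENTITY }}
        run: |
          # xtrace is deliberately off in this step: `set -x` echoes every
          # expanded command line, which would write the keychain and
          # certificate passwords to the job log and leave log masking as the
          # only protection.
          # https://docs.github.com/en/actions/deployment/deploying-xcode-applications/installing-an-apple-certificate-on-macos-runners-for-xcode-development
          KEYCHAIN_PATH=${RUNNER_TEMP}/app-signing.keychain-db
          CERTIFICATE_PATH=${RUNNER_TEMP}/build_certificate.p12

          echo -n "${MACOS_CERTIFICATE}" | base64 --decode --output "${CERTIFICATE_PATH}"

          security create-keychain -p "${KEYCHAIN_PASSWORD}" "${KEYCHAIN_PATH}"
          security default-keychain -s "${KEYCHAIN_PATH}"
          security set-keychain-settings -lut 21600 "${KEYCHAIN_PATH}"
          security unlock-keychain -p "${KEYCHAIN_PASSWORD}" "${KEYCHAIN_PATH}"
          security import "${CERTIFICATE_PATH}" -P "${MACOS_CERTIFICATE_PASSWORD}" -A -t cert -f pkcs12 -k "${KEYCHAIN_PATH}"

          codesign --force -vvv --deep --sign "${SIGNING_IDENTITY}" *.qsplugin

      - name: Archive signed plugin
        working-directory: /tmp/QS/build/Release
        run: |
          set -x
          # Assumes exactly one *.qsplugin is found; several matches would put
          # extra lines into the GITHUB_ENV file -- TODO confirm.
          PLUGIN_NAME=$(find . -name "*.qsplugin" -exec basename {} \;)
          echo "PLUGIN_NAME=${PLUGIN_NAME}" >> "${GITHUB_ENV}"
          tar -czvf "${PLUGIN_NAME}.tar.gz" "${PLUGIN_NAME}"

      - name: Upload document
        uses: actions/upload-artifact@v2
        with:
          name: SIGNED_PLUGIN
          path: /tmp/QS/build/Release/${{ env.PLUGIN_NAME }}.tar.gz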