
feat: sign and notarize apple binaries #149

Workflow file for this run

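# CI workflow: lints the Rust workspace on a macOS runner, then signs and
# notarizes the debug `s2` binary using Apple credentials from repository
# secrets. The `ci` job is a single gate that fails when `lint` did not succeed.
name: CI
permissions:
  contents: read
on:
  pull_request:
  push:
    branches:
      - main
env:
  RUST_BACKTRACE: 1
  CARGO_TERM_COLOR: always
  CLICOLOR: 1
  CARGO_INCREMENTAL: 0
  CARGO_NET_GIT_FETCH_WITH_CLI: true
concurrency:
  group: "${{ github.workflow }}-${{ github.ref }}"
  cancel-in-progress: true
jobs:
  ci:
    # Gate job: needs no repository access, so drop the token's content scope.
    permissions:
      contents: none
    name: CI
    needs: lint
    runs-on: ubuntu-latest
    # always() so the gate still runs (and fails) when `lint` did not succeed.
    if: always()
    steps:
      - name: Failed
        run: exit 1
        if: contains(needs.*.result, 'failure') || contains(needs.*.result, 'cancelled') || contains(needs.*.result, 'skipped')
  lint:
    # NOTE(review): this job also runs on pull_request. Secrets are not passed
    # to runs triggered from forks, so the credential, signing and notarization
    # steps will fail there; consider moving signing into a job restricted to
    # pushes on main.
    # NOTE(review): every `uses:` below references a mutable tag or branch.
    # Pin each to a full commit SHA (`owner/action@<full-commit-sha>`),
    # especially the action that is handed the signing key and API key.
    runs-on: macos-latest
    steps:
      - name: checkout
        uses: actions/checkout@v4
      - name: install rust
        uses: dtolnay/rust-toolchain@stable
        with:
          toolchain: stable
          components: rustfmt, clippy
      - name: install protoc
        uses: arduino/setup-protoc@v3
        with:
          repo-token: ${{ secrets.GITHUB_TOKEN }}
      # The token is passed through the step environment rather than being
      # expanded into the script text, so the value never becomes part of the
      # generated shell script and cannot be re-parsed as shell syntax.
      # It is still written to the global git config and stays readable by
      # every later step, including build scripts run by cargo; scope the
      # token to read-only access on the repositories cargo has to fetch.
      # NOTE(review): the host parts of the first rule were mangled in the
      # rendered page and are restored from the two sibling rules; confirm
      # against the repository copy.
      - env:
          GH_TOKEN: ${{ secrets.GH_TOKEN }}
        run: |
          git config --global --add url."https://${GH_TOKEN}:x-oauth-basic@github.com/".insteadOf "git@github.com:"
          git config --global --add url."https://${GH_TOKEN}:x-oauth-basic@github".insteadOf https://github
          git config --global --add url."https://${GH_TOKEN}:x-oauth-basic@github".insteadOf ssh://git@github
      - uses: Swatinem/rust-cache@v2
      - name: Install cargo-sort
        uses: baptiste0928/cargo-install@v3
        with:
          crate: cargo-sort
          version: "^1.0"
      - name: Check documentation
        env:
          RUSTDOCFLAGS: -D warnings
        run: cargo doc --workspace --all-features --no-deps --document-private-items
      - name: Check formatting
        run: cargo fmt --all -- --check
      - name: check clippy
        run: cargo clippy --workspace --all-features --all-targets -- -D warnings --allow deprecated
      - name: Check Cargo.toml sorting
        run: cargo sort --workspace --check
      # Build before any signing material is written to disk: cargo runs build
      # scripts and proc macros from the checked-out code and its dependencies,
      # and those should not find the private key in the workspace.
      - name: why???
        run: cargo build
      - name: Create pem and certificate.der files
        env:
          MACOS_PEM: ${{ secrets.MACOS_PEM }}
          MACOS_CERTIFICATE_DER: ${{ secrets.MACOS_CERTIFICATE_DER }}
        run: |
          # Owner-only permissions on the decoded key and certificate.
          umask 077
          echo "$MACOS_PEM" | base64 -d -o macos.pem
          echo "$MACOS_CERTIFICATE_DER" | base64 -d -o certificate.der
      - name: Sign macos binary
        uses: indygreg/apple-code-sign-action@v1
        with:
          input_path: ./target/debug/s2
          pem_file: macos.pem
          certificate_der_file: certificate.der
          sign: true
          sign_args: "--code-signature-flags=runtime"
      - name: Prepare artifacts
        shell: bash
        run: |
          cd target/debug
          # Two levels up is the workspace root, where the notarize step reads
          # `s2.zip`; three levels up would place the archive outside it.
          zip -r ../../s2.zip s2
      - name: App store connect api key
        env:
          APP_STORE_CONNECT_API_KEY: ${{ secrets.APP_STORE_CONNECT_API_KEY }}
        run: |
          # Expanding the secret inside a double-quoted shell string would let
          # the shell consume the JSON's own double quotes; printf with the
          # value taken from the environment writes it byte-for-byte.
          umask 077
          printf '%s\n' "$APP_STORE_CONNECT_API_KEY" > app_store_connect_api_key.json
      - name: Notarize macos binary
        uses: indygreg/apple-code-sign-action@v1
        with:
          input_path: s2.zip
          sign: false
          notarize: true
          app_store_connect_api_key_json_file: app_store_connect_api_key.json
      # Remove key material even when an earlier step failed.
      - name: Remove signing material
        if: always()
        run: rm -f macos.pem certificate.der app_store_connect_api_key.json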