From 634b57ce5d6a5b3c318e5416af7a8f8bc9a367be Mon Sep 17 00:00:00 2001
From: perf3ct
Date: Wed, 26 Feb 2025 18:33:57 +0000
Subject: [PATCH 1/2] let's see if we can contain the signing explosion to just build-electron
---
 .github/actions/build-electron/action.yml | 14 +++++------
 .github/workflows/main.yml | 30 -----------------------
 2 files changed, 7 insertions(+), 37 deletions(-)
diff --git a/.github/actions/build-electron/action.yml b/.github/actions/build-electron/action.yml
index dca9bc3b8..f40535d38 100644
--- a/.github/actions/build-electron/action.yml
+++ b/.github/actions/build-electron/action.yml
@@ -20,8 +20,8 @@ runs:
 if: inputs.os == 'macos'
 uses: apple-actions/import-codesign-certs@v2
 with:
- p12-file-base64: ${{ env.APPLE_APP_CERTIFICATE_BASE64 }}
- p12-password: ${{ env.APPLE_APP_CERTIFICATE_PASSWORD }}
+ p12-file-base64: ${{ secrets.APPLE_APP_CERTIFICATE_BASE64 }}
+ p12-password: ${{ secrets.APPLE_APP_CERTIFICATE_PASSWORD }}
 keychain: build
 keychain-password: ${{ github.run_id }}
@@ -29,8 +29,8 @@ runs:
 if: inputs.os == 'macos'
 uses: apple-actions/import-codesign-certs@v2
 with:
- p12-file-base64: ${{ env.APPLE_INSTALLER_CERTIFICATE_BASE64 }}
- p12-password: ${{ env.APPLE_INSTALLER_CERTIFICATE_PASSWORD }}
+ p12-file-base64: ${{ secrets.APPLE_INSTALLER_CERTIFICATE_BASE64 }}
+ p12-password: ${{ secrets.APPLE_INSTALLER_CERTIFICATE_PASSWORD }}
 keychain: build
 keychain-password: ${{ github.run_id }}
 # We don't need to create a keychain here because we're using the build keychain that was created in the previous step
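Review bot: The `secrets` context is not available to a composite action, so the added `p12-file-base64: ${{ secrets.APPLE_APP_CERTIFICATE_BASE64 }}` and `p12-password: ${{ secrets.APPLE_APP_CERTIFICATE_PASSWORD }}` lines resolve to empty strings when action.yml runs, and the same applies to the @@ -29 hunk and to the @@ -74 hunk below. Because the import steps are gated by `if: inputs.os == 'macos'`, the failure surfaces only on the macOS leg, where `import-codesign-certs` receives an empty certificate and password instead of a clear configuration error. The second patch in this series reverts these lines to `env.*`; a cleaner alternative is to declare the seven values as `inputs:` of the composite action and reference `inputs.*` here, which makes the caller's obligation explicit without relying on either context.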
@@ -74,9 +74,9 @@ runs:
 shell: bash
 env:
 # Pass through required environment variables for signing and notarization
- APPLE_TEAM_ID: ${{ env.APPLE_TEAM_ID }}
- APPLE_ID: ${{ env.APPLE_ID }}
- APPLE_ID_PASSWORD: ${{ env.APPLE_ID_PASSWORD }}
+ APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
+ APPLE_ID: ${{ secrets.APPLE_ID }}
+ APPLE_ID_PASSWORD: ${{ secrets.APPLE_ID_PASSWORD }}
 run: |
 # Map OS names to Electron Forge platform names
 if [ "${{ inputs.os }}" = "macos" ]; then
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index b469ac79b..704dc4be5 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -33,36 +33,6 @@ jobs:
 runs-on: ${{ matrix.os.image }}
 steps:
 - uses: actions/checkout@v4
-
- # Set up certificates and keychain for macOS
- - name: Install Apple Certificates
- if: matrix.os.name == 'macos'
- env:
- APP_CERTIFICATE_BASE64: ${{ secrets.APPLE_APP_CERTIFICATE_BASE64 }}
- APP_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_APP_CERTIFICATE_PASSWORD }}
- INSTALLER_CERTIFICATE_BASE64: ${{ secrets.APPLE_INSTALLER_CERTIFICATE_BASE64 }}
- INSTALLER_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_INSTALLER_CERTIFICATE_PASSWORD }}
- KEYCHAIN_PASSWORD: ${{ github.run_id }}
- run: |
- # Create keychain
- security create-keychain -p "$KEYCHAIN_PASSWORD" build.keychain
- security default-keychain -s build.keychain
- security unlock-keychain -p "$KEYCHAIN_PASSWORD" build.keychain
- security set-keychain-settings -t 3600 -u build.keychain
-
- # Import application certificate
- echo "$APP_CERTIFICATE_BASE64" | base64 --decode > application.p12
- security import application.p12 -k build.keychain -P "$APP_CERTIFICATE_PASSWORD" -T /usr/bin/codesign
- rm application.p12
-
- # Import installer certificate
- echo "$INSTALLER_CERTIFICATE_BASE64" | base64 --decode > installer.p12
- security import installer.p12 -k build.keychain -P "$INSTALLER_CERTIFICATE_PASSWORD" -T /usr/bin/codesign
- rm installer.p12
-
- # Update keychain settings
- security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$KEYCHAIN_PASSWORD" build.keychain
-
 - name: Set up node & dependencies
 uses: actions/setup-node@v4
 with:
From 10561766243e82f90a1144b843e744dc5f5bd7f1 Mon Sep 17 00:00:00 2001
From: perf3ct
Date: Wed, 26 Feb 2025 18:51:14 +0000
Subject: [PATCH 2/2] we have to pass the secret values to the composite github actions
---
 .github/actions/build-electron/action.yml | 14 +++++++-------
 .github/workflows/main.yml | 4 ++++
 .github/workflows/nightly.yml | 10 +++++++++-
 3 files changed, 20 insertions(+), 8 deletions(-)
diff --git a/.github/actions/build-electron/action.yml b/.github/actions/build-electron/action.yml
index f40535d38..dca9bc3b8 100644
--- a/.github/actions/build-electron/action.yml
+++ b/.github/actions/build-electron/action.yml
@@ -20,8 +20,8 @@ runs:
 if: inputs.os == 'macos'
 uses: apple-actions/import-codesign-certs@v2
 with:
- p12-file-base64: ${{ secrets.APPLE_APP_CERTIFICATE_BASE64 }}
- p12-password: ${{ secrets.APPLE_APP_CERTIFICATE_PASSWORD }}
+ p12-file-base64: ${{ env.APPLE_APP_CERTIFICATE_BASE64 }}
+ p12-password: ${{ env.APPLE_APP_CERTIFICATE_PASSWORD }}
 keychain: build
 keychain-password: ${{ github.run_id }}
@@ -29,8 +29,8 @@ runs:
 if: inputs.os == 'macos'
 uses: apple-actions/import-codesign-certs@v2
 with:
- p12-file-base64: ${{ secrets.APPLE_INSTALLER_CERTIFICATE_BASE64 }}
- p12-password: ${{ secrets.APPLE_INSTALLER_CERTIFICATE_PASSWORD }}
+ p12-file-base64: ${{ env.APPLE_INSTALLER_CERTIFICATE_BASE64 }}
+ p12-password: ${{ env.APPLE_INSTALLER_CERTIFICATE_PASSWORD }}
 keychain: build
 keychain-password: ${{ github.run_id }}
 # We don't need to create a keychain here because we're using the build keychain that was created in the previous step
@@ -74,9 +74,9 @@ runs:
 shell: bash
 env:
 # Pass through required environment variables for signing and notarization
- APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
- APPLE_ID: ${{ secrets.APPLE_ID }}
- APPLE_ID_PASSWORD: ${{ secrets.APPLE_ID_PASSWORD }}
+ APPLE_TEAM_ID: ${{ env.APPLE_TEAM_ID }}
+ APPLE_ID: ${{ env.APPLE_ID }}
+ APPLE_ID_PASSWORD: ${{ env.APPLE_ID_PASSWORD }}
 run: |
 # Map OS names to Electron Forge platform names
 if [ "${{ inputs.os }}" = "macos" ]; then
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 704dc4be5..1acdf4709 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
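Review bot: The restored `${{ env.APPLE_APP_CERTIFICATE_BASE64 }}` / `${{ env.APPLE_APP_CERTIFICATE_PASSWORD }}` references in the @@ -20 hunk (and likewise in the @@ -29 and @@ -74 hunks) make action.yml depend on step-level environment variables that the action never declares, so a caller that omits the `env:` block gets an empty certificate and password with no error at the `uses:` boundary. Declaring them as action inputs would make the contract visible, e.g. `apple-app-certificate-base64:` with a `description:` and `required: true` under `inputs:`, and then `p12-file-base64: ${{ inputs.apple-app-certificate-base64 }}` at this line; the other six values would follow the same pattern. Until then the comment at @@ -74, `# Pass through required environment variables for signing and notarization`, should say where they originate, e.g. `# Supplied by the calling workflow's step-level env: block (see .github/workflows/main.yml and nightly.yml)`. Also at @@ -74, `APPLE_ID_PASSWORD: ${{ env.APPLE_ID_PASSWORD }}` exports the notarization credential into the `run:` shell on every OS although only the macOS branch of the script appears to need it (the `run:` block continues past the hunk); gating the value, `APPLE_ID_PASSWORD: ${{ inputs.os == 'macos' && env.APPLE_ID_PASSWORD || '' }}`, keeps it out of the Linux and Windows build environments.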
@@ -44,6 +44,10 @@ jobs:
 arch: ${{ matrix.arch }}
 extension: ${{ matrix.os.extension }}
 env:
+ APPLE_APP_CERTIFICATE_BASE64: ${{ secrets.APPLE_APP_CERTIFICATE_BASE64 }}
+ APPLE_APP_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_APP_CERTIFICATE_PASSWORD }}
+ APPLE_INSTALLER_CERTIFICATE_BASE64: ${{ secrets.APPLE_INSTALLER_CERTIFICATE_BASE64 }}
+ APPLE_INSTALLER_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_INSTALLER_CERTIFICATE_PASSWORD }}
 APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
 APPLE_ID: ${{ secrets.APPLE_ID }}
 APPLE_ID_PASSWORD: ${{ secrets.APPLE_ID_PASSWORD }}
diff --git a/.github/workflows/nightly.yml b/.github/workflows/nightly.yml
index c339fd37d..1a7437423 100644
--- a/.github/workflows/nightly.yml
+++ b/.github/workflows/nightly.yml
@@ -2,7 +2,7 @@ name: Nightly Release
 on:
 # This can be used to automatically publish nightlies at UTC nighttime
 schedule:
- - cron: '0 2 * * *' # run at 2 AM UTC
+ - cron: "0 2 * * *" # run at 2 AM UTC
 # This can be used to allow manually triggering nightlies from the web interface
 workflow_dispatch:
 env:
@@ -45,6 +45,14 @@ jobs:
 os: ${{ matrix.os.name }}
 arch: ${{ matrix.arch }}
 extension: ${{ join(matrix.os.extension, ' ') }}
+ env:
+ APPLE_APP_CERTIFICATE_BASE64: ${{ secrets.APPLE_APP_CERTIFICATE_BASE64 }}
+ APPLE_APP_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_APP_CERTIFICATE_PASSWORD }}
+ APPLE_INSTALLER_CERTIFICATE_BASE64: ${{ secrets.APPLE_INSTALLER_CERTIFICATE_BASE64 }}
+ APPLE_INSTALLER_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_INSTALLER_CERTIFICATE_PASSWORD }}
+ APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
+ APPLE_ID: ${{ secrets.APPLE_ID }}
+ APPLE_ID_PASSWORD: ${{ secrets.APPLE_ID_PASSWORD }}
 - name: Publish release
 uses: softprops/action-gh-release@v2
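Review bot: The four `APPLE_*_CERTIFICATE_*` secrets added to the step-level `env:` in the main.yml @@ -44 hunk are set for every matrix entry, so on the Linux and Windows legs they sit in the environment of the whole build-electron step, including the Electron Forge build and any package lifecycle scripts it runs, although only the macOS signing steps consume them. Exposure is narrower if the composite action declared these as `inputs:` and the workflow passed them through `with:`, since an input is interpolated only where it is referenced rather than exported to every child process of the step; failing that, gate the values on the OS, e.g. `APPLE_APP_CERTIFICATE_BASE64: ${{ matrix.os.name == 'macos' && secrets.APPLE_APP_CERTIFICATE_BASE64 || '' }}`. The nightly.yml hunk below adds the same block, so the two workflows now carry duplicated secret wiring that must be kept in sync; a short comment above each block, e.g. `# Must match the env expected by .github/actions/build-electron/action.yml`, would help the next editor.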