Files
archr-flasher/.github/workflows/build.yml
T
Douglas Teles e628d71a01 ci: pass the imported certificate identity to the bundler
The certificate import step only placed the Developer ID certificate
in the keychain; without APPLE_SIGNING_IDENTITY the tauri bundler
silently skips signing and notarization, so every published macOS
bundle shipped unsigned and Apple Silicon rejected the app with the
damaged-app dialog. Extract the identity from the keychain after the
import and export it for the build step, so no additional secret is
required.
2026-07-08 11:36:59 -03:00

112 lines
4.1 KiB
YAML

name: Build & Release
on:
push:
tags: ['v*']
workflow_dispatch:
permissions:
contents: write
jobs:
build:
strategy:
fail-fast: false
matrix:
include:
- platform: ubuntu-22.04
args: ''
- platform: macos-latest
args: '--target aarch64-apple-darwin'
- platform: macos-latest
args: '--target x86_64-apple-darwin'
- platform: windows-latest
args: ''
runs-on: ${{ matrix.platform }}
steps:
- uses: actions/checkout@v4
- name: Install Rust
uses: dtolnay/rust-toolchain@stable
with:
targets: ${{ matrix.platform == 'macos-latest' && 'aarch64-apple-darwin,x86_64-apple-darwin' || '' }}
- name: Rust cache
uses: swatinem/rust-cache@v2
with:
workspaces: './src-tauri -> target'
- name: Install system dependencies (Linux)
if: runner.os == 'Linux'
run: |
sudo apt-get update
sudo apt-get install -y \
libwebkit2gtk-4.1-dev \
libappindicator3-dev \
librsvg2-dev \
patchelf \
libxdo-dev \
libssl-dev \
libglib2.0-dev \
libgtk-3-dev
# macOS: import signing certificate from GitHub Secrets (skip if not configured)
- name: Import Apple certificate
if: runner.os == 'macOS' && env.APPLE_CERTIFICATE != ''
env:
APPLE_CERTIFICATE: ${{ secrets.APPLE_CERTIFICATE }}
APPLE_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
run: |
CERTIFICATE_PATH=$RUNNER_TEMP/certificate.p12
KEYCHAIN_PATH=$RUNNER_TEMP/app-signing.keychain-db
KEYCHAIN_PASSWORD=$(openssl rand -base64 32)
echo -n "$APPLE_CERTIFICATE" | base64 --decode -o $CERTIFICATE_PATH
security create-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
security set-keychain-settings -lut 21600 $KEYCHAIN_PATH
security unlock-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
security import $CERTIFICATE_PATH -P "$APPLE_CERTIFICATE_PASSWORD" \
-A -t cert -f pkcs12 -k $KEYCHAIN_PATH
security set-key-partition-list -S apple-tool:,apple: \
-k "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
security list-keychain -d user -s $KEYCHAIN_PATH
# Tell tauri which identity to sign with. The import above only
# places the certificate in the keychain; without
# APPLE_SIGNING_IDENTITY the bundler skips signing entirely and
# the app ships unsigned (Gatekeeper then shows the misleading
# "damaged" dialog). Extract the identity name from the
# keychain so no extra secret is needed.
IDENTITY=$(security find-identity -v -p codesigning $KEYCHAIN_PATH \
| sed -n 's/.*"\(.*\)".*/\1/p' | head -1)
echo "Signing identity: ${IDENTITY}"
echo "APPLE_SIGNING_IDENTITY=${IDENTITY}" >> $GITHUB_ENV
- name: Build and release
uses: tauri-apps/tauri-action@v0
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
TAURI_SIGNING_PRIVATE_KEY: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY }}
TAURI_SIGNING_PRIVATE_KEY_PASSWORD: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY_PASSWORD }}
APPLE_ID: ${{ secrets.APPLE_ID }}
APPLE_PASSWORD: ${{ secrets.APPLE_PASSWORD }}
APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
with:
tagName: v__VERSION__
releaseName: 'Arch R Flasher v__VERSION__'
releaseBody: 'See the assets to download and install.'
releaseDraft: true
prerelease: false
includeUpdaterJson: true
args: ${{ matrix.args }}
# macOS: cleanup keychain (only if certificate was imported)
- name: Cleanup keychain
if: runner.os == 'macOS' && always() && env.APPLE_CERTIFICATE != ''
env:
APPLE_CERTIFICATE: ${{ secrets.APPLE_CERTIFICATE }}
run: security delete-keychain $RUNNER_TEMP/app-signing.keychain-db 2>/dev/null || true