You've already forked archr-flasher
mirror of
https://github.com/archr-linux/archr-flasher.git
synced 2026-07-12 18:19:47 -07:00
e628d71a01
The certificate import step only placed the Developer ID certificate in the keychain; without APPLE_SIGNING_IDENTITY the tauri bundler silently skips signing and notarization, so every published macOS bundle shipped unsigned and Apple Silicon rejected the app with the damaged-app dialog. Extract the identity from the keychain after the import and export it for the build step, so no additional secret is required.
112 lines
4.1 KiB
YAML
112 lines
4.1 KiB
YAML
name: Build & Release
|
|
|
|
on:
|
|
push:
|
|
tags: ['v*']
|
|
workflow_dispatch:
|
|
|
|
permissions:
|
|
contents: write
|
|
|
|
jobs:
|
|
build:
|
|
strategy:
|
|
fail-fast: false
|
|
matrix:
|
|
include:
|
|
- platform: ubuntu-22.04
|
|
args: ''
|
|
- platform: macos-latest
|
|
args: '--target aarch64-apple-darwin'
|
|
- platform: macos-latest
|
|
args: '--target x86_64-apple-darwin'
|
|
- platform: windows-latest
|
|
args: ''
|
|
|
|
runs-on: ${{ matrix.platform }}
|
|
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
|
|
- name: Install Rust
|
|
uses: dtolnay/rust-toolchain@stable
|
|
with:
|
|
targets: ${{ matrix.platform == 'macos-latest' && 'aarch64-apple-darwin,x86_64-apple-darwin' || '' }}
|
|
|
|
- name: Rust cache
|
|
uses: swatinem/rust-cache@v2
|
|
with:
|
|
workspaces: './src-tauri -> target'
|
|
|
|
- name: Install system dependencies (Linux)
|
|
if: runner.os == 'Linux'
|
|
run: |
|
|
sudo apt-get update
|
|
sudo apt-get install -y \
|
|
libwebkit2gtk-4.1-dev \
|
|
libappindicator3-dev \
|
|
librsvg2-dev \
|
|
patchelf \
|
|
libxdo-dev \
|
|
libssl-dev \
|
|
libglib2.0-dev \
|
|
libgtk-3-dev
|
|
|
|
# macOS: import signing certificate from GitHub Secrets (skip if not configured)
|
|
- name: Import Apple certificate
|
|
if: runner.os == 'macOS' && env.APPLE_CERTIFICATE != ''
|
|
env:
|
|
APPLE_CERTIFICATE: ${{ secrets.APPLE_CERTIFICATE }}
|
|
APPLE_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
|
|
run: |
|
|
CERTIFICATE_PATH=$RUNNER_TEMP/certificate.p12
|
|
KEYCHAIN_PATH=$RUNNER_TEMP/app-signing.keychain-db
|
|
KEYCHAIN_PASSWORD=$(openssl rand -base64 32)
|
|
|
|
echo -n "$APPLE_CERTIFICATE" | base64 --decode -o $CERTIFICATE_PATH
|
|
|
|
security create-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
|
|
security set-keychain-settings -lut 21600 $KEYCHAIN_PATH
|
|
security unlock-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
|
|
security import $CERTIFICATE_PATH -P "$APPLE_CERTIFICATE_PASSWORD" \
|
|
-A -t cert -f pkcs12 -k $KEYCHAIN_PATH
|
|
security set-key-partition-list -S apple-tool:,apple: \
|
|
-k "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
|
|
security list-keychain -d user -s $KEYCHAIN_PATH
|
|
|
|
# Tell tauri which identity to sign with. The import above only
|
|
# places the certificate in the keychain; without
|
|
# APPLE_SIGNING_IDENTITY the bundler skips signing entirely and
|
|
# the app ships unsigned (Gatekeeper then shows the misleading
|
|
# "damaged" dialog). Extract the identity name from the
|
|
# keychain so no extra secret is needed.
|
|
IDENTITY=$(security find-identity -v -p codesigning $KEYCHAIN_PATH \
|
|
| sed -n 's/.*"\(.*\)".*/\1/p' | head -1)
|
|
echo "Signing identity: ${IDENTITY}"
|
|
echo "APPLE_SIGNING_IDENTITY=${IDENTITY}" >> $GITHUB_ENV
|
|
|
|
- name: Build and release
|
|
uses: tauri-apps/tauri-action@v0
|
|
env:
|
|
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
|
TAURI_SIGNING_PRIVATE_KEY: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY }}
|
|
TAURI_SIGNING_PRIVATE_KEY_PASSWORD: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY_PASSWORD }}
|
|
APPLE_ID: ${{ secrets.APPLE_ID }}
|
|
APPLE_PASSWORD: ${{ secrets.APPLE_PASSWORD }}
|
|
APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
|
|
with:
|
|
tagName: v__VERSION__
|
|
releaseName: 'Arch R Flasher v__VERSION__'
|
|
releaseBody: 'See the assets to download and install.'
|
|
releaseDraft: true
|
|
prerelease: false
|
|
includeUpdaterJson: true
|
|
args: ${{ matrix.args }}
|
|
|
|
# macOS: cleanup keychain (only if certificate was imported)
|
|
- name: Cleanup keychain
|
|
if: runner.os == 'macOS' && always() && env.APPLE_CERTIFICATE != ''
|
|
env:
|
|
APPLE_CERTIFICATE: ${{ secrets.APPLE_CERTIFICATE }}
|
|
run: security delete-keychain $RUNNER_TEMP/app-signing.keychain-db 2>/dev/null || true
|