Add release pipeline

2026-01-04 12:30:08 -06:00 · 2025-03-17 08:07:57 +01:00
parent 9baab6f00a
commit 8d609e43d0
2 changed files with 135 additions and 0 deletions
--- a/.github/workflows/ci-lume.yml
+++ b/.github/workflows/ci-lume.yml
--- a/.github/workflows/publish-lume.yml
+++ b/.github/workflows/publish-lume.yml
@@ -0,0 +1,135 @@
+name: Publish Notarized Lume
+
+on:
+  push:
+    tags:
+      - 'lume-v*'
+  workflow_dispatch:
+    inputs:
+      version:
+        description: 'Version to notarize (without v prefix)'
+        required: true
+        default: '0.1.0'
+  workflow_call:
+    inputs:
+      version:
+        description: 'Version to notarize'
+        required: true
+        type: string
+    secrets:
+      APPLICATION_CERT_BASE64:
+        required: true
+      INSTALLER_CERT_BASE64:
+        required: true
+      CERT_PASSWORD:
+        required: true
+      APPLE_ID:
+        required: true
+      TEAM_ID:
+        required: true
+      APP_SPECIFIC_PASSWORD:
+        required: true
+      DEVELOPER_NAME:
+        required: true
+
+permissions:
+  contents: write
+
+env:
+  APPLICATION_CERT_BASE64: ${{ secrets.APPLICATION_CERT_BASE64 }}
+  INSTALLER_CERT_BASE64: ${{ secrets.INSTALLER_CERT_BASE64 }}
+  CERT_PASSWORD: ${{ secrets.CERT_PASSWORD }}
+  APPLE_ID: ${{ secrets.APPLE_ID }}
+  TEAM_ID: ${{ secrets.TEAM_ID }}
+  APP_SPECIFIC_PASSWORD: ${{ secrets.APP_SPECIFIC_PASSWORD }}
+  DEVELOPER_NAME: ${{ secrets.DEVELOPER_NAME }}
+
+jobs:
+  notarize:
+    runs-on: macos-latest
+    outputs:
+      sha256_checksums: ${{ steps.generate_checksums.outputs.checksums }}
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up Swift
+        uses: swift-actions/setup-swift@v1
+
+      - name: Install dependencies
+        run: |
+          brew install xar
+          brew install cpio
+
+      - name: Create .release directory
+        run: mkdir -p .release
+
+      - name: Import Certificates
+        env:
+          APPLICATION_CERT_BASE64: ${{ secrets.APPLICATION_CERT_BASE64 }}
+          INSTALLER_CERT_BASE64: ${{ secrets.INSTALLER_CERT_BASE64 }}
+          CERT_PASSWORD: ${{ secrets.CERT_PASSWORD }}
+          KEYCHAIN_PASSWORD: "temp_password"
+        run: |
+          # Create a temporary keychain
+          security create-keychain -p "$KEYCHAIN_PASSWORD" build.keychain
+          security default-keychain -s build.keychain
+          security unlock-keychain -p "$KEYCHAIN_PASSWORD" build.keychain
+          security set-keychain-settings -t 3600 -l build.keychain
+
+          # Import certificates
+          echo $APPLICATION_CERT_BASE64 | base64 --decode > application.p12
+          echo $INSTALLER_CERT_BASE64 | base64 --decode > installer.p12
+          
+          security import application.p12 -k build.keychain -P "$CERT_PASSWORD" -T /usr/bin/codesign -T /usr/bin/pkgbuild
+          security import installer.p12 -k build.keychain -P "$CERT_PASSWORD" -T /usr/bin/codesign -T /usr/bin/pkgbuild
+          
+          # Allow codesign to access the certificates
+          security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$KEYCHAIN_PASSWORD" build.keychain
+          
+          # Clean up certificate files
+          rm application.p12 installer.p12
+
+      - name: Build and Notarize
+        env:
+          APPLE_ID: ${{ secrets.APPLE_ID }}
+          TEAM_ID: ${{ secrets.TEAM_ID }}
+          APP_SPECIFIC_PASSWORD: ${{ secrets.APP_SPECIFIC_PASSWORD }}
+          # These will now reference the imported certificates
+          CERT_APPLICATION_NAME: "Developer ID Application: ${{ secrets.DEVELOPER_NAME }} (${{ secrets.TEAM_ID }})"
+          CERT_INSTALLER_NAME: "Developer ID Installer: ${{ secrets.DEVELOPER_NAME }} (${{ secrets.TEAM_ID }})"
+        working-directory: ./libs/lume
+        run: |
+          chmod +x scripts/build/build-release-notarized.sh
+          ./scripts/build/build-release-notarized.sh
+
+      - name: Generate SHA256 Checksums
+        id: generate_checksums
+        working-directory: ./libs/lume/.release
+        run: |
+          echo "## SHA256 Checksums" > checksums.txt
+          echo '```' >> checksums.txt
+          shasum -a 256 lume.tar.gz >> checksums.txt
+          echo '```' >> checksums.txt
+          checksums=$(cat checksums.txt)
+          echo "checksums<<EOF" >> $GITHUB_OUTPUT
+          echo "$checksums" >> $GITHUB_OUTPUT
+          echo "EOF" >> $GITHUB_OUTPUT
+
+      - name: Upload Notarized Package
+        uses: actions/upload-artifact@v3
+        with:
+          name: lume-notarized
+          path: |
+            ./libs/lume/.release/lume.tar.gz
+            ./libs/lume/.release/lume.pkg.tar.gz
+
+      - name: Create Release
+        if: startsWith(github.ref, 'refs/tags/')
+        uses: softprops/action-gh-release@v1
+        with:
+          files: |
+            ./libs/lume/.release/lume.tar.gz
+            ./libs/lume/.release/lume.pkg.tar.gz
+          body: |
+            ${{ steps.generate_checksums.outputs.checksums }}
+          generate_release_notes: true