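# Builds, signs, notarizes and publishes the macOS app on version tags / published releases.
#
# Changes versus the previous revision of this workflow:
#   - the secrets the scripts read ($APPLE_CERTIFICATE_P12_BASE64, $APPLE_CERTIFICATE_PASSWORD,
#     $APPLE_ID, $APPLE_TEAM_ID, $APPLE_APP_SPECIFIC_PASSWORD) are now mapped into `env:`;
#     GitHub does not expose secrets to `run` steps implicitly, so they were empty before
#     (secret names are assumed to match those variable names — confirm in repository settings)
#   - the decoded .p12 is removed after import and the throw-away keychain is deleted at the end
#   - the Gatekeeper (spctl) assessment runs after notarization + stapling instead of before
#   - the app is zipped with `ditto` (preserves symlinks/bundle metadata) and the notarization
#     outcome is checked explicitly
#   - the appcast.xml existence check happens on gh-pages (where the file is edited), and the
#     multi-line entry is inserted with awk instead of a BSD-sed replacement containing raw
#     newlines, which sed does not accept
name: macOS Build, Sign, & Notarize

on:
  push:
    tags:
      - 'v*'
  release:
    types: [published]

jobs:
  build-sign-notarize:
    runs-on: macos-latest
    # Least privilege: the job token only needs to upload release assets and push gh-pages.
    permissions:
      contents: write
    steps:
      # Supply-chain note: `@v4` / `@v2` are mutable tags. Pinning to a full commit SHA
      # (`uses: actions/checkout@<commit-sha>`) makes the run reproducible; no SHA is
      # recorded here, so the tags are kept as they were.
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Derive version from tag
        # Both `push: tags` and `release: published` set GITHUB_REF to refs/tags/<tag>.
        run: |
          VERSION=${GITHUB_REF#refs/tags/}
          echo "VERSION=$VERSION" >> "$GITHUB_ENV"
          echo "SHORT_VERSION=${VERSION#v}" >> "$GITHUB_ENV"

      - name: Import Developer ID certificate
        id: import-cert
        env:
          APPLE_CERTIFICATE_P12_BASE64: ${{ secrets.APPLE_CERTIFICATE_P12_BASE64 }}
          APPLE_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
        run: |
          set -e
          if [ -z "$APPLE_CERTIFICATE_P12_BASE64" ]; then
            echo "APPLE_CERTIFICATE_P12_BASE64 is empty; cannot import the signing certificate." >&2
            exit 1
          fi
          printf "%s" "$APPLE_CERTIFICATE_P12_BASE64" | base64 --decode > signing_certificate.p12
          # Throw-away keychain for this job only (empty password is acceptable on an
          # ephemeral runner); it is deleted in the final cleanup step.
          security create-keychain -p "" build.keychain
          security default-keychain -s build.keychain
          security unlock-keychain -p "" build.keychain
          security import signing_certificate.p12 \
            -k build.keychain \
            -P "$APPLE_CERTIFICATE_PASSWORD" \
            -T /usr/bin/codesign
          # The private key now lives in the keychain; do not leave the .p12 on disk.
          rm -f signing_certificate.p12
          security list-keychains -d user -s build.keychain login.keychain
          security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "" build.keychain
          IDENTITY=$(security find-identity -v -p codesigning | grep "Developer ID Application" | head -n1 | awk '{print $2}')
          # Fail here with a clear message instead of letting codesign fail later on an empty identity.
          if [ -z "$IDENTITY" ]; then
            echo "No 'Developer ID Application' identity found after import." >&2
            exit 1
          fi
          echo "SIGNING_IDENTITY=$IDENTITY" >> "$GITHUB_ENV"
          echo "Imported certificate and set up keychain successfully."

      - name: Build app
        run: |
          set -e
          mkdir -p build
          echo "Attempting universal build (arm64 + x86_64)..."
          # Fall back to an arm64-only build if the universal build fails.
          if ! xcodebuild -scheme Nook -configuration Release -arch arm64 -arch x86_64 -derivedDataPath build; then
            echo "Universal build failed, retrying Apple Silicon only..."
            xcodebuild -scheme Nook -configuration Release -arch arm64 -derivedDataPath build
          fi
          cp -R "build/Build/Products/Release/Nook.app" ./Nook.app

      - name: Codesign app
        # NOTE(review): Apple's documentation discourages --deep for distribution signing
        # (nested code should be signed inside-out); kept here to preserve current behaviour.
        run: |
          codesign --deep --force --verify --verbose \
            --options runtime \
            --entitlements Nook/entitlements.plist \
            --sign "$SIGNING_IDENTITY" \
            "Nook.app"

      - name: Verify code signature
        # Only the signature is checked here; the Gatekeeper assessment runs after stapling,
        # since an unnotarized Developer ID app is rejected by spctl on current macOS.
        run: |
          codesign --verify --deep --strict --verbose=2 "Nook.app"

      - name: Notarize app
        env:
          NOTARY_PROFILE: "nook-notary"
          APPLE_ID: ${{ secrets.APPLE_ID }}
          APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
          APPLE_APP_SPECIFIC_PASSWORD: ${{ secrets.APPLE_APP_SPECIFIC_PASSWORD }}
        run: |
          set -eo pipefail
          xcrun notarytool store-credentials "$NOTARY_PROFILE" \
            --apple-id "$APPLE_ID" \
            --team-id "$APPLE_TEAM_ID" \
            --password "$APPLE_APP_SPECIFIC_PASSWORD"
          # ditto keeps symlinks and bundle metadata that a plain `zip -r` can flatten,
          # which otherwise surfaces as an "invalid" notarization result.
          ditto -c -k --keepParent "Nook.app" Nook.zip
          xcrun notarytool submit "Nook.zip" \
            --keychain-profile "$NOTARY_PROFILE" \
            --wait | tee notarization.log
          # Check the outcome explicitly rather than relying on the tool's exit status;
          # on failure, `xcrun notarytool log <submission-id>` gives the reasons.
          grep -q "status: Accepted" notarization.log

      - name: Staple notarization ticket
        run: xcrun stapler staple "Nook.app"

      - name: Verify Gatekeeper assessment
        run: spctl --assess --type execute --verbose "Nook.app"

      - name: Create DMG
        # NOTE(review): only the app inside is notarized/stapled; notarizing and stapling
        # the DMG itself is recommended so Gatekeeper can verify it offline as well.
        run: |
          hdiutil create -volname "Nook ${VERSION}" \
            -srcfolder "Nook.app" \
            -ov -format UDZO "Nook-${VERSION}.dmg"

      - name: Upload DMG to release assets
        uses: softprops/action-gh-release@v2
        with:
          files: Nook-*.dmg
          fail_on_unmatched_files: false
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

      - name: Update Sparkle appcast
        if: github.event_name == 'release'
        run: |
          set -eo pipefail
          DMG_FILE="Nook-${VERSION}.dmg"
          DMG_URL="https://github.com/${{ github.repository }}/releases/download/${VERSION}/${DMG_FILE}"
          DATE=$(date -R)
          DMG_SIZE=$(stat -f%z "$DMG_FILE")
          # NOTE(review): no sparkle:edSignature is emitted for the enclosure. If the app ships
          # a Sparkle EdDSA public key, unsigned enclosures are refused; sign the DMG with
          # Sparkle's sign_update and add the attribute here — confirm against the app's Info.plist.
          cat > entry.xml <<EOF
              <item>
                  <title>Version ${SHORT_VERSION}</title>
                  <sparkle:releaseNotesLink>https://github.com/${{ github.repository }}/releases/tag/${VERSION}</sparkle:releaseNotesLink>
                  <pubDate>${DATE}</pubDate>
                  <enclosure url="${DMG_URL}" sparkle:version="${SHORT_VERSION}" length="${DMG_SIZE}" type="application/octet-stream"/>
              </item>
          EOF
          git fetch origin gh-pages
          git checkout gh-pages
          # Check for the file on gh-pages, where it is edited, not on the tag checkout.
          if [ ! -f appcast.xml ]; then
            echo "appcast.xml not found on gh-pages, skipping Sparkle update"
            exit 0
          fi
          # Insert the entry before </channel>; awk avoids sed's handling of newlines,
          # '&' and the substitution delimiter in the replacement text.
          awk -v entry_file=entry.xml '
            /<\/channel>/ { while ((getline line < entry_file) > 0) print line }
            { print }
          ' appcast.xml > appcast.xml.new
          mv appcast.xml.new appcast.xml
          rm -f entry.xml
          git config user.name "github-actions[bot]"
          git config user.email "github-actions[bot]@users.noreply.github.com"
          git add appcast.xml
          git commit -m "Add release ${VERSION} to appcast"
          git push origin gh-pages

      - name: Remove build keychain
        # Runs even when an earlier step failed so the imported key does not outlive the job.
        if: always()
        run: security delete-keychain build.keychain || true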