4141build-binaries :
4242 strategy :
4343 matrix :
44- os : [linux, darwin, freebsd, windows]
45- arch : [amd64, arm64]
44+ include :
45+ - runner : macos-latest
46+ os : darwin
47+ arch : arm64
48+ - runner : ubuntu-latest
49+ os : freebsd
50+ arch : amd64
51+ - runner : ubuntu-latest
52+ os : freebsd
53+ arch : arm64
54+ - runner : ubuntu-latest
55+ os : linux
56+ arch : amd64
57+ - runner : ubuntu-latest
58+ os : linux
59+ arch : arm64
60+ - runner : ubuntu-latest
61+ os : windows
62+ arch : amd64
63+ - runner : ubuntu-latest
64+ os : windows
65+ arch : arm64
66+ runs-on : ${{ matrix.runner }}
4667 runs-on : ubuntu-latest
4768 needs : [create-draft-release]
4869 permissions :
@@ -61,24 +82,27 @@ jobs:
6182 - uses : actions/setup-go@v5
6283 with :
6384 go-version : 1.22.x
85+ - name : Build binary
86+ run : GOOS=${{ matrix.os }} GOARCH=${{ matrix.arch }} make build
87+
88+ # Sign Windows build
6489 - name : Set up Java
6590 uses : actions/setup-java@v4
91+ if : ${{ startsWith(github.ref, 'refs/tags/') && matrix.os == 'windows' }}
6692 with :
6793 java-version : 17
6894 distribution : ' temurin'
69- - name : Build binary
70- run : GOOS=${{ matrix.os }} GOARCH=${{ matrix.arch }} make build
7195 - id : ' auth'
7296 name : Authenticate with Google Cloud
73- if : ${{ startsWith(github.ref, 'refs/tags/') && matrix.os == 'windows'
97+ if : ${{ startsWith(github.ref, 'refs/tags/') && matrix.os == 'windows' }}
7498 uses : ' google-github-actions/auth@v2'
7599 with :
76100 credentials_json : ' ${{ secrets.CERTIFICATE_SA_CREDENTIALS }}'
77101 - name : Set up Cloud SDK
78- if : ${{ startsWith(github.ref, 'refs/tags/') && matrix.os == 'windows'
102+ if : ${{ startsWith(github.ref, 'refs/tags/') && matrix.os == 'windows' }}
79103 uses : ' google-github-actions/setup-gcloud@v2'
80104 - name : Sign windows binary
81- if : ${{ startsWith(github.ref, 'refs/tags/') && matrix.os == 'windows'
105+ if : ${{ startsWith(github.ref, 'refs/tags/') && matrix.os == 'windows' }}
82106 run : |
83107 echo "Downloading jsign.jar"
84108 curl -L -o jsign.jar https://github.com/ebourg/jsign/releases/download/6.0/jsign-6.0.jar
@@ -103,19 +127,68 @@ jobs:
103127 echo "Signed Windows binary: ${_filename}"
104128 echo "Cleaning up certificate chain"
105129 rm -f codesign-chain.pem
130+
131+ # Sign MacOS build
132+
133+ - name : Create .app package and sign macos binary
134+ if : ${{ startsWith(github.ref, 'refs/tags/') && matrix.os == 'darwin' }}
135+ run : |
136+ echo "Decoding and importing Apple certificate..."
137+ echo -n "${{ secrets.APPLE_CERTIFICATE }}" | base64 --decode -o apple_certificate.p12
138+ security create-keychain -p "${{ secrets.APPLE_KEYCHAIN_PASSWORD }}" build.keychain
139+ security default-keychain -s build.keychain
140+ security set-keychain-settings -lut 21600 build.keychain
141+ security unlock-keychain -p "${{ secrets.APPLE_KEYCHAIN_PASSWORD }}" build.keychain
142+ security import apple_certificate.p12 -k build.keychain -P "${{ secrets.APPLE_CERTIFICATE_PASSWORD }}" -T /usr/bin/codesign
143+ security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "${{ secrets.APPLE_KEYCHAIN_PASSWORD }}" build.keychain
144+ echo "Packaging adder..."
145+ mkdir -p Adder.app/Contents/MacOS
146+ mkdir -p Adder.app/Contents/Resources
147+ cp adder Adder.app/Contents/MacOS/adder
148+ chmod +x Adder.app/Contents/MacOS/adder
149+ cat <<EOF > Adder.app/Contents/Info.plist
150+ <?xml version="1.0" encoding="UTF-8"?>
151+ <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
152+ <plist version="1.0">
153+ <dict>
154+ <key>CFBundleExecutable</key>
155+ <string>adder</string>
156+ <key>CFBundleIdentifier</key>
157+ <string>com.blinklabssoftware.adder</string>
158+ <key>CFBundleName</key>
159+ <string>Adder</string>
160+ <key>CFBundleVersion</key>
161+ <string>${{ env.RELEASE_TAG }}</string>
162+ <key>CFBundleShortVersionString</key>
163+ <string>${{ env.RELEASE_TAG }}</string>
164+ </dict>
165+ </plist>
166+ EOF
167+ /usr/bin/codesign --force -s "Developer ID Application: Blink Labs Software (${{ secrets.APPLE_TEAM_ID }})" --options runtime Adder.app -v
168+ xcrun notarytool store-credentials "notarytool-profile" --apple-id "${{ secrets.APPLE_ID }}" --team-id "${{ secrets.APPLE_TEAM_ID }}" --password "${{ secrets.APPLE_APP_SPECIFIC_PASSWORD }}"
169+ ditto -c -k --keepParent "Adder.app" "notarization.zip"
170+ xcrun notarytool submit "notarization.zip" --keychain-profile "notarytool-profile" --wait
171+ xcrun stapler staple "Adder.app"
106172name : Upload release asset
107173 if : startsWith(github.ref, 'refs/tags/')
108174 run : |
109175 _filename=adder-${{ env.RELEASE_TAG }}-${{ matrix.os }}-${{ matrix.arch }}
110- if [[ ${{ matrix.os }} == windows ]]; then
176+ if [[ " ${{ matrix.os }}" == " windows" ]]; then
111177 _filename=${_filename}.exe
112178 fi
113- cp adder ${_filename}
179+ if [[ "${{ matrix.os }}" == "windows" || "${{ matrix.os }}" == "linux" ]]; then
180+ cp adder ${_filename}
181+ fi
182+ if [[ "${{ matrix.os }}" == "darwin" ]]; then
183+ _filename=adder-${{ env.RELEASE_TAG }}-${{ matrix.os }}-${{ matrix.arch }}.zip
184+ zip -r ${_filename} Adder.app
185+ fi
114186 curl \
115187 -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" \
116188 -H "Content-Type: application/octet-stream" \
117189 --data-binary @${_filename} \
118190 https://uploads.github.com/repos/${{ github.repository_owner }}/adder/releases/${{ needs.create-draft-release.outputs.RELEASE_ID }}/assets?name=${_filename}
191+
119192name : Attest binary
120193 uses : actions/attest-build-provenance@v2
121194 with :
0 commit comments