@@ -113,6 +113,9 @@ jobs:
113113 toolchain : stable
114114 target : ${{ matrix.target }}
115115
116+ - name : Setup | Cache
117+ uses : Swatinem/rust-cache@v2
118+
116119 - name : Setup | Install cargo-wix [Windows]
117120 continue-on-error : true
118121 # aarch64 is only supported in wix 4.0 development builds
@@ -170,11 +173,100 @@ jobs:
170173 name : cook-${{ matrix.target }}.msi
171174 path : target/wix/cook-${{ matrix.target }}.msi
172175
176+ # Notarize cook binaries for MacOS and build notarized pkg installers
177+ notarize :
178+ runs-on : macos-latest
179+ continue-on-error : true
180+ needs : [github_build]
181+ strategy :
182+ fail-fast : false
183+ matrix :
184+ include :
185+ - target : x86_64-apple-darwin
186+ arch : x86_64
187+ name : cook-x86_64-apple-darwin.tar.gz
188+
189+ - target : aarch64-apple-darwin
190+ arch : aarch64
191+ name : cook-aarch64-apple-darwin.tar.gz
192+
193+ env :
194+ KEYCHAIN_FILENAME : app-signing.keychain-db
195+ KEYCHAIN_ENTRY : AC_PASSWORD
196+ steps :
197+ - name : Checkout repository
198+ uses : actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4
199+
200+ - name : Notarize | Set up secrets
201+ env :
202+ APP_CERTIFICATE_BASE64 : ${{ secrets.APPLEDEV_APPSIGNKEY_BASE64 }}
203+ P12_PASSWORD : ${{ secrets.APPLEDEV_SIGNKEY_PASS }}
204+ KEYCHAIN_PASSWORD : ${{ secrets.APPLEDEV_SIGNKEY_PASS }}
205+ APPLEID_USERNAME : ${{ secrets.APPLEDEV_ID_NAME }}
206+ APPLEID_TEAMID : ${{ secrets.APPLEDEV_TEAM_ID }}
207+ APPLEID_PASSWORD : ${{ secrets.APPLEDEV_PASSWORD }}
208+ run : |
209+ APP_CERTIFICATE_PATH="$RUNNER_TEMP/app_certificate.p12"
210+ KEYCHAIN_PATH="$RUNNER_TEMP/$KEYCHAIN_FILENAME"
211+
212+ # import certificates from secrets
213+ echo -n "$APP_CERTIFICATE_BASE64" | base64 --decode --output $APP_CERTIFICATE_PATH
214+
215+ # create temporary keychain
216+ security create-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
217+ security set-keychain-settings -lut 21600 "$KEYCHAIN_PATH"
218+ security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
219+
220+ # import certificates to keychain
221+ security import $APP_CERTIFICATE_PATH -P "$P12_PASSWORD" -A -t cert -f pkcs12 -k $KEYCHAIN_PATH
222+ security list-keychain -d user -s $KEYCHAIN_PATH
223+
224+ # Add Apple Developer ID credentials to keychain
225+ xcrun notarytool store-credentials "$KEYCHAIN_ENTRY" --team-id "$APPLEID_TEAMID" --apple-id "$APPLEID_USERNAME" --password "$APPLEID_PASSWORD" --keychain "$KEYCHAIN_PATH"
226+
227+ name : Notarize | Download artifacts
228+ uses : actions/download-artifact@v3
229+ with :
230+ name : ${{ matrix.name }}
231+ path : artifacts
232+
233+ - name : Notarize | Unpack Binaries
234+ run : tar xf artifacts/${{ matrix.name }}
235+
236+ - name : Notarize | Build, Sign, and Notarize Pkg
237+ env :
238+ APPLICATION_KEY_IDENT : ${{ secrets.APPLEDEV_KEY_IDENT }}
239+ run : |
240+ KEYCHAIN_PATH="$RUNNER_TEMP/$KEYCHAIN_FILENAME"
241+
242+ echo ">>>> Signing binary"
243+ codesign --timestamp --keychain $KEYCHAIN_PATH --sign "$APPLICATION_KEY_IDENT" --verbose -f -o runtime cook
244+
245+ # Make ZIP file to notarize binary
246+ zip cook.zip cook
247+
248+ echo ">>>> Submitting binary for notarization"
249+ xcrun notarytool submit cook.zip --keychain-profile "$KEYCHAIN_ENTRY" --wait
250+
251+ name : Notarize | Package Notarized Binary
252+ run : tar czvf ${{ matrix.name }} cook
253+
254+ - name : Notarize | Upload Notarized Binary
255+ uses : actions/upload-artifact@v3
256+ with :
257+ name : ${{ matrix.name }}
258+ path : ${{ matrix.name }}
259+
260+ - name : Cleanup Secrets
261+ if : ${{ always() }}
262+ run : |
263+ KEYCHAIN_PATH="$RUNNER_TEMP/$KEYCHAIN_FILENAME"
264+ security delete-keychain $KEYCHAIN_PATH
173265
174266# Create GitHub release with Rust build targets and release notes
175267 upload_artifacts :
176268 name : Add Build Artifacts to Release
177- needs : [release_please, github_build]
269+ needs : [release_please, github_build, notarize ]
178270 runs-on : ubuntu-latest
179271 steps :
180272 - name : Setup | Artifacts
0 commit comments