---
name: build-git-installers

# Release builds are triggered only by pushing a VFS release tag
# (e.g. a tag such as v2.49.0.vfs.0.1 matches the pattern below).
on:
  push:
    tags:
      - "v[0-9]*vfs*"  # matches "v<number><any characters>vfs<any characters>"

# Only the OIDC token is granted; because a permissions block is present,
# every permission not listed here is "none" for this workflow's GITHUB_TOKEN.
permissions:
  id-token: write  # required for Azure login via OIDC

env:
  # Windows signing is attempted only when every *_SECRET_NAME secret for the
  # respective credential is configured. These secrets appear to hold the
  # names of vault entries rather than the credentials themselves.
  DO_WIN_CODESIGN: >-
    ${{ secrets.WIN_CODESIGN_CERT_SECRET_NAME != ''
    && secrets.WIN_CODESIGN_PASS_SECRET_NAME != '' }}
  DO_WIN_GPGSIGN: >-
    ${{ secrets.WIN_GPG_KEYGRIP_SECRET_NAME != ''
    && secrets.WIN_GPG_PRIVATE_SECRET_NAME != ''
    && secrets.WIN_GPG_PASSPHRASE_SECRET_NAME != '' }}
jobs:
# Build and sign macOS installers & upload artifacts
create-macos-artifacts:
runs-on: macos-latest-xl-arm64
env:
VERSION: "2.49.0.vfs.0.1"
environment: release
steps:
# Clone into ./git so that the repository's own composite actions can be
# referenced as ./git/.github/actions/<name> by later steps.
- name: Check out repository
  # A release-signing workflow benefits from pinning actions to a full commit
  # SHA rather than a moving major tag; left as-is here.
  uses: actions/checkout@v4
  with:
    path: git
# Federated (OIDC) login: only identifiers are passed; the job's id-token
# (see the top-level permissions block) is exchanged for the Azure session,
# so no long-lived Azure credential has to be stored as a repository secret.
- name: Log in to Azure
  uses: azure/login@v2
  with:
    client-id: "${{ secrets.AZURE_CLIENT_ID }}"
    tenant-id: "${{ secrets.AZURE_TENANT_ID }}"
    subscription-id: "${{ secrets.AZURE_SUBSCRIPTION_ID }}"
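# Debug-only interactive session.  This job runs in the `release` environment
# and the following steps load code-signing certificates and notarization
# credentials onto the runner; a detached tmate session left open here exposes
# that material to anyone who obtains the connection details from the job log.
# Start it only when the run was re-run with debug logging enabled, and limit
# access to the SSH keys of the actor who triggered the run.  Prefer removing
# this step entirely from the release workflow once debugging is finished.
- name: Open debug session (only when re-run with debug logging)
  if: ${{ runner.debug == '1' }}
  uses: mxschmitt/action-tmate@v3
  with:
    detached: true
    limit-access-to-actor: true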
# Fetch the Apple signing material from the configured Key Vault using the
# repository's own akv-secret action (checked out under ./git above).
# Each line of `secrets` names a vault entry; the `> $output:<name>` form
# appears to publish the value as a step output, and `base64> <file>` to
# decode it into a file in the workspace -- see the akv-secret action for the
# exact syntax.  The two .p12 certificates are consumed by the keychain setup
# that follows.
- name: Download signing secrets
  id: signing-secrets
  uses: ./git/.github/actions/akv-secret
  with:
    vault: "${{ secrets.AZURE_VAULT }}"
    secrets: |
      ${{ secrets.APPLE_APPSIGN_ID_SECRET_NAME }} > $output:appsign-id
      ${{ secrets.APPLE_INSTSIGN_ID_SECRET_NAME }} > $output:instsign-id
      ${{ secrets.APPLE_TEAM_ID_SECRET_NAME }} > $output:team-id
      ${{ secrets.APPLE_DEVELOPER_ID_SECRET_NAME }} > $output:dev-id
      ${{ secrets.APPLE_DEVELOPER_PASSWORD_SECRET_NAME }} > $output:dev-pass
      ${{ secrets.APPLE_APPCERT_PASS_SECRET_NAME }} > $output:appcert-pass
      ${{ secrets.APPLE_INSTCERT_PASS_SECRET_NAME }} > $output:instcert-pass
      ${{ secrets.APPLE_APPCERT_SECRET_NAME }} base64> appcert.p12
      ${{ secrets.APPLE_INSTCERT_SECRET_NAME }} base64> instcert.p12
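# NOTE(review): an unnamed step used to sit here that copied the body of the
# "Set up signing/notarization infrastructure" step into /tmp/a1 through a
# quoted here-doc and never executed or read it.  The quoted delimiter only
# stops *bash* from expanding the text; the ${{ steps.signing-secrets.outputs.* }}
# expressions are substituted by the Actions runner before bash starts, so the
# file held the certificate passwords, Apple ID and app-specific password in
# plain text on the runner.  Nothing in this job consumes /tmp/a1, so the step
# was removed.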
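# Import the Apple certificates into a throw-away keychain and register the
# notarization credentials with notarytool.  The secret values are handed to
# the script through `env` and read as shell variables rather than being
# spliced into the script text with ${{ }}: that keeps them out of the script
# file the runner writes to disk and avoids shell-quoting breakage if a value
# contains a quote character.
- name: Set up signing/notarization infrastructure
  shell: bash
  env:
    APPCERT_PASS: ${{ steps.signing-secrets.outputs.appcert-pass }}
    INSTCERT_PASS: ${{ steps.signing-secrets.outputs.instcert-pass }}
    APPLE_TEAM_ID: ${{ steps.signing-secrets.outputs.team-id }}
    APPLE_DEV_ID: ${{ steps.signing-secrets.outputs.dev-id }}
    APPLE_DEV_PASS: ${{ steps.signing-secrets.outputs.dev-pass }}
  run: |
    set -u
    KEYCHAIN="$RUNNER_TEMP/buildagent.keychain"

    echo "Setting up signing certificates"
    # The keychain exists only for this job on the runner, so a fixed keychain
    # password is acceptable; it protects nothing beyond the runner itself.
    security create-keychain -p pwd "$KEYCHAIN"
    security default-keychain -s "$KEYCHAIN"
    security unlock-keychain -p pwd "$KEYCHAIN"
    # Prevent re-locking
    security set-keychain-settings "$KEYCHAIN"

    # Application-signing certificate; -T lets codesign use it without a prompt.
    security import appcert.p12 \
      -k "$KEYCHAIN" \
      -P "$APPCERT_PASS" \
      -T /usr/bin/codesign
    security set-key-partition-list \
      -S apple-tool:,apple:,codesign: \
      -s -k pwd \
      "$KEYCHAIN"

    # Installer-signing certificate; -T lets pkgbuild use it without a prompt.
    security import instcert.p12 \
      -k "$KEYCHAIN" \
      -P "$INSTCERT_PASS" \
      -T /usr/bin/pkgbuild
    security set-key-partition-list \
      -S apple-tool:,apple:,pkgbuild: \
      -s -k pwd \
      "$KEYCHAIN"
    # TODO(review): appcert.p12/instcert.p12 were written into the workspace by
    # the signing-secrets step; if no later step needs them, removing them here
    # would keep the certificate files out of any uploaded artifact.

    echo "Setting up notarytool"
    xcrun notarytool store-credentials \
      --team-id "$APPLE_TEAM_ID" \
      --apple-id "$APPLE_DEV_ID" \
      --password "$APPLE_DEV_PASS" \
      "msftgit"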