ref: c3a336812cedf3024dfa1cdf059a0a91649830fc
parent: ce3f4db79fd038ca1030a04aae5a3a881d16ca37
author: Jonne Kokkonen <jonne.kokkonen@gmail.com>
date: Tue Jul 1 18:16:44 EDT 2025
notarize the apple build only on releases (#196)
--- a/.github/workflows/build-macos-arm.yml
+++ b/.github/workflows/build-macos-arm.yml
@@ -3,6 +3,8 @@
on:
push:
pull_request:
+ release:
+ types: [published]
workflow_dispatch:
jobs:
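Review bot: The trigger list gains `release` without any comment saying that certificate import, notarization and stapling are now gated on that event, so a reader of the `on:` block cannot tell which runs yield a distributable dmg. I would add above `release:` a comment such as `# Certificate import, notarization and stapling run only for published releases; other events build an un-notarized dmg`. Because `push:` carries no branch or tag filter, a release that creates its tag will presumably start a `push` run as well as the `release` run, and both reach the upload step, so it is worth stating which artifact is meant for distribution. The same applies to the identical hunk in build-macos-intel.yml.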
@@ -29,6 +31,7 @@
- name: Create Custom Keychain
id: createCustomKeychain
+ if: github.event_name == 'release'
env:
KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }}
run: |
@@ -39,6 +42,8 @@
security set-keychain-settings build.keychain
- name: Import Apple Developer Certificate
+ id: importAppleCertificate
+ if: github.event_name == 'release'
env:
CERTIFICATE_PASSWORD: ${{ secrets.CERTIFICATE_PASSWORD }}
 KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }}
@@ -72,6 +77,8 @@
run: cat /Users/runner/work/m8c/m8c/${{ env.BUILD_DIR }}/_CPack_Packages/Darwin/DragNDrop/PreinstallOutput.log
- name: 'Notarize the App'
+ id: notarizeApp
+ if: github.event_name == 'release'
run: |
pushd ${{ env.BUILD_DIR }}
APP_PATH=$(find package-output -maxdepth 1 -name "m8c*.dmg" | head -n 1)
@@ -88,8 +95,9 @@
APPLE_PASSWORD: ${{ secrets.APP_SPECIFIC_PASSWORD }}
 TEAM_ID: ${{ secrets.TEAM_ID }}
-
- name: 'Verify Stapling'
+ id: verifyStapling
+ if: github.event_name == 'release'
run: |
APP_PATH=$(find "${{ env.BUILD_DIR }}/package-output" -maxdepth 1 -name "m8c*.dmg" | head -n 1)
echo "Verifying stapling on $APP_PATH"
@@ -96,7 +104,8 @@
xcrun stapler validate "$APP_PATH"
- name: 'Delete Custom Keychain'
- if: steps.createCustomKeychain.outcome == 'success'
+ id: deleteCustomKeychain
+ if: github.event_name == 'release' && steps.createCustomKeychain.outcome == 'success'
run: |
security delete-keychain build.keychain
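Review bot: The new condition on 'Delete Custom Keychain' still has no status function, so GitHub applies an implicit `success()` and the step is skipped whenever an earlier step such as 'Notarize the App' or 'Verify Stapling' fails, leaving build.keychain with the imported certificate on the runner. Cleanup should run regardless of job status: `if: always() && steps.createCustomKeychain.outcome == 'success'`. The `github.event_name == 'release'` term is redundant there, because the keychain step's outcome is `skipped` on every other event. On an ephemeral hosted runner the exposure is small, but it matters if the job ever moves to a self-hosted machine; the matching hunk in build-macos-intel.yml carries the same condition.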
@@ -110,4 +119,4 @@
with:
name: m8c-${{ env.NOW }}-macos-applesilicon
path: |
- m8c-${{ env.NOW }}-macos-applesilicon.dmg
+ m8c-${{ env.NOW }}-macos-applesilicon.dmg
\ No newline at end of file
--- a/.github/workflows/build-macos-intel.yml
+++ b/.github/workflows/build-macos-intel.yml
@@ -3,6 +3,8 @@
on:
push:
pull_request:
+ release:
+ types: [published]
workflow_dispatch:
jobs:
@@ -29,6 +31,7 @@
- name: Create Custom Keychain
id: createCustomKeychain
+ if: github.event_name == 'release'
env:
KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }}
run: |
@@ -39,6 +42,8 @@
security set-keychain-settings build.keychain
- name: Import Apple Developer Certificate
+ id: importAppleCertificate
+ if: github.event_name == 'release'
env:
CERTIFICATE_PASSWORD: ${{ secrets.CERTIFICATE_PASSWORD }}
 KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }}
@@ -72,6 +77,8 @@
run: cat /Users/runner/work/m8c/m8c/${{ env.BUILD_DIR }}/_CPack_Packages/Darwin/DragNDrop/PreinstallOutput.log
- name: 'Notarize the App'
+ id: notarizeApp
+ if: github.event_name == 'release'
run: |
pushd ${{ env.BUILD_DIR }}
APP_PATH=$(find package-output -maxdepth 1 -name "m8c*.dmg" | head -n 1)
@@ -88,8 +95,9 @@
APPLE_PASSWORD: ${{ secrets.APP_SPECIFIC_PASSWORD }}
 TEAM_ID: ${{ secrets.TEAM_ID }}
-
- name: 'Verify Stapling'
+ id: verifyStapling
+ if: github.event_name == 'release'
run: |
APP_PATH=$(find "${{ env.BUILD_DIR }}/package-output" -maxdepth 1 -name "m8c*.dmg" | head -n 1)
echo "Verifying stapling on $APP_PATH"
@@ -96,7 +104,8 @@
xcrun stapler validate "$APP_PATH"
- name: 'Delete Custom Keychain'
- if: steps.createCustomKeychain.outcome == 'success'
+ id: deleteCustomKeychain
+ if: github.event_name == 'release' && steps.createCustomKeychain.outcome == 'success'
run: |
security delete-keychain build.keychain
@@ -110,4 +119,4 @@
with:
name: m8c-${{ env.NOW }}-macos-intel
path: |
- m8c-${{ env.NOW }}-macos-intel.dmg
+ m8c-${{ env.NOW }}-macos-intel.dmg
\ No newline at end of file
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -91,9 +91,17 @@
set(APPS "\${CMAKE_INSTALL_PREFIX}/${APP_NAME}.app")
- install(CODE "include(BundleUtilities)
- fixup_bundle(\"${APPS}\" \"\" \"\")
- execute_process(COMMAND codesign --force --options runtime --deep --entitlements ../package/macos/Entitlements.plist --sign \"${CODESIGN_CERT_NAME}\" --timestamp \${CMAKE_INSTALL_PREFIX}/${APP_NAME}.app)")
+ if(CODESIGN_CERT_NAME)
+ # Use the specified certificate
+ install(CODE "include(BundleUtilities)
+ fixup_bundle(\"${APPS}\" \"\" \"\")
+ execute_process(COMMAND codesign --force --options runtime --deep --entitlements ../package/macos/Entitlements.plist --sign \"${CODESIGN_CERT_NAME}\" --timestamp \${CMAKE_INSTALL_PREFIX}/${APP_NAME}.app)")
+ else()
+ # Use ad-hoc signing (self-signed) when no certificate is specified
+ install(CODE "include(BundleUtilities)
+ fixup_bundle(\"${APPS}\" \"\" \"\")
+ execute_process(COMMAND codesign --force --options runtime --deep --entitlements ../package/macos/Entitlements.plist --sign - --timestamp \${CMAKE_INSTALL_PREFIX}/${APP_NAME}.app)")
+ endif()
set(CPACK_PACKAGE_NAME "m8c")
set(CPACK_PACKAGE_VERSION ${PROJECT_VERSION})
@@ -100,5 +108,4 @@
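Review bot: Neither `execute_process` call checks codesign's exit status, so a failed signature (for example a `CODESIGN_CERT_NAME` that is set but not present in any keychain) lets the install step and CPack carry on and package a bundle without a valid signature. The two `install(CODE ...)` strings differ only in the identity, so they can be folded into one with the identity chosen up front and the result checked, as sketched below. The comment "ad-hoc signing (self-signed)" is inaccurate, since an ad-hoc signature involves no certificate at all, and whether `--timestamp` has any effect together with `--sign -` should be confirmed. The enclosing `if` block opens outside this hunk.

```cmake
set(APPS "\${CMAKE_INSTALL_PREFIX}/${APP_NAME}.app")
# "-" requests an ad-hoc signature (no certificate, no identity)
set(CODESIGN_IDENTITY "-")
if(CODESIGN_CERT_NAME)
  set(CODESIGN_IDENTITY "${CODESIGN_CERT_NAME}")
endif()
install(CODE "include(BundleUtilities)
  fixup_bundle(\"${APPS}\" \"\" \"\")
  execute_process(COMMAND codesign --force --options runtime --deep --entitlements ../package/macos/Entitlements.plist --sign \"${CODESIGN_IDENTITY}\" --timestamp \${CMAKE_INSTALL_PREFIX}/${APP_NAME}.app
    RESULT_VARIABLE codesign_result)
  if(NOT codesign_result EQUAL 0)
    message(FATAL_ERROR \"codesign failed with status \${codesign_result}\")
  endif()")
# … unchanged: CPACK_* settings …
```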
set(CPACK_PACKAGE_DIRECTORY "package-output")
set(CPACK_GENERATOR "DragNDrop")
include(CPack)
-endif ()
-
+endif ()
\ No newline at end of file
--
⑨