The CI swift workflow needs to be updated to accommodate the macOS standalone build. This required a decent amount of refactoring to make the Apple build process more maintainable. Unfortunately this PR ended up being a giant ball of yarn where pulling on one thread tended to unravel things elsewhere, since building the Apple artifacts involves multiple interconnected systems. Combined with the slow iteration of running in CI, I wasn't able to split this PR into easier-to-digest commits, so I've annotated the PR as much as I can to explain what's changed. The good news is that Apple release artifacts can now be easily built from a developer's machine with simply `scripts/build/macos-standalone.sh`. The only thing needed is the proper provisioning profiles and signing certs installed. Since this PR is so big already, I'll save the swift/apple/README.md updates for another PR.
#!/usr/bin/env bash
# Abort on the first unhandled failing command. Note that errexit does not
# apply to commands used as conditions or inside && / || lists.
set -o errexit
# See https://docs.github.com/en/actions/use-cases-and-examples/deploying/installing-an-apple-certificate-on-macos-runners-for-xcode-development
#######################################
# Prepare a macOS runner for code signing: select Xcode, install two
# provisioning profiles, create and unlock a dedicated keychain, and import
# three signing certificates into it.
#
# Globals read:
#   HOME, XCODE_VERSION
#   BUILD_CERT, BUILD_CERT_PASS
#   INSTALLER_CERT, INSTALLER_CERT_PASS
#   STANDALONE_BUILD_CERT, STANDALONE_BUILD_CERT_PASS
# Globals written (not declared local, so they outlive this call):
#   profiles_path, keychain_pass, keychain_path
# Arguments:
#   $1 - base64-encoded app provisioning profile
#   $2 - file name to store the app profile under
#   $3 - base64-encoded second profile ("ne"; presumably the network
#        extension - confirm against the caller)
#   $4 - file name to store the second profile under
#
# Security notes:
#   - The keychain password is random per run, but it is handed to `security`
#     with -p, i.e. as a command-line argument, which other processes on the
#     same host may be able to observe while the command runs.
#   - This function changes the user's default keychain and does not restore
#     it or delete the new keychain; no cleanup is visible here, so this is
#     best suited to throwaway runners.
#######################################
function setup_runner() {
  local app_profile_b64="$1"
  local app_profile_name="$2"
  local ne_profile_b64="$3"
  local ne_profile_name="$4"
  local cert_var pass_var

  profiles_path="$HOME/Library/Developer/Xcode/UserData/Provisioning Profiles"
  keychain_pass=$(openssl rand -base64 32)
  keychain_path="$(mktemp -d)/app-signing.keychain-db"

  # Select Xcode specified by the workflow
  sudo xcode-select -s "/Applications/Xcode_$XCODE_VERSION.app"

  # Install provisioning profiles
  mkdir -p "$profiles_path"
  base64_decode "$app_profile_b64" "$profiles_path/$app_profile_name"
  base64_decode "$ne_profile_b64" "$profiles_path/$ne_profile_name"

  # Create the signing keychain, make it the default so Xcode can find the
  # certs, keep it unlocked for up to 21600 seconds (6 hours), then unlock it.
  security create-keychain -p "$keychain_pass" "$keychain_path"
  security default-keychain -s "$keychain_path"
  security set-keychain-settings -lut 21600 "$keychain_path"
  security unlock-keychain -p "$keychain_pass" "$keychain_path"

  # Install signing certs: each NAME is paired with its NAME_PASS passphrase,
  # both read from the environment by indirect expansion.
  for cert_var in BUILD_CERT INSTALLER_CERT STANDALONE_BUILD_CERT; do
    pass_var="${cert_var}_PASS"
    install_cert \
      "${!cert_var}" \
      "${!pass_var}" \
      "$keychain_pass" \
      "$keychain_path"
  done
}
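#######################################
# Decode a base64 string and write the result to a file.
#
# Arguments:
#   $1 - base64-encoded data
#   $2 - path of the file to write
# Returns:
#   Exit status of `base64` (the last stage of the pipeline).
#
# Notes:
#   - `-o` is the output-file option of the macOS `base64`; GNU coreutils
#     `base64` does not accept it.
#   - The output file is created with the caller's umask. When the payload is
#     secret (e.g. a PKCS#12 bundle), write it into a private directory.
#######################################
function base64_decode() {
  local input_stdin="$1"
  local output_path="$2"

  # printf '%s' emits the payload verbatim; `echo -n` would treat a value such
  # as "-n" or "-e" as an option and silently drop it.
  printf '%s' "$input_stdin" | base64 --decode -o "$output_path"
}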
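#######################################
# Import one base64-encoded PKCS#12 bundle into a keychain and allow Apple
# tooling to use the imported key without a password prompt.
#
# Arguments:
#   $1 - base64-encoded PKCS#12 data
#   $2 - passphrase protecting the PKCS#12 bundle
#   $3 - password of the target keychain
#   $4 - path of the target keychain
# Returns:
#   0 on success, otherwise the status of the first step that failed.
#
# Security notes:
#   - The decoded bundle lives in a private `mktemp -d` directory, and that
#     directory is removed on both the success and the failure path so key
#     material is not left on disk when an import fails under `set -e`.
#   - `security import -A` lets any application use the imported key without
#     a warning; that is only reasonable for a dedicated, short-lived
#     keychain.
#   - Both passwords are passed to `security` as command-line arguments,
#     which other processes on the same host may be able to observe.
#######################################
function install_cert() {
  local cert="$1"
  local pass="$2"
  local keychain_pass="$3"
  local keychain_path="$4"
  local cert_dir cert_path
  local status=0

  cert_dir="$(mktemp -d)" || return
  cert_path="$cert_dir/cert.p12"

  # Run the steps as one && chain so a failure is captured in $status instead
  # of terminating the shell (errexit) before the cleanup below can run.
  {
    base64_decode "$cert" "$cert_path" &&
      # Import cert into keychain
      security import "$cert_path" \
        -P "$pass" \
        -A \
        -t cert \
        -f pkcs12 \
        -k "$keychain_path" &&
      # Prevent the keychain from asking for password to access the cert
      security set-key-partition-list \
        -S apple-tool:,apple: \
        -k "$keychain_pass" \
        "$keychain_path"
  } || status=$?

  # Clean up the decoded bundle and its temporary directory in every case.
  rm -rf -- "${cert_dir:?}"

  return "$status"
}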
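#######################################
# Rewrite CURRENT_PROJECT_VERSION in an Xcode project file to the current
# Unix timestamp, editing the file in place.
#
# Globals written:
#   seconds_since_epoch (not declared local, so it outlives this call)
# Arguments:
#   $1 - path of the project file to edit
#
# Notes:
#   - `sed -i ''` is the BSD/macOS in-place form (empty backup suffix).
#######################################
function set_project_build_version() {
  local project_file="$1"

  seconds_since_epoch=$(date +%s)

  # Match the whole existing number. Matching a single digit would leave the
  # remaining digits of a multi-digit version appended to the new value, e.g.
  # when the file has already been stamped by an earlier run.
  sed -i '' \
    "s/CURRENT_PROJECT_VERSION = [0-9][0-9]*/CURRENT_PROJECT_VERSION = $seconds_since_epoch/" \
    "$project_file"
}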