mirror of
https://github.com/outbackdingo/firezone.git
synced 2026-01-27 10:18:54 +00:00
8eb738e66a
To avoid burning Azure credits, we move the runners back down to the free tier. Now that caching is properly set up, this should incur only a minor increase in CI time.
100 lines
2.8 KiB
Bash
Executable File
100 lines
2.8 KiB
Bash
Executable File
#!/usr/bin/env bash
|
|
|
|
set -e
|
|
|
|
# See https://docs.github.com/en/actions/use-cases-and-examples/deploying/installing-an-apple-certificate-on-macos-runners-for-xcode-development
|
|
function setup_runner() {
|
|
local app_profile="$1"
|
|
local app_profile_file="$2"
|
|
local ne_profile="$3"
|
|
local ne_profile_file="$4"
|
|
|
|
# Use the latest version of Xcode - matches what we typically use for development
|
|
sudo xcode-select --switch "$(ls -d /Applications/Xcode*${XCODE_MAJOR}*.app | sort -V | tail -n 1)"
|
|
|
|
profiles_path="$HOME/Library/Developer/Xcode/UserData/Provisioning Profiles"
|
|
keychain_pass=$(openssl rand -base64 32)
|
|
keychain_path="$(mktemp -d)/app-signing.keychain-db"
|
|
|
|
# Install provisioning profiles
|
|
mkdir -p "$profiles_path"
|
|
base64_decode "$app_profile" "$profiles_path/$app_profile_file"
|
|
base64_decode "$ne_profile" "$profiles_path/$ne_profile_file"
|
|
|
|
# Create a keychain to use for signing
|
|
security create-keychain -p "$keychain_pass" "$keychain_path"
|
|
|
|
# Set it as the default keychain so Xcode can find the signing certs
|
|
security default-keychain -s "$keychain_path"
|
|
|
|
# Ensure it stays unlocked during the build
|
|
security set-keychain-settings -lut 21600 "$keychain_path"
|
|
|
|
# Unlock the keychain for use
|
|
security unlock-keychain -p "$keychain_pass" "$keychain_path"
|
|
|
|
# Install signing certs
|
|
install_cert \
|
|
"$BUILD_CERT" \
|
|
"$BUILD_CERT_PASS" \
|
|
"$keychain_pass" \
|
|
"$keychain_path"
|
|
install_cert \
|
|
"$INSTALLER_CERT" \
|
|
"$INSTALLER_CERT_PASS" \
|
|
"$keychain_pass" \
|
|
"$keychain_path"
|
|
install_cert \
|
|
"$STANDALONE_BUILD_CERT" \
|
|
"$STANDALONE_BUILD_CERT_PASS" \
|
|
"$keychain_pass" \
|
|
"$keychain_path"
|
|
install_cert \
|
|
"$STANDALONE_INSTALLER_CERT" \
|
|
"$STANDALONE_INSTALLER_CERT_PASS" \
|
|
"$keychain_pass" \
|
|
"$keychain_path"
|
|
}
|
|
|
|
function extract_uuid() {
|
|
local b64_profile="$1"
|
|
|
|
echo "$b64_profile" | base64 --decode | security cms -D | plutil -extract UUID raw -o - -
|
|
}
|
|
|
|
function base64_decode() {
|
|
local input_stdin="$1"
|
|
local output_path="$2"
|
|
|
|
echo -n "$input_stdin" | base64 --decode -o "$output_path"
|
|
}
|
|
|
|
function install_cert() {
|
|
local cert_path
|
|
local cert="$1"
|
|
local pass="$2"
|
|
local keychain_pass="$3"
|
|
local keychain_path="$4"
|
|
|
|
cert_path="$(mktemp -d)/cert.p12"
|
|
|
|
base64_decode "$cert" "$cert_path"
|
|
|
|
# Import cert into keychain
|
|
security import "$cert_path" \
|
|
-P "$pass" \
|
|
-A \
|
|
-t cert \
|
|
-f pkcs12 \
|
|
-k "$keychain_path"
|
|
|
|
# Prevent the keychain from asking for password to access the cert
|
|
security set-key-partition-list \
|
|
-S apple-tool:,apple: \
|
|
-k "$keychain_pass" \
|
|
"$keychain_path"
|
|
|
|
# Clean up
|
|
rm "$cert_path"
|
|
}
|