diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 8c3e9866..93b77fbf 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -20,10 +20,13 @@ jobs: config: - os: windows-2016 - os: ubuntu-latest - - os: turin-macmini # self-hosted macOS + - os: macos-latest # - os: rsora-rpi-arm # self-hosted armhf runs-on: ${{ matrix.config.os }} timeout-minutes: 30 + env: + CERTIFICATE_PATH: /tmp/macos_signing_certificate.p12 + steps: - name: Checkout uses: actions/checkout@v2 @@ -39,12 +42,12 @@ jobs: with: python-version: '2.7' - - name: Update Keychain [macOS] + - name: Generate signing certificate file [macOS] if: runner.OS == 'macOS' run: | - echo "${{ secrets.KEYCHAIN }}" | base64 --decode > ~/Library/Keychains/apple-developer.keychain-db - security list-keychains -s ~/Library/Keychains/apple-developer.keychain-db - security unlock-keychain -p "${{ secrets.KEYCHAIN_PASSWORD }}" ~/Library/Keychains/apple-developer.keychain-db + # APPLE_SIGNING_CERTIFICATE_P12 secret was produced by following the procedure from: + # https://www.kencochrane.com/2020/08/01/build-and-sign-golang-binaries-for-macos-with-github-actions/#exporting-the-developer-certificate + echo "${{ secrets.APPLE_SIGNING_CERTIFICATE_P12 }}" | base64 --decode > "${{ env.CERTIFICATE_PATH }}" - name: Package shell: bash @@ -58,6 +61,12 @@ jobs: IS_NIGHTLY: ${{ github.event_name == 'schedule' }} IS_RELEASE: ${{ startsWith(github.ref, 'refs/tags/') }} run: | + # electron-builder will try to sign during the Windows job if these environment variables are defined + if [ "${{ runner.OS }}" = "macOS" ]; then + # See: https://www.electron.build/code-signing + export CSC_LINK="${{ env.CERTIFICATE_PATH }}" + export CSC_KEY_PASSWORD="${{ secrets.KEYCHAIN_PASSWORD }}" + fi yarn --cwd ./electron/packager/ yarn --cwd ./electron/packager/ package
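Review bot: `CERTIFICATE_PATH: /tmp/macos_signing_certificate.p12` places the decoded signing key at a fixed path in a shared temp directory, and nothing visible in this diff deletes it once packaging is done. On the hosted `macos-latest` runner the VM is thrown away, but the matrix still carries a commented self-hosted entry, and on a persistent runner the P12 would outlive the job with default file permissions. Consider writing it under `$RUNNER_TEMP` after `umask 077` in the generating step, and adding a last step guarded by `if: always()` that runs `rm -f "$CERTIFICATE_PATH"`. The job's step list continues outside this hunk, so a cleanup step may already exist there.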
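Review bot: The secrets are spliced into the script text by `${{ }}` before bash ever runs, here for `secrets.APPLE_SIGNING_CERTIFICATE_P12` and again in the Package hunk for `CSC_KEY_PASSWORD="${{ secrets.KEYCHAIN_PASSWORD }}"`. A value containing `"`, `$` or a backtick is then parsed by the shell instead of being passed through; base64 text is harmless in practice, but a password is not. Map each secret in the step's `env:` under a neutral name and reference the shell variable, e.g. `P12_B64: ${{ secrets.APPLE_SIGNING_CERTIFICATE_P12 }}` with `echo "$P12_B64" | base64 --decode > "$CERTIFICATE_PATH"`. For the Package step, a non-`CSC_` name such as `SIGNING_PASSWORD` followed by `export CSC_KEY_PASSWORD="$SIGNING_PASSWORD"` inside the macOS branch keeps the Windows job unaffected.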
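Review bot: The `export CSC_LINK=…` / `export CSC_KEY_PASSWORD=…` block sits above `yarn --cwd ./electron/packager/`, so the dependency install inherits the certificate path and its password. Install-time lifecycle scripts of third-party packages run in that environment. Moving the `if [ "${{ runner.OS }}" = "macOS" ]; then … fi` block between the two `yarn` lines would limit the credentials to the `package` command, assuming that command does not itself need them earlier. A comment such as `# KEYCHAIN_PASSWORD now holds the P12 export password` would also help whoever rotates the secret, since the keychain it was named for is removed by this commit.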