	Merge pull request #1521 from TriliumNext/renovate/apple-actions-import-codesign-certs-5.x
chore(deps): update apple-actions/import-codesign-certs action to v5
This commit is contained in:
		
						commit
						60c0a6d543
										257
										257
								.github/actions/build-electron/action.yml
							| @ -18,143 +18,152 @@ inputs: | |||||||
| runs: | runs: | ||||||
|   using: composite |   using: composite | ||||||
|   steps: |   steps: | ||||||
|   # Certificate setup |     # Certificate setup | ||||||
|   - name: Import Apple certificates |     - name: Import Apple certificates | ||||||
|     if: inputs.os == 'macos' |       if: inputs.os == 'macos' | ||||||
|     uses: apple-actions/import-codesign-certs@v3 |       uses: apple-actions/import-codesign-certs@v3 | ||||||
|     with: |       with: | ||||||
|       p12-file-base64: ${{ env.APPLE_APP_CERTIFICATE_BASE64 }} |         p12-file-base64: ${{ env.APPLE_APP_CERTIFICATE_BASE64 }} | ||||||
|       p12-password: ${{ env.APPLE_APP_CERTIFICATE_PASSWORD }} |         p12-password: ${{ env.APPLE_APP_CERTIFICATE_PASSWORD }} | ||||||
|       keychain: build |         keychain: build-app-${{ github.run_id }} | ||||||
|       keychain-password: ${{ github.run_id }} |         keychain-password: ${{ github.run_id }} | ||||||
| 
 | 
 | ||||||
|   - name: Install Installer certificate |     - name: Install Installer certificate | ||||||
|     if: inputs.os == 'macos' |       if: inputs.os == 'macos' | ||||||
|     uses: apple-actions/import-codesign-certs@v3 |       uses: apple-actions/import-codesign-certs@v3 | ||||||
|     with: |       with: | ||||||
|       p12-file-base64: ${{ env.APPLE_INSTALLER_CERTIFICATE_BASE64 }} |         p12-file-base64: ${{ env.APPLE_INSTALLER_CERTIFICATE_BASE64 }} | ||||||
|       p12-password: ${{ env.APPLE_INSTALLER_CERTIFICATE_PASSWORD }} |         p12-password: ${{ env.APPLE_INSTALLER_CERTIFICATE_PASSWORD }} | ||||||
|       keychain: build |         keychain: build-installer-${{ github.run_id }} | ||||||
|       keychain-password: ${{ github.run_id }} |         keychain-password: ${{ github.run_id }} | ||||||
|       # We don't need to create a keychain here because we're using the build keychain that was created in the previous step |  | ||||||
|       create-keychain: false |  | ||||||
| 
 | 
 | ||||||
|   - name: Verify certificates |     - name: Verify certificates | ||||||
|     if: inputs.os == 'macos' |       if: inputs.os == 'macos' | ||||||
|     shell: ${{ inputs.shell }} |       shell: ${{ inputs.shell }} | ||||||
|     run: | |       run: | | ||||||
|       echo "Available signing identities:" |         echo "Available signing identities in app keychain:" | ||||||
|       security find-identity -v -p codesigning build.keychain |         security find-identity -v -p codesigning build-app-${{ github.run_id }}.keychain | ||||||
| 
 | 
 | ||||||
|   - name: Set up Python and other macOS dependencies |         echo "Available signing identities in installer keychain:" | ||||||
|     if: ${{ inputs.os == 'macos' }} |         security find-identity -v -p codesigning build-installer-${{ github.run_id }}.keychain | ||||||
|     shell: ${{ inputs.shell }} |  | ||||||
|     run: | |  | ||||||
|       brew install python-setuptools |  | ||||||
|       brew install create-dmg |  | ||||||
| 
 | 
 | ||||||
|   - name: Install dependencies for RPM and Flatpak package building |         # Make the keychains searchable | ||||||
|     if: ${{ inputs.os == 'linux' }} |         security list-keychains -d user -s build-app-${{ github.run_id }}.keychain build-installer-${{ github.run_id }}.keychain $(security list-keychains -d user | tr -d '"') | ||||||
|     shell: ${{ inputs.shell }} |         security default-keychain -s build-app-${{ github.run_id }}.keychain | ||||||
|     run: | |         security unlock-keychain -p ${{ github.run_id }} build-app-${{ github.run_id }}.keychain | ||||||
|       sudo apt-get update && sudo apt-get install rpm flatpak-builder elfutils |         security unlock-keychain -p ${{ github.run_id }} build-installer-${{ github.run_id }}.keychain | ||||||
|       flatpak remote-add --user --if-not-exists flathub https://flathub.org/repo/flathub.flatpakrepo |         security set-keychain-settings -t 3600 -l build-app-${{ github.run_id }}.keychain | ||||||
|       FLATPAK_ARCH=$(if [[ ${{ inputs.arch }} = 'arm64' ]]; then echo 'aarch64'; else echo 'x86_64'; fi) |         security set-keychain-settings -t 3600 -l build-installer-${{ github.run_id }}.keychain | ||||||
|       FLATPAK_VERSION='24.08' |  | ||||||
|       flatpak install --user --no-deps --arch $FLATPAK_ARCH --assumeyes runtime/org.freedesktop.Platform/$FLATPAK_ARCH/$FLATPAK_VERSION runtime/org.freedesktop.Sdk/$FLATPAK_ARCH/$FLATPAK_VERSION org.electronjs.Electron2.BaseApp/$FLATPAK_ARCH/$FLATPAK_VERSION |  | ||||||
| 
 | 
 | ||||||
|   # Build setup |     - name: Set up Python and other macOS dependencies | ||||||
|   - name: Install dependencies |       if: ${{ inputs.os == 'macos' }} | ||||||
|     shell: ${{ inputs.shell }} |       shell: ${{ inputs.shell }} | ||||||
|     run: npm ci |       run: | | ||||||
|  |         brew install python-setuptools | ||||||
|  |         brew install create-dmg | ||||||
| 
 | 
 | ||||||
|   - name: Update build info |     - name: Install dependencies for RPM and Flatpak package building | ||||||
|     shell: ${{ inputs.shell }} |       if: ${{ inputs.os == 'linux' }} | ||||||
|     run: npm run chore:update-build-info |       shell: ${{ inputs.shell }} | ||||||
|  |       run: | | ||||||
|  |         sudo apt-get update && sudo apt-get install rpm flatpak-builder elfutils | ||||||
|  |         flatpak remote-add --user --if-not-exists flathub https://flathub.org/repo/flathub.flatpakrepo | ||||||
|  |         FLATPAK_ARCH=$(if [[ ${{ inputs.arch }} = 'arm64' ]]; then echo 'aarch64'; else echo 'x86_64'; fi) | ||||||
|  |         FLATPAK_VERSION='24.08' | ||||||
|  |         flatpak install --user --no-deps --arch $FLATPAK_ARCH --assumeyes runtime/org.freedesktop.Platform/$FLATPAK_ARCH/$FLATPAK_VERSION runtime/org.freedesktop.Sdk/$FLATPAK_ARCH/$FLATPAK_VERSION org.electronjs.Electron2.BaseApp/$FLATPAK_ARCH/$FLATPAK_VERSION | ||||||
| 
 | 
 | ||||||
|   # Critical debugging configuration |     # Build setup | ||||||
|   - name: Run electron-forge build with enhanced logging |     - name: Install dependencies | ||||||
|     shell: ${{ inputs.shell }} |       shell: ${{ inputs.shell }} | ||||||
|     env: |       run: npm ci | ||||||
|       # Pass through required environment variables for signing and notarization |  | ||||||
|       APPLE_TEAM_ID: ${{ env.APPLE_TEAM_ID }} |  | ||||||
|       APPLE_ID: ${{ env.APPLE_ID }} |  | ||||||
|       APPLE_ID_PASSWORD: ${{ env.APPLE_ID_PASSWORD }} |  | ||||||
|       WINDOWS_SIGN_EXECUTABLE: ${{ env.WINDOWS_SIGN_EXECUTABLE }} |  | ||||||
|       TRILIUM_ARTIFACT_NAME_HINT: TriliumNextNotes-${{ github.ref_name }}-${{ inputs.os }}-${{ inputs.arch }} |  | ||||||
|     run: npm run electron-forge:make -- --arch=${{ inputs.arch }} --platform=${{ inputs.forge_platform }} |  | ||||||
| 
 | 
 | ||||||
|   # Add DMG signing step |     - name: Update build info | ||||||
|   - name: Sign DMG |       shell: ${{ inputs.shell }} | ||||||
|     if: inputs.os == 'macos' |       run: npm run chore:update-build-info | ||||||
|     shell: ${{ inputs.shell }} | 
 | ||||||
|     run: | |     # Critical debugging configuration | ||||||
|       echo "Signing DMG file..." |     - name: Run electron-forge build with enhanced logging | ||||||
|       dmg_file=$(find ./dist -name "*.dmg" -print -quit) |       shell: ${{ inputs.shell }} | ||||||
|       if [ -n "$dmg_file" ]; then |       env: | ||||||
|         echo "Found DMG: $dmg_file" |         # Pass through required environment variables for signing and notarization | ||||||
|         # Get the first valid signing identity from the keychain |         APPLE_TEAM_ID: ${{ env.APPLE_TEAM_ID }} | ||||||
|         SIGNING_IDENTITY=$(security find-identity -v -p codesigning build.keychain | grep "Developer ID Application" | head -1 | sed -E 's/.*"([^"]+)".*/\1/') |         APPLE_ID: ${{ env.APPLE_ID }} | ||||||
|         if [ -z "$SIGNING_IDENTITY" ]; then |         APPLE_ID_PASSWORD: ${{ env.APPLE_ID_PASSWORD }} | ||||||
|           echo "Error: No valid Developer ID Application certificate found in keychain" |         WINDOWS_SIGN_EXECUTABLE: ${{ env.WINDOWS_SIGN_EXECUTABLE }} | ||||||
|           exit 1 |         TRILIUM_ARTIFACT_NAME_HINT: TriliumNextNotes-${{ github.ref_name }}-${{ inputs.os }}-${{ inputs.arch }} | ||||||
|  |       run: npm run electron-forge:make -- --arch=${{ inputs.arch }} --platform=${{ inputs.forge_platform }} | ||||||
|  | 
 | ||||||
|  |     # Add DMG signing step | ||||||
|  |     - name: Sign DMG | ||||||
|  |       if: inputs.os == 'macos' | ||||||
|  |       shell: ${{ inputs.shell }} | ||||||
|  |       run: | | ||||||
|  |         echo "Signing DMG file..." | ||||||
|  |         dmg_file=$(find ./dist -name "*.dmg" -print -quit) | ||||||
|  |         if [ -n "$dmg_file" ]; then | ||||||
|  |           echo "Found DMG: $dmg_file" | ||||||
|  |           # Get the first valid signing identity from the keychain | ||||||
|  |           SIGNING_IDENTITY=$(security find-identity -v -p codesigning build-app-${{ github.run_id }}.keychain | grep "Developer ID Application" | head -1 | sed -E 's/.*"([^"]+)".*/\1/') | ||||||
|  |           if [ -z "$SIGNING_IDENTITY" ]; then | ||||||
|  |             echo "Error: No valid Developer ID Application certificate found in keychain" | ||||||
|  |             exit 1 | ||||||
|  |           fi | ||||||
|  |           echo "Using signing identity: $SIGNING_IDENTITY" | ||||||
|  |           # Sign the DMG | ||||||
|  |           codesign --force --sign "$SIGNING_IDENTITY" --options runtime --timestamp "$dmg_file" | ||||||
|  |           # Notarize the DMG | ||||||
|  |           xcrun notarytool submit "$dmg_file" --apple-id "$APPLE_ID" --password "$APPLE_ID_PASSWORD" --team-id "$APPLE_TEAM_ID" --wait | ||||||
|  |           # Staple the notarization ticket | ||||||
|  |           xcrun stapler staple "$dmg_file" | ||||||
|  |         else | ||||||
|  |           echo "No DMG found to sign" | ||||||
|         fi |         fi | ||||||
|         echo "Using signing identity: $SIGNING_IDENTITY" |  | ||||||
|         # Sign the DMG |  | ||||||
|         codesign --force --sign "$SIGNING_IDENTITY" --options runtime --timestamp "$dmg_file" |  | ||||||
|         # Notarize the DMG |  | ||||||
|         xcrun notarytool submit "$dmg_file" --apple-id "$APPLE_ID" --password "$APPLE_ID_PASSWORD" --team-id "$APPLE_TEAM_ID" --wait |  | ||||||
|         # Staple the notarization ticket |  | ||||||
|         xcrun stapler staple "$dmg_file" |  | ||||||
|       else |  | ||||||
|         echo "No DMG found to sign" |  | ||||||
|       fi |  | ||||||
| 
 | 
 | ||||||
|   - name: Verify code signing |     - name: Verify code signing | ||||||
|     if: inputs.os == 'macos' |       if: inputs.os == 'macos' | ||||||
|     shell: ${{ inputs.shell }} |       shell: ${{ inputs.shell }} | ||||||
|     run: | |       run: | | ||||||
|       echo "Verifying code signing for all artifacts..." |         echo "Verifying code signing for all artifacts..." | ||||||
| 
 | 
 | ||||||
|       # First check the .app bundle |         # First check the .app bundle | ||||||
|       echo "Looking for .app bundle..." |         echo "Looking for .app bundle..." | ||||||
|       app_bundle=$(find ./dist -name "*.app" -print -quit) |         app_bundle=$(find ./dist -name "*.app" -print -quit) | ||||||
|       if [ -n "$app_bundle" ]; then |         if [ -n "$app_bundle" ]; then | ||||||
|         echo "Found app bundle: $app_bundle" |           echo "Found app bundle: $app_bundle" | ||||||
|         echo "Verifying app bundle signing..." |           echo "Verifying app bundle signing..." | ||||||
|         codesign --verify --deep --strict --verbose=2 "$app_bundle" |           codesign --verify --deep --strict --verbose=2 "$app_bundle" | ||||||
|         echo "Displaying app bundle signing info..." |           echo "Displaying app bundle signing info..." | ||||||
|         codesign --display --verbose=2 "$app_bundle" |           codesign --display --verbose=2 "$app_bundle" | ||||||
| 
 | 
 | ||||||
|         echo "Checking entitlements..." |           echo "Checking entitlements..." | ||||||
|         codesign --display --entitlements :- "$app_bundle" |           codesign --display --entitlements :- "$app_bundle" | ||||||
| 
 | 
 | ||||||
|         echo "Checking notarization status..." |           echo "Checking notarization status..." | ||||||
|         xcrun stapler validate "$app_bundle" || echo "Warning: App bundle not notarized yet" |           xcrun stapler validate "$app_bundle" || echo "Warning: App bundle not notarized yet" | ||||||
|       else |         else | ||||||
|         echo "No .app bundle found to verify" |           echo "No .app bundle found to verify" | ||||||
|       fi |         fi | ||||||
| 
 | 
 | ||||||
|       # Then check DMG if it exists |         # Then check DMG if it exists | ||||||
|       echo "Looking for DMG..." |         echo "Looking for DMG..." | ||||||
|       dmg_file=$(find ./dist -name "*.dmg" -print -quit) |         dmg_file=$(find ./dist -name "*.dmg" -print -quit) | ||||||
|       if [ -n "$dmg_file" ]; then |         if [ -n "$dmg_file" ]; then | ||||||
|         echo "Found DMG: $dmg_file" |           echo "Found DMG: $dmg_file" | ||||||
|         echo "Verifying DMG signing..." |           echo "Verifying DMG signing..." | ||||||
|         codesign --verify --deep --strict --verbose=2 "$dmg_file" |           codesign --verify --deep --strict --verbose=2 "$dmg_file" | ||||||
|         echo "Displaying DMG signing info..." |           echo "Displaying DMG signing info..." | ||||||
|         codesign --display --verbose=2 "$dmg_file" |           codesign --display --verbose=2 "$dmg_file" | ||||||
| 
 | 
 | ||||||
|         echo "Checking DMG notarization..." |           echo "Checking DMG notarization..." | ||||||
|         xcrun stapler validate "$dmg_file" || echo "Warning: DMG not notarized yet" |           xcrun stapler validate "$dmg_file" || echo "Warning: DMG not notarized yet" | ||||||
|       else |         else | ||||||
|         echo "No DMG found to verify" |           echo "No DMG found to verify" | ||||||
|       fi |         fi | ||||||
| 
 | 
 | ||||||
|       # Finally check ZIP if it exists |         # Finally check ZIP if it exists | ||||||
|       echo "Looking for ZIP..." |         echo "Looking for ZIP..." | ||||||
|       zip_file=$(find ./dist -name "*.zip" -print -quit) |         zip_file=$(find ./dist -name "*.zip" -print -quit) | ||||||
|       if [ -n "$zip_file" ]; then |         if [ -n "$zip_file" ]; then | ||||||
|         echo "Found ZIP: $zip_file" |           echo "Found ZIP: $zip_file" | ||||||
|         echo "Note: ZIP files are not code signed, but their contents should be" |           echo "Note: ZIP files are not code signed, but their contents should be" | ||||||
|       fi |         fi | ||||||
|  | |||||||
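Review bot: The new `security set-keychain-settings -t 3600 -l build-app-…keychain` and matching `build-installer-…` lines in the Verify certificates step put a one-hour idle timeout (plus lock-on-sleep) on the keychains that the later electron-forge build, Sign DMG and Verify code signing steps still rely on, so a job whose build phase exceeds that window would hit a locked keychain and `codesign` would fail with an unhelpful error. If only lock-on-sleep is wanted, drop `-t 3600`; otherwise set the timeout comfortably above the expected job length and document it, e.g. `# keychain auto-locks after this many seconds; must outlast the build, DMG signing and notarization steps below`. Whether `-t` takes effect without `-u` varies by macOS version of the `security` tool, so the actual behaviour should be confirmed on the runner image. Separately, both columns of this section still pin `apple-actions/import-codesign-certs@v3` while the PR title announces v5, so the version change is not visible here; when it lands, pinning the action to a full commit SHA rather than a mutable tag would limit the exposure of the p12 and its password, which this action receives as inputs.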
	 Elian Doran
						Elian Doran