1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185name: Build package
on:
workflow_call:
inputs:
runs-on:
description: 'The runner type'
required: true
type: string
defaults:
run:
shell: bash
env:
PUB_ENVIRONMENT: bot.github
permissions: read-all
jobs:
publish:
name: "Build"
runs-on: "${{ inputs.runs-on }}"
environment: build
env:
GITHUB_REPOSITORY_URL: ${{ github.server_url }}/${{ github.repository }}
steps:
- uses: dart-lang/setup-dart@v1
with:
sdk: stable
- id: checkout
uses: actions/checkout@v6
- name: Compare version with ref/tag
if: startsWith(github.ref, 'refs/tags/')
id: compare_version_with_tag
run: |
set -e
VERSION=$(awk '/^version: / {print $2}' pubspec.yaml)
TAG=${GITHUB_REF_NAME#v}
if [[ "$VERSION" != "$TAG" ]]; then
echo "Version in pubspec.yaml ($VERSION) does not match tag ($TAG)"
exit 1
fi
echo "VERSION=$VERSION" >> $GITHUB_ENV
- name: Configure .env file
id: generate_env_file
env:
ALGOLIA_SEARCH_INDEX: ${{ vars.ALGOLIA_SEARCH_INDEX }}
ALGOLIA_APPLICATION_ID: ${{ vars.ALGOLIA_APPLICATION_ID }}
ALGOLIA_SEARCH_ONLY_API_KEY: ${{ vars.ALGOLIA_SEARCH_ONLY_API_KEY }}
run: |
set -e
mv .env.example .env
sed -i '' "s#APP_VERSION=.*#APP_VERSION=$VERSION#" .env
sed -i '' "s#GITHUB_REPOSITORY_URL=.*#GITHUB_REPOSITORY_URL=$GITHUB_REPOSITORY_URL#" .env
sed -i '' "s#ALGOLIA_SEARCH_INDEX=.*#ALGOLIA_SEARCH_INDEX=$ALGOLIA_SEARCH_INDEX#" .env
sed -i '' "s#ALGOLIA_APPLICATION_ID=.*#ALGOLIA_APPLICATION_ID=$ALGOLIA_APPLICATION_ID#" .env
sed -i '' "s#ALGOLIA_SEARCH_ONLY_API_KEY=.*#ALGOLIA_SEARCH_ONLY_API_KEY=$ALGOLIA_SEARCH_ONLY_API_KEY#" .env
- name: Configure the info.plist
id: info_plist
run: |
set -e
/usr/libexec/PlistBuddy -c "Set :version $VERSION" ./info.plist
/usr/libexec/PlistBuddy -c "Set :webaddress $GITHUB_REPOSITORY_URL" ./info.plist
- name: Install dependencies
id: install_dependencies
run: |
dart pub get
dart pub global activate -sgit https://github.com/techouse/dart_pubspec_licenses_lite
- name: Run Dart code generation
id: generate_code
run: dart run build_runner build --delete-conflicting-outputs
- name: Check formatting
run: dart format --output=none --set-exit-if-changed .
- name: Analyze
run: dart analyze --fatal-infos
- name: Build executable
id: build_executable
run: bash ./build.sh
- name: Install the Apple certificate
id: install_certificate
env:
BUILD_CERTIFICATE_BASE64: ${{ secrets.BUILD_CERTIFICATE_BASE64 }}
P12_PASSWORD: ${{ secrets.P12_PASSWORD }}
KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }}
run: |
set -e
CERTIFICATE_PATH=$RUNNER_TEMP/build_certificate.p12
KEYCHAIN_PATH=$RUNNER_TEMP/app-signing.keychain-db
# import certificate
echo -n "$BUILD_CERTIFICATE_BASE64" | base64 --decode -o $CERTIFICATE_PATH
# create temporary keychain
security create-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
security set-keychain-settings -lut 21600 $KEYCHAIN_PATH
security unlock-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
# import certificate to keychain
security import $CERTIFICATE_PATH -P "$P12_PASSWORD" -A -t cert -f pkcs12 -k $KEYCHAIN_PATH
security list-keychain -d user -s $KEYCHAIN_PATH
- name: Sign executable
id: sign_executable
env:
BUILD_CERTIFICATE_SHA1: ${{ secrets.BUILD_CERTIFICATE_SHA1 }}
run: |
set -e
BUNDLE_ID=$(/usr/libexec/PlistBuddy -c 'print ":bundleid"' info.plist)
codesign \
--sign="$BUILD_CERTIFICATE_SHA1" \
--identifier="$BUNDLE_ID" \
--deep \
--force \
--options=runtime \
--entitlement="./entitlements.plist" \
--timestamp \
./build/dist/workflow
- name: Verify signature
id: verify_executable_signature
env:
TEAM_ID: ${{ secrets.TEAM_ID }}
run: |
set -e
if [[ $(codesign -dv ./build/dist/workflow 2>&1 | awk -F= '/TeamIdentifier/{print $2}') != "$TEAM_ID" ]]; then
echo "The TeamIdentifier in the signature does not match the signing TeamIdentifier."
exit 1
fi
- name: Package executable into ZIP archive
id: zip_executable
run: |
set -e
zip -j ./build/dist/workflow.zip ./build/dist/workflow
- name: Create notarytool Keychain profile
id: create_keychain_profile
env:
APPLE_ID: ${{ secrets.APPLE_ID }}
TEAM_ID: ${{ secrets.TEAM_ID }}
NOTARYTOOL_PASSWORD: ${{ secrets.NOTARYTOOL_PASSWORD }}
NOTARYTOOL_KEYCHAIN_PROFILE: ${{ vars.NOTARYTOOL_KEYCHAIN_PROFILE }}
run: |
set -e
xcrun notarytool \
store-credentials "$NOTARYTOOL_KEYCHAIN_PROFILE" \
--apple-id "$APPLE_ID" \
--team-id "$TEAM_ID" \
--password "$NOTARYTOOL_PASSWORD"
- name: Notarize executable
id: notarize_executable
env:
NOTARYTOOL_KEYCHAIN_PROFILE: ${{ vars.NOTARYTOOL_KEYCHAIN_PROFILE }}
run: |
set -e
xcrun notarytool \
submit ./build/dist/workflow.zip \
--keychain-profile "$NOTARYTOOL_KEYCHAIN_PROFILE" \
--wait
- name: Delete obsolete ZIP archive
id: delete_zip_archive
run: |
set -e
rm -rf ./build/dist/workflow.zip
- name: Compress artifacts
id: compress_artifacts
env:
WORKFLOW_NAME: ${{ vars.WORKFLOW_NAME }}
working-directory: build/dist
run: |
set -e
ARTIFACT_NAME=${WORKFLOW_NAME}-v${VERSION}-$(uname -m)
echo "ARTIFACT_NAME=$ARTIFACT_NAME" >> $GITHUB_ENV
find . -not -path "./*_cache*" -exec zip --symlinks "../${ARTIFACT_NAME}.zip" {} +
echo "ARTIFACT_PATH=build/${ARTIFACT_NAME}.zip" >> $GITHUB_ENV
- name: Artifact
id: success_artifact
uses: actions/upload-artifact@v6
with:
name: ${{ env.ARTIFACT_NAME }}
path: ${{ env.ARTIFACT_PATH }}
retention-days: 1
- name: Clean up keychain and build directory
id: clean_up
if: ${{ always() }}
run: |
security delete-keychain $RUNNER_TEMP/app-signing.keychain-db
rm -rf $RUNNER_TEMP/build_certificate.p12
rm .env
rm -rf build