diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 23ec99c..e03f3bf 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -68,7 +68,7 @@ jobs:
 cp .\Release\* ..\artifacts\$env:ARCH
 env:
 ARCH: Win32
- - name: Sign generated DLLs
+ - name: Code signing binaries
 uses: azure/trusted-signing-action@v0.5.0
 if: env.CODESIGN == 'true'
 with:
@@ -105,8 +105,17 @@ jobs:
 runs-on: macos-13
 env:
 MACOSX_DEPLOYMENT_TARGET: "10.10"
+ CODESIGN: ${{ !!secrets.CODESIGN_MACOS_P12_URL }}
 steps:
 - uses: actions/checkout@v4
+ - name: Cache apple-codesign
+ uses: actions/cache@v2
+ with:
+ path: |
+ ~/.cargo/bin
+ ~/.cargo/git
+ ~/.cargo/registry
+ key: ${{ runner.os }}-cargo-${{ hashFiles('**/Cargo.lock') }}
 - name: Build
 run: |
 mkdir build
@@ -127,11 +136,35 @@ jobs:
 done
 cp -Rv include artifacts/
 cp -v ../COPYING ../README ../ChangeLog artifacts
+ - name: Prepare code signing certificate
+ if: env.CODESIGN == 'true'
+ run: |
+ pip3 install awscli
+ aws s3 cp "$CODESIGN_MACOS_P12_URL" ./appledev.p12
+ cargo install apple-codesign
+ env:
+ AWS_DEFAULT_REGION: eu-central-1
+ AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+ AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+ CODESIGN_MACOS_P12_URL: ${{ secrets.CODESIGN_MACOS_P12_URL }}
+ - name: Code signing binaries
+ if: env.CODESIGN == 'true'
+ run: |
+ for arch in arm64 x86_64; do
+ rcodesign sign \
+ --p12-file appledev.p12 \
+ --p12-password "$CODESIGN_MACOS_P12_PASSWORD" \
+ artifacs/${arch}/libdiscid.0.dylib
+ done
+ env:
+ CODESIGN_MACOS_P12_PASSWORD: ${{ secrets.CODESIGN_MACOS_P12_PASSWORD }}
 - name: Archive production artifacts
 uses: actions/upload-artifact@v4
 with:
 name: libdiscid-macos
 path: build/artifacts
+ - name: Code signing cleanup
+ run: rm ./appledev.p12
 release:
 runs-on: ubuntu-latest
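Review bot: In the new "Cache apple-codesign" step the key `${{ runner.os }}-cargo-${{ hashFiles('**/Cargo.lock') }}` hashes a Cargo.lock that this repository may not contain (nothing in the diff suggests a Rust project), in which case the hash is empty and the key never changes. The cached `~/.cargo/bin` holds the `rcodesign` binary that later reads the signing certificate and its password, so a cache that never rotates should be a deliberate choice; keying on the tool version, e.g. `key: ${{ runner.os }}-rcodesign-<PINNED_VERSION>`, makes refreshes explicit. The step also uses `actions/cache@v2`, an older major than the `@v4` actions used elsewhere in this file, and it runs even when signing is disabled; adding `if: env.CODESIGN == 'true'` would skip it where the secrets are absent.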
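Review bot: The signing loop in the third hunk targets `artifacs/${arch}/libdiscid.0.dylib`, which is misspelled and, judging by the upload path `build/artifacts`, probably also lacks the `build/` prefix, so the step cannot find the libraries it is meant to sign; it likely should read `build/artifacts/${arch}/libdiscid.0.dylib` (the Build step's body starts outside this hunk, so confirm the working directory). The final "Code signing cleanup" step has no `if:`, so it fails on a missing file when CODESIGN is false and is skipped when an earlier step fails, leaving the certificate on disk; `if: always()` with `run: rm -f ./appledev.p12` covers both cases. The prepare step runs unpinned `pip3 install awscli` and `cargo install apple-codesign` with the AWS credentials in its environment. Installing the tools in a separate step without secrets, at pinned versions and with `cargo install --locked`, keeps third-party install-time code away from the keys.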