feat: app notarisation

freeCodeCamp · Feb 2, 2025 · b175c3e · b175c3e
1 parent e0d87fa
commit b175c3e
Show file tree

Hide file tree

Showing 3 changed files with 80 additions and 69 deletions.
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -4,58 +4,58 @@ on:
   workflow_dispatch:
 
 jobs:
-  create-release:
-    permissions:
-      contents: write
-    runs-on: ubuntu-latest
-    outputs:
-      release_id: ${{ steps.create-release.outputs.result }}
-
-    steps:
-      - uses: actions/checkout@v4
-
-      - name: setup node
-        uses: actions/setup-node@v4
-        with:
-          node-version: lts/*
-
-      - name: get version
-        run: echo "PACKAGE_VERSION=$(node -p "require('./package.json').version")" >> $GITHUB_ENV
-
-      - name: create release
-        id: create-release
-        uses: actions/github-script@v7
-        with:
-          script: |
-            const { data } = await github.rest.repos.createRelease({
-              owner: context.repo.owner,
-              repo: context.repo.repo,
-              tag_name: `v${process.env.PACKAGE_VERSION}`,
-              name: `Exam Environment v${process.env.PACKAGE_VERSION}`,
-              body: 'Take a look at the assets to download and install this app.',
-              draft: true,
-              prerelease: false
-            })
-            return data.id
+  # create-release:
+  #   permissions:
+  #     contents: write
+  #   runs-on: ubuntu-latest
+  #   outputs:
+  #     release_id: ${{ steps.create-release.outputs.result }}
+
+  #   steps:
+  #     - uses: actions/checkout@v4
+
+  #     - name: setup node
+  #       uses: actions/setup-node@v4
+  #       with:
+  #         node-version: lts/*
+
+  #     - name: get version
+  #       run: echo "PACKAGE_VERSION=$(node -p "require('./package.json').version")" >> $GITHUB_ENV
+
+  #     - name: create release
+  #       id: create-release
+  #       uses: actions/github-script@v7
+  #       with:
+  #         script: |
+  #           const { data } = await github.rest.repos.createRelease({
+  #             owner: context.repo.owner,
+  #             repo: context.repo.repo,
+  #             tag_name: `v${process.env.PACKAGE_VERSION}`,
+  #             name: `Exam Environment v${process.env.PACKAGE_VERSION}`,
+  #             body: 'Take a look at the assets to download and install this app.',
+  #             draft: true,
+  #             prerelease: false
+  #           })
+  #           return data.id
 
   build-tauri:
-    needs: create-release
+    # needs: create-release
     permissions:
       contents: write
     strategy:
       fail-fast: false
       matrix:
         include:
           - platform: "macos-latest"
-            args: "--target aarch64-apple-darwin"
+            args: "--target aarch64-apple-darwin --bundles dmg"
           - platform: "macos-latest"
-            args: "--target x86_64-apple-darwin"
-          - platform: "ubuntu-22.04"
-            args: ""
-          - platform: "windows-latest"
-            args: "--config src-tauri/tauri.microsoftstore.conf.json --bundles msi,updater"
-          - platform: "windows-latest"
-            args: "--bundles nsis,updater"
+            args: "--target x86_64-apple-darwin --bundles dmg"
+          # - platform: "ubuntu-22.04"
+          #   args: ""
+          # - platform: "windows-latest"
+          #   args: "--config src-tauri/tauri.microsoftstore.conf.json --bundles msi,updater"
+          # - platform: "windows-latest"
+          #   args: "--bundles nsis,updater"
 
     runs-on: ${{ matrix.platform }}
     env:
@@ -118,19 +118,24 @@ jobs:
         if: matrix.platform == 'macos-latest'
         env:
           KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }}
-          APPLE_DISTRIBUTION_CERT: ${{ secrets.APPLE_DISTRIBUTION_CERT }}
-          PROVISIONING_PROFILE: ${{ secrets.PROVISIONING_PROFILE }}
+          APPLE_DEVELOPER_ID_CERT: ${{ secrets.APPLE_DEVELOPER_ID_CERT }}
+          PROVISIONING_PROFILE: ${{ secrets.MAC_APP_DIRECT_PROVISIONING_PROFILE }}
+          APPLE_API_KEY_ID: ${{ secrets.APPLE_API_KEY_ID }}
+          APPLE_API_KEY: ${{ secrets.APPLE_API_KEY }}
         run: |
           # create variables
+          mkdir private_keys
           CERT_BASE_PATH=/Users/runner/Library/MobileDevice/Certificates
           mkdir -p $CERT_BASE_PATH
-          DISTRIBUTION_CERT_PATH=$CERT_BASE_PATH/distribution_certificate.p12
+          DEVELOPER_ID_CERT_PATH=$CERT_BASE_PATH/developer_id_certificate.p12
           PP_PATH=./src-tauri/embedded.provisionprofile
           KEYCHAIN_PATH=$RUNNER_TEMP/app-signing.keychain-db
+          APPLE_API_KEY_PATH=./private_keys/AuthKey_$APPLE_API_KEY_ID.p8
 
           # import certificate and provisioning profile from secrets
-          echo -n "$APPLE_DISTRIBUTION_CERT" | base64 --decode -o $DISTRIBUTION_CERT_PATH
+          echo -n "$APPLE_DEVELOPER_ID_CERT" | base64 --decode -o $DEVELOPER_ID_CERT_PATH
           echo -n "$PROVISIONING_PROFILE" | base64 --decode -o $PP_PATH
+          echo -n "$APPLE_API_KEY" | base64 --decode -o $APPLE_API_KEY_PATH
 
           # create temporary keychain
           keychain initialize --password $KEYCHAIN_PASSWORD --path $KEYCHAIN_PATH --timeout 21600
@@ -150,6 +155,12 @@ jobs:
           AZURE_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }}
           AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
 
+          # MacOS specific
+          APPLE_SIGNING_IDENTITY: "Developer ID Application: Free Code Camp, Inc. (L33K9LWVP9)"
+          APPLE_API_ISSUER: ${{ secrets.APPLE_API_ISSUER }}
+          APPLE_API_KEY_ID: ${{ secrets.APPLE_API_KEY_ID }}
+          APPLE_API_KEY: ${{ secrets.APPLE_API_KEY_ID }}
+
           SENTRY_DSN: ${{ secrets.SENTRY_DSN }}
           VITE_FREECODECAMP_API: ${{ env.VITE_FREECODECAMP_API }}
           VITE_MOCK_DATA: ${{ env.VITE_MOCK_DATA }}
@@ -160,24 +171,24 @@ jobs:
           includeRelease: true
           includeUpdaterJson: true
 
-  publish-release:
-    permissions:
-      contents: write
-    runs-on: ubuntu-latest
-    needs: [create-release, build-tauri]
-
-    steps:
-      - name: publish release
-        id: publish-release
-        uses: actions/github-script@v7
-        env:
-          release_id: ${{ needs.create-release.outputs.release_id }}
-        with:
-          script: |
-            github.rest.repos.updateRelease({
-              owner: context.repo.owner,
-              repo: context.repo.repo,
-              release_id: process.env.release_id,
-              draft: false,
-              prerelease: false
-            })
+  # publish-release:
+  #   permissions:
+  #     contents: write
+  #   runs-on: ubuntu-latest
+  #   needs: [create-release, build-tauri]
+
+  #   steps:
+  #     - name: publish release
+  #       id: publish-release
+  #       uses: actions/github-script@v7
+  #       env:
+  #         release_id: ${{ needs.create-release.outputs.release_id }}
+  #       with:
+  #         script: |
+  #           github.rest.repos.updateRelease({
+  #             owner: context.repo.owner,
+  #             repo: context.repo.repo,
+  #             release_id: process.env.release_id,
+  #             draft: false,
+  #             prerelease: false
+  #           })
diff --git a/src-tauri/Release.entitlements → src-tauri/Entitlements.plist b/src-tauri/Release.entitlements → src-tauri/Entitlements.plist
diff --git a/src-tauri/tauri.conf.json b/src-tauri/tauri.conf.json
@@ -34,10 +34,10 @@
       "icons/icon.ico"
     ],
     "macOS": {
-      "entitlements": "./Release.entitlements",
+      "entitlements": "./Entitlements.plist",
       "exceptionDomain": "",
       "frameworks": [],
-      "signingIdentity": "Apple Distribution: Free Code Camp, Inc. (L33K9LWVP9)",
+      "signingIdentity": "Developer ID Application: Free Code Camp, Inc. (L33K9LWVP9)",
       "files": {
         "embedded.provisionprofile": "./embedded.provisionprofile"
       }