CodeEditApp · lukepistrol · Dec 7, 2022 · Dec 7, 2022 · Dec 7, 2022
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
@@ -13,33 +13,73 @@ jobs:
     steps:
       - name: Checkout Repository
         uses: actions/checkout@v2
-
+      - name: Install codesign certificate
+        env:
+          # DEV_CERT_B64: Base64-encoded developer certificate as .p12
+          # DEV_CERT_PWD: Developer certificate .p12 password
+          # PROVISION_PROFILE_B64: Base64-encoded provisioning profile as .provisionprofile
+          # KEYCHAIN_TIMEOUT: Lock keychain after timeout interval
+          # https://docs.github.com/en/actions/deployment/deploying-xcode-applications/installing-an-apple-certificate-on-macos-runners-for-xcode-development
+          DEV_CERT_B64: ${{ secrets.DEV_CERT_B64 }}
+          DEV_CERT_PWD: ${{ secrets.DEV_CERT_PWD }}
+          KEYCHAIN_TIMEOUT: 21600
+        run: |
+          DEV_CERT_P12="$RUNNER_TEMP/dev_cert.p12"
+          KEYCHAIN_DB="$RUNNER_TEMP/keychain.keychain-db"
+          KEYCHAIN_PWD=$(openssl rand -base64 24)
+          security create-keychain -p "$KEYCHAIN_PWD" "$KEYCHAIN_DB"
+          security set-keychain-settings -lut "$KEYCHAIN_TIMEOUT" "$KEYCHAIN_DB"
+          security unlock-keychain -p "$KEYCHAIN_PWD" "$KEYCHAIN_DB"
+          echo -n "$DEV_CERT_B64" | base64 --decode --output "$DEV_CERT_P12"
+          security import "$DEV_CERT_P12" -P "$DEV_CERT_PWD" -A -t cert -f pkcs12 -k "$KEYCHAIN_DB"
+          security list-keychain -d user -s "$KEYCHAIN_DB"
       - name: Building
         run: |
           swift build -c release --arch arm64 --arch x86_64
-          cd .build/apple/Products/Release/
-          zip codeedit-cli.zip codeedit-cli
-          cd ../../../../
-
       # CODESIGN & NOTARIZE THE BINARY
-
-      - name: Create Release
-        id: create_release
-        uses: actions/create-release@v1
+      - name: Sign 
         env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        with:
-          tag_name: ${{ github.ref }}
-          release_name: ${{ github.ref }}
-          draft: false
-          prerelease: false
-
-      - name: Upload Release Asset
-        uses: actions/upload-release-asset@v1
+          CODESIGN_SIGN: ${{ secrets.CODESIGN_SIGN }}
+        run: |
+          codesign --sign "$CODESIGN_SIGN" --prefix austincondiff.CodeEdit. --options=runtime --verbose --timestamp .build/apple/Products/Release/codeedit-cli
+      - name: Zip
+        run: zip -r .build/apple/Products/Release/codeedit-cli.zip .build/apple/Products/Release/codeedit-cli
+      - name: Notarize
         env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        with:
-          upload_url: ${{ steps.create_release.outputs.upload_url }}
-          asset_path: .build/apple/Products/Release/codeedit-cli.zip
-          asset_name: codeedit-cli-binary.zip
-          asset_content_type: application/zip
+          APPLE_ID: ${{ secrets.APPLE_ID }}
+          APPLE_ID_PWD: ${{ secrets.APPLE_ID_PWD }}
+          APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
+        run: |
+          xcrun notarytool submit ".build/apple/Products/Release/codeedit-cli.zip" --apple-id "$APPLE_ID" --password "$APPLE_ID_PWD" --team-id "$APPLE_TEAM_ID" --verbose --wait --output-format plist > "NotarizationResponse.plist"
+          echo "**RESPONSE**"
+          cat NotarizationResponse.plist
+          id=`/usr/libexec/PlistBuddy -c "Print :id" "NotarizationResponse.plist"`
+          xcrun notarytool log --verbose --apple-id "$APPLE_ID" --password "$APPLE_ID_PWD" --team-id "$APPLE_TEAM_ID" "$id"
+          status=`/usr/libexec/PlistBuddy -c "Print :status" "NotarizationResponse.plist"`
+          if [[ $status != "Accepted" ]]; then
+            exit 999
+          fi
+      #- name: Create Release
+       # id: create_release
+        #uses: actions/create-release@v1
+        #env:
+          #GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        #with:
+          #tag_name: ${{ github.ref }}
+          #release_name: ${{ github.ref }}
+          #draft: false
+          #prerelease: false
+
+      #- name: Upload Release Asset
+       # uses: actions/upload-release-asset@v1
+        #env:
+         # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        #with:
+          #upload_url: ${{ steps.create_release.outputs.upload_url }}
+          #asset_path: .build/apple/Products/Release/codeedit-cli.zip
+          #asset_name: codeedit-cli-binary.zip
+          #asset_content_type: application/zip
+      - name: Clean up keychain
+        if: ${{ always() }}
+        run: |
+          security delete-keychain "$RUNNER_TEMP/keychain.keychain-db"