Merge pull request #326 from betwixt-labs/publish-workflow

fix: publish workflow (macos signing)
betwixt-labs · Mar 29, 2024 · c93a49b · c93a49b
2 parents 664b39e + 3ff6959
commit c93a49b
Showing 1 changed file with 28 additions and 26 deletions.
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -99,35 +99,38 @@ jobs:
         working-directory: ./extensions/chordc
 
       - if: matrix.os == 'macos-latest'
-        name: Import Code-Signing Certificates
-        uses: Apple-Actions/import-codesign-certs@v1
-        with:
-          # The certificates in a PKCS12 file encoded as a base64 string
-          p12-file-base64: ${{ secrets.APPLE_DEVELOPER_CERTIFICATE_P12_BASE64 }}
-          # The password used to import the PKCS12 file.
-          p12-password: ${{ secrets.APPLE_DEVELOPER_CERTIFICATE_PASSWORD }}
+        name: Sign macOS (x64) Binary
+        uses: lando/code-sign-action@v2
+        with:
+          file: ${{env.BUILD_ARTIFACT_X86_64}}
+          certificate-data: ${{ secrets.APPLE_DEVELOPER_CERTIFICATE_P12_BASE64 }}
+          certificate-password: ${{ secrets.APPLE_DEVELOPER_CERTIFICATE_PASSWORD }}
+          apple-notary-user: ${{ secrets.AC_USERNAME }}
+          apple-notary-password: ${{ secrets.AC_PASSWORD }}
+          apple-product-id: "sh.bebop"
+          apple-team-id: ${{ secrets.APPLE_TEAM_ID }}
+          options: --options runtime --entitlements bebopc.entitlements
 
       - if: matrix.os == 'macos-latest'
-        name: Install gon via HomeBrew for Code Signing and App Notarization
-        run: |
-          brew install mitchellh/gon/gon
+        name: Zip notarized macOS (x64) Binary
+        run: zip -j ${{env.BUILD_ZIP_ARTIFACT_X86_64}} ${{ steps.code-sign-action.outputs.file }}
 
       - if: matrix.os == 'macos-latest'
-        name: Sign and zip macOS Binary
-        env:
-          AC_USERNAME: ${{ secrets.AC_USERNAME }}
-          AC_PASSWORD: ${{ secrets.AC_PASSWORD }}
-        run: |
-          gon -log-level=trace -log-json ./gon-x64.json
-          unzip -j -o ./notarized-osx-x64.zip
-          rm -f ./notarized-osx-x64.zip
-          zip -j ${{env.BUILD_ZIP_ARTIFACT_X86_64}} ./bebopc
-          rm -f ./bebopc
-          gon -log-level=trace -log-json ./gon-arm64.json
-          unzip -j -o ./notarized-osx-arm64.zip
-          rm -f ./notarized-osx-arm64.zip
-          zip -j ${{env.BUILD_ZIP_ARTIFACT_ARM64}} ./bebopc
-          rm -f ./bebopc
+        name: Sign macOS (arm64) Binary
+        uses: lando/code-sign-action@v2
+        with:
+          file: ${{env.BUILD_ARTIFACT_ARM64}}
+          certificate-data: ${{ secrets.APPLE_DEVELOPER_CERTIFICATE_P12_BASE64 }}
+          certificate-password: ${{ secrets.APPLE_DEVELOPER_CERTIFICATE_PASSWORD }}
+          apple-notary-user: ${{ secrets.AC_USERNAME }}
+          apple-notary-password: ${{ secrets.AC_PASSWORD }}
+          apple-product-id: "sh.bebop"
+          apple-team-id: ${{ secrets.APPLE_TEAM_ID }}
+          options: --options runtime --entitlements bebopc.entitlements
+
+      - if: matrix.os == 'macos-latest'
+        name: Zip notarized macOS (arm64) Binary
+        run: zip -j ${{env.BUILD_ZIP_ARTIFACT_ARM64}} ${{ steps.code-sign-action.outputs.file }}
 
       - if: matrix.os == 'macos-latest'
         name: Zip chordc macOS Binary
@@ -147,7 +150,6 @@ jobs:
           zip -j ${{env.CHORD_ZIP_ARTIFACT_X86_64}} ${{env.CHORD_ARTIFACT_X86_64}}
           zip -j ${{env.CHORD_ZIP_ARTIFACT_ARM64}} ${{env.CHORD_ARTIFACT_ARM64}}
 
-
       - if: matrix.os == 'windows-latest'
         name: ZIP Windows Build
         shell: powershell