Rework apple certificate, add grapheme fix

author: Павел Жуков <33721692+LeaveMyYard@users.noreply.github.com> 2023-05-27 19:21:58 +0300
committer: Павел Жуков <33721692+LeaveMyYard@users.noreply.github.com> 2023-05-27 19:21:58 +0300
commit: a953146ef1e995b2cc3eb16e981ca8a7947060fe (patch)
tree: 3974ae622934e2df61056a3fc0bbb0c2fd2b5c10 /.github/workflows/build-on-release.yml
parent: 8b7abd743f64e22b61c9ce1ad13353d40c4a55ae (diff)
1 files changed, 37 insertions, 7 deletions
diff --git a/.github/workflows/build-on-release.yml b/.github/workflows/build-on-release.yml
index 93d8d47..6d983cf 100644
--- a/.github/workflows/build-on-release.yml
+++ b/.github/workflows/build-on-release.yml
@@ -31,16 +31,40 @@ jobs:
       run: |
         sudo apt-get install -y binutils
 
-    - name: Build with PyInstaller
-      run: |
-        pyinstaller krr.py
-
-    - name: Sign the application
+    - name: Install the Apple certificate and provisioning profile
       if: matrix.os == 'macos-latest'
       env:
-        APPLE_DEV_PASSWORD: ${{ secrets.APPLE_DEV_PASSWORD }}
+        BUILD_CERTIFICATE_BASE64: ${{ secrets.BUILD_CERTIFICATE_BASE64 }}
+        P12_PASSWORD: ${{ secrets.P12_PASSWORD }}
+        BUILD_PROVISION_PROFILE_BASE64: ${{ secrets.BUILD_PROVISION_PROFILE_BASE64 }}
+        KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }}
+      run: |
+        # create variables
+        CERTIFICATE_PATH=$RUNNER_TEMP/build_certificate.p12
+        PP_PATH=$RUNNER_TEMP/build_pp.mobileprovision
+        KEYCHAIN_PATH=$RUNNER_TEMP/app-signing.keychain-db
+
+        # import certificate and provisioning profile from secrets
+        echo -n "$BUILD_CERTIFICATE_BASE64" | base64 --decode -o $CERTIFICATE_PATH
+        echo -n "$BUILD_PROVISION_PROFILE_BASE64" | base64 --decode -o $PP_PATH
+
+        # create temporary keychain
+        security create-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
+        security set-keychain-settings -lut 21600 $KEYCHAIN_PATH
+        security unlock-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
+
+        # import certificate to keychain
+        security import $CERTIFICATE_PATH -P "$P12_PASSWORD" -A -t cert -f pkcs12 -k $KEYCHAIN_PATH
+        security list-keychain -d user -s $KEYCHAIN_PATH
+
+        # apply provisioning profile
+        mkdir -p ~/Library/MobileDevice/Provisioning\ Profiles
+        cp $PP_PATH ~/Library/MobileDevice/Provisioning\ Profiles
+
+    - name: Build with PyInstaller
       run: |
-        codesign --force --options runtime --sign "Developer ID Application: pavel@robusta.dev" --keychain-password "$APPLE_DEV_PASSWORD" dist/krr/krr
+        pyinstaller krr.py
+        ${{ fromJSON('{"ubuntu-latest":"cp","macos-latest":"cp","windows-latest":"copy"}')[matrix.os] || matrix.os }} $(python3.9 -c "import grapheme; print(grapheme.__path__[0] + '/data/grapheme_break_property.json')") ./dist/krr/grapheme/data/grapheme_break_property.json
 
     - name: Zip the application
       run: |
@@ -55,3 +79,9 @@ jobs:
         asset_path: ./krr-${{ matrix.os }}-${{ github.ref_name }}.zip
         asset_name: krr-${{ matrix.os }}-${{ github.ref_name }}.zip
         asset_content_type: application/octet-stream
+
+    - name: Clean up keychain and provisioning profile
+      if: (matrix.os == 'macos-latest') && always()
+      run: |
+        security delete-keychain $RUNNER_TEMP/app-signing.keychain-db
+        rm ~/Library/MobileDevice/Provisioning\ Profiles/build_pp.mobileprovision
author	Павел Жуков <33721692+LeaveMyYard@users.noreply.github.com>	2023-05-27 19:21:58 +0300
committer	Павел Жуков <33721692+LeaveMyYard@users.noreply.github.com>	2023-05-27 19:21:58 +0300
commit	a953146ef1e995b2cc3eb16e981ca8a7947060fe (patch)
tree	3974ae622934e2df61056a3fc0bbb0c2fd2b5c10 /.github/workflows/build-on-release.yml
parent	8b7abd743f64e22b61c9ce1ad13353d40c4a55ae (diff)