build: Baby's first GitHub Action

2020-07-27 18:04:24 -07:00 · 2020-07-27 18:04:24 -07:00 · 0f91d7c62a
parent ad7e313fb5
commit 0f91d7c62a
8 changed files with 157 additions and 37 deletions
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@ -0,0 +1,97 @@
+name: Build & Release
+
+on:
+  push:
+    branches:
+      - master
+    tags:
+      - v*
+  pull_request:
+
+jobs:
+  lint:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - name: Setup Node.js
+        uses: actions/setup-node@v1
+        with:
+          node-version: 12.x
+      - name: Get yarn cache directory path
+        id: yarn-cache-dir-path
+        run: echo "::set-output name=dir::$(yarn cache dir)"
+      - uses: actions/cache@v1
+        id: yarn-cache # use this to check for `cache-hit` (`steps.yarn-cache.outputs.cache-hit != 'true'`)
+        with:
+          path: ${{ steps.yarn-cache-dir-path.outputs.dir }}
+          key: ${{ runner.os }}-yarn-${{ hashFiles('**/yarn.lock') }}
+          restore-keys: |
+            ${{ runner.os }}-yarn-
+      - name: Install
+        run: yarn
+      - name: lint
+        run: yarn lint
+  build:
+    needs: lint
+    runs-on: ${{ matrix.platform.host }}
+    strategy:
+      matrix:
+        platform:
+          - host: windows-latest
+            target: win32
+          - host: macOS-latest
+            target: darwin
+          - host: ubuntu-latest
+            target: linux
+    steps:
+      - uses: actions/checkout@v2
+      - name: Setup Node.js
+        uses: actions/setup-node@v1
+        with:
+          node-version: 12.x
+      - name: Get yarn cache directory path
+        id: yarn-cache-dir-path
+        run: echo "::set-output name=dir::$(yarn cache dir)"
+      - uses: actions/cache@v1
+        if: matrix.platform.host != 'macOS-latest'
+        id: yarn-cache # use this to check for `cache-hit` (`steps.yarn-cache.outputs.cache-hit != 'true'`)
+        with:
+          path: ${{ steps.yarn-cache-dir-path.outputs.dir }}
+          key: ${{ runner.os }}-yarn-${{ hashFiles('**/yarn.lock') }}
+          restore-keys: |
+            ${{ runner.os }}-yarn-
+      - name: Set MacOS signing certs
+        if: matrix.os == 'macos-latest'
+        run: chmod +x tools/add-osx-cert.sh && ./tools/add-osx-cert.sh
+        env:
+          CERTIFICATE_OSX_APPLICATION: ${{ secrets.MACOS_CERT_P12 }}
+          CERTIFICATE_PASSWORD: ${{ secrets.MACOS_CERT_PASSWORD }}
+      - name: Set Windows signing certificate
+        if: matrix.os == 'windows-latest'
+        id: write_file
+        uses: timheuer/base64-to-file@v1
+        with:
+          fileName: 'win-certificate.pfx'
+          encodedString: ${{ secrets.WINDOWS_CODESIGN_P12 }}
+      - name: Install
+        run: yarn
+      - name: Make
+        # if: startsWith(github.ref, 'refs/tags/')
+        run: yarn make
+        env:
+          APPLE_ID: ${{ secrets.APPLE_ID }}
+          APPLE_ID_PASSWORD: ${{ secrets.APPLE_ID_PASSWORD }}
+          WINDOWS_CODESIGN_FILE: ${{ steps.write_file.outputs.filePath }}
+          WINDOWS_CODESIGN_PASSWORD: ${{ secrets.WINDOWS_CODESIGN_PASSWORD }}
+      - name: Release
+        uses: softprops/action-gh-release@v1
+        if: startsWith(github.ref, 'refs/tags/')
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          files: |
+            electron-app/out/**/*.deb
+            electron-app/out/**/*.dmg
+            electron-app/out/**/*Setup.exe
+            electron-app/out/**/*.rpm
+            electron-app/out/**/*.zip
--- a/assets/certs/apple.cer
+++ b/assets/certs/apple.cer
--- a/assets/certs/dac.cer
+++ b/assets/certs/dac.cer
--- a/assets/entitlements.plist
+++ b/assets/entitlements.plist
@ -0,0 +1,16 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+  <dict>
+    <key>com.apple.security.cs.allow-jit</key>
+    <true/>
+    <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
+    <true/>
+    <key>com.apple.security.cs.disable-library-validation</key>
+    <true/>
+    <key>com.apple.security.cs.disable-executable-page-protection</key>
+    <true/>
+    <key>com.apple.security.automation.apple-events</key>
+    <true/>
+  </dict>
+</plist>
--- a/forge.config.js
+++ b/forge.config.js
@ -1,10 +1,17 @@
 const path = require('path');
+const fs = require('fs');
 const package = require('./package.json');

+if (process.env['WINDOWS_CODESIGN_FILE']) {
+  const certPath = path.join(__dirname, 'win-certificate.pfx');
+  const certExists = fs.existsSync(certPath);
+
+  if (certExists) {
+    process.env['WINDOWS_CODESIGN_FILE'] = certPath;
+  }
+}
+
 module.exports = {
-  hooks: {
-    postPackage: require('./tools/notarize')
-  },
  packagerConfig: {
    asar: false,
    icon: path.resolve(__dirname, 'assets', 'icon'),
@ -18,10 +25,14 @@ module.exports = {
      identity: 'Developer ID Application: Felix Rieseberg (LT94ZKYDCJ)',
      'hardened-runtime': true,
      'gatekeeper-assess': false,
-      'entitlements': 'static/entitlements.plist',
-      'entitlements-inherit': 'static/entitlements.plist',
+      'entitlements': 'assets/entitlements.plist',
+      'entitlements-inherit': 'assets/entitlements.plist',
      'signature-flags': 'library'
    },
+    osxNotarize: {
+      appleId: process.env['APPLE_ID'],
+      appleIdPassword: process.env['APPLE_ID_PASSWORD']
+    },
    ignore: [
      /\/assets(\/?)/,
      /\/docs(\/?)/,
@ -46,8 +57,8 @@ module.exports = {
          remoteReleases: '',
          setupExe: `macintoshjs-${package.version}-setup-${arch}.exe`,
          setupIcon: path.resolve(__dirname, 'assets', 'icon.ico'),
-          certificateFile: process.env.WINDOWS_CERTIFICATE_FILE,
-          certificatePassword: process.env.WINDOWS_CERTIFICATE_PASSWORD,
+          certificateFile: process.env['WINDOWS_CODESIGN_FILE'],
+          certificatePassword: process.env['WINDOWS_CODESIGN_PASSWORD'],
          loadingGif: './assets/loadingGif.gif',
        }
      }
--- a/tools/add-macos-cert.sh
+++ b/tools/add-macos-cert.sh
@ -0,0 +1,23 @@
+#!/usr/bin/env sh
+
+KEY_CHAIN=build.keychain
+MACOS_CERT_P12_FILE=certificate.p12
+
+# Recreate the certificate from the secure environment variable
+echo $MACOS_CERT_P12 | base64 --decode > $MACOS_CERT_P12_FILE
+
+#create a keychain
+security create-keychain -p actions $KEY_CHAIN
+
+# Make the keychain the default so identities are found
+security default-keychain -s $KEY_CHAIN
+
+# Unlock the keychain
+security unlock-keychain -p actions $KEY_CHAIN
+
+security import $MACOS_CERT_P12_FILE -k $KEY_CHAIN -P $MACOS_CERT_PASSWORD -T /usr/bin/codesign;
+
+security set-key-partition-list -S apple-tool:,apple: -s -k actions $KEY_CHAIN
+
+# remove certs
+rm -fr *.p12
--- a/tools/make-distributable.sh
+++ b/tools/make-distributable.sh
@ -0,0 +1,3 @@
+#!/bin/bash -xe
+
+yarn make --skip-package --platform $PLATFORM --targets=@electron-forge/maker-$MAKER
--- a/tools/notarize.js
+++ b/tools/notarize.js
@ -1,30 +0,0 @@
-const { notarize } = require('electron-notarize');
-const path = require('path');
-
-const buildOutput = path.resolve(
-  __dirname,
-  '..',
-  'out',
-  'macintosh.js-darwin-x64',
-  'macintosh.js.app'
-);
-
-module.exports = function () {
-  if (process.platform !== 'darwin') {
-    console.log('Not a Mac; skipping notarization');
-    return;
-  }
-
-  console.log('Notarizing...');
-
-  return notarize({
-    appBundleId: 'com.felixrieseberg.macintoshjs',
-    appPath: buildOutput,
-    appleId: process.env.APPLE_ID,
-    appleIdPassword: process.env.APPLE_ID_PASSWORD,
-    ascProvider: 'LT94ZKYDCJ'
-  }).catch((e) => {
-    console.error(e);
-    throw e;
-  });
-}