diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
new file mode 100644
index 0000000..af8cf45
--- /dev/null
+++ b/.github/workflows/build.yml
@@ -0,0 +1,97 @@
+name: Build & Release
+
+on:
+ push:
+ branches:
+ - master
+ tags:
+ - v*
+ pull_request:
+
+jobs:
+ lint:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v2
+ - name: Setup Node.js
+ uses: actions/setup-node@v1
+ with:
+ node-version: 12.x
+ - name: Get yarn cache directory path
+ id: yarn-cache-dir-path
+ run: echo "::set-output name=dir::$(yarn cache dir)"
+ - uses: actions/cache@v1
+ id: yarn-cache # use this to check for `cache-hit` (`steps.yarn-cache.outputs.cache-hit != 'true'`)
+ with:
+ path: ${{ steps.yarn-cache-dir-path.outputs.dir }}
+ key: ${{ runner.os }}-yarn-${{ hashFiles('**/yarn.lock') }}
+ restore-keys: |
+ ${{ runner.os }}-yarn-
+ - name: Install
+ run: yarn
+ - name: lint
+ run: yarn lint
+ build:
+ needs: lint
+ runs-on: ${{ matrix.platform.host }}
+ strategy:
+ matrix:
+ platform:
+ - host: windows-latest
+ target: win32
+ - host: macOS-latest
+ target: darwin
+ - host: ubuntu-latest
+ target: linux
+ steps:
+ - uses: actions/checkout@v2
+ - name: Setup Node.js
+ uses: actions/setup-node@v1
+ with:
+ node-version: 12.x
+ - name: Get yarn cache directory path
+ id: yarn-cache-dir-path
+ run: echo "::set-output name=dir::$(yarn cache dir)"
+ - uses: actions/cache@v1
+ if: matrix.platform.host != 'macOS-latest'
+ id: yarn-cache # use this to check for `cache-hit` (`steps.yarn-cache.outputs.cache-hit != 'true'`)
+ with:
+ path: ${{ steps.yarn-cache-dir-path.outputs.dir }}
+ key: ${{ runner.os }}-yarn-${{ hashFiles('**/yarn.lock') }}
+ restore-keys: |
+ ${{ runner.os }}-yarn-
+ - name: Set MacOS signing certs
+ if: matrix.os == 'macos-latest'
+ run: chmod +x tools/add-osx-cert.sh && ./tools/add-osx-cert.sh
+ env:
+ CERTIFICATE_OSX_APPLICATION: ${{ secrets.MACOS_CERT_P12 }}
+ CERTIFICATE_PASSWORD: ${{ secrets.MACOS_CERT_PASSWORD }}
+ - name: Set Windows signing certificate
+ if: matrix.os == 'windows-latest'
+ id: write_file
+ uses: timheuer/base64-to-file@v1
+ with:
+ fileName: 'win-certificate.pfx'
+ encodedString: ${{ secrets.WINDOWS_CODESIGN_P12 }}
+ - name: Install
+ run: yarn
+ - name: Make
+ # if: startsWith(github.ref, 'refs/tags/')
+ run: yarn make
+ env:
+ APPLE_ID: ${{ secrets.APPLE_ID }}
+ APPLE_ID_PASSWORD: ${{ secrets.APPLE_ID_PASSWORD }}
+ WINDOWS_CODESIGN_FILE: ${{ steps.write_file.outputs.filePath }}
+ WINDOWS_CODESIGN_PASSWORD: ${{ secrets.WINDOWS_CODESIGN_PASSWORD }}
+ - name: Release
+ uses: softprops/action-gh-release@v1
+ if: startsWith(github.ref, 'refs/tags/')
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ with:
+ files: |
+ electron-app/out/**/*.deb
+ electron-app/out/**/*.dmg
+ electron-app/out/**/*Setup.exe
+ electron-app/out/**/*.rpm
+ electron-app/out/**/*.zip
\ No newline at end of file
diff --git a/assets/certs/apple.cer b/assets/certs/apple.cer
new file mode 100644
index 0000000..d2bb1da
Binary files /dev/null and b/assets/certs/apple.cer differ
diff --git a/assets/certs/dac.cer b/assets/certs/dac.cer
new file mode 100644
index 0000000..3d8fb27
Binary files /dev/null and b/assets/certs/dac.cer differ
diff --git a/assets/entitlements.plist b/assets/entitlements.plist
new file mode 100644
index 0000000..983f109
--- /dev/null
+++ b/assets/entitlements.plist
@@ -0,0 +1,16 @@
+
+
+
+
+ com.apple.security.cs.allow-jit
+
+ com.apple.security.cs.allow-unsigned-executable-memory
+
+ com.apple.security.cs.disable-library-validation
+
+ com.apple.security.cs.disable-executable-page-protection
+
+ com.apple.security.automation.apple-events
+
+
+
\ No newline at end of file
diff --git a/forge.config.js b/forge.config.js
index 9c6859b..8ca0132 100644
--- a/forge.config.js
+++ b/forge.config.js
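Review bot: The two signing steps are guarded by `matrix.os == 'macos-latest'` and `matrix.os == 'windows-latest'`, but this matrix only defines `platform.host` and `platform.target`, so both conditions evaluate to false and the certificates are never installed; use `if: matrix.platform.host == 'macOS-latest'` and the Windows equivalent. The macOS step also runs `tools/add-osx-cert.sh` and exports `CERTIFICATE_OSX_APPLICATION`/`CERTIFICATE_PASSWORD`, while the script added in this commit is `tools/add-macos-cert.sh` and reads `MACOS_CERT_P12`/`MACOS_CERT_PASSWORD`. Separately, `timheuer/base64-to-file@v1` receives the code-signing certificate and `softprops/action-gh-release@v1` the release token, both through mutable tags; pinning third-party actions to a full commit SHA limits what a retagged release could reach. With the `if:` on the Make step commented out, the signing and Apple ID secrets are also handed to `yarn make` on every push and same-repository pull request rather than only on tag builds.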
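Review bot: `com.apple.security.cs.disable-executable-page-protection` and `com.apple.security.cs.disable-library-validation` remove memory and code-signing protections that `'hardened-runtime': true` in forge.config.js is meant to enforce, and nothing in this commit shows that the app needs them. Electron apps generally need `com.apple.security.cs.allow-jit` (older Electron versions also `allow-unsigned-executable-memory`); the two broader keys and `com.apple.security.automation.apple-events` should be dropped unless a specific feature depends on them. The values are not visible in this rendering, so this assumes each key is set to true. For any entitlement that stays, add an XML comment beside it naming the feature that requires it.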
@@ -1,10 +1,17 @@ const path = require('path'); +const fs = require('fs'); const package = require('./package.json'); +if (process.env['WINDOWS_CODESIGN_FILE']) { + const certPath = path.join(__dirname, 'win-certificate.pfx'); + const certExists = fs.existsSync(certPath); + + if (certExists) { + process.env['WINDOWS_CODESIGN_FILE'] = certPath; + } +} + module.exports = { - hooks: { - postPackage: require('./tools/notarize') - }, packagerConfig: { asar: false, icon: path.resolve(__dirname, 'assets', 'icon'), @@ -18,10 +25,14 @@ module.exports = { identity: 'Developer ID Application: Felix Rieseberg (LT94ZKYDCJ)', 'hardened-runtime': true, 'gatekeeper-assess': false, - 'entitlements': 'static/entitlements.plist', - 'entitlements-inherit': 'static/entitlements.plist', + 'entitlements': 'assets/entitlements.plist', + 'entitlements-inherit': 'assets/entitlements.plist', 'signature-flags': 'library' }, + osxNotarize: { + appleId: process.env['APPLE_ID'], + appleIdPassword: process.env['APPLE_ID_PASSWORD'] + }, ignore: [ /\/assets(\/?)/, /\/docs(\/?)/, @@ -46,8 +57,8 @@ module.exports = { remoteReleases: '', setupExe: `macintoshjs-${package.version}-setup-${arch}.exe`, setupIcon: path.resolve(__dirname, 'assets', 'icon.ico'), - certificateFile: process.env.WINDOWS_CERTIFICATE_FILE, - certificatePassword: process.env.WINDOWS_CERTIFICATE_PASSWORD, + certificateFile: process.env['WINDOWS_CODESIGN_FILE'], + certificatePassword: process.env['WINDOWS_CODESIGN_PASSWORD'], loadingGif: './assets/loadingGif.gif', } } diff --git a/tools/add-macos-cert.sh b/tools/add-macos-cert.sh new file mode 100644 index 0000000..742a0b3 --- /dev/null +++ b/tools/add-macos-cert.sh 
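Review bot: The override added at the top of forge.config.js points `WINDOWS_CODESIGN_FILE` at `win-certificate.pfx` inside the project directory, which is the same directory the packager copies from, and with `asar: false` any file not matched by `ignore` ends up readable in the shipped app. The `ignore` list is only partly visible in this diff, so confirm it excludes the certificate, for example by adding `/\.pfx$/`, or keep the decoded certificate outside the source tree. A comment above the block such as `// CI may drop the decoded signing certificate here; it must never be committed or packaged` would record the intent.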
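Review bot: `osxNotarize` is built from `process.env['APPLE_ID']` and `process.env['APPLE_ID_PASSWORD']` without checking that they are set, so a local or pull-request macOS build hands undefined credentials to the notarization step, which will most likely fail late rather than be skipped. Making it conditional keeps unsigned development builds working: `osxNotarize: process.env['APPLE_ID'] ? { appleId: process.env['APPLE_ID'], appleIdPassword: process.env['APPLE_ID_PASSWORD'] } : undefined`. The deleted tools/notarize.js also passed `ascProvider: 'LT94ZKYDCJ'`, which the new block drops; if the Apple ID belongs to more than one team, that value may still be needed. `packagerConfig` opens and closes outside this hunk.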
@@ -0,0 +1,23 @@
+#!/usr/bin/env sh
+
+KEY_CHAIN=build.keychain
+MACOS_CERT_P12_FILE=certificate.p12
+
+# Recreate the certificate from the secure environment variable
+echo $MACOS_CERT_P12 | base64 --decode > $MACOS_CERT_P12_FILE
+
+#create a keychain
+security create-keychain -p actions $KEY_CHAIN
+
+# Make the keychain the default so identities are found
+security default-keychain -s $KEY_CHAIN
+
+# Unlock the keychain
+security unlock-keychain -p actions $KEY_CHAIN
+
+security import $MACOS_CERT_P12_FILE -k $KEY_CHAIN -P $MACOS_CERT_PASSWORD -T /usr/bin/codesign;
+
+security set-key-partition-list -S apple-tool:,apple: -s -k actions $KEY_CHAIN
+
+# remove certs
+rm -fr *.p12
diff --git a/tools/make-distributable.sh b/tools/make-distributable.sh
new file mode 100644
index 0000000..6a98d7d
--- /dev/null
+++ b/tools/make-distributable.sh
@@ -0,0 +1,3 @@
+#!/bin/bash -xe
+
+yarn make --skip-package --platform $PLATFORM --targets=@electron-forge/maker-$MAKER
\ No newline at end of file
diff --git a/tools/notarize.js b/tools/notarize.js
deleted file mode 100644
index ba3fb08..0000000
--- a/tools/notarize.js
+++ /dev/null
@@ -1,30 +0,0 @@
-const { notarize } = require('electron-notarize');
-const path = require('path');
-
-const buildOutput = path.resolve(
- __dirname,
- '..',
- 'out',
- 'macintosh.js-darwin-x64',
- 'macintosh.js.app'
-);
-
-module.exports = function () {
- if (process.platform !== 'darwin') {
- console.log('Not a Mac; skipping notarization');
- return;
- }
-
- console.log('Notarizing...');
-
- return notarize({
- appBundleId: 'com.felixrieseberg.macintoshjs',
- appPath: buildOutput,
- appleId: process.env.APPLE_ID,
- appleIdPassword: process.env.APPLE_ID_PASSWORD,
- ascProvider: 'LT94ZKYDCJ'
- }).catch((e) => {
- console.error(e);
- throw e;
- });
-}
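Review bot: tools/add-macos-cert.sh never enables `set -eu`, so a failed `base64 --decode` or `security import` does not stop the build, and an unset `MACOS_CERT_P12` silently produces an empty certificate file; starting the script with `set -eu` makes either case fail loudly. The expansions are unquoted, so a password containing spaces or glob characters is split before `security import` sees it; prefer `printf '%s' "$MACOS_CERT_P12" | base64 --decode > "$MACOS_CERT_P12_FILE"` and `-P "$MACOS_CERT_PASSWORD"`. Once `set -e` is on, register the cleanup up front as `trap 'rm -f "$MACOS_CERT_P12_FILE"' EXIT`, because the trailing `rm -fr *.p12` would then be skipped on failure, and it also deletes any other .p12 in the directory. A header comment stating the expected variables (`MACOS_CERT_P12` base64-encoded, `MACOS_CERT_PASSWORD`) would help, since the workflow step in this commit exports different names.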