From 0f91d7c62a9b8ee892b5b6040e4e18a92dfe9911 Mon Sep 17 00:00:00 2001 From: Felix Rieseberg Date: Mon, 27 Jul 2020 18:04:24 -0700 Subject: [PATCH] build: Baby's first GitHub Action --- .github/workflows/build.yml | 97 ++++++++++++++++++++++++++++++++++++ assets/certs/apple.cer | Bin 0 -> 1062 bytes assets/certs/dac.cer | Bin 0 -> 1051 bytes assets/entitlements.plist | 16 ++++++ forge.config.js | 25 +++++++--- tools/add-macos-cert.sh | 23 +++++++++ tools/make-distributable.sh | 3 ++ tools/notarize.js | 30 ----------- 8 files changed, 157 insertions(+), 37 deletions(-) create mode 100644 .github/workflows/build.yml create mode 100644 assets/certs/apple.cer create mode 100644 assets/certs/dac.cer create mode 100644 assets/entitlements.plist create mode 100644 tools/add-macos-cert.sh create mode 100644 tools/make-distributable.sh delete mode 100644 tools/notarize.js diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml new file mode 100644 index 0000000..af8cf45 --- /dev/null +++ b/.github/workflows/build.yml 
@@ -0,0 +1,97 @@ +name: Build & Release + +on: + push: + branches: + - master + tags: + - v* + pull_request: + +jobs: + lint: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v2 + - name: Setup Node.js + uses: actions/setup-node@v1 + with: + node-version: 12.x + - name: Get yarn cache directory path + id: yarn-cache-dir-path + run: echo "::set-output name=dir::$(yarn cache dir)" + - uses: actions/cache@v1 + id: yarn-cache # use this to check for `cache-hit` (`steps.yarn-cache.outputs.cache-hit != 'true'`) + with: + path: ${{ steps.yarn-cache-dir-path.outputs.dir }} + key: ${{ runner.os }}-yarn-${{ hashFiles('**/yarn.lock') }} + restore-keys: | + ${{ runner.os }}-yarn- + - name: Install + run: yarn + - name: lint + run: yarn lint + build: + needs: lint + runs-on: ${{ matrix.platform.host }} + strategy: + matrix: + platform: + - host: windows-latest + target: win32 + - host: macOS-latest + target: darwin + - host: ubuntu-latest + target: linux + steps: + - uses: actions/checkout@v2 + - name: Setup Node.js + uses: actions/setup-node@v1 + with: + node-version: 12.x + - name: Get yarn cache directory path + id: yarn-cache-dir-path + run: echo "::set-output name=dir::$(yarn cache dir)" + - uses: actions/cache@v1 + if: matrix.platform.host != 'macOS-latest' + id: yarn-cache # use this to check for `cache-hit` (`steps.yarn-cache.outputs.cache-hit != 'true'`) + with: + path: ${{ steps.yarn-cache-dir-path.outputs.dir }} + key: ${{ runner.os }}-yarn-${{ hashFiles('**/yarn.lock') }} + restore-keys: | + ${{ runner.os }}-yarn- + - name: Set MacOS signing certs + if: matrix.os == 'macos-latest' + run: chmod +x tools/add-osx-cert.sh && ./tools/add-osx-cert.sh + env: + CERTIFICATE_OSX_APPLICATION: ${{ secrets.MACOS_CERT_P12 }} + CERTIFICATE_PASSWORD: ${{ secrets.MACOS_CERT_PASSWORD }} + - name: Set Windows signing certificate + if: matrix.os == 'windows-latest' + id: write_file + uses: timheuer/base64-to-file@v1 + with: + fileName: 'win-certificate.pfx' + encodedString: 
${{ secrets.WINDOWS_CODESIGN_P12 }} + - name: Install + run: yarn + - name: Make + # if: startsWith(github.ref, 'refs/tags/') + run: yarn make + env: + APPLE_ID: ${{ secrets.APPLE_ID }} + APPLE_ID_PASSWORD: ${{ secrets.APPLE_ID_PASSWORD }} + WINDOWS_CODESIGN_FILE: ${{ steps.write_file.outputs.filePath }} + WINDOWS_CODESIGN_PASSWORD: ${{ secrets.WINDOWS_CODESIGN_PASSWORD }} + - name: Release + uses: softprops/action-gh-release@v1 + if: startsWith(github.ref, 'refs/tags/') + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + with: + files: | + electron-app/out/**/*.deb + electron-app/out/**/*.dmg + electron-app/out/**/*Setup.exe + electron-app/out/**/*.rpm + electron-app/out/**/*.zip \ No newline at end of file diff --git a/assets/certs/apple.cer b/assets/certs/apple.cer new file mode 100644 index 0000000000000000000000000000000000000000..d2bb1da64122c864c872d9b711b176d042462748 GIT binary patch literal 1062 zcmXqLVo@?^V&+=F%*4pV#KCxP&k@Vq1p)@VY@Awc9&O)w85vnw84QvPxeYkkm_u3E zgqcEv4TTK^K^!h&F2{m`oKywRyktE?H3JopAh)nAM9?|4s3bEjGdZy&Ge1wkv9u&3 zzbLb$(ooDm1f-5xm=~fhC_leM!P(J3PMp`!*ucoZ+{nZl`k>Qj@$g1r8WvHYTX!VypjWG%{)c-lQVYXRuCJE(pY=;r$WxRF4-br${9`c}_k`!An>Li0EopDe zv*^E}E$UaTdLwGTU-QAd$KGuPNJ^ruh+PumVL-h)reU3&vOc4_NAnbP|3 z#gVzkGL~*w{3pGxU>8%Qce&F<%bj1(KJXzgbzkmy4MuTzafLDk420{ zq(fbtbLBRPgzh)5cYSk@JQ@_Tc)I~VNLrYY@jnZz0W**?kOv7Uvq%_-HHc_m$aJ4l z#`*6{cCVhpvhVJ`^&D{qdLRYzEb0cT2FeQ*7s$8CW|Wi^Sn2C07v<Nhma(=FU z5ipVI0fh|sKiL>2Sz0$ga7&Wk^6MMZpzW` ze<$2-^n%rNMP7I9$xNP|H^ujq>s(2H^mkUSRbjJu1>%3p6qBF+hu?6 zedkq{<@Qo*x8F5!lFt%JA<5kEuT>H4)frt++IqZRKk^h=we)T%!^(BLy$#kqT(EJE zX2Ubi@~8Vu7BQZxzw?Oene~p{Z+0b3{mh!|*mRcPTGnUklH03)o}Bv9|B3H&wV91C z_x#+Vd5N(q?V(=JH^r`_KPnzJuG@ck!rYZ>Kd=95AvG=CKqhc$%$vflrY$-AJfiXd D2`7-6 literal 0 HcmV?d00001 
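Review bot: The `if:` conditions on the `Set MacOS signing certs` and `Set Windows signing certificate` steps compare `matrix.os`, but this matrix only defines `matrix.platform.host` (the key already used in `runs-on` and in the cache step's `if:`), and the macOS runner is spelled `macOS-latest`, so both conditions evaluate false, neither certificate is ever installed, and `WINDOWS_CODESIGN_FILE` is filled from the output of a skipped step. The macOS step also runs `tools/add-osx-cert.sh` while the patch adds `tools/add-macos-cert.sh`, and it exports `CERTIFICATE_OSX_APPLICATION`/`CERTIFICATE_PASSWORD` whereas that script reads `MACOS_CERT_P12` and `MACOS_CERT_PASSWORD`; the fence below aligns the conditions, script path and variable names with what the matrix and the script actually define. Separately, with the `if: startsWith(github.ref, 'refs/tags/')` guard on `Make` commented out, the Apple ID and code-signing credentials are injected into the environment of every push and pull_request build where secrets are available, not only tagged releases; restricting the `env:` of `Make` (or the signing steps) to tag refs limits what a compromised dependency or build script can read. `timheuer/base64-to-file@v1` receives the raw PFX, so pinning it to a full commit SHA rather than a moving tag is advisable.

```yaml
      - name: Set MacOS signing certs
        if: matrix.platform.host == 'macOS-latest'
        run: chmod +x tools/add-macos-cert.sh && ./tools/add-macos-cert.sh
        env:
          MACOS_CERT_P12: ${{ secrets.MACOS_CERT_P12 }}
          MACOS_CERT_PASSWORD: ${{ secrets.MACOS_CERT_PASSWORD }}
      - name: Set Windows signing certificate
        if: matrix.platform.host == 'windows-latest'
        # … unchanged: id, uses, with …
```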
diff --git a/assets/certs/dac.cer b/assets/certs/dac.cer new file mode 100644 index 0000000000000000000000000000000000000000..3d8fb276401a365b90012ec5d9a2d57d95151b9d GIT binary patch literal 1051 zcmXqLVi7lJV*0;;nTe5!i6dRpaqp8$OQj5W**LY@JlekVGBR?rG8iNoavN~6F^96S z2{VNT8wwi;f;e2lT#f|=IjIVsdC7W)Y6dDGL2hALh@f+7QAuW6W^!UlW`3T6V`)i7 zeoTEBc`t0jqG55adwjQnNZx$y^{CiMw!5;GmH@R~5mRA-h3Hw(HfCT(N-krl~Rsm7^aeIqjgvf-v zUFf+vSID%f>UziuZ=*w+Tonv^E^5Y~OA~mo+&tMymFvl!4$DF&W=00a#f{4h8W$VL z0z+Pwk420{#PgdO=MHJ*U(C_lUNtSa87m->&St<5k``uU{LjK_zzn1efJx82@9!P;ai@JfTf${>y1@djO86_nJR{HwMMLBwj zpd_i6oS&;-1WZ|aKp_J@ka~WQ4J^QP&SoIM#syB@$ti41+$>DM1df{CflE}Ks{bjfcIXS|(xUZNx5`ZB42O+udQZuEJGtcekLaNg~Qo=H~Q)w{tL9AED| z?418ORoUy>Lwr@80^) z^2^Orwfkxsc5AJitadWVt%EUC>*kiQ@b}IylU}_3d;J4zAD7)ui64ePj85<{d^=H; zcg5awr&jaR178_5GHt!?HF`e^I`itGP3M~($GiJKTr<12F6^G=M$KEnF&ZJKl-wt! LpXU%x`}Pa~3t@{q literal 0 HcmV?d00001 diff --git a/assets/entitlements.plist b/assets/entitlements.plist new file mode 100644 index 0000000..983f109 --- /dev/null +++ b/assets/entitlements.plist @@ -0,0 +1,16 @@ + + + + + com.apple.security.cs.allow-jit + + com.apple.security.cs.allow-unsigned-executable-memory + + com.apple.security.cs.disable-library-validation + + com.apple.security.cs.disable-executable-page-protection + + com.apple.security.automation.apple-events + + + \ No newline at end of file diff --git a/forge.config.js b/forge.config.js index 9c6859b..8ca0132 100644 --- a/forge.config.js +++ b/forge.config.js @@ -1,10 +1,17 @@ const path = require('path'); +const fs = require('fs'); const package = require('./package.json'); +if (process.env['WINDOWS_CODESIGN_FILE']) { + const certPath = path.join(__dirname, 'win-certificate.pfx'); + const certExists = fs.existsSync(certPath); + + if (certExists) { + process.env['WINDOWS_CODESIGN_FILE'] = certPath; + } +} + module.exports = { - hooks: { - postPackage: require('./tools/notarize') - }, packagerConfig: { asar: false, icon: path.resolve(__dirname, 'assets', 'icon'), 
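Review bot: The new entitlements file grants `com.apple.security.cs.disable-library-validation` and `com.apple.security.cs.disable-executable-page-protection` alongside the JIT entitlements, and nothing in the file records why each exception to the hardened runtime is needed (the collapsed hunk does not show the values, so I assume every key is set to `<true/>`). `allow-jit` and `allow-unsigned-executable-memory` are the usual requirements for an Electron/V8 process, but `disable-library-validation` lets the process load dylibs not signed by the same team, and `disable-executable-page-protection` is the broadest of the set and one Apple documents as something to avoid where possible; each should be justified or dropped. A short XML comment above each key, e.g. `<!-- Required by V8's JIT -->` and `<!-- Only needed while unsigned native modules are loaded; revisit -->`, would let the next maintainer tell deliberate exceptions from leftovers. `forge.config.js` points both `entitlements` and `entitlements-inherit` at this file, so every child process inherits the same exceptions.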
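Review bot: The new top-level block replaces whatever path `WINDOWS_CODESIGN_FILE` already holds with `<project root>/win-certificate.pfx` whenever that file exists, even though the workflow passes a path produced by `base64-to-file` in the same variable; a one-line comment stating the intent, e.g. `// A win-certificate.pfx in the project root takes precedence over WINDOWS_CODESIGN_FILE (local signing).`, would make the override read as deliberate rather than surprising. Because `asar: false` and the decoded PFX would sit in the project root, make sure it cannot end up inside the packaged app or the repository: add `/\/win-certificate\.pfx$/` to the `ignore` array in `packagerConfig` (which already lists `/\/assets(\/?)/` and `/\/docs(\/?)/`) and list the file in `.gitignore`. The `module.exports` object this hunk opens continues outside the hunk.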
@@ -18,10 +25,14 @@ module.exports = {
 identity: 'Developer ID Application: Felix Rieseberg (LT94ZKYDCJ)',
 'hardened-runtime': true,
 'gatekeeper-assess': false,
- 'entitlements': 'static/entitlements.plist',
- 'entitlements-inherit': 'static/entitlements.plist',
+ 'entitlements': 'assets/entitlements.plist',
+ 'entitlements-inherit': 'assets/entitlements.plist',
 'signature-flags': 'library'
 },
+ osxNotarize: {
+ appleId: process.env['APPLE_ID'],
+ appleIdPassword: process.env['APPLE_ID_PASSWORD']
+ },
 ignore: [
 /\/assets(\/?)/,
 /\/docs(\/?)/,
@@ -46,8 +57,8 @@ module.exports = {
 remoteReleases: '',
 setupExe: `macintoshjs-${package.version}-setup-${arch}.exe`,
 setupIcon: path.resolve(__dirname, 'assets', 'icon.ico'),
- certificateFile: process.env.WINDOWS_CERTIFICATE_FILE,
- certificatePassword: process.env.WINDOWS_CERTIFICATE_PASSWORD,
+ certificateFile: process.env['WINDOWS_CODESIGN_FILE'],
+ certificatePassword: process.env['WINDOWS_CODESIGN_PASSWORD'],
 loadingGif: './assets/loadingGif.gif',
 }
 }
diff --git a/tools/add-macos-cert.sh b/tools/add-macos-cert.sh
new file mode 100644
index 0000000..742a0b3
--- /dev/null
+++ b/tools/add-macos-cert.sh
@@ -0,0 +1,23 @@
+#!/usr/bin/env sh
+
+KEY_CHAIN=build.keychain
+MACOS_CERT_P12_FILE=certificate.p12
+
+# Recreate the certificate from the secure environment variable
+echo $MACOS_CERT_P12 | base64 --decode > $MACOS_CERT_P12_FILE
+
+#create a keychain
+security create-keychain -p actions $KEY_CHAIN
+
+# Make the keychain the default so identities are found
+security default-keychain -s $KEY_CHAIN
+
+# Unlock the keychain
+security unlock-keychain -p actions $KEY_CHAIN
+
+security import $MACOS_CERT_P12_FILE -k $KEY_CHAIN -P $MACOS_CERT_PASSWORD -T /usr/bin/codesign;
+
+security set-key-partition-list -S apple-tool:,apple: -s -k actions $KEY_CHAIN
+
+# remove certs
+rm -fr *.p12
diff --git a/tools/make-distributable.sh b/tools/make-distributable.sh
new file mode 100644
index 0000000..6a98d7d
--- /dev/null
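Review bot: `osxNotarize` is now set unconditionally, so on any macOS build where `APPLE_ID`/`APPLE_ID_PASSWORD` are unset (local builds, and pull_request runs, since the tag guard on `Make` is commented out) Forge will, as far as I can tell, attempt notarization with undefined credentials rather than skipping it. The deleted `tools/notarize.js` also passed `ascProvider: 'LT94ZKYDCJ'`, which the new config drops; if the Apple ID belongs to more than one team, notarization fails without it. Suggested: `osxNotarize: process.env['APPLE_ID'] ? { appleId: process.env['APPLE_ID'], appleIdPassword: process.env['APPLE_ID_PASSWORD'], ascProvider: 'LT94ZKYDCJ' } : undefined,` preceded by a comment such as `// Notarize only when Apple ID credentials are supplied (tagged release builds).`. The enclosing `module.exports` object starts and ends outside this hunk.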
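Review bot: The script has no `set -e`, so if `base64 --decode` or `security import` fails (for example because the secret is empty) execution continues, the keychain is created without an identity, and the problem only surfaces later as an unrelated-looking codesign error in `yarn make`; add `set -eu` after the shebang. The decoded `certificate.p12` is also only removed on the success path; a `trap 'rm -f "$MACOS_CERT_P12_FILE"' EXIT` right after the variable is defined deletes the private key from the workspace even when an earlier command aborts, and the final `rm -fr *.p12` should become `rm -f "$MACOS_CERT_P12_FILE"` so it removes only the file this script wrote. Quoting `"$MACOS_CERT_P12"` in the `echo` and `"$MACOS_CERT_PASSWORD"` in the import avoids word splitting if the secret ever contains whitespace.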
+++ b/tools/make-distributable.sh
@@ -0,0 +1,3 @@
+#!/bin/bash -xe
+
+yarn make --skip-package --platform $PLATFORM --targets=@electron-forge/maker-$MAKER
\ No newline at end of file
diff --git a/tools/notarize.js b/tools/notarize.js
deleted file mode 100644
index ba3fb08..0000000
--- a/tools/notarize.js
+++ /dev/null
@@ -1,30 +0,0 @@
-const { notarize } = require('electron-notarize');
-const path = require('path');
-
-const buildOutput = path.resolve(
- __dirname,
- '..',
- 'out',
- 'macintosh.js-darwin-x64',
- 'macintosh.js.app'
-);
-
-module.exports = function () {
- if (process.platform !== 'darwin') {
- console.log('Not a Mac; skipping notarization');
- return;
- }
-
- console.log('Notarizing...');
-
- return notarize({
- appBundleId: 'com.felixrieseberg.macintoshjs',
- appPath: buildOutput,
- appleId: process.env.APPLE_ID,
- appleIdPassword: process.env.APPLE_ID_PASSWORD,
- ascProvider: 'LT94ZKYDCJ'
- }).catch((e) => {
- console.error(e);
- throw e;
- });
-}
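Review bot: `make-distributable.sh` expands `$PLATFORM` and `$MAKER` unquoted and without checking that they are set, so an unset variable yields `--platform --targets=@electron-forge/maker-`, which Forge rejects with an unrelated-looking error; guards such as `: "${PLATFORM:?PLATFORM is required}"` and `: "${MAKER:?MAKER is required}"` before the `yarn make` line fail early with a clear message. Nothing else in this patch invokes the script (the workflow runs `yarn make` directly), so a header comment stating when and with which variables it is meant to be run would help. The `-x` in the shebang echoes every expanded command to the build log, which is fine today but means any secret placed on a command line here later would be logged.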