name: Sign and Upload Mac Installer on: release: types: [created, published] workflow_dispatch: inputs: version: description: 'Release version to build and upload (e.g. "v9.8.7")' required: true dryrun: description: 'Perform all the steps except uploading to the release page' required: true default: "true" # 'choice' type requires string value type: choice options: - "true" # Must be quoted string, boolean value not supported. - "false" permissions: contents: write jobs: build: runs-on: macos-latest env: APPLICATION_CERTIFICATE: ${{ secrets.MACOS_APPLICATION_CERT }} CODESIGN_IDENTITY: ${{ secrets.MACOS_APPLICATION_IDENTITY }} INSTALLER_CERTIFICATE: ${{ secrets.MACOS_INSTALLER_CERT }} PRODUCTSIGN_IDENTITY: ${{ secrets.MACOS_INSTALLER_IDENTITY }} CERTIFICATE_PWD: ${{ secrets.MACOS_CERTIFICATE_PWD }} NOTARIZE_TEAM: ${{ secrets.MACOS_NOTARIZATION_TEAM_ID }} NOTARIZE_USERNAME: ${{ secrets.MACOS_NOTARIZATION_APPLE_ID }} NOTARIZE_PASSWORD: ${{ secrets.MACOS_NOTARIZATION_PWD }} KEYCHAIN_PWD: ${{ secrets.MACOS_CI_KEYCHAIN_PWD }} steps: - name: Consolidate dryrun setting to always be true or false id: actual_dryrun run: | # The 'release' trigger will not have a 'dryrun' input set. Handle # this case in a readable/maintainable way. if [[ -z "${{ inputs.dryrun }}" ]] then echo "dryrun=false" >> $GITHUB_OUTPUT else echo "dryrun=${{ inputs.dryrun }}" >> $GITHUB_OUTPUT fi - name: Dry Run Status run: | echo "::notice::This workflow execution will be a dry-run: ${{ steps.actual_dryrun.outputs.dryrun }}" - name: Determine Version id: getversion run: | if [[ -z "${{ inputs.version }}" ]] then VERSION=${{ github.event.release.tag_name }} else VERSION=${{ inputs.version }} fi echo echo "version=$VERSION" >> $GITHUB_OUTPUT - name: Check uploads id: check run: | URI="https://github.com/containers/podman/releases/download/${{steps.getversion.outputs.version}}" ARM_FILE="podman-installer-macos-arm64.pkg" AMD_FILE="podman-installer-macos-amd64.pkg" UNIVERSAL_FILE="podman-installer-macos-universal.pkg" status=$(curl -s -o /dev/null -w "%{http_code}" "${URI}/${ARM_FILE}") if [[ "$status" == "404" ]] ; then echo "buildarm=true" >> $GITHUB_OUTPUT else echo "::warning::ARM installer already exists, skipping" echo "buildarm=false" >> $GITHUB_OUTPUT fi status=$(curl -s -o /dev/null -w "%{http_code}" "${URI}/${AMD_FILE}") if [[ "$status" == "404" ]] ; then echo "buildamd=true" >> $GITHUB_OUTPUT else echo "::warning::AMD installer already exists, skipping" echo "buildamd=false" >> $GITHUB_OUTPUT fi status=$(curl -s -o /dev/null -w "%{http_code}" "${URI}/${UNIVERSAL_FILE}") if [[ "$status" == "404" ]] ; then echo "builduniversal=true" >> $GITHUB_OUTPUT else echo "::warning::Universal installer already exists, skipping" echo "builduniversal=false" >> $GITHUB_OUTPUT fi - name: Checkout Version if: >- steps.check.outputs.buildamd == 'true' || steps.check.outputs.buildarm == 'true' || steps.check.outputs.builduniversal == 'true' || steps.actual_dryrun.outputs.dryrun == 'true' uses: actions/checkout@v4 with: ref: ${{steps.getversion.outputs.version}} - name: Set up Go # Conditional duplication sucks - GHA doesn't grok YAML anchors/aliases if: >- steps.check.outputs.buildamd == 'true' || steps.check.outputs.buildarm == 'true' || steps.check.outputs.builduniversal == 'true' || steps.actual_dryrun.outputs.dryrun == 'true' uses: actions/setup-go@v5 with: go-version: stable - name: Create Keychain if: >- steps.check.outputs.buildamd == 'true' || steps.check.outputs.buildarm == 'true' || steps.check.outputs.builduniversal == 'true' || steps.actual_dryrun.outputs.dryrun == 'true' run: | echo $APPLICATION_CERTIFICATE | base64 --decode -o appcert.p12 echo $INSTALLER_CERTIFICATE | base64 --decode -o instcert.p12 security create-keychain -p "$KEYCHAIN_PWD" build.keychain security default-keychain -s build.keychain security unlock-keychain -p "$KEYCHAIN_PWD" build.keychain security import appcert.p12 -k build.keychain -P "$CERTIFICATE_PWD" -T /usr/bin/codesign security import instcert.p12 -k build.keychain -P "$CERTIFICATE_PWD" -T /usr/bin/productsign security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$KEYCHAIN_PWD" build.keychain &> /dev/null xcrun notarytool store-credentials "notarytool-profile" --apple-id "$NOTARIZE_USERNAME" --team-id "$NOTARIZE_TEAM" --password "$NOTARIZE_PASSWORD" &> /dev/null - name: Build and Sign ARM if: steps.check.outputs.buildarm == 'true' || steps.actual_dryrun.outputs.dryrun == 'true' working-directory: contrib/pkginstaller run: | make ARCH=aarch64 notarize &> /dev/null cd out && shasum -a 256 podman-installer-macos-arm64.pkg >> shasums - name: Build and Sign AMD if: steps.check.outputs.buildamd == 'true' || steps.actual_dryrun.outputs.dryrun == 'true' working-directory: contrib/pkginstaller run: | make ARCH=amd64 notarize &> /dev/null cd out && shasum -a 256 podman-installer-macos-amd64.pkg >> shasums - name: Build and Sign Universal if: steps.check.outputs.builduniversal == 'true' || steps.actual_dryrun.outputs.dryrun == 'true' working-directory: contrib/pkginstaller run: | make ARCH=universal notarize &> /dev/null cd out && shasum -a 256 podman-installer-macos-universal.pkg >> shasums - name: Artifact if: >- steps.check.outputs.buildamd == 'true' || steps.check.outputs.buildarm == 'true' || steps.check.outputs.builduniversal == 'true' || steps.actual_dryrun.outputs.dryrun == 'true' uses: actions/upload-artifact@v4 with: name: installers path: | contrib/pkginstaller/out/podman-installer-macos-*.pkg contrib/pkginstaller/out/shasums - name: Upload to Release if: >- steps.actual_dryrun.outputs.dryrun == 'false' && (steps.check.outputs.buildamd == 'true' || steps.check.outputs.buildarm == 'true'|| steps.check.outputs.builduniversal == 'true' ) env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | (gh release download ${{steps.getversion.outputs.version}} -p "shasums" || exit 0) cat contrib/pkginstaller/out/shasums >> shasums gh release upload ${{steps.getversion.outputs.version}} contrib/pkginstaller/out/podman-installer-macos-*.pkg gh release upload ${{steps.getversion.outputs.version}} --clobber shasums