mirror/podman
1
0
Fork 0
mirror of https://github.com/containers/podman.git synced 2026-03-17 14:18:09 -04:00
Code Issues Packages Projects Releases Wiki Activity
Files
0ecda592c98c9fa7276ddb31e8d14e66ea22c1c8
podman/.github/workflows/mac-pkg.yml
Chris Evich 93f4cc1b51 [CI:DOCS] GHA: Use stable go for Mac/Win builds 
Having hard-coded versions burried under a hidden directory is ripe for
maintenance headaches.  Use the latest 'stable' version, since this will
be "close enough" to what we test in CI.

Ref: https://github.com/containers/podman/discussions/19404

Signed-off-by: Chris Evich <cevich@redhat.com>
2023-07-31 10:43:53 -04:00

116 lines
4.8 KiB
YAML
Raw Blame History

name: Sign and Upload Mac Installer
on:
release:
types: [created, published]
workflow_dispatch:
inputs:
version:
description: 'Release version to build and upload (e.g. "v4.2.1")'
required: true
permissions:
contents: write
jobs:
build:
runs-on: macos-latest
env:
APPLICATION_CERTIFICATE: ${{ secrets.MACOS_APPLICATION_CERT }}
CODESIGN_IDENTITY: ${{ secrets.MACOS_APPLICATION_IDENTITY }}
INSTALLER_CERTIFICATE: ${{ secrets.MACOS_INSTALLER_CERT }}
PRODUCTSIGN_IDENTITY: ${{ secrets.MACOS_INSTALLER_IDENTITY }}
CERTIFICATE_PWD: ${{ secrets.MACOS_CERTIFICATE_PWD }}
NOTARIZE_TEAM: ${{ secrets.MACOS_NOTARIZATION_TEAM_ID }}
NOTARIZE_USERNAME: ${{ secrets.MACOS_NOTARIZATION_APPLE_ID }}
NOTARIZE_PASSWORD: ${{ secrets.MACOS_NOTARIZATION_PWD }}
KEYCHAIN_PWD: ${{ secrets.MACOS_CI_KEYCHAIN_PWD }}
steps:
- name: Determine Version
id: getversion
run: |
if [ -z "${{ inputs.version }}" ]
then
VERSION=${{ github.event.release.tag_name }}
else
VERSION=${{ inputs.version }}
fi
echo
echo "version=$VERSION" >> $GITHUB_OUTPUT
- name: Check uploads
id: check
run: |
URI="https://github.com/containers/podman/releases/download/${{steps.getversion.outputs.version}}"
ARM_FILE="podman-installer-macos-arm64.pkg"
AMD_FILE="podman-installer-macos-amd64.pkg"
status=$(curl -s -o /dev/null -w "%{http_code}" "${URI}/${ARM_FILE}")
if [[ "$status" == "404" ]] ; then
echo "buildarm=true" >> $GITHUB_OUTPUT
else
echo "ARM installer already exists, skipping"
echo "buildarm=false" >> $GITHUB_OUTPUT
fi
status=$(curl -s -o /dev/null -w "%{http_code}" "${URI}/${AMD_FILE}")
if [[ "$status" == "404" ]] ; then
echo "buildamd=true" >> $GITHUB_OUTPUT
else
echo "AMD installer already exists, skipping"
echo "buildamd=false" >> $GITHUB_OUTPUT
fi
- name: Checkout Version
# If no binaries need to be built, then there's no reason to Checkout
if: steps.check.outputs.buildamd == 'true' || steps.check.outputs.buildarm == 'true'
uses: actions/checkout@v3
with:
ref: ${{steps.getversion.outputs.version}}
- name: Set up Go
# If no binaries need to be built, then there's no reason to set up Go
if: steps.check.outputs.buildamd == 'true' || steps.check.outputs.buildarm == 'true'
uses: actions/setup-go@v4
with:
go-version: stable
- name: Create Keychain
if: steps.check.outputs.buildamd == 'true' || steps.check.outputs.buildarm == 'true'
run: |
echo $APPLICATION_CERTIFICATE | base64 --decode -o appcert.p12
echo $INSTALLER_CERTIFICATE | base64 --decode -o instcert.p12
security create-keychain -p "$KEYCHAIN_PWD" build.keychain
security default-keychain -s build.keychain
security unlock-keychain -p "$KEYCHAIN_PWD" build.keychain
security import appcert.p12 -k build.keychain -P "$CERTIFICATE_PWD" -T /usr/bin/codesign
security import instcert.p12 -k build.keychain -P "$CERTIFICATE_PWD" -T /usr/bin/productsign
security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$KEYCHAIN_PWD" build.keychain &> /dev/null
xcrun notarytool store-credentials "notarytool-profile" --apple-id "$NOTARIZE_USERNAME" --team-id "$NOTARIZE_TEAM" --password "$NOTARIZE_PASSWORD" &> /dev/null
- name: Build and Sign ARM
if: steps.check.outputs.buildarm == 'true'
working-directory: contrib/pkginstaller
run: |
make ARCH=aarch64 notarize &> /dev/null
cd out && shasum -a 256 podman-installer-macos-arm64.pkg >> shasums
- name: Build and Sign AMD
if: steps.check.outputs.buildamd == 'true'
working-directory: contrib/pkginstaller
run: |
make ARCH=amd64 notarize &> /dev/null
cd out && shasum -a 256 podman-installer-macos-amd64.pkg >> shasums
- name: Artifact
if: steps.check.outputs.buildamd == 'true' || steps.check.outputs.buildarm == 'true'
uses: actions/upload-artifact@v3
with:
name: installers
path: |
contrib/pkginstaller/out/podman-installer-macos-*.pkg
- name: Upload to Release
if: steps.check.outputs.buildamd == 'true' || steps.check.outputs.buildarm == 'true'
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
(gh release download ${{steps.getversion.outputs.version}} -p "shasums" || exit 0)
cat contrib/pkginstaller/out/shasums >> shasums
gh release upload ${{steps.getversion.outputs.version}} contrib/pkginstaller/out/podman-installer-macos-*.pkg
gh release upload ${{steps.getversion.outputs.version}} --clobber shasums
Reference in New Issue View Git Blame Copy Permalink