mirror of
https://github.com/containers/podman.git
synced 2026-02-05 06:45:31 +01:00
146 lines
5.4 KiB
YAML
146 lines
5.4 KiB
YAML
name: Sign and Upload Mac Installer [DEPRECATED]
|
|
|
|
on:
|
|
workflow_dispatch:
|
|
inputs:
|
|
version:
|
|
description: 'Release version to build and upload (e.g. "v9.8.7")'
|
|
required: true
|
|
dryrun:
|
|
description: 'Perform all the steps except uploading to the release page'
|
|
required: true
|
|
default: "true" # 'choice' type requires string value
|
|
type: choice
|
|
options:
|
|
- "true" # Must be quoted string, boolean value not supported.
|
|
- "false"
|
|
|
|
permissions: {}
|
|
|
|
jobs:
|
|
build:
|
|
runs-on: macos-latest
|
|
permissions:
|
|
contents: write
|
|
env:
|
|
APPLICATION_CERTIFICATE: ${{ secrets.MACOS_APPLICATION_CERT }}
|
|
CODESIGN_IDENTITY: ${{ secrets.MACOS_APPLICATION_IDENTITY }}
|
|
INSTALLER_CERTIFICATE: ${{ secrets.MACOS_INSTALLER_CERT }}
|
|
PRODUCTSIGN_IDENTITY: ${{ secrets.MACOS_INSTALLER_IDENTITY }}
|
|
CERTIFICATE_PWD: ${{ secrets.MACOS_CERTIFICATE_PWD }}
|
|
|
|
NOTARIZE_TEAM: ${{ secrets.MACOS_NOTARIZATION_TEAM_ID }}
|
|
NOTARIZE_USERNAME: ${{ secrets.MACOS_NOTARIZATION_APPLE_ID }}
|
|
NOTARIZE_PASSWORD: ${{ secrets.MACOS_NOTARIZATION_PWD }}
|
|
|
|
KEYCHAIN_PWD: ${{ secrets.MACOS_CI_KEYCHAIN_PWD }}
|
|
steps:
|
|
- name: Consolidate dryrun setting to always be true or false
|
|
id: actual_dryrun
|
|
env:
|
|
INPUT_DRYRUN: ${{ inputs.dryrun }}
|
|
run: |
|
|
# The 'release' trigger will not have a 'dryrun' input set. Handle
|
|
# this case in a readable/maintainable way.
|
|
if [[ -z "${INPUT_DRYRUN}" ]]
|
|
then
|
|
echo "dryrun=false" >> $GITHUB_OUTPUT
|
|
else
|
|
echo "dryrun=${INPUT_DRYRUN}" >> $GITHUB_OUTPUT
|
|
fi
|
|
- name: Dry Run Status
|
|
env:
|
|
DRYRUN: ${{ steps.actual_dryrun.outputs.dryrun }}
|
|
run: |
|
|
echo "::notice::This workflow execution will be a dry-run: ${DRYRUN}"
|
|
- name: Determine Version
|
|
id: getversion
|
|
env:
|
|
INPUT_VERSION: ${{ inputs.version }}
|
|
TAG_NAME: ${{ github.event.release.tag_name }}
|
|
run: |
|
|
if [[ -z "${INPUT_VERSION}" ]]
|
|
then
|
|
VERSION=${TAG_NAME}
|
|
else
|
|
VERSION=${INPUT_VERSION}
|
|
fi
|
|
echo
|
|
echo "version=$VERSION" >> $GITHUB_OUTPUT
|
|
- name: Check uploads
|
|
id: check
|
|
env:
|
|
VERSION: ${{ steps.getversion.outputs.version }}
|
|
run: |
|
|
URI="https://github.com/containers/podman/releases/download/${VERSION}"
|
|
ARM_FILE="podman-installer-macos-arm64.pkg"
|
|
|
|
status=$(curl -s -o /dev/null -w "%{http_code}" "${URI}/${ARM_FILE}")
|
|
if [[ "$status" == "404" ]] ; then
|
|
echo "buildarm=true" >> $GITHUB_OUTPUT
|
|
else
|
|
echo "::warning::ARM installer already exists, skipping"
|
|
echo "buildarm=false" >> $GITHUB_OUTPUT
|
|
fi
|
|
- name: Checkout Version
|
|
if: >-
|
|
steps.check.outputs.buildarm == 'true' ||
|
|
steps.actual_dryrun.outputs.dryrun == 'true'
|
|
uses: actions/checkout@v6
|
|
with:
|
|
ref: ${{steps.getversion.outputs.version}}
|
|
persist-credentials: false
|
|
- name: Set up Go
|
|
# Conditional duplication sucks - GHA doesn't grok YAML anchors/aliases
|
|
if: >-
|
|
steps.check.outputs.buildarm == 'true' ||
|
|
steps.actual_dryrun.outputs.dryrun == 'true'
|
|
uses: actions/setup-go@v6
|
|
with:
|
|
go-version: stable
|
|
cache: false
|
|
- name: Create Keychain
|
|
if: >-
|
|
steps.check.outputs.buildarm == 'true' ||
|
|
steps.actual_dryrun.outputs.dryrun == 'true'
|
|
run: |
|
|
echo $APPLICATION_CERTIFICATE | base64 --decode -o appcert.p12
|
|
echo $INSTALLER_CERTIFICATE | base64 --decode -o instcert.p12
|
|
|
|
security create-keychain -p "$KEYCHAIN_PWD" build.keychain
|
|
security default-keychain -s build.keychain
|
|
security unlock-keychain -p "$KEYCHAIN_PWD" build.keychain
|
|
security import appcert.p12 -k build.keychain -P "$CERTIFICATE_PWD" -T /usr/bin/codesign
|
|
security import instcert.p12 -k build.keychain -P "$CERTIFICATE_PWD" -T /usr/bin/productsign
|
|
security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$KEYCHAIN_PWD" build.keychain &> /dev/null
|
|
|
|
xcrun notarytool store-credentials "notarytool-profile" --apple-id "$NOTARIZE_USERNAME" --team-id "$NOTARIZE_TEAM" --password "$NOTARIZE_PASSWORD" &> /dev/null
|
|
- name: Build and Sign ARM
|
|
if: steps.check.outputs.buildarm == 'true' || steps.actual_dryrun.outputs.dryrun == 'true'
|
|
working-directory: contrib/pkginstaller
|
|
run: |
|
|
make ARCH=aarch64 notarize &> /dev/null
|
|
cd out && shasum -a 256 podman-installer-macos-arm64.pkg >> shasums
|
|
- name: Artifact
|
|
if: >-
|
|
steps.check.outputs.buildarm == 'true' ||
|
|
steps.actual_dryrun.outputs.dryrun == 'true'
|
|
uses: actions/upload-artifact@v6
|
|
with:
|
|
name: installers
|
|
path: |
|
|
contrib/pkginstaller/out/podman-installer-macos-*.pkg
|
|
contrib/pkginstaller/out/shasums
|
|
- name: Upload to Release
|
|
if: >-
|
|
steps.actual_dryrun.outputs.dryrun == 'false' &&
|
|
steps.check.outputs.buildarm == 'true'
|
|
env:
|
|
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
|
VERSION: ${{ steps.getversion.outputs.version }}
|
|
run: |
|
|
(gh release download "${VERSION}" -p "shasums" || exit 0)
|
|
cat contrib/pkginstaller/out/shasums >> shasums
|
|
gh release upload "${VERSION}" contrib/pkginstaller/out/podman-installer-macos-*.pkg
|
|
gh release upload "${VERSION}" --clobber shasums
|