From a73e1743a48173f8ba5999a23af73bbdd4b84d30 Mon Sep 17 00:00:00 2001 From: Carlos Alexandro Becker Date: Sat, 18 Jan 2025 13:22:10 -0300 Subject: [PATCH 1/6] ci: update goreleaser configs see https://github.com/goreleaser/goreleaser/issues/5460 --- .goreleaser.yml | 38 ++++++++++++++++++++++++++------------ 1 file changed, 26 insertions(+), 12 deletions(-) diff --git a/.goreleaser.yml b/.goreleaser.yml index 85ce0d1..cd46d22 100644 --- a/.goreleaser.yml +++ b/.goreleaser.yml @@ -1,4 +1,7 @@ +# yaml-language-server: $schema=https://goreleaser.com/static/schema-pro.json + project_name: tart +version: 2 before: hooks: @@ -15,27 +18,38 @@ builds: goarch: - arm64 - amd64 - binary: tart.app/Contents/MacOS/tart + binary: tart prebuilt: path: '.build/{{- if eq .Arch "arm64" }}arm64{{- else }}x86_64{{ end }}-apple-macosx/release/tart' universal_binaries: - replace: true - hooks: - post: gon gon.hcl + +notarize: + macos: + - enabled: '{{ isEnvSet "MACOS_SIGN_P12" }}' + sign: + certificate: "{{.Env.MACOS_SIGN_P12}}" + password: "{{.Env.MACOS_SIGN_PASSWORD}}" + entitlements: ./Resources/tart-{{ if or .IsSnapshot .IsNightly }}dev{{ else }}prod{{ end }}.entitlements + notarize: + issuer_id: "{{.Env.MACOS_NOTARY_ISSUER_ID}}" + key_id: "{{.Env.MACOS_NOTARY_KEY_ID}}" + key: "{{.Env.MACOS_NOTARY_KEY}}" + +app_bundles: + - name: tart + extra_files: + - src: ./Resources/Info.plist + dst: Contents/Info.plist + - src: ./Resources/embedded.provisionprofile + dst: Contents/embedded.provisionprofile + - src: ./Resources/AppIcon.png + dst: Contents/Resources/AppIcon.png archives: - name_template: "{{ .ProjectName }}" files: - - src: Resources/embedded.provisionprofile - dst: tart.app/Contents - strip_parent: true - - src: Resources/Info.plist - dst: tart.app/Contents - strip_parent: true - - src: Resources/AppIcon.png - dst: tart.app/Contents/Resources - strip_parent: true - LICENSE release: From 634e275b96229754a69a14aed7380423edfaf911 Mon Sep 17 00:00:00 2001 From: fedor Date: Wed, 22 Jan 2025 08:56:43 -0500 Subject: [PATCH 2/6] Reverted app_bundle change and fixed environment variables --- .goreleaser.yml | 37 ++++++++++++++++++------------------- gon.hcl | 12 ------------ 2 files changed, 18 insertions(+), 31 deletions(-) delete mode 100644 gon.hcl diff --git a/.goreleaser.yml b/.goreleaser.yml index 8ead687..999344d 100644 --- a/.goreleaser.yml +++ b/.goreleaser.yml @@ -2,7 +2,6 @@ version: 2 project_name: tart -version: 2 before: hooks: @@ -24,33 +23,33 @@ builds: path: '.build/{{- if eq .Arch "arm64" }}arm64{{- else }}x86_64{{ end }}-apple-macosx/release/tart' universal_binaries: - - replace: true + - name_template: tart.app/Contents/MacOS/tart + replace: true notarize: macos: - - enabled: '{{ isEnvSet "MACOS_SIGN_P12" }}' + - enabled: '{{ isEnvSet "MACOS_CERTIFICATE" }}' sign: - certificate: "{{.Env.MACOS_SIGN_P12}}" - password: "{{.Env.MACOS_SIGN_PASSWORD}}" - entitlements: ./Resources/tart-{{ if or .IsSnapshot .IsNightly }}dev{{ else }}prod{{ end }}.entitlements + certificate: "{{.Env.MACOS_CERTIFICATE}}" + password: "password101" + entitlements: ./Resources/tart-prod.entitlements notarize: - issuer_id: "{{.Env.MACOS_NOTARY_ISSUER_ID}}" - key_id: "{{.Env.MACOS_NOTARY_KEY_ID}}" - key: "{{.Env.MACOS_NOTARY_KEY}}" - -app_bundles: - - name: tart - extra_files: - - src: ./Resources/Info.plist - dst: Contents/Info.plist - - src: ./Resources/embedded.provisionprofile - dst: Contents/embedded.provisionprofile - - src: ./Resources/AppIcon.png - dst: Contents/Resources/AppIcon.png + issuer_id: "9M2P8L4D89" + key_id: "hello@cirruslabs.org" + key: "{{.Env.AC_PASSWORD}}" archives: - name_template: "{{ .ProjectName }}" files: + - src: Resources/embedded.provisionprofile + dst: tart.app/Contents + strip_parent: true + - src: Resources/Info.plist + dst: tart.app/Contents + strip_parent: true + - src: Resources/AppIcon.png + dst: tart.app/Contents/Resources + strip_parent: true - LICENSE release: diff --git a/gon.hcl b/gon.hcl deleted file mode 100644 index 461d2aa..0000000 --- a/gon.hcl +++ /dev/null @@ -1,12 +0,0 @@ -source = [ "dist/tart_darwin_all/tart.app/Contents/MacOS/tart" ] -bundle_id = "com.github.cirruslabs.tart" - -apple_id { - username = "hello@cirruslabs.org" - password = "@env:AC_PASSWORD" -} - -sign { - application_identity = "Developer ID Application: Cirrus Labs, Inc." - entitlements_file = "Resources/tart-prod.entitlements" -} From 573239547ddfdc19b74e3de1d0f570986e56ccae Mon Sep 17 00:00:00 2001 From: fedor Date: Wed, 22 Jan 2025 09:04:29 -0500 Subject: [PATCH 3/6] Cleanup Cirrus config --- .cirrus.yml | 28 ---------------------------- 1 file changed, 28 deletions(-) diff --git a/.cirrus.yml b/.cirrus.yml index d67b1be..82b66b3 100644 --- a/.cirrus.yml +++ b/.cirrus.yml @@ -73,22 +73,8 @@ task: AC_PASSWORD: ENCRYPTED[4a761023e7e06fe2eb350c8b6e8e7ca961af193cb9ba47605f25f1d353abc3142606f412e405be48fd897a78787ea8c2] GITHUB_TOKEN: ENCRYPTED[!98ace8259c6024da912c14d5a3c5c6aac186890a8d4819fad78f3e0c41a4e0cd3a2537dd6e91493952fb056fa434be7c!] GORELEASER_KEY: ENCRYPTED[!9b80b6ef684ceaf40edd4c7af93014ee156c8aba7e6e5795f41c482729887b5c31f36b651491d790f1f668670888d9fd!] - setup_script: - - cd $HOME - - echo $MACOS_CERTIFICATE | base64 --decode > certificate.p12 - - security create-keychain -p password101 build.keychain - - security default-keychain -s build.keychain - - security unlock-keychain -p password101 build.keychain - - security import certificate.p12 -k build.keychain -P password101 -T /usr/bin/codesign -T /usr/bin/pkgbuild - - security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k password101 build.keychain - - xcrun notarytool store-credentials "notarytool" --apple-id "hello@cirruslabs.org" --team-id "9M2P8L4D89" --password $AC_PASSWORD install_script: - brew install go goreleaser/tap/goreleaser-pro - - brew install mitchellh/gon/gon - info_script: - - security find-identity -v - - xcodebuild -version - - swift -version goreleaser_script: goreleaser release --skip=publish --snapshot --clean always: dist_artifacts: @@ -111,22 +97,8 @@ task: SENTRY_ORG: cirrus-labs SENTRY_PROJECT: persistent-workers SENTRY_AUTH_TOKEN: ENCRYPTED[!9eaf2875d51b113e2f68598441ff8e6b2e53242e48fcb93633bd75a373fbe2e7caa900d837cc92f0b142b65579731644!] - setup_script: - - cd $HOME - - echo $MACOS_CERTIFICATE | base64 --decode > certificate.p12 - - security create-keychain -p password101 build.keychain - - security default-keychain -s build.keychain - - security unlock-keychain -p password101 build.keychain - - security import certificate.p12 -k build.keychain -P password101 -T /usr/bin/codesign -T /usr/bin/pkgbuild - - security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k password101 build.keychain - - xcrun notarytool store-credentials "notarytool" --apple-id "hello@cirruslabs.org" --team-id "9M2P8L4D89" --password $AC_PASSWORD install_script: - brew install go goreleaser/tap/goreleaser-pro getsentry/tools/sentry-cli - - brew install mitchellh/gon/gon - info_script: - - security find-identity -v - - xcodebuild -version - - swift -version release_script: goreleaser upload_sentry_debug_files_script: - cd .build/arm64-apple-macosx/release/ From b3e43db63fb7b50833a0b8a0e2f5b06a6bec6a52 Mon Sep 17 00:00:00 2001 From: Nikolay Edigaryev Date: Tue, 22 Jul 2025 16:34:18 +0200 Subject: [PATCH 4/6] CI: switch to ghcr.io/cirruslabs/macos-runner:sequoia --- .cirrus.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.cirrus.yml b/.cirrus.yml index 82b66b3..b8334cf 100644 --- a/.cirrus.yml +++ b/.cirrus.yml @@ -37,7 +37,7 @@ task: name: Lint alias: lint macos_instance: - image: ghcr.io/cirruslabs/macos-runner:sonoma + image: ghcr.io/cirruslabs/macos-runner:sequoia lint_script: - swift package plugin --allow-writing-to-package-directory swiftformat --cache ignore --lint --report swiftformat.json . always: @@ -54,7 +54,7 @@ task: name: Build ($BUILD_ARCH) alias: build macos_instance: - image: ghcr.io/cirruslabs/macos-runner:sonoma + image: ghcr.io/cirruslabs/macos-runner:sequoia build_script: swift build --arch $BUILD_ARCH --product tart sign_script: codesign --sign - --entitlements Resources/tart-dev.entitlements --force .build/$BUILD_ARCH-apple-macosx/debug/tart binary_artifacts: @@ -67,7 +67,7 @@ task: - lint - build macos_instance: - image: ghcr.io/cirruslabs/macos-runner:sonoma + image: ghcr.io/cirruslabs/macos-runner:sequoia env: MACOS_CERTIFICATE: ENCRYPTED[552b9d275d1c2bdbc1bff778b104a8f9a53cbd0d59344d4b7f6d0ca3c811a5cefb97bef9ba0ef31c219cb07bdacdd2c2] AC_PASSWORD: ENCRYPTED[4a761023e7e06fe2eb350c8b6e8e7ca961af193cb9ba47605f25f1d353abc3142606f412e405be48fd897a78787ea8c2] @@ -88,7 +88,7 @@ task: - test - build macos_instance: - image: ghcr.io/cirruslabs/macos-runner:sonoma + image: ghcr.io/cirruslabs/macos-runner:sequoia env: MACOS_CERTIFICATE: ENCRYPTED[552b9d275d1c2bdbc1bff778b104a8f9a53cbd0d59344d4b7f6d0ca3c811a5cefb97bef9ba0ef31c219cb07bdacdd2c2] AC_PASSWORD: ENCRYPTED[4a761023e7e06fe2eb350c8b6e8e7ca961af193cb9ba47605f25f1d353abc3142606f412e405be48fd897a78787ea8c2] From b5dcbacde1b9b509496e76e0eaf8a295c07bd4e2 Mon Sep 17 00:00:00 2001 From: Nikolay Edigaryev Date: Tue, 22 Jul 2025 16:40:13 +0200 Subject: [PATCH 5/6] CI: specify --cask when installing goreleaser/tap/goreleaser-pro --- .cirrus.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/.cirrus.yml b/.cirrus.yml index b8334cf..1b909d7 100644 --- a/.cirrus.yml +++ b/.cirrus.yml @@ -74,7 +74,8 @@ task: GITHUB_TOKEN: ENCRYPTED[!98ace8259c6024da912c14d5a3c5c6aac186890a8d4819fad78f3e0c41a4e0cd3a2537dd6e91493952fb056fa434be7c!] GORELEASER_KEY: ENCRYPTED[!9b80b6ef684ceaf40edd4c7af93014ee156c8aba7e6e5795f41c482729887b5c31f36b651491d790f1f668670888d9fd!] install_script: - - brew install go goreleaser/tap/goreleaser-pro + - brew install go + - brew install --cask goreleaser/tap/goreleaser-pro goreleaser_script: goreleaser release --skip=publish --snapshot --clean always: dist_artifacts: @@ -98,7 +99,8 @@ task: SENTRY_PROJECT: persistent-workers SENTRY_AUTH_TOKEN: ENCRYPTED[!9eaf2875d51b113e2f68598441ff8e6b2e53242e48fcb93633bd75a373fbe2e7caa900d837cc92f0b142b65579731644!] install_script: - - brew install go goreleaser/tap/goreleaser-pro getsentry/tools/sentry-cli + - brew install go getsentry/tools/sentry-cli + - brew install --cask goreleaser/tap/goreleaser-pro release_script: goreleaser upload_sentry_debug_files_script: - cd .build/arm64-apple-macosx/release/ From 310d6a14999338ec6b064dfba8bba8ee3f4a5359 Mon Sep 17 00:00:00 2001 From: Nikolay Edigaryev Date: Thu, 7 Aug 2025 10:52:21 +0200 Subject: [PATCH 6/6] Re-use macOS signing and notarization credentials from Chamber --- .cirrus.yml | 12 ++++++++++-- .goreleaser.yml | 12 ++++++------ 2 files changed, 16 insertions(+), 8 deletions(-) diff --git a/.cirrus.yml b/.cirrus.yml index 1b909d7..0291010 100644 --- a/.cirrus.yml +++ b/.cirrus.yml @@ -69,7 +69,11 @@ task: macos_instance: image: ghcr.io/cirruslabs/macos-runner:sequoia env: - MACOS_CERTIFICATE: ENCRYPTED[552b9d275d1c2bdbc1bff778b104a8f9a53cbd0d59344d4b7f6d0ca3c811a5cefb97bef9ba0ef31c219cb07bdacdd2c2] + MACOS_SIGN_P12: ENCRYPTED[!183482723ca1a95f9c4439f7a79c9d3b115472bb18c739ed1586e12d3914ccf94ade8169eeda7332fc204f8be9c27d9f!] + MACOS_SIGN_PASSWORD: ENCRYPTED[!417423346c567f12007f42d084bff1cfee30ee14f7e8258550157679a269c70d541c9f19224224ab0293b10f2c6d4c5e!] + MACOS_NOTARY_ISSUER_ID: ENCRYPTED[!74076906e9fa36bca3c1da1637b0759b58bb009eb1a707446896eefad3767e8dba1d0f87e71106b98cde98ac4b037a2a!] + MACOS_NOTARY_KEY_ID: ENCRYPTED[!af9e5da1010a6b04e548ef494acc77a6e0ce176549de98f81c5b5cdd72856de09f77e51cf0849e3c4b7a2d2c22f25ca8!] + MACOS_NOTARY_KEY: ENCRYPTED[!c70c53f3e6c163931c7cdf9d90aff8934ef21d5dd1090158688e00b94e97c68257d9cf4ae1df873e6ae0d949866aee72!] AC_PASSWORD: ENCRYPTED[4a761023e7e06fe2eb350c8b6e8e7ca961af193cb9ba47605f25f1d353abc3142606f412e405be48fd897a78787ea8c2] GITHUB_TOKEN: ENCRYPTED[!98ace8259c6024da912c14d5a3c5c6aac186890a8d4819fad78f3e0c41a4e0cd3a2537dd6e91493952fb056fa434be7c!] GORELEASER_KEY: ENCRYPTED[!9b80b6ef684ceaf40edd4c7af93014ee156c8aba7e6e5795f41c482729887b5c31f36b651491d790f1f668670888d9fd!] @@ -91,7 +95,11 @@ task: macos_instance: image: ghcr.io/cirruslabs/macos-runner:sequoia env: - MACOS_CERTIFICATE: ENCRYPTED[552b9d275d1c2bdbc1bff778b104a8f9a53cbd0d59344d4b7f6d0ca3c811a5cefb97bef9ba0ef31c219cb07bdacdd2c2] + MACOS_SIGN_P12: ENCRYPTED[!183482723ca1a95f9c4439f7a79c9d3b115472bb18c739ed1586e12d3914ccf94ade8169eeda7332fc204f8be9c27d9f!] + MACOS_SIGN_PASSWORD: ENCRYPTED[!417423346c567f12007f42d084bff1cfee30ee14f7e8258550157679a269c70d541c9f19224224ab0293b10f2c6d4c5e!] + MACOS_NOTARY_ISSUER_ID: ENCRYPTED[!74076906e9fa36bca3c1da1637b0759b58bb009eb1a707446896eefad3767e8dba1d0f87e71106b98cde98ac4b037a2a!] + MACOS_NOTARY_KEY_ID: ENCRYPTED[!af9e5da1010a6b04e548ef494acc77a6e0ce176549de98f81c5b5cdd72856de09f77e51cf0849e3c4b7a2d2c22f25ca8!] + MACOS_NOTARY_KEY: ENCRYPTED[!c70c53f3e6c163931c7cdf9d90aff8934ef21d5dd1090158688e00b94e97c68257d9cf4ae1df873e6ae0d949866aee72!] AC_PASSWORD: ENCRYPTED[4a761023e7e06fe2eb350c8b6e8e7ca961af193cb9ba47605f25f1d353abc3142606f412e405be48fd897a78787ea8c2] GITHUB_TOKEN: ENCRYPTED[!98ace8259c6024da912c14d5a3c5c6aac186890a8d4819fad78f3e0c41a4e0cd3a2537dd6e91493952fb056fa434be7c!] GORELEASER_KEY: ENCRYPTED[!9b80b6ef684ceaf40edd4c7af93014ee156c8aba7e6e5795f41c482729887b5c31f36b651491d790f1f668670888d9fd!] diff --git a/.goreleaser.yml b/.goreleaser.yml index 999344d..3453587 100644 --- a/.goreleaser.yml +++ b/.goreleaser.yml @@ -28,15 +28,15 @@ universal_binaries: notarize: macos: - - enabled: '{{ isEnvSet "MACOS_CERTIFICATE" }}' + - enabled: '{{ isEnvSet "MACOS_SIGN_P12" }}' sign: - certificate: "{{.Env.MACOS_CERTIFICATE}}" - password: "password101" + certificate: "{{.Env.MACOS_SIGN_P12}}" + password: "{{.Env.MACOS_SIGN_PASSWORD}}" entitlements: ./Resources/tart-prod.entitlements notarize: - issuer_id: "9M2P8L4D89" - key_id: "hello@cirruslabs.org" - key: "{{.Env.AC_PASSWORD}}" + issuer_id: "{{.Env.MACOS_NOTARY_ISSUER_ID}}" + key_id: "{{.Env.MACOS_NOTARY_KEY_ID}}" + key: "{{.Env.MACOS_NOTARY_KEY}}" archives: - name_template: "{{ .ProjectName }}"