From 9400b8445bda556c3eb31cb7748622caa7d87bc7 Mon Sep 17 00:00:00 2001 From: Nikolay Edigaryev Date: Mon, 16 Mar 2026 21:34:22 +0100 Subject: [PATCH] GoReleaser: use "macos_native" signing and notarization instead of gon --- .cirrus.yml | 137 ++----------------------------------------- .goreleaser.yml | 27 ++++++++- Resources/Info.plist | 2 +- gon.hcl | 12 ---- 4 files changed, 29 insertions(+), 149 deletions(-) delete mode 100644 gon.hcl diff --git a/.cirrus.yml b/.cirrus.yml index 23f33f3..8255ef6 100644 --- a/.cirrus.yml +++ b/.cirrus.yml @@ -1,74 +1,8 @@ use_compute_credits: true -task: - name: Test - alias: test - persistent_worker: - labels: - name: dev-mini - resources: - tart-vms: 1 - build_script: - - swift build - test_script: - # Add /usr/sbin to PATH, otherwise testDiskutilInfo() fails to locate "diskutil" - - export PATH=$PATH:/usr/sbin - - swift test - integration_test_script: - - codesign --sign - --entitlements Resources/tart-dev.entitlements --force .build/debug/tart - - export PATH=$(pwd)/.build/arm64-apple-macosx/debug:$PATH - # Run integration tests - - cd integration-tests - - python3 -m venv --symlinks venv - - source venv/bin/activate - - pip install -r requirements.txt - - pytest --verbose --junit-xml=pytest-junit.xml - - go test -v ./... - pytest_junit_result_artifacts: - path: "integration-tests/pytest-junit.xml" - format: junit - -task: - name: Markdown Lint - only_if: $CIRRUS_BRANCH != 'gh-pages' && changesInclude('**.md') - container: - image: node:latest - install_script: npm install -g markdownlint-cli - lint_script: markdownlint --config=docs/.markdownlint.yml docs/ - -task: - name: Lint - alias: lint - macos_instance: - image: ghcr.io/cirruslabs/macos-runner:sequoia - lint_script: - - swift package plugin --allow-writing-to-package-directory swiftformat --cache ignore --lint --report swiftformat.json . - always: - swiftformat_report_artifacts: - path: swiftformat.json - format: swiftformat - -task: - only_if: $CIRRUS_TAG == '' - env: - matrix: - BUILD_ARCH: arm64 - BUILD_ARCH: x86_64 - name: Build ($BUILD_ARCH) - alias: build - macos_instance: - image: ghcr.io/cirruslabs/macos-runner:sequoia - build_script: swift build --arch $BUILD_ARCH --product tart - sign_script: codesign --sign - --entitlements Resources/tart-dev.entitlements --force .build/$BUILD_ARCH-apple-macosx/debug/tart - binary_artifacts: - path: .build/$BUILD_ARCH-apple-macosx/debug/tart - task: only_if: $CIRRUS_TAG == '' && ($CIRRUS_USER_PERMISSION == 'write' || $CIRRUS_USER_PERMISSION == 'admin') name: Release (Dry Run) - depends_on: - - lint - - build macos_instance: image: ghcr.io/cirruslabs/macos-runner:sequoia env: @@ -87,7 +21,6 @@ task: - xcrun notarytool store-credentials "notarytool" --apple-id "hello@cirruslabs.org" --team-id "9M2P8L4D89" --password $AC_PASSWORD install_script: - brew install go - - brew install mitchellh/gon/gon - brew install --cask goreleaser/tap/goreleaser-pro info_script: - security find-identity -v @@ -95,70 +28,8 @@ task: - swift -version goreleaser_script: goreleaser release --skip=publish --snapshot --clean always: + check_dist_script: + - find dist/ + - du -hs dist/ dist_artifacts: - path: "dist/*" - -task: - name: Release - only_if: $CIRRUS_TAG != '' - depends_on: - - lint - - test - - build - macos_instance: - image: ghcr.io/cirruslabs/macos-runner:sequoia - env: - MACOS_CERTIFICATE: ENCRYPTED[552b9d275d1c2bdbc1bff778b104a8f9a53cbd0d59344d4b7f6d0ca3c811a5cefb97bef9ba0ef31c219cb07bdacdd2c2] - AC_PASSWORD: ENCRYPTED[4a761023e7e06fe2eb350c8b6e8e7ca961af193cb9ba47605f25f1d353abc3142606f412e405be48fd897a78787ea8c2] - GITHUB_TOKEN: ENCRYPTED[!98ace8259c6024da912c14d5a3c5c6aac186890a8d4819fad78f3e0c41a4e0cd3a2537dd6e91493952fb056fa434be7c!] - GORELEASER_KEY: ENCRYPTED[!9b80b6ef684ceaf40edd4c7af93014ee156c8aba7e6e5795f41c482729887b5c31f36b651491d790f1f668670888d9fd!] - SENTRY_ORG: cirrus-labs - SENTRY_PROJECT: persistent-workers - SENTRY_AUTH_TOKEN: ENCRYPTED[!9eaf2875d51b113e2f68598441ff8e6b2e53242e48fcb93633bd75a373fbe2e7caa900d837cc92f0b142b65579731644!] - setup_script: - - cd $HOME - - echo $MACOS_CERTIFICATE | base64 --decode > certificate.p12 - - security create-keychain -p password101 build.keychain - - security default-keychain -s build.keychain - - security unlock-keychain -p password101 build.keychain - - security import certificate.p12 -k build.keychain -P password101 -T /usr/bin/codesign -T /usr/bin/pkgbuild - - security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k password101 build.keychain - - xcrun notarytool store-credentials "notarytool" --apple-id "hello@cirruslabs.org" --team-id "9M2P8L4D89" --password $AC_PASSWORD - install_script: - - brew install go getsentry/tools/sentry-cli - - brew install mitchellh/gon/gon - - brew install --cask goreleaser/tap/goreleaser-pro - info_script: - - security find-identity -v - - xcodebuild -version - - swift -version - release_script: goreleaser - upload_sentry_debug_files_script: - - cd .build/arm64-apple-macosx/release/ - # Generate and upload symbols - - dsymutil tart - - sentry-cli debug-files upload tart.dSYM/ - - SENTRY_PROJECT=tart sentry-cli debug-files upload tart.dSYM/ - # Bundle and upload sources - - sentry-cli debug-files bundle-sources tart.dSYM - - sentry-cli debug-files upload tart.src.zip - - SENTRY_PROJECT=tart sentry-cli debug-files upload tart.src.zip - create_sentry_release_script: - - export SENTRY_RELEASE="tart@$CIRRUS_TAG" - - sentry-cli releases new $SENTRY_RELEASE - - sentry-cli releases set-commits $SENTRY_RELEASE --auto - - sentry-cli releases finalize $SENTRY_RELEASE - -task: - name: Deploy Documentation - only_if: $CIRRUS_BRANCH == 'main' - container: - image: ghcr.io/cirruslabs/mkdocs-material-insiders:latest - registry_config: ENCRYPTED[!cf1a0f25325aa75bad3ce6ebc890bc53eb0044c02efa70d8cefb83ba9766275a994b4831706c52630a0692b2fa9cfb9e!] - env: - DEPLOY_TOKEN: ENCRYPTED[!45ed45666558902ed1c2400add734ec063103bec31841847e8c8764802fca229bfa6d85c690e16ad159e047574b48793!] - deploy_script: - - git config --global user.name "Cirrus CI" - - git config --global user.name "hello@cirruslabs.org" - - git remote set-url origin https://$DEPLOY_TOKEN@github.com/cirruslabs/tart/ - - mkdocs --verbose gh-deploy --force --remote-branch gh-pages + path: "dist/dmg/tart_all/Tart.dmg" diff --git a/.goreleaser.yml b/.goreleaser.yml index 2326b63..bdbbd41 100644 --- a/.goreleaser.yml +++ b/.goreleaser.yml @@ -1,3 +1,4 @@ +# yaml-language-server: $schema=https://goreleaser.com/static/schema-pro.json version: 2 project_name: tart @@ -17,15 +18,35 @@ builds: goarch: - arm64 - amd64 - binary: tart.app/Contents/MacOS/tart + binary: tart prebuilt: path: '.build/{{- if eq .Arch "arm64" }}arm64{{- else }}x86_64{{ end }}-apple-macosx/release/tart' universal_binaries: - name_template: tart.app/Contents/MacOS/tart replace: true - hooks: - post: gon gon.hcl + +app_bundles: + - name: Tart + bundle: com.github.cirruslabs.tart + icon: Resources/AppIcon.png + +dmg: + - name: Tart + use: appbundle + replace: true + +notarize: + macos_native: + - enabled: "true" + sign: + keychain: "build.keychain" + identity: "Developer ID Application: Cirrus Labs, Inc." + #options: [runtime] + entitlements: ./Resources/tart-prod.entitlements + notarize: + profile_name: "notarytool" + #wait: true archives: - name_template: "{{ .ProjectName }}" diff --git a/Resources/Info.plist b/Resources/Info.plist index fd682e1..de72579 100644 --- a/Resources/Info.plist +++ b/Resources/Info.plist @@ -7,7 +7,7 @@ CFBundleDisplayName Tart CFBundleIdentifier - org.cirruslabs.tart + com.github.cirruslabs.tart CFBundleExecutable tart LSApplicationCategoryType diff --git a/gon.hcl b/gon.hcl deleted file mode 100644 index 461d2aa..0000000 --- a/gon.hcl +++ /dev/null @@ -1,12 +0,0 @@ -source = [ "dist/tart_darwin_all/tart.app/Contents/MacOS/tart" ] -bundle_id = "com.github.cirruslabs.tart" - -apple_id { - username = "hello@cirruslabs.org" - password = "@env:AC_PASSWORD" -} - -sign { - application_identity = "Developer ID Application: Cirrus Labs, Inc." - entitlements_file = "Resources/tart-prod.entitlements" -}