external/secretive
1
0
Fork 0
mirror of https://github.com/maxgoedjen/secretive.git synced 2025-12-14 21:10:56 +00:00
Code Issues Projects Releases Wiki Activity
625a605cc7
secretive/.github/workflows/release.yml
Roy Xu 625a605cc7
update name to be cursor internal
2025-12-09 16:30:01 -05:00

168 lines
8.7 KiB
YAML
Raw Blame History

name: Release
on:
push:
tags:
- '*'
jobs:
test:
permissions:
contents: read
runs-on: macos-26
timeout-minutes: 10
steps:
- uses: actions/checkout@v5
- name: Setup Signing
env:
SIGNING_DATA: ${{ secrets.SIGNING_DATA }}
SIGNING_PASSWORD: ${{ secrets.SIGNING_PASSWORD }}
HOST_PROFILE_DATA: ${{ secrets.HOST_PROFILE_DATA }}
AGENT_PROFILE_DATA: ${{ secrets.AGENT_PROFILE_DATA }}
APPLE_API_KEY_DATA: ${{ secrets.APPLE_API_KEY_DATA }}
APPLE_API_KEY_ID: ${{ secrets.APPLE_API_KEY_ID }}
run: |
echo $SIGNING_DATA | base64 -d -o Signing.p12
security create-keychain -p ci ci.keychain
security default-keychain -s ci.keychain
security list-keychains -s ci.keychain
security import ./Signing.p12 -k ci.keychain -P $SIGNING_PASSWORD -A
security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k ci ci.keychain
mkdir -p ~/Library/MobileDevice/Provisioning\ Profiles
echo $HOST_PROFILE_DATA | base64 -d -o Host.provisionprofile
HOST_UUID=$(grep UUID -A1 -a Host.provisionprofile | grep -io "[-A-F0-9]\{36\}")
cp Host.provisionprofile ~/Library/MobileDevice/Provisioning\ Profiles/$HOST_UUID.provisionprofile
echo $AGENT_PROFILE_DATA | base64 -d -o Agent.provisionprofile
AGENT_UUID=$(grep UUID -A1 -a Agent.provisionprofile | grep -io "[-A-F0-9]\{36\}")
cp Agent.provisionprofile ~/Library/MobileDevice/Provisioning\ Profiles/$AGENT_UUID.provisionprofile
mkdir ~/.private_keys
echo -n "$APPLE_API_KEY_DATA" > ~/.private_keys/AuthKey_$APPLE_API_KEY_ID.p8
- name: Set Environment
run: sudo xcrun xcode-select -s /Applications/Xcode_26.1.app
- name: Test
run: xcrun xcodebuild -project Sources/Secretive.xcodeproj -scheme PackageTests test
# SPM doesn't seem to pick up on the tests currently?
# run: swift test --build-system swiftbuild --package-path Sources/Packages
build:
permissions:
id-token: write
contents: write
attestations: write
actions: read
runs-on: macos-26
timeout-minutes: 10
steps:
- uses: actions/checkout@v5
- name: Setup Signing
env:
SIGNING_DATA: ${{ secrets.SIGNING_DATA }}
SIGNING_PASSWORD: ${{ secrets.SIGNING_PASSWORD }}
HOST_PROFILE_DATA: ${{ secrets.HOST_PROFILE_DATA }}
AGENT_PROFILE_DATA: ${{ secrets.AGENT_PROFILE_DATA }}
APPLE_API_KEY_DATA: ${{ secrets.APPLE_API_KEY_DATA }}
APPLE_API_KEY_ID: ${{ secrets.APPLE_API_KEY_ID }}
run: |
echo $SIGNING_DATA | base64 -d -o Signing.p12
security create-keychain -p ci ci.keychain
security default-keychain -s ci.keychain
security list-keychains -s ci.keychain
security import ./Signing.p12 -k ci.keychain -P $SIGNING_PASSWORD -A
security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k ci ci.keychain
mkdir -p ~/Library/MobileDevice/Provisioning\ Profiles
echo $HOST_PROFILE_DATA | base64 -d -o Host.provisionprofile
HOST_UUID=$(grep UUID -A1 -a Host.provisionprofile | grep -io "[-A-F0-9]\{36\}")
cp Host.provisionprofile ~/Library/MobileDevice/Provisioning\ Profiles/$HOST_UUID.provisionprofile
echo $AGENT_PROFILE_DATA | base64 -d -o Agent.provisionprofile
AGENT_UUID=$(grep UUID -A1 -a Agent.provisionprofile | grep -io "[-A-F0-9]\{36\}")
cp Agent.provisionprofile ~/Library/MobileDevice/Provisioning\ Profiles/$AGENT_UUID.provisionprofile
mkdir ~/.private_keys
echo -n "$APPLE_API_KEY_DATA" > ~/.private_keys/AuthKey_$APPLE_API_KEY_ID.p8
- name: Set Environment
run: sudo xcrun xcode-select -s /Applications/Xcode_26.1.app
- name: Update Build Number
env:
TAG_NAME: ${{ github.ref }}
RUN_ID: ${{ github.run_id }}
run: |
export CLEAN_TAG=$(echo $TAG_NAME | sed -e 's/refs\/tags\/v//')
sed -i '' -e "s/GITHUB_CI_VERSION/$CLEAN_TAG/g" Sources/Config/Config.xcconfig
sed -i '' -e "s/GITHUB_BUILD_NUMBER/1.$RUN_ID/g" Sources/Config/Config.xcconfig
sed -i '' -e "s/GITHUB_BUILD_URL/github.com\/maxgoedjen\/secretive\/actions\/runs\/$RUN_ID/g" Sources/Config/Config.xcconfig
- name: Build App
run: xcrun xcodebuild -project Sources/Secretive.xcodeproj -scheme Secretive -configuration Release -archivePath Archive.xcarchive archive
- name: Build CLI
run: swift build -c release --product SecretiveCLI --package-path Sources/Packages
- name: Codesign CLI
run: |
CLI_BINARY="Sources/Packages/.build/release/SecretiveCLI"
ENTITLEMENTS="Sources/Packages/Sources/SecretiveCLI/SecretiveCLI.entitlements"
IDENTITY=$(security find-identity -p codesigning -v 2>/dev/null | grep "Developer ID Application" | head -n1 | awk -F'"' '{print $2}')
codesign --force --options runtime --sign "$IDENTITY" --identifier "com.cursorinternal.Secretive.Host" --entitlements "$ENTITLEMENTS" "$CLI_BINARY"
- name: Prepare Artifact Folder
run: |
mkdir -p Artifact/App
mkdir -p Artifact/CLI
cp -r Archive.xcarchive/Products/Applications/Secretive.app Artifact/App/
cp Sources/Packages/.build/release/SecretiveCLI Artifact/CLI/secretive
- name: Build Installer Package
run: |
pkgbuild --root Artifact/App --install-location /Applications --identifier com.cursorinternal.Secretive.app --version 1.0 App.pkg
pkgbuild --root Artifact/CLI --install-location /usr/local/bin --identifier com.cursorinternal.Secretive.cli --version 1.0 CLI.pkg
cat > distribution.xml << 'EOF'
<?xml version="1.0" encoding="utf-8"?>
<installer-gui-script minSpecVersion="2">
<title>Secretive</title>
<organization>com.cursorinternal</organization>
<domains enable_localSystem="true"/>
<options customize="never" require-scripts="false" rootVolumeOnly="true"/>
<pkg-ref id="com.cursorinternal.Secretive.app"/>
<pkg-ref id="com.cursorinternal.Secretive.cli"/>
<choices-outline>
<line choice="default">
<line choice="com.cursorinternal.Secretive.app"/>
<line choice="com.cursorinternal.Secretive.cli"/>
</line>
</choices-outline>
<choice id="default"/>
<choice id="com.cursorinternal.Secretive.app" visible="false">
<pkg-ref id="com.cursorinternal.Secretive.app"/>
</choice>
<choice id="com.cursorinternal.Secretive.cli" visible="false">
<pkg-ref id="com.cursorinternal.Secretive.cli"/>
</choice>
<pkg-ref id="com.cursorinternal.Secretive.app" version="1.0" onConclusion="none">App.pkg</pkg-ref>
<pkg-ref id="com.cursorinternal.Secretive.cli" version="1.0" onConclusion="none">CLI.pkg</pkg-ref>
</installer-gui-script>
EOF
productbuild --distribution distribution.xml --package-path . Secretive-unsigned.pkg
INSTALLER_IDENTITY=$(security find-identity -p basic -v 2>/dev/null | grep "Developer ID Installer" | head -n1 | awk -F'"' '{print $2}')
productsign --sign "$INSTALLER_IDENTITY" Secretive-unsigned.pkg Secretive.pkg
- name: Notarize
env:
APPLE_API_KEY_ID: ${{ secrets.APPLE_API_KEY_ID }}
APPLE_API_ISSUER: ${{ secrets.APPLE_API_ISSUER }}
run: |
xcrun notarytool submit --key ~/.private_keys/AuthKey_$APPLE_API_KEY_ID.p8 --key-id $APPLE_API_KEY_ID --issuer $APPLE_API_ISSUER --wait Secretive.pkg
xcrun stapler staple Secretive.pkg
- name: Upload Installer to Artifacts
id: upload
uses: actions/upload-artifact@v4
with:
name: Secretive.pkg
path: Secretive.pkg
- name: Attest
id: attest
uses: actions/attest-build-provenance@v2
with:
subject-path: "Secretive.pkg"
- name: Create Release
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
TAG_NAME: ${{ github.ref }}
RUN_ID: ${{ github.run_id }}
ATTESTATION_ID: ${{ steps.attest.outputs.attestation-id }}
run: |
sed -i.tmp "s/RUN_ID/$RUN_ID/g" .github/templates/release.md
sed -i.tmp "s/ATTESTATION_ID/$ATTESTATION_ID/g" .github/templates/release.md
gh release create $TAG_NAME -d -F .github/templates/release.md
gh release upload $TAG_NAME Secretive.pkg
Reference in New Issue View Git Blame Copy Permalink