Revert changes related to #5999 to unbreak CI (#6011)

* Revert "Attempt to fix Sign MacOS Pt1" This reverts commit 208f8349a6. * Revert "fetch logs on error (#6003)" This reverts commit 32e71b0386. * Revert "Fix Build Attest pt3" This reverts commit 1c687e7a45. * Revert "Fix Build Attest pt2" This reverts commit 53ed028663. * Revert "Fix Build Attest" This reverts commit 2a4ebe1b3e. * Revert "Add write permissions for `contents` (#6002)" This reverts commit df863355b7. * Revert "make script executable (#6000)" This reverts commit b69091a51a. * Revert "move signing mac apps to own script (#5999)" This reverts commit 0fe30ebe49.
2025-12-24 12:03:06 -08:00 · 2025-06-29 18:49:47 -07:00
parent 8615c4c3b0
commit 6b44b9ae1e
3 changed files with 62 additions and 103 deletions
--- a/.github/workflows/desktop-build.yml
+++ b/.github/workflows/desktop-build.yml
@@ -1,7 +1,6 @@
 name: Build Desktop

 permissions:
-  contents: write
  id-token: write
  attestations: write

@@ -210,6 +209,7 @@ jobs:
        if: steps.upload_release.outcome == 'success'
        uses: actions/attest-build-provenance@v2
        with:
+          subject-path: ${{steps.build.outputs.path}}
          subject-name: ${{steps.build.outputs.name}}
          subject-digest: sha256:${{ steps.upload_artifact.outputs.artifact-digest }}

@@ -292,6 +292,10 @@ jobs:
          BUILDTYPE: '${{matrix.type}}'
          MAKE_PACKAGE: '${{matrix.make_package}}'
          PACKAGE_SUFFIX: '-macOS${{matrix.target}}_${{matrix.soc}}'
+          MACOS_CERTIFICATE: ${{ secrets.PROD_MACOS_CERTIFICATE }}
+          MACOS_CERTIFICATE_PWD: ${{ secrets.PROD_MACOS_CERTIFICATE_PWD }}
+          MACOS_CERTIFICATE_NAME: ${{ secrets.PROD_MACOS_CERTIFICATE_NAME }}
+          MACOS_CI_KEYCHAIN_PWD: ${{ secrets.PROD_MACOS_CI_KEYCHAIN_PWD }}
          CMAKE_GENERATOR: '${{env.CMAKE_GENERATOR}}'
        run: .ci/compile.sh --server --test --ccache "$CCACHE_SIZE"

@@ -304,16 +308,47 @@ jobs:

      - name: Sign app bundle
        if: matrix.make_package && (github.ref == 'refs/heads/master' || needs.configure.outputs.tag != null)
-        shell: bash
        env:
          MACOS_CERTIFICATE_NAME: ${{ secrets.PROD_MACOS_CERTIFICATE_NAME }}
-          MACOS_CERTIFICATE: ${{ secrets.PROD_MACOS_CERTIFICATE }}
-          MACOS_CERTIFICATE_PWD: ${{ secrets.PROD_MACOS_CERTIFICATE_PWD }}
          MACOS_CI_KEYCHAIN_PWD: ${{ secrets.PROD_MACOS_CI_KEYCHAIN_PWD }}
+        run: |
+          if [[ -n "$MACOS_CERTIFICATE_NAME" ]]
+          then
+            security unlock-keychain -p "$MACOS_CI_KEYCHAIN_PWD" build.keychain
+            /usr/bin/codesign --sign="$MACOS_CERTIFICATE_NAME" --entitlements=".ci/macos.entitlements" --options=runtime --force --deep --timestamp --verbose ${{steps.build.outputs.path}}
+          fi
+
+      - name: Notarize app bundle
+        if: matrix.make_package && (github.ref == 'refs/heads/master' || needs.configure.outputs.tag != null)
+        env:
          MACOS_NOTARIZATION_APPLE_ID: ${{ secrets.PROD_MACOS_NOTARIZATION_APPLE_ID }}
          MACOS_NOTARIZATION_TEAM_ID: ${{ secrets.PROD_MACOS_NOTARIZATION_TEAM_ID }}
          MACOS_NOTARIZATION_PWD: ${{ secrets.PROD_MACOS_NOTARIZATION_PWD }}
-        run: .ci/sign_macos.sh ${{steps.build.outputs.path}}
+        run: |
+          if [[ -n "$MACOS_NOTARIZATION_APPLE_ID" ]]
+          then
+            # Store the notarization credentials so that we can prevent a UI password dialog from blocking the CI
+            echo "Create keychain profile"
+            xcrun notarytool store-credentials "notarytool-profile" --apple-id "$MACOS_NOTARIZATION_APPLE_ID" --team-id "$MACOS_NOTARIZATION_TEAM_ID" --password "$MACOS_NOTARIZATION_PWD"
+  
+            # We can't notarize an app bundle directly, but we need to compress it as an archive.
+            # Therefore, we create a zip file containing our app bundle, so that we can send it to the
+            # notarization service
+            echo "Creating temp notarization archive"
+            ditto -c -k --keepParent ${{steps.build.outputs.path}} "notarization.zip"
+  
+            # Here we send the notarization request to the Apple's Notarization service, waiting for the result.
+            # This typically takes a few seconds inside a CI environment, but it might take more depending on the App
+            # characteristics. Visit the Notarization docs for more information and strategies on how to optimize it if
+            # you're curious
+            echo "Notarize app"
+            xcrun notarytool submit "notarization.zip" --keychain-profile "notarytool-profile" --wait
+  
+            # Finally, we need to "attach the staple" to our executable, which will allow our app to be
+            # validated by macOS even when an internet connection is not available.
+            echo "Attach staple"
+            xcrun stapler staple ${{steps.build.outputs.path}}
+          fi

      - name: Upload artifact
        id: upload_artifact
@@ -340,6 +375,7 @@ jobs:
        if: steps.upload_release.outcome == 'success'
        uses: actions/attest-build-provenance@v2
        with:
+          subject-path: ${{steps.build.outputs.path}}
          subject-name: ${{steps.build.outputs.name}}
          subject-digest: sha256:${{ steps.upload_artifact.outputs.artifact-digest }}

@@ -443,6 +479,7 @@ jobs:
        if: steps.upload_release.outcome == 'success'
        uses: actions/attest-build-provenance@v2
        with:
+          subject-path: ${{steps.build.outputs.path}}
          subject-name: ${{steps.build.outputs.name}}
          subject-digest: sha256:${{ steps.upload_artifact.outputs.artifact-digest }}