add codesigning to gh action

2026-04-25 00:16:29 +02:00 · 2026-01-19 18:32:09 +05:30 · 2026-01-19 18:32:09 +05:30 · fe77a7a419
commit fe77a7a419
parent 7387d3c1c9
4 changed files with 159 additions and 96 deletions
--- a/.github/workflows/electron-build.yml
+++ b/.github/workflows/electron-build.yml
@ -53,11 +53,45 @@ jobs:
            console.log('Updated version to:', version);
          "

+      - name: Import Code Signing Certificate
+        env:
+          APPLE_CERTIFICATE: ${{ secrets.APPLE_CERTIFICATE }}
+          APPLE_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
+        run: |
+          # Create a temporary keychain
+          KEYCHAIN_PATH=$RUNNER_TEMP/app-signing.keychain-db
+          KEYCHAIN_PASSWORD=$(openssl rand -base64 32)
+          
+          # Create keychain
+          security create-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
+          security set-keychain-settings -lut 21600 "$KEYCHAIN_PATH"
+          security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
+          
+          # Decode and import certificate
+          echo "$APPLE_CERTIFICATE" | base64 --decode > $RUNNER_TEMP/certificate.p12
+          security import $RUNNER_TEMP/certificate.p12 -P "$APPLE_CERTIFICATE_PASSWORD" -A -t cert -f pkcs12 -k "$KEYCHAIN_PATH"
+          
+          # Allow codesign to access the keychain
+          security set-key-partition-list -S apple-tool:,apple: -s -k "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
+          
+          # Add keychain to search list
+          security list-keychain -d user -s "$KEYCHAIN_PATH" login.keychain
+          
+          # Verify certificate was imported
+          security find-identity -v "$KEYCHAIN_PATH"
+          
+          # Clean up certificate file
+          rm -f $RUNNER_TEMP/certificate.p12
+
      - name: Install dependencies
        run: pnpm install --frozen-lockfile
        working-directory: apps/x

      - name: Build distributables
+        env:
+          APPLE_ID: ${{ secrets.APPLE_ID }}
+          APPLE_PASSWORD: ${{ secrets.APPLE_PASSWORD }}
+          APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
        run: npm run make
        working-directory: apps/x/apps/main

@ -109,3 +143,11 @@ jobs:
          files: apps/x/apps/main/out/make/*
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Cleanup keychain
+        if: always()
+        run: |
+          KEYCHAIN_PATH=$RUNNER_TEMP/app-signing.keychain-db
+          if [ -f "$KEYCHAIN_PATH" ]; then
+            security delete-keychain "$KEYCHAIN_PATH" || true
+          fi