saltstack/salt
1
0
Fork 0
mirror of https://github.com/saltstack/salt.git synced 2025-04-17 10:10:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 4
salt/.github/workflows/build-macos-packages.yml
Pedro Algarvio 48dc65ca3a Package signing is now a checkbox on the staging workflow. Disabled by default. 
Signed-off-by: Pedro Algarvio <palgarvio@vmware.com>
2023-04-29 18:18:53 +01:00

114 lines
4.6 KiB
YAML
Raw Blame History

---
name: Build macOS Packages
on:
workflow_call:
inputs:
salt-version:
type: string
required: true
description: The Salt version to set prior to building packages.
sign-packages:
type: boolean
default: false
description: Sign Packages
environment:
type: string
description: The GitHub Environment where this workflow should run
default: ci
jobs:
build-pkgs:
name: macOS
environment: ${{ inputs.environment }}
strategy:
fail-fast: false
matrix:
arch:
- x86_64
runs-on:
- macos-12
steps:
- name: Check Package Signing Enabled
shell: bash
id: check-pkg-sign
run: |
if [ "${{ inputs.sign-packages }}" == "true" ]; then
if [ "${{ (secrets.MAC_SIGN_APPLE_ACCT != '' && contains(fromJSON('["nightly", "staging"]'), inputs.environment)) && 'true' || 'false' }}" != "true" ]; then
MSG="Secrets for signing packages are not available. The packages created will NOT be signed."
echo "${MSG}"
echo "${MSG}" >> "${GITHUB_STEP_SUMMARY}"
echo "sign-pkgs=false" >> "$GITHUB_OUTPUT"
else
MSG="The packages created WILL be signed."
echo "${MSG}"
echo "${MSG}" >> "${GITHUB_STEP_SUMMARY}"
echo "sign-pkgs=true" >> "$GITHUB_OUTPUT"
fi
else
MSG="The sign-packages input is false. The packages created will NOT be signed."
echo "${MSG}"
echo "${MSG}" >> "${GITHUB_STEP_SUMMARY}"
echo "sign-pkgs=false" >> "$GITHUB_OUTPUT"
fi
- uses: actions/checkout@v3
- uses: actions/setup-python@v4
with:
python-version: 3.9
- name: Setup Python Tools Scripts
uses: ./.github/actions/setup-python-tools-scripts
- name: Setup Salt Version
id: setup-salt-version
uses: ./.github/actions/setup-salt-version
with:
salt-version: "${{ inputs.salt-version }}"
- name: Download Onedir Tarball as an Artifact
uses: actions/download-artifact@v3
with:
name: salt-${{ inputs.salt-version }}-onedir-darwin-${{ matrix.arch }}.tar.xz
path: artifacts/
- name: Prepare Package Signing
if: ${{ steps.check-pkg-sign.outputs.sign-pkgs == 'true' }}
run: |
echo ${{ secrets.MAC_SIGN_DEV_APP_CERT_B64 }} | base64 --decode > app-cert.p12
echo ${{ secrets.MAC_SIGN_DEV_INSTALL_CERT_B64 }} | base64 --decode > install-cert.p12
# Create SaltSigning keychain. This will contain the certificates for signing
security create-keychain -p "${{ secrets.MAC_SIGN_DEV_PASSWORD }}" "${{ secrets.MAC_SIGN_DEV_KEYCHAIN }}"
# Append SaltSigning keychain to the search list
security list-keychains -d user -s "${{ secrets.MAC_SIGN_DEV_KEYCHAIN }}" "$(security list-keychains -d user | sed s/\"//g)"
# Unlock the keychain so we can import certs
security unlock-keychain -p "${{ secrets.MAC_SIGN_DEV_PASSWORD }}" "${{ secrets.MAC_SIGN_DEV_KEYCHAIN }}"
# Developer Application Certificate
security import "app-cert.p12" -t agg -k "${{ secrets.MAC_SIGN_DEV_KEYCHAIN }}" -P "${{ secrets.MAC_SIGN_DEV_PASSWORD }}" -A
rm app-cert.p12
# Developer Installer Certificate
security import "install-cert.p12" -t agg -k "${{ secrets.MAC_SIGN_DEV_KEYCHAIN }}" -P "${{ secrets.MAC_SIGN_DEV_PASSWORD }}" -A
rm install-cert.p12
security set-key-partition-list -S apple-tool:,apple: -k "${{ secrets.MAC_SIGN_DEV_PASSWORD }}" "${{ secrets.MAC_SIGN_DEV_KEYCHAIN }}" &> /dev/null
- name: Build MacOS Package
env:
DEV_APP_CERT: "${{ secrets.MAC_SIGN_DEV_APP_CERT }}"
DEV_INSTALL_CERT: "${{ secrets.MAC_SIGN_DEV_INSTALL_CERT }}"
APPLE_ACCT: "${{ secrets.MAC_SIGN_APPLE_ACCT }}"
APP_SPEC_PWD: "${{ secrets.MAC_SIGN_APP_SPEC_PWD }}"
run: |
tools pkg build macos --onedir salt-${{ inputs.salt-version }}-onedir-darwin-${{ matrix.arch }}.tar.xz \
--salt-version ${{ inputs.salt-version }} ${{
steps.check-pkg-sign.outputs.sign-pkgs == 'true' && '--sign' || ''
}}
- name: Upload ${{ matrix.arch }} Package
uses: actions/upload-artifact@v3
with:
name: salt-${{ inputs.salt-version }}-${{ matrix.arch }}-macos
path: pkg/macos/salt-${{ inputs.salt-version }}-py3-*.pkg
retention-days: 7
if-no-files-found: error
Reference in a new issue View git blame Copy permalink