
Commit a49e4be

Sign Nitro CLI (ChilliCream#8623)
1 parent aa58ed0 commit a49e4be

1 file changed

Lines changed: 120 additions & 91 deletions


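--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -5,6 +5,10 @@ on:
 tags:
 - "16.*"
 
+permissions:
+id-token: write
+contents: read
+
 jobs:
 release:
 name: 📦 Build & Publish NuGet Packages
@@ -70,9 +74,11 @@ jobs:
 env:
 GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
-build-fusion-cli:
-name: 🧱 Build and Publish Fusion CLI
+build-nitro-cli:
+name: 🧱 Build and Publish Nitro CLI
 runs-on: ${{ matrix.os }}
+# We need to depend on this job, as it publishes the persisted operations of the CLI.
+needs: release
 permissions:
 contents: write
 strategy:
@@ -81,32 +87,24 @@ jobs:
 # Linux (x64)
 - os: ubuntu-22.04
 rid: linux-x64
-ext: ""
 - os: ubuntu-22.04
 rid: linux-musl-x64
-ext: ""
 # Linux (arm64 on ARM runner!)
 - os: ubuntu-24.04-arm
 rid: linux-arm64
-ext: ""
 # macOS
 - os: macos-15
 rid: osx-x64
-ext: ""
 - os: macos-15
 rid: osx-arm64
-ext: ""
 # Windows
 - os: windows-2025
 rid: win-x64
-ext: ".exe"
 - os: windows-2025
 rid: win-x86
-ext: ".exe"
 # Windows (arm64 on ARM runner!)
-- os: windows-11-arm
-rid: win-arm64
-ext: ".exe"
+# - os: windows-11-arm
+# rid: win-arm64
 
 steps:
 - name: 📦 Checkout
@@ -117,112 +115,143 @@ jobs:
 with:
 dotnet-version: 10.x
 
-- name: 🧩 Publish AOT Binary for ${{ matrix.rid }}
+- name: 🧩 Publish AOT binary for ${{ matrix.rid }}
 shell: bash
 run: |
-dotnet publish ./src/HotChocolate/Fusion-vnext/src/Fusion.CommandLine \
+dotnet publish ./src/Nitro/CommandLine/src/CommandLine \
 -c Release \
 -r ${{ matrix.rid }} \
 -f net10.0 \
 --self-contained true \
 -p:PublishAot=true \
 -p:TargetFrameworks=NET10.0 \
+-p:RuntimeIdentifiers=${{ matrix.rid }} \
 -o ./publish
 
-- name: 📦 Zip Binary (Windows)
+- name: 🖋️ Azure login (for Windows)
+uses: azure/login@v1
 if: runner.os == 'Windows'
-run: Compress-Archive -Path publish/fusion.exe -DestinationPath fusion-${{ matrix.rid }}.zip
-shell: pwsh
+with:
+creds: ${{ secrets.SIGNING_CREDENTIALS }}
 
-- name: 📦 Zip Binary (Unix)
-if: runner.os != 'Windows'
-run: |
-cd publish
-zip ../fusion-${{ matrix.rid }}.zip fusion${{ matrix.ext }}
-shell: bash
+- name: 🖋️ Sign Windows binary
+uses: azure/trusted-signing-action@v0
+if: runner.os == 'Windows'
+with:
+endpoint: ${{ vars.AZURE_TRUSTED_SIGNING_ACCOUNT_ENDPOINT }}
+trusted-signing-account-name: ${{ secrets.AZURE_CODE_SIGNING_NAME }}
+certificate-profile-name: ${{ secrets.WINDOWS_APP_CERT_PROFILE_NAME }}
+files: ${{ github.workspace }}\publish\nitro.exe
+file-digest: SHA256
+timestamp-rfc3161: http://timestamp.acs.microsoft.com
+timestamp-digest: SHA256
+exclude-environment-credential: true
+exclude-workload-identity-credential: true
+exclude-managed-identity-credential: true
+exclude-shared-token-cache-credential: true
+exclude-visual-studio-credential: true
+exclude-visual-studio-code-credential: true
+exclude-azure-cli-credential: false
+exclude-azure-powershell-credential: true
+exclude-azure-developer-cli-credential: true
+exclude-interactive-browser-credential: true
 
-- name: 📤 Upload Zipped AOT Binary
-shell: bash
-run: |
-gh release upload ${{ github.ref_name }} fusion-${{ matrix.rid }}.zip --repo ${{ github.repository }}
+# https://docs.github.com/en/actions/how-tos/deploy/deploy-to-third-party-platforms/sign-xcode-applications
+- name: 🖋️ Set up macOS signing resources
+if: runner.os == 'macOS'
 env:
-GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+BUILD_CERTIFICATE_BASE64: ${{ secrets.APPLE_DEVELOPER_CERTFICATE_BASE64 }}
+P12_PASSWORD: ${{ secrets.APPLE_DEVELOPER_CERTFICATE_PASSWORD }}
+KEYCHAIN_PASSWORD: ${{ secrets.TEMPORARY_KEYCHAIN_PASSWORD }}
+run: |
+# create variables
+CERTIFICATE_PATH=$RUNNER_TEMP/build_certificate.p12
+KEYCHAIN_PATH=$RUNNER_TEMP/app-signing.keychain-db
 
-build-nitro-cli:
-name: 🧱 Build and Publish Nitro CLI
-runs-on: ${{ matrix.os }}
-# We need to depend on this job, as it publishes the persisted operations of the CLI.
-needs: release
-permissions:
-contents: write
-strategy:
-matrix:
-include:
-# Linux (x64)
-- os: ubuntu-22.04
-rid: linux-x64
-ext: ""
-- os: ubuntu-22.04
-rid: linux-musl-x64
-ext: ""
-# Linux (arm64 on ARM runner!)
-- os: ubuntu-24.04-arm
-rid: linux-arm64
-ext: ""
-# macOS
-- os: macos-15
-rid: osx-x64
-ext: ""
-- os: macos-15
-rid: osx-arm64
-ext: ""
-# Windows
-- os: windows-2025
-rid: win-x64
-ext: ".exe"
-- os: windows-2025
-rid: win-x86
-ext: ".exe"
-# Windows (arm64 on ARM runner!)
-- os: windows-11-arm
-rid: win-arm64
-ext: ".exe"
+# import certificate from secrets
+echo -n "$BUILD_CERTIFICATE_BASE64" | base64 --decode -o $CERTIFICATE_PATH
 
-steps:
-- name: 📦 Checkout
-uses: actions/checkout@v4
+# create temporary keychain
+security create-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
+security set-keychain-settings -lut 21600 $KEYCHAIN_PATH
+security unlock-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
 
-- name: 🛠 Install .NET
-uses: actions/setup-dotnet@v4
-with:
-dotnet-version: 10.x
+# import certificate to keychain
+security import $CERTIFICATE_PATH -P "$P12_PASSWORD" -A -t cert -f pkcs12 -k $KEYCHAIN_PATH
+security set-key-partition-list -S apple-tool:,apple: -k "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
+security list-keychain -d user -s $KEYCHAIN_PATH
 
-- name: 🧩 Publish AOT Binary for ${{ matrix.rid }}
-shell: bash
+- name: 🖋️ Sign macOS binary
+if: runner.os == 'macOS'
+env:
+CODESIGN_IDENTITY: ${{ secrets.APPLE_DEVELOPER_CERTIFICATE_IDENTITY }}
 run: |
-dotnet publish ./src/Nitro/CommandLine/src/CommandLine \
--c Release \
--r ${{ matrix.rid }} \
--f net10.0 \
---self-contained true \
--p:PublishAot=true \
--p:TargetFrameworks=NET10.0 \
--p:RuntimeIdentifiers=${{ matrix.rid }} \
--o ./publish
+echo "Code signing 'publish/nitro'..."
 
-- name: 📦 Zip Binary (Windows)
+codesign --sign "$CODESIGN_IDENTITY" \
+--verbose=3 \
+--identifier "com.chillicream.nitro" \
+--options runtime \
+--timestamp \
+--force \
+publish/nitro
+
+codesign --verify --deep --strict --verbose=2 publish/nitro
+
+- name: 📦 Zip binary (Windows)
 if: runner.os == 'Windows'
-run: Compress-Archive -Path publish/nitro.exe -DestinationPath nitro-${{ matrix.rid }}.zip
+run: |
+Compress-Archive -Path (Get-Item publish/nitro.exe) -DestinationPath nitro-${{ matrix.rid }}.zip
 shell: pwsh
 
-- name: 📦 Zip Binary (Unix)
+- name: 📦 Zip binary (Unix)
 if: runner.os != 'Windows'
 run: |
-cd publish
-zip ../nitro-${{ matrix.rid }}.zip nitro${{ matrix.ext }}
+zip -j nitro-${{ matrix.rid }}.zip publish/nitro
 shell: bash
 
-- name: 📤 Upload Zipped AOT Binary
+- name: 🖋️ Notarize macOS zipped binary
+if: runner.os == 'macOS'
+env:
+CODESIGN_IDENTITY: ${{ secrets.APPLE_DEVELOPER_CERTIFICATE_IDENTITY }}
+APPLE_DEVELOPER_ID_EMAIL: ${{ secrets.APPLE_DEVELOPER_ID_EMAIL }}
+APPLE_DEVELOPER_TEAM_ID: ${{ secrets.APPLE_DEVELOPER_TEAM_ID }}
+APPLE_DEVELOPER_NITRO_CLI_APP_SPECIFIC_PASSWORD: ${{ secrets.APPLE_DEVELOPER_NITRO_CLI_APP_SPECIFIC_PASSWORD }}
+run: |
+echo "Code signing 'nitro-${{ matrix.rid }}.zip'..."
+
+codesign --sign "$CODESIGN_IDENTITY" \
+--verbose=3 \
+--options runtime \
+--timestamp \
+--force \
+nitro-${{ matrix.rid }}.zip
+
+codesign --verify --deep --strict --verbose=2 nitro-${{ matrix.rid }}.zip
+
+echo "Notarizing 'nitro-${{ matrix.rid }}.zip'..."
+
+xcrun notarytool submit nitro-${{ matrix.rid }}.zip \
+--apple-id "$APPLE_DEVELOPER_ID_EMAIL" \
+--team-id "$APPLE_DEVELOPER_TEAM_ID" \
+--password "$APPLE_DEVELOPER_NITRO_CLI_APP_SPECIFIC_PASSWORD" \
+--wait
+
+spctl --assess --type exec -vv nitro-${{ matrix.rid }}.zip || true
+codesign -dvv nitro-${{ matrix.rid }}.zip || true
+
+- name: 🖋️ Clean up macOS signing resources
+if: always() && runner.os == 'macOS'
+run: |
+security delete-keychain $RUNNER_TEMP/app-signing.keychain-db
+
+- name: 📤 Upload Zipped AOT binary as artifact
+uses: actions/upload-artifact@v4
+with:
+name: nitro-${{ matrix.rid }}
+path: nitro-${{ matrix.rid }}.zip
+
+- name: 📤 Upload Zipped AOT binary to release
 shell: bash
 run: |
 gh release upload ${{ github.ref_name }} nitro-${{ matrix.rid }}.zip --repo ${{ github.repository }}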
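Review bot: The "Clean up macOS signing resources" step in the last hunk deletes the temporary keychain but leaves the decoded PKCS#12 file that "Set up macOS signing resources" writes to `$RUNNER_TEMP/build_certificate.p12`, so the private key material outlives the job on any runner that is not torn down afterwards; add `rm -f $RUNNER_TEMP/build_certificate.p12` after `security delete-keychain $RUNNER_TEMP/app-signing.keychain-db`. The two actions that receive signing credentials, `azure/login@v1` and `azure/trusted-signing-action@v0`, are pinned to mutable tags (and `v0` signals a pre-1.0 API); pinning each to a full commit SHA with the tag in a trailing comment keeps a tag move from changing what handles those secrets. The setup step reads `secrets.APPLE_DEVELOPER_CERTFICATE_BASE64` and `secrets.APPLE_DEVELOPER_CERTFICATE_PASSWORD` while the signing steps read `secrets.APPLE_DEVELOPER_CERTIFICATE_IDENTITY`; if the first two are misspellings of the configured secret names they expand to empty strings and the import silently fails, so confirm they match the repository's secrets. The workflow-level `id-token: write` added in the first hunk does not reach `build-nitro-cli`, whose job-level `permissions: contents: write` replaces the workflow defaults; that is fine for the `creds`-based `azure/login`, but if OIDC federation was the intent the job needs `id-token: write` as well.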
