diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 2818089..8c9dd81 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -3,6 +3,7 @@ name: Release on: release: types: [created] + workflow_dispatch: permissions: contents: write 
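Review bot: The new `workflow_dispatch:` trigger inherits the workflow-level `permissions: contents: write`, so a manual run of the `build` job — which on this event never reaches the gated `release` job — still carries write access to the repository. Since the `release` job already declares its own `permissions: contents: write` in a later hunk, consider narrowing the top-level grant to `permissions: contents: read` and keeping write only on the jobs that publish, unless `build` or `build-deb` need it for something not shown here. This is a least-privilege point about the surrounding workflow rather than a defect in the added line.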
@@ -86,6 +87,64 @@ jobs: bun build dist/index.js --compile --target=bun-${{ matrix.target }} --outfile="${BINARY_NAME}" fi + - name: Import Apple Developer ID cert + if: matrix.platform == 'darwin' + uses: apple-actions/import-codesign-certs@b610f78488812c1e56b20e6df63ec42d833f2d14 # v6.0.0 + with: + p12-file-base64: ${{ secrets.APPLE_DEVELOPER_ID_CERT_P12 }} + p12-password: ${{ secrets.APPLE_DEVELOPER_ID_CERT_PASSWORD }} + + - name: Sign macOS binary + if: matrix.platform == 'darwin' + shell: bash + env: + BINARY_NAME: make-cli-${{ matrix.platform }}-${{ matrix.arch }} + run: | + set -euo pipefail + + codesign --remove-signature "${BINARY_NAME}" || true + + IDENTITY="$(security find-identity -v -p codesigning signing_temp \ + | awk -F'"' '/Developer ID Application/ { print $2; exit }')" + if [ -z "${IDENTITY}" ]; then + echo "::error::No 'Developer ID Application' identity found in the imported certificate" + exit 1 + fi + echo "Signing identity: ${IDENTITY}" + + codesign \ + --force \ + --options runtime \ + --entitlements build/entitlements.mac.plist \ + --timestamp \ + --sign "${IDENTITY}" \ + "${BINARY_NAME}" + + codesign --verify --strict --verbose "${BINARY_NAME}" + codesign -dv --verbose=4 "${BINARY_NAME}" + + - name: Notarize macOS binary + if: matrix.platform == 'darwin' + shell: bash + env: + BINARY_NAME: make-cli-${{ matrix.platform }}-${{ matrix.arch }} + APPLE_ID: ${{ secrets.APPLE_ID }} + APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }} + APPLE_APP_PASSWORD: ${{ secrets.APPLE_APP_PASSWORD }} + run: | + set -euo pipefail + + ZIP_PATH="${BINARY_NAME}.notarize.zip" + ditto -c -k --keepParent "${BINARY_NAME}" "${ZIP_PATH}" + + xcrun notarytool submit "${ZIP_PATH}" \ + --apple-id "${APPLE_ID}" \ + --team-id "${APPLE_TEAM_ID}" \ + --password "${APPLE_APP_PASSWORD}" \ + --wait + + rm -f "${ZIP_PATH}" + - name: Create tar.gz archive shell: bash run: | 
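Review bot: The Notarize step authenticates with an Apple ID plus app-specific password and hands the secret to `notarytool` as a process argument; an App Store Connect API key (`--key`, `--key-id`, `--issuer`, scoped to a limited role) is the narrower, revocable credential and keeps the secret out of the argument vector. Nothing after `xcrun notarytool submit ... --wait` inspects the outcome, so if notarytool's exit status does not reflect an `Invalid` result on the runner's Xcode version, the job proceeds to the archive step with an un-notarized binary; capturing the submission id and running `xcrun notarytool log` when the status is not `Accepted` would make that failure explicit. Because a bare Mach-O cannot be stapled, a comment such as `# no stapler step: bare executables cannot carry a ticket; Gatekeeper fetches it online` would document why the step stops at submission. The Sign step's `signing_temp` keychain name relies on the import action's default; setting it explicitly through the import action's own keychain setting would make the coupling visible.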
@@ -105,6 +164,7 @@ jobs: build-deb: needs: build + if: github.event_name == 'release' runs-on: ubuntu-latest strategy: matrix: @@ -139,6 +199,7 @@ jobs: release: needs: [build, build-deb] + if: github.event_name == 'release' runs-on: ubuntu-latest permissions: contents: write @@ -183,6 +244,7 @@ jobs: update-homebrew: needs: release + if: github.event_name == 'release' runs-on: ubuntu-latest steps: diff --git a/build/entitlements.mac.plist b/build/entitlements.mac.plist new file mode 100644 index 0000000..d34af29 --- /dev/null +++ b/build/entitlements.mac.plist @@ -0,0 +1,16 @@ + + + + + com.apple.security.cs.allow-jit + + com.apple.security.cs.allow-unsigned-executable-memory + + com.apple.security.cs.disable-executable-page-protection + + com.apple.security.cs.allow-dyld-environment-variables + + com.apple.security.cs.disable-library-validation + + + \ No newline at end of file diff --git a/package-lock.json b/package-lock.json index 59636c7..085cab1 100644 --- a/package-lock.json +++ b/package-lock.json @@ -1,12 +1,12 @@ { "name": "@makehq/cli", - "version": "1.3.0", + "version": "1.3.1", "lockfileVersion": 3, "requires": true, "packages": { "": { "name": "@makehq/cli", - "version": "1.3.0", + "version": "1.3.1", "license": "MIT", "dependencies": { "@inquirer/prompts": "^8.3.2", diff --git a/package.json b/package.json index 2843823..eae0544 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "@makehq/cli", - "version": "1.3.0", + "version": "1.3.1", "description": "A command-line tool for Make automation platform", "license": "MIT", "author": "Make",
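Review bot: The entitlements in `build/entitlements.mac.plist` largely switch off the hardened runtime that the Sign step enables with `--options runtime`: `com.apple.security.cs.disable-library-validation` together with `com.apple.security.cs.allow-dyld-environment-variables` allows unsigned libraries to be loaded into the notarized binary via `DYLD_INSERT_LIBRARIES`, defeating library validation, and `com.apple.security.cs.disable-executable-page-protection` removes W^X enforcement outright, which Apple documents as an extreme entitlement that is not needed when `allow-jit` is present. A Bun-compiled binary plausibly needs `com.apple.security.cs.allow-jit` and perhaps `com.apple.security.cs.allow-unsigned-executable-memory` for its JavaScript engine, but the other three should be dropped unless a signing-time or runtime failure demonstrates they are required, with a comment in the plist naming the failure each kept key works around. The rendered hunk shows only the key names, so the values are presumably `<true/>`; the file also lacks a trailing newline.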