Merge pull request #3 from cdzombak/cdz/upload-artifact-v4 #13
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
--- | |
name: CI | |
"on": | |
push: | |
branches: | |
- "main" | |
tags: | |
- "v*.*.*" | |
pull_request: | |
branches: | |
- "main" | |
permissions: | |
contents: read | |
jobs: | |
meta: | |
name: Derive Build Metadata | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
- name: Derive version string | |
id: bin_version | |
run: echo "bin_version=$(./.version.sh)" >> "$GITHUB_OUTPUT" | |
- name: bin_version | |
run: "echo bin_version: ${{ steps.bin_version.outputs.bin_version }}" | |
- name: Check if this is a running version tag update | |
id: running_version_tag | |
run: | | |
if [ -z "${{ github.event.ref }}" ]; then | |
echo "is_running_version_tag_update=false" >> "$GITHUB_OUTPUT" | |
elif [[ "${{ github.event.ref }}" =~ ^refs/tags/v[0-9]+\.[0-9]+$ ]]; then | |
echo "is_running_version_tag_update=true" >> "$GITHUB_OUTPUT" | |
elif [[ "${{ github.event.ref }}" =~ ^refs/tags/v[0-9]+$ ]]; then | |
echo "is_running_version_tag_update=true" >> "$GITHUB_OUTPUT" | |
else | |
echo "is_running_version_tag_update=false" >> "$GITHUB_OUTPUT" | |
fi | |
- name: is_running_version_tag | |
run: "echo is_running_version_tag_update: ${{ steps.running_version_tag.outputs.is_running_version_tag_update }}" | |
outputs: | |
bin_name: alfred-bear-${{ steps.bin_version.outputs.bin_version }}.alfredworkflow | |
bin_version: ${{ steps.bin_version.outputs.bin_version }} | |
is_prerelease: >- | |
${{ | |
steps.running_version_tag.outputs.is_running_version_tag_update != 'true' && | |
startsWith(github.ref, 'refs/tags/v') && | |
(contains(github.ref, '-alpha.') | |
|| contains(github.ref, '-beta.') | |
|| contains(github.ref, '-rc.')) | |
}} | |
is_release: >- | |
${{ | |
steps.running_version_tag.outputs.is_running_version_tag_update != 'true' && | |
startsWith(github.ref, 'refs/tags/v') && | |
!(contains(github.ref, '-alpha.') | |
|| contains(github.ref, '-beta.') | |
|| contains(github.ref, '-rc.')) | |
}} | |
is_pull_request: ${{ github.event_name == 'pull_request' }} | |
is_running_version_tag_update: ${{ steps.running_version_tag.outputs.is_running_version_tag_update }} | |
lint: | |
name: Lint | |
runs-on: ubuntu-latest | |
permissions: | |
contents: write | |
checks: write | |
issues: write | |
pull-requests: write | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
- name: Run MegaLinter | |
uses: oxsecurity/megalinter@v7 | |
env: | |
# See https://megalinter.io/configuration and .mega-linter.yml | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
- name: Archive MegaLinter artifacts | |
if: ( !env.ACT && ( success() || failure() ) ) | |
uses: actions/upload-artifact@v4 | |
with: | |
name: MegaLinter artifacts | |
path: | | |
megalinter-reports | |
mega-linter.log | |
package: | |
name: Workflow Package | |
needs: [meta] #, lint | |
if: needs.meta.outputs.is_running_version_tag_update != 'true' | |
runs-on: macos-latest | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
- uses: actions/setup-go@v5 | |
with: | |
go-version-file: 'go.mod' | |
check-latest: true | |
- run: go version | |
- name: Build alfred-bear binary | |
run: make build | |
- name: Sign alfred-bear binary | |
if: >- | |
needs.meta.outputs.is_release == 'true' || | |
needs.meta.outputs.is_prerelease == 'true' | |
working-directory: out | |
env: | |
DEVID_SIGNING_CERT_BASE64: ${{ secrets.DEVID_SIGNING_CERT }} | |
DEVID_SIGNING_CERT_PASS: ${{ secrets.DEVID_SIGNING_CERT_PASS }} | |
DEVID_SIGNING_CERT_ID: 072D402E34FDAA37E45A50A75D67FF974403582F | |
KEYCHAIN_PASS: ${{ secrets.KEYCHAIN_PASS }} | |
run: | | |
security create-keychain -p "$KEYCHAIN_PASS" build.keychain | |
security default-keychain -s build.keychain | |
security unlock-keychain -p "$KEYCHAIN_PASS" build.keychain | |
echo "$DEVID_SIGNING_CERT_BASE64" | base64 --decode > certificate.p12 | |
security import certificate.p12 -k build.keychain -P "$DEVID_SIGNING_CERT_PASS" -T /usr/bin/codesign | |
security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$KEYCHAIN_PASS" build.keychain | |
/usr/bin/codesign --force --timestamp --options=runtime -s "$DEVID_SIGNING_CERT_ID" ./alfred-bear -v | |
- name: Build workflow | |
run: make package | |
- name: Upload workflow artifact | |
uses: actions/upload-artifact@v4 | |
with: | |
name: ${{ needs.meta.outputs.bin_name }} | |
path: out | |
release: | |
name: GitHub (Pre)Release | |
needs: [meta, package] | |
if: >- | |
needs.meta.outputs.is_release == 'true' || | |
needs.meta.outputs.is_prerelease == 'true' | |
runs-on: macos-latest | |
permissions: | |
contents: write | |
steps: | |
- name: Download workflow artifact | |
uses: actions/download-artifact@v3 | |
with: | |
name: ${{ needs.meta.outputs.bin_name }} | |
path: out | |
- name: Create .dmg | |
working-directory: out | |
run: | | |
mkdir ./.dmg-src | |
xattr -cr ./.dmg-src | |
cp ${{ needs.meta.outputs.bin_name }} ./.dmg-src/ | |
hdiutil create -srcfolder ./.dmg-src \ | |
-fs "HFS+" \ | |
-volname "${{ needs.meta.outputs.bin_name }}" \ | |
./${{ needs.meta.outputs.bin_name }}.dmg | |
hdiutil verify ./${{ needs.meta.outputs.bin_name }}.dmg | |
- name: Notarize .dmg | |
working-directory: out | |
env: | |
NOTARIZATION_APPLE_ID: ${{ secrets.NOTARIZATION_APPLE_ID }} | |
NOTARIZATION_TEAM_ID: ${{ secrets.NOTARIZATION_TEAM_ID }} | |
NOTARIZATION_PASS: ${{ secrets.NOTARIZATION_PASS }} | |
run: | | |
xcrun notarytool store-credentials "notarytool-profile" \ | |
--apple-id "$NOTARIZATION_APPLE_ID" \ | |
--team-id "$NOTARIZATION_TEAM_ID" \ | |
--password "$NOTARIZATION_PASS" | |
xcrun notarytool submit ./${{ needs.meta.outputs.bin_name }}.dmg --keychain-profile "notarytool-profile" --wait | |
xcrun stapler staple ./${{ needs.meta.outputs.bin_name }}.dmg | |
- name: Upload notarized .dmg artifact | |
uses: actions/upload-artifact@v4 | |
with: | |
name: ${{ needs.meta.outputs.bin_name }}.dmg | |
path: out/${{ needs.meta.outputs.bin_name }}.dmg | |
- name: Create GitHub release | |
uses: softprops/action-gh-release@v1 | |
with: | |
files: out/${{ needs.meta.outputs.bin_name }}.dmg | |
prerelease: ${{ needs.meta.outputs.is_prerelease == 'true' }} | |
fail_on_unmatched_files: true | |
generate_release_notes: true | |
tags: | |
name: Update Release Tags | |
needs: [meta, release] | |
if: needs.meta.outputs.is_release == 'true' | |
runs-on: ubuntu-latest | |
permissions: | |
contents: write | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
- name: Update running major/minor version tags | |
uses: sersoft-gmbh/running-release-tags-action@v3 | |
with: | |
fail-on-non-semver-tag: true | |
create-release: false | |
update-full-release: false |