import apple certs

2026-04-28 16:55:44 +00:00 · 2025-12-06 12:34:40 +08:00
parent 25dae77fcd
commit a6573f2f9f
1 changed files with 74 additions and 48 deletions
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -24,62 +24,62 @@ permissions:
  packages: write

 jobs:
-  publish:
-    runs-on: blacksmith-4vcpu-ubuntu-2404
-    if: github.repository == 'sst/opencode'
-    steps:
-      - uses: actions/checkout@v3
-        with:
-          fetch-depth: 0
+  # publish:
+  #   runs-on: blacksmith-4vcpu-ubuntu-2404
+  #   if: github.repository == 'sst/opencode'
+  #   steps:
+  #     - uses: actions/checkout@v3
+  #       with:
+  #         fetch-depth: 0

-      - run: git fetch --force --tags
+  #     - run: git fetch --force --tags

-      - uses: actions/setup-go@v5
-        with:
-          go-version: ">=1.24.0"
-          cache: true
-          cache-dependency-path: go.sum
+  #     - uses: actions/setup-go@v5
+  #       with:
+  #         go-version: ">=1.24.0"
+  #         cache: true
+  #         cache-dependency-path: go.sum

-      - uses: ./.github/actions/setup-bun
+  #     - uses: ./.github/actions/setup-bun

-      - name: Install makepkg
-        run: |
-          sudo apt-get update
-          sudo apt-get install -y pacman-package-manager
-      - name: Setup SSH for AUR
-        run: |
-          mkdir -p ~/.ssh
-          echo "${{ secrets.AUR_KEY }}" > ~/.ssh/id_rsa
-          chmod 600 ~/.ssh/id_rsa
-          git config --global user.email "opencode@sst.dev"
-          git config --global user.name "opencode"
-          ssh-keyscan -H aur.archlinux.org >> ~/.ssh/known_hosts || true
+  #     - name: Install makepkg
+  #       run: |
+  #         sudo apt-get update
+  #         sudo apt-get install -y pacman-package-manager
+  #     - name: Setup SSH for AUR
+  #       run: |
+  #         mkdir -p ~/.ssh
+  #         echo "${{ secrets.AUR_KEY }}" > ~/.ssh/id_rsa
+  #         chmod 600 ~/.ssh/id_rsa
+  #         git config --global user.email "opencode@sst.dev"
+  #         git config --global user.name "opencode"
+  #         ssh-keyscan -H aur.archlinux.org >> ~/.ssh/known_hosts || true

-      - name: Install OpenCode
-        run: curl -fsSL https://opencode.ai/install | bash
+  #     - name: Install OpenCode
+  #       run: curl -fsSL https://opencode.ai/install | bash

-      - name: Setup npm auth
-        run: |
-          echo "//registry.npmjs.org/:_authToken=${{ secrets.NPM_TOKEN }}" > ~/.npmrc
+  #     - name: Setup npm auth
+  #       run: |
+  #         echo "//registry.npmjs.org/:_authToken=${{ secrets.NPM_TOKEN }}" > ~/.npmrc

-      - name: Login to GitHub Container Registry
-        uses: docker/login-action@v3
-        with:
-          registry: ghcr.io
-          username: ${{ github.repository_owner }}
-          password: ${{ secrets.GITHUB_TOKEN }}
+  #     - name: Login to GitHub Container Registry
+  #       uses: docker/login-action@v3
+  #       with:
+  #         registry: ghcr.io
+  #         username: ${{ github.repository_owner }}
+  #         password: ${{ secrets.GITHUB_TOKEN }}

-      - name: Publish
-        run: |
-          ./script/publish.ts
-        env:
-          OPENCODE_BUMP: ${{ inputs.bump }}
-          OPENCODE_VERSION: ${{ inputs.version }}
-          OPENCODE_CHANNEL: latest
-          NPM_CONFIG_TOKEN: ${{ secrets.NPM_TOKEN }}
-          GITHUB_TOKEN: ${{ secrets.SST_GITHUB_TOKEN }}
-          AUR_KEY: ${{ secrets.AUR_KEY }}
-          OPENCODE_API_KEY: ${{ secrets.OPENCODE_API_KEY }}
+  #     - name: Publish
+  #       run: |
+  #         ./script/publish.ts
+  #       env:
+  #         OPENCODE_BUMP: ${{ inputs.bump }}
+  #         OPENCODE_VERSION: ${{ inputs.version }}
+  #         OPENCODE_CHANNEL: latest
+  #         NPM_CONFIG_TOKEN: ${{ secrets.NPM_TOKEN }}
+  #         GITHUB_TOKEN: ${{ secrets.SST_GITHUB_TOKEN }}
+  #         AUR_KEY: ${{ secrets.AUR_KEY }}
+  #         OPENCODE_API_KEY: ${{ secrets.OPENCODE_API_KEY }}

  publish-tauri:
    strategy:
@@ -99,6 +99,25 @@ jobs:
        with:
          fetch-depth: 0

+      - uses: apple-actions/import-codesign-certs@v2
+        if: ${{ runner.os == 'macOS' }}
+        with:
+          p12-file-base64: ${{ secrets.APPLE_CERTIFICATE }}
+          p12-password: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
+
+      - name: Verify Certificate
+        if: ${{ runner.os == 'macOS' }}
+        run: |
+          CERT_INFO=$(security find-identity -v -p codesigning build.keychain | grep "Apple Development")
+          CERT_ID=$(echo "$CERT_INFO" | awk -F'"' '{print $2}')
+          echo "CERT_ID=$CERT_ID" >> $GITHUB_ENV
+          echo "Certificate imported."
+
+      - name: Setup Apple API Key
+        if: ${{ runner.os == 'macOS' }}
+        run: |
+          echo "${{ secrets.APPLE_API_KEY_PATH }}" > $RUNNER_TEMP/apple-api-key.p8
+
      - run: git fetch --force --tags

      - uses: ./.github/actions/setup-bun
@@ -139,11 +158,18 @@ jobs:
        if: startsWith(matrix.settings.host, 'ubuntu')

      - name: Build and upload artifacts
+        if: false
        uses: tauri-apps/tauri-action@390cbe447412ced1303d35abe75287949e43437a
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          TAURI_BUNDLER_NEW_APPIMAGE_FORMAT: true
          TAURI_SIGNING_PRIVATE_KEY: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY }}
+          APPLE_CERTIFICATE: ${{ secrets.APPLE_CERTIFICATE }}
+          APPLE_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
+          APPLE_SIGNING_IDENTITY: ${{ env.CERT_ID }}
+          APPLE_API_ISSUER: ${{ secrets.APPLE_API_ISSUER }}
+          APPLE_API_KEY: ${{ secrets.APPLE_API_KEY }}
+          APPLE_API_KEY_PATH: ${{ runner.temp }}/apple-api-key.p8
        with:
          projectPath: packages/tauri
          uploadWorkflowArtifacts: true