LuckyRobots/LuckyWorld
14
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects 1 Releases 13 Wiki Activity

fix(workflows): enhance local signing workflow to support App Store Connect API key notarization and improve credential handling
All checks were successful
Test Local Signing / test-local-signing (push) Successful in 9s
Details

Browse Source
This commit is contained in:
Ozgur 2025-04-14 15:51:17 +02:00
parent 751105d1e2
commit 69fcbde72f
No known key found for this signature in database
GPG Key ID: 66CDF27505A35546
1 changed files with 70 additions and 23 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

93
.gitea/workflows/test-local-signing.yml
View File

@ -264,36 +264,83 @@ jobs:
env:
APPLE_ID: ${{ secrets.APPLE_NOTARY_USER }}
APP_PASSWORD: ${{ secrets.APPLE_NOTARY_PASSWORD }}
API_KEY_ID: ${{ secrets.APPLE_NOTARY_API_KEY_ID }}
API_ISSUER_ID: ${{ secrets.APPLE_NOTARY_API_ISSUER_ID }}
API_KEY: ${{ secrets.APPLE_NOTARY_API_KEY }}
run: |
echo "📤 Notarizing app..."
# Make sure we have required secrets
if [ -z "$APPLE_ID" ] || [ -z "$APP_PASSWORD" ] || [ -z "$APPLE_TEAM_ID" ]; then
# Check if we have API key credentials
if [ -n "$API_KEY_ID" ] && [ -n "$API_ISSUER_ID" ] && [ -n "$API_KEY" ]; then
echo "Using App Store Connect API key for notarization..."
# Create directory for API key
mkdir -p ~/private_keys
echo "$API_KEY" > ~/private_keys/AuthKey_${API_KEY_ID}.p8
# Create zip for notarization
ZIP_PATH="TestApp-notarize.zip"
ditto -c -k --keepParent "$APP_PATH" "$ZIP_PATH"
echo "Submitting for notarization with API key..."
xcrun notarytool submit "$ZIP_PATH" \
--key ~/private_keys/AuthKey_${API_KEY_ID}.p8 \
--key-id "$API_KEY_ID" \
--issuer "$API_ISSUER_ID" \
--wait
# Staple the notarization ticket
echo "Stapling notarization ticket..."
xcrun stapler staple "$APP_PATH"
# Verify notarization
echo "🔍 Verifying notarization..."
spctl --assess --verbose --type exec "$APP_PATH"
echo "NOTARIZED=true" >> "$GITHUB_ENV"
# Clean up
rm -rf ~/private_keys
# Fall back to App-specific password if API key not available
elif [ -n "$APPLE_ID" ] && [ -n "$APP_PASSWORD" ] && [ -n "$APPLE_TEAM_ID" ]; then
echo "Using App-specific password for notarization..."
# Create zip for notarization
ZIP_PATH="TestApp-notarize.zip"
ditto -c -k --keepParent "$APP_PATH" "$ZIP_PATH"
echo "Submitting for notarization..."
xcrun notarytool submit "$ZIP_PATH" \
--apple-id "$APPLE_ID" \
--password "$APP_PASSWORD" \
--team-id "$APPLE_TEAM_ID" \
--wait
# Staple the notarization ticket
echo "Stapling notarization ticket..."
xcrun stapler staple "$APP_PATH"
# Verify notarization
echo "🔍 Verifying notarization..."
spctl --assess --verbose --type exec "$APP_PATH"
echo "NOTARIZED=true" >> "$GITHUB_ENV"
else
echo "⚠️ Missing notarization credentials. Skipping notarization."
echo "For App Store Connect API key method, set these secrets:"
echo " - APPLE_NOTARY_API_KEY_ID: Your API key ID"
echo " - APPLE_NOTARY_API_ISSUER_ID: Your API issuer ID"
echo " - APPLE_NOTARY_API_KEY: Your API key content (p8 file)"
echo ""
echo "For App-specific password method, set these secrets:"
echo " - APPLE_NOTARY_USER: Your Apple ID (email)"
echo " - APPLE_NOTARY_PASSWORD: Your app-specific password"
echo " - APPLE_TEAM_ID: Your Apple Developer team ID"
echo "NOTARIZED=false" >> "$GITHUB_ENV"
exit 0
fi
# Create zip for notarization
ZIP_PATH="TestApp-notarize.zip"
ditto -c -k --keepParent "$APP_PATH" "$ZIP_PATH"
echo "Submitting for notarization..."
xcrun notarytool submit "$ZIP_PATH" \
--apple-id "$APPLE_ID" \
--password "$APP_PASSWORD" \
--team-id "$APPLE_TEAM_ID" \
--wait
# Staple the notarization ticket
echo "Stapling notarization ticket..."
xcrun stapler staple "$APP_PATH"
# Verify notarization
echo "🔍 Verifying notarization..."
spctl --assess --verbose --type exec "$APP_PATH"
echo "NOTARIZED=true" >> "$GITHUB_ENV"
shell: bash
- name: Package Signed App