This repository was archived by the owner on Nov 26, 2025. It is now read-only.
feat: add macOS code signing and notarization to GitHub Actions workf… #1
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Release | |
| on: | |
| push: | |
| tags: | |
| - 'v*.*.*' | |
| workflow_dispatch: | |
| inputs: | |
| tag: | |
| description: 'Release tag (e.g., v0.1.0)' | |
| required: true | |
| jobs: | |
| build-and-release: | |
| name: Build and Release | |
| runs-on: ${{ matrix.os }} | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| include: | |
| - os: macos-latest | |
| target: aarch64-apple-darwin | |
| artifact_name: rohas-macos-arm64 | |
| - os: macos-latest | |
| target: x86_64-apple-darwin | |
| artifact_name: rohas-macos-x86_64 | |
| - os: windows-latest | |
| target: x86_64-pc-windows-msvc | |
| artifact_name: rohas-windows-x86_64 | |
| - os: ubuntu-latest | |
| target: x86_64-unknown-linux-gnu | |
| artifact_name: rohas-linux-x86_64 | |
| - os: ubuntu-latest | |
| target: aarch64-unknown-linux-gnu | |
| artifact_name: rohas-linux-arm64 | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| - name: Install Rust | |
| uses: dtolnay/rust-toolchain@stable | |
| with: | |
| targets: ${{ matrix.target }} | |
| - name: Install cross-compilation dependencies (Linux ARM64) | |
| if: matrix.target == 'aarch64-unknown-linux-gnu' | |
| run: | | |
| sudo apt-get update | |
| sudo apt-get install -y gcc-aarch64-linux-gnu libc6-dev-arm64-cross pkg-config | |
| rustup target add aarch64-unknown-linux-gnu | |
| echo "CARGO_TARGET_AARCH64_UNKNOWN_LINUX_GNU_LINKER=aarch64-linux-gnu-gcc" >> $GITHUB_ENV | |
| - name: Install build dependencies (for vendored OpenSSL) | |
| if: runner.os == 'Linux' | |
| run: | | |
| sudo apt-get update | |
| sudo apt-get install -y make perl | |
| - name: Cache cargo registry | |
| uses: actions/cache@v4 | |
| with: | |
| path: | | |
| ~/.cargo/bin/ | |
| ~/.cargo/registry/index/ | |
| ~/.cargo/registry/cache/ | |
| ~/.cargo/git/db/ | |
| target/ | |
| key: ${{ runner.os }}-cargo-${{ matrix.target }}-${{ hashFiles('**/Cargo.lock') }} | |
| restore-keys: | | |
| ${{ runner.os }}-cargo-${{ matrix.target }}- | |
| - name: Build | |
| env: | |
| OPENSSL_STATIC: 1 | |
| OPENSSL_VENDORED: 1 | |
| run: cargo build --release --target ${{ matrix.target }} | |
| - name: Import Apple Code Signing Certificate | |
| if: runner.os == 'macOS' | |
| uses: apple-actions/import-codesign-certs@v2 | |
| with: | |
| p12-file-base64: ${{ secrets.APPLE_CERTIFICATE_BASE64 }} | |
| p12-password: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }} | |
| - name: Code Sign macOS Binary | |
| if: runner.os == 'macOS' | |
| shell: bash | |
| run: | | |
| BINARY="target/${{ matrix.target }}/release/rohas" | |
| if [ -f "$BINARY" ]; then | |
| SIGNING_IDENTITY="${{ secrets.APPLE_SIGNING_IDENTITY }}" | |
| if [ -z "$SIGNING_IDENTITY" ]; then | |
| echo "Warning: APPLE_SIGNING_IDENTITY not set, skipping code signing" | |
| else | |
| codesign --force --timestamp --options runtime --sign "$SIGNING_IDENTITY" "$BINARY" | |
| codesign --verify --verbose "$BINARY" | |
| fi | |
| else | |
| echo "Binary not found at $BINARY" | |
| exit 1 | |
| fi | |
| - name: Notarize macOS Binary | |
| if: runner.os == 'macOS' | |
| shell: bash | |
| run: | | |
| BINARY="target/${{ matrix.target }}/release/rohas" | |
| if [ -f "$BINARY" ]; then | |
| APPLE_ID="${{ secrets.APPLE_ID }}" | |
| APPLE_TEAM_ID="${{ secrets.APPLE_TEAM_ID }}" | |
| APPLE_APP_PASSWORD="${{ secrets.APPLE_APP_SPECIFIC_PASSWORD }}" | |
| if [ -z "$APPLE_ID" ] || [ -z "$APPLE_TEAM_ID" ] || [ -z "$APPLE_APP_PASSWORD" ]; then | |
| echo "Warning: Notarization credentials not set, skipping notarization" | |
| else | |
| xcrun notarytool submit "$BINARY" \ | |
| --apple-id "$APPLE_ID" \ | |
| --team-id "$APPLE_TEAM_ID" \ | |
| --password "$APPLE_APP_PASSWORD" \ | |
| --wait | |
| xcrun stapler staple "$BINARY" | |
| fi | |
| else | |
| echo "Binary not found at $BINARY" | |
| exit 1 | |
| fi | |
| - name: Prepare artifact (Windows) | |
| if: runner.os == 'Windows' | |
| shell: pwsh | |
| run: | | |
| $binary = "target\${{ matrix.target }}\release\rohas.exe" | |
| if (Test-Path $binary) { | |
| New-Item -ItemType Directory -Force -Path release | Out-Null | |
| Copy-Item $binary "release\rohas.exe" | |
| Compress-Archive -Path "release\rohas.exe" -DestinationPath "release\${{ matrix.artifact_name }}.zip" -Force | |
| echo "ARTIFACT_PATH=release\${{ matrix.artifact_name }}.zip" | Out-File -FilePath $env:GITHUB_ENV -Append | |
| echo "ARTIFACT_NAME=${{ matrix.artifact_name }}.zip" | Out-File -FilePath $env:GITHUB_ENV -Append | |
| } else { | |
| Write-Error "Binary not found at $binary" | |
| exit 1 | |
| } | |
| - name: Prepare artifact (Unix) | |
| if: runner.os != 'Windows' | |
| shell: bash | |
| run: | | |
| BINARY="target/${{ matrix.target }}/release/rohas" | |
| if [ -f "$BINARY" ]; then | |
| mkdir -p release | |
| cp "$BINARY" "release/rohas" | |
| chmod +x "release/rohas" | |
| cd release | |
| tar czf "${{ matrix.artifact_name }}.tar.gz" rohas | |
| cd .. | |
| echo "ARTIFACT_PATH=release/${{ matrix.artifact_name }}.tar.gz" >> $GITHUB_ENV | |
| echo "ARTIFACT_NAME=${{ matrix.artifact_name }}.tar.gz" >> $GITHUB_ENV | |
| else | |
| echo "Binary not found at $BINARY" | |
| exit 1 | |
| fi | |
| - name: Upload artifact | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: ${{ matrix.artifact_name }} | |
| path: ${{ env.ARTIFACT_PATH }} | |
| retention-days: 30 | |
| create-release: | |
| name: Create Release | |
| needs: build-and-release | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: write | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| - name: Get tag name | |
| id: tag | |
| run: | | |
| if [ "${{ github.event_name }}" == "workflow_dispatch" ]; then | |
| echo "tag=${{ github.event.inputs.tag }}" >> $GITHUB_OUTPUT | |
| else | |
| echo "tag=${GITHUB_REF#refs/tags/}" >> $GITHUB_OUTPUT | |
| fi | |
| - name: Download all artifacts | |
| uses: actions/download-artifact@v4 | |
| with: | |
| path: artifacts | |
| - name: Prepare release assets | |
| shell: bash | |
| run: | | |
| mkdir -p release-assets | |
| find artifacts -type f \( -name "*.tar.gz" -o -name "*.zip" \) -exec cp {} release-assets/ \; | |
| - name: Create Release | |
| uses: softprops/action-gh-release@v2 | |
| with: | |
| tag_name: ${{ steps.tag.outputs.tag }} | |
| name: Release ${{ steps.tag.outputs.tag }} | |
| body: | | |
| ## Release ${{ steps.tag.outputs.tag }} | |
| ### Downloads | |
| - **macOS ARM64 (M1)**: `rohas-macos-arm64.tar.gz` | |
| - **macOS x86_64**: `rohas-macos-x86_64.tar.gz` | |
| - **Windows x86_64**: `rohas-windows-x86_64.zip` | |
| - **Linux x86_64**: `rohas-linux-x86_64.tar.gz` | |
| - **Linux ARM64**: `rohas-linux-arm64.tar.gz` | |
| ### Installation | |
| **macOS/Linux:** | |
| ```bash | |
| tar -xzf rohas-<platform>.tar.gz | |
| sudo mv rohas /usr/local/bin/ | |
| ``` | |
| **Windows:** | |
| ```powershell | |
| Expand-Archive rohas-windows-x86_64.zip | |
| # Add to PATH | |
| ``` | |
| files: release-assets/* | |
| draft: false | |
| prerelease: ${{ contains(steps.tag.outputs.tag, '-') }} | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |