From 3fb118c709377719ff6f0f437aa968a2367d5c9d Mon Sep 17 00:00:00 2001 From: Allen Byrne <50328838+byrnHDF@users.noreply.github.com> Date: Mon, 6 May 2024 11:37:28 -0500 Subject: [PATCH] Master sign env (#184) --- .github/workflows/ant.yml | 22 ++++++++++++---------- .github/workflows/daily-build.yml | 3 ++- 2 files changed, 14 insertions(+), 11 deletions(-) diff --git a/.github/workflows/ant.yml b/.github/workflows/ant.yml index 192538a1..2940c7cd 100644 --- a/.github/workflows/ant.yml +++ b/.github/workflows/ant.yml @@ -26,15 +26,17 @@ on: type: string required: true default: snapshots + secrets: + APPLE_CERTS_BASE64: + required: true + APPLE_CERTS_BASE64_PASSWORD: + required: true + KEYCHAIN_PASSWD: + required: true permissions: contents: read -env: - BUILD_CERTIFICATE_BASE64: ${{ secrets.APPLE_CERTS_BASE64 }} - P12_PASSWORD: ${{ secrets.APPLE_CERTS_BASE64_PASSWORD }} - KEYCHAIN_PASSWD: ${{ secrets.KEYCHAIN_PASSWD }} - jobs: build_and_test_win: # Windows w/ MSVC + CMake 
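Review bot: Declaring the three secrets under `workflow_call` does not narrow what this workflow receives while the caller in daily-build.yml still uses `secrets: inherit` (last hunk of this patch), which hands over every secret the caller can read. Now that the names are declared here, the caller could pass only those three by name, i.e. a `secrets:` mapping with `APPLE_CERTS_BASE64: ${{ secrets.APPLE_CERTS_BASE64 }}` and the two others, so secrets unrelated to signing never reach the build jobs. Each declaration could also carry a `description:` line saying what the value is (the base64-encoded .p12, its import password, the temporary keychain password). The `on:` block starts outside the hunk, so its other inputs are not reviewed here.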
@@ -358,17 +360,17 @@ jobs: CERTIFICATE_PATH=$RUNNER_TEMP/build_certificate.p12 KEYCHAIN_PATH=$RUNNER_TEMP/app-signing.keychain-db # import certificate from secrets - echo -n "${{ env.BUILD_CERTIFICATE_BASE64 }}" | base64 --decode -o $CERTIFICATE_PATH + echo -n "${{ secrets.APPLE_CERTS_BASE64 }}" | base64 --decode -o $CERTIFICATE_PATH ls -la $RUNNER_TEMP security -v verify-cert -c $CERTIFICATE_PATH # create temporary keychain - security -v create-keychain -p "$KEYCHAIN_PASSWD" $KEYCHAIN_PATH + security -v create-keychain -p "${{ secrets.KEYCHAIN_PASSWD }}" $KEYCHAIN_PATH security -v list-keychains security -v set-keychain-settings -lut 21600 $KEYCHAIN_PATH - security -v unlock-keychain -p "$KEYCHAIN_PASSWD" $KEYCHAIN_PATH + security -v unlock-keychain -p "${{ secrets.KEYCHAIN_PASSWD }}" $KEYCHAIN_PATH # import certificate to keychain - security -v import $CERTIFICATE_PATH -P "${{ env.P12_PASSWORD }}" -A -t cert -f pkcs12 -k $KEYCHAIN_PATH - security -v set-key-partition-list -S apple-tool:,apple: -k "${{ env.KEYCHAIN_PASSWD }}" $KEYCHAIN_PATH + security -v import $CERTIFICATE_PATH -P "${{ secrets.APPLE_CERTS_BASE64_PASSWORD }}" -A -t cert -f pkcs12 -k $KEYCHAIN_PATH + security -v set-key-partition-list -S apple-tool:,apple: -k "${{ secrets.KEYCHAIN_PASSWD }}" $KEYCHAIN_PATH security -v list-keychain -d user -s $KEYCHAIN_PATH - name: Set up JDK 21 diff --git a/.github/workflows/daily-build.yml b/.github/workflows/daily-build.yml index ef450266..8a561ea0 100644 --- a/.github/workflows/daily-build.yml +++ b/.github/workflows/daily-build.yml @@ -81,7 +81,8 @@ jobs: use_hdf: ${{ needs.get-base-names.outputs.hdf4-name }} use_hdf5: ${{ needs.get-base-names.outputs.hdf5-name }} use_environ: snapshots - secrets: inherit + secrets: inherit # pass all secrets + call-workflow-release: needs: [get-base-names, call-workflow-tarball, call-workflow-ant]
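Review bot: The five rewritten commands in this hunk expand `${{ secrets.* }}` directly into the script text, so each secret value is pasted into the generated shell script before the shell runs, and any `"`, `$` or backtick inside a password is interpreted by the shell instead of being passed literally. Mapping the three secrets in an `env:` block on this signing step only, and referencing them as quoted shell variables, keeps the values out of the script source and still avoids the removed workflow-level `env:`, which exposed them to every job in the file. The step's `name:` and `run:` lines are outside the hunk, so the placement of `env:` below is assumed.

```yaml
# … unchanged: step name and any condition (outside the hunk) …
env:
  BUILD_CERTIFICATE_BASE64: ${{ secrets.APPLE_CERTS_BASE64 }}
  P12_PASSWORD: ${{ secrets.APPLE_CERTS_BASE64_PASSWORD }}
  KEYCHAIN_PASSWD: ${{ secrets.KEYCHAIN_PASSWD }}
run: |
  # … unchanged: CERTIFICATE_PATH and KEYCHAIN_PATH assignments …
  echo -n "$BUILD_CERTIFICATE_BASE64" | base64 --decode -o $CERTIFICATE_PATH
  # … unchanged: ls -la, security verify-cert …
  security -v create-keychain -p "$KEYCHAIN_PASSWD" $KEYCHAIN_PATH
  # … unchanged: list-keychains, set-keychain-settings …
  security -v unlock-keychain -p "$KEYCHAIN_PASSWD" $KEYCHAIN_PATH
  security -v import $CERTIFICATE_PATH -P "$P12_PASSWORD" -A -t cert -f pkcs12 -k $KEYCHAIN_PATH
  security -v set-key-partition-list -S apple-tool:,apple: -k "$KEYCHAIN_PASSWD" $KEYCHAIN_PATH
  # … unchanged: list-keychain -d user -s …
```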