Fix generating cert on M1 machines and sign apps in build workflow #137
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
sergeichestakov
commented
Oct 16, 2023
.github/workflows/build.yml
Outdated
Comment on lines
85
to
107
| - name: Generate Windows code signing certificate | ||
| if: matrix.os == 'windows-latest' | ||
| id: write_file | ||
| uses: timheuer/[email protected] | ||
| with: | ||
| fileName: 'windows-certificate.pfx' | ||
| encodedString: ${{ secrets.WINDOWS_CODESIGN_CERTIFICATE }} | ||
| - name: Generate MacOS code signing certificate | ||
| if: matrix.os == 'macOS-latest' || matrix.os == 'macOS-13-xlarge' | ||
| run: ./scripts/add-macos-cert.sh | ||
| env: | ||
| MACOS_CERT_P12: ${{ secrets.MACOS_CERT_P12 }} | ||
| MACOS_CERT_PASSWORD: ${{ secrets.MACOS_CERT_PASSWORD }} | ||
| - name: Make | ||
| run: pnpm run make --arch=${{ matrix.arch }} | ||
| env: | ||
| APPLE_ID: ${{ secrets.APPLE_ID }} | ||
| APPLE_PASSWORD: ${{ secrets.APPLE_PASSWORD }} | ||
| APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }} | ||
| WINDOWS_CERTIFICATE_FILE: ${{ steps.write_file.outputs.filePath }} | ||
| WINDOWS_CERTIFICATE_PASSWORD: ${{ secrets.WINDOWS_CODESIGN_PASSWORD }} | ||
| GITHUB_TOKEN: ${{ secrets.GH_TOKEN }} | ||
| DEBUG: electron-osx-sign* |
There was a problem hiding this comment.
this is identical to what we do in the publish workflow (see below)
sergeichestakov
changed the title
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Why
We switched to M1 machines in this PR: #136 but we weren't actually signing them in CI during the publish step since we only generate the cert on the
macOS-latestmachine whereas we should actually generate it inmacOS-13-xlargeas well otherwise the app will fail to sign since the cert will not be present on the machine.Additionally, we should also run the sign step in CI during the "build" workflow. I was originally avoiding this since it takes quite a bit longer but a couple extra minutes per build is worth it since it better matches our publish step and can help us find bugs related to signing like this before we go to publish.
What changed
workflows/**directoryTest plan
Build passes (particularly on Mac and Windows) and the app is signed