From 26cefe7b798243b0d50010269b7c60cb71b9a796 Mon Sep 17 00:00:00 2001
From: Brad Reed
Date: Thu, 27 Nov 2025 14:39:58 +0000
Subject: [PATCH 01/10] macos signing
---
 .github/workflows/release.yml | 68 +++++++++++++++++++++++++++++++++--
 1 file changed, 66 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index ec556c9f..a7debcab 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -46,7 +46,50 @@ jobs: if: startsWith(matrix.os, 'ubuntu') with: target: ${{ matrix.target }} - + + - name: Install the Apple certificate, provisioning profile, and API key (macOS) + if: ${{ matrix.target == 'universal-apple-darwin' }} + id: keychain + env: + BUILD_CERTIFICATE_BASE64: ${{ secrets.BUILD_CERTIFICATE_BASE64 }} + P12_PASSWORD: ${{ secrets.P12_PASSWORD }} + BUILD_PROVISION_PROFILE_BASE64: ${{ secrets.BUILD_PROVISION_PROFILE_BASE64 }} + KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }} + AUTH_KEY_BASE64: ${{ secrets.AUTH_KEY_BASE64 }} + run: | + # create variables + CERTIFICATE_PATH=$RUNNER_TEMP/build_certificate.p12 + PP_PATH=$RUNNER_TEMP/build_pp.provisionprofile + KEYCHAIN_PATH=$RUNNER_TEMP/app-signing.keychain-db + AUTH_KEY_PATH=$RUNNER_TEMP/AuthKey.p8 + + # import certificate and provisioning profile from secrets + echo -n "$BUILD_CERTIFICATE_BASE64" | base64 --decode -o $CERTIFICATE_PATH + echo -n "$BUILD_PROVISION_PROFILE_BASE64" | base64 --decode -o $PP_PATH + + # create temporary keychain + security create-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH + security set-keychain-settings -lut 21600 $KEYCHAIN_PATH + security unlock-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH + + # import certificate to keychain + security import $CERTIFICATE_PATH -P "$P12_PASSWORD" -A -t cert -f pkcs12 -k $KEYCHAIN_PATH + security set-key-partition-list -S apple-tool:,apple: -k "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH + security list-keychain -d user -s $KEYCHAIN_PATH + + # apply provisioning profile + mkdir -p ~/Library/MobileDevice/Provisioning\ Profiles + cp $PP_PATH ~/Library/MobileDevice/Provisioning\ Profiles + + # create auth key file for notarization + echo -n "$AUTH_KEY_BASE64" | base64 --decode -o $AUTH_KEY_PATH + + # setup outputs + echo "auth_key_path=$AUTH_KEY_PATH" >> $GITHUB_OUTPUT + echo "keychain_path=$KEYCHAIN_PATH" >> $GITHUB_OUTPUT + echo "pp_path=$PP_PATH" >> $GITHUB_OUTPUT + echo "certificate_path=$CERTIFICATE_PATH" >> $GITHUB_OUTPUT + - 
name: Build and Release uses: taiki-e/upload-rust-binary-action@v1 with: @@ -55,5 +98,26 @@ jobs: include: README.md,LICENSE,ACKNOWLEDGEMENTS.md,THIRDPARTY.toml leading-dir: true locked: true - target: ${{ matrix.target }} + target: universal-apple-darwin token: ${{ secrets.GITHUB_TOKEN }} + + # Sign build products using codesign on macOS + codesign: "7FP48PW9TN" + codesign-prefix: "fi.matiaskorhonen." + codesign-options: "runtime" + + - name: Zip the binary for notarization (macOS) + if: ${{ matrix.target == 'universal-apple-darwin' }} + run: zip -r $RUNNER_TEMP/purescript-analyzer-signed.zip target/${{ matrix.target }}/release/purescript-analyzer + + - name: Upload the binary for notarization (macOS) + if: ${{ matrix.target == 'universal-apple-darwin' }} + env: + KEY_ID: ${{ secrets.KEY_ID }} + ISSUER: ${{ secrets.ISSUER }} + run: | + xcrun notarytool submit $RUNNER_TEMP/purescript-analyzer-signed.zip \ + --key "${{ steps.keychain.outputs.auth_key_path }}" \ + --key-id "$KEY_ID" \ + --issuer "$ISSUER" \ + --wait From 2f66629c812907eea20445a03e075550c8d52cc1 Mon Sep 17 00:00:00 2001 From: Brad Reed Date: Thu, 27 Nov 2025 14:42:19 +0000 Subject: [PATCH 02/10] target --- .github/workflows/release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index a7debcab..a15f1d33 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -98,7 +98,7 @@ jobs: include: README.md,LICENSE,ACKNOWLEDGEMENTS.md,THIRDPARTY.toml leading-dir: true locked: true - target: universal-apple-darwin + target: ${{matrix.target}} token: ${{ secrets.GITHUB_TOKEN }} # Sign build products using codesign on macOS From b116cd5749361a7680a9ac1d926435a61e119b6e Mon Sep 17 00:00:00 2001 From: Brad Reed Date: Thu, 27 Nov 2025 14:53:54 +0000 Subject: [PATCH 03/10] update codesign stuff --- .github/workflows/release.yml | 27 ++++++++++++++------------- 1 file changed, 14 insertions(+), 13 deletions(-) 
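Review bot: The decoded signing material in the `run:` block — the `.p12` at `$CERTIFICATE_PATH`, the notarization key at `$AUTH_KEY_PATH`, the profile at `$PP_PATH` and the keychain unlocked for 21600 s — is never removed: the step only exports the paths through `$GITHUB_OUTPUT`, and no later step in this diff deletes them. On a hosted runner this is bounded by the job, but the keychain stays unlocked for every following step, and on a self-hosted runner the files and keychain would outlive the job. Add a final step guarded with `always()` that deletes the keychain and the files, using the outputs this step already publishes. The provisioning profile is copied into `~/Library/MobileDevice/Provisioning Profiles` but nothing in the diff references it; if the binary is only codesigned and notarized, that part may be unnecessary — worth confirming.
```yaml
# … unchanged: Build and Release / zip / notarytool steps …
      - name: Remove signing material (macOS)
        if: ${{ always() && matrix.target == 'universal-apple-darwin' }}
        run: |
          security delete-keychain "${{ steps.keychain.outputs.keychain_path }}" || true
          rm -f "${{ steps.keychain.outputs.certificate_path }}" \
                "${{ steps.keychain.outputs.auth_key_path }}" \
                "${{ steps.keychain.outputs.pp_path }}"
```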
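Review bot: The `xcrun notarytool submit … --wait` step runs after the `Build and Release` step, so if that step publishes the asset (which the step name and `upload-rust-binary-action` suggest), a rejected submission cannot withdraw a binary that is already attached to the release. Consider running the zip and submit steps before the upload, or at least making the outcome explicit if `--wait` does not already fail the step on a rejected status, e.g. `xcrun notarytool submit … --wait | tee "$RUNNER_TEMP/notarization.log"` followed by `grep -q 'status: Accepted' "$RUNNER_TEMP/notarization.log"`. Note that for a bare Mach-O command-line binary the notarization ticket cannot be stapled, so the benefit is only the online check; the hunk does not show what the zip is used for after submission.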
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index a15f1d33..7dd97720 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -4,19 +4,20 @@ permissions: contents: write on: - push: - tags: - - v[0-9]+.* + pull_request: + # push: + # tags: + # - v[0-9]+.* jobs: - create-release: - name: Create GitHub Release - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v4 - - uses: taiki-e/create-gh-release-action@v1 - with: - token: ${{ secrets.GITHUB_TOKEN }} + # create-release: + # name: Create GitHub Release + # runs-on: ubuntu-latest + # steps: + # - uses: actions/checkout@v4 + # - uses: taiki-e/create-gh-release-action@v1 + # with: + # token: ${{ secrets.GITHUB_TOKEN }} build-and-release: needs: create-release @@ -102,8 +103,8 @@ jobs: token: ${{ secrets.GITHUB_TOKEN }} # Sign build products using codesign on macOS - codesign: "7FP48PW9TN" - codesign-prefix: "fi.matiaskorhonen." + codesign: "W53H5ARXR8" + codesign-prefix: "com.purefunctor" codesign-options: "runtime" - name: Zip the binary for notarization (macOS) From f918eff1c747ae4e4f39407f7224186db88a812b Mon Sep 17 00:00:00 2001 From: Brad Reed Date: Thu, 27 Nov 2025 14:54:47 +0000 Subject: [PATCH 04/10] needs --- .github/workflows/release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 7dd97720..aad16cc7 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -20,7 +20,7 @@ jobs: # token: ${{ secrets.GITHUB_TOKEN }} build-and-release: - needs: create-release + # needs: create-release name: Build & Release runs-on: ${{ matrix.os }} strategy: From 5aa8088ebb1dc7ac1fcc576adddbf3df1295d753 Mon Sep 17 00:00:00 2001 
From: Brad Reed
Date: Thu, 27 Nov 2025 14:55:10 +0000
Subject: [PATCH 05/10] disabled
---
 .github/workflows/checks.yml | 101 -----------------------------------
 1 file changed, 101 deletions(-)
 delete mode 100644 .github/workflows/checks.yml
diff --git a/.github/workflows/checks.yml b/.github/workflows/checks.yml
deleted file mode 100644
index 193b3331..00000000
--- a/.github/workflows/checks.yml
+++ /dev/null
@@ -1,101 +0,0 @@ -name: Cargo Build & Test - -on: - push: - branches: - pull_request: - -env: - CARGO_TERM_COLOR: always - -jobs: - build_and_test: - name: Compilation - runs-on: ${{ matrix.os }} - strategy: - matrix: - os: - - ubuntu-latest - - macos-latest - - windows-latest - toolchain: - - stable - - steps: - - name: Checkout repository - uses: actions/checkout@v5 - - - name: Install Rust toolchain - run: rustup update ${{ matrix.toolchain }} && rustup default ${{ matrix.toolchain }} - - - name: Cache build artifacts - uses: Swatinem/rust-cache@v2.8.0 - with: - cache-bin: "false" - prefix-key: "v5-maho-${{ matrix.os }}-${{ matrix.toolchain }}" - - - name: Install cargo-binstall - uses: cargo-bins/cargo-binstall@v1.15.3 - - - name: Install cargo-nextest - run: cargo binstall cargo-nextest just - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - - - name: Build and Test - run: | - cargo build --workspace --verbose - cargo nextest run - just integration - - coverage: - name: Coverage - runs-on: ubuntu-latest - strategy: - matrix: - toolchain: - - stable - - steps: - - name: Checkout repository - uses: actions/checkout@v5 - - - name: Install Rust toolchain - run: rustup update ${{ matrix.toolchain }} && rustup default ${{ matrix.toolchain }} - - - name: Cache build artifacts - uses: Swatinem/rust-cache@v2.8.0 - with: - cache-bin: "false" - prefix-key: "v5-maho-${{ matrix.toolchain }}" - - - name: Install cargo-binstall - uses: cargo-bins/cargo-binstall@v1.15.3 - - - name: Install cargo-nextest - run: cargo binstall cargo-nextest cargo-llvm-cov just - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - - - name: Build and Test - run: | - cargo build --workspace --verbose - just coverage - just coverage-codecov - - - name: Upload to Codecov - uses: codecov/codecov-action@v5 - with: - token: ${{ secrets.CODECOV_TOKEN }} - files: codecov.json - fail_ci_if_error: true - - formatting: - name: Formatting - runs-on: ubuntu-latest - steps: - - name: Checkout repository - 
uses: actions/checkout@v3 - - - name: Run formatter - run: cargo fmt --check From a50be163e04557fe697a8f37291005afbe40582b Mon Sep 17 00:00:00 2001 From: Brad Reed Date: Thu, 27 Nov 2025 14:57:01 +0000 Subject: [PATCH 06/10] dry --- .github/workflows/release.yml | 20 +++++++++++--------- 1 file changed, 11 insertions(+), 9 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index aad16cc7..d5d9a6d4 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -26,17 +26,17 @@ jobs: strategy: matrix: include: - - os: ubuntu-latest - target: x86_64-unknown-linux-gnu - - - os: ubuntu-latest - target: x86_64-unknown-linux-musl - + # - os: ubuntu-latest + # target: x86_64-unknown-linux-gnu + # + # - os: ubuntu-latest + # target: x86_64-unknown-linux-musl + # - os: macos-latest target: universal-apple-darwin - - - os: windows-latest - target: x86_64-pc-windows-msvc + # + # - os: windows-latest + # target: x86_64-pc-windows-msvc steps: - name: Checkout repository @@ -102,6 +102,8 @@ jobs: target: ${{matrix.target}} token: ${{ secrets.GITHUB_TOKEN }} + dry-run: true + # Sign build products using codesign on macOS codesign: "W53H5ARXR8" codesign-prefix: "com.purefunctor" From 33cecc76e6ae296cde6412e3dfed34bd0d27baa5 Mon Sep 17 00:00:00 2001 From: Brad Reed Date: Thu, 27 Nov 2025 15:04:42 +0000 Subject: [PATCH 07/10] identity --- .github/workflows/release.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index d5d9a6d4..f74d58e8 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -105,8 +105,8 @@ jobs: dry-run: true # Sign build products using codesign on macOS - codesign: "W53H5ARXR8" - codesign-prefix: "com.purefunctor" + codesign: "47BE53B998AB29ED40729A647D0E481FE058CE9F" + codesign-prefix: "com.purefunctor." codesign-options: "runtime" - name: Zip the binary for notarization (macOS) 
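Review bot: Commenting out the `x86_64-unknown-linux-gnu`, `x86_64-unknown-linux-musl` and `x86_64-pc-windows-msvc` entries in the first hunk leaves `universal-apple-darwin` as the only release target, and none of the later patches in this series (including 09 "revert" and 10 "minor") restores them, so a release built from the final state ships macOS binaries only. If this was a temporary narrowing while debugging signing, the three entries should be uncommented before merge; if it is intentional, the commit message should say so. Restoring them is a matter of removing the `# ` prefixes on those matrix lines rather than new code. The `dry-run: true` added in the second hunk is removed again by patch 08, so it is not raised here.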
From 7d1a76493544d670a314836f62a522d0e58a2ec4 Mon Sep 17 00:00:00 2001 From: Brad Reed Date: Thu, 27 Nov 2025 15:17:53 +0000 Subject: [PATCH 08/10] remove dry-run --- .github/workflows/release.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index f74d58e8..8eda7a71 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -102,8 +102,6 @@ jobs: target: ${{matrix.target}} token: ${{ secrets.GITHUB_TOKEN }} - dry-run: true - # Sign build products using codesign on macOS codesign: "47BE53B998AB29ED40729A647D0E481FE058CE9F" codesign-prefix: "com.purefunctor." From 532e0e5716ad13b2394602e7cab5d954069e5cfd Mon Sep 17 00:00:00 2001 From: Brad Reed Date: Thu, 27 Nov 2025 15:19:16 +0000 Subject: [PATCH 09/10] revert --- .github/workflows/release.yml | 25 ++++++++++++------------- 1 file changed, 12 insertions(+), 13 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 8eda7a71..99ebdafd 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -4,23 +4,22 @@ permissions: contents: write on: - pull_request: - # push: - # tags: - # - v[0-9]+.* + push: + tags: + - v[0-9]+.* jobs: - # create-release: - # name: Create GitHub Release - # runs-on: ubuntu-latest - # steps: - # - uses: actions/checkout@v4 - # - uses: taiki-e/create-gh-release-action@v1 - # with: - # token: ${{ secrets.GITHUB_TOKEN }} + create-release: + name: Create GitHub Release + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + - uses: taiki-e/create-gh-release-action@v1 + with: + token: ${{ secrets.GITHUB_TOKEN }} build-and-release: - # needs: create-release + needs: create-release name: Build & Release runs-on: ${{ matrix.os }} strategy: From cbd0878186bbd234a64455e57f32e72f37118949 Mon Sep 17 00:00:00 2001 
From: Brad Reed Date: Thu, 27 Nov 2025 15:33:06 +0000 Subject: [PATCH 10/10] minor --- .github/workflows/release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 99ebdafd..1961090d 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -98,7 +98,7 @@ jobs: include: README.md,LICENSE,ACKNOWLEDGEMENTS.md,THIRDPARTY.toml leading-dir: true locked: true - target: ${{matrix.target}} + target: ${{ matrix.target }} token: ${{ secrets.GITHUB_TOKEN }} # Sign build products using codesign on macOS