ci: replace gon with rcodesign, switch to ubuntu runner (#738)

This PR replaces the unmaintained `mitchellh/gon` with [`rcodesign`](https://gregoryszorc.com/docs/apple-codesign/stable), which makes the CI pipeline able to run on Linux. This should make the build and release process faster. The Apple Developer ID and password are not used anymore (this was not clear before). Also, the Apple code signing certificate has been moved to a secret. Closes #676 --------- Co-authored-by: Jonas L <jooola@users.noreply.github.com>
hetznercloud · Apr 25, 2024 · 703f535 · 703f535
1 parent c2300d5
commit 703f535
Show file tree

Hide file tree

Showing 6 changed files with 23 additions and 57 deletions.
diff --git a/.github/secrets/hcloud_cli.p12.gpg b/.github/secrets/hcloud_cli.p12.gpg
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -7,7 +7,7 @@ on:
 
 jobs:
   build:
-    runs-on: macos-latest
+    runs-on: ubuntu-latest
     steps:
       - name: Checkout
         uses: actions/checkout@v4

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -7,7 +7,7 @@ on:
 
 jobs:
   release:
-    runs-on: macos-latest
+    runs-on: ubuntu-latest
     steps:
       - name: Checkout
         uses: actions/checkout@v4
@@ -17,8 +17,10 @@ jobs:
         with:
           go-version-file: go.mod
 
-      - name: Set up gon
-        run: brew install mitchellh/gon/gon
+      - name: Setup rcodesign
+        uses: hashicorp/action-setup-rcodesign@v1
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Import GPG key
         id: import_gpg
@@ -27,10 +29,8 @@ jobs:
           gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
           passphrase: ${{ secrets.GPG_PASSPHRASE }}
 
-      - name: Decrypt Secrets
-        env:
-          SECRETS_PASSWORD: ${{ secrets.SECRETS_PASSWORD }}
-        run: bash script/decrypt_secrets.sh
+      - name: Extract Apple certificate
+        run: echo "${{ secrets.APPLE_CERTIFICATE_P12_FILE }}" | base64 -d > certificate.p12
 
       - name: Run GoReleaser
         uses: goreleaser/goreleaser-action@v5
@@ -39,6 +39,8 @@ jobs:
           args: release --clean --skip=validate
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          HC_APPLE_DEVELOPER_USER: ${{ secrets.HC_APPLE_DEVELOPER_USER }}
-          HC_APPLE_DEVELOPER_PASSWORD: ${{ secrets.HC_APPLE_DEVELOPER_PASSWORD }}
-          HC_APPLE_IDENTITY: ${{ secrets.HC_APPLE_IDENTITY }}
+          APPLE_CERTIFICATE_P12_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_P12_PASSWORD }}
+
+      - name: Delete Apple certificate
+        if: always()
+        run: rm -f certificate.p12
diff --git a/.goreleaser.yml b/.goreleaser.yml
@@ -41,7 +41,16 @@ builds:
       - arm64
     hooks:
       post:
-        - cmd: bash script/gon.sh "{{ .Path }}"
+        - cmd: >
+            {{- if index .Env "APPLE_CERTIFICATE_P12_PASSWORD" -}}
+            rcodesign sign
+              --p12-file certificate.p12
+              --p12-password "{{ .Env.APPLE_CERTIFICATE_P12_PASSWORD }}"
+              --code-signature-flags runtime
+              "{{ .Path }}"
+            {{- else -}}
+            echo "skipping rcodesign sign hook!"
+            {{- end -}}
           output: true
 
 snapshot:

diff --git a/script/decrypt_secrets.sh b/script/decrypt_secrets.sh
diff --git a/script/gon.sh b/script/gon.sh