Merge pull request #1213 from Chia-Network/ci-check-for-secrets-access
ci: check for secrets access to allow dependabot to build unsigned bi…
TheLastCicada authored Oct 31, 2024
2 parents 4bd8e9c + e39445b commit 5d881c9
Showing 1 changed file with 17 additions and 3 deletions.
20 changes: 17 additions & 3 deletions .github/workflows/build.yaml
@@ -82,9 +82,20 @@ jobs:
- name: Copy sqlite3
run: cp ${{ matrix.sqlite-path }}node_sqlite3.node ./dist/

- name: Test for secrets access
id: check_secrets
shell: bash
run: |
unset HAS_SIGNING_SECRET
if [ -n "$SIGNING_SECRET" ]; then HAS_SIGNING_SECRET='true' ; fi
echo "HAS_SIGNING_SECRET=${HAS_SIGNING_SECRET}" >> "$GITHUB_OUTPUT"
env:
SIGNING_SECRET: "${{ secrets.SM_CLIENT_CERT_FILE_B64 }}"

# Windows Code Signing
- name: Sign windows artifacts
if: matrix.runs-on == 'windows-2019'
if: matrix.runs-on == 'windows-2019' && steps.check_secrets.outputs.HAS_SIGNING_SECRET
uses: chia-network/actions/digicert/windows-sign@main
with:
sm_api_key: ${{ secrets.SM_API_KEY }}
@@ -95,15 +106,15 @@ jobs:

# Mac .pkg build + sign
- name: Import Apple installer signing certificate
if: matrix.runs-on == 'macos-latest'
if: matrix.runs-on == 'macos-latest' && steps.check_secrets.outputs.HAS_SIGNING_SECRET
uses: Apple-Actions/import-codesign-certs@v1
with:
keychain-password: ${{ secrets.KEYCHAIN_PASSWORD }}
p12-file-base64: ${{ secrets.APPLE_DEV_ID_INSTALLER }}
p12-password: ${{ secrets.APPLE_DEV_ID_INSTALLER_PASS }}

- name: Import Apple Application signing certificate
if: matrix.runs-on == 'macos-latest'
if: matrix.runs-on == 'macos-latest' && steps.check_secrets.outputs.HAS_SIGNING_SECRET
uses: Apple-Actions/import-codesign-certs@v1
with:
create-keychain: false # Created when importing the first cert
@@ -130,6 +141,9 @@ jobs:
echo "Signing the .pkg"
productsign --sign "Developer ID Installer: Chia Network Inc." ${{ github.workspace }}/build-scripts/macos/target/pkg/CADT-macos-installer-x64.pkg ${{ github.workspace }}/build-scripts/macos/target/pkg-signed/CADT-macos-installer-x64.pkg
- name: Notarize Mac .pkg
if: matrix.runs-on == 'macos-latest' && steps.check_secrets.outputs.HAS_SIGNING_SECRET
run: |
echo "Notarizing the .pkg"
xcrun notarytool submit \
--wait \
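Review bot: The new `check_secrets` gate fails open: when `SIGNING_SECRET` is empty, the Windows signing step, both Apple certificate imports and the notarize step are skipped and the job still succeeds on any trigger, so a release build that has lost access to the secret would produce unsigned installers without an error. If releases are cut from tags, the check step could fail closed there, e.g. `if [ -z "$SIGNING_SECRET" ] && [ "$GITHUB_REF_TYPE" = "tag" ]; then echo "::error::signing secret unavailable on a tag build"; exit 1; fi`. The gate also uses `SM_CLIENT_CERT_FILE_B64` alone as a proxy for the Apple secrets, which deserves a comment on the step such as `# DigiCert secret stands in for all signing secrets; empty on Dependabot and fork PRs`, and the four conditions would read more robustly as `steps.check_secrets.outputs.HAS_SIGNING_SECRET == 'true'`. The step that runs `productsign` begins above the third hunk and the notarize `run:` block continues below it, so whether `productsign` itself is gated cannot be confirmed from the visible lines.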
