From 02e239e79e7023f055660b572b573a1bcd498a7a Mon Sep 17 00:00:00 2001 From: Lukas Mager <7467162+lkmgr@users.noreply.github.com> Date: Tue, 26 Aug 2025 09:53:49 +0200 Subject: [PATCH 1/4] ci: separate build and release jobs --- .github/workflows/ci.yaml | 75 +++++++++++++++++++++++++++++++++------ 1 file changed, 64 insertions(+), 11 deletions(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 60a142fe..d2581180 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -53,14 +53,10 @@ jobs: cache: npm - run: npm ci - run: npm run docs-test - release: - if: github.event_name == 'push' && github.ref == 'refs/heads/main' + build: + # if: github.event_name == 'push' && github.ref == 'refs/heads/main' runs-on: ubuntu-latest needs: [lint, test] - permissions: - contents: write # to be able to publish a GitHub release - issues: write # to be able to comment on released issues - pull-requests: write # to be able to comment on released pull requests steps: - uses: actions/checkout@v4 - uses: actions/setup-node@v4 @@ -77,7 +73,7 @@ jobs: - name: Build binaries using bun run: | mkdir -p build/binaries - for TARGET in linux-x64 linux-arm64 windows-x64 darwin-x64 darwin-arm64 linux-x64-musl linux-arm64-musl; do + for TARGET in linux-x64 linux-arm64 windows-x64 darwin-x64 darwin-arm64; do bun build ./build/src/cli.js \ --compile \ --minify \ 
@@ -85,7 +81,64 @@ jobs: --target bun-$TARGET \ --outfile build/binaries/linkinator-$TARGET done - - run: npx semantic-release - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - NPM_TOKEN: ${{ secrets.NPM_TOKEN }} + - run: ls -alh build/binaries + - name: Upload Linux binaries + uses: actions/upload-artifact@v4 + with: + name: binaries-linux + retention-days: 3 + path: | + build/binaries/linkinator-linux-x64 + build/binaries/linkinator-linux-arm64 + - name: Upload Windows binaries + uses: actions/upload-artifact@v4 + with: + name: binaries-windows + retention-days: 3 + path: | + build/binaries/linkinator-windows-x64 + - name: Upload unsigned macOS binaries + uses: actions/upload-artifact@v4 + with: + name: binaries-macos-unsigned + retention-days: 3 + path: | + build/binaries/linkinator-darwin-x64 + build/binaries/linkinator-darwin-arm64 + release: + # if: github.event_name == 'push' && github.ref == 'refs/heads/main' + runs-on: ubuntu-latest + needs: [build] + permissions: + contents: write # to be able to publish a GitHub release + issues: write # to be able to comment on released issues + pull-requests: write # to be able to comment on released pull requests + steps: + - uses: actions/checkout@v4 + with: + fetch-depth: 0 + - uses: actions/setup-node@v4 + with: + node-version: ${{ env.NODE }} + cache: npm + - run: npm ci + - name: Download Linux binaries + uses: actions/download-artifact@v5 + with: + name: binaries-linux + path: build/binaries + - name: Download Windows binaries + uses: actions/download-artifact@v5 + with: + name: binaries-windows + path: build/binaries + - name: Download signed macOS binaries + uses: actions/download-artifact@v5 + with: + name: binaries-macos + path: build/binaries + - run: ls -alh build/binaries + # - run: npx semantic-release + # env: + # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + # NPM_TOKEN: ${{ secrets.NPM_TOKEN }} From 02fbf23ea0643d34f70538bad2cf9bc3515e408f Mon Sep 17 00:00:00 2001 
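Review bot: The `release` job keeps `contents: write`, `issues: write` and `pull-requests: write`, but its `if: github.event_name == 'push' && github.ref == 'refs/heads/main'` guard is now a comment, so the elevated token is issued for every run that reaches this job rather than only for pushes to main. The `npx semantic-release` step is commented out as well, so nothing consumes those permissions yet, but the guard is the control that keeps release-grade privileges off pull-request runs and should stay active while the rest is work in progress: restore `if: github.event_name == 'push' && github.ref == 'refs/heads/main'`, or drop the `permissions` block to `contents: read` until the release step returns. The same commented-out guard appears on the `build` job in the first hunk (harmless there) and, in PATCH 3/4, on the `sign` job, where it also decides whether the Apple signing secrets are pulled into a run. If the line is intentionally left disabled for now, a `# TODO(ci): re-enable the push-to-main guard before the first real release` comment next to it would make that explicit.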
From: Lukas Mager <7467162+lkmgr@users.noreply.github.com> Date: Tue, 26 Aug 2025 09:57:47 +0200 Subject: [PATCH 2/4] ci: add missing windows binary extension --- .github/workflows/ci.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index d2581180..27f4bcad 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -96,7 +96,7 @@ jobs: name: binaries-windows retention-days: 3 path: | - build/binaries/linkinator-windows-x64 + build/binaries/linkinator-windows-x64.exe - name: Upload unsigned macOS binaries uses: actions/upload-artifact@v4 with: @@ -135,7 +135,7 @@ jobs: - name: Download signed macOS binaries uses: actions/download-artifact@v5 with: - name: binaries-macos + name: binaries-macos-unsigned path: build/binaries - run: ls -alh build/binaries # - run: npx semantic-release From 48258b553ca07dd68d5c29dc49ae5cafc97ba056 Mon Sep 17 00:00:00 2001 From: Lukas Mager <7467162+lkmgr@users.noreply.github.com> Date: Tue, 26 Aug 2025 10:20:42 +0200 Subject: [PATCH 3/4] ci: create macOS binary signing job --- .github/workflows/ci.yaml | 49 +++++++++++++++++++++++++++++++++++++-- ci/entitlements.plist | 16 +++++++++++++ 2 files changed, 63 insertions(+), 2 deletions(-) create mode 100644 ci/entitlements.plist diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 27f4bcad..9710ba3e 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml 
@@ -105,10 +105,55 @@ jobs: path: | build/binaries/linkinator-darwin-x64 build/binaries/linkinator-darwin-arm64 + sign: + # if: github.event_name == 'push' && github.ref == 'refs/heads/main' + runs-on: macos-14 + needs: [build] + steps: + - uses: actions/checkout@v4 + - name: Download unsigned macOS binaries + uses: actions/download-artifact@v5 + with: + name: binaries-macos-unsigned + path: binaries + - run: ls -alh binaries + - name: Sign macOS x64 binary + uses: lando/code-sign-action@a5703d3b5486ada6e8efd08912110f8756e873e8 # v3.0.0 + with: + file: binaries/linkinator-darwin-x64 + apple-team-id: ${{ secrets.APPLE_TEAM_ID }} + certificate-data: ${{ secrets.APPLE_CERT_DATA }} + certificate-password: ${{ secrets.APPLE_CERT_PASSWORD }} + options: --options runtime --entitlements ci/entitlements.plist + # apple-notary-user: ${{ secrets.APPLE_NOTARY_USER }} + # apple-notary-password: ${{ secrets.APPLE_NOTARY_PASSWORD }} + # apple-notary-tool: altool + # apple-product-id: dev.lando.code-sign-action + - name: Sign macOS arm64 binary + uses: lando/code-sign-action@a5703d3b5486ada6e8efd08912110f8756e873e8 # v3.0.0 + with: + file: binaries/linkinator-darwin-arm64 + apple-team-id: ${{ secrets.APPLE_TEAM_ID }} + certificate-data: ${{ secrets.APPLE_CERT_DATA }} + certificate-password: ${{ secrets.APPLE_CERT_PASSWORD }} + options: --options runtime --entitlements ci/entitlements.plist + # apple-notary-user: ${{ secrets.APPLE_NOTARY_USER }} + # apple-notary-password: ${{ secrets.APPLE_NOTARY_PASSWORD }} + # apple-notary-tool: altool + # apple-product-id: dev.lando.code-sign-action + - run: ls -alh binaries + - name: Upload signed macOS binaries + uses: actions/upload-artifact@v4 + with: + name: binaries-macos + retention-days: 3 + path: | + binaries/linkinator-darwin-x64 + binaries/linkinator-darwin-arm64 release: # if: github.event_name == 'push' && github.ref == 'refs/heads/main' runs-on: ubuntu-latest - needs: [build] + needs: [build, sign] permissions: contents: write # to 
be able to publish a GitHub release issues: write # to be able to comment on released issues @@ -135,7 +180,7 @@ jobs: - name: Download signed macOS binaries uses: actions/download-artifact@v5 with: - name: binaries-macos-unsigned + name: binaries-macos path: build/binaries - run: ls -alh build/binaries # - run: npx semantic-release diff --git a/ci/entitlements.plist b/ci/entitlements.plist new file mode 100644 index 00000000..afa54db3 --- /dev/null +++ b/ci/entitlements.plist @@ -0,0 +1,16 @@ + + + + + com.apple.security.cs.allow-jit + + com.apple.security.cs.allow-unsigned-executable-memory + + com.apple.security.cs.disable-executable-page-protection + + com.apple.security.cs.allow-dyld-environment-variables + + com.apple.security.cs.disable-library-validation + + + From 0c6b6e5af5949ad9ffcd8831640e7cac4b51b2a3 Mon Sep 17 00:00:00 2001 From: Lukas Mager <7467162+lkmgr@users.noreply.github.com> Date: Fri, 19 Sep 2025 16:18:17 +0200 Subject: [PATCH 4/4] ci: run macos `codesign` manually --- .github/workflows/ci.yaml | 57 ++++++++++++++++++++++----------------- 1 file changed, 33 insertions(+), 24 deletions(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 9710ba3e..6813c2d2 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml 
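Review bot: The new `sign` job has no `permissions:` block, so its `GITHUB_TOKEN` receives the repository's default permission set (read-write on repositories that have not changed the default) although the job only checks out code and downloads artifacts; adding `permissions: contents: read` under `runs-on: macos-14` gives it the least-privilege shape the `release` job already has. With `# if: github.event_name == 'push' && github.ref == 'refs/heads/main'` commented out, `APPLE_CERT_DATA`, `APPLE_CERT_PASSWORD` and `APPLE_TEAM_ID` are handed to the action on every run that reaches this job — fork pull requests do not receive secrets, but every branch of this repository does — so this job is the one place where restoring the push-to-main guard matters most. Nothing checks the signatures between the two sign steps and `Upload signed macOS binaries`; a `run: codesign --verify --verbose=2 binaries/linkinator-darwin-x64 binaries/linkinator-darwin-arm64` step would fail the job instead of publishing an unsigned or partially signed artifact. The `needs: [build, sign]` change on the `release` job at the end of the hunk is fine; that job's `permissions` block continues past the hunk.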
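Review bot: `ci/entitlements.plist` grants `com.apple.security.cs.disable-library-validation` and `com.apple.security.cs.allow-dyld-environment-variables` alongside `allow-jit`, `allow-unsigned-executable-memory` and `disable-executable-page-protection`; the first two together allow libraries not signed by the same team to be loaded into the process via `DYLD_*` variables, which gives up most of what the hardened runtime (`--options runtime` in the sign step of the same commit) is meant to guarantee. A Bun-compiled binary plausibly needs the JIT and unsigned-executable-memory entitlements for its JavaScript engine, but each of the other three should carry a one-line justification or be dropped, and the whole set is worth re-checking against the notarization requirements before the commented notary inputs are enabled. The file has no comments at all; a header such as `<!-- Entitlements for the hardened-runtime signature of the Bun-compiled CLI; every key here widens the attack surface of the signed binary and must be justified -->` would make later review easier. The plist markup appears to have been stripped from this rendering of the patch, so only the key names are visible here.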
@@ -117,30 +117,39 @@ jobs: name: binaries-macos-unsigned path: binaries - run: ls -alh binaries - - name: Sign macOS x64 binary - uses: lando/code-sign-action@a5703d3b5486ada6e8efd08912110f8756e873e8 # v3.0.0 - with: - file: binaries/linkinator-darwin-x64 - apple-team-id: ${{ secrets.APPLE_TEAM_ID }} - certificate-data: ${{ secrets.APPLE_CERT_DATA }} - certificate-password: ${{ secrets.APPLE_CERT_PASSWORD }} - options: --options runtime --entitlements ci/entitlements.plist - # apple-notary-user: ${{ secrets.APPLE_NOTARY_USER }} - # apple-notary-password: ${{ secrets.APPLE_NOTARY_PASSWORD }} - # apple-notary-tool: altool - # apple-product-id: dev.lando.code-sign-action - - name: Sign macOS arm64 binary - uses: lando/code-sign-action@a5703d3b5486ada6e8efd08912110f8756e873e8 # v3.0.0 - with: - file: binaries/linkinator-darwin-arm64 - apple-team-id: ${{ secrets.APPLE_TEAM_ID }} - certificate-data: ${{ secrets.APPLE_CERT_DATA }} - certificate-password: ${{ secrets.APPLE_CERT_PASSWORD }} - options: --options runtime --entitlements ci/entitlements.plist - # apple-notary-user: ${{ secrets.APPLE_NOTARY_USER }} - # apple-notary-password: ${{ secrets.APPLE_NOTARY_PASSWORD }} - # apple-notary-tool: altool - # apple-product-id: dev.lando.code-sign-action + - name: Import Apple Developer ID certificate + uses: apple-actions/import-codesign-certs@95e84a1a18f2bdbc5c6ab9b7f4429372e4b13a8b # v5.0.3 + with: + p12-file-base64: ${{ secrets.APPLE_CERT_DATA }} + p12-password: ${{ secrets.APPLE_CERT_PASSWORD }} + - name: Sign macOS binaries + run: | + codesign --deep --force --sign "${{ secrets.APPLE_TEAM_ID }}" --entitlements ci/entitlements.plist ./binaries/linkinator-darwin-x64 + codesign --deep --force --sign "${{ secrets.APPLE_TEAM_ID }}" --entitlements ci/entitlements.plist ./binaries/linkinator-darwin-arm64 + # - name: Sign macOS x64 binary + # uses: lando/code-sign-action@a5703d3b5486ada6e8efd08912110f8756e873e8 # v3.0.0 + # with: + # file: binaries/linkinator-darwin-x64 + # 
apple-team-id: ${{ secrets.APPLE_TEAM_ID }} + # certificate-data: ${{ secrets.APPLE_CERT_DATA }} + # certificate-password: ${{ secrets.APPLE_CERT_PASSWORD }} + # options: --options runtime --entitlements ci/entitlements.plist + # # apple-notary-user: ${{ secrets.APPLE_NOTARY_USER }} + # # apple-notary-password: ${{ secrets.APPLE_NOTARY_PASSWORD }} + # # apple-notary-tool: altool + # # apple-product-id: dev.lando.code-sign-action + # - name: Sign macOS arm64 binary + # uses: lando/code-sign-action@a5703d3b5486ada6e8efd08912110f8756e873e8 # v3.0.0 + # with: + # file: binaries/linkinator-darwin-arm64 + # apple-team-id: ${{ secrets.APPLE_TEAM_ID }} + # certificate-data: ${{ secrets.APPLE_CERT_DATA }} + # certificate-password: ${{ secrets.APPLE_CERT_PASSWORD }} + # options: --options runtime --entitlements ci/entitlements.plist + # # apple-notary-user: ${{ secrets.APPLE_NOTARY_USER }} + # # apple-notary-password: ${{ secrets.APPLE_NOTARY_PASSWORD }} + # # apple-notary-tool: altool + # # apple-product-id: dev.lando.code-sign-action - run: ls -alh binaries - name: Upload signed macOS binaries uses: actions/upload-artifact@v4
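Review bot: The replacement `codesign` invocations drop `--options runtime`, which the removed `lando/code-sign-action` step passed via `options: --options runtime --entitlements ci/entitlements.plist`, so the binaries are no longer signed with the hardened runtime and the entitlements file written for it loses its purpose; they also omit `--timestamp`, which the notary service expects, and the identity is interpolated directly into the script as `"${{ secrets.APPLE_TEAM_ID }}"` instead of being passed through `env:`, the form GitHub recommends for expressions inside `run:`. `--deep` is unnecessary for a single Mach-O executable and is discouraged in Apple's signing guidance. The step would also benefit from a `codesign --verify` pass so that a signature that silently failed to apply stops the job here instead of being uploaded by the following step. The 24 commented-out lines of the old action steps are dead configuration that git history already preserves; deleting them keeps the job readable. The `sign` job's header and its checkout/download steps start before this hunk.
```yaml
      - name: Sign macOS binaries
        env:
          CODESIGN_IDENTITY: ${{ secrets.APPLE_TEAM_ID }}
        run: |
          for BIN in ./binaries/linkinator-darwin-x64 ./binaries/linkinator-darwin-arm64; do
            codesign --force --options runtime --timestamp \
              --sign "$CODESIGN_IDENTITY" \
              --entitlements ci/entitlements.plist "$BIN"
            codesign --verify --verbose=2 "$BIN"
          done
      # … unchanged: ls -alh binaries, Upload signed macOS binaries …
```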