diff --git a/.github/workflows/build-pkg.yml b/.github/workflows/build-pkg.yml
index 7bc3bb40be4d7..9306e3bfb880b 100644
--- a/.github/workflows/build-pkg.yml
+++ b/.github/workflows/build-pkg.yml
@@ -1,4 +1,4 @@
-name: Build Homebrew package
+name: Build Homebrew installer pkg
 on:
   push:
     paths:
@@ -13,28 +13,63 @@ jobs:
     if: github.repository_owner == 'Homebrew'
     runs-on: macos-13
     env:
-      IDENTIFIER: sh.brew.Homebrew
-      TMP_PATH: /tmp/brew
-      MIN_OS: '11.0'
+      TEMPORARY_CERTIFICATE_FILE: 'homebrew_developer_id_installer_certificate.p12'
+      TEMPORARY_KEYCHAIN_FILE: 'homebrew_installer_signing.keychain-db'
+      MIN_MACOS_VERSION: '11.0'
     steps:
       - uses: actions/checkout@v3
         with:
           path: brew
           fetch-depth: 0
-      - name: Version name
+
+      - name: Get Homebrew version from Git
         id: print-version
+        run: echo "version=$(git -C brew describe --tags --always)" >> "${GITHUB_OUTPUT}"
+
+      - name: Create and unlock temporary macOS keychain
+        env:
+          PKG_KEYCHAIN_PASSWORD: ${{ secrets.PKG_KEYCHAIN_PASSWORD }}
         run: |
-          echo "version=$(git -C brew describe --tags --always)" >> "$GITHUB_OUTPUT"
-      - name: Build package
-        run: |
-          pkgbuild --root brew \
-            --scripts brew/package/scripts \
-            --install-location "$TMP_PATH" \
-            --identifier "$IDENTIFIER" \
-            --min-os-version "$MIN_OS" \
-            --filter .DS_Store \
-            --version ${{ steps.print-version.outputs.version }} \
-            Homebrew-${{ steps.print-version.outputs.version }}.pkg
+          TEMPORARY_KEYCHAIN_PATH="${RUNNER_TEMP}/${TEMPORARY_KEYCHAIN_FILE}"
+          security create-keychain -p "${PKG_KEYCHAIN_PASSWORD}" "${TEMPORARY_KEYCHAIN_PATH}"
+          security set-keychain-settings -l -u -t 21600 "${TEMPORARY_KEYCHAIN_PATH}"
+          security unlock-keychain -p "${PKG_KEYCHAIN_PASSWORD}" "${TEMPORARY_KEYCHAIN_PATH}"
+
+      - name: Create temporary certificate file
+        env:
+          PKG_APPLE_SIGNING_CERTIFICATE_BASE64: ${{ secrets.PKG_APPLE_SIGNING_CERTIFICATE_BASE64 }}
+        run: echo -n "${PKG_APPLE_SIGNING_CERTIFICATE_BASE64}" | base64 --decode --output="${RUNNER_TEMP}/${TEMPORARY_CERTIFICATE_FILE}"
+
+      - name: Import certificate file into macOS keychain
+        env:
+          PKG_APPLE_SIGNING_CERTIFICATE_PASSWORD: ${{ secrets.PKG_APPLE_SIGNING_CERTIFICATE_PASSWORD }}
+        run: security import "${RUNNER_TEMP}/${TEMPORARY_CERTIFICATE_FILE}" -k "${RUNNER_TEMP}/${TEMPORARY_KEYCHAIN_FILE}" -t cert -f pkcs12 -P "${PKG_APPLE_SIGNING_CERTIFICATE_PASSWORD}" -A
+
+      - name: Clean up temporary certificate file
+        if: ${{ always() }}
+        run: rm -f "${RUNNER_TEMP}/${TEMPORARY_CERTIFICATE_FILE}"
+
+      - name: Open macOS keychain
+        run: security list-keychain -d user -s "${RUNNER_TEMP}/${TEMPORARY_KEYCHAIN_FILE}"
+
+      - name: Build Homebrew installer package
+        env:
+          PKG_APPLE_DEVELOPER_TEAM_ID: ${{ secrets.PKG_APPLE_DEVELOPER_TEAM_ID }}
+        # Note: `Library/Homebrew/test/support/fixtures/` contains unsigned
+        # binaries so it needs to be excluded from notarization.
+        run: pkgbuild --root brew --scripts brew/package/scripts --identifier "sh.brew.homebrew" --version ${{ steps.print-version.outputs.version }} --install-location "/tmp/brew" --filter .DS_Store --filter "(.*)/Library/Homebrew/test/support/fixtures/" --min-os-version "${MIN_MACOS_VERSION}" --sign "${PKG_APPLE_DEVELOPER_TEAM_ID}" Homebrew-${{ steps.print-version.outputs.version }}.pkg
+
+      - name: Notarize Homebrew installer package
+        env:
+          PKG_APPLE_DEVELOPER_TEAM_ID: ${{ secrets.PKG_APPLE_DEVELOPER_TEAM_ID }}
+          PKG_APPLE_ID_USERNAME: ${{ secrets.PKG_APPLE_ID_USERNAME }}
+          PKG_APPLE_ID_APP_SPECIFIC_PASSWORD: ${{ secrets.PKG_APPLE_ID_APP_SPECIFIC_PASSWORD }}
+        run: xcrun notarytool submit Homebrew-${{ steps.print-version.outputs.version }}.pkg --team-id "${PKG_APPLE_DEVELOPER_TEAM_ID}" --apple-id "${PKG_APPLE_ID_USERNAME}" --password "${PKG_APPLE_ID_APP_SPECIFIC_PASSWORD}" --wait
+
+      - name: Clean up temporary macOS keychain
+        if: ${{ always() }}
+        run: test -f "${RUNNER_TEMP}/${TEMPORARY_KEYCHAIN_FILE}" && security delete-keychain "${RUNNER_TEMP}/${TEMPORARY_KEYCHAIN_FILE}"
+
       - uses: actions/upload-artifact@v3
         with:
           name: Homebrew ${{ steps.print-version.outputs.version }}