authorBrendan Allan <[email protected]>2025-12-08 02:42:23 +0800
committerGitHub <[email protected]>2025-12-07 13:42:23 -0500
commit1574e2457ba563164642efa6e2dc63aa1389d3f4 (patch)
treecbeb856b370b40aec512367f54f84c40b5d2dd3e
parentaf33212f7719a377c1ca01b6331d0dbfeb95ba2d (diff)
Desktop macOS codesigning and notarization (#5154)
Co-authored-by: GitHub Action <[email protected]> Co-authored-by: Dax Raad <[email protected]>
-rw-r--r--.github/workflows/publish.yml33
-rw-r--r--packages/tauri/src-tauri/entitlements.plist16
-rw-r--r--packages/tauri/src-tauri/tauri.conf.json5
3 files changed, 49 insertions, 5 deletions
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index f55b2635d..36a36ffe2 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -26,7 +26,7 @@ permissions:
jobs:
publish:
runs-on: blacksmith-4vcpu-ubuntu-2404
- if: github.repository == 'sst/opencode'
+ if: github.repository == 'sst/opencode' && github.ref == 'refs/heads/dev'
steps:
- uses: actions/checkout@v3
with:
@@ -99,6 +99,26 @@ jobs:
with:
fetch-depth: 0
+ - uses: apple-actions/import-codesign-certs@v2
+ if: ${{ runner.os == 'macOS' }}
+ with:
+ keychain: build
+ p12-file-base64: ${{ secrets.APPLE_CERTIFICATE }}
+ p12-password: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
+
+ - name: Verify Certificate
+ if: ${{ runner.os == 'macOS' }}
+ run: |
+ CERT_INFO=$(security find-identity -v -p codesigning build.keychain | grep "Developer ID Application")
+ CERT_ID=$(echo "$CERT_INFO" | awk -F'"' '{print $2}')
+ echo "CERT_ID=$CERT_ID" >> $GITHUB_ENV
+ echo "Certificate imported."
+
+ - name: Setup Apple API Key
+ if: ${{ runner.os == 'macOS' }}
+ run: |
+ echo "${{ secrets.APPLE_API_KEY_PATH }}" > $RUNNER_TEMP/apple-api-key.p8
+
- run: git fetch --force --tags
- uses: ./.github/actions/setup-bun
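Review bot: The `Setup Apple API Key` step splices `${{ secrets.APPLE_API_KEY_PATH }}` straight into the script text, so the key material is expanded by workflow templating before bash runs and any shell metacharacter in it would be interpreted. The file is also created with the default umask, and no cleanup is visible in this hunk. Pass the secret through the step's `env:` (for example `APPLE_API_KEY_P8: ${{ secrets.APPLE_API_KEY_PATH }}`) and write it with `umask 077` followed by `printf '%s\n' "$APPLE_API_KEY_P8" > "$RUNNER_TEMP/apple-api-key.p8"`. The secret's name says "path" while the step treats it as the key contents, which deserves a one-line comment. Separately, `apple-actions/import-codesign-certs@v2` receives the certificate and its password through a mutable tag; pinning it to a full commit SHA would keep a retagged release from seeing them.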
@@ -144,12 +164,17 @@ jobs:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
TAURI_BUNDLER_NEW_APPIMAGE_FORMAT: true
TAURI_SIGNING_PRIVATE_KEY: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY }}
+ TAURI_SIGNING_PRIVATE_KEY_PASSWORD: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY_PASSWORD }}
+ APPLE_CERTIFICATE: ${{ secrets.APPLE_CERTIFICATE }}
+ APPLE_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
+ APPLE_SIGNING_IDENTITY: ${{ env.CERT_ID }}
+ APPLE_API_ISSUER: ${{ secrets.APPLE_API_ISSUER }}
+ APPLE_API_KEY: ${{ secrets.APPLE_API_KEY }}
+ APPLE_API_KEY_PATH: ${{ runner.temp }}/apple-api-key.p8
with:
projectPath: packages/tauri
uploadWorkflowArtifacts: true
tauriScript: ${{ (startsWith(matrix.settings.host, 'ubuntu') && 'cargo tauri') || '' }}
args: --target ${{ matrix.settings.target }}
updaterJsonPreferNsis: true
- releaseDraft: true
- tagName: ${{ inputs.version }}
- releaseName: ${{ inputs.version }}
+ # releaseId: TODO
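Review bot: The Apple signing and notarization secrets added to this step's `env:` are exported on every matrix entry, not only the macOS one. The `startsWith(matrix.settings.host, 'ubuntu')` expression a few lines below shows the same step also runs on Linux hosts, where the build would run with `APPLE_CERTIFICATE`, its password and the API key identifiers in its environment. Unlike the three steps added earlier in this file, nothing here is gated on `runner.os == 'macOS'`. Each value can be scoped with an expression such as `APPLE_CERTIFICATE: ${{ runner.os == 'macOS' && secrets.APPLE_CERTIFICATE || '' }}`. The step's `uses:` line is outside the hunk, so whether the action ignores these values on other platforms cannot be confirmed from here.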
diff --git a/packages/tauri/src-tauri/entitlements.plist b/packages/tauri/src-tauri/entitlements.plist
new file mode 100644
index 000000000..afa54db33
--- /dev/null
+++ b/packages/tauri/src-tauri/entitlements.plist
@@ -0,0 +1,16 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+ <key>com.apple.security.cs.allow-jit</key>
+ <true/>
+ <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
+ <true/>
+ <key>com.apple.security.cs.disable-executable-page-protection</key>
+ <true/>
+ <key>com.apple.security.cs.allow-dyld-environment-variables</key>
+ <true/>
+ <key>com.apple.security.cs.disable-library-validation</key>
+ <true/>
+</dict>
+</plist>
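Review bot: All five hardened-runtime exceptions are switched on with no comment saying which component needs each one. Three of them (`disable-executable-page-protection`, `allow-dyld-environment-variables`, `disable-library-validation`) remove protections the notarized Developer ID build would otherwise keep: with them the process honours `DYLD_*` variables and loads libraries not signed by the same team. If the set was taken from a runtime's signing guide for the bundled sidecar, say so in a comment, and confirm by test which keys a signed build actually fails without. Put an XML comment above each retained key naming what requires it, for example `<!-- required by the bundled sidecar's JIT -->`, and drop any key with no demonstrated need.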
diff --git a/packages/tauri/src-tauri/tauri.conf.json b/packages/tauri/src-tauri/tauri.conf.json
index e111b239e..d8a48c976 100644
--- a/packages/tauri/src-tauri/tauri.conf.json
+++ b/packages/tauri/src-tauri/tauri.conf.json
@@ -22,7 +22,10 @@
"targets": ["deb", "rpm", "appimage", "dmg", "app", "nsis"],
"icon": ["icons/32x32.png", "icons/128x128.png", "icons/[email protected]", "icons/icon.icns", "icons/icon.ico"],
"externalBin": ["sidecars/opencode"],
- "createUpdaterArtifacts": true
+ "createUpdaterArtifacts": true,
+ "macOS": {
+ "entitlements": "./entitlements.plist"
+ }
},
"plugins": {
"updater": {