Build and package the NowSecure Platform CLI

Pull NS changes #5

Workflow file for this run

	name: Build and package the NowSecure Platform CLI
	on:
	push:
	branches:
	- main
	tags:
	- 'v[0-9]+.[0-9]+.[0-9]+*'
	pull_request:
	branches:
	- main
	workflow_dispatch: {}

	jobs:
	build-on-ubuntu:
	name: Build .deb files for arm & intel
	runs-on: ubuntu-22.04
	steps:
	- uses: actions/checkout@v3
	- name: Get Git History
	run: git fetch --unshallow --filter=blob:none --tags --force
	- name: Set Version
	id: set-version
	run: \|
	TAG_REGEX="^refs/tags/(v(0\|[1-9][0-9])\\.(0\|[1-9][0-9])\\.(0\|[1-9][0-9])(\\-[0-9A-Za-z-]+(\\.[0-9A-Za-z-]+))?(\\+[0-9A-Za-z-]+(\\.[0-9A-Za-z-]+)*)?)$"
	if [[ ${{ github.ref }} =~ $TAG_REGEX ]]; then
	echo "version=${BASH_REMATCH[1]}" >> $GITHUB_OUTPUT
	else
	echo "version=$(git describe --tags --long --match 'v*')" >> $GITHUB_OUTPUT
	fi
	- uses: actions/setup-node@v3
	with:
	node-version: '20'
	- run: \|
	sudo apt update && sudo apt install p7zip-full nsis
	CLI_VERSION=${{ steps.set-version.outputs.version }} node cli/.ci/set-package-vars.js
	CI_CD_BUILD=1 cli/.ci/package.sh
	- name: Archive artifacts
	uses: actions/upload-artifact@v3
	with:
	name: Linux
	path: \|
	cli/tmp/artifacts

	build-on-macos:
	name: Build, sign and notarize .pkg files for Mac
	runs-on: macos-14
	steps:
	- uses: actions/checkout@v3
	- name: Get Git History
	run: git fetch --unshallow --filter=blob:none --tags --force
	- name: Set Version
	id: set-version
	run: \|
	TAG_REGEX="^refs/tags/(v(0\|[1-9][0-9])\\.(0\|[1-9][0-9])\\.(0\|[1-9][0-9])(\\-[0-9A-Za-z-]+(\\.[0-9A-Za-z-]+))?(\\+[0-9A-Za-z-]+(\\.[0-9A-Za-z-]+)*)?)$"
	if [[ ${{ github.ref }} =~ $TAG_REGEX ]]; then
	echo "version=${BASH_REMATCH[1]}" >> $GITHUB_OUTPUT
	else
	echo "version=$(git describe --tags --long --match 'v*')" >> $GITHUB_OUTPUT
	fi
	- uses: actions/setup-node@v3
	with:
	node-version: '20'
	- name: Install the Apple certificate and provisioning profile
	env:
	BUILD_CERTIFICATE_BASE64: ${{ secrets.BUILD_CERTIFICATE_BASE64 }}
	P12_PASSWORD: ${{ secrets.P12_PASSWORD }}
	KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }}
	run: \|
	# create variables
	CERTIFICATE_PATH=$RUNNER_TEMP/build_certificate.p12
	KEYCHAIN_PATH=$RUNNER_TEMP/app-signing.keychain-db

	# import certificate from secrets
	echo -n "$BUILD_CERTIFICATE_BASE64" \| base64 --decode -o $CERTIFICATE_PATH

	# create temporary keychain
	security create-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
	security set-keychain-settings -lut 21600 $KEYCHAIN_PATH
	security unlock-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH

	# import certificate to keychain
	security import $CERTIFICATE_PATH -P "$P12_PASSWORD" -A -t cert -f pkcs12 -k $KEYCHAIN_PATH
	security list-keychain -d user -s $KEYCHAIN_PATH

	- name: Build, sign, and notarize the installer packages
	env:
	KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }}
	APPLEID_PASSWORD: ${{ secrets.APPLEID_PASSWORD }}
	APPLEID: ${{ secrets.APPLEID }}
	APPLEID_TEAM: ${{ secrets.APPLEID_TEAM }}
	SIGNING_ID: ${{ secrets.SIGNING_ID }}

	# Note: oclif requires the env var OSX_KEYCHAIN to know where the keychain is
	run: \|
	CLI_VERSION=${{ steps.set-version.outputs.version }} node cli/.ci/set-package-vars.js

	security unlock-keychain -p "$KEYCHAIN_PASSWORD" $OSX_KEYCHAIN
	OSX_KEYCHAIN=$RUNNER_TEMP/app-signing.keychain-db CI_CD_BUILD=1 cli/.ci/package.sh

	node cli/.ci/notarize.js cli/dist/macos/*.pkg
	spctl --assess -vv --type install cli/dist/macos/*.pkg

	- name: Clean up keychain
	if: ${{ always() }}
	run: \|
	security delete-keychain $RUNNER_TEMP/app-signing.keychain-db

	- name: Archive Artifacts
	uses: actions/upload-artifact@v3
	with:
	name: MacOS
	path: \|
	cli/dist/macos

	release:
	needs:
	- build-on-ubuntu
	- build-on-macos
	runs-on: ubuntu-22.04
	steps:
	- name: Check Tag
	id: check-tag
	run: \|
	TAG_REGEX="^refs/tags/(v(0\|[1-9][0-9])\\.(0\|[1-9][0-9])\\.(0\|[1-9][0-9])(\\-[0-9A-Za-z-]+(\\.[0-9A-Za-z-]+))?(\\+[0-9A-Za-z-]+(\\.[0-9A-Za-z-]+)*)?)$"
	if [[ ${{ github.ref }} =~ $TAG_REGEX ]]; then
	echo "version=${BASH_REMATCH[1]}" >> $GITHUB_OUTPUT
	echo "release=true" >> $GITHUB_OUTPUT
	else
	echo "release=false" >> $GITHUB_OUTPUT
	fi

	- name: Download Release Artifacts
	if: ${{ steps.check-tag.outputs.release == 'true' }}
	uses: actions/download-artifact@v3
	with:
	path: artifacts

	- name: Create Release
	if: ${{ steps.check-tag.outputs.release == 'true' }}
	uses: ncipollo/[email protected]
	with:
	artifacts: "artifacts/Linux/.deb,artifacts/MacOS/.pkg"
	tag: ${{ steps.check-tag.outputs.version }}

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Pull NS changes #5

Workflow file

Pull NS changes #5

Jobs

Run details

Workflow file for this run