# mise.toml — build, sign, notarize, and package the `ta` CLI.
#
# Run `mise tasks` to list available tasks, `mise run <name>` to execute.
# See docs/packaging.md for one-time setup (Developer ID certs + notarytool
# keychain profile).
[env]
# Build outputs: the SwiftPM product name and where `swift build -c release`
# places the universal binary.
SWIFT_PRODUCT = "ta"
RELEASE_DIR = ".build/apple/Products/Release"

# Signing identities. These are certificate common names, not secrets — the
# Team ID in parentheses is public. Point them at another identity from a
# gitignored mise.local.toml if you sign with a different certificate.
DEV_ID_APP = "Developer ID Application: Christian Tietze (FRMDA3XRGC)"
DEV_ID_INSTALLER = "Developer ID Installer: Christian Tietze (FRMDA3XRGC)"

# Installer package identifier (reverse-DNS).
PKG_IDENTIFIER = "de.christiantietze.ta"

# notarytool keychain profile, created with `xcrun notarytool store-credentials`.
# Only the profile *name* lives here; the Apple credential stays in the keychain.
NOTARY_PROFILE = "ta-notary"
[tasks.build]
description = "Build universal (arm64 + x86_64) release binary"
# sources/outputs let mise skip the build when nothing under Sources/ or
# Package.swift changed since the binary was last produced (see mise docs).
# Keep `outputs` in sync with RELEASE_DIR/SWIFT_PRODUCT in [env].
sources = [
    "Sources/**/*.swift",
    "Package.swift",
]
outputs = [".build/apple/Products/Release/ta"]
run = "swift build -c release --arch arm64 --arch x86_64"
[tasks.sign]
description = "Codesign the universal binary with Developer ID Application"
depends = ["build"]
# `--options runtime` opts into the hardened runtime and `--timestamp` embeds a
# secure timestamp; notarization requires both. The second codesign is the last
# command, so its --strict verification result is the task's exit status.
run = '''
codesign --force --timestamp --options runtime \
  --sign "$DEV_ID_APP" "$RELEASE_DIR/$SWIFT_PRODUCT"
codesign --verify --strict --verbose=2 "$RELEASE_DIR/$SWIFT_PRODUCT"
'''
[tasks.prep]
description = "Clear dist/ of previous release artifacts"
# Deliberately destructive: everything in dist/ is regenerated by the tasks
# that depend on this. The path is relative to the directory mise runs the
# task in (the project root, by default).
run = 'rm -rf dist && mkdir -p dist'
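[tasks.check-changelog]
description = "Verify CHANGELOG.md has a heading matching the current version"
# Guards the release against shipping with an unfilled changelog. VERSION is
# escaped before it goes into the ERE so that the `.` in "1.2.3" matches only
# a literal dot rather than any character (and `+` build metadata stays
# literal). The heading may carry a date suffix, hence no `$` anchor.
run = '''
set -e
VERSION=$(scripts/get-version.sh)
[ -n "$VERSION" ] \
  || { echo "ERROR: scripts/get-version.sh produced an empty version." >&2; exit 1; }
# Backslash-escape every ERE metacharacter that could appear in a version string.
ESCAPED=$(printf '%s' "$VERSION" | sed 's/[][.*^$+?(){}|]/\\&/g')
grep -qE "^## \[${ESCAPED}\]" CHANGELOG.md \
  || { echo "MISSING: CHANGELOG.md has no heading '## [${VERSION}]'. Move [Unreleased] content into a new version block before releasing." >&2; exit 1; }
'''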
[tasks.pkg]
description = "Build and sign .pkg installer (staged in dist/unstapled/)"
depends = ["sign", "prep", "check-changelog"]
# The payload is the already-signed binary, installed to /usr/local/bin. The
# package is signed with the Installer identity and written to dist/unstapled/
# so that only the notarize task promotes it into dist/.
run = '''
set -e
VERSION=$(scripts/get-version.sh)
PKG="dist/unstapled/${SWIFT_PRODUCT}-${VERSION}-macos-universal.pkg"
PAYLOAD=dist/pkgroot
mkdir -p "$PAYLOAD/usr/local/bin" dist/unstapled
cp "$RELEASE_DIR/$SWIFT_PRODUCT" "$PAYLOAD/usr/local/bin/"
pkgbuild --root "$PAYLOAD" --install-location / \
  --identifier "$PKG_IDENTIFIER" \
  --version "$VERSION" \
  --sign "$DEV_ID_INSTALLER" \
  "$PKG"
# Fail fast if the Installer signature did not take.
pkgutil --check-signature "$PKG"
'''
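[tasks.notarize]
description = "Notarize and staple the staged .pkg, then promote to dist/"
depends = ["pkg"]
# Submits the staged package, staples the ticket, re-validates with stapler and
# Gatekeeper (spctl), and only then moves it into dist/. On a rejected
# submission the notarytool log is printed so the reason is visible in CI.
run = '''
set -e
# pipefail is not in POSIX sh but is accepted by macOS /bin/sh (bash 3.2 / zsh);
# a shell that lacks it fails loudly here thanks to -e. Without it the `if !`
# below tests tee's exit status, not notarytool's, and a rejected submission
# never reaches the log-dump branch.
set -o pipefail
VERSION=$(scripts/get-version.sh)
STAGED="dist/unstapled/${SWIFT_PRODUCT}-${VERSION}-macos-universal.pkg"
FINAL="dist/${SWIFT_PRODUCT}-${VERSION}-macos-universal.pkg"
LOG=$(mktemp)
# Remove the temp log on every exit path, including stapler/spctl failures.
trap 'rm -f "$LOG"' EXIT
if ! xcrun notarytool submit "$STAGED" \
    --keychain-profile "$NOTARY_PROFILE" \
    --wait --timeout 30m 2>&1 | tee "$LOG"; then
  # notarytool prints the submission as "  id: <uuid>"; the first one is ours.
  SUBMISSION_ID=$(awk '/^[[:space:]]*id:/{print $NF; exit}' "$LOG" || true)
  if [ -n "$SUBMISSION_ID" ]; then
    echo "=== notarytool log $SUBMISSION_ID ===" >&2
    xcrun notarytool log "$SUBMISSION_ID" \
      --keychain-profile "$NOTARY_PROFILE" >&2 || true
  fi
  exit 1
fi
xcrun stapler staple "$STAGED"
xcrun stapler validate "$STAGED"
# Gatekeeper assessment of the stapled package, as an install would see it.
spctl --assess -vv --type install "$STAGED"
mv "$STAGED" "$FINAL"
rmdir dist/unstapled 2>/dev/null || true
'''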
[tasks.tarball]
description = "Build .tar.gz of the signed binary + docs"
depends = ["sign", "prep"]
# NOTE(review): a bare executable cannot carry a stapled ticket, so Gatekeeper
# has to look the notarization up online for the binary shipped this way —
# confirm against docs/packaging.md if offline installs matter.
run = '''
set -e
VERSION=$(scripts/get-version.sh)
NAME="${SWIFT_PRODUCT}-${VERSION}-macos-universal"
mkdir -p "dist/$NAME"
cp "$RELEASE_DIR/$SWIFT_PRODUCT" "dist/$NAME/"
cp README.md LICENSE CHANGELOG.md "dist/$NAME/"
# -C keeps the archive rooted at the versioned directory rather than at dist/.
tar -czf "dist/$NAME.tar.gz" -C dist "$NAME"
'''
[tasks.sums]
description = "Write SHA-256 sums for release assets"
depends = ["notarize", "tarball"]
# Runs last: the .pkg only exists in dist/ once notarize has promoted it.
# NOTE(review): SHA256SUMS is itself unsigned, so it catches corruption but not
# substitution by whoever controls the download host; sign it if that matters.
run = '''
set -e
VERSION=$(scripts/get-version.sh)
BASENAME="${SWIFT_PRODUCT}-${VERSION}-macos-universal"
cd dist && shasum -a 256 "$BASENAME.pkg" "$BASENAME.tar.gz" > SHA256SUMS
cat SHA256SUMS
'''
[tasks.release]
description = "Full release pipeline: build, sign, pkg, notarize, tarball, sums"
# Aggregate task with no script of its own: `sums` transitively pulls in the
# whole chain (sums -> notarize + tarball -> pkg -> sign, prep, check-changelog;
# sign -> build).
depends = ["sums"]
[tasks.clean]
description = "Remove build and dist artifacts"
# Wipes the SwiftPM build tree as well as dist/, so the next `build` starts cold.
run = 'rm -rf .build dist'
[tasks.verify-setup]
description = "Verify Developer ID certs, notary profile, and toolchain are present"
# Pre-flight for the release chain. Every check exits 1 with a "MISSING:" line
# on stderr. NOTE(review): the Installer cert is looked up without
# `-p codesigning`, presumably because that policy filter hides Developer ID
# Installer identities — confirm before tightening it.
run = '''
set -e
missing() { echo "MISSING: $1" >&2; exit 1; }

echo "== Xcode Command Line Tools =="
xcode-select -p >/dev/null 2>&1 \
  || missing "Xcode Command Line Tools. Install with 'xcode-select --install'."
echo "CLT: $(xcode-select -p)"

echo "== swift =="
command -v swift >/dev/null \
  || missing "swift not on PATH. Install Xcode or the toolchain."
swift --version | head -n1

echo "== pkgbuild / notarytool / stapler =="
for tool in pkgbuild notarytool stapler; do
  xcrun --find "$tool" >/dev/null 2>&1 \
    || missing "xcrun cannot find '$tool'. Reinstall Xcode CLT."
done

echo "== Developer ID Application =="
security find-identity -v -p codesigning | grep -F "$DEV_ID_APP" \
  || missing "cert matching DEV_ID_APP='$DEV_ID_APP'. Override in mise.local.toml or see docs/packaging.md."

echo "== Developer ID Installer =="
security find-identity -v | grep -F "$DEV_ID_INSTALLER" \
  || missing "cert matching DEV_ID_INSTALLER='$DEV_ID_INSTALLER'. Override in mise.local.toml or see docs/packaging.md."

echo "== notarytool keychain profile \"$NOTARY_PROFILE\" =="
xcrun notarytool history --keychain-profile "$NOTARY_PROFILE" >/dev/null 2>&1 \
  || missing "notarytool profile '$NOTARY_PROFILE'. See docs/packaging.md."

echo "All prerequisites present."
'''