ci(conveyor): use the Apple notarization API

2025-01-08 11:47:47 +08:00 · 2023-10-17 15:44:25 +08:00 · 2023-10-17 15:44:25 +08:00 · 0704e9f562
commit 0704e9f562
parent 6c21b69429
3 changed files with 14 additions and 5 deletions
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@ -150,6 +150,13 @@ jobs:
          tag: '${{ needs.version.outputs.version_next }}'
          default_author: github_actions

+      - name: Retrieve the Apple private key and decode it to a file
+        if: inputs.github_release
+        env:
+          APPLE_PRIVATE_KEY: ${{ secrets.APPLE_PRIVATE_KEY }}
+        run: |
+          echo APPLE_PRIVATE_KEY | base64 --decode > ./secret/apple_private_key.p8
+
      - name: Conveyor build apps
        uses: hydraulic-software/conveyor/actions/build@v11.4
        if: inputs.github_release
@ -158,8 +165,8 @@ jobs:
          signing_key: ${{ secrets.CONVEYOR_SIGNING_KEY }}
          agree_to_license: 1
        env:
-          APPLE_ASP: ${{ secrets.APPLE_ASP }}
-          APPLE_ID: ${{ secrets.APPLE_ID }}
+          APPLE_ISSUER_ID: ${{ secrets.APPLE_ISSUER_ID }}
+          APPLE_KEY_ID: ${{ secrets.APPLE_KEY_ID }}

      - name: Adjust Conveyor output
        if: inputs.github_release
--- a/.gitignore
+++ b/.gitignore
@ -52,3 +52,4 @@ application-oauth2.yml

 ### Conveyor
 output/
+secret/
--- a/conveyor.ci.conf
+++ b/conveyor.ci.conf
@ -4,8 +4,9 @@ app {
    mac.certificate = apple.cer

    mac.notarization {
-        app-specific-password = ${env.APPLE_ASP}
-        team-id = GCZZU2X3J2
-        apple-id = ${env.APPLE_ID}
+        issuer-id = ${env.APPLE_ISSUER_ID}
+        key-id = ${env.APPLE_KEY_ID}
+        ; the secret is written to file by CI from Gihub Secrets
+        private-key = ./secret/apple_private_key.p8
    }
 }