ai-workspace-lab/xworkmate-app
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

ci: wire macOS profile from Vault

Browse Source
This commit is contained in:
Haitao Pan 2026-06-29 21:55:32 +08:00
parent 2ab7aa684d
commit de5ead0be4
4 changed files with 60 additions and 23 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
.github/workflows/build-and-release.yml vendored
View File

@ -217,6 +217,7 @@ jobs:
echo "APPLE_CERT_P12_BASE64=${{ steps.vault_apple.outputs.APPLE_CERT_P12_BASE64 }}"
echo "APPLE_CERT_PASSWORD=${{ steps.vault_apple.outputs.APPLE_CERT_PASSWORD }}"
echo "APPLE_PROVISION_PROFILE_BASE64=${{ steps.vault_apple.outputs.APPLE_PROVISION_PROFILE_BASE64 }}"
echo "APPLE_MAC_PROVISION_PROFILE_BASE64=${{ steps.vault_apple.outputs.APPLE_MAC_PROVISION_PROFILE_BASE64 }}"
echo "APPLE_KEYCHAIN_PASSWORD=${{ steps.vault_apple.outputs.APPLE_KEYCHAIN_PASSWORD }}"
echo "APPLE_EXPORT_METHOD=${{ steps.vault_apple.outputs.APPLE_EXPORT_METHOD }}"
echo "WINDOWS_PFX_BASE64=${{ steps.vault_windows.outputs.WINDOWS_PFX_BASE64 }}"
@ -347,10 +348,6 @@ jobs:
jwtGithubAudience: vault
ignoreNotFound: true
secrets: |
kv/data/github-actions/xworkmate-app APPLE_CERT_P12_BASE64 | APPLE_CERT_P12_BASE64 ;
kv/data/github-actions/xworkmate-app APPLE_CERT_PASSWORD | APPLE_CERT_PASSWORD ;
kv/data/github-actions/xworkmate-app APPLE_MAC_PROVISION_PROFILE_BASE64 | APPLE_MAC_PROVISION_PROFILE_BASE64 ;
kv/data/github-actions/xworkmate-app APPLE_KEYCHAIN_PASSWORD | APPLE_KEYCHAIN_PASSWORD ;
kv/data/github-actions/xworkmate-app APP_STORE_CONNECT_API_KEY_ID | APP_STORE_CONNECT_API_KEY_ID ;
kv/data/github-actions/xworkmate-app APP_STORE_CONNECT_ISSUER_ID | APP_STORE_CONNECT_ISSUER_ID ;
kv/data/github-actions/xworkmate-app APP_STORE_CONNECT_API_KEY_P8_BASE64 | APP_STORE_CONNECT_API_KEY_P8_BASE64
@ -359,10 +356,6 @@ jobs:
if: ${{ matrix.target != 'github_release' }}
run: |
{
echo "APPLE_CERT_P12_BASE64=${{ steps.vault.outputs.APPLE_CERT_P12_BASE64 }}"
echo "APPLE_CERT_PASSWORD=${{ steps.vault.outputs.APPLE_CERT_PASSWORD }}"
echo "APPLE_MAC_PROVISION_PROFILE_BASE64=${{ steps.vault.outputs.APPLE_MAC_PROVISION_PROFILE_BASE64 }}"
echo "APPLE_KEYCHAIN_PASSWORD=${{ steps.vault.outputs.APPLE_KEYCHAIN_PASSWORD }}"
echo "APP_STORE_CONNECT_API_KEY_ID=${{ steps.vault.outputs.APP_STORE_CONNECT_API_KEY_ID }}"
echo "APP_STORE_CONNECT_ISSUER_ID=${{ steps.vault.outputs.APP_STORE_CONNECT_ISSUER_ID }}"
echo "APP_STORE_CONNECT_API_KEY_P8_BASE64=${{ steps.vault.outputs.APP_STORE_CONNECT_API_KEY_P8_BASE64 }}"

2
macos/Runner.xcodeproj/project.pbxproj
View File

@ -687,7 +687,7 @@
338D0CEB231458BD00FA5F75 /* Profile */ = {
isa = XCBuildConfiguration;
buildSettings = {
CODE_SIGN_STYLE = Manual;
CODE_SIGN_STYLE = Automatic;
MACOSX_DEPLOYMENT_TARGET = 14.0;
PRODUCT_NAME = "$(TARGET_NAME)";
};

44
scripts/ci/apple_signing.sh
View File

@ -82,3 +82,47 @@ apple_install_provision_profile() {
export APPLE_SIGNING_PROFILE_PATH="$profile_path"
apple_register_cleanup "rm -f \"$profile_path\""
}
apple_install_base64_provision_profile() {
local source_var="${1:?base64 source variable is required}"
local expected_bundle_id="${2:-}"
apple_require_signing_vars "$source_var"
local tmp_dir
tmp_dir="$(mktemp -d "${RUNNER_TEMP:-/tmp}/xworkmate-profile.XXXXXX")"
local tmp_profile="$tmp_dir/profile.provisionprofile"
local profile_plist="$tmp_dir/profile.plist"
apple_register_cleanup "rm -rf \"$tmp_dir\""
printf '%s' "${!source_var}" | apple_decode_base64 > "$tmp_profile"
security cms -D -i "$tmp_profile" > "$profile_plist"
local profile_uuid profile_name profile_team profile_app_id profile_platform
profile_uuid="$(/usr/libexec/PlistBuddy -c 'Print :UUID' "$profile_plist")"
profile_name="$(/usr/libexec/PlistBuddy -c 'Print :Name' "$profile_plist")"
profile_team="$(/usr/libexec/PlistBuddy -c 'Print :TeamIdentifier:0' "$profile_plist")"
profile_app_id="$(/usr/libexec/PlistBuddy -c 'Print :Entitlements:com.apple.application-identifier' "$profile_plist")"
profile_platform="$(/usr/libexec/PlistBuddy -c 'Print :Platform:0' "$profile_plist")"
if [[ "$profile_platform" != "OSX" ]]; then
echo "Provisioning profile '$profile_name' targets '$profile_platform', expected 'OSX'." >&2
return 1
fi
if [[ -n "$expected_bundle_id" && "$profile_app_id" != "$profile_team.$expected_bundle_id" ]]; then
echo "Provisioning profile '$profile_name' has app identifier '$profile_app_id', expected '$profile_team.$expected_bundle_id'." >&2
return 1
fi
local profile_dir="$HOME/Library/MobileDevice/Provisioning Profiles"
local profile_path="$profile_dir/$profile_uuid.provisionprofile"
mkdir -p "$profile_dir"
mv "$tmp_profile" "$profile_path"
export APPLE_SIGNING_PROFILE_PATH="$profile_path"
export APPLE_SIGNING_PROFILE_UUID="$profile_uuid"
export APPLE_SIGNING_PROFILE_NAME="$profile_name"
export APPLE_SIGNING_PROFILE_TEAM="$profile_team"
apple_register_cleanup "rm -f \"$profile_path\""
echo "Installed macOS provisioning profile: $profile_name ($profile_uuid)"
}

28
scripts/package-macos-app-store-pkg.sh
View File

@ -40,25 +40,22 @@ app_build_commit="${GIT_BUILD_COMMIT:-${BUILD_ID_LINE:-unknown}}"
tmp_dir="$(mktemp -d "${RUNNER_TEMP:-/tmp}/xworkmate-macos-app-store.XXXXXX")"
cleanup() {
local status=$?
rm -rf "$tmp_dir"
apple_run_cleanup
return "$status"
}
trap cleanup EXIT
apple_setup_signing_keychain
apple_install_base64_provision_profile \
APPLE_MAC_PROVISION_PROFILE_BASE64 \
plus.svc.xworkmate
apple_decode_base64() {
if base64 --help 2>&1 | grep -q -- '--decode'; then
base64 --decode
else
base64 -D
fi
}
profile_dir="$HOME/Library/MobileDevice/Provisioning Profiles"
profile_path="$profile_dir/xworkmate-macos.mobileprovision"
mkdir -p "$profile_dir"
printf '%s' "$APPLE_MAC_PROVISION_PROFILE_BASE64" | apple_decode_base64 > "$profile_path"
apple_register_cleanup "rm -f \"$profile_path\""
if [[ "$APPLE_SIGNING_PROFILE_TEAM" != "N3G9T67W78" ]]; then
echo "Provisioning profile team '$APPLE_SIGNING_PROFILE_TEAM' does not match expected team 'N3G9T67W78'." >&2
exit 1
fi
mkdir -p "$DIST_DIR"
archive_path="$tmp_dir/$APP_NAME.xcarchive"
@ -80,12 +77,15 @@ xcodebuild archive \
-scheme Runner \
-configuration Release \
-archivePath "$archive_path" \
-allowProvisioningUpdates \
-allowProvisioningDeviceRegistration \
DEVELOPMENT_TEAM="N3G9T67W78"
xcodebuild -exportArchive \
-archivePath "$archive_path" \
-exportPath "$DIST_DIR" \
-exportOptionsPlist "$export_options_path"
-exportOptionsPlist "$export_options_path" \
-allowProvisioningUpdates
if ! compgen -G "$DIST_DIR/*.pkg" >/dev/null; then
echo "No macOS TestFlight pkg was produced under $DIST_DIR" >&2