From 778e4c971077e38bf8f7d03b8b299d3dd111ba22 Mon Sep 17 00:00:00 2001
From: Matt Mastracci
Date: Thu, 23 Nov 2023 15:30:26 -0700
Subject: chore: start codesigning mac release builds (#21303)
- Adds a codesigning step to all mac targets
- Adds a new ci-full label to the build to force aarch64 builds on any PR
---
.github/workflows/ci.generate.ts | 38 +++++++++++++++++++++++++++++++++++---
1 file changed, 35 insertions(+), 3 deletions(-)
(limited to '.github/workflows/ci.generate.ts')
diff --git a/.github/workflows/ci.generate.ts b/.github/workflows/ci.generate.ts
index be71828e3..10bf59521 100755
--- a/.github/workflows/ci.generate.ts
+++ b/.github/workflows/ci.generate.ts
@@ -275,14 +275,18 @@ function handleMatrixItems(items: {
 }
 if (typeof item.skip === "string") {
- let text = "${{ (";
- text += removeSurroundingExpression(item.skip.toString()) + ") && ";
+ let text =
+ "${{ (!contains(github.event.pull_request.labels.*.name, 'ci-full') && (";
+ text += removeSurroundingExpression(item.skip.toString()) + ")) && ";
 text += `'${Runners.ubuntu}' || ${
 removeSurroundingExpression(item.os)
 } }}`;
 // deno-lint-ignore no-explicit-any
 (item as any).runner = text;
+ item.skip =
+ "${{ !contains(github.event.pull_request.labels.*.name, 'ci-full') && (" +
+ removeSurroundingExpression(item.skip.toString()) + ") }}";
 }
 return {
@@ -526,10 +530,18 @@ const ci = {
 name: "Install aarch64 lld",
 run: [
 "./tools/install_prebuilt.js ld64.lld",
- "echo $GITHUB_WORKSPACE/third_party/prebuilt/mac >> $GITHUB_PATH",
 ].join("\n"),
 if: `matrix.os == '${macosArmRunner}'`,
 },
+ {
+ name: "Install rust-codesign",
+ run: [
+ "./tools/install_prebuilt.js rcodesign",
+ "echo $GITHUB_WORKSPACE/third_party/prebuilt/mac >> $GITHUB_PATH",
+ ].join("\n"),
+ if:
+ `(matrix.os == '${macosArmRunner}' || matrix.os == '${macosX86Runner}')`,
+ },
 {
 name: "Log versions",
 run: [
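Review bot: In the `typeof item.skip === "string"` branch of handleMatrixItems (hunk at -275,14), the label test `!contains(github.event.pull_request.labels.*.name, 'ci-full')` is now spelled out twice, once in the runner expression and once in the rewritten `item.skip`, so a later edit can change one and leave the runner choice and the skip condition disagreeing. I would hoist it, `const notFullCi = "!contains(github.event.pull_request.labels.*.name, 'ci-full')";`, and build both strings from it. A comment such as `// 'ci-full' un-skips the whole matrix for a PR; it is only as trustworthy as whoever may label PRs` would also help, since the label widens which runners execute the PR's code. On events without a pull_request payload the `contains` presumably evaluates to false and the original skip applies, which is worth stating in that comment too. The function starts and ends outside this hunk.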
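Review bot: The new "Install rust-codesign" step (hunk at -526,10) puts a prebuilt `rcodesign` on the PATH, and the later steps in this commit hand that binary the Apple signing certificate and its password, but nothing visible in this hunk pins its version or checks a digest. If `./tools/install_prebuilt.js` already verifies what it downloads, say so on the step, for example `// rcodesign handles the release signing key: keep it pinned and hash-verified in install_prebuilt.js`; if it does not, that check belongs there before signing is relied on. The `echo ... >> $GITHUB_PATH` line moved out of the lld step into this one, so the aarch64 lld install now depends on this step for its PATH entry, which deserves a one-line comment as well. The `ci` object starts and ends outside the hunk.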
@@ -680,7 +692,17 @@ const ci = {
 "matrix.profile == 'release' &&",
 "github.repository == 'denoland/deno'",
 ].join("\n"),
+ env: {
+ "APPLE_CODESIGN_KEY": "${{ secrets.APPLE_CODESIGN_KEY }}",
+ "APPLE_CODESIGN_PASSWORD": "${{ secrets.APPLE_CODESIGN_PASSWORD }}",
+ },
 run: [
+ 'echo "Key is $(echo $APPLE_CODESIGN_KEY | base64 -d | wc -c) bytes"',
+ "rcodesign sign target/release/deno " +
+ "--code-signature-flags=runtime " +
+ '--p12-password="$APPLE_CODESIGN_PASSWORD" ' +
+ "--p12-file=<(echo $APPLE_CODESIGN_KEY | base64 -d) " +
+ "--entitlements-xml-file=cli/entitlements.plist",
 "cd target/release",
 "zip -r deno-x86_64-apple-darwin.zip deno",
 ]
@@ -694,7 +716,17 @@ const ci = {
 "matrix.profile == 'release' &&",
 "github.repository == 'denoland/deno'",
 ].join("\n"),
+ env: {
+ "APPLE_CODESIGN_KEY": "${{ secrets.APPLE_CODESIGN_KEY }}",
+ "APPLE_CODESIGN_PASSWORD": "${{ secrets.APPLE_CODESIGN_PASSWORD }}",
+ },
 run: [
+ 'echo "Key is $(echo $APPLE_CODESIGN_KEY | base64 -d | wc -c) bytes"',
+ "rcodesign sign target/release/deno " +
+ "--code-signature-flags=runtime " +
+ '--p12-password="$APPLE_CODESIGN_PASSWORD" ' +
+ "--p12-file=<(echo $APPLE_CODESIGN_KEY | base64 -d) " +
+ "--entitlements-xml-file=cli/entitlements.plist",
 "cd target/release",
 "zip -r deno-aarch64-apple-darwin.zip deno",
 ]
--
cgit v1.2.3
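Review bot: In the x86_64 signing step (hunk at -680,7), `--p12-password="$APPLE_CODESIGN_PASSWORD"` puts the certificate password on rcodesign's command line, where it is readable from the process list for as long as signing runs; the aarch64 step in the next hunk has the same line. rcodesign can read the password from a file, so both secrets can go through process substitution: `'--p12-password-file=<(printf "%s" "$APPLE_CODESIGN_PASSWORD") ' +` and `'--p12-file=<(printf "%s" "$APPLE_CODESIGN_KEY" | base64 -d) ' +`, which also quotes the key expansion that is currently unquoted. The leading `echo "Key is ... bytes"` line reads like a debugging aid and succeeds even when the secret is empty, so it is better replaced by a check that fails the step with a clear message when `$APPLE_CODESIGN_KEY` is unset. The step definition starts above the hunk.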
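Review bot: In the aarch64 signing step (hunk at -694,7), the visible tail of the `if` restricts signing to release builds in denoland/deno but not to an event or ref, while the same commit adds a `ci-full` label that forces the aarch64 job on pull requests; the x86_64 step in the previous hunk has the same shape. Unless the conditions above the hunk already exclude pull_request runs, a labelled fork PR would reach `rcodesign sign` with empty secrets and fail, and a labelled same-repository PR would have the release identity sign a binary built from unreviewed code. I would move the signing into its own step whose `if` adds `github.event_name != 'pull_request'`, leaving the zip step as it is. The step definition starts above the hunk.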