.github/workflows/keychain-test.yaml

name: TEST Sign and Notarize

on:
  workflow_dispatch:  

env:
  CNQUERY_VERSION: '6.18.0-alpha2'

jobs:
  pkg:
    name: 'Signing and Notarization Test Action'
    runs-on: macos-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v3
      - name: Setup local keychain for signing certificates
        run: |
          KEYCHAIN_PATH=$RUNNER_TEMP/app-signing.keychain-db
          # Setup Keychain:
          security create-keychain -p ${{ secrets.APPLE_KEYCHAIN_PASSWORD }} $KEYCHAIN_PATH
          security set-keychain-settings -lut 21600 $KEYCHAIN_PATH
          security unlock-keychain -p ${{ secrets.APPLE_KEYCHAIN_PASSWORD }} $KEYCHAIN_PATH
          # Import Certificates:
          echo "${{ secrets.APPLE_KEYS_PRODUCTSIGN }}" | base64 --decode > $RUNNER_TEMP/AppleKeysProductSign.p12
          echo "${{ secrets.APPLE_KEYS_CODESIGN }}"  | base64 --decode > $RUNNER_TEMP/AppleKeysCodeSign.p12
          security import $RUNNER_TEMP/AppleKeysProductSign.p12 -P ${{ secrets.APPLE_KEYS_PASSWORD }} -A -t cert -f pkcs12 -k $KEYCHAIN_PATH
          security import $RUNNER_TEMP/AppleKeysCodeSign.p12 -P ${{ secrets.APPLE_KEYS_PASSWORD }} -A -t cert -f pkcs12 -k $KEYCHAIN_PATH
          security list-keychain -d user -s $KEYCHAIN_PATH
      - name: Validate available security identities...
        run: |
          security find-identity -v
      - name: Binary Code Signing (codesign)
        run: |
          curl -O https://releases.mondoo.io/cnquery/7.0.0-alpha1/cnquery_7.0.0-alpha1_darwin_amd64.tar.gz
          tar xfvz cnquery_7.0.0-alpha1_darwin_amd64.tar.gz
          codesign -s "${{ secrets.APPLE_KEYS_CODESIGN_ID }}" -f -v --timestamp --options runtime ./cnquery
      - name: Package Sign Sample Package (productsign)
        run: |
          curl -O https://releases.mondoo.io/mondoo/6.19.1/mondoo_6.19.1_darwin_universal.pkg
          productsign --sign "${{ secrets.APPLE_KEYS_PRODUCTSIGN_ID }}" mondoo_6.19.1_darwin_universal.pkg mondoo_6.19.1_darwin_signed.pkg
      - name: "Notarize Signed PKG"
        uses: devbotsxyz/xcode-notarize@v1 
        with:
          product-path: mondoo_6.19.1_darwin_signed.pkg
          appstore-connect-username: ${{ secrets.APPLE_ACCOUNT_USERNAME }}
          appstore-connect-password: ${{ secrets.APPLE_ACCOUNT_PASSWORD }}
          primary-bundle-id: 'com.mondoo.client'

      - name: "Staple Release Build"
        uses: devbotsxyz/xcode-staple@v1
        with:
          product-path: mondoo_6.19.1_darwin_signed.pkg
      - name: Archive Notarized Package
        uses: actions/upload-artifact@v2
        with:
          name: notarized-package
          path: mondoo_6.19.1_darwin_signed.pkg