ci(conveyor): use the Apple notarization API

gotson · Oct 17, 2023 · e9af1c4 · e9af1c4
1 parent 1fcef0e
commit e9af1c4
Show file tree

Hide file tree

Showing 3 changed files with 13 additions and 5 deletions.
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -149,6 +149,12 @@ jobs:
           tag: 'v${{ needs.version.outputs.version_next }}'
           default_author: github_actions
 
+      - name: Retrieve the Apple private key and decode it to a file
+        env:
+          APPLE_PRIVATE_KEY: ${{ secrets.APPLE_PRIVATE_KEY }}
+        run: |
+          echo APPLE_PRIVATE_KEY | base64 --decode > ./secret/apple_private_key.p8
+
       - name: Conveyor build apps
         uses: hydraulic-software/conveyor/actions/[email protected]
         if: inputs.github_release
@@ -157,8 +163,8 @@ jobs:
           signing_key: ${{ secrets.CONVEYOR_SIGNING_KEY }}
           agree_to_license: 1
         env:
-          APPLE_ASP: ${{ secrets.APPLE_ASP }}
-          APPLE_ID: ${{ secrets.APPLE_ID }}
+          APPLE_ISSUER_ID: ${{ secrets.APPLE_ISSUER_ID }}
+          APPLE_KEY_ID: ${{ secrets.APPLE_KEY_ID }}
 
       - name: Adjust Conveyor output
         if: inputs.github_release

diff --git a/.gitignore b/.gitignore
@@ -52,3 +52,4 @@ application-oauth2.yml
 
 ### Conveyor
 output/
+secret/
diff --git a/conveyor.ci.conf b/conveyor.ci.conf
@@ -4,8 +4,9 @@ app {
     mac.certificate = apple.cer
 
     mac.notarization {
-        app-specific-password = ${env.APPLE_ASP}
-        team-id = GCZZU2X3J2
-        apple-id = ${env.APPLE_ID}
+        issuer-id = ${env.APPLE_ISSUER_ID}
+        key-id = ${env.APPLE_KEY_ID}
+        ; the secret is written to file by CI from Gihub Secrets
+        private-key = ./secret/apple_private_key.p8
     }
 }
Original file line number	Diff line number	Diff line change
Expand Up		@@ -52,3 +52,4 @@ application-oauth2.yml

		### Conveyor
		output/
		secret/