mirror of
https://github.com/zhayujie/chatgpt-on-wechat.git
synced 2026-07-17 11:07:11 +08:00
fix(desktop): notarize the .app zip
This commit is contained in:
60
.github/workflows/release.yml
vendored
60
.github/workflows/release.yml
vendored
@@ -108,6 +108,10 @@ jobs:
|
||||
# is the correct state for unsigned builds.
|
||||
MAC_CSC_LINK: ${{ secrets.MAC_CSC_LINK }}
|
||||
MAC_CSC_KEY_PASSWORD: ${{ secrets.MAC_CSC_KEY_PASSWORD }}
|
||||
# electron-builder's built-in notarization reads these.
|
||||
APPLE_ID: ${{ secrets.APPLE_ID }}
|
||||
APPLE_APP_SPECIFIC_PASSWORD: ${{ secrets.APPLE_APP_SPECIFIC_PASSWORD }}
|
||||
APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
|
||||
WIN_CSC_LINK: ${{ secrets.WIN_CSC_LINK }}
|
||||
WIN_CSC_KEY_PASSWORD: ${{ secrets.WIN_CSC_KEY_PASSWORD }}
|
||||
run: |
|
||||
@@ -128,57 +132,15 @@ jobs:
|
||||
# Never let electron-builder publish: our publish target is a generic
|
||||
# (read-only) feed served from R2/D1, which it can't upload to. We mirror
|
||||
# installers to R2 and register them in D1 ourselves (publish-r2 job).
|
||||
# `--publish never` still emits the latest*.yml files we parse for sha512.
|
||||
# Use the dynamic config (electron-builder.js) so mac.binaries is
|
||||
# populated with the embedded backend's Mach-O files for signing.
|
||||
# electron-builder signs but does NOT notarize (notarize:false); the
|
||||
# dedicated step below notarizes + staples with retry.
|
||||
# `--publish never` still emits the latest*.yml files.
|
||||
# Use the dynamic config (electron-builder.js): it populates
|
||||
# mac.binaries (backend Mach-O files to sign) and enables built-in
|
||||
# notarization, which zips the .app and submits that (the path Apple
|
||||
# actually accepts for this large bundle) then staples + packs the dmg.
|
||||
npx electron-builder ${{ matrix.eb_flags }} --config electron-builder.js --publish never
|
||||
|
||||
# Whether Mac signing secrets are present. `secrets` can't be used in a
|
||||
# step `if:` directly, and step-level `env` isn't visible to that step's
|
||||
# own `if:`, so surface it as an output for the notarize step to gate on.
|
||||
- name: Check mac signing secrets
|
||||
id: macsign
|
||||
if: matrix.platform == 'mac'
|
||||
shell: bash
|
||||
env:
|
||||
MAC_CSC_LINK: ${{ secrets.MAC_CSC_LINK }}
|
||||
run: |
|
||||
if [ -n "$MAC_CSC_LINK" ]; then
|
||||
echo "enabled=true" >> "$GITHUB_OUTPUT"
|
||||
else
|
||||
echo "enabled=false" >> "$GITHUB_OUTPUT"
|
||||
echo "::notice::MAC_CSC_LINK not set — skipping notarization (unsigned build)."
|
||||
fi
|
||||
|
||||
# Notarize + staple the dmg: submit ONCE, then poll that submission id
|
||||
# until Accepted/Invalid (see notarize-dmg.sh — never resubmits).
|
||||
# Skipped for Windows and for unsigned builds (no cert).
|
||||
- name: Notarize macOS dmg
|
||||
if: matrix.platform == 'mac' && steps.macsign.outputs.enabled == 'true'
|
||||
working-directory: desktop
|
||||
shell: bash
|
||||
env:
|
||||
APPLE_ID: ${{ secrets.APPLE_ID }}
|
||||
APPLE_APP_SPECIFIC_PASSWORD: ${{ secrets.APPLE_APP_SPECIFIC_PASSWORD }}
|
||||
APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
|
||||
run: |
|
||||
shopt -s nullglob
|
||||
dmgs=(release/*.dmg)
|
||||
if [ ${#dmgs[@]} -eq 0 ]; then
|
||||
echo "::error::no dmg found to notarize"
|
||||
exit 1
|
||||
fi
|
||||
for dmg in "${dmgs[@]}"; do
|
||||
bash build/notarize-dmg.sh "$dmg"
|
||||
done
|
||||
|
||||
# Always upload artifacts, even when notarization timed out. The
|
||||
# notarization ticket is keyed to the dmg's hash on Apple's servers: if
|
||||
# the submission is eventually Accepted, THIS exact dmg becomes valid
|
||||
# as-is (download it, `xcrun stapler staple`, publish manually) — no
|
||||
# rebuild needed. Rebuilding would change the hash and waste the ticket.
|
||||
# Upload artifacts regardless of outcome, so a failed run still surfaces
|
||||
# the built installers (and, on success, the notarized+stapled dmg).
|
||||
- name: Upload artifacts
|
||||
if: always()
|
||||
uses: actions/upload-artifact@v4
|
||||
|
||||
Reference in New Issue
Block a user