From e2be8078b4284ea4504c9443967c0aa621c66026 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?C=C3=A9dric=20Fabianski?= <cedric@bearer.sh>
Date: Tue, 13 Dec 2022 12:20:51 +0100
Subject: [PATCH] chore: sign darwin binaries (#238)

chore: sign darwin
---
 .github/workflows/release.yml | 19 +++++++++++++++---
 goreleaser/darwin.yaml        | 38 +++++++++++++++++++++++++++++++++--
 2 files changed, 52 insertions(+), 5 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 7403e9eee..232703116 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -72,6 +72,15 @@ jobs:
         uses: actions/setup-go@v3
         with:
           go-version: 1.18
+      - name: Setup Gon
+        run: brew install mitchellh/gon/gon
+      - name: Import Code-Signing Certificates
+        uses: Apple-Actions/import-codesign-certs@v1
+        with:
+          # The certificates in a PKCS12 file encoded as a base64 string
+          p12-file-base64: ${{ secrets.APPLE_DEVELOPER_CERTIFICATE_P12_BASE64 }}
+          # The password used to import the PKCS12 file.
+          p12-password: ${{ secrets.APPLE_DEVELOPER_CERTIFICATE_PASSWORD }}
       - name: Run GoReleaser
         uses: goreleaser/goreleaser-action@v3
         with:
@@ -80,14 +89,18 @@ jobs:
           args: release --skip-publish -f ./goreleaser/darwin.yaml
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          AC_USERNAME: ${{ secrets.AC_USERNAME }}
+          AC_PASSWORD: ${{ secrets.AC_PASSWORD }}
       - name: Upload
         uses: actions/upload-artifact@v3
         with:
           name: curio-darwin
-          path: dist/curio*
+          path: |
+            dist/curio*.tar.gz
+            dist/curio*checksums.txt
 
   publish:
-    needs: [tag, build-darwin, build-linux]
+    needs: [tag, build-linux, build-darwin]
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v3
@@ -112,8 +125,8 @@ jobs:
       - name: Merge checksum file
         run: |
           cd ./curio-build
-          cat ./darwin/curio*checksums.txt >> checksums.txt
           cat ./linux/curio*checksums.txt >> checksums.txt
+          cat ./darwin/curio*checksums.txt >> checksums.txt
           rm ./darwin/curio*checksums.txt
           rm ./linux/curio*checksums.txt
       - name: Release
diff --git a/goreleaser/darwin.yaml b/goreleaser/darwin.yaml
index 5a61f9c43..f2712f14e 100644
--- a/goreleaser/darwin.yaml
+++ b/goreleaser/darwin.yaml
@@ -1,9 +1,12 @@
+project_name: curio
+
 before:
   hooks:
     - go mod tidy
     - go generate ./...
+
 builds:
-  - id: "darwin"
+  - id: curio-macos-build
     main: ./cmd/curio
     binary: curio
     env:
@@ -11,14 +14,45 @@ builds:
     goos:
       - darwin
     goarch:
-      - arm64
       - amd64
+      - arm64
     ldflags:
       - -s -w
       - -X "github.com/bearer/curio/cmd/curio/build.Version={{.Version}}"
       - -X "github.com/bearer/curio/cmd/curio/build.CommitSHA={{.Commit}}"
+    hooks:
+      post:
+        - |
+          sh -c '
+          fn=dist/curio-macos-build_{{.Target}}/gon.hcl
+          cat >"$fn" <<EOF
+          source = ["dist/curio-macos-build_{{.Target}}/{{.Name}}"]
+
+          bundle_id = "com.bearer.curio"
+
+          apple_id {
+            password = "@env:AC_PASSWORD"
+          }
+
+          sign {
+            application_identity = "Developer ID Application: Bearer Inc (5T2VP4YAG8)"
+          }
+
+          zip {
+            output_path = "curio_{{.Target}}.zip"
+          }
+          EOF
+          '
+        - "gon -log-level=debug 'dist/curio-macos-build_{{.Target}}/gon.hcl'"
+
 snapshot:
   name_template: "{{ incpatch .Version }}-next"
+
+archives:
+  - id: macos-archive
+    builds:
+      - curio-macos-build
+
 changelog:
   sort: asc
   filters: