From 50e3d4020d2431d01ae3b8c6cc28c49a2762d267 Mon Sep 17 00:00:00 2001
From: Nat Goodspeed <nat@lindenlab.com>
Date: Mon, 25 Sep 2023 11:19:38 -0400
Subject: [PATCH] SL-19242: Reference the actual stored GitHub repo secrets.

Add a Mac signing step to unpack the credentials bundled into
NOTARIZE_CREDS_MACOS so viewer-build-util/sign-pkg-mac need not know about
that peculiarity of our secrets formatting.
---
 .github/workflows/build.yaml | 25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)

diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index b010115e9c9..d7bc4a84af1 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -279,11 +279,36 @@ jobs:
     needs: build
     runs-on: macos-latest
     steps:
+      - name: Unpack Mac notarization credentials
+        id: note-creds
+        shell: bash
+        run: |
+          # In NOTARIZE_CREDS_MACOS we expect to find:
+          # USERNAME="..."
+          # PASSWORD="..."
+          # ASC_PROVIDER="..."
+          eval "${{ secrets.NOTARIZE_CREDS_MACOS }}
+          echo "::add-mask::$USERNAME"
+          echo "::add-mask::$PASSWORD"
+          echo "::add-mask::$ASC_PROVIDER"
+          echo "note_user=$USERNAME" >> "$GITHUB_OUTPUT"
+          echo "note_pass=$PASSWORD" >> "$GITHUB_OUTPUT"
+          echo "note_asc=$ASC_PROVIDER" >> "$GITHUB_OUTPUT"
+          # If we didn't manage to retrieve all of these credentials, better
+          # find out sooner than later.
+          [[ -n "$USERNAME" && -n "$PASSWORD && -n "$ASC_PROVIDER" ]]
+
       - name: Sign and package Mac viewer
         uses: secondlife/viewer-build-util/sign-pkg-mac@main
         with:
           channel: ${{ needs.build.outputs.viewer_channel }}
           imagename: ${{ needs.build.outputs.imagename }}
+          cert_base64: ${{ secrets.SIGNING_CERT_MACOS }}
+          cert_name: ${{ secrets.SIGNING_CERT_MACOS_IDENTITY }}
+          cert_pass: ${{ secrets.SIGNING_CERT_MACOS_PASSWORD }}
+          note_user: ${{ steps.note-creds.outputs.note_user }}
+          note_pass: ${{ steps.note-creds.outputs.note_pass }}
+          note_asc: ${{ steps.note-creds.outputs.note_asc }}
 
   post-windows-symbols:
     needs: build
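Review bot: The `eval` line in the new `note-creds` step opens a double quote that is never closed, and the final check has the same problem at `-n "$PASSWORD &&`, so bash pairs quotes across lines and the `::add-mask::` and `$GITHUB_OUTPUT` lines are unlikely to run as written; the check should read `[[ -n "$USERNAME" && -n "$PASSWORD" && -n "$ASC_PROVIDER" ]]`. Separately, `${{ secrets.NOTARIZE_CREDS_MACOS }}` is pasted into the script text before bash parses it, so any quote or `$` inside the secret changes the script itself. Passing it through the step's `env:` mapping and running `eval "$NOTARIZE_CREDS_MACOS"` keeps the value as data until the eval. The unpacked values are then handed, together with the signing-certificate secrets, to `secondlife/viewer-build-util/sign-pkg-mac@main`, a mutable branch reference, and pinning that action to a commit SHA would fix which code receives them. The job's own header line sits above the hunk, so only its `steps:` are visible here.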
-- 
GitLab