kimi-code/.github/actions/macos-notarize/action.yml
2026-05-22 15:54:50 +08:00

95 lines
3.1 KiB
YAML

name: macOS notarize
description: |
Submit a signed binary to Apple notary service via notarytool, wait for
result, and run Gatekeeper online check (spctl). Fails the job with the
notarytool log on rejection.
inputs:
binary-path:
description: Absolute path to the signed binary
required: true
notarization-key-p8:
description: Base64-encoded App Store Connect API Key (.p8)
required: true
notarization-key-id:
description: API Key ID
required: true
notarization-issuer-id:
description: Issuer ID
required: true
timeout:
description: notarytool wait timeout (e.g. 15m)
required: false
default: '15m'
runs:
using: composite
steps:
- name: Submit to notary service
shell: bash
env:
BINARY_PATH: ${{ inputs.binary-path }}
APPLE_NOTARIZATION_KEY_P8: ${{ inputs.notarization-key-p8 }}
APPLE_NOTARIZATION_KEY_ID: ${{ inputs.notarization-key-id }}
APPLE_NOTARIZATION_ISSUER_ID: ${{ inputs.notarization-issuer-id }}
NOTARY_TIMEOUT: ${{ inputs.timeout }}
run: |
set -euo pipefail
if [[ ! -f "$BINARY_PATH" ]]; then
echo "::error::Binary not found at $BINARY_PATH"
exit 1
fi
# 1. Decode API key
key_path="${RUNNER_TEMP}/AuthKey.p8"
printf '%s' "$APPLE_NOTARIZATION_KEY_P8" | base64 -d > "$key_path"
# 2. Pack with ditto (--norsrc avoids ._AppleDouble files)
binary_name=$(basename "$BINARY_PATH")
zip_path="${RUNNER_TEMP}/${binary_name}.notarize.zip"
ditto -c -k --norsrc --keepParent "$BINARY_PATH" "$zip_path"
echo "==> Submitting $binary_name for notarization..."
# 3. Submit and capture log
log_path="${RUNNER_TEMP}/notarize-${binary_name}.log"
set +e
xcrun notarytool submit "$zip_path" \
--key "$key_path" \
--key-id "$APPLE_NOTARIZATION_KEY_ID" \
--issuer "$APPLE_NOTARIZATION_ISSUER_ID" \
--wait --timeout "$NOTARY_TIMEOUT" 2>&1 | tee "$log_path"
notarize_rc=${PIPESTATUS[0]}
set -e
# 4. Inspect status
if ! grep -q "status: Accepted" "$log_path"; then
echo "::error::Notarization failed (exit=$notarize_rc)"
submission_id=$(grep -m1 "id:" "$log_path" | awk '{print $2}' || true)
if [[ -n "$submission_id" ]]; then
echo "Fetching detailed log for submission $submission_id..."
xcrun notarytool log "$submission_id" \
--key "$key_path" \
--key-id "$APPLE_NOTARIZATION_KEY_ID" \
--issuer "$APPLE_NOTARIZATION_ISSUER_ID" || true
fi
rm -f "$key_path" "$zip_path"
exit 1
fi
echo "==> Notarization accepted"
# 5. Cleanup
rm -f "$key_path" "$zip_path"
- name: Verify with Gatekeeper online check
shell: bash
env:
BINARY_PATH: ${{ inputs.binary-path }}
run: |
set -euo pipefail
echo "==> codesign -dv $BINARY_PATH"
codesign -dv --verbose=2 "$BINARY_PATH"
echo "==> spctl -a -vvv -t install $BINARY_PATH"
spctl -a -vvv -t install "$BINARY_PATH"