name: GoReleaser Orbit on: push: tags: - 'orbit-*' permissions: contents: read jobs: goreleaser: runs-on: macos-latest environment: Docker Hub permissions: contents: write steps: - name: Checkout uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # v2 # Note that goreleaser does not like the orbit- prefixed flag unless you use the closed-source # paid version. We pay for goreleaser, but using the closed source build would weaken our # supply-chain integrity goals, so we hack around it by replacing the tag. - name: Replace tag run: git tag $(echo ${{ github.ref_name }} | sed -e 's/orbit-//g') - name: Import signing keys env: APPLE_APPLICATION_CERTIFICATE: ${{ secrets.APPLE_APPLICATION_CERTIFICATE }} APPLE_APPLICATION_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_APPLICATION_CERTIFICATE_PASSWORD }} KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }} run: | echo "$APPLE_APPLICATION_CERTIFICATE" | base64 --decode > certificate.p12 security create-keychain -p $KEYCHAIN_PASSWORD build.keychain security default-keychain -s build.keychain security unlock-keychain -p $KEYCHAIN_PASSWORD build.keychain security import certificate.p12 -k build.keychain -P $APPLE_APPLICATION_CERTIFICATE_PASSWORD -T /usr/bin/codesign security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k $KEYCHAIN_PASSWORD build.keychain security find-identity -vv rm certificate.p12 - name: Set up Go uses: actions/setup-go@84cbf8094393cdc5fe1fe1671ff2647332956b1a # v2 with: go-version: 1.19.1 - name: Run GoReleaser run: go run github.com/goreleaser/goreleaser@v1.9.2 release --rm-dist -f orbit/.goreleaser.yml env: AC_USERNAME: ${{ secrets.APPLE_USERNAME }} AC_PASSWORD: ${{ secrets.APPLE_PASSWORD }} CODESIGN_IDENTITY: 51049B247B25B3119FAE7E9C0CC4375A43E47237 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}