diff --git a/.github/workflows/desktop-release.yml b/.github/workflows/desktop-release.yml
index accb7ac1c..b0cf53379 100644
--- a/.github/workflows/desktop-release.yml
+++ b/.github/workflows/desktop-release.yml
@@ -282,8 +282,9 @@ jobs:
         shell: bash
         env:
           IS_DRY_RUN: ${{ inputs.dry_run }}
-          APPLE_APP_SPECIFIC_PASSWORD_SECRET: ${{ secrets.APPLE_APP_SPECIFIC_PASSWORD }}
-          APPLE_ID_SECRET: ${{ secrets.APPLE_ID }}
+          APPLE_NOTARY_API_KEY_P8_BASE64_SECRET: ${{ secrets.APPLE_NOTARY_API_KEY_P8_BASE64 }}
+          APPLE_NOTARY_KEY_ID_SECRET: ${{ secrets.APPLE_NOTARY_KEY_ID }}
+          APPLE_NOTARY_ISSUER_ID_SECRET: ${{ secrets.APPLE_NOTARY_ISSUER_ID }}
           APPLE_TEAM_ID_SECRET: ${{ secrets.APPLE_TEAM_ID }}
           IS_DRAFT: ${{ inputs.draft }}
           MAC_CSC_KEY_PASSWORD_SECRET: ${{ secrets.MAC_CSC_KEY_PASSWORD }}
@@ -333,10 +334,19 @@ jobs:
               exit 1
             fi
 
+            # Materialize the App Store Connect API key (.p8) so electron-builder
+            # (>=24) notarizes via notarytool. It reads APPLE_API_KEY (a path to
+            # the .p8 file), APPLE_API_KEY_ID, and APPLE_API_ISSUER from the env.
+            if [ -n "$APPLE_NOTARY_API_KEY_P8_BASE64_SECRET" ] && [ -n "$APPLE_NOTARY_KEY_ID_SECRET" ] && [ -n "$APPLE_NOTARY_ISSUER_ID_SECRET" ]; then
+              api_key_path="${RUNNER_TEMP}/apple-notary-key.p8"
+              printf '%s' "$APPLE_NOTARY_API_KEY_P8_BASE64_SECRET" | base64 --decode > "$api_key_path"
+              append_env "APPLE_API_KEY" "$api_key_path"
+              append_env "APPLE_API_KEY_ID" "$APPLE_NOTARY_KEY_ID_SECRET"
+              append_env "APPLE_API_ISSUER" "$APPLE_NOTARY_ISSUER_ID_SECRET"
+            fi
+
             append_env "CSC_LINK" "$mac_csc_link"
             append_env "CSC_KEY_PASSWORD" "$mac_csc_key_password"
-            append_env "APPLE_ID" "$APPLE_ID_SECRET"
-            append_env "APPLE_APP_SPECIFIC_PASSWORD" "$APPLE_APP_SPECIFIC_PASSWORD_SECRET"
             append_env "APPLE_TEAM_ID" "$APPLE_TEAM_ID_SECRET"
             echo "CSC_IDENTITY_AUTO_DISCOVERY=true" >> "$GITHUB_ENV"
           else
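Review bot: The decoded App Store Connect private key is written to `${RUNNER_TEMP}/apple-notary-key.p8` with the runner's default umask and its path is exported via `append_env "APPLE_API_KEY"`, so the .p8 stays world-readable on the runner for every later step of the job and nothing in this hunk removes it; creating it under `umask 077` and deleting it in a cleanup step that runs `if: always()` (outside this hunk) would close both gaps. The `printf | base64 --decode > file` pipeline is also unchecked: a malformed secret leaves an empty or partial key file whose path is still exported, and the failure only surfaces later inside electron-builder, assuming the script does not run under `set -o pipefail` (not visible here). Finally, because the `APPLE_ID`/`APPLE_APP_SPECIFIC_PASSWORD` fallback is removed in the same hunk, a repository where only one or two of the three `APPLE_NOTARY_*` secrets are configured silently skips this block and ships an unnotarized build; an `elif` that fails when any of the three is set but not all of them makes that misconfiguration visible. The enclosing outer `if` (whose `else` is the last context line) starts outside the hunk.
```bash
if [ -n "$APPLE_NOTARY_API_KEY_P8_BASE64_SECRET" ] && [ -n "$APPLE_NOTARY_KEY_ID_SECRET" ] && [ -n "$APPLE_NOTARY_ISSUER_ID_SECRET" ]; then
  api_key_path="${RUNNER_TEMP}/apple-notary-key.p8"
  # Private key material: owner-only permissions, and abort if the decode fails
  # so an empty/partial file is never exported as APPLE_API_KEY.
  (umask 077 && printf '%s' "$APPLE_NOTARY_API_KEY_P8_BASE64_SECRET" | base64 --decode > "$api_key_path") \
    || { echo "::error::failed to decode APPLE_NOTARY_API_KEY_P8_BASE64" >&2; exit 1; }
  append_env "APPLE_API_KEY" "$api_key_path"
  # … unchanged: APPLE_API_KEY_ID / APPLE_API_ISSUER exports …
elif [ -n "${APPLE_NOTARY_API_KEY_P8_BASE64_SECRET}${APPLE_NOTARY_KEY_ID_SECRET}${APPLE_NOTARY_ISSUER_ID_SECRET}" ]; then
  echo "::error::APPLE_NOTARY_* secrets are only partially configured; notarization would be skipped" >&2
  exit 1
fi
```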