refactored build to run via make

Change-Id: I2ad5b8cb60480e4c9f76c6499e2b6dff5819f98e
Signed-off-by: Thomas Kosiewski <[email protected]>

Author: ThomasK33

.env

@@ -0,0 +1,9 @@
+# Build a release locally using: op run --env-file="./.env" -- make release
+APPLE_CERT="op://Apple/Apple DeveloperID PKCS12 base64/notesPlain"
+CERT_PASSWORD="op://Apple/DeveloperID p12 password/password"
+
+APPLE_ID="op://Apple/3apcadvvcojjbpxnd7m5fgh5wm/username"
+APPLE_ID_PASSWORD="op://Apple/3apcadvvcojjbpxnd7m5fgh5wm/password"
+
+APP_PROF="op://Apple/Provisioning Profiles/profiles/application_base64"
+EXT_PROF="op://Apple/Provisioning Profiles/profiles/extension_base64"

.github/workflows/release.yml

@@ -13,8 +13,6 @@ jobs:
     permissions:
       # To upload assets to the release
       contents: write
-    env:
-      KEYCHAIN_PATH: /tmp/app-signing.keychain-db
     steps:
       - name: Checkout
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
@@ -30,41 +28,15 @@ jobs:
       - name: Setup Nix
         uses: ./.github/actions/nix-devshell
 
-      # FIXME(ThomasK33): Only used for testing, shall be removed later
-      - name: Setup tmate session
-        uses: mxschmitt/action-tmate@v3
-        with:
-          limit-access-to-actor: true
+      - name: Build
         env:
           APPLE_CERT: ${{ secrets.APPLE_DEVELOPER_ID_PKCS12_B64 }}
-          CERT_PASSWORD: ${{ secrets.APPLE_DEVELOPER_ID_PKCS12_PASSWORD }}
           APPLE_ID: ${{ secrets.APPLE_NOTARYTOOL_USERNAME  }}
           APPLE_ID_PASSWORD: ${{ secrets.APPLE_NOTARYTOOL_PASSWORD }}
           APP_PROF: ${{ secrets.CODER_DESKTOP_APP_PROVISIONPROFILE_B64 }}
-          EXT_PROF: ${{ secrets.CODER_DESKTOP_EXTENSION_PROVISIONPROFILE_B64 }}
-
-      - name: Install Cert & Retrieve Provisioning Profiles
-        env:
-          APPLE_CERT: ${{ secrets.APPLE_DEVELOPER_ID_PKCS12_B64 }}
           CERT_PASSWORD: ${{ secrets.APPLE_DEVELOPER_ID_PKCS12_PASSWORD }}
-        run: |
-          set -euox pipefail
-          security create-keychain -p "" "$KEYCHAIN_PATH"
-          security set-keychain-settings -lut 21600 "$KEYCHAIN_PATH"
-          security unlock-keychain -p "" "$KEYCHAIN_PATH"
-          security import <(echo -n "$APPLE_CERT" | base64 -d) -P "$CERT_PASSWORD" -A -t cert -f pkcs12 -k "$KEYCHAIN_PATH"
-          security list-keychain -d user -s "$KEYCHAIN_PATH"
-
-      - name: Build
-        env:
-          APPLE_ID: ${{ secrets.APPLE_NOTARYTOOL_USERNAME  }}
-          APPLE_ID_PASSWORD: ${{ secrets.APPLE_NOTARYTOOL_PASSWORD }}
-          APP_PROF: ${{ secrets.CODER_DESKTOP_APP_PROVISIONPROFILE_B64 }}
           EXT_PROF: ${{ secrets.CODER_DESKTOP_EXTENSION_PROVISIONPROFILE_B64 }}
-        run: ./scripts/build.sh \
-          --app-prof-path <(echo -n "$APP_PROF" | base64 -d) \
-          --ext-prof-path <(echo -n "$EXT_PROF" | base64 -d) \
-          --keychain-path "$KEYCHAIN_PATH"
+        run: make release
 
       - name: Upload Build Artifacts
         uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0

.gitignore

@@ -295,3 +295,10 @@ xcuserdata
 buildServer.json
 
 # End of https://www.toptal.com/developers/gitignore/api/xcode,jetbrains,macos,direnv,swift,swiftpm,objective-c
+
+*.entitlements
+
+app/
+
+# Make marker file
+app-signing.keychain-db

Coder Desktop/Coder Desktop/Coder_Desktop.entitlements

@@ -28,13 +28,28 @@ $(XCPROJECT): $(PROJECT)/project.yml
 $(PROJECT)/VPNLib/vpn.pb.swift: $(PROJECT)/VPNLib/vpn.proto
 	protoc --swift_opt=Visibility=public --swift_out=. 'Coder Desktop/VPNLib/vpn.proto'
 
-.PHONY: $(APP_SIGNING_KEYCHAIN)
 $(APP_SIGNING_KEYCHAIN):
 	security create-keychain -p "" "$(APP_SIGNING_KEYCHAIN)"
 	security set-keychain-settings -lut 21600 "$(APP_SIGNING_KEYCHAIN)"
 	security unlock-keychain -p "" "$(APP_SIGNING_KEYCHAIN)"
-	security import <(echo -n "${APPLE_CERT}" | base64 -d) -P "${CERT_PASSWORD}" -A -t cert -f pkcs12 -k "$(APP_SIGNING_KEYCHAIN)"
+	@tempfile=$$(mktemp); \
+	echo "$$APPLE_CERT" | base64 -d > $$tempfile; \
+	security import $$tempfile -P '$(CERT_PASSWORD)' -A -t cert -f pkcs12 -k "$(APP_SIGNING_KEYCHAIN)"; \
+	rm $$tempfile
 	security list-keychain -d user -s "$(APP_SIGNING_KEYCHAIN)"
+	touch $(APP_SIGNING_KEYCHAIN)
+
+.PHONY: release
+release: $(APP_SIGNING_KEYCHAIN) ## Create a release build of Coder Desktop
+	@APP_PROF_PATH="$$(mktemp)"; \
+	EXT_PROF_PATH="$$(mktemp)"; \
+	echo -n "$$APP_PROF" | base64 -d > "$$APP_PROF_PATH"; \
+	echo -n "$$EXT_PROF" | base64 -d > "$$EXT_PROF_PATH"; \
+	./scripts/build.sh \
+		--app-prof-path "$$APP_PROF_PATH" \
+		--ext-prof-path "$$EXT_PROF_PATH" \
+		--keychain "$(APP_SIGNING_KEYCHAIN)"; \
+	rm "$$APP_PROF_PATH" "$$EXT_PROF_PATH"
 
 .PHONY: fmt
 fmt: ## Run Swift file formatter
@@ -67,10 +82,28 @@ lint/actions: ## Lint GitHub Actions
 	zizmor .
 
 .PHONY: clean
-clean: ## Clean Xcode project
-	xcodebuild clean \
-		-project $(XCPROJECT)
-	rm -rf $(XCPROJECT)
+clean: clean/project clean/keychain clean/build ## Clean project and artifacts
+
+.PHONY: clean/project
+clean/project:
+	@if [ -d $(XCPROJECT) ]; then \
+		echo "Cleaning project: '$(XCPROJECT)'"; \
+		xcodebuild clean -project $(XCPROJECT); \
+		rm -rf $(XCPROJECT); \
+	fi
+	find . -name "*.entitlements" -type f -delete
+
+.PHONY: clean/keychain
+clean/keychain:
+	@if [ -e "$(APP_SIGNING_KEYCHAIN)" ]; then \
+		echo "Cleaning keychain: '$(APP_SIGNING_KEYCHAIN)'"; \
+		security delete-keychain "$(APP_SIGNING_KEYCHAIN)"; \
+		rm -f "$(APP_SIGNING_KEYCHAIN)"; \
+	fi
+
+.PHONY: clean/build
+clean/build:
+	rm -rf build/ app/
 
 .PHONY: proto
 proto: $(PROJECT)/VPNLib/vpn.pb.swift ## Generate Swift files from protobufs

Coder Desktop/VPN/VPN.entitlements

@@ -25,6 +25,30 @@
           };
 
           formatter = pkgs.nixfmt-rfc-style;
+
+          create-dmg = pkgs.buildNpmPackage rec {
+            pname = "create-dmg";
+            version = "7.0.0";
+
+            src = pkgs.fetchFromGitHub {
+              owner = "sindresorhus";
+              repo = pname;
+              rev = "v${version}";
+              hash = "sha256-+GxKfhVDmtgEh9NOAzGexgfj1qAb0raC8AmrrnJ2vNA=";
+            };
+
+            npmDepsHash = "sha256-48r9v0sTlHbyH4RjynClfC/QsFAlgMTtXCbleuMSM80=";
+
+            # create-dmg author does not want to include a lockfile in their releases,
+            # thus we need to vendor it in ourselves.
+            postPatch = ''
+              cp ${./nix/create-dmg/package-lock.json} package-lock.json
+            '';
+
+            # Plain JS, so nothing to build
+            dontNpmBuild = true;
+            dontNpmPrune = true;
+          };
         in
         {
           inherit formatter;