added some local helpers and reactivated ci workflows

Change-Id: Ie0ecd24e63f5d015f3375c2853829c4646df16a6
Signed-off-by: Thomas Kosiewski <[email protected]>

Author: ThomasK33

.github/actions/nix-devshell/action.yaml

@@ -6,8 +6,5 @@ runs:
     - name: Setup Nix
       uses: DeterminateSystems/nix-installer-action@e50d5f73bfe71c2dd0aa4218de8f4afa59f8f81d # v16
 
-    - name: Setup GHA Nix cache
-      uses: DeterminateSystems/magic-nix-cache-action@6221693898146dc97e38ad0e013488a16477a4c4 # v9
-
     - name: Enter devshell
       uses: nicknovitski/nix-develop@9be7cfb4b10451d3390a75dc18ad0465bed4932a # v1.2.1

.github/dependabot.yaml

@@ -0,0 +1,15 @@
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+      time: "06:00"
+      timezone: "America/Chicago"
+    labels: []
+    commit-message:
+      prefix: "ci"
+    groups:
+      github-actions:
+        patterns:
+          - "*"

.github/workflows/ci.yml

@@ -17,12 +17,12 @@ jobs:
   test:
     name: test
     runs-on: ${{ github.repository_owner == 'coder' && 'depot-macos-latest' || 'macos-latest'}}
-    if: false
     steps:
       - name: Checkout
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           fetch-depth: 1
+          persist-credentials: false
 
       - name: Switch XCode Version
         uses: maxim-lobanov/setup-xcode@60606e260d2fc5762a71e64e74b2174e8ea3c8bd # v1.6.0
@@ -39,12 +39,12 @@ jobs:
   format:
     name: fmt
     runs-on: ${{ github.repository_owner == 'coder' && 'depot-macos-latest' || 'macos-latest'}}
-    if: false
     steps:
       - name: Checkout
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           fetch-depth: 1
+          persist-credentials: false
 
       - name: Switch XCode Version
         uses: maxim-lobanov/setup-xcode@60606e260d2fc5762a71e64e74b2174e8ea3c8bd # v1.6.0
@@ -61,12 +61,12 @@ jobs:
   lint:
     name: lint
     runs-on: ${{ github.repository_owner == 'coder' && 'depot-macos-latest' || 'macos-latest'}}
-    if: false
     steps:
       - name: Checkout
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           fetch-depth: 1
+          persist-credentials: false
 
       - name: Setup Nix
         uses: ./.github/actions/nix-devshell

.github/workflows/release.yml

@@ -2,73 +2,74 @@ name: release
 
 on:
   # TODO: Switch to on `v*` tag push
-  workflow_dispatch:
+  pull_request:
 
-# permissions:
-#   # To upload assets to the release
-#   contents: write
+permissions: {}
 
 jobs:
   build:
     runs-on: ${{ github.repository_owner == 'coder' && 'depot-macos-latest' || 'macos-latest'}}
     if: ${{ github.repository_owner == 'coder' }}
-    env: 
-      CERT_PATH:       /tmp/apple_cert.p12
-      APP_PROF_PATH:   /tmp/app.provisionprofile
-      EXT_PROF_PATH:   /tmp/ext.provisionprofile
-      KEYCHAIN_PATH:   /tmp/app-signing.keychain-db
+    permissions:
+      # To upload assets to the release
+      contents: write
+    env:
+      KEYCHAIN_PATH: /tmp/app-signing.keychain-db
     steps:
       - name: Checkout
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           fetch-depth: 1
+          persist-credentials: false
 
       - name: Switch XCode Version
         uses: maxim-lobanov/setup-xcode@60606e260d2fc5762a71e64e74b2174e8ea3c8bd # v1.6.0
         with:
           xcode-version: "16.0.0"
 
-      - name: Install Cert & Retrieve Provisioning Profiles
+      - name: Setup Nix
+        uses: ./.github/actions/nix-devshell
+
+      # FIXME(ThomasK33): Only used for testing, shall be removed later
+      - name: Setup tmate session
+        uses: mxschmitt/action-tmate@v3
+        with:
+          limit-access-to-actor: true
         env:
           APPLE_CERT: ${{ secrets.APPLE_DEVELOPER_ID_PKCS12_B64 }}
           CERT_PASSWORD: ${{ secrets.APPLE_DEVELOPER_ID_PKCS12_PASSWORD }}
+          APPLE_ID: ${{ secrets.APPLE_NOTARYTOOL_USERNAME  }}
+          APPLE_ID_PASSWORD: ${{ secrets.APPLE_NOTARYTOOL_PASSWORD }}
           APP_PROF: ${{ secrets.CODER_DESKTOP_APP_PROVISIONPROFILE_B64 }}
           EXT_PROF: ${{ secrets.CODER_DESKTOP_EXTENSION_PROVISIONPROFILE_B64 }}
+
+      - name: Install Cert & Retrieve Provisioning Profiles
+        env:
+          APPLE_CERT: ${{ secrets.APPLE_DEVELOPER_ID_PKCS12_B64 }}
+          CERT_PASSWORD: ${{ secrets.APPLE_DEVELOPER_ID_PKCS12_PASSWORD }}
         run: |
-          set -euo pipefail
-          touch "$CERT_PATH" "$APP_PROF_PATH" "$EXT_PROF_PATH"
-          echo "$APPLE_CERT" | base64 -d > "$CERT_PATH"
-          echo "$APP_PROF" | base64 -d > "$APP_PROF_PATH"
-          echo "$EXT_PROF" | base64 -d > "$EXT_PROF_PATH"
-          set -x
+          set -euox pipefail
           security create-keychain -p "" "$KEYCHAIN_PATH"
           security set-keychain-settings -lut 21600 "$KEYCHAIN_PATH"
           security unlock-keychain -p "" "$KEYCHAIN_PATH"
-          security import "$CERT_PATH" -P "$CERT_PASSWORD" -A -t cert -f pkcs12 -k "$KEYCHAIN_PATH"
+          security import <(echo -n "$APPLE_CERT" | base64 -d) -P "$CERT_PASSWORD" -A -t cert -f pkcs12 -k "$KEYCHAIN_PATH"
           security list-keychain -d user -s "$KEYCHAIN_PATH"
 
-      - name: Setup Deps
-        run: |
-          brew install xcodegen
-          npm install --global create-dmg
-
       - name: Build
         env:
           APPLE_ID: ${{ secrets.APPLE_NOTARYTOOL_USERNAME  }}
           APPLE_ID_PASSWORD: ${{ secrets.APPLE_NOTARYTOOL_PASSWORD }}
-        run: |
-          ./scripts/build.sh
-      
+          APP_PROF: ${{ secrets.CODER_DESKTOP_APP_PROVISIONPROFILE_B64 }}
+          EXT_PROF: ${{ secrets.CODER_DESKTOP_EXTENSION_PROVISIONPROFILE_B64 }}
+        run: ./scripts/build.sh \
+          --app-prof-path <(echo -n "$APP_PROF" | base64 -d) \
+          --ext-prof-path <(echo -n "$EXT_PROF" | base64 -d) \
+          --keychain-path "$KEYCHAIN_PATH"
+
       - name: Upload Build Artifacts
         uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
         with:
           name: app
           path: |
             ./build
           retention-days: 7
-
-      - name: Clean Up
-        if: always()
-        run: |
-          security delete-keychain "$KEYCHAIN_PATH"
-          rm -f /tmp/{apple_cert.p12,app.provisionprofile,ext.provisionprofile,app-signing.keychain-db}

Makefile

@@ -10,6 +10,7 @@ PROJECT := Coder\ Desktop
 XCPROJECT := Coder\ Desktop/Coder\ Desktop.xcodeproj
 SCHEME := Coder\ Desktop
 SWIFT_VERSION := 6.0
+APP_SIGNING_KEYCHAIN := app-signing.keychain-db
 
 .PHONY: setup
 setup: \
@@ -27,6 +28,14 @@ $(XCPROJECT): $(PROJECT)/project.yml
 $(PROJECT)/VPNLib/vpn.pb.swift: $(PROJECT)/VPNLib/vpn.proto
 	protoc --swift_opt=Visibility=public --swift_out=. 'Coder Desktop/VPNLib/vpn.proto'
 
+.PHONY: $(APP_SIGNING_KEYCHAIN)
+$(APP_SIGNING_KEYCHAIN):
+	security create-keychain -p "" "$(APP_SIGNING_KEYCHAIN)"
+	security set-keychain-settings -lut 21600 "$(APP_SIGNING_KEYCHAIN)"
+	security unlock-keychain -p "" "$(APP_SIGNING_KEYCHAIN)"
+	security import <(echo -n "${APPLE_CERT}" | base64 -d) -P "${CERT_PASSWORD}" -A -t cert -f pkcs12 -k "$(APP_SIGNING_KEYCHAIN)"
+	security list-keychain -d user -s "$(APP_SIGNING_KEYCHAIN)"
+
 .PHONY: fmt
 fmt: ## Run Swift file formatter
 	swiftformat \
@@ -44,11 +53,19 @@ test: $(XCPROJECT) ## Run all tests
 		CODE_SIGNING_ALLOWED=NO | xcbeautify
 
 .PHONY: lint
-lint: ## Lint swift files
+lint: lint/swift lint/actions ## Lint all files in the repo
+
+.PHONY: lint/swift
+lint/swift: ## Lint Swift files
 	swiftlint \
 		--strict \
 		--quiet $(LINTFLAGS)
 
+.PHONY: lint/actions
+lint/actions: ## Lint GitHub Actions
+	actionlint
+	zizmor .
+
 .PHONY: clean
 clean: ## Clean Xcode project
 	xcodebuild clean \

flake.nix

@@ -31,17 +31,22 @@
 
           devShells.default = pkgs.mkShellNoCC {
             buildInputs = with pkgs; [
+              actionlint
               apple-sdk_15
               clang
+              coreutils
+              create-dmg
               formatter
               gnumake
               protobuf_28
               protoc-gen-swift
               swiftformat
               swiftlint
               watchexec
-              xcodegen
               xcbeautify
+              xcodegen
+              xcpretty
+              zizmor
             ];
           };
         }

scripts/build.sh

@@ -1,19 +1,67 @@
 #!/usr/bin/env bash
+set -euo pipefail
 
-set -euxo pipefail
+# Build Documentation @ https://developer.apple.com/forums/thread/737894
+APPLE_TEAM_ID="4399GN35BJ"
+CODE_SIGN_IDENTITY="Developer ID Application: Coder Technologies Inc (${APPLE_TEAM_ID})"
 
-get_uuid() {
-    strings "$1" | grep -E -o '[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}'
+# Default values pulled in from env
+APP_PROF_PATH=${APP_PROF_PATH:-""}
+EXT_PROF_PATH=${EXT_PROF_PATH:-""}
+KEYCHAIN_PATH=${KEYCHAIN_PATH:-""}
+
+# Function to display usage
+usage() {
+  echo "Usage: $0 [--app-prof-path <path>] [--ext-prof-path <path>] [--keychain-path <path>]"
+  echo "  --app-prof-path <path>  Set the APP_PROF_PATH variable"
+  echo "  --ext-prof-path <path>  Set the EXT_PROF_PATH variable"
+  echo "  --keychain-path <path>  Set the KEYCHAIN_PATH variable"
+  echo "  -h, --help              Display this help message"
 }
 
-# Build Documentation @ https://developer.apple.com/forums/thread/737894
+# Parse command line arguments
+while [[ "$#" -gt 0 ]]; do
+  case $1 in
+  --app-prof-path)
+    APP_PROF_PATH="$2"
+    shift 2
+    ;;
+  --ext-prof-path)
+    EXT_PROF_PATH="$2"
+    shift 2
+    ;;
+  --keychain-path)
+    KEYCHAIN_PATH="$2"
+    shift 2
+    ;;
+  -h | --help)
+    usage
+    exit 0
+    ;;
+  *)
+    echo "Unknown parameter passed: $1"
+    usage
+    exit 1
+    ;;
+  esac
+done
+
+# Check if required variables are set
+if [[ -z "$APP_PROF_PATH" || -z "$EXT_PROF_PATH" || -z "$KEYCHAIN_PATH" ]]; then
+  echo "Missing required values"
+  echo
+  usage
+  exit 1
+fi
 
 XCODE_PROVISIONING_PROFILES_DIR="$HOME/Library/Developer/Xcode/UserData/Provisioning Profiles"
 ALT_PROVISIONING_PROFILES_DIR="$HOME/Library/MobileDevice/Provisioning Profiles"
 mkdir -p "$XCODE_PROVISIONING_PROFILES_DIR"
 mkdir -p "$ALT_PROVISIONING_PROFILES_DIR"
-APPLE_TEAM_ID="4399GN35BJ"
-CODE_SIGN_IDENTITY="Developer ID Application: Coder Technologies Inc (${APPLE_TEAM_ID})"
+
+get_uuid() {
+  strings "$1" | grep -E -o '[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}'
+}
 
 # Extract the ID of each provisioning profile
 APP_PROVISIONING_PROFILE_ID=$(get_uuid "$APP_PROF_PATH")
@@ -29,41 +77,43 @@ cp "$EXT_PROF_PATH" "${ALT_PROVISIONING_PROFILES_DIR}/${EXT_PROVISIONING_PROFILE
 export APP_PROVISIONING_PROFILE_ID
 export EXT_PROVISIONING_PROFILE_ID
 export PTP_SUFFIX
+
 make
+
 xcodebuild \
-    -project "Coder Desktop/Coder Desktop.xcodeproj" \
-    -scheme "Coder Desktop" \
-    -configuration "Release" \
-    -skipPackagePluginValidation \
-    CODE_SIGN_STYLE=Manual \
-    CODE_SIGN_IDENTITY="$CODE_SIGN_IDENTITY" \
-    CODE_SIGN_INJECT_BASE_ENTITLEMENTS=NO \
-    OTHER_CODE_SIGN_FLAGS='--timestamp' | LC_ALL="en_US.UTF-8" xcpretty
+  -project "Coder Desktop/Coder Desktop.xcodeproj" \
+  -scheme "Coder Desktop" \
+  -configuration "Release" \
+  -skipPackagePluginValidation \
+  CODE_SIGN_STYLE=Manual \
+  CODE_SIGN_IDENTITY="$CODE_SIGN_IDENTITY" \
+  CODE_SIGN_INJECT_BASE_ENTITLEMENTS=NO \
+  OTHER_CODE_SIGN_FLAGS='--timestamp' | LC_ALL="en_US.UTF-8" xcpretty
 
 mkdir build
 built_app_path="./Coder Desktop.app"
 ditto "$(find "$HOME/Library/Developer/Xcode/DerivedData" -name "Coder Desktop.app")" "$built_app_path"
 
 create-dmg \
-    --identity="$CODE_SIGN_IDENTITY" \
-    "$built_app_path" \
-    ./
+  --identity="$CODE_SIGN_IDENTITY" \
+  "$built_app_path" \
+  ./
 
 # Add dmg to build artifacts
 dmg_path="./build/Coder Desktop.dmg"
 mv ./Coder\ Desktop*.dmg "$dmg_path"
 
 # Notarize
 xcrun notarytool store-credentials "notarytool-credentials" \
-    --apple-id "$APPLE_ID" \
-    --team-id "$APPLE_TEAM_ID" \
-    --password "$APPLE_ID_PASSWORD" \
-    --keychain "$KEYCHAIN_PATH"
+  --apple-id "$APPLE_ID" \
+  --team-id "$APPLE_TEAM_ID" \
+  --password "$APPLE_ID_PASSWORD" \
+  --keychain "$KEYCHAIN_PATH"
 
 xcrun notarytool submit "$dmg_path" \
-    --keychain-profile "notarytool-credentials" \
-    --keychain "$KEYCHAIN_PATH" \
-    --wait
+  --keychain-profile "notarytool-credentials" \
+  --keychain "$KEYCHAIN_PATH" \
+  --wait
 
 # Staple the notarization to the app and dmg, so they work without internet
 xcrun stapler staple "$dmg_path"