chore(ci): build for distribution

ethanndickson · ethanndickson · commit 739649bbff9e · 2025-02-06T18:25:44.000+11:00
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -17,12 +17,8 @@ jobs:
   test:
     name: test
     runs-on: ${{ github.repository_owner == 'coder' && 'depot-macos-latest' || 'macos-latest'}}
+    if: false
     steps:
-      - name: Harden Runner
-        uses: step-security/harden-runner@cb605e52c26070c328afc4562f0b4ada7618a84e # v2.10.4
-        with:
-          egress-policy: audit
-
       - name: Checkout
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
@@ -43,12 +39,8 @@ jobs:
   format:
     name: fmt
     runs-on: ${{ github.repository_owner == 'coder' && 'depot-macos-latest' || 'macos-latest'}}
+    if: false
     steps:
-      - name: Harden Runner
-        uses: step-security/harden-runner@cb605e52c26070c328afc4562f0b4ada7618a84e # v2.10.4
-        with:
-          egress-policy: audit
-
       - name: Checkout
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
@@ -69,12 +61,8 @@ jobs:
   lint:
     name: lint
     runs-on: ${{ github.repository_owner == 'coder' && 'depot-macos-latest' || 'macos-latest'}}
+    if: false
     steps:
-      - name: Harden Runner
-        uses: step-security/harden-runner@cb605e52c26070c328afc4562f0b4ada7618a84e # v2.10.4
-        with:
-          egress-policy: audit
-
       - name: Checkout
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -0,0 +1,74 @@
+name: release
+
+on:
+  # TODO: Switch to on `v*` tag push
+  pull_request:
+
+# permissions:
+#   # To upload assets to the release
+#   contents: write
+
+jobs:
+  build:
+    runs-on: ${{ github.repository_owner == 'coder' && 'depot-macos-latest' || 'macos-latest'}}
+    if: ${{ github.repository_owner == 'coder' }}
+    env: 
+      CERT_PATH:       /tmp/apple_cert.p12
+      APP_PROF_PATH:   /tmp/app.provisionprofile
+      EXT_PROF_PATH:   /tmp/ext.provisionprofile
+      KEYCHAIN_PATH:   /tmp/app-signing.keychain-db
+    steps:
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          fetch-depth: 1
+
+      - name: Switch XCode Version
+        uses: maxim-lobanov/setup-xcode@60606e260d2fc5762a71e64e74b2174e8ea3c8bd # v1.6.0
+        with:
+          xcode-version: "16.0.0"
+
+      - name: Install Cert & Retrieve Provisioning Profiles
+        env:
+          APPLE_CERT: ${{ secrets.APPLE_DEVELOPER_ID_PKCS12_B64 }}
+          CERT_PASSWORD: ${{ secrets.APPLE_DEVELOPER_ID_PKCS12_PASSWORD }}
+          APP_PROF: ${{ secrets.CODER_DESKTOP_APP_PROVISIONPROFILE_B64 }}
+          EXT_PROF: ${{ secrets.CODER_DESKTOP_EXTENSION_PROVISIONPROFILE_B64 }}
+        run: |
+          set -euo pipefail
+          touch "$CERT_PATH" "$APP_PROF_PATH" "$EXT_PROF_PATH"
+          echo "$APPLE_CERT" | base64 -d > "$CERT_PATH"
+          echo "$APP_PROF" | base64 -d > "$APP_PROF_PATH"
+          echo "$EXT_PROF" | base64 -d > "$EXT_PROF_PATH"
+          set -x
+          security create-keychain -p "" "$KEYCHAIN_PATH"
+          security set-keychain-settings -lut 21600 "$KEYCHAIN_PATH"
+          security unlock-keychain -p "" "$KEYCHAIN_PATH"
+          security import "$CERT_PATH" -P "$CERT_PASSWORD" -A -t cert -f pkcs12 -k "$KEYCHAIN_PATH"
+          security list-keychain -d user -s "$KEYCHAIN_PATH"
+
+      - name: Setup Deps
+        run: |
+          brew install xcodegen
+          npm install --global create-dmg
+
+      - name: Build
+        env:
+          APPLE_ID: ${{ secrets.APPLE_NOTARYTOOL_USERNAME  }}
+          APPLE_ID_PASSWORD: ${{ secrets.APPLE_NOTARYTOOL_PASSWORD }}
+        run: |
+          ./scripts/build.sh
+      
+      - name: Upload Build Artifacts
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+        with:
+          name: app
+          path: |
+            ./build
+          retention-days: 7
+
+      - name: Clean Up
+        if: always()
+        run: |
+          security delete-keychain "$KEYCHAIN_PATH"
+          rm -f /tmp/{apple_cert.p12,app.provisionprofile,ext.provisionprofile,app-signing.keychain-db}
diff --git a/Coder Desktop/Coder Desktop/Views/LoginForm.swift b/Coder Desktop/Coder Desktop/Views/LoginForm.swift
@@ -194,7 +194,9 @@ enum LoginField: Hashable {
     case sessionToken
 }
 
-#Preview {
-    LoginForm<PreviewSession>()
-        .environmentObject(PreviewSession())
-}
+#if DEBUG
+    #Preview {
+        LoginForm<PreviewSession>()
+            .environmentObject(PreviewSession())
+    }
+#endif
diff --git a/Coder Desktop/Coder Desktop/Views/Settings/NetworkTab.swift b/Coder Desktop/Coder Desktop/Views/Settings/NetworkTab.swift
@@ -9,6 +9,8 @@ struct NetworkTab<VPN: VPNService>: View {
     }
 }
 
-#Preview {
-    NetworkTab<PreviewVPN>()
-}
+#if DEBUG
+    #Preview {
+        NetworkTab<PreviewVPN>()
+    }
+#endif
diff --git a/Coder Desktop/Coder Desktop/Views/VPNMenu.swift b/Coder Desktop/Coder Desktop/Views/VPNMenu.swift
@@ -88,8 +88,10 @@ struct VPNMenu<VPN: VPNService, S: Session>: View {
     }
 }
 
-#Preview {
-    VPNMenu<PreviewVPN, PreviewSession>().frame(width: 256)
-        .environmentObject(PreviewVPN())
-        .environmentObject(PreviewSession())
-}
+#if DEBUG
+    #Preview {
+        VPNMenu<PreviewVPN, PreviewSession>().frame(width: 256)
+            .environmentObject(PreviewVPN())
+            .environmentObject(PreviewSession())
+    }
+#endif
diff --git a/Coder Desktop/VPN/Manager.swift b/Coder Desktop/VPN/Manager.swift
@@ -11,8 +11,10 @@ actor Manager {
     let speaker: Speaker<Vpn_ManagerMessage, Vpn_TunnelMessage>
     var readLoop: Task<Void, any Error>!
 
-    private let dest = FileManager.default.urls(for: .documentDirectory, in: .userDomainMask)
-        .first!.appending(path: "coder-vpn.dylib")
+    private let frameworksDir = FileManager.default.urls(for: .libraryDirectory, in: .userDomainMask)
+        .first!.appendingPathComponent("Frameworks")
+    private var dest = FileManager.default.urls(for: .libraryDirectory, in: .userDomainMask)
+        .first!.appendingPathComponent("Frameworks").appending(path: "coder-vpn.dylib")
     private let logger = Logger(subsystem: Bundle.main.bundleIdentifier!, category: "manager")
 
     // swiftlint:disable:next function_body_length
@@ -26,6 +28,16 @@ actor Manager {
         #else
             fatalError("unknown architecture")
         #endif
+        do {
+            if !FileManager.default.fileExists(atPath: frameworksDir.path) {
+                try FileManager.default.createDirectory(
+                    atPath: frameworksDir.path,
+                    withIntermediateDirectories: true,
+                    attributes: [:])
+            }
+        } catch {
+            throw .download(.fileOpError(error))
+        }
         do {
             try await download(src: dylibPath, dest: dest)
         } catch {
@@ -49,6 +61,7 @@ actor Manager {
         do {
             try tunnelHandle = TunnelHandle(dylibPath: dest)
         } catch {
+            logger.error("couldn't open dylib \(error, privacy: .public)")
             throw .tunnelSetup(error)
         }
         speaker = await Speaker<Vpn_ManagerMessage, Vpn_TunnelMessage>(
diff --git a/Coder Desktop/VPN/VPN.entitlements b/Coder Desktop/VPN/VPN.entitlements
@@ -12,6 +12,8 @@
 	<array>
 		<string>$(TeamIdentifierPrefix)com.coder.Coder-Desktop</string>
 	</array>
+	<key>com.apple.security.cs.disable-library-validation</key>
+	<true/>
 	<key>com.apple.security.network.client</key>
 	<true/>
 	<key>com.apple.security.network.server</key>
diff --git a/Coder Desktop/project.yml b/Coder Desktop/project.yml
@@ -114,7 +114,7 @@ targets:
       path: Coder Desktop/Coder_Desktop.entitlements
       properties:
         com.apple.developer.networking.networkextension:
-          - packet-tunnel-provider
+          - packet-tunnel-provider${PTP_SUFFIX}
         com.apple.developer.system-extension.install: true
         com.apple.security.app-sandbox: true
         com.apple.security.files.user-selected.read-only: true
@@ -125,6 +125,7 @@ targets:
       base:
         ASSETCATALOG_COMPILER_APPICON_NAME: AppIcon # Sets the app icon to "AppIcon".
         ASSETCATALOG_COMPILER_GLOBAL_ACCENT_COLOR_NAME: AccentColor
+        # `CODE_SIGN_*` options are overriden during a release build
         CODE_SIGN_IDENTITY: "Apple Development"
         CODE_SIGN_STYLE: Automatic
         COMBINE_HIDPI_IMAGES: YES
@@ -135,6 +136,8 @@ targets:
         INFOPLIST_KEY_NSHumanReadableCopyright: ""
         SWIFT_EMIT_LOC_STRINGS: YES
         PRODUCT_BUNDLE_IDENTIFIER: "com.coder.Coder-Desktop"
+        # Empty outside of release builds
+        PROVISIONING_PROFILE_SPECIFIER: ${APP_PROVISIONING_PROFILE_ID}
 
         # (ThomasK33): Install the application into the /Applications folder
         # so that macOS stops complaining about the app being run from an
@@ -200,12 +203,15 @@ targets:
       path: VPN/VPN.entitlements
       properties:
         com.apple.developer.networking.networkextension:
-          - packet-tunnel-provider
+          # PTP_SUFFIX is populated at `xcodegen` time.
+          - packet-tunnel-provider${PTP_SUFFIX}
         com.apple.security.app-sandbox: true
         com.apple.security.application-groups:
           - $(TeamIdentifierPrefix)com.coder.Coder-Desktop
         com.apple.security.network.client: true
         com.apple.security.network.server: true
+        # TODO: Remove this
+        com.apple.security.cs.disable-library-validation: true
     settings:
       base:
         ENABLE_HARDENED_RUNTIME: YES
@@ -215,6 +221,11 @@ targets:
         PRODUCT_NAME: "$(PRODUCT_BUNDLE_IDENTIFIER)"
         SWIFT_EMIT_LOC_STRINGS: YES
         SWIFT_OBJC_BRIDGING_HEADER: "VPN/com_coder_Coder_Desktop_VPN-Bridging-Header.h"
+        # `CODE_SIGN_*` are overriden during a release build
+        CODE_SIGN_IDENTITY: "Apple Development"
+        CODE_SIGN_STYLE: Automatic
+        # Empty outside of release builds
+        PROVISIONING_PROFILE_SPECIFIER: ${EXT_PROVISIONING_PROFILE_ID}
     dependencies:
       - target: VPNLib
         embed: true
@@ -235,8 +246,6 @@ targets:
         DYLIB_COMPATIBILITY_VERSION: 1
         DYLIB_CURRENT_VERSION: 1
         DYLIB_INSTALL_NAME_BASE: "@rpath"
-        CODE_SIGN_IDENTITY: "Apple Development"
-        CODE_SIGN_STYLE: Automatic
         LD_RUNPATH_SEARCH_PATHS:
           - "@executable_path/../Frameworks"
           - "@loader_path/Frameworks"
@@ -297,4 +306,4 @@ targets:
     settings:
       base:
         TEST_HOST: "$(BUILT_PRODUCTS_DIR)/Coder Desktop.app/$(BUNDLE_EXECUTABLE_FOLDER_PATH)/Coder Desktop"
-        PRODUCT_BUNDLE_IDENTIFIER: com.coder.Coder-Desktop.CoderSDKTests
+        PRODUCT_BUNDLE_IDENTIFIER: com.coder.Coder-Desktop.CoderSDKTests
diff --git a/Makefile b/Makefile
@@ -18,7 +18,11 @@ setup: \
 
 $(XCPROJECT): $(PROJECT)/project.yml
 	cd $(PROJECT); \
-		SWIFT_VERSION=$(SWIFT_VERSION) xcodegen
+		SWIFT_VERSION=$(SWIFT_VERSION) \
+		PTP_SUFFIX=${PTP_SUFFIX} \
+		APP_PROVISIONING_PROFILE_ID=${APP_PROVISIONING_PROFILE_ID} \
+		EXT_PROVISIONING_PROFILE_ID=${EXT_PROVISIONING_PROFILE_ID} \
+		xcodegen
 
 $(PROJECT)/VPNLib/vpn.pb.swift: $(PROJECT)/VPNLib/vpn.proto
 	protoc --swift_opt=Visibility=public --swift_out=. 'Coder Desktop/VPNLib/vpn.proto'
diff --git a/scripts/build.sh b/scripts/build.sh
@@ -0,0 +1,78 @@
+#!/usr/bin/env bash
+
+set -euxo pipefail
+
+get_uuid() {
+    strings "$1" | grep -E -o '[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}'
+}
+
+# Build Documentation @ https://developer.apple.com/forums/thread/737894
+
+XCODE_PROVISIONING_PROFILES_DIR="$HOME/Library/Developer/Xcode/UserData/Provisioning Profiles"
+ALT_PROVISIONING_PROFILES_DIR="$HOME/Library/MobileDevice/Provisioning Profiles"
+mkdir -p "$XCODE_PROVISIONING_PROFILES_DIR"
+mkdir -p "$ALT_PROVISIONING_PROFILES_DIR"
+APPLE_TEAM_ID="4399GN35BJ"
+CODE_SIGN_IDENTITY="Developer ID Application: Coder Technologies Inc (${APPLE_TEAM_ID})"
+
+# Extract the ID of each provisioning profile
+APP_PROVISIONING_PROFILE_ID=$(get_uuid "$APP_PROF_PATH")
+EXT_PROVISIONING_PROFILE_ID=$(get_uuid "$EXT_PROF_PATH")
+PTP_SUFFIX="-systemextension"
+
+# Install Provisioning Profiles
+cp "$APP_PROF_PATH" "${XCODE_PROVISIONING_PROFILES_DIR}/${APP_PROVISIONING_PROFILE_ID}.provisionprofile"
+cp "$APP_PROF_PATH" "${ALT_PROVISIONING_PROFILES_DIR}/${APP_PROVISIONING_PROFILE_ID}.provisionprofile"
+cp "$EXT_PROF_PATH" "${XCODE_PROVISIONING_PROFILES_DIR}/${EXT_PROVISIONING_PROFILE_ID}.provisionprofile"
+cp "$EXT_PROF_PATH" "${ALT_PROVISIONING_PROFILES_DIR}/${EXT_PROVISIONING_PROFILE_ID}.provisionprofile"
+
+export APP_PROVISIONING_PROFILE_ID
+export EXT_PROVISIONING_PROFILE_ID
+export PTP_SUFFIX
+make
+xcodebuild \
+    -project "Coder Desktop/Coder Desktop.xcodeproj" \
+    -scheme "Coder Desktop" \
+    -configuration "Release" \
+    -skipPackagePluginValidation \
+    CODE_SIGN_STYLE=Manual \
+    CODE_SIGN_IDENTITY="$CODE_SIGN_IDENTITY" \
+    CODE_SIGN_INJECT_BASE_ENTITLEMENTS=NO \
+    OTHER_CODE_SIGN_FLAGS='--timestamp' | LC_ALL="en_US.UTF-8" xcpretty
+
+mkdir build
+built_app_path="./Coder Desktop.app"
+ditto "$(find "$HOME/Library/Developer/Xcode/DerivedData" -name "Coder Desktop.app")" "$built_app_path"
+
+create-dmg \
+    --identity="$CODE_SIGN_IDENTITY" \
+    "$built_app_path" \
+    ./
+
+# Add dmg to build artifacts
+dmg_path="./build/Coder Desktop.dmg"
+mv ./Coder\ Desktop*.dmg "$dmg_path"
+
+# Notarize
+xcrun notarytool store-credentials "notarytool-credentials" \
+    --apple-id "$APPLE_ID" \
+    --team-id "$APPLE_TEAM_ID" \
+    --password "$APPLE_ID_PASSWORD" \
+    --keychain "$KEYCHAIN_PATH"
+
+xcrun notarytool submit "$dmg_path" \
+    --keychain-profile "notarytool-credentials" \
+    --keychain "$KEYCHAIN_PATH" \
+    --wait
+
+# Staple the notarization to the app and dmg, so they work without internet
+xcrun stapler staple "$dmg_path"
+xcrun stapler staple "$built_app_path"
+
+# Add dsym to build artifacts
+dsym_zipped_path="./build/coder-desktop-universal-dsym.zip"
+zip -9 -r --symlinks "$dsym_zipped_path" "$(find "$HOME/Library/Developer/Xcode/DerivedData" -name "Coder Desktop.app.dSYM")"
+
+# Add zipped app to build artifacts
+app_zipped_path="./build/coder-desktop-universal.zip"
+zip -9 -r --symlinks "$app_zipped_path" "$built_app_path"

Original file line number	Diff line number	Diff line change
`@@ -9,6 +9,8 @@ struct NetworkTab<VPN: VPNService>: View {`
`9`	`9`	`}`
`10`	`10`	`}`
`11`	`11`
`12`		`-#Preview {`
`13`		`- NetworkTab<PreviewVPN>()`
`14`		`-}`
	`12`	`+#if DEBUG`
	`13`	`+ #Preview {`
	`14`	`+ NetworkTab<PreviewVPN>()`
	`15`	`+ }`
	`16`	`+#endif`