chore(ci): build for distribution

Author: ethanndickson

.env

@@ -0,0 +1,9 @@
+# Build a release locally using: op run --env-file="./.env" -- make release
+APPLE_CERT="op://Apple/Apple DeveloperID PKCS12 base64/notesPlain"
+CERT_PASSWORD="op://Apple/DeveloperID p12 password/password"
+
+APPLE_ID="op://Apple/3apcadvvcojjbpxnd7m5fgh5wm/username"
+APPLE_ID_PASSWORD="op://Apple/3apcadvvcojjbpxnd7m5fgh5wm/password"
+
+APP_PROF="op://Apple/Provisioning Profiles/profiles/application_base64"
+EXT_PROF="op://Apple/Provisioning Profiles/profiles/extension_base64"

.github/actions/nix-devshell/action.yaml

@@ -6,8 +6,5 @@ runs:
     - name: Setup Nix
       uses: DeterminateSystems/nix-installer-action@e50d5f73bfe71c2dd0aa4218de8f4afa59f8f81d # v16
 
-    - name: Setup GHA Nix cache
-      uses: DeterminateSystems/magic-nix-cache-action@6221693898146dc97e38ad0e013488a16477a4c4 # v9
-
     - name: Enter devshell
       uses: nicknovitski/nix-develop@9be7cfb4b10451d3390a75dc18ad0465bed4932a # v1.2.1

.github/dependabot.yaml

@@ -0,0 +1,15 @@
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+      time: "06:00"
+      timezone: "America/Chicago"
+    labels: []
+    commit-message:
+      prefix: "ci"
+    groups:
+      github-actions:
+        patterns:
+          - "*"

.github/workflows/ci.yml

@@ -18,15 +18,11 @@ jobs:
     name: test
     runs-on: ${{ github.repository_owner == 'coder' && 'depot-macos-latest' || 'macos-latest'}}
     steps:
-      - name: Harden Runner
-        uses: step-security/harden-runner@cb605e52c26070c328afc4562f0b4ada7618a84e # v2.10.4
-        with:
-          egress-policy: audit
-
       - name: Checkout
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           fetch-depth: 1
+          persist-credentials: false
 
       - name: Switch XCode Version
         uses: maxim-lobanov/setup-xcode@60606e260d2fc5762a71e64e74b2174e8ea3c8bd # v1.6.0
@@ -44,15 +40,11 @@ jobs:
     name: fmt
     runs-on: ${{ github.repository_owner == 'coder' && 'depot-macos-latest' || 'macos-latest'}}
     steps:
-      - name: Harden Runner
-        uses: step-security/harden-runner@cb605e52c26070c328afc4562f0b4ada7618a84e # v2.10.4
-        with:
-          egress-policy: audit
-
       - name: Checkout
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           fetch-depth: 1
+          persist-credentials: false
 
       - name: Switch XCode Version
         uses: maxim-lobanov/setup-xcode@60606e260d2fc5762a71e64e74b2174e8ea3c8bd # v1.6.0
@@ -70,15 +62,11 @@ jobs:
     name: lint
     runs-on: ${{ github.repository_owner == 'coder' && 'depot-macos-latest' || 'macos-latest'}}
     steps:
-      - name: Harden Runner
-        uses: step-security/harden-runner@cb605e52c26070c328afc4562f0b4ada7618a84e # v2.10.4
-        with:
-          egress-policy: audit
-
       - name: Checkout
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           fetch-depth: 1
+          persist-credentials: false
 
       - name: Setup Nix
         uses: ./.github/actions/nix-devshell

.github/workflows/release.yml

@@ -0,0 +1,47 @@
+name: release
+
+on:
+  # TODO: Switch to on `v*` tag push
+  pull_request:
+
+permissions: {}
+
+jobs:
+  build:
+    runs-on: ${{ github.repository_owner == 'coder' && 'depot-macos-latest' || 'macos-latest'}}
+    if: ${{ github.repository_owner == 'coder' }}
+    permissions:
+      # To upload assets to the release
+      contents: write
+    steps:
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          fetch-depth: 1
+          persist-credentials: false
+
+      - name: Switch XCode Version
+        uses: maxim-lobanov/setup-xcode@60606e260d2fc5762a71e64e74b2174e8ea3c8bd # v1.6.0
+        with:
+          xcode-version: "16.0.0"
+
+      - name: Setup Nix
+        uses: ./.github/actions/nix-devshell
+
+      - name: Build
+        env:
+          APPLE_CERT: ${{ secrets.APPLE_DEVELOPER_ID_PKCS12_B64 }}
+          APPLE_ID: ${{ secrets.APPLE_NOTARYTOOL_USERNAME  }}
+          APPLE_ID_PASSWORD: ${{ secrets.APPLE_NOTARYTOOL_PASSWORD }}
+          APP_PROF: ${{ secrets.CODER_DESKTOP_APP_PROVISIONPROFILE_B64 }}
+          CERT_PASSWORD: ${{ secrets.APPLE_DEVELOPER_ID_PKCS12_PASSWORD }}
+          EXT_PROF: ${{ secrets.CODER_DESKTOP_EXTENSION_PROVISIONPROFILE_B64 }}
+        run: make release
+
+      - name: Upload Build Artifacts
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+        with:
+          name: app
+          path: |
+            ./build
+          retention-days: 7

.gitignore

@@ -295,3 +295,10 @@ xcuserdata
 buildServer.json
 
 # End of https://www.toptal.com/developers/gitignore/api/xcode,jetbrains,macos,direnv,swift,swiftpm,objective-c
+
+*.entitlements
+
+app/
+
+# Make marker file
+app-signing.keychain-db

Coder Desktop/Coder Desktop/Coder_Desktop.entitlements

@@ -194,7 +194,9 @@ enum LoginField: Hashable {
     case sessionToken
 }
 
-#Preview {
-    LoginForm<PreviewSession>()
-        .environmentObject(PreviewSession())
-}
+#if DEBUG
+    #Preview {
+        LoginForm<PreviewSession>()
+            .environmentObject(PreviewSession())
+    }
+#endif

Coder Desktop/Coder Desktop/Views/LoginForm.swift

@@ -9,6 +9,8 @@ struct NetworkTab<VPN: VPNService>: View {
     }
 }
 
-#Preview {
-    NetworkTab<PreviewVPN>()
-}
+#if DEBUG
+    #Preview {
+        NetworkTab<PreviewVPN>()
+    }
+#endif

Coder Desktop/Coder Desktop/Views/Settings/NetworkTab.swift

@@ -98,8 +98,10 @@ func openSystemExtensionSettings() {
     NSWorkspace.shared.open(URL(string: "x-apple.systempreferences:com.apple.ExtensionsPreferences?extensionPointIdentifier=com.apple.system_extension.network_extension.extension-point")!)
 }
 
-#Preview {
-    VPNMenu<PreviewVPN, PreviewSession>().frame(width: 256)
-        .environmentObject(PreviewVPN())
-        .environmentObject(PreviewSession())
-}
+#if DEBUG
+    #Preview {
+        VPNMenu<PreviewVPN, PreviewSession>().frame(width: 256)
+            .environmentObject(PreviewVPN())
+            .environmentObject(PreviewSession())
+    }
+#endif

Coder Desktop/Coder Desktop/Views/VPNMenu.swift

@@ -48,12 +48,13 @@ actor Manager {
         }
 
         // HACK: The downloaded dylib may be quarantined, but we've validated it's signature
-        // so it's safe to execute. However, this SE must be sandboxed, so we defer to the app.
+        // so it's safe to execute. However, the SE must be sandboxed, so we defer to the app.
         try await removeQuarantine(dest)
 
         do {
             try tunnelHandle = TunnelHandle(dylibPath: dest)
         } catch {
+            logger.error("couldn't open dylib \(error, privacy: .public)")
             throw .tunnelSetup(error)
         }
         speaker = await Speaker<Vpn_ManagerMessage, Vpn_TunnelMessage>(

Coder Desktop/VPN/Manager.swift

@@ -114,14 +114,15 @@ targets:
       path: Coder Desktop/Coder_Desktop.entitlements
       properties:
         com.apple.developer.networking.networkextension:
-          - packet-tunnel-provider
+          - packet-tunnel-provider${PTP_SUFFIX}
         com.apple.developer.system-extension.install: true
         com.apple.security.application-groups:
           - $(TeamIdentifierPrefix)com.coder.Coder-Desktop
     settings:
       base:
         ASSETCATALOG_COMPILER_APPICON_NAME: AppIcon # Sets the app icon to "AppIcon".
         ASSETCATALOG_COMPILER_GLOBAL_ACCENT_COLOR_NAME: AccentColor
+        # `CODE_SIGN_*` options are overriden during a release build
         CODE_SIGN_IDENTITY: "Apple Development"
         CODE_SIGN_STYLE: Automatic
         COMBINE_HIDPI_IMAGES: YES
@@ -132,6 +133,8 @@ targets:
         INFOPLIST_KEY_NSHumanReadableCopyright: ""
         SWIFT_EMIT_LOC_STRINGS: YES
         PRODUCT_BUNDLE_IDENTIFIER: "com.coder.Coder-Desktop"
+        # Empty outside of release builds
+        PROVISIONING_PROFILE_SPECIFIER: ${APP_PROVISIONING_PROFILE_ID}
 
         # (ThomasK33): Install the application into the /Applications folder
         # so that macOS stops complaining about the app being run from an
@@ -197,7 +200,8 @@ targets:
       path: VPN/VPN.entitlements
       properties:
         com.apple.developer.networking.networkextension:
-          - packet-tunnel-provider
+          # PTP_SUFFIX is populated at `xcodegen` time.
+          - packet-tunnel-provider${PTP_SUFFIX}
         com.apple.security.app-sandbox: true
         com.apple.security.application-groups:
           - $(TeamIdentifierPrefix)com.coder.Coder-Desktop
@@ -212,6 +216,11 @@ targets:
         PRODUCT_NAME: "$(PRODUCT_BUNDLE_IDENTIFIER)"
         SWIFT_EMIT_LOC_STRINGS: YES
         SWIFT_OBJC_BRIDGING_HEADER: "VPN/com_coder_Coder_Desktop_VPN-Bridging-Header.h"
+        # `CODE_SIGN_*` are overriden during a release build
+        CODE_SIGN_IDENTITY: "Apple Development"
+        CODE_SIGN_STYLE: Automatic
+        # Empty outside of release builds
+        PROVISIONING_PROFILE_SPECIFIER: ${EXT_PROVISIONING_PROFILE_ID}
     dependencies:
       - target: VPNLib
         embed: true
@@ -232,8 +241,6 @@ targets:
         DYLIB_COMPATIBILITY_VERSION: 1
         DYLIB_CURRENT_VERSION: 1
         DYLIB_INSTALL_NAME_BASE: "@rpath"
-        CODE_SIGN_IDENTITY: "Apple Development"
-        CODE_SIGN_STYLE: Automatic
         LD_RUNPATH_SEARCH_PATHS:
           - "@executable_path/../Frameworks"
           - "@loader_path/Frameworks"
@@ -294,4 +301,4 @@ targets:
     settings:
       base:
         TEST_HOST: "$(BUILT_PRODUCTS_DIR)/Coder Desktop.app/$(BUNDLE_EXECUTABLE_FOLDER_PATH)/Coder Desktop"
-        PRODUCT_BUNDLE_IDENTIFIER: com.coder.Coder-Desktop.CoderSDKTests
+        PRODUCT_BUNDLE_IDENTIFIER: com.coder.Coder-Desktop.CoderSDKTests

Coder Desktop/VPN/VPN.entitlements

@@ -10,6 +10,7 @@ PROJECT := Coder\ Desktop
 XCPROJECT := Coder\ Desktop/Coder\ Desktop.xcodeproj
 SCHEME := Coder\ Desktop
 SWIFT_VERSION := 6.0
+APP_SIGNING_KEYCHAIN := /tmp/app-signing.keychain-db
 
 .PHONY: setup
 setup: \
@@ -18,11 +19,37 @@ setup: \
 
 $(XCPROJECT): $(PROJECT)/project.yml
 	cd $(PROJECT); \
-		SWIFT_VERSION=$(SWIFT_VERSION) xcodegen
+		SWIFT_VERSION=$(SWIFT_VERSION) \
+		PTP_SUFFIX=${PTP_SUFFIX} \
+		APP_PROVISIONING_PROFILE_ID=${APP_PROVISIONING_PROFILE_ID} \
+		EXT_PROVISIONING_PROFILE_ID=${EXT_PROVISIONING_PROFILE_ID} \
+		xcodegen
 
 $(PROJECT)/VPNLib/vpn.pb.swift: $(PROJECT)/VPNLib/vpn.proto
 	protoc --swift_opt=Visibility=public --swift_out=. 'Coder Desktop/VPNLib/vpn.proto'
 
+$(APP_SIGNING_KEYCHAIN):
+	security create-keychain -p "" "$(APP_SIGNING_KEYCHAIN)"
+	security set-keychain-settings -lut 21600 "$(APP_SIGNING_KEYCHAIN)"
+	security unlock-keychain -p "" "$(APP_SIGNING_KEYCHAIN)"
+	@tempfile=$$(mktemp); \
+	echo "$$APPLE_CERT" | base64 -d > $$tempfile; \
+	security import $$tempfile -P '$(CERT_PASSWORD)' -A -t cert -f pkcs12 -k "$(APP_SIGNING_KEYCHAIN)"; \
+	rm $$tempfile
+	security list-keychains -d user -s $$(security list-keychains -d user | tr -d '\"') "$(APP_SIGNING_KEYCHAIN)"
+
+.PHONY: release
+release: $(APP_SIGNING_KEYCHAIN) ## Create a release build of Coder Desktop
+	@APP_PROF_PATH="$$(mktemp)"; \
+	EXT_PROF_PATH="$$(mktemp)"; \
+	echo -n "$$APP_PROF" | base64 -d > "$$APP_PROF_PATH"; \
+	echo -n "$$EXT_PROF" | base64 -d > "$$EXT_PROF_PATH"; \
+	./scripts/build.sh \
+		--app-prof-path "$$APP_PROF_PATH" \
+		--ext-prof-path "$$EXT_PROF_PATH" \
+		--keychain "$(APP_SIGNING_KEYCHAIN)"; \
+	rm "$$APP_PROF_PATH" "$$EXT_PROF_PATH"
+
 .PHONY: fmt
 fmt: ## Run Swift file formatter
 	swiftformat \
@@ -40,16 +67,42 @@ test: $(XCPROJECT) ## Run all tests
 		CODE_SIGNING_ALLOWED=NO | xcbeautify
 
 .PHONY: lint
-lint: ## Lint swift files
+lint: lint/swift lint/actions ## Lint all files in the repo
+
+.PHONY: lint/swift
+lint/swift: ## Lint Swift files
 	swiftlint \
 		--strict \
 		--quiet $(LINTFLAGS)
 
+.PHONY: lint/actions
+lint/actions: ## Lint GitHub Actions
+	actionlint
+	zizmor .
+
 .PHONY: clean
-clean: ## Clean Xcode project
-	xcodebuild clean \
-		-project $(XCPROJECT)
-	rm -rf $(XCPROJECT)
+clean: clean/project clean/keychain clean/build ## Clean project and artifacts
+
+.PHONY: clean/project
+clean/project:
+	@if [ -d $(XCPROJECT) ]; then \
+		echo "Cleaning project: '$(XCPROJECT)'"; \
+		xcodebuild clean -project $(XCPROJECT); \
+		rm -rf $(XCPROJECT); \
+	fi
+	find . -name "*.entitlements" -type f -delete
+
+.PHONY: clean/keychain
+clean/keychain:
+	@if [ -e "$(APP_SIGNING_KEYCHAIN)" ]; then \
+		echo "Cleaning keychain: '$(APP_SIGNING_KEYCHAIN)'"; \
+		security delete-keychain "$(APP_SIGNING_KEYCHAIN)"; \
+		rm -f "$(APP_SIGNING_KEYCHAIN)"; \
+	fi
+
+.PHONY: clean/build
+clean/build:
+	rm -rf build/ app/
 
 .PHONY: proto
 proto: $(PROJECT)/VPNLib/vpn.pb.swift ## Generate Swift files from protobufs