diff --git a/.github/workflows/bundle-desktop-intel.yml b/.github/workflows/bundle-desktop-intel.yml index ee69ed7eb95f..4e1101add944 100644 --- a/.github/workflows/bundle-desktop-intel.yml +++ b/.github/workflows/bundle-desktop-intel.yml @@ -26,20 +26,7 @@ on: required: false default: '' secrets: - CERTIFICATE_OSX_APPLICATION: - description: 'Certificate for macOS application signing' - required: false - CERTIFICATE_PASSWORD: - description: 'Password for the macOS certificate' - required: false - APPLE_ID: - description: 'Apple ID for notarization' - required: false - APPLE_ID_PASSWORD: - description: 'Password for the Apple ID' - required: false - APPLE_TEAM_ID: - description: 'Apple Team ID' + OSX_CODESIGN_ROLE: required: false name: Reusable workflow to bundle desktop app for Intel Mac @@ -48,37 +35,14 @@ jobs: bundle-desktop-intel: runs-on: macos-latest name: Bundle Desktop App on Intel macOS + permissions: + id-token: write + contents: read steps: # Check initial disk space - name: Check initial disk space run: df -h - # Validate Signing Secrets if signing is enabled - - name: Validate Signing Secrets - if: ${{ inputs.signing }} - run: | - if [[ -z "${{ secrets.CERTIFICATE_OSX_APPLICATION }}" ]]; then - echo "Error: CERTIFICATE_OSX_APPLICATION secret is required for signing." - exit 1 - fi - if [[ -z "${{ secrets.CERTIFICATE_PASSWORD }}" ]]; then - echo "Error: CERTIFICATE_PASSWORD secret is required for signing." - exit 1 - fi - if [[ -z "${{ secrets.APPLE_ID }}" ]]; then - echo "Error: APPLE_ID secret is required for signing." - exit 1 - fi - if [[ -z "${{ secrets.APPLE_ID_PASSWORD }}" ]]; then - echo "Error: APPLE_ID_PASSWORD secret is required for signing." - exit 1 - fi - if [[ -z "${{ secrets.APPLE_TEAM_ID }}" ]]; then - echo "Error: APPLE_TEAM_ID secret is required for signing." - exit 1 - fi - echo "All required signing secrets are present." - - name: Checkout code uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 with: @@ -186,14 +150,6 @@ jobs: cp temporal-service/temporal-service ui/desktop/src/bin/temporal-service cp bin/temporal ui/desktop/src/bin/temporal - - name: Add MacOS certs for signing and notarization - if: ${{ inputs.signing }} - run: ./scripts/add-macos-cert.sh - working-directory: ui/desktop - env: - CERTIFICATE_OSX_APPLICATION: ${{ secrets.CERTIFICATE_OSX_APPLICATION }} - CERTIFICATE_PASSWORD: ${{ secrets.CERTIFICATE_PASSWORD }} - - name: Install dependencies run: source ../../bin/activate-hermit && npm ci working-directory: ui/desktop @@ -209,8 +165,7 @@ jobs: - name: Check disk space before bundling run: df -h - - name: Make Unsigned App - if: ${{ !inputs.signing }} + - name: Build App run: | source ../../bin/activate-hermit attempt=0 @@ -227,27 +182,76 @@ jobs: fi working-directory: ui/desktop - - name: Make Signed App + - name: Configure AWS credentials + if: ${{ inputs.signing }} + uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4 + with: + role-to-assume: "${{ secrets.OSX_CODESIGN_ROLE }}" + aws-region: us-west-2 + + - name: Codesigning and Notarization if: ${{ inputs.signing }} run: | - source ../../bin/activate-hermit - attempt=0 - max_attempts=2 - until [ $attempt -ge $max_attempts ]; do - npm run bundle:intel && break - attempt=$((attempt + 1)) - echo "Attempt $attempt failed. Retrying..." - sleep 5 - done - if [ $attempt -ge $max_attempts ]; then - echo "Action failed after $max_attempts attempts." + set -e + + echo "⬆️ uploading unsigned app" + source_job_url="https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}" + unsigned_url="s3://block-goose-artifacts-bucket-production/unsigned/goose-${GITHUB_SHA}-${{ github.run_id }}-intel.zip" + + zip -q -u -r out/Goose-darwin-x64/Goose_intel_mac.zip entitlements.plist + + # upload unsigned goose to transfer bucket so it can be passed to lambda + aws s3 cp --quiet out/Goose-darwin-x64/Goose_intel_mac.zip "${unsigned_url}" + + # begin signing + echo "🚀 launching signing process" + aws lambda invoke \ + --function-name codesign_helper \ + --cli-binary-format raw-in-base64-out \ + --payload "{\"source_s3_url\": \"${unsigned_url}\", \"source_job_url\": \"${source_job_url}\"}" \ + response.json > /dev/null + + if [ "$(jq -r .statusCode response.json)" != "200" ]; then + echo "⚠️ lambda function did not return expected status code" exit 1 fi + + build_number="$(jq -r .body.build_number response.json)" + + start_time=$(date +%s) + + while sleep 30; do + aws lambda invoke \ + --function-name codesign_helper \ + --cli-binary-format raw-in-base64-out \ + --payload "{\"source_s3_url\": \"${unsigned_url}\", \"build_number\": \"${build_number}\"}" \ + response.json > /dev/null + + if [ "$(jq -r .statusCode response.json)" != "200" ]; then + echo "⚠️ signing request returned unexpected response code $(jq -r .statusCode response.json):" + jq . response.json + exit 1 + fi + + if [ "$(jq -r .body.state response.json)" == "completed" ]; then + echo "✅ signing complete ($(($(date +%s) - start_time))s)" + break + fi + + if [ $(($(date +%s) - start_time)) -ge 900 ]; then + echo "⚠️ timed out ($(($(date +%s) - start_time))s)" + exit 1 + fi + echo "⏲️ waiting for signing to complete ($(($(date +%s) - start_time))s)" + done + + # parse lambda response + signed_url=$(jq -r .body.destination_url response.json) + + # download the signed app from S3 + echo "⬇️ downloading signed app" + aws s3 cp --quiet "${signed_url}" out/Goose-darwin-x64/Goose_intel_mac.zip working-directory: ui/desktop - env: - APPLE_ID: ${{ secrets.APPLE_ID }} - APPLE_ID_PASSWORD: ${{ secrets.APPLE_ID_PASSWORD }} - APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }} - name: Final cleanup before artifact upload run: | diff --git a/.github/workflows/bundle-desktop.yml b/.github/workflows/bundle-desktop.yml index b015303c74f4..8f4543a60cd8 100644 --- a/.github/workflows/bundle-desktop.yml +++ b/.github/workflows/bundle-desktop.yml @@ -27,20 +27,7 @@ on: type: string default: '' secrets: - CERTIFICATE_OSX_APPLICATION: - description: 'Certificate for macOS application signing' - required: false - CERTIFICATE_PASSWORD: - description: 'Password for the macOS certificate' - required: false - APPLE_ID: - description: 'Apple ID for notarization' - required: false - APPLE_ID_PASSWORD: - description: 'Password for the Apple ID' - required: false - APPLE_TEAM_ID: - description: 'Apple Team ID' + OSX_CODESIGN_ROLE: required: false name: Reusable workflow to bundle desktop app @@ -49,6 +36,9 @@ jobs: bundle-desktop: runs-on: macos-latest name: Bundle Desktop App on macOS + permissions: + id-token: write + contents: read steps: # Debug information about the workflow and inputs - name: Debug workflow info @@ -78,31 +68,6 @@ jobs: - name: Check initial disk space run: df -h - # Validate Signing Secrets if signing is enabled - - name: Validate Signing Secrets - if: ${{ inputs.signing }} - env: - HAS_CERT: ${{ secrets.CERTIFICATE_OSX_APPLICATION != '' }} - HAS_CERT_PASS: ${{ secrets.CERTIFICATE_PASSWORD != '' }} - HAS_APPLE_ID: ${{ secrets.APPLE_ID != '' }} - HAS_APPLE_PASS: ${{ secrets.APPLE_ID_PASSWORD != '' }} - HAS_TEAM_ID: ${{ secrets.APPLE_TEAM_ID != '' }} - run: | - missing=() - [[ "${HAS_CERT}" != "true" ]] && missing+=("CERTIFICATE_OSX_APPLICATION") - [[ "${HAS_CERT_PASS}" != "true" ]] && missing+=("CERTIFICATE_PASSWORD") - [[ "${HAS_APPLE_ID}" != "true" ]] && missing+=("APPLE_ID") - [[ "${HAS_APPLE_PASS}" != "true" ]] && missing+=("APPLE_ID_PASSWORD") - [[ "${HAS_TEAM_ID}" != "true" ]] && missing+=("APPLE_TEAM_ID") - - if (( ${#missing[@]} > 0 )); then - echo "Error: Missing required signing secrets:" - printf '%s\n' "${missing[@]}" - exit 1 - fi - - echo "All required signing secrets are present." - - name: Checkout code uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 with: @@ -224,14 +189,6 @@ jobs: cp temporal-service/temporal-service ui/desktop/src/bin/temporal-service cp bin/temporal ui/desktop/src/bin/temporal - - name: Add MacOS certs for signing and notarization - if: ${{ inputs.signing }} - run: ./scripts/add-macos-cert.sh - working-directory: ui/desktop - env: - CERTIFICATE_OSX_APPLICATION: ${{ secrets.CERTIFICATE_OSX_APPLICATION }} - CERTIFICATE_PASSWORD: ${{ secrets.CERTIFICATE_PASSWORD }} - - name: Install dependencies run: source ../../bin/activate-hermit && npm ci working-directory: ui/desktop @@ -240,8 +197,7 @@ jobs: - name: Check disk space before bundling run: df -h - - name: Make Unsigned App - if: ${{ !inputs.signing }} + - name: Build App run: | source ../../bin/activate-hermit attempt=0 @@ -258,26 +214,75 @@ jobs: fi working-directory: ui/desktop - - name: Make Signed App + - name: Configure AWS credentials + if: ${{ inputs.signing }} + uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4 + with: + role-to-assume: "${{ secrets.OSX_CODESIGN_ROLE }}" + aws-region: us-west-2 + + - name: Codesigning and Notarization if: ${{ inputs.signing }} - env: - APPLE_ID: ${{ secrets.APPLE_ID }} - APPLE_ID_PASSWORD: ${{ secrets.APPLE_ID_PASSWORD }} - APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }} run: | + set -e - attempt=0 - max_attempts=2 - until [ $attempt -ge $max_attempts ]; do - npm run bundle:default && break - attempt=$((attempt + 1)) - echo "Attempt $attempt failed. Retrying..." - sleep 5 - done - if [ $attempt -ge $max_attempts ]; then - echo "Action failed after $max_attempts attempts." + echo "⬆️ uploading unsigned app" + source_job_url="https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}" + unsigned_url="s3://block-goose-artifacts-bucket-production/unsigned/goose-${GITHUB_SHA}-${{ github.run_id }}-arm64.zip" + + zip -q -u -r out/Goose-darwin-arm64/Goose.zip entitlements.plist + + # upload unsigned goose to transfer bucket so it can be passed to lambda + aws s3 cp --quiet out/Goose-darwin-arm64/Goose.zip "${unsigned_url}" + + # begin signing + echo "🚀 launching signing process" + aws lambda invoke \ + --function-name codesign_helper \ + --cli-binary-format raw-in-base64-out \ + --payload "{\"source_s3_url\": \"${unsigned_url}\", \"source_job_url\": \"${source_job_url}\"}" \ + response.json > /dev/null + + if [ "$(jq -r .statusCode response.json)" != "200" ]; then + echo "⚠️ lambda function did not return expected status code" exit 1 fi + + build_number="$(jq -r .body.build_number response.json)" + + start_time=$(date +%s) + + while sleep 30; do + aws lambda invoke \ + --function-name codesign_helper \ + --cli-binary-format raw-in-base64-out \ + --payload "{\"source_s3_url\": \"${unsigned_url}\", \"build_number\": \"${build_number}\"}" \ + response.json > /dev/null + + if [ "$(jq -r .statusCode response.json)" != "200" ]; then + echo "⚠️ signing request returned unexpected response code $(jq -r .statusCode response.json):" + jq . response.json + exit 1 + fi + + if [ "$(jq -r .body.state response.json)" == "completed" ]; then + echo "✅ signing complete ($(($(date +%s) - start_time))s)" + break + fi + + if [ $(($(date +%s) - start_time)) -ge 900 ]; then + echo "⚠️ timed out ($(($(date +%s) - start_time))s)" + exit 1 + fi + echo "⏲️ waiting for signing to complete ($(($(date +%s) - start_time))s)" + done + + # parse lambda response + signed_url=$(jq -r .body.destination_url response.json) + + # download the signed app from S3 + echo "⬇️ downloading signed app" + aws s3 cp --quiet "${signed_url}" out/Goose-darwin-arm64/Goose.zip working-directory: ui/desktop - name: Final cleanup before artifact upload diff --git a/.github/workflows/canary.yml b/.github/workflows/canary.yml index ac266085c48c..55cf394983b2 100644 --- a/.github/workflows/canary.yml +++ b/.github/workflows/canary.yml @@ -67,13 +67,7 @@ jobs: uses: ./.github/workflows/bundle-desktop.yml with: version: ${{ needs.prepare-version.outputs.version }} - signing: true - secrets: - CERTIFICATE_OSX_APPLICATION: ${{ secrets.CERTIFICATE_OSX_APPLICATION }} - CERTIFICATE_PASSWORD: ${{ secrets.CERTIFICATE_PASSWORD }} - APPLE_ID: ${{ secrets.APPLE_ID }} - APPLE_ID_PASSWORD: ${{ secrets.APPLE_ID_PASSWORD }} - APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }} + signing: false # ------------------------------------------------------------ # 5) Bundle Desktop App (Linux) - builds goosed and Electron app @@ -92,11 +86,7 @@ jobs: uses: ./.github/workflows/bundle-desktop-windows.yml with: version: ${{ needs.prepare-version.outputs.version }} - signing: true - secrets: - WINDOWS_CODESIGN_CERTIFICATE: ${{ secrets.WINDOWS_CODESIGN_CERTIFICATE }} - WINDOW_SIGNING_ROLE: ${{ secrets.WINDOW_SIGNING_ROLE }} - WINDOW_SIGNING_ROLE_TAG: ${{ secrets.WINDOW_SIGNING_ROLE_TAG }} + signing: false # ------------------------------------ # 7) Create/Update GitHub Release diff --git a/.github/workflows/pr-comment-bundle-intel.yml b/.github/workflows/pr-comment-bundle-intel.yml index 9bab3820dc58..e0f63c699879 100644 --- a/.github/workflows/pr-comment-bundle-intel.yml +++ b/.github/workflows/pr-comment-bundle-intel.yml @@ -64,14 +64,8 @@ jobs: if: ${{ needs.trigger-on-command.outputs.continue == 'true' }} uses: ./.github/workflows/bundle-desktop-intel.yml with: - signing: true + signing: false ref: ${{ needs.trigger-on-command.outputs.head_sha }} - secrets: - CERTIFICATE_OSX_APPLICATION: ${{ secrets.CERTIFICATE_OSX_APPLICATION }} - CERTIFICATE_PASSWORD: ${{ secrets.CERTIFICATE_PASSWORD }} - APPLE_ID: ${{ secrets.APPLE_ID }} - APPLE_ID_PASSWORD: ${{ secrets.APPLE_ID_PASSWORD }} - APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }} pr-comment-intel: name: PR Comment with macOS Intel App diff --git a/.github/workflows/pr-comment-bundle.yml b/.github/workflows/pr-comment-bundle.yml index 2b3002fb8f27..0561682a2b38 100644 --- a/.github/workflows/pr-comment-bundle.yml +++ b/.github/workflows/pr-comment-bundle.yml @@ -108,14 +108,8 @@ jobs: if: ${{ needs.trigger-on-command.outputs.continue == 'true' }} uses: ./.github/workflows/bundle-desktop.yml with: - signing: true + signing: false ref: ${{ needs.trigger-on-command.outputs.pr_sha }} - secrets: - CERTIFICATE_OSX_APPLICATION: ${{ secrets.CERTIFICATE_OSX_APPLICATION }} - CERTIFICATE_PASSWORD: ${{ secrets.CERTIFICATE_PASSWORD }} - APPLE_ID: ${{ secrets.APPLE_ID }} - APPLE_ID_PASSWORD: ${{ secrets.APPLE_ID_PASSWORD }} - APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }} pr-comment-arm64: name: PR Comment with macOS ARM64 App diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index c75ade9f9069..644518a5c1ce 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -47,11 +47,7 @@ jobs: with: signing: true secrets: - CERTIFICATE_OSX_APPLICATION: ${{ secrets.CERTIFICATE_OSX_APPLICATION }} - CERTIFICATE_PASSWORD: ${{ secrets.CERTIFICATE_PASSWORD }} - APPLE_ID: ${{ secrets.APPLE_ID }} - APPLE_ID_PASSWORD: ${{ secrets.APPLE_ID_PASSWORD }} - APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }} + OSX_CODESIGN_ROLE: ${{ secrets.OSX_CODESIGN_ROLE }} # ------------------------------------------------------------ # 4) Bundle Desktop App (macOS) @@ -61,11 +57,7 @@ jobs: with: signing: true secrets: - CERTIFICATE_OSX_APPLICATION: ${{ secrets.CERTIFICATE_OSX_APPLICATION }} - CERTIFICATE_PASSWORD: ${{ secrets.CERTIFICATE_PASSWORD }} - APPLE_ID: ${{ secrets.APPLE_ID }} - APPLE_ID_PASSWORD: ${{ secrets.APPLE_ID_PASSWORD }} - APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }} + OSX_CODESIGN_ROLE: ${{ secrets.OSX_CODESIGN_ROLE }} # ------------------------------------------------------------ # 5) Bundle Desktop App (Linux) diff --git a/ui/desktop/forge.config.ts b/ui/desktop/forge.config.ts index 432e7e662c36..b10e8862c12e 100644 --- a/ui/desktop/forge.config.ts +++ b/ui/desktop/forge.config.ts @@ -33,26 +33,8 @@ let cfg = { } ] }, - // macOS specific configuration - osxSign: { - entitlements: 'entitlements.plist', - 'entitlements-inherit': 'entitlements.plist', - 'gatekeeper-assess': false, - hardenedRuntime: true, - identity: 'Developer ID Application: Michael Neale (W2L75AE9HQ)', - }, - osxNotarize: { - appleId: process.env['APPLE_ID'], - appleIdPassword: process.env['APPLE_ID_PASSWORD'], - teamId: process.env['APPLE_TEAM_ID'], - }, }; -if (process.env['APPLE_ID'] === undefined) { - delete cfg.osxNotarize; - delete cfg.osxSign; -} - module.exports = { packagerConfig: cfg, rebuildConfig: {},