From eea19630bae4ef73e4510378b7750c11a630dca5 Mon Sep 17 00:00:00 2001
From: Conrad Kramer <conrad@conradkramer.com>
Date: Sat, 16 Mar 2024 10:40:09 -0700
Subject: [PATCH] Update release pipelines to upload release artifacts

---
 .github/actions/archive/action.yml           |  7 ++-
 .github/actions/build-for-testing/action.yml |  2 +-
 .github/actions/notarize/action.yml          | 57 ++++++++++++++++++
 .github/workflows/build-apple.yml            |  3 +-
 .github/workflows/release-apple.yml          | 62 +++++++++++---------
 Apple/Burrow.xcodeproj/project.pbxproj       |  2 -
 6 files changed, 98 insertions(+), 35 deletions(-)
 create mode 100644 .github/actions/notarize/action.yml

diff --git a/.github/actions/archive/action.yml b/.github/actions/archive/action.yml
index c34bd3ce..37282e19 100644
--- a/.github/actions/archive/action.yml
+++ b/.github/actions/archive/action.yml
@@ -26,9 +26,12 @@ runs:
     run: |
       echo "${{ inputs.app-store-key }}" > AuthKey_${{ inputs.app-store-key-id }}.p8
 
-      xcodebuild archive \
+      xcodebuild clean archive \
         -allowProvisioningUpdates \
         -allowProvisioningDeviceRegistration \
+        -skipPackagePluginValidation \
+        -skipMacroValidation \
+        -onlyUsePackageVersionsFromResolvedFile \
         -authenticationKeyID ${{ inputs.app-store-key-id }} \
         -authenticationKeyIssuerID ${{ inputs.app-store-key-issuer-id }} \
         -authenticationKeyPath "${PWD}/AuthKey_${{ inputs.app-store-key-id }}.p8" \
@@ -38,6 +41,4 @@ runs:
         -archivePath '${{ inputs.archive-path }}' \
         -resultBundlePath BuildResults.xcresult
 
-      ./Tools/xcresulttool-github BuildResults.xcresult
-      
       rm -rf AuthKey_${{ inputs.app-store-key-id }}.p8
diff --git a/.github/actions/build-for-testing/action.yml b/.github/actions/build-for-testing/action.yml
index 2c66963a..084ba81d 100644
--- a/.github/actions/build-for-testing/action.yml
+++ b/.github/actions/build-for-testing/action.yml
@@ -18,7 +18,7 @@ inputs:
 runs:
   using: composite
   steps:
-  - name: Cache Swift Packages
+  - name: Xcode Cache
     uses: actions/cache@v3
     with:
       path: |
diff --git a/.github/actions/notarize/action.yml b/.github/actions/notarize/action.yml
new file mode 100644
index 00000000..41bef2c3
--- /dev/null
+++ b/.github/actions/notarize/action.yml
@@ -0,0 +1,57 @@
+name: Notarize
+inputs:
+  app-store-key:
+    description: App Store key in PEM PKCS#8 format
+    required: true
+  app-store-key-id:
+    description: App Store key ID
+    required: true
+  app-store-key-issuer-id:
+    description: App Store key issuer ID
+    required: true
+  archive-path:
+    description: Xcode archive path
+    required: true
+outputs:
+  notarized-app:
+    description: The compressed and notarized app
+    value: ${{ steps.notarize.outputs.notarized-app }}
+runs:
+  using: composite
+  steps:
+  - id: notarize
+    shell: bash
+    run: |
+      echo "${{ inputs.app-store-key }}" > AuthKey_${{ inputs.app-store-key-id }}.p8
+
+      echo '{"destination":"upload","method":"developer-id"}' \
+        | plutil -convert xml1 -o ExportOptions.plist -
+
+      xcodebuild \
+        -exportArchive \
+        -allowProvisioningUpdates \
+        -allowProvisioningDeviceRegistration \
+        -authenticationKeyID ${{ inputs.app-store-key-id }} \
+        -authenticationKeyIssuerID ${{ inputs.app-store-key-issuer-id }} \
+        -authenticationKeyPath "${PWD}/AuthKey_${{ inputs.app-store-key-id }}.p8" \
+        -archivePath '${{ inputs.archive-path }}' \
+        -exportOptionsPlist ExportOptions.plist
+
+      until xcodebuild \
+        -exportNotarizedApp \
+        -allowProvisioningUpdates \
+        -allowProvisioningDeviceRegistration \
+        -authenticationKeyID ${{ inputs.app-store-key-id }} \
+        -authenticationKeyIssuerID ${{ inputs.app-store-key-issuer-id }} \
+        -authenticationKeyPath "${PWD}/AuthKey_${{ inputs.app-store-key-id }}.p8" \
+        -archivePath '${{ inputs.archive-path }}' \
+        -exportPath Release
+      do
+        echo "Failed to export app, trying again in 10s..."
+        sleep 10
+      done
+
+      aa archive -a lzma -b 8m -d Release -subdir Burrow.app -o Burrow.app.aar
+      rm -rf Release
+
+      rm -rf AuthKey_${{ inputs.app-store-key-id }}.p8 Release ExportOptions.plist
diff --git a/.github/workflows/build-apple.yml b/.github/workflows/build-apple.yml
index da0f56a6..1c00042d 100644
--- a/.github/workflows/build-apple.yml
+++ b/.github/workflows/build-apple.yml
@@ -12,7 +12,7 @@ concurrency:
 jobs:
   build:
     name: Build App (${{ matrix.platform }})
-    runs-on: macos-13
+    runs-on: macos-14
     strategy:
       fail-fast: false
       matrix:
@@ -53,7 +53,6 @@ jobs:
     - name: Install Rust
       uses: dtolnay/rust-toolchain@stable
       with:
-        toolchain: stable
         targets: ${{ join(matrix.rust-targets, ', ') }}
     - name: Build
       id: build
diff --git a/.github/workflows/release-apple.yml b/.github/workflows/release-apple.yml
index 3ea185de..b7a61b5c 100644
--- a/.github/workflows/release-apple.yml
+++ b/.github/workflows/release-apple.yml
@@ -1,26 +1,25 @@
 name: Build Apple Release
 on:
-  release:
-    types:
-    - created
+  push:
+    branches:  
+    - main
 jobs:
   build:
-    name: Build ${{ matrix.configuration['platform'] }} Release
-    runs-on: macos-13
+    name: Build ${{ matrix.platform }} Release
+    runs-on: macos-14
     strategy:
       fail-fast: false
       matrix:
-        configuration:
-        - scheme: App (iOS)
-          destination: generic/platform=iOS
+        include:
+        - destination: generic/platform=iOS
           platform: iOS
-          method: ad-hoc
-          artifact-file: Apple/Release/Burrow.ipa
-        - scheme: App (macOS)
-          destination: generic/platform=macOS
+          rust-targets:
+          - aarch64-apple-ios
+        - destination: generic/platform=macOS
           platform: macOS
-          method: mac-application
-          artifact-file: Burrow.app.txz
+          rust-targets:
+          - x86_64-apple-darwin
+          - aarch64-apple-darwin
     env:
       DEVELOPER_DIR: /Applications/Xcode_15.2.app/Contents/Developer
     steps:
@@ -34,32 +33,41 @@ jobs:
       with:
         certificate: ${{ secrets.DEVELOPER_CERT }}
         password: ${{ secrets.DEVELOPER_CERT_PASSWORD }}
+    - name: Install Rust
+      uses: dtolnay/rust-toolchain@stable
+      with:
+        targets: ${{ join(matrix.rust-targets, ', ') }}
     - name: Archive
       uses: ./.github/actions/archive
       with:
-        scheme: ${{ matrix.configuration['scheme'] }}
-        destination: ${{ matrix.configuration['destination'] }}
+        scheme: App
+        destination: ${{ matrix.destination }}
         app-store-key: ${{ secrets.APPSTORE_KEY }}
         app-store-key-id: ${{ secrets.APPSTORE_KEY_ID }}
         app-store-key-issuer-id: ${{ secrets.APPSTORE_KEY_ISSUER_ID }}
         archive-path: Burrow.xcarchive
-    - name: Export Locally
+    - name: Upload
       uses: ./.github/actions/export
       with:
-        method: ${{ matrix.configuration['method'] }}
-        destination: export
+        method: app-store
+        destination: upload
         app-store-key: ${{ secrets.APPSTORE_KEY }}
         app-store-key-id: ${{ secrets.APPSTORE_KEY_ID }}
         app-store-key-issuer-id: ${{ secrets.APPSTORE_KEY_ISSUER_ID }}
         archive-path: Burrow.xcarchive
         export-path: Release
+    - name: Notarize
+      if: ${{ matrix.platform == 'macOS' }}
+      uses: ./.github/actions/notarize
+      with:
+        app-store-key: ${{ secrets.APPSTORE_KEY }}
+        app-store-key-id: ${{ secrets.APPSTORE_KEY_ID }}
+        app-store-key-issuer-id: ${{ secrets.APPSTORE_KEY_ISSUER_ID }}
+        archive-path: Burrow.xcarchive
+        product-name: Burrow.app
     - name: Compress
-      if: ${{ matrix.configuration['platform'] == 'macOS' }}
       shell: bash
-      run: tar --options xz:compression-level=9 -C Apple/Release -cJf Burrow.app.txz ./
-    - name: Attach Artifact
-      uses: SierraSoftworks/gh-releases@v1.0.6
-      with:
-        token: ${{ secrets.GITHUB_TOKEN }}
-        overwrite: 'false'
-        files: ${{ matrix.configuration['artifact-file'] }}
+      run: |
+        mkdir Artifacts
+        mv Burrow.app.aar Artifacts
+        aa archive -a lzma -b 8m -d . -subdir Burrow.xcarchive -o Artifacts/Burrow-${{ matrix.platform }}.xcarchive.aar
diff --git a/Apple/Burrow.xcodeproj/project.pbxproj b/Apple/Burrow.xcodeproj/project.pbxproj
index 8717a30f..9f5da28b 100644
--- a/Apple/Burrow.xcodeproj/project.pbxproj
+++ b/Apple/Burrow.xcodeproj/project.pbxproj
@@ -30,7 +30,6 @@
 		D0BCC5FD2A086D4700AD070D /* NetworkExtension+Async.swift in Sources */ = {isa = PBXBuildFile; fileRef = D0BCC5FC2A086D4700AD070D /* NetworkExtension+Async.swift */; };
 		D0BCC6082A0981FE00AD070D /* Tunnel.swift in Sources */ = {isa = PBXBuildFile; fileRef = D0B98FC629FDC5B5004E7149 /* Tunnel.swift */; };
 		D0BCC6092A09A03E00AD070D /* libburrow.a in Frameworks */ = {isa = PBXBuildFile; fileRef = D0BCC6032A09535900AD070D /* libburrow.a */; };
-		D0BCC60A2A09A0B800AD070D /* build-rust.sh in Resources */ = {isa = PBXBuildFile; fileRef = D0B98FBF29FD8072004E7149 /* build-rust.sh */; };
 		D0FAB5922B818A5900F6A84B /* NetworkExtensionTunnel.swift in Sources */ = {isa = PBXBuildFile; fileRef = D0FAB5912B818A5900F6A84B /* NetworkExtensionTunnel.swift */; };
 		D0FAB5962B818B2900F6A84B /* TunnelButton.swift in Sources */ = {isa = PBXBuildFile; fileRef = D0FAB5952B818B2900F6A84B /* TunnelButton.swift */; };
 		D0FAB5982B818B8200F6A84B /* TunnelStatusView.swift in Sources */ = {isa = PBXBuildFile; fileRef = D0FAB5972B818B8200F6A84B /* TunnelStatusView.swift */; };
@@ -384,7 +383,6 @@
 			isa = PBXResourcesBuildPhase;
 			buildActionMask = 2147483647;
 			files = (
-				D0BCC60A2A09A0B800AD070D /* build-rust.sh in Resources */,
 			);
 			runOnlyForDeploymentPostprocessing = 0;
 		};