diff --git a/.github/workflows/build-desktop.yml b/.github/workflows/build-desktop.yml index 9e59bc47853..a8ee1091a24 100644 --- a/.github/workflows/build-desktop.yml +++ b/.github/workflows/build-desktop.yml @@ -776,10 +776,18 @@ jobs: mkdir PlugIns cp -r $GITHUB_WORKSPACE/browser-build-artifacts/Safari/dmg/build/Release/safari.appex PlugIns/safari.appex + - name: Set up private auth key + run: | + mkdir ~/private_keys + cat << EOF > ~/private_keys/AuthKey_6TV9MKN3GP.p8 + ${{ secrets.APP_STORE_CONNECT_AUTH_KEY }} + EOF + - name: Build application (dist) env: - APPLE_ID_USERNAME: ${{ secrets.APPLE_ID_USERNAME }} - APPLE_ID_PASSWORD: ${{ secrets.APPLE_ID_PASSWORD }} + APP_STORE_CONNECT_TEAM_ISSUER: ${{ secrets.APP_STORE_CONNECT_TEAM_ISSUER }} + APP_STORE_CONNECT_AUTH_KEY: 6TV9MKN3GP + APP_STORE_CONNECT_AUTH_KEY_PATH: ~/private_keys/AuthKey_6TV9MKN3GP.p8 CSC_FOR_PULL_REQUEST: true run: npm run pack:mac @@ -985,12 +993,20 @@ jobs: mkdir PlugIns cp -r $GITHUB_WORKSPACE/browser-build-artifacts/Safari/mas/build/Release/safari.appex PlugIns/safari.appex + - name: Set up private auth key + run: | + mkdir ~/private_keys + cat << EOF > ~/private_keys/AuthKey_6TV9MKN3GP.p8 + ${{ secrets.APP_STORE_CONNECT_AUTH_KEY }} + EOF + - name: Build application for App Store - run: npm run pack:mac:mas env: - APPLE_ID_USERNAME: ${{ secrets.APPLE_ID_USERNAME }} - APPLE_ID_PASSWORD: ${{ secrets.APPLE_ID_PASSWORD }} + APP_STORE_CONNECT_TEAM_ISSUER: ${{ secrets.APP_STORE_CONNECT_TEAM_ISSUER }} + APP_STORE_CONNECT_AUTH_KEY: 6TV9MKN3GP + APP_STORE_CONNECT_AUTH_KEY_PATH: ~/private_keys/AuthKey_6TV9MKN3GP.p8 CSC_FOR_PULL_REQUEST: true + run: npm run pack:mac:mas - name: Upload .pkg artifact uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1 
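Review bot: The new "Set up private auth key" step splices `${{ secrets.APP_STORE_CONNECT_AUTH_KEY }}` into the script text of an unquoted heredoc and writes the file under the runner's default umask. The shell therefore still applies expansion to the key material, a line reading `EOF` inside the secret would truncate it, and the .p8 file gets whatever permissions the default umask allows. Passing the secret through `env:` and writing it under `umask 077` keeps the value out of the script text and restricts the file to the runner user. `mkdir -p` also stops the step failing if the directory already exists. The identical step is added in the hunks at -985 and -1180, and the same change applies there.

```yaml
      - name: Set up private auth key
        env:
          AUTH_KEY_P8: ${{ secrets.APP_STORE_CONNECT_AUTH_KEY }}
        run: |
          umask 077
          mkdir -p ~/private_keys
          printf '%s\n' "$AUTH_KEY_P8" > ~/private_keys/AuthKey_6TV9MKN3GP.p8
```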
@@ -1000,15 +1016,15 @@ jobs: if-no-files-found: error - name: Deploy to TestFlight - env: - APPLE_ID_USERNAME: ${{ secrets.APPLE_ID_USERNAME }} - APPLE_ID_PASSWORD: ${{ secrets.APPLE_ID_PASSWORD }} if: | (github.ref == 'refs/heads/main' && needs.setup.outputs.rc_branch_exists == 0 && needs.setup.outputs.hotfix_branch_exists == 0) || (github.ref == 'refs/heads/rc' && needs.setup.outputs.hotfix_branch_exists == 0) || github.ref == 'refs/heads/hotfix-rc-desktop' + env: + APP_STORE_CONNECT_TEAM_ISSUER: ${{ secrets.APP_STORE_CONNECT_TEAM_ISSUER }} + APP_STORE_CONNECT_AUTH_KEY: 6TV9MKN3GP run: npm run upload:mas @@ -1180,11 +1196,18 @@ jobs: mkdir PlugIns cp -r $GITHUB_WORKSPACE/browser-build-artifacts/Safari/masdev/build/Release/safari.appex PlugIns/safari.appex + - name: Set up private auth key + run: | + mkdir ~/private_keys + cat << EOF > ~/private_keys/AuthKey_6TV9MKN3GP.p8 + ${{ secrets.APP_STORE_CONNECT_AUTH_KEY }} + EOF + - name: Build dev application for App Store - run: npm run pack:mac:masdev env: - APPLE_ID_USERNAME: ${{ secrets.APPLE_ID_USERNAME }} - APPLE_ID_PASSWORD: ${{ secrets.APPLE_ID_PASSWORD }} + APP_STORE_CONNECT_TEAM_ISSUER: ${{ secrets.APP_STORE_CONNECT_TEAM_ISSUER }} + APP_STORE_CONNECT_AUTH_KEY_PATH: ~/private_keys/AuthKey_6TV9MKN3GP.p8 + run: npm run pack:mac:masdev - name: Zip masdev asset run: | diff --git a/apps/desktop/package.json b/apps/desktop/package.json index fd9c2351dd2..977a00b04dd 100644 --- a/apps/desktop/package.json +++ b/apps/desktop/package.json 
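Review bot: The "Deploy to TestFlight" step now passes only the key ID and issuer, so the upload depends on altool locating `AuthKey_6TV9MKN3GP.p8` under `~/private_keys`, and nothing in the step says so. That file is written by the "Set up private auth key" step, which appears to sit earlier in the same job. A comment above `env:` would make the coupling explicit, for example `# altool --apiKey looks up AuthKey_<key id>.p8 in ~/private_keys; see "Set up private auth key"`. Without it, renaming the key file or moving the setup step breaks the upload with no hint at the cause.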
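Review bot: The env block for "Build dev application for App Store" sets `APP_STORE_CONNECT_TEAM_ISSUER` and `APP_STORE_CONNECT_AUTH_KEY_PATH` but omits `APP_STORE_CONNECT_AUTH_KEY`, which the other two build steps in this commit do set. after-sign.js in this commit selects the API-key branch on the issuer alone and reads the key ID from that variable, so if notarization runs for this target it would receive an undefined `appleApiKeyId`. Whether it does depends on the `macBuild` condition, which is outside the diff. Adding `APP_STORE_CONNECT_AUTH_KEY: 6TV9MKN3GP` here keeps the three build steps consistent.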
@@ -52,7 +52,7 @@ "publish:mac:mas": "npm run dist:mac:mas && npm run upload:mas", "publish:win": "npm run build && npm run clean:dist && electron-builder --win --x64 --arm64 --ia32 -p always -c.win.certificateSubjectName=\"8bit Solutions LLC\"", "publish:win:dev": "npm run build && npm run clean:dist && electron-builder --win --x64 --arm64 --ia32 -p always", - "upload:mas": "xcrun altool --upload-app --type osx --file \"$(find ./dist/mas-universal/Bitwarden*.pkg)\" --username $APPLE_ID_USERNAME --password $APPLE_ID_PASSWORD", + "upload:mas": "xcrun altool --upload-app --type osx --file \"$(find ./dist/mas-universal/Bitwarden*.pkg)\" --apiKey $APP_STORE_CONNECT_AUTH_KEY --apiIssuer $APP_STORE_CONNECT_TEAM_ISSUER", "test": "jest", "test:watch": "jest --watch", "test:watch:all": "jest --watchAll" diff --git a/apps/desktop/scripts/after-sign.js b/apps/desktop/scripts/after-sign.js index 97815bc8b9b..69c078a13b5 100644 --- a/apps/desktop/scripts/after-sign.js +++ b/apps/desktop/scripts/after-sign.js 
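Review bot: `upload:mas` expands `$APP_STORE_CONNECT_AUTH_KEY` and `$APP_STORE_CONNECT_TEAM_ISSUER` unquoted, so when either is unset (for example a local `npm run publish:mac:mas`) altool receives a flag with no value and the resulting error does not point at the missing variable. Quoting them, `--apiKey \"$APP_STORE_CONNECT_AUTH_KEY\" --apiIssuer \"$APP_STORE_CONNECT_TEAM_ISSUER\"`, at least makes the empty argument explicit. Unlike after-sign.js, this script keeps no Apple ID fallback. Since package.json cannot carry a comment, the requirement for both variables and the key file in `~/private_keys` is best recorded in the desktop build documentation.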
@@ -50,14 +50,27 @@ async function run(context) { if (macBuild) { console.log("### Notarizing " + appPath); - const appleId = process.env.APPLE_ID_USERNAME || process.env.APPLEID; - const appleIdPassword = process.env.APPLE_ID_PASSWORD || `@keychain:AC_PASSWORD`; - return await notarize({ - tool: "notarytool", - appPath: appPath, - teamId: "LTZ2PFU5D6", - appleId: appleId, - appleIdPassword: appleIdPassword, - }); + if (process.env.APP_STORE_CONNECT_TEAM_ISSUER) { + const appleApiIssuer = process.env.APP_STORE_CONNECT_TEAM_ISSUER; + const appleApiKey = process.env.APP_STORE_CONNECT_AUTH_KEY_PATH; + const appleApiKeyId = process.env.APP_STORE_CONNECT_AUTH_KEY; + return await notarize({ + tool: "notarytool", + appPath: appPath, + appleApiIssuer: appleApiIssuer, + appleApiKey: appleApiKey, + appleApiKeyId: appleApiKeyId, + }); + } else { + const appleId = process.env.APPLE_ID_USERNAME || process.env.APPLEID; + const appleIdPassword = process.env.APPLE_ID_PASSWORD || `@keychain:AC_PASSWORD`; + return await notarize({ + tool: "notarytool", + appPath: appPath, + teamId: "LTZ2PFU5D6", + appleId: appleId, + appleIdPassword: appleIdPassword, + }); + } } }
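Review bot: The API-key branch is selected on `APP_STORE_CONNECT_TEAM_ISSUER` alone, so `appleApiKey` and `appleApiKeyId` can reach `notarize()` as `undefined`. The masdev workflow step in this commit, for instance, sets the issuer and key path but not `APP_STORE_CONNECT_AUTH_KEY`. A guard before the call, such as `if (!appleApiKey || !appleApiKeyId) { throw new Error("APP_STORE_CONNECT_AUTH_KEY_PATH and APP_STORE_CONNECT_AUTH_KEY must be set with APP_STORE_CONNECT_TEAM_ISSUER"); }`, turns that into a clear build failure. The workflow also supplies the key path as a literal `~/private_keys/...` string, which an `env:` value does not shell-expand. Whether the notarization tool resolves the tilde is not visible here, so it may be worth expanding it explicitly. `run` begins above this hunk.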