diff --git a/.github/secrets/devid-app-cert.p12.gpg b/.github/secrets/devid-app-cert.p12.gpg
deleted file mode 100644
index b278701e..00000000
Binary files a/.github/secrets/devid-app-cert.p12.gpg and /dev/null differ
diff --git a/.github/secrets/devid-installer-cert.p12.gpg b/.github/secrets/devid-installer-cert.p12.gpg
deleted file mode 100644
index e0fa6009..00000000
Binary files a/.github/secrets/devid-installer-cert.p12.gpg and /dev/null differ
diff --git a/.github/secrets/macdev-cert.p12.gpg b/.github/secrets/macdev-cert.p12.gpg
deleted file mode 100644
index d3e6613e..00000000
Binary files a/.github/secrets/macdev-cert.p12.gpg and /dev/null differ
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 71c03f76..79105366 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -523,44 +523,43 @@ jobs: npm --version echo "GitHub ref: $GITHUB_REF" echo "GitHub event: $GITHUB_EVENT" - shell: bash - - name: Decrypt secrets - env: - DECRYPT_FILE_PASSWORD: ${{ secrets.DECRYPT_FILE_PASSWORD }} - shell: bash + - name: Login to Azure + uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0 + with: + creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }} + + - name: Get certificates run: | - mkdir -p $HOME/secrets + mkdir -p $HOME/certificates - gpg --quiet --batch --yes --decrypt --passphrase="$DECRYPT_FILE_PASSWORD" \ - --output "$HOME/secrets/devid-app-cert.p12" \ - "$GITHUB_WORKSPACE/.github/secrets/devid-app-cert.p12.gpg" + az keyvault secret show --id https://bitwarden-ci.vault.azure.net/certificates/devid-app-cert | + jq -r .value | base64 -d > $HOME/certificates/devid-app-cert.p12 - gpg --quiet --batch --yes --decrypt --passphrase="$DECRYPT_FILE_PASSWORD" \ - --output "$HOME/secrets/devid-installer-cert.p12" \ - "$GITHUB_WORKSPACE/.github/secrets/devid-installer-cert.p12.gpg" + az keyvault secret show --id https://bitwarden-ci.vault.azure.net/certificates/devid-installer-cert | + jq -r .value | base64 -d > $HOME/certificates/devid-installer-cert.p12 - gpg --quiet --batch --yes --decrypt --passphrase="$DECRYPT_FILE_PASSWORD" \ - --output "$HOME/secrets/macdev-cert.p12" \ - "$GITHUB_WORKSPACE/.github/secrets/macdev-cert.p12.gpg" + az keyvault secret show --id https://bitwarden-ci.vault.azure.net/certificates/macdev-cert | + jq -r .value | base64 -d > $HOME/certificates/macdev-cert.p12 - name: Set up keychain env: KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }} - DEVID_CERT_PASSWORD: ${{ secrets.DEVID_CERT_PASSWORD }} - MACDEV_CERT_PASSWORD: ${{ secrets.MACDEV_CERT_PASSWORD }} - shell: bash run: | security create-keychain -p $KEYCHAIN_PASSWORD build.keychain security default-keychain -s build.keychain security unlock-keychain -p $KEYCHAIN_PASSWORD build.keychain security set-keychain-settings -lut 1200 build.keychain - 
security import "$HOME/secrets/devid-app-cert.p12" -k build.keychain -P $DEVID_CERT_PASSWORD \ + + security import "$HOME/certificates/devid-app-cert.p12" -k build.keychain -P "" \ -T /usr/bin/codesign -T /usr/bin/security -T /usr/bin/productbuild - security import "$HOME/secrets/devid-installer-cert.p12" -k build.keychain -P $DEVID_CERT_PASSWORD \ + + security import "$HOME/certificates/devid-installer-cert.p12" -k build.keychain -P "" \ -T /usr/bin/codesign -T /usr/bin/security -T /usr/bin/productbuild - security import "$HOME/secrets/macdev-cert.p12" -k build.keychain -P $MACDEV_CERT_PASSWORD \ + + security import "$HOME/certificates/macdev-cert.p12" -k build.keychain -P "" \ -T /usr/bin/codesign -T /usr/bin/security -T /usr/bin/productbuild + security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k $KEYCHAIN_PASSWORD build.keychain - name: Load package version
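Review bot: The three removed `shell: bash` lines mean the new `Get certificates` and `Set up keychain` steps now run under the workflow default shell, which on macOS/Linux runners is `bash -e {0}` without `-o pipefail`, whereas an explicit `shell: bash` runs `bash --noprofile --norc -eo pipefail {0}`. In the `az keyvault secret show ... | jq -r .value | base64 -d > ...` pipelines only the exit status of `base64` is checked, so a failed Key Vault lookup (expired service principal, missing access policy) most likely writes an empty `.p12` and the step still succeeds, with the failure only surfacing later at `security import`. Re-adding `shell: bash` to both steps, or starting each `run:` script with `set -o pipefail`, restores fail-fast behaviour. The decoded `.p12` files are also left in `$HOME/certificates` for the rest of the job; if this job can run on a non-ephemeral runner, a final `if: always()` cleanup step that removes that directory and deletes `build.keychain` is worth adding. The enclosing `steps:` list begins and ends outside the hunk.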