GitHub Actions: natives.yml: sign Windows and macOS native libraries #146
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions | |
| # https://docs.github.com/en/actions/automating-builds-and-tests/building-and-testing-java-with-gradle | |
| name: Native Libraries | |
| on: | |
| push: | |
| branches: | |
| - '*' | |
| tags: | |
| - '[0-9]*' | |
| paths: | |
| - 'flatlaf-natives/**' | |
| - '.github/workflows/natives.yml' | |
| - 'gradle/wrapper/gradle-wrapper.properties' | |
| - '!**.md' | |
| - '!**/.settings/**' | |
| jobs: | |
| Natives: | |
| strategy: | |
| matrix: | |
| os: | |
| - windows-latest | |
| - macos-latest | |
| - ubuntu-latest | |
| - ubuntu-24.04-arm | |
| runs-on: ${{ matrix.os }} | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: gradle/actions/wrapper-validation@v4 | |
| - name: install libxt-dev and libgtk-3-dev | |
| if: matrix.os == 'ubuntu-latest' || matrix.os == 'ubuntu-24.04-arm' | |
| run: sudo apt install libxt-dev libgtk-3-dev | |
| - name: Download libgtk-3.so for arm64 | |
| if: matrix.os == 'ubuntu-latest' | |
| working-directory: flatlaf-natives/flatlaf-natives-linux/lib/aarch64 | |
| run: | | |
| pwd | |
| ls -l /usr/lib/x86_64-linux-gnu/libgtk* | |
| wget --no-verbose https://ports.ubuntu.com/pool/main/g/gtk%2b3.0/libgtk-3-0_3.24.18-1ubuntu1_arm64.deb | |
| ls -l | |
| ar -x libgtk-3-0_3.24.18-1ubuntu1_arm64.deb data.tar.xz | |
| tar -xvf data.tar.xz --wildcards --to-stdout "./usr/lib/aarch64-linux-gnu/libgtk-3.so.0.*" > libgtk-3.so | |
| rm libgtk-3-0_3.24.18-1ubuntu1_arm64.deb data.tar.xz | |
| ls -l | |
| - name: install g++-aarch64-linux-gnu | |
| if: matrix.os == 'ubuntu-latest' | |
| run: sudo apt install g++-aarch64-linux-gnu | |
| - name: Setup Java 11 | |
| uses: actions/setup-java@v4 | |
| with: | |
| java-version: 11 | |
| distribution: temurin | |
| cache: gradle | |
| - name: Build with Gradle | |
| # --no-daemon is necessary on Windows otherwise caching Gradle would fail with: | |
| # tar.exe: Couldn't open ~/.gradle/caches/modules-2/modules-2.lock: Permission denied | |
| run: ./gradlew build-natives --no-daemon | |
| - name: Sign Windows DLLs | |
| if: matrix.os == 'windows-latest' | |
| uses: skymatic/code-sign-action@v3 | |
| with: | |
| certificate: '${{ secrets.CODE_SIGN_CERT_BASE64 }}' | |
| password: '${{ secrets.CODE_SIGN_CERT_PASSWORD }}' | |
| certificatesha1: '${{ secrets.CODE_SIGN_CERT_SHA1 }}' | |
| folder: 'flatlaf-core/src/main/resources/com/formdev/flatlaf/natives' | |
| - name: Sign macOS natives | |
| if: matrix.os == 'macos-latest' | |
| env: | |
| CERT_BASE64: ${{ secrets.CODE_SIGN_CERT_BASE64 }} | |
| CERT_PASSWORD: ${{ secrets.CODE_SIGN_CERT_PASSWORD }} | |
| CERT_IDENTITY: ${{ secrets.CODE_SIGN_CERT_IDENTITY }} | |
| run: | | |
| # https://docs.github.com/en/actions/use-cases-and-examples/deploying/installing-an-apple-certificate-on-macos-runners-for-xcode-development | |
| # create variables | |
| CERTIFICATE_PATH=$RUNNER_TEMP/cert.p12 | |
| KEYCHAIN_PATH=$RUNNER_TEMP/signing.keychain-db | |
| KEYCHAIN_PASSWORD=$CERT_PASSWORD | |
| # decode certificate | |
| printenv CERT_BASE64 | base64 --decode > $CERTIFICATE_PATH | |
| # create temporary keychain | |
| security create-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH | |
| security set-keychain-settings -lut 21600 $KEYCHAIN_PATH | |
| security unlock-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH | |
| # import certificate to keychain | |
| security import $CERTIFICATE_PATH -P "$CERT_PASSWORD" -A -t cert -f pkcs12 -k $KEYCHAIN_PATH | |
| security set-key-partition-list -S apple-tool:,apple: -k "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH | |
| security list-keychains -d user -s $KEYCHAIN_PATH | |
| # sign code | |
| codesign -s "$CERT_IDENTITY" -fv --timestamp \ | |
| flatlaf-core/src/main/resources/com/formdev/flatlaf/natives/libflatlaf-macos-*.dylib | |
| codesign -d --verbose=4 flatlaf-core/src/main/resources/com/formdev/flatlaf/natives/libflatlaf-macos-*.dylib | |
| # cleanup | |
| security delete-keychain $KEYCHAIN_PATH | |
| - name: Set artifacts pattern | |
| shell: bash | |
| run: | | |
| case ${{ matrix.os }} in | |
| windows-latest) echo "artifactPattern=flatlaf-windows-*.dll" >> $GITHUB_ENV ;; | |
| macos-latest) echo "artifactPattern=libflatlaf-macos-*.dylib" >> $GITHUB_ENV ;; | |
| ubuntu-latest) echo "artifactPattern=libflatlaf-linux-x86_64.so" >> $GITHUB_ENV ;; | |
| ubuntu-24.04-arm) echo "artifactPattern=libflatlaf-linux-arm64.so" >> $GITHUB_ENV ;; | |
| esac | |
| - name: Upload artifacts | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: FlatLaf-natives-build-artifacts-${{ matrix.os }} | |
| path: | | |
| flatlaf-core/src/main/resources/com/formdev/flatlaf/natives/${{ env.artifactPattern }} | |
| flatlaf-natives/flatlaf-natives-*/build |