From 4bb30ecefed395278619ff83b7468dce5772da38 Mon Sep 17 00:00:00 2001 From: Emlyn Bolton Date: Mon, 28 Mar 2022 10:32:00 -0700 Subject: [PATCH 1/7] Enable read-write files entitlement for sandbox --- Jamulus.entitlements | 2 ++ 1 file changed, 2 insertions(+) diff --git a/Jamulus.entitlements b/Jamulus.entitlements index 9f3c0e8c3c..6a3a486a6f 100644 --- a/Jamulus.entitlements +++ b/Jamulus.entitlements @@ -10,5 +10,7 @@ com.apple.security.network.server + com.apple.security.files.user-selected.read-write + From 052c983a8e12a6b7956f851b3e73d4284875a91a Mon Sep 17 00:00:00 2001 From: Emlyn Bolton Date: Mon, 28 Mar 2022 13:35:24 -0700 Subject: [PATCH 2/7] Disable codeQL when signing on macOS --- .github/workflows/autobuild.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/autobuild.yml b/.github/workflows/autobuild.yml index 1d7bd5852a..95fbc0e6fb 100644 --- a/.github/workflows/autobuild.yml +++ b/.github/workflows/autobuild.yml @@ -305,5 +305,6 @@ jobs: asset_content_type: application/octet-stream - name: Perform CodeQL Analysis - if: matrix.config.run_codeql + # Don't run if we're signing on macOS + if: matrix.config.run_codeql && steps.build.outputs.macos_signed == 'false' uses: github/codeql-action/analyze@v1 From fc501123f2ebc60ade0ccee8f1eb140ce6e6c367 Mon Sep 17 00:00:00 2001 From: Emlyn Bolton Date: Mon, 28 Mar 2022 13:51:01 -0700 Subject: [PATCH 3/7] Use environment variable of certificate to determine if codeQL can be run on mac build --- .github/workflows/autobuild.yml | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/.github/workflows/autobuild.yml b/.github/workflows/autobuild.yml index 95fbc0e6fb..5d871dfe08 100644 --- a/.github/workflows/autobuild.yml +++ b/.github/workflows/autobuild.yml 
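Review bot: The rendered hunk shows the added key `com.apple.security.files.user-selected.read-write` but the value element that should follow it (`<true/>`) appears to have been stripped along with the other plist tags, so whether the entitlement is actually enabled cannot be confirmed from this page. Since this is the open/save-panel-scoped variant rather than a broad file-access entitlement, it is worth recording in the file which feature requires it, e.g. an XML comment above the key such as `<!-- required by: [feature that opens or saves user-chosen files] -->`, so a later reviewer does not widen it without a reason.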
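Review bot: The new condition `steps.build.outputs.macos_signed == 'false'` depends on a step with id `build` publishing an output named `macos_signed`, and nothing in this hunk or the rest of the series shows such an output being set. If it is unset the comparison is `'' == 'false'`, which is false, so CodeQL analysis is silently skipped on every config, not just signed macOS builds. Only the analyze step is gated here while `Initialize CodeQL` keeps its old `if:`, so the two steps can disagree; both should read the same condition, and a step-level `env:` flag derived from the secret (e.g. `HAS_MACOS_CERT: ${{ secrets.MACOS_CERT != '' }}`) is a sturdier signal than a step output that may not exist. The enclosing job starts outside the hunk.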
@@ -214,7 +214,8 @@ jobs: JAMULUS_BUILD_VERSION: ${{ needs.create_release.outputs.build_version }} - name: Initialize CodeQL - if: matrix.config.run_codeql + # Don't run CodeQL if we have a set up for signing the macOS build + if: matrix.config.run_codeql && ${{ env.MACOS_CERTIFICATE == '' }} uses: github/codeql-action/init@v1 with: languages: 'cpp' @@ -305,6 +306,6 @@ jobs: asset_content_type: application/octet-stream - name: Perform CodeQL Analysis - # Don't run if we're signing on macOS - if: matrix.config.run_codeql && steps.build.outputs.macos_signed == 'false' + # Don't run CodeQL if we have a set up for signing the macOS build + if: matrix.config.run_codeql && ${{ env.MACOS_CERTIFICATE == '' }} uses: github/codeql-action/analyze@v1 From 7974d08e04b9963bce019f098a339342310fa192 Mon Sep 17 00:00:00 2001 From: Emlyn Bolton Date: Mon, 28 Mar 2022 14:06:38 -0700 Subject: [PATCH 4/7] Bring in the environment var so it can be used --- .github/workflows/autobuild.yml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/.github/workflows/autobuild.yml b/.github/workflows/autobuild.yml index 5d871dfe08..72cc508a98 100644 --- a/.github/workflows/autobuild.yml +++ b/.github/workflows/autobuild.yml @@ -214,6 +214,8 @@ jobs: JAMULUS_BUILD_VERSION: ${{ needs.create_release.outputs.build_version }} - name: Initialize CodeQL + env: + MACOS_CERTIFICATE: ${{ secrets.MACOS_CERT}} # Don't run CodeQL if we have a set up for signing the macOS build if: matrix.config.run_codeql && ${{ env.MACOS_CERTIFICATE == '' }} uses: github/codeql-action/init@v1 @@ -306,6 +308,8 @@ jobs: asset_content_type: application/octet-stream - name: Perform CodeQL Analysis + env: + MACOS_CERTIFICATE: ${{ secrets.MACOS_CERT}} # Don't run CodeQL if we have a set up for signing the macOS build - if: matrix.config.run_codeql && ${{ env.MACOS_CERTIFICATE == '' }} + if: matrix.config.run_codeql && ${{ env.MACOS_CERTIFICATE == null }} uses: github/codeql-action/analyze@v1 
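Review bot: `if: matrix.config.run_codeql && ${{ env.MACOS_CERTIFICATE == '' }}` wraps only the second operand in `${{ }}`; an `if:` is already evaluated as an expression, and GitHub's guidance is to use `${{ }}` around the whole condition or not at all, because a partly wrapped condition can be interpolated as text and then treated as a non-empty, truthy string. The same line appears in the `@@ -305,6 +306,6 @@` hunk of this patch. `env.MACOS_CERTIFICATE` is also not defined anywhere in this commit, and a step-level `if:` cannot read `secrets` directly, so the value must come from an `env:` mapping (which a later patch adds). The plain form `if: matrix.config.run_codeql && env.MACOS_CERTIFICATE == ''` avoids the interpolation problem.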
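Review bot: The `env:` block added to both CodeQL steps (`@@ -214,6 +214,8 @@` and `@@ -306,6 +308,8 @@`) hands the raw `MACOS_CERT` secret to the third-party `github/codeql-action` process environment only to test whether it is set; the signing certificate should stay scoped to the step that signs. A derived boolean keeps the check without the exposure: `HAS_MACOS_CERT: ${{ secrets.MACOS_CERT != '' }}` in the step `env:`, then `if: matrix.config.run_codeql && env.HAS_MACOS_CERT != 'true'`. The two steps also compare differently (`== ''` at Initialize, `== null` at Analyze); they happen to coincide under GitHub's type coercion, but they should be written identically so Initialize and Analyze can never diverge. `${{ secrets.MACOS_CERT}}` is missing the space before `}}` used elsewhere in the file.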
From b75fc789b4f3d517a0f741ec5d585e39e18e8fb4 Mon Sep 17 00:00:00 2001 From: Emlyn Bolton Date: Mon, 28 Mar 2022 14:20:35 -0700 Subject: [PATCH 5/7] Change the config, not the steps --- .github/workflows/autobuild.yml | 12 +++--------- 1 file changed, 3 insertions(+), 9 deletions(-) diff --git a/.github/workflows/autobuild.yml b/.github/workflows/autobuild.yml index 72cc508a98..621922a839 100644 --- a/.github/workflows/autobuild.yml +++ b/.github/workflows/autobuild.yml @@ -127,7 +127,7 @@ jobs: # Stay on 10.15 as long as we use dmgbuild which does not work with 11's hdiutil (?): building_on_os: macos-10.15 base_command: QT_VERSION=5.15.2 SIGN_IF_POSSIBLE=1 ./.github/autobuild/mac.sh - run_codeql: true + run_codeql: ${{ secrets.MACOS_CERT == null }} xcode_version: 12.1.1 - config_name: MacOS Legacy (artifacts) @@ -214,10 +214,7 @@ jobs: JAMULUS_BUILD_VERSION: ${{ needs.create_release.outputs.build_version }} - name: Initialize CodeQL - env: - MACOS_CERTIFICATE: ${{ secrets.MACOS_CERT}} - # Don't run CodeQL if we have a set up for signing the macOS build - if: matrix.config.run_codeql && ${{ env.MACOS_CERTIFICATE == '' }} + if: matrix.config.run_codeql uses: github/codeql-action/init@v1 with: languages: 'cpp' @@ -308,8 +305,5 @@ jobs: asset_content_type: application/octet-stream - name: Perform CodeQL Analysis - env: - MACOS_CERTIFICATE: ${{ secrets.MACOS_CERT}} - # Don't run CodeQL if we have a set up for signing the macOS build - if: matrix.config.run_codeql && ${{ env.MACOS_CERTIFICATE == null }} + if: matrix.config.run_codeql uses: github/codeql-action/analyze@v1 From 92dea45e1cdf8d2a50679f57a89b0918d409480d Mon Sep 17 00:00:00 2001 From: Emlyn Bolton Date: Mon, 28 Mar 2022 14:23:55 -0700 Subject: [PATCH 6/7] Bring in env var again --- .github/workflows/autobuild.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/workflows/autobuild.yml b/.github/workflows/autobuild.yml index 621922a839..69647ee250 100644 
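Review bot: `run_codeql: ${{ secrets.MACOS_CERT == null }}` is placed inside `strategy.matrix`, and the `secrets` context is not among the contexts GitHub makes available to `jobs.<job_id>.strategy` (only `github`, `needs`, `vars` and `inputs` are), so the workflow is rejected at validation time rather than evaluating to a boolean. The per-step `if: matrix.config.run_codeql` restored in the other two hunks is the right place for the decision; the secret-derived flag has to reach it via a job- or step-level `env:` rather than via the matrix. The `strategy` block and the job header lie outside the hunk.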
--- a/.github/workflows/autobuild.yml +++ b/.github/workflows/autobuild.yml @@ -95,6 +95,8 @@ jobs: release_assets: name: Build for ${{ matrix.config.config_name }} + env: + MACOS_CERTIFICATE: ${{ secrets.MACOS_CERT}} needs: create_release strategy: fail-fast: false @@ -127,7 +129,7 @@ jobs: # Stay on 10.15 as long as we use dmgbuild which does not work with 11's hdiutil (?): building_on_os: macos-10.15 base_command: QT_VERSION=5.15.2 SIGN_IF_POSSIBLE=1 ./.github/autobuild/mac.sh - run_codeql: ${{ secrets.MACOS_CERT == null }} + run_codeql: ${{ env.MACOS_CERTIFICATE == null }} xcode_version: 12.1.1 - config_name: MacOS Legacy (artifacts) From 0672a80ba8a63e3bb2d43cf35c0fffbdf7f72d5e Mon Sep 17 00:00:00 2001 From: Emlyn Bolton Date: Mon, 28 Mar 2022 15:03:05 -0700 Subject: [PATCH 7/7] Just force disable the codeQL for signing purposes. --- .github/workflows/autobuild.yml | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/.github/workflows/autobuild.yml b/.github/workflows/autobuild.yml index 69647ee250..7a3bb671f0 100644 --- a/.github/workflows/autobuild.yml +++ b/.github/workflows/autobuild.yml @@ -95,8 +95,6 @@ jobs: release_assets: name: Build for ${{ matrix.config.config_name }} - env: - MACOS_CERTIFICATE: ${{ secrets.MACOS_CERT}} needs: create_release strategy: fail-fast: false @@ -129,7 +127,8 @@ jobs: # Stay on 10.15 as long as we use dmgbuild which does not work with 11's hdiutil (?): building_on_os: macos-10.15 base_command: QT_VERSION=5.15.2 SIGN_IF_POSSIBLE=1 ./.github/autobuild/mac.sh - run_codeql: ${{ env.MACOS_CERTIFICATE == null }} + # Disable CodeQL on mac as it interferes with signing the binaries + run_codeql: false xcode_version: 12.1.1 - config_name: MacOS Legacy (artifacts) @@ -216,7 +215,7 @@ jobs: JAMULUS_BUILD_VERSION: ${{ needs.create_release.outputs.build_version }} - name: Initialize CodeQL - if: matrix.config.run_codeql + if: matrix.config.run_codeql uses: github/codeql-action/init@v1 with: languages: 'cpp'
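Review bot: The job-level `env:` with `MACOS_CERTIFICATE: ${{ secrets.MACOS_CERT}}` exposes the signing certificate to every step of every matrix config in `release_assets`, including the non-macOS builds that never sign, which is broader than the single step that needs it. The second hunk's `run_codeql: ${{ env.MACOS_CERTIFICATE == null }}` also cannot work as intended because the `env` context, like `secrets`, is not available inside `jobs.<job_id>.strategy`. If a job-level value is wanted, export only a presence flag, `HAS_MACOS_CERT: ${{ secrets.MACOS_CERT != '' }}`, and consume it in the steps' `if:`, not in the matrix. The job header and `strategy` block continue outside the hunk.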
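Review bot: `run_codeql: false` drops CodeQL coverage of the macOS build unconditionally, including pull-request and fork runs where no certificate is present and, per `SIGN_IF_POSSIBLE=1` on the visible `base_command` line, no signing would have happened. If coverage on unsigned runs is worth keeping, the presence flag can live in the job `env:` (where `secrets` is available), `HAS_MACOS_CERT: ${{ secrets.MACOS_CERT != '' }}`, with the two CodeQL steps gated by `if: matrix.config.run_codeql && env.HAS_MACOS_CERT != 'true'` and the matrix value restored to `true`. Either way the comment should state the trade-off, e.g. `# Disabled: CodeQL in this job interferes with signing the macOS binaries; unsigned runs lose macOS coverage too`. The `@@ -216,7 +215,7 @@` hunk is whitespace-only.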